[GR-59981] Fix potential crash with DynamicObjectLibrary.removeKey.

PullRequest: graal/22608

Author: woess

truffle/src/com.oracle.truffle.api.object/src/com/oracle/truffle/api/object/DynamicObjectLibraryImpl.java

@@ -390,14 +390,13 @@ static RemovePlan prepareRemove(Shape shapeBefore, Shape shapeAfter, Property re
                 moves.add(move);
             }
         }
+        Location removedPropertyLoc = removedProperty.getLocation();
+        if (!removedPropertyLoc.isValue()) {
+            // Use a no-op move to clear the location of the removed property. Must be first.
+            moves.add(new Move(removedPropertyLoc, null, removedPropertyLoc.getOrdinal(), Integer.MIN_VALUE));
+        }
         if (canMoveInPlace) {
-            if (moves.isEmpty()) {
-                Location removedPropertyLoc = removedProperty.getLocation();
-                if (!removedPropertyLoc.isPrimitive()) {
-                    // Use a no-op move to clear the location of the removed property.
-                    moves.add(new Move(removedPropertyLoc, removedPropertyLoc, 0, 0));
-                }
-            } else if (!isSorted(moves)) {
+            if (!isSorted(moves)) {
                 moves.sort(Move::compareTo);
             }
         }
@@ -415,6 +414,10 @@ private static boolean isSorted(List<Move> moves) {
         return true;
     }
 
+    /**
+     * Moves the value from one location to another, and clears the from location. If both locations
+     * are the same, only clears the location.
+     */
     private static final class Move implements Comparable<Move> {
         private final Location fromLoc;
         private final Location toLoc;
@@ -424,30 +427,51 @@ private static final class Move implements Comparable<Move> {
         private static final Move[] EMPTY_ARRAY = new Move[0];
 
         Move(Location fromLoc, Location toLoc, int fromOrd, int toOrd) {
-            assert (fromLoc == toLoc) == (fromOrd == toOrd);
-            this.fromLoc = fromLoc;
+            assert fromLoc != toLoc;
+            this.fromLoc = Objects.requireNonNull(fromLoc);
             this.toLoc = toLoc;
             this.fromOrd = fromOrd;
             this.toOrd = toOrd;
         }
 
         void perform(DynamicObject obj) {
-            if (fromLoc == toLoc) {
-                return;
+            if (toLoc != null) {
+                performSet(obj, performGet(obj));
             }
-            performSet(obj, performGet(obj));
+            /*
+             * It does not matter for correctness whether we clear after the get or set. Clearing
+             * after the set might be slightly preferable w.r.t. store ordering.
+             */
+            clear(obj);
         }
 
         Object performGet(DynamicObject obj) {
             return fromLoc.get(obj, false);
         }
 
         void performSet(DynamicObject obj, Object value) {
+            if (toLoc == null) {
+                return; // clear only
+            }
             toLoc.setSafe(obj, value, false, true);
         }
 
-        void clear(DynamicObject obj) {
-            // clear location to avoid memory leak
+        Object performGetAndClear(DynamicObject obj) {
+            Object value = performGet(obj);
+            clear(obj);
+            return value;
+        }
+
+        /*
+         * Clears the location to avoid potential memory leaks AND kills the from location identity.
+         *
+         * Note: It is important that we always set the "from" location in compiled code to kill the
+         * location identity at this point, so as to prevent reads from that location identity (of
+         * the old shape) to move below any write to the same memory location but with a different
+         * location identity (of the new shape), since that would be seen as independent and
+         * therefore not kill the "from" location that is being overwritten or cleared. (GR-59981)
+         */
+        private void clear(DynamicObject obj) {
             fromLoc.clear(obj);
         }
 
@@ -498,25 +522,19 @@ void perform(DynamicObject object) {
                     moves[i].perform(object);
                 }
 
-                if (moves.length > 0) {
-                    moves[0].clear(object);
-                }
-
                 DynamicObjectSupport.trimToSize(object, shapeBefore, shapeAfter);
-                object.setShape(shapeAfter);
             } else {
                 // we cannot perform the moves in place, so stash away the values
                 Object[] tempValues = new Object[moves.length];
                 for (int i = moves.length - 1; i >= 0; i--) {
-                    tempValues[i] = moves[i].performGet(object);
-                    moves[i].clear(object);
+                    tempValues[i] = moves[i].performGetAndClear(object);
                 }
                 DynamicObjectSupport.resize(object, shapeBefore, shapeAfter);
                 for (int i = moves.length - 1; i >= 0; i--) {
                     moves[i].performSet(object, tempValues[i]);
                 }
-                object.setShape(shapeAfter);
             }
+            object.setShape(shapeAfter);
         }
 
         @TruffleBoundary

truffle/src/com.oracle.truffle.api.object/src/com/oracle/truffle/api/object/ExtLocations.java

@@ -51,8 +51,8 @@
 import com.oracle.truffle.api.CompilerDirectives.CompilationFinal;
 import com.oracle.truffle.api.CompilerDirectives.TruffleBoundary;
 import com.oracle.truffle.api.Truffle;
-
 import com.oracle.truffle.api.impl.AbstractAssumption;
+
 import sun.misc.Unsafe;
 
 /**
@@ -197,6 +197,10 @@ public final void set(DynamicObject store, Object value, boolean guard, boolean
             }
         }
 
+        @Override
+        void clear(DynamicObject store) {
+        }
+
         @Override
         public String toString() {
             return "=" + value;
@@ -637,8 +641,8 @@ private void setObjectInternal(DynamicObject store, Object value, boolean guard)
         }
 
         @Override
-        protected void clear(DynamicObject store) {
-            UnsafeAccess.unsafePutObject(getArray(store, false), getOffset(), null, this);
+        void clear(DynamicObject store) {
+            setObjectInternal(store, null, false);
         }
 
         @Override
@@ -696,8 +700,8 @@ private void setObjectInternal(DynamicObject store, Object value) {
         }
 
         @Override
-        protected void clear(DynamicObject store) {
-            UnsafeAccess.unsafePutObject(store, getOffset(), null, this);
+        void clear(DynamicObject store) {
+            setObjectInternal(store, null);
         }
 
         @Override
@@ -825,6 +829,11 @@ private void setIntInternal(DynamicObject store, int value) {
             UnsafeAccess.unsafePutLong(store, getOffset(), value & 0xffff_ffffL, this);
         }
 
+        @Override
+        protected void clear(DynamicObject store) {
+            setIntInternal(store, 0);
+        }
+
         @Override
         public boolean canStore(Object value) {
             return value instanceof Integer;
@@ -885,6 +894,11 @@ private void setDoubleInternal(DynamicObject store, double value) {
             UnsafeAccess.unsafePutLong(store, getOffset(), Double.doubleToRawLongBits(value), this);
         }
 
+        @Override
+        void clear(DynamicObject store) {
+            setDoubleInternal(store, 0);
+        }
+
         @Override
         protected void set(DynamicObject store, Object value, boolean guard, boolean init) {
             if (canStore(value)) {
@@ -1009,6 +1023,11 @@ public void setInt(DynamicObject store, int value, boolean guard, boolean init)
             setIntInternal(store, value, guard);
         }
 
+        @Override
+        void clear(DynamicObject store) {
+            setIntInternal(store, 0, false);
+        }
+
         @Override
         public boolean canStore(Object value) {
             return value instanceof Integer;
@@ -1076,6 +1095,11 @@ private void setDoubleInternal(DynamicObject store, double value, boolean guard)
             UnsafeAccess.unsafePutDouble(getArray(store, guard), getOffset(), value, this);
         }
 
+        @Override
+        void clear(DynamicObject store) {
+            setDoubleInternal(store, 0, false);
+        }
+
         @Override
         public void setDouble(DynamicObject store, double value, boolean guard, boolean init) {
             if (!init) {
@@ -1164,6 +1188,11 @@ private void setLongInternal(DynamicObject store, long value) {
             UnsafeAccess.unsafePutLong(store, getOffset(), value, this);
         }
 
+        @Override
+        void clear(DynamicObject store) {
+            setLongInternal(store, 0L);
+        }
+
         @Override
         protected void set(DynamicObject store, Object value, boolean guard, boolean init) {
             if (canStore(value)) {
@@ -1260,6 +1289,11 @@ private void setLongInternal(DynamicObject store, long value, boolean guard) {
             UnsafeAccess.unsafePutLong(getArray(store, guard), getOffset(), value, this);
         }
 
+        @Override
+        void clear(DynamicObject store) {
+            setLongInternal(store, 0L, false);
+        }
+
         @Override
         public void setLong(DynamicObject store, long value, boolean guard, boolean init) {
             if (!init) {

truffle/src/com.oracle.truffle.api.object/src/com/oracle/truffle/api/object/Location.java

@@ -40,12 +40,12 @@
  */
 package com.oracle.truffle.api.object;
 
+import java.util.Objects;
+
 import com.oracle.truffle.api.Assumption;
 import com.oracle.truffle.api.CompilerDirectives;
 import com.oracle.truffle.api.nodes.UnexpectedResultException;
 
-import java.util.Objects;
-
 /**
  * Property location.
  *
@@ -416,8 +416,7 @@ Class<?> getType() {
         return null;
     }
 
-    void clear(@SuppressWarnings("unused") DynamicObject store) {
-    }
+    abstract void clear(DynamicObject store);
 
     abstract int getOrdinal();