- A Concurrent Affair - https://www.concurrentaffair.org -

Java Bug 4396719 – Mark Sweep stack overflow on deeply nested Object arrays

I’m trying to create a call graph of all of DrJava using Soot [1]. DrJava is a cross-platform application that has some classes that get compiled and used only on certain operating systems; for example, the com.apple.eawt package is only used on the Mac. That means that Soot doesn’t normally find these classes when generating the call graph with Sun JDKs. Setting the Soot -allow-phantom-refs option doesn’t really help; it gets past the initial stages, but later still has errors. What I did instead was make the Apple classes available on Windows and Linux as well, just on the Soot classpath (they aren’t actually loaded by the JVM).

Now I’m getting a HotSpot Java error. Except for memory addresses, it is identical to this bug 6849033 [2], filed in June 2009. The bug report, however, is closed because it is a duplicate of bug 4396719 – Mark Sweep stack overflow on deeply nested Object arrays [3]… which isn’t in the database.

Why is that bug not in the database? Probably for security reasons [4], which isn’t immediately obvious. The fact that the original bug report to which all other bugs are referring isn’t available makes it hard to figure out what’s going on. What I find really shocking, though, is that the first bug I can find that lists the ominous bug 4396719 as original bug report is from February 2002: bug 4641910 [5]. That means this bug has been known and not fixed for eight years!

Some other duplicate bug reports [6] provide a description of the problem:

The problem is in the Garbage collection subsystem, dealing with
the very deeply nested arrays (an array who’s element is an array who’s
element is an array…)

This also makes it clear why there are security concerns that lead to the removal of the bug report: It is fairly simple to write Java code that is perfectly legal and that passes the Java verifier, but that will cause the JVM to crash. This can be used for a denial-of-service attack [7] in Java plugins.

The source for exploits is out there, this bug has been known for over eight years, some duplicate bug reports still describe the problem. Security through obscurity won’t work, especially not if you are this sloppy. I’m disappointed, Sun!

[8] [9]Share [10]