Gitiles
Code Review Sign In
LeafOS / LeafOS-Project / android_art / 36994ba006c18c1933815cc0c4c036df086e6814^! / . / runtime / gc / reference_processor.cc
commit36994ba006c18c1933815cc0c4c036df086e6814[log] [tgz]
authorMathieu Chartier <mathieuc@google.com>Tue Dec 13 11:46:28 2016 -0800
committerMathieu Chartier <mathieuc@google.com>Tue Dec 13 12:52:41 2016 -0800
tree013dfafba31b6d07f4880873f378475a1ce5975f
parent017c55c120a40612364448826692cc7d402eb913 [diff] [blame]
Don't re-read referent in ReferenceProcessor::GetReferent

Re-reading has the issue that it may read a null value after already
having done the null check. Using a cached value prevents this from
happening and causing DCHECK failures.

Added a related stress test.

Bug: 33569625
Bug: 33389022

Test: test-art-host

Change-Id: Ic42d540e035d41ac6e5b01762f9510cd6632b28c

diff --git a/runtime/gc/reference_processor.cc b/runtime/gc/reference_processor.cc
index 2cde7d5..641a919 100644
--- a/runtime/gc/reference_processor.cc
+++ b/runtime/gc/reference_processor.cc

@@ -75,11 +75,10 @@
   MutexLock mu(self, *Locks::reference_processor_lock_);
   while ((!kUseReadBarrier && SlowPathEnabled()) ||
          (kUseReadBarrier && !self->GetWeakRefAccessEnabled())) {
-    mirror::HeapReference<mirror::Object>* const referent_addr =
-        reference->GetReferentReferenceAddr();
+    ObjPtr<mirror::Object> referent = reference->GetReferent<kWithoutReadBarrier>();
     // If the referent became cleared, return it. Don't need barrier since thread roots can't get
     // updated until after we leave the function due to holding the mutator lock.
-    if (referent_addr->AsMirrorPtr() == nullptr) {
+    if (referent == nullptr) {
       return nullptr;
     }
     // Try to see if the referent is already marked by using the is_marked_callback. We can return
@@ -91,10 +90,15 @@
       // case only black nodes can be safely returned. If the GC is preserving references, the
       // mutator could take a white field from a grey or white node and move it somewhere else
       // in the heap causing corruption since this field would get swept.
-      if (collector_->IsMarkedHeapReference(referent_addr)) {
+      // Use the cached referent instead of calling GetReferent since other threads could call
+      // Reference.clear() after we did the null check resulting in a null pointer being
+      // incorrectly passed to IsMarked. b/33569625
+      ObjPtr<mirror::Object> forwarded_ref = collector_->IsMarked(referent.Ptr());
+      if (forwarded_ref != nullptr) {
+        // Non null means that it is marked.
         if (!preserving_references_ ||
            (LIKELY(!reference->IsFinalizerReferenceInstance()) && reference->IsUnprocessed())) {
-          return referent_addr->AsMirrorPtr();
+          return forwarded_ref;
         }
       }
     }