Status fields:

| Field | Value |
|---|---|
| creation_ts: | 2008-12-26 13:17 |
| component: | vm |
| version: | unspecified |
| rep_platform: | All |
| op_sys: | All |
| bug_status: | RESOLVED |
| resolution: | FIXED |
| reporter: | michi@complang.tuwien.ac.at |

When accessing an array of boxed elements (e.g. java.lang.Integer[]) via reflection, the
VM segfaults. The problem is that our array access functions (i.e. array_element_set)
unbox the boxed primitive, ignoring the actual type of the destination array. This leads
to the primitive value being written into the object array. The following is a snippet
of the SEGV log:

```
LOG: [0x00002aaaab2346d0] We received a SIGSEGV and tried to handle it, but we were
LOG: [0x00002aaaab2346d0] unable to find a Java method at:
LOG: [0x00002aaaab2346d0]
LOG: [0x00002aaaab2346d0] PC=0x00002aaaab308311
LOG: [0x00002aaaab2346d0]
LOG: [0x00002aaaab2346d0] Dumping the current stacktrace:
at java.lang.reflect.Array.set(Ljava/lang/Object;ILjava/lang/Object;)V(Native Method)
at PR119.test()V(PR119.java:37)
[...]
```

I have already written a regression test and will commit it in a second. I have only
tested this with OpenJDK so far, but I suspect GNU Classpath is not affected. This
is a critical bug because it can be exploited easily.

This is the fix: http://mips.complang.tuwien.ac.at/hg/cacao/rev/c9d8153b15bc
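
A small C model of the flaw described in this report, next to a store routine that checks the destination array's component type first. It is an added illustration, not CACAO's code and not the committed fix; all types and function names (`array`, `slot`, `set_unchecked`, `set_checked`, `slot_consistent`) are hypothetical, and the `written_as` tag exists only so the demo can observe a mismatch a real VM would not record.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed toy model; these types are not CACAO's. */
typedef enum { K_INT, K_REF } kind;

typedef struct { int is_boxed_int; int32_t value; } object; /* models java.lang.Integer */

typedef struct {
    kind written_as;                      /* demo-only tag: how the slot was last written */
    union { int32_t i; object *ref; } u;
} slot;

typedef struct { kind component; size_t length; slot s[4]; } array;

/* Flawed shape from the report: unboxing is decided by the value alone. */
int set_unchecked(array *a, size_t idx, object *v) {
    if (idx >= a->length) return -1;
    if (v != NULL && v->is_boxed_int) {
        a->s[idx].u.i = v->value;         /* raw int lands in a reference slot */
        a->s[idx].written_as = K_INT;
    } else {
        a->s[idx].u.ref = v;
        a->s[idx].written_as = K_REF;
    }
    return 0;
}

/* Hardened shape: the destination array's component type picks the store. */
int set_checked(array *a, size_t idx, object *v) {
    if (idx >= a->length) return -1;
    if (a->component == K_REF) {          /* Integer[]: keep the reference, never unbox */
        a->s[idx].u.ref = v;
        a->s[idx].written_as = K_REF;
        return 0;
    }
    if (v == NULL || !v->is_boxed_int) return -2; /* int[]: reject non-Integer values */
    a->s[idx].u.i = v->value;
    a->s[idx].written_as = K_INT;
    return 0;
}

/* 1 if the slot's content matches the array's declared component type. */
int slot_consistent(const array *a, size_t idx) {
    return idx < a->length && a->s[idx].written_as == a->component;
}
```

In the model, storing a boxed integer into a reference array through `set_unchecked` leaves the slot inconsistent with the array's type, while `set_checked` keeps the reference intact and still unboxes for a primitive `int` array.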