Infinite loop leading to memory corruption and crash.

[manqingl]

Crash happened here (Java 8.0.6.15):

#10 <signal handler called>
#11 0x00001458902f4e51 in writeU16 (val=<optimized out>, this=0x1458873d48d0) at ClassFileWriter.hpp:234
#12 ClassFileWriter::writeTypeAnnotationsAttribute (this=0x1458873d48d0, typeAnnotationsData=<optimized out>) at ClassFileWriter.cpp:1927
#13 0x00001458902f6513 in ClassFileWriter::writeCodeAttribute (this=this@entry=0x1458873d48d0, method=method@entry=0x14584ce3f214) at ClassFileWriter.cpp:1242
#14 0x00001458902f715b in ClassFileWriter::writeMethod (this=this@entry=0x1458873d48d0, method=method@entry=0x14584ce3f214) at ClassFileWriter.cpp:854
#15 0x00001458902f73f7 in ClassFileWriter::writeMethods (this=this@entry=0x1458873d48d0) at ClassFileWriter.cpp:911
#16 0x00001458902f751f in ClassFileWriter::writeClassFile (this=this@entry=0x1458873d48d0) at ClassFileWriter.cpp:549
#17 0x00001458902d3f42 in ClassFileWriter::ClassFileWriter (this=0x1458873d48d0, javaVM=<optimized out>, portLibrary=<optimized out>, romClass=<optimized out>) at ClassFileWriter.hpp:364
#18 0x00001458902cf7b0 in j9bcutil_transformROMClass (javaVM=javaVM@entry=0x14588c045500, portLibrary=portLibrary@entry=0x1458909a1360 <j9portLibrary>,
    romClass=romClass@entry=0x14584ce3bb00, classData=classData@entry=0x1458873d4a80, size=size@entry=0x1458873d4a7c) at ROMClassBuilder.cpp:200
#19 0x00001458902c9219 in internalLoadROMClass (vmThread=vmThread@entry=0x1e5a900, loadData=loadData@entry=0x1458873d4b80, localBuffer=localBuffer@entry=0x1458873d4cf0)
    at defineclass.c:340
#20 0x00001458902c986e in createROMClassFromClassFile (localBuffer=0x1458873d4cf0, loadData=0x1458873d4b80, currentThread=0x1e5a900) at defineclass.c:823
#21 internalDefineClass (vmThread=0x1e5a900, className=0x1458873d4d10, classNameLength=39, classData=<optimized out>, classDataLength=<optimized out>, classDataObject=<optimized out>,
    classLoader=0x145854399dc8, protectionDomain=0xa45d7cf0, options=6145, existingROMClass=0x14584ce3bb00, hostClass=0x0, localBuffer=0x1458873d4cf0) at defineclass.c:141
#22 0x00001458892fce45 in defineClassCommon (env=env@entry=0x1e5a900, classLoaderObject=classLoaderObject@entry=0x255e5e0, className=className@entry=0x255e5d8,
    classRep=classRep@entry=0x255e5d0, offset=offset@entry=0, length=length@entry=40, protectionDomain=0x255e598, options=2048, hostClass=0x0, patchMap=0x0) at common/jcldefine.c:196
#23 0x00001458892f1127 in Java_java_lang_ClassLoader_defineClassImpl (env=0x1e5a900, receiver=0x255e5e0, className=0x255e5d8, classRep=0x255e5d0, offset=0, length=<optimized out>,
    protectionDomain=0x255e598) at common/clsldr.cpp:73

The root cause is the infinite loop in ClassFileWriter.cpp:

				case CFR_TARGET_TYPE_TypeInLocalVar:
				case CFR_TARGET_TYPE_TypeInResourceVar: {
					U_16 tableLength = 0;
					NEXT_U16(tableLength, data);
					writeU16(tableLength);
					for (U_32 ti=0; tableLength; ++ti) {  <-- Infinite loop !
						NEXT_U16(u16Data, data);
						writeU16(u16Data); /* startPC */
						NEXT_U16(u16Data, data);
						writeU16(u16Data); /* length */
						NEXT_U16(u16Data, data);
						writeU16(u16Data); /* index */  <-- Line 1927
					}
				}
				break;

[pshipton]

@tajila fyi

[manqingl]

Glad this has been fixed recently. #12752

[JamesKingdon]

What an amazing bug!! Great find @manqingl