8371864: GaloisCounterMode.implGCMCrypt0 AVX512/AVX2 intrinsics stubs cause AES-GCM encryption failure for certain payload sizes

[jianglizhou]

Please review the fix in StubGenerator::aesgcm_avx512 and StubGenerator::aesgcm_avx2 to handle some edge cases with input sizes that are not multiple of the block size.

Thanks to Thomas Holenstein and Lukas Zobernig for analyzing the issue and providing the test case!

---

Progress

• Change must be properly reviewed (1 review required, with at least 1 Reviewer)
• Change must not contain extraneous whitespace
• Commit message must refer to an issue

Issue

• JDK-8371864: GaloisCounterMode.implGCMCrypt0 AVX512/AVX2 intrinsics stubs cause AES-GCM encryption failure for certain payload sizes (Bug - P3)

Contributors

• Thomas Holenstein <[email protected]>
• Lukas Zobernig <[email protected]>

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk.git pull/28363/head:pull/28363
$ git checkout pull/28363

Update a local copy of the PR:
$ git checkout pull/28363
$ git pull https://git.openjdk.org/jdk.git pull/28363/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 28363

View PR using the GUI difftool:
$ git pr show -t 28363

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/28363.diff

Using Webrev

Link to Webrev Comment

[bridgekeeper]

👋 Welcome back jiangli! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[jianglizhou]

/contributor [email protected]
/contributor [email protected]

[openjdk]

❗ This change is not yet ready to be integrated.
See the Progress checklist in the description for automated requirements.

[openjdk]

@jianglizhou Syntax: /contributor (add|remove) [@user | openjdk-user | Full Name <email@address>]. For example:

• /contributor add @openjdk-bot
• /contributor add duke
• /contributor add J. Duke <[email protected]>

User names can only be used for users in the census associated with this repository. For other contributors you need to supply the full name and email address.

[openjdk]

@jianglizhou Syntax: /contributor (add|remove) [@user | openjdk-user | Full Name <email@address>]. For example:

• /contributor add @openjdk-bot
• /contributor add duke
• /contributor add J. Duke <[email protected]>

User names can only be used for users in the census associated with this repository. For other contributors you need to supply the full name and email address.

[openjdk]

@jianglizhou The following labels will be automatically applied to this pull request:

• hotspot-compiler
• security

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing lists. If you would like to change these labels, use the /label pull request command.

[jianglizhou]

/contributor Thomas Holenstein [email protected]
/contributor Lukas Zobernig [email protected]

[openjdk]

@jianglizhou Syntax: /contributor (add|remove) [@user | openjdk-user | Full Name <email@address>]. For example:

• /contributor add @openjdk-bot
• /contributor add duke
• /contributor add J. Duke <[email protected]>

User names can only be used for users in the census associated with this repository. For other contributors you need to supply the full name and email address.

[openjdk]

@jianglizhou Syntax: /contributor (add|remove) [@user | openjdk-user | Full Name <email@address>]. For example:

• /contributor add @openjdk-bot
• /contributor add duke
• /contributor add J. Duke <[email protected]>

User names can only be used for users in the census associated with this repository. For other contributors you need to supply the full name and email address.

[jianglizhou]

/contributor add Thomas Holenstein [email protected]
/contributor add Lukas Zobernig [email protected]

[openjdk]

@jianglizhou
Contributor Thomas Holenstein <[email protected]> successfully added.

[openjdk]

@jianglizhou
Contributor Lukas Zobernig <[email protected]> successfully added.

[mlbridge]

Webrevs

• 06: Full - Incremental (d26d0ee9)
• 05: Full - Incremental (8617ab4c)
• 04: Full - Incremental (54fbf2b1)
• 03: Full - Incremental (e99a441b)
• 02: Full - Incremental (528b1b47)
• 01: Full - Incremental (f1e7291b)
• 00: Full (338a99d0)

[TobiHartmann]

Drive-by comment: Java code should use 4x whitespace indentation.

[jianglizhou]

@TobiHartmann, thanks! Fixed.

[shipilev]

Good catch! Some stylistic comments for the product fix, and suggestions for the test.

[shipilev]

From the stylistic logic, this should be written as 16 * 16, to match the surrounding subl and addl.

[jianglizhou]

Thanks for the detailed review, @shipilev! Fixed.

[shipilev]

I get that you want a stress test. But time-limiting puts the test into weird condition: it can have different number of iterations, depending on auxiliary load on the machine. These tests are running in parallel with lots of other tests, so it is not uncommon. Do you even need to repeat jitFunc() call multiple times? Looks like it traverses the interesting configurations in one go?

[jianglizhou]

I did some testing today. For 200 runs, removing the time-limited loop, there is 89 runs out of 200 fail. So I changed to use an iteration of three runs, all 200 runs fail without the fix.

[shipilev]

I believe it makes sense to check that round-trip is successful, e.g. that decrypt(encrypt(message)) == message. Currently we implicitly rely on exceptions being thrown from the incorrectly executing code, which is IMO too weak -- in the boundary conditions like these, there might be bugs that do not manifest in visible exceptions, and just the encryption is subtly broken.

[jianglizhou]

That's a good idea. I added decrypt part and the check as suggested.

[jianglizhou]

With the changes, there were more common parts in the test. I moved common code into helper methods.

[shipilev]

This sounds like TestGCMSplitBound or some such; it is not a generic test for AES/GCM intrinsic.

[jianglizhou]

I renamed to TestAesGcmIntrinsic name, when converting the original test into the jtreg test. TestGCMSplitBound SGTM. Changed.

[shipilev]

[SPLIT_LEN - 300; SPLIT_LEN + 300] for completeness, perhaps?

[jianglizhou]

Done.

[shipilev]

Do you really need a SecureRandom here? Random RANDOM = Utils.getRandomInstance(); gets you the pre-seeded random instance, which can be used to repeatably reproduce failures.

[jianglizhou]

I kept the SecureRandom without changing. I think that could be more related to what the original reproducible.

[shipilev]

Indenting is still 2-space here.

[jianglizhou]

Indeed. Fixed, thanks.

[shipilev]

Er. This is used from gcmDecrypt? How does it work without Cipher.DECRYPT_MODE?

[jianglizhou]

Good catch. Interestingly the test passed for me on my local machine. Fixed to use Cipher.DECRYPT_MODE when doing gcmDecrypt.

Also an interesting new finding, with the decrypted message verification, I see there are 2 failures out of 200 runs with AVX512. I'm filing a new issue on the specifically, so it can be investigated.

[jianglizhou]

Filed https://bugs.openjdk.org/browse/JDK-8372364.

[openjdk]

⚠️ @jianglizhou This pull request contains merges that bring in commits not present in the target repository. Since this is not a "merge style" pull request, these changes will be squashed when this pull request in integrated. If this is your intention, then please ignore this message. If you want to preserve the commit structure, you must change the title of this pull request to Merge <project>:<branch> where <project> is the name of another project in the OpenJDK organization (for example Merge jdk:master).

[sviswa7]

I think the fix should instead be to just move the addl to pos before the MESG_BELOW_32_BLKS, as below:

+  __ addl(pos, 16 * 16);
   __ bind(MESG_BELOW_32_BLKS);
   __ subl(len, 16 * 16);
-  __ addl(pos, 16 * 16);

This is because on fall through path addl is needed but not while coming from line 3479 via jcc. For the latter, the addl has already been done on line 3477.