RFR: 8361842: Validate input in both Java and C++ for java.lang.StringCoding intrinsics
Chen Liang
liach at openjdk.org
Thu Jul 10 12:58:55 UTC 2025
On Fri, 27 Jun 2025 07:22:48 GMT, Tobias Hartmann <thartmann at openjdk.org> wrote:
>> src/java.base/share/classes/java/lang/StringCoding.java line 93:
>>
>>> 91: public static int countPositives(byte[] ba, int off, int len) {
>>> 92: Objects.requireNonNull(ba, "ba");
>>> 93: Objects.checkFromIndexSize(off, len, ba.length);
>>
>> I recall core libraries intentionally avoided this because of performance problems. Is it possible for us to, say, trust the `len` argument to be non-negative? That allows us to simplify this to `Objects.checkIndex(off, ba.length - len)`. See this usage in the perf-sensitive FFM API: https://github.com/openjdk/jdk/blob/149882416a956dec728a964c150b826dd589908f/src/java.base/share/classes/jdk/internal/foreign/AbstractMemorySegmentImpl.java#L401
>
> But the original code already checks for `len >= 0`, right? See `LibraryCallKit::inline_countPositives` -> `generate_string_range_check` -> `// Offset and count must not be negative`
>
> This PR is about moving the range checks from the intrinsics into the Java wrappers. Removing range checks is out of the scope and should be carefully evaluated on a case-by-case basis separately.
My point is that this is a performance-sensitive API. We are using a known-slow check method, `checkFromIndexSize`, which may introduce a performance regression.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/25998#discussion_r2172044145
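The two bounds-check forms discussed in this thread, side by side, as an added example that is not part of the PR or of the JDK sources. `RangeCheckCompare`, `fullCheck`, `simplifiedCheck` and the plain-Java `countPositives` loop are hypothetical names chosen for this illustration; the input array and the list of (off, len) pairs are constructed. The single-`checkIndex` form is written as `checkIndex(off, ba.length - len + 1)`: for `len >= 0` that is exactly `off + len <= ba.length`, the condition `checkFromIndexSize` enforces, and the `+ 1` is what admits the legitimate `off + len == ba.length` case. The example then shows which inputs the two forms disagree on, which is only the negative-`len` inputs that the simplified form has decided to trust.

```java
import java.util.Objects;

// Added example (not JDK code): compares the bounds check proposed in the PR
// with a single-checkIndex form that assumes len is non-negative.
public final class RangeCheckCompare {

    // Full check: rejects off < 0, len < 0 and off + len > ba.length
    // (Objects.checkFromIndexSize handles int overflow of off + len itself).
    static boolean fullCheck(byte[] ba, int off, int len) {
        try {
            Objects.checkFromIndexSize(off, len, ba.length);
            return true;
        } catch (IndexOutOfBoundsException e) {
            return false;
        }
    }

    // Simplified check (hypothetical helper): one bound, valid only if len >= 0.
    // With len >= 0, "off < ba.length - len + 1" is "off + len <= ba.length".
    // With len < 0 the upper bound grows instead of shrinking, so offsets past
    // the end of the array are accepted; for len near Integer.MIN_VALUE the
    // subtraction itself overflows.
    static boolean simplifiedCheck(byte[] ba, int off, int len) {
        try {
            Objects.checkIndex(off, ba.length - len + 1);
            return true;
        } catch (IndexOutOfBoundsException e) {
            return false;
        }
    }

    // Same shape as the StringCoding wrapper under review, but with a plain
    // Java loop standing in for the intrinsic: returns the number of leading
    // non-negative bytes in ba[off, off + len).
    static int countPositives(byte[] ba, int off, int len) {
        int limit = off + len;
        for (int i = off; i < limit; i++) {
            if (ba[i] < 0) {
                return i - off;
            }
        }
        return len;
    }

    public static void main(String[] args) {
        byte[] ba = new byte[10];          // constructed input: ten zero bytes
        int[][] cases = {
            {0, 10},   // whole array: both accept
            {10, 0},   // empty range at the very end: both accept
            {3, 7},    // off + len == ba.length: both accept
            {3, 8},    // runs one past the end: both reject
            {-1, 5},   // negative offset: both reject
            {0, -5},   // negative length: full check rejects, simplified accepts
            {12, -5},  // offset beyond the array plus negative length: simplified accepts
        };
        for (int[] c : cases) {
            int off = c[0];
            int len = c[1];
            boolean full = fullCheck(ba, off, len);
            boolean simple = simplifiedCheck(ba, off, len);
            String marker = full == simple ? "" : "  <-- disagreement";
            System.out.printf("off=%3d len=%3d  checkFromIndexSize=%-5b checkIndex=%-5b%s%n",
                    off, len, full, simple, marker);
        }
        // With the full check in the Java wrapper, a negative len never reaches the
        // intrinsic. With only the simplified check, it would; here the stand-in loop
        // just returns len unchanged, a native implementation gets no such guarantee.
        if (simplifiedCheck(ba, 12, -5)) {
            System.out.println("stand-in countPositives(ba, 12, -5) = " + countPositives(ba, 12, -5));
        }
    }
}
```

Run it with `java RangeCheckCompare.java` (Java 11 or later). The point for the PR is the last two rows: once the range check lives only in the Java wrapper, whatever that wrapper does not reject is what the C2 intrinsic sees, so dropping the `len >= 0` part is a correctness decision about the intrinsic's contract, not just a micro-optimisation.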