RFR (XXS): 8006807: C2 crash due to out of bounds array access in Parse::do_multianewarray

Volker Simonis volker.simonis at gmail.com
Tue Jan 29 10:41:50 PST 2013 

Please review the fix for the following issue and submit the change if you
find it appropriate:

http://cr.openjdk.java.net/~simonis/webrevs/8006807/

The change <http://cr.openjdk.java.net/%7Eiveresov/7058510/webrev.03/>
for "7058510:multinewarray
with 6 dimensions uncommon traps in server
compiler<http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7058510>"
replaced the fixed sized, stack allocated array 'length' of length 5 with a
dynamically, arena allocated array of size 'ndimensions + 1':

  Node** length = NEW_RESOURCE_ARRAY(Node*, ndimensions + 1);
  length[ndimensions] = NULL;  // terminating null for make_runtime_call

 In cases where 'ndimensions' is smaller than 4 (and bigger than 1 because
the 1-dimensional case is handled specially) this leads to field accesses
beyond the bounds of the 'length' array later on during the call to '
make_runtime_call(..)' which can eventually crash the compiler:

    c = make_runtime_call(RC_NO_LEAF | RC_NO_IO,
                          OptoRuntime::multianewarray_Type(ndimensions),
                          fun, NULL, TypeRawPtr::BOTTOM,
                          makecon(TypeKlassPtr::make(array_klass)),
                          length[0], length[1], length[2],
                          length[3], length[4]);

 Notice that these crashes are extremely rare, because usually, there is
still some accessible memory beyond the arena allocated 'length' array. We
only observed four crashes because of this problem in regular nightly runs
of JVM2008 during the last six month. The crashes only happened on Windows
although the problem is platform independent. I also couldn't reproduce the
problem with a test program which ran for several hours and constantly
compiled a method which allocated several two- and three-dimensional arrays
so I refrained from writing a regression test for this problem.

The fix is trivial: just check the value of 'ndimensions' before accessing
the corresponding 'length' slots and use NULL values for the cases where
the array slots do not exist. Notice that we only call make_runtime_call if
'ndimensions' is bigger than 1 in which case 'length' already contains
three entries (see allocation of the 'length' array above).

    c = make_runtime_call(RC_NO_LEAF | RC_NO_IO,
                          OptoRuntime::multianewarray_Type(ndimensions),
                          fun, NULL, TypeRawPtr::BOTTOM,
                          makecon(TypeKlassPtr::make(array_klass)),
                          length[0], length[1], length[2],
                          (ndimensions > 2) ? length[3] : NULL,
                          (ndimensions > 3) ? length[4] : NULL);




Thank you and best regards,
Volker
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.openjdk.java.net/pipermail/hotspot-compiler-dev/attachments/20130129/2e857d06/attachment.html

More information about the hotspot-compiler-dev mailing list