Possible integer overflow in LIRGenerator::generate_address on SPARC and other platforms
dean.long at oracle.com
dean.long at oracle.com
Wed Sep 14 21:26:14 UTC 2016
For sparc, I think this is used by LIRGenerator::do_LoadField() and
do_StoreField(), so "disp" should be limited by the size of object. I
didn't find sparc using it for Unsafe put.
dl
On 9/14/16 11:11 AM, Vladimir Kozlov wrote:
> CC to group since I am not familiar with C1.
>
> On SPARC generate_address() is called only from
>
> LIR_Address* generate_address(LIR_Opr base, int disp, BasicType type) {
> return generate_address(base, LIR_OprFact::illegalOpr, 0, disp,
> type);
> }
>
> So it is not a issue. But I agree with you in general.
>
> On x86 LIRGenerator::emit_array_address() may have this problem.
>
> The only explanation I see that we did not hit it is Interpreter may
> be more careful about checking it and throw exception.
>
> It could be C1 check this values somewhere else.
>
> Thanks,
> Vladimir
>
> On 9/6/16 9:21 AM, Doerr, Martin wrote:
>> Hi Vladimir,
>>
>> I was wondering about the following code in
>> LIRGenerator::generate_address in c1_LIRGenerator_sparc.cpp (and some
>> other platforms):
>>
>> if (index->is_constant()) {
>>
>> disp += index->as_constant_ptr()->as_jint() << shift;
>>
>> It’s fine to compute the constant in general, but disp is an int!
>>
>> Seems like the only user of this function which uses an index is
>> Unsafe put/get where nobody has noticed it yet.
>>
>> Do you think we have to fix this in 9?
>>
>> I can open a bug if you like.
>>
>> Best regards,
>>
>> Martin
>>
More information about the hotspot-compiler-dev
mailing list