RFR(S): 8215265: C2: range check elimination may allow illegal out of bound access
Tobias Hartmann
tobias.hartmann at oracle.com
Mon Dec 17 12:52:39 UTC 2018
Hi Roland,
but like this, you may unnecessarily increase the number of iterations of the pre-loop, right?
Best regards,
Tobias
On 17.12.18 10:28, Roland Westrelin wrote:
>
> http://cr.openjdk.java.net/~roland/8215265/webrev.00/
>
> In the test case, for the loop in test1, the limit for the pre loop is
> computed by range check elimination to be, for offset = -5:
>
> (0 - (-5)) / 2 = 2
>
> So main loop starts executing with i = 2, but 2 * 2 - 5 = -1 and is out
> of bound.
>
> For the loop in test2, the limit for the pre loop is, for offset = 203:
>
> (199 - (203+1)) / -2 = 2
>
> and main loop starts at i = 2, but 203 - 4 = 199 is out of bound.
>
> In both cases, the root cause is that integer division rounds the limit
> of the pre loop down. The fix I propose is to add 1 to the limit of the
> pre loop in both cases.
>
> I thought the same problem would apply to the limit of the main loop in
> some cases but couldn't write a test case or find a scale/offset pair
> that would allow an out of bound array access.
>
> Roland.
>
More information about the hotspot-compiler-dev
mailing list