RFR: 8271925: ZGC: Arraycopy stub passes invalid oop to load barrier
Nils Eliasson
neliasso at openjdk.java.net
Thu Aug 5 21:30:29 UTC 2021
On Thu, 5 Aug 2021 15:24:23 GMT, Vladimir Kozlov <kvn at openjdk.org> wrote:
>> The fix for [JDK-8270461](https://bugs.openjdk.java.net/browse/JDK-8270461), see [PR 252](https://git.openjdk.java.net/jdk17/pull/252), made sure that the arraycopy offset when cloning an oop array always points to the first element of the array. However, it failed to adjust the copy length as well, leading to reading/copying 8 bytes beyond the end of the array.
>>
>> This only reproduces in Valhalla (probably because the mark word layout differs there) and only with `-XX:-UseCompressedClassPointers`. I'll backport the fix to JDK 17u.
>>
>> Thanks,
>> Tobias
>
> src/hotspot/share/gc/z/c2/zBarrierSetC2.cpp line 309:
>
>> 307: assert(!UseCompressedClassPointers, "should only happen without compressed class pointers");
>> 308: assert((arrayOopDesc::base_offset_in_bytes(T_OBJECT) - offset) == BytesPerLong, "unexpected offset");
>> 309: length = phase->transform_later(new SubXNode(length, phase->longcon(1))); // Size is in longs
>
> Do we have a check that `length` is a count of `BytesPerLong`?
> Do we have a guard that this code is executed only in 64-bit VM?
> `SubXNode` is SubINode in 32-bit VM.
Z is 64 bit only.
-------------
PR: https://git.openjdk.java.net/jdk/pull/5014
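The offset/length mismatch Tobias describes, modelled as an added C example (not code from the PR or from HotSpot): the object layout numbers and the `clone_params` struct are constructed assumptions, and `adjust_clone_start` stands in for the `SubXNode` adjustment quoted above, with a flag to show the behaviour before and after the fix.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define BYTES_PER_LONG 8

/* What the clone stub receives (hypothetical model): byte offset of the first
 * copied word in the source object, and the copy length in 8-byte longs. */
typedef struct {
    size_t offset;        /* byte offset into the object */
    size_t length_longs;  /* number of longs to copy */
} clone_params;

/* Model of the adjustment in zBarrierSetC2.cpp: move the copy start up to
 * base_offset (the first array element). Only when fix_length is true is the
 * length shortened by the same amount; false reproduces the reported over-read. */
clone_params adjust_clone_start(clone_params p, size_t base_offset, bool fix_length) {
    size_t delta = base_offset - p.offset;  /* the quoted assert expects BytesPerLong here */
    p.offset = base_offset;
    if (fix_length) {
        p.length_longs -= delta / BYTES_PER_LONG;
    }
    return p;
}

/* Bytes the copy would read past the end of a source object of obj_bytes. */
size_t overread_bytes(clone_params p, size_t obj_bytes) {
    size_t end = p.offset + p.length_longs * BYTES_PER_LONG;
    return end > obj_bytes ? end - obj_bytes : 0;
}

int main(void) {
    /* Constructed layout (sample values, not HotSpot's): first element at byte 24,
     * four 8-byte elements, so the object is 56 bytes. Before the adjustment the
     * stub copies 5 longs starting at byte 16, which ends exactly at the object end. */
    size_t base_offset = 24, obj_bytes = 56;
    clone_params before = { 16, 5 };
    clone_params buggy = adjust_clone_start(before, base_offset, false);
    clone_params fixed = adjust_clone_start(before, base_offset, true);
    printf("buggy: over-read %zu bytes\n", overread_bytes(buggy, obj_bytes)); /* 8 */
    printf("fixed: over-read %zu bytes\n", overread_bytes(fixed, obj_bytes)); /* 0 */
    return 0;
}
```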