RFR: 8262295: C2: Out-of-Bounds Array Load from Clone Source [v2]

Roland Westrelin roland at openjdk.java.net
Fri Mar 19 09:29:40 UTC 2021


On Thu, 18 Mar 2021 09:49:10 GMT, Richard Reingruber <rrich at openjdk.org> wrote:

>> This c2 fix makes the optimization of loads from the result array of a
>> Object.clone() call dependent on a compile time range check in order to prevent
>> out-of-bounds array loads described in JDK-8262295.
>> 
>> Testing: The included reproducer test. The fix also passed our CI testing: JCK
>> and JTREG, also in Xcomp mode, SPECjvm2008, SPECjbb2015, SAP-specific tests with
>> fastdebug and release builds on all platforms.
>> 
>> Alternatively the transformed load could be made dependent on a range check at
>> runtime. Based on our automated benchmarking it wouldn't be worth
>> it. Our benchmark results include quite a bit of noise though.
>
> Richard Reingruber has updated the pull request incrementally with one additional commit since the last revision:
> 
>   Changes based on feedback from Vladimir K.

Changes requested by roland (Reviewer).

src/hotspot/share/opto/memnode.cpp line 552:

> 550:       const TypeInt* sizetype  = ary_t->size();
> 551: 
> 552:       if (ld_offs_t->_lo >= header && ld_offs_t->_hi < sizetype->_lo * elemsize + header) {

Isn't there a risk of overflow with sizetype->_lo * elemsize + header?

-------------

PR: https://git.openjdk.java.net/jdk/pull/2708
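To make the overflow question in the review concrete, here is an added example (not code from the PR or from HotSpot) that evaluates the quoted bound `sizetype->_lo * elemsize + header` once in 32-bit arithmetic and once widened to 64 bits. `IntRange` is a stand-in for the two bounds of a C2 `TypeInt`, and the values `header = 16`, `elemsize = 8` and the array-size lower bound are constructed for the demonstration; none of them come from the PR.

```cpp
#include <cstdint>
#include <climits>
#include <cstdio>

// Stand-in for the lo/hi bounds of a C2 TypeInt (assumption: not HotSpot's
// own type, just what the quoted check reads from it).
struct IntRange {
    int32_t lo;
    int32_t hi;
};

// True when size_lo * elemsize + header does not fit in a 32-bit int,
// i.e. when the naive expression in the review would overflow.
bool bound_overflows(int32_t size_lo, int32_t elemsize, int32_t header) {
    int64_t bound = (int64_t)size_lo * elemsize + header;
    return bound > INT32_MAX || bound < INT32_MIN;
}

// Two's-complement wrap of the naive 32-bit expression. Computed in unsigned
// so the example has defined behavior; in C++ the signed version is UB.
int32_t naive_bound_wrapped(int32_t size_lo, int32_t elemsize, int32_t header) {
    uint32_t u = (uint32_t)size_lo * (uint32_t)elemsize + (uint32_t)header;
    return (int32_t)u;
}

// The quoted check with the bound computed in the wrapped 32-bit form.
bool load_in_bounds_naive(IntRange ld_offs, IntRange size,
                          int32_t elemsize, int32_t header) {
    int32_t upper = naive_bound_wrapped(size.lo, elemsize, header);
    return ld_offs.lo >= header && ld_offs.hi < upper;
}

// The same check with the product widened to 64 bits so it cannot wrap.
bool load_in_bounds_wide(IntRange ld_offs, IntRange size,
                         int32_t elemsize, int32_t header) {
    int64_t upper = (int64_t)size.lo * elemsize + header;
    return ld_offs.lo >= header && (int64_t)ld_offs.hi < upper;
}

int main() {
    const int32_t header = 16;   // constructed array header size
    const int32_t elemsize = 8;  // constructed element size (e.g. long[])

    // Small array: both forms agree.
    IntRange small_size = {100, 200};
    IntRange small_offs = {16, 815};  // 16 + 100*8 = 816 is the first out-of-bounds byte
    printf("small: naive=%d wide=%d\n",
           load_in_bounds_naive(small_offs, small_size, elemsize, header),
           load_in_bounds_wide(small_offs, small_size, elemsize, header));

    // Large lower bound on the array length: 603979776 * 8 exceeds INT32_MAX,
    // so the 32-bit bound wraps to 536870928 and the naive check rejects a load
    // the widened check correctly accepts.
    IntRange big_size = {603979776, INT32_MAX};
    IntRange big_offs = {16, 1000000000};
    printf("big: overflow=%d wrapped_bound=%d naive=%d wide=%d\n",
           bound_overflows(big_size.lo, elemsize, header),
           naive_bound_wrapped(big_size.lo, elemsize, header),
           load_in_bounds_naive(big_offs, big_size, elemsize, header),
           load_in_bounds_wide(big_offs, big_size, elemsize, header));
    return 0;
}
```

Because both factors are non-negative, a wrapped product is always smaller than the true bound, so in this direction the 32-bit form only makes the check spuriously fail; the reason to widen it anyway is that signed overflow is undefined behavior in C++, so the compiler is free to assume the wrap never happens and the result is not reliable either way.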


More information about the hotspot-compiler-dev mailing list