RFR: 8213415: BitMap::word_index_round_up overflow problems
Thomas Stüfe
thomas.stuefe at gmail.com
Thu Nov 28 12:42:07 UTC 2019
Hi Kim,
http://cr.openjdk.java.net/~kbarrett/8213415/open.03/src/hotspot/share/utilities/bitMap.hpp.udiff.html
+ // Limit max_size_in_bits so aligning up to a word never overflows.
+ static idx_t max_size_in_words() { return
raw_to_words_align_down(~idx_t(0)); }
+ static idx_t max_size_in_bits() { return max_size_in_words() *
BitsPerWord; }
Could we have better comments? I first thought that max_size_in_words()
means bitmap size, only the static specifier ticked me off.
So, if I understand this correctly, we need this since we use the same type
for bit and word indices and since we have a n:1 relationship between those
two the max. bit index is necessary smaller than <type>_MAX?
+ // Assumes relevant validity checking for bit has already been done.
+ static idx_t raw_to_words_align_up(idx_t bit) {
+ return raw_to_words_align_down(bit + (BitsPerWord - 1));
+ }
Interestingly, this could break should we ever have different types for
word- and bit indices. Should we ever want to templatize the underlying
types, eg. to support small bitmaps where 8 or 16 bits would be enough to
encode a bitmap index. Then it could make sense to have a larger type for
word indices than for bit indices and we could overflow here.
(Just idle musings.. we have talked about using different types for bit-
and word-indexes before. I have worked on a patch for this, but it got
snowed under by other work. See:
http://cr.openjdk.java.net/~stuefe/webrevs/bitmap-improvements/bitmap-better-types.
What do you think, does this still make sense?)
+
+ // Verify size_in_bits does not exceed maximum size.
+ static void verify_size(idx_t size_in_bits) NOT_DEBUG_RETURN;
"maximum size" is unclear. Can you make the comment more precise?
Also, could this function be private?
+ // Verify bit is less than size.
+ void verify_index(idx_t bit) const NOT_DEBUG_RETURN;
+ // Verify bit is not greater than size.
+ void verify_limit(idx_t bit) const NOT_DEBUG_RETURN;
+ // Verify [beg,end) is a valid range, e.g. beg <= end <= size().
+ void verify_range(idx_t beg, idx_t end) const NOT_DEBUG_RETURN;
I have a bit of a trouble understanding these variants and how they are
used.
I believe to understand that verify_limit() is to verify range sizes, since
the valid range for a size type is always one larger than that for an index
type, right? But it is used to test indices for validity, for example via
to_words_align_down() -> word_addr(). Which would mean for a 64bit sized
bitmap (1 word size) I can feed an invalid "64" as index to word_addr(),
which verify_limit() would accept but would get me the invalid word index
"1". I would have expected word_addr() to only return usable word adresses
and to assert in this case.
I also feel that if I got it right the naming is the wrong way around. I
would have expected "verify_size()" to refer to the bitmap object map size,
and "verify_limit()" to the type limit (similar to limits.h)..
Cheers, Thomas
On Wed, Nov 27, 2019 at 1:41 AM Kim Barrett <kim.barrett at oracle.com> wrote:
> > On Jun 11, 2019, at 12:42 PM, Kim Barrett <kim.barrett at oracle.com>
> wrote:
> >
> >> On Jun 10, 2019, at 9:14 PM, Kim Barrett <kim.barrett at oracle.com>
> wrote:
> >> new webrevs:
> >> full: http://cr.openjdk.java.net/~kbarrett/8213415/open.01/
> >> incr: http://cr.openjdk.java.net/~kbarrett/8213415/open.01.inc/
> >
> > Stefan and I have been talking about this offline. We have some ideas
> for further changes in
> > a slightly different direction, so no point in anyone else reviewing the
> open.01 changes right now
> > (or maybe ever).
>
> Finally returning to this. Stefan Karlsson and Thomas Shatzl had some
> offline feedback on earlier versions that led to some rethinking and
> rework. This included an attempt to be a little more consistent with
> nomenclature. There are still some lingering naming issues, which
> might be worth fixing some other time.
>
> The basic approach hasn't changed though. From the original RFR:
>
> Constructing a BitMap now ensures the size is such that rounding it up
> to a word boundary won't overflow. This is the new max_size_in_bits()
> value. This lets us add some asserts and otherwise tidy things up in
> some places by making use of that information.
>
> This engendered some changes to ParallelGC's ParMarkBitMap. It no
> longer uses the obsolete BitMap::word_align_up, instead having its own
> internal helper for aligning range ends that knows about invariants in
> ParMarkBitMap.
>
> CR:
> https://bugs.openjdk.java.net/browse/JDK-8213415
>
> New webrev:
> http://cr.openjdk.java.net/~kbarrett/8213415/open.03/
> (No incremental webrev; it wouldn't help that much for BitMap changes,
> and there have been several intervening months since the last one.)
>
> Testing:
> mach5 tier1-5
>
>
More information about the hotspot-dev
mailing list