RFR: 8374755: ML-KEM's 12-bit decompression uses incorrect assertions [v2]

Andrew Haley aph at openjdk.org
Thu Jan 15 10:59:34 UTC 2026


On Wed, 14 Jan 2026 13:06:15 GMT, Ferenc Rakoczi <duke at openjdk.org> wrote:

>> The preconditions for the aarch64 and the AVX-512 intrinsic implementations of the implKyber12To16() method of com.sun.crypto.provider.ML_KEM are different and the AVX-512 one has stricter preconditions on the input, which was not recorded in the assert() before calling the function (although they were satisfied by all calling code). Now the assert() is corrected, and with these preconditions, the aarch64 implementation is simplified.
>
> Ferenc Rakoczi has updated the pull request incrementally with one additional commit since the last revision:
> 
>   Fix off-by-one error discovered by Shawn

src/hotspot/cpu/aarch64/stubGenerator_aarch64.cpp line 6084:

> 6082:   //         byte[] condensed, int index, short[] parsed, int parsedLength) {}
> 6083:   //
> 6084:   // it is assumed that parsed and condensed are allocated such that for

By whom? :-)
Suggestion:

  // we assume that parsed and condensed are allocated such that for

src/hotspot/cpu/aarch64/stubGenerator_aarch64.cpp line 6280:

> 6278:     vs_st2_post(vs_front(vs_front(vb)), __ T8H, parsed);
> 6279: 
> 6280:     __ BIND(L_end);

This is a substantial change, not a mere matter of "incorrect assertions". Perhaps this PR needs a more appropriate title.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/29141#discussion_r2693915262
PR Review Comment: https://git.openjdk.org/jdk/pull/29141#discussion_r2693920223
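Added here as an illustration, not code from the PR or from OpenJDK: a pure-Python reference for the 12-bit to 16-bit unpacking that implKyber12To16(condensed, index, parsed, parsedLength) performs (FIPS 203 ByteDecode_12, three bytes per pair of coefficients), with the length preconditions written out as explicit checks so an off-by-one in the caller's assumptions is caught rather than turned into an over-read. The signature shape comes from the quoted comment; the function names and the exact checks are assumptions for this reference, not the intrinsics' actual rules.

```python
# Added example, not code from the OpenJDK PR: a pure-Python reference for
# the 12-bit -> 16-bit unpacking done by implKyber12To16(condensed, index,
# parsed, parsedLength), i.e. FIPS 203 ByteDecode_12: every 3 bytes of
# `condensed` hold two 12-bit coefficients, bit-little-endian. The length
# checks below are what a precondition assert() for this signature has to
# cover; they are assumptions for this reference, not the intrinsics' rules.

def preconditions_hold(condensed_len, index, parsed_len, parsed_length):
    """Return True when a call with these sizes touches only valid memory."""
    if parsed_length < 0 or parsed_length % 2 != 0:
        return False                      # pairs of coefficients only
    if parsed_length > parsed_len:
        return False                      # would write past `parsed`
    needed = 3 * (parsed_length // 2)     # 3 input bytes per 2 outputs
    return 0 <= index and index + needed <= condensed_len   # no over-read


def kyber12_to_16(condensed, index, parsed, parsed_length):
    """Unpack parsed_length 12-bit values starting at condensed[index]."""
    if not preconditions_hold(len(condensed), index, len(parsed), parsed_length):
        raise ValueError("implKyber12To16 precondition violated")
    for i in range(parsed_length // 2):
        b0, b1, b2 = condensed[index + 3 * i : index + 3 * i + 3]
        parsed[2 * i] = b0 | ((b1 & 0x0F) << 8)       # low 12 bits
        parsed[2 * i + 1] = (b1 >> 4) | (b2 << 4)     # high 12 bits
    return parsed


def kyber16_to_12(values):
    """Inverse (ByteEncode_12); used here only to build test vectors."""
    out = bytearray()
    for i in range(0, len(values), 2):
        a, b = values[i], values[i + 1]
        out += bytes([a & 0xFF, (a >> 8) | ((b & 0x0F) << 4), b >> 4])
    return bytes(out)


if __name__ == "__main__":
    # Constructed vector: 256 coefficients in [0, 3329), round-tripped.
    coeffs = [(i * 97) % 3329 for i in range(256)]
    packed = kyber16_to_12(coeffs)
    assert kyber12_to_16(packed, 0, [0] * 256, 256) == coeffs
    # The off-by-one case: one byte short of the 384 needed at index 1.
    assert not preconditions_hold(len(packed), 1, 256, 256)
    print("ok")
```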


More information about the security-dev mailing list