[OpenJDK 2D-Dev] RFR 8144445: Maximum size checking in Marlin ArrayCache utility methods is not optimal

Laurent Bourgès bourges.laurent at gmail.com
Wed Dec 9 21:38:23 UTC 2015 

Hi Jim,

I took me some time to understand your detailled analysis and make a new
webrev:
http://cr.openjdk.java.net/~lbourges/marlin/marlin-8144445.2/

I think I adopted all your change proposals, see below:

In looking this over again I notice that really the exceptions are only
> thrown on "out of range" needSize values and they are probably always
> thrown in that case, but sometimes we only discover those range issues if
> other things fail and many of the tests that lead to getting to that
> statement may or may not operate correctly depending on whether they are
> dealing with a valid needSize (for instance testing against "< needSize"
> when needSize might be negative, etc.).  It makes verifying this code much
> more difficult due to having to deal with cases where multiple variables
> might be out of range when they are computed or compared against each
> other.  To that end, it might be more straightforward to simply test
> needSize at the top and then the rest of the function can know it is
> dealing with a proper value for needSize and only has to worry about
> returning a non-overflowing number.  Knowing that needSize is a valid
> number makes any computations with it or compares against it have fewer
> "failure conditions" to note and vet.
>

I followed your approach and I agree it is more clear.

>
> For example:
>
> first function:
>
> 185-189 move to the top of the function and only test needSize and then
> later on line 177 we capture any overflow since we know that needSize
> cannot be negative as well.  180,182 are then sufficient to make sure that
> the value calculated in that case will be >= needSize.
>

Fixed.


> second function:
>
> 215-220 also move to the top of that function and 214 (if it compares size
> in both cases) is sufficient to make sure we are returning a value >=
> needSize in all cases.  As it stands 210 and 212 could be computing random
> values and the tests at 214 and later are no longer complicated by having
> to consider the case that needSize itself is wrong - they only have to deal
> with whether the returned size bumped out of range.
>

Fixed.


> general note:
>
> Also, "(longval < 0L || longval > MAX_INT)" can be calculated as
> "((longval >> 31) != 0)".
>

Thanks for the tip: I use it now.


> I could also check size < 0L if you want but it is only possible if
>> curSize < 0 (that should never happen) !
>>
>
> That may be true at line 209, but then you test it against needSize and do
> more calculations where the new value of size depends only on needSize and
> so its dependence on curSize no longer offers any protection.  At 214 you
> might not be able to assert that size>=0 any more as a result.
>
>   That works.  I was thinking more along the lines of this which is more
>> straightforward:
>>
>
> try {
>     do test;
>     throw new RuntimeException("AIOBException not thrown");
> } catch (AIOBException e) (
>     return;
> } catch (Throwable t) {
>     throw new RuntimeException("Wrong exception (not AIOB) thrown", t);
> }
>

Fixed.

Cheers,
Laurent
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.openjdk.java.net/pipermail/2d-dev/attachments/20151209/39ba7e29/attachment.html>

More information about the 2d-dev mailing list