RFR (S): 8159431: C1 arraycopy intrinsic type checks missing
zoltan.majo at oracle.com
Mon Jun 27 18:20:18 UTC 2016
thank you for the feedback!
On 06/25/2016 12:56 AM, Vladimir Kozlov wrote:
> Zoltan, checking that klass is not j.l.Object is not enough.
> See the following code in the stub generators for how to check for arrays (similar code
> exists on all platforms):
right, thank you for catching that!
Here is the updated webrev:
Testing: JPRT (testset hotspot).
> On 6/24/16 9:05 AM, Zoltán Majó wrote:
>> please review the patch for 8159431.
>> Problem: The C1 intrinsic for
>> java.lang.System.arraycopy(Object src, int srcPos, Object dest, int
>> destPos, int length)
>> does not verify that 'src' or 'dest' is a "proper" array. As a
>> result, the intrinsic reads the non-existing 'length' field from
>> java.lang.Object (i.e., the intrinsic reads past the end of the
>> java.lang.Object instance), which is incorrect.
>> Also, the intrinsic only checks if 'src' is a subclass of 'dest'
>> before writing into 'dest' without checking the special case
>> 'dest'==java.lang.Object. That can result in data being written to a
>> random heap location instead of the required ArrayStoreException
>> being thrown.
>> Solution: Check the type of 'src' and 'dest' at runtime if the
>> compiler was not able to prove at compile-time that 'src' and 'dest'
>> are "proper" arrays.
>> Testing: JPRT (testset hotspot).
>> I'll do an RBT run once the code is close to its final shape.
>> The problem was originally reported by Xiang Yuan from Linaro. Once
>> the code is reviewed, I plan to push the patch with Xiang and myself
>> as contributors.
>> The open arm port and ppc are also likely to be affected. I'll file
>> bugs for those architectures and notify persons working on the
>> appropriate ports.
>> Thank you!
>> Best regards,
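The two failure modes described in the quoted report (a non-array 'src' whose non-existent 'length' field gets read, and a 'dest' of exactly java.lang.Object that passes a plain subclass check), as an added Java reproducer. This is not part of the patch or of the JDK's own regression tests; it assumes a HotSpot JVM, and the class name, the copy() wrapper and the suggested command-line flags are choices made for this example. The wrapper keeps both operands typed as Object so that C1 cannot prove at compile time that they are arrays and has to rely on its runtime checks.

```java
// Added example, not the patch's test. Exercises System.arraycopy through a
// method whose parameters are plain Object, so the C1 intrinsic cannot prove
// statically that 'src' and 'dest' are arrays and must check at runtime.
// Suggested run (flags are an assumption for forcing C1 compilation of copy()):
//   java -XX:TieredStopAtLevel=1 -XX:-BackgroundCompilation ArrayCopyNonArrayTest
public class ArrayCopyNonArrayTest {

    // Parameters deliberately typed as Object: the shape the bug report
    // describes, where the compiler has no static type information.
    static void copy(Object src, int srcPos, Object dest, int destPos, int length) {
        System.arraycopy(src, srcPos, dest, destPos, length);
    }

    // True if the call threw ArrayStoreException, which the System.arraycopy
    // specification requires whenever src or dest is not an array.
    static boolean throwsArrayStoreException(Object src, Object dest, int length) {
        try {
            copy(src, 0, dest, 0, length);
            return false;
        } catch (ArrayStoreException expected) {
            return true;
        }
    }

    public static void main(String[] args) {
        Object[] valid = new Object[8];

        // Warm up with well-typed arrays so that copy() is compiled by C1
        // before the problematic calls are made.
        for (int i = 0; i < 100_000; i++) {
            copy(valid, 0, valid, 0, 1);
        }

        // Case 1 from the report: 'src' is a plain java.lang.Object with no
        // 'length' field. Without a runtime type check the intrinsic reads past
        // the end of the instance. Length 0 so that only the type check, not a
        // bounds check, decides the outcome.
        boolean srcRejected = throwsArrayStoreException(new Object(), valid, 0);

        // Case 2 from the report: 'dest' is java.lang.Object. Every class is a
        // subclass of Object, so a bare "src is a subclass of dest" check lets
        // the copy proceed and write one element into the non-array instance.
        boolean destRejected = throwsArrayStoreException(valid, new Object(), 1);

        System.out.println("non-array src rejected:  " + srcRejected);
        System.out.println("non-array dest rejected: " + destRejected);
        if (!srcRejected || !destRejected) {
            throw new RuntimeException("System.arraycopy accepted a non-array operand");
        }
    }
}
```

On a JVM with the fix, both calls throw ArrayStoreException and the program exits normally; on an affected build the second case in particular may not throw at all, since the write lands inside the java.lang.Object instance (or past it) rather than being rejected, which is the symptom the report describes.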