[9] RFR(L) 8158168: SIGSEGV: CollectedHeap::fill_with_objects(HeapWord*, unsigned long, bool)+0xa8

dean.long at oracle.com
Wed Mar 15 21:28:51 UTC 2017



This crash is caused by missing array bounds checks on compact string 
intrinsics.  It shows up when unsynchronized access to a StringBuilder 
object causes inconsistent field values.

To convince myself that all the necessary bounds checks are being done, 
I put callers into two groups, trusted and untrusted. Untrusted callers 
are all directed through StringUTF16 methods, so that bounds checks are 
done in one place and can be tested easily. Trusted callers bypass the 
bounds checks, so they must do their own checking.

As a safety net, I added asserts around the intrinsic calls, and a 
try/catch so that any out-of-bounds exception turns into an assert error 
as well.  Finally, I restored some C2 debug code that was previously 
removed, and I use it to do bounds checking in debug builds.  In a 
product build C2 will remove all of these.

See the bug report for tests run.

There are some unavoidable performance regressions on micro benchmarks, 
because now we are doing bounds checks that we weren't before.


More information about the hotspot-compiler-dev mailing list
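The following is an added illustration of the trusted/untrusted split and the safety net the message describes; it is not JDK code and not part of the original post. The class and method names (`BoundsDemo`, `getCharUnchecked`, `charAt`, `indexOfUnchecked`, `indexOfWithSafetyNet`, `RacyBuilder`) are hypothetical, and the inconsistent `count`/`value` snapshot that a racing reader could observe is constructed deterministically rather than by actually racing threads. In the JVM the unchecked path is an intrinsic whose out-of-bounds read is a SIGSEGV; in plain Java the same mistake surfaces as an `ArrayIndexOutOfBoundsException`, which is what the try/catch net converts into an `AssertionError`.

```java
/**
 * Added example (not JDK code) of routing untrusted callers through one
 * bounds-checked gateway, letting trusted callers check for themselves,
 * and wrapping the unchecked "intrinsic" in an assert plus a try/catch net.
 * Chars are stored as two bytes each, like a UTF16 compact-string array.
 * Run with:  java -ea BoundsDemo
 */
public final class BoundsDemo {

    /** Stand-in for the intrinsic: no bounds check, trusted callers only (hypothetical name). */
    static char getCharUnchecked(byte[] value, int index) {
        int hi = value[index << 1] & 0xff;        // big-endian pair
        int lo = value[(index << 1) + 1] & 0xff;
        return (char) ((hi << 8) | lo);
    }

    /** Single gateway for untrusted callers: the bounds check lives here and only here. */
    static char charAt(byte[] value, int index) {
        int length = value.length >> 1;
        if (index < 0 || index >= length) {
            throw new StringIndexOutOfBoundsException("index " + index + ", length " + length);
        }
        return getCharUnchecked(value, index);
    }

    /** Trusted caller: bypasses the gateway, so it must validate its own range first. */
    static int indexOfUnchecked(byte[] value, int fromIndex, int toIndex, char ch) {
        // Debug-build check around the intrinsic call; compiled out with -da.
        assert fromIndex >= 0 && fromIndex <= toIndex && toIndex <= (value.length >> 1)
                : "trusted caller passed bad bounds: [" + fromIndex + "," + toIndex + ") of "
                  + (value.length >> 1);
        for (int i = fromIndex; i < toIndex; i++) {
            if (getCharUnchecked(value, i) == ch) {
                return i;
            }
        }
        return -1;
    }

    /** Safety net: any out-of-bounds escaping the trusted path becomes an assert error. */
    static int indexOfWithSafetyNet(byte[] value, int fromIndex, int toIndex, char ch) {
        try {
            return indexOfUnchecked(value, fromIndex, toIndex, ch);
        } catch (IndexOutOfBoundsException e) {
            throw new AssertionError("missing bounds check on trusted path", e);
        }
    }

    /** Deliberately unsynchronized builder: 'value' and 'count' are published separately. */
    static final class RacyBuilder {
        byte[] value;
        int count;

        RacyBuilder(int capacity) {
            value = new byte[capacity << 1];
        }

        RacyBuilder append(char c) {
            if (count >= (value.length >> 1)) {
                byte[] bigger = new byte[value.length << 1];
                System.arraycopy(value, 0, bigger, 0, value.length);
                value = bigger;       // a reader may still hold the old, smaller array...
            }
            value[count << 1] = (byte) (c >> 8);
            value[(count << 1) + 1] = (byte) c;
            count++;                  // ...and then read this larger count
            return this;
        }
    }

    public static void main(String[] args) {
        // Constructed inconsistent snapshot: old array (capacity 4) paired with a newer count (5).
        RacyBuilder sb = new RacyBuilder(4);
        sb.append('a').append('b');
        byte[] staleValue = sb.value;              // reader observes value first
        sb.append('c').append('d').append('e');    // writer grows the array
        int freshCount = sb.count;                 // reader observes count second

        // Untrusted path: the gateway rejects the bad index before the unchecked read.
        try {
            charAt(staleValue, freshCount - 1);
        } catch (StringIndexOutOfBoundsException e) {
            System.out.println("gateway rejected: " + e.getMessage());
        }

        // Trusted path fed bad bounds: the assert (with -ea) or the try/catch net fires.
        try {
            indexOfWithSafetyNet(staleValue, 0, freshCount, 'e');
        } catch (AssertionError e) {
            System.out.println("safety net: " + e.getMessage());
        }
    }
}
```

With `-ea` the assert inside `indexOfUnchecked` trips first; with `-da` the loop runs past the old array and the try/catch converts the resulting `ArrayIndexOutOfBoundsException` into an `AssertionError`. Either way a caller that bypassed the gateway without checking its own bounds is caught in a debug run instead of silently reading past the array.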