RFR(S): 8215265: C2: range check elimination may allow illegal out of bound access

Roland Westrelin rwestrel at redhat.com
Mon Dec 17 09:28:38 UTC 2018


In the test case, for the loop in test1, the limit for the pre loop is
computed by range check elimination to be, for offset = -5:

(0 - (-5)) / 2 = 2

So main loop starts executing with i = 2, but 2 * 2 - 5 = -1 and is out
of bound.

For the loop in test2, the limit for the pre loop is, for offset = 203:

(199 - (203+1)) / -2 = 2

and main loop starts at i = 2, but 203 - 4 = 199 is out of bound.

In both cases, the root cause is that integer division rounds the limit
of the pre loop down. The fix I propose is to add 1 to the limit of the
pre loop in both cases.

I thought the same problem would apply to the limit of the main loop in
some cases but couldn't write a test case or find a scale/offset pair
that would allow an out of bound array access.


More information about the hotspot-compiler-dev mailing list