RFR(S): 8215265: C2: range check elimination may allow illegal out of bound access
rwestrel at redhat.com
Mon Dec 17 09:28:38 UTC 2018
In the test case, for the loop in test1, the limit for the pre loop is
computed by range check elimination to be, for offset = -5:
(0 - (-5)) / 2 = 2
So main loop starts executing with i = 2, but 2 * 2 - 5 = -1 and is out
For the loop in test2, the limit for the pre loop is, for offset = 203:
(199 - (203+1)) / -2 = 2
and main loop starts at i = 2, but 203 - 4 = 199 is out of bound.
In both cases, the root cause is that integer division rounds the limit
of the pre loop down. The fix I propose is to add 1 to the limit of the
pre loop in both cases.
I thought the same problem would apply to the limit of the main loop in
some cases but couldn't write a test case or find a scale/offset pair
that would allow an out of bound array access.
More information about the hotspot-compiler-dev