RFR(S): 8215265: C2: range check elimination may allow illegal out of bound access
vladimir.kozlov at oracle.com
Tue Dec 18 17:46:21 UTC 2018
I think we should adjust pre-loop limit expression by (scale -1) - round up integer division instead of default round down.
pre_limit = (low_limit - offset - (scale_con - 1)) / scale_con
Upper limit (main-loop limit) division should stay with round down.
On 12/17/18 1:28 AM, Roland Westrelin wrote:
> In the test case, for the loop in test1, the limit for the pre loop is
> computed by range check elimination to be, for offset = -5:
> (0 - (-5)) / 2 = 2
> So main loop starts executing with i = 2, but 2 * 2 - 5 = -1 and is out
> of bound.
> For the loop in test2, the limit for the pre loop is, for offset = 203:
> (199 - (203+1)) / -2 = 2
> and main loop starts at i = 2, but 203 - 4 = 199 is out of bound.
> In both cases, the root cause is that integer division rounds the limit
> of the pre loop down. The fix I propose is to add 1 to the limit of the
> pre loop in both cases.
> I thought the same problem would apply to the limit of the main loop in
> some cases but couldn't write a test case or find a scale/offset pair
> that would allow an out of bound array access.
More information about the hotspot-compiler-dev