Wed, 01 May 2019 22:02:48 +0530
8202414: Unsafe write after primitive array creation may result in array length change
Summary: Avoided collecting unaligned stores in Initialize node by making can_capture_store return false for same
Reviewed-by: dlong, kvn, vlivanov
src/share/vm/opto/memnode.cpp | file | annotate | diff | comparison | revisions | |
test/compiler/c2/Test8202414.java | file | annotate | diff | comparison | revisions |
1.1 --- a/src/share/vm/opto/memnode.cpp Tue May 28 18:50:44 2019 +0200 1.2 +++ b/src/share/vm/opto/memnode.cpp Wed May 01 22:02:48 2019 +0530 1.3 @@ -3353,9 +3353,6 @@ 1.4 // within the initialized memory. 1.5 intptr_t InitializeNode::can_capture_store(StoreNode* st, PhaseTransform* phase, bool can_reshape) { 1.6 const int FAIL = 0; 1.7 - if (st->is_unaligned_access()) { 1.8 - return FAIL; 1.9 - } 1.10 if (st->req() != MemNode::ValueIn + 1) 1.11 return FAIL; // an inscrutable StoreNode (card mark?) 1.12 Node* ctl = st->in(MemNode::Control); 1.13 @@ -3371,6 +3368,10 @@ 1.14 return FAIL; // inscrutable address 1.15 if (alloc != allocation()) 1.16 return FAIL; // wrong allocation! (store needs to float up) 1.17 + int size_in_bytes = st->memory_size(); 1.18 + if ((size_in_bytes != 0) && (offset % size_in_bytes) != 0) { 1.19 + return FAIL; // mismatched access 1.20 + } 1.21 Node* val = st->in(MemNode::ValueIn); 1.22 int complexity_count = 0; 1.23 if (!detect_init_independence(val, complexity_count))
2.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 2.2 +++ b/test/compiler/c2/Test8202414.java Wed May 01 22:02:48 2019 +0530 2.3 @@ -0,0 +1,117 @@ 2.4 +/* 2.5 + * Copyright (c) 2019, Huawei Technologies Co. Ltd. All rights reserved. 2.6 + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 2.7 + * 2.8 + * This code is free software; you can redistribute it and/or modify it 2.9 + * under the terms of the GNU General Public License version 2 only, as 2.10 + * published by the Free Software Foundation. 2.11 + * 2.12 + * This code is distributed in the hope that it will be useful, but WITHOUT 2.13 + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 2.14 + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 2.15 + * version 2 for more details (a copy is included in the LICENSE file that 2.16 + * accompanied this code). 2.17 + * 2.18 + * You should have received a copy of the GNU General Public License version 2.19 + * 2 along with this work; if not, write to the Free Software Foundation, 2.20 + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 2.21 + * 2.22 + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 2.23 + * or visit www.oracle.com if you need additional information or have any 2.24 + * questions. 2.25 + */ 2.26 + 2.27 +/** 2.28 + * @test 2.29 + * @bug 8202414 2.30 + * @summary Unsafe write after primitive array creation may result in array length change 2.31 + * @requires (os.arch != "sparc") & (os.arch != "sparcv9") 2.32 + * @run main/othervm compiler.c2.Test8202414 2.33 + */ 2.34 + 2.35 +package compiler.c2; 2.36 + 2.37 +import sun.misc.Unsafe; 2.38 +import java.lang.reflect.Field; 2.39 +import java.security.AccessController; 2.40 +import java.security.PrivilegedAction; 2.41 + 2.42 +public class Test8202414 { 2.43 + 2.44 + public static void main(String[] args) { 2.45 + System.err.close(); 2.46 + int count = 0; 2.47 + while (count++ < 120000) { 2.48 + test(); 2.49 + } 2.50 + } 2.51 + 2.52 + public static void test() { 2.53 + byte[] newBufb = serByte(397); 2.54 + short[] newBufs = serShort(397); 2.55 + int[] newBufi = serInt(397); 2.56 + long[] newBufl = serLong(397); 2.57 + if (newBufb.length != 397 || newBufs.length != 397 2.58 + || newBufi.length != 397 || newBufl.length != 397) { 2.59 + System.out.println("array length internal error"); 2.60 + throw new RuntimeException("Test failed"); 2.61 + } 2.62 + 2.63 + } 2.64 + 2.65 + public static byte[] serByte(int bufLen) { 2.66 + byte[] buf = new byte[bufLen]; 2.67 + THE_UNSAFE.putByte(buf, BYTE_ARRAY_BASE_OFFSET + 1, (byte) buf.length); 2.68 + System.err.println("ref " + buf); 2.69 + return buf; 2.70 + } 2.71 + 2.72 + public static short[] serShort(int bufLen) { 2.73 + short[] buf = new short[bufLen]; 2.74 + THE_UNSAFE.putShort(buf, SHORT_ARRAY_BASE_OFFSET + 1, (short) buf.length); 2.75 + System.err.println("ref " + buf); 2.76 + return buf; 2.77 + } 2.78 + 2.79 + public static int[] serInt(int bufLen) { 2.80 + int[] buf = new int[bufLen]; 2.81 + THE_UNSAFE.putInt(buf, INT_ARRAY_BASE_OFFSET + 1, buf.length); 2.82 + System.err.println("ref " + buf); 2.83 + return buf; 2.84 + } 2.85 + 2.86 + public static long[] serLong(int bufLen) { 2.87 + long[] buf = new long[bufLen]; 2.88 + THE_UNSAFE.putLong(buf, LONG_ARRAY_BASE_OFFSET + 1, buf.length); 2.89 + System.err.println("ref " + buf); 2.90 + return buf; 2.91 + } 2.92 + 2.93 + /* Unsafe fields and initialization 2.94 + */ 2.95 + static final Unsafe THE_UNSAFE; 2.96 + static final long BYTE_ARRAY_BASE_OFFSET; 2.97 + static final long SHORT_ARRAY_BASE_OFFSET; 2.98 + static final long INT_ARRAY_BASE_OFFSET; 2.99 + static final long LONG_ARRAY_BASE_OFFSET; 2.100 + static { 2.101 + THE_UNSAFE = (Unsafe) AccessController.doPrivileged ( 2.102 + new PrivilegedAction<Object>() { 2.103 + @Override 2.104 + public Object run() { 2.105 + try { 2.106 + Field f = Unsafe.class.getDeclaredField("theUnsafe"); 2.107 + f.setAccessible(true); 2.108 + return f.get(null); 2.109 + } catch (NoSuchFieldException | IllegalAccessException e) { 2.110 + throw new Error(); 2.111 + } 2.112 + } 2.113 + } 2.114 + ); 2.115 + BYTE_ARRAY_BASE_OFFSET = THE_UNSAFE.arrayBaseOffset(byte[].class); 2.116 + SHORT_ARRAY_BASE_OFFSET = THE_UNSAFE.arrayBaseOffset(short[].class); 2.117 + INT_ARRAY_BASE_OFFSET = THE_UNSAFE.arrayBaseOffset(int[].class); 2.118 + LONG_ARRAY_BASE_OFFSET = THE_UNSAFE.arrayBaseOffset(long[].class); 2.119 + } 2.120 +}