8202414: Unsafe write after primitive array creation may result in array length change
authorrraghavan
Wed, 01 May 2019 22:02:48 +0530
changeset 54667 f8d2b5ce4491
parent 54666 1b5f0a3f9c41
child 54668 0bda2308eded
8202414: Unsafe write after primitive array creation may result in array length change Summary: Avoided collecting unaligned stores in Initialize node by making can_capture_store return false for same Reviewed-by: dlong, kvn, vlivanov
src/hotspot/share/opto/memnode.cpp
test/hotspot/jtreg/compiler/c2/Test8202414.java
--- a/src/hotspot/share/opto/memnode.cpp	Wed May 01 09:06:12 2019 -0700
+++ b/src/hotspot/share/opto/memnode.cpp	Wed May 01 22:02:48 2019 +0530
@@ -3549,9 +3549,6 @@
 // within the initialized memory.
 intptr_t InitializeNode::can_capture_store(StoreNode* st, PhaseTransform* phase, bool can_reshape) {
   const int FAIL = 0;
-  if (st->is_unaligned_access()) {
-    return FAIL;
-  }
   if (st->req() != MemNode::ValueIn + 1)
     return FAIL;                // an inscrutable StoreNode (card mark?)
   Node* ctl = st->in(MemNode::Control);
@@ -3567,6 +3564,10 @@
     return FAIL;                // inscrutable address
   if (alloc != allocation())
     return FAIL;                // wrong allocation!  (store needs to float up)
+  int size_in_bytes = st->memory_size();
+  if ((size_in_bytes != 0) && (offset % size_in_bytes) != 0) {
+    return FAIL;                // mismatched access
+  }
   Node* val = st->in(MemNode::ValueIn);
   int complexity_count = 0;
   if (!detect_init_independence(val, complexity_count))
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/hotspot/jtreg/compiler/c2/Test8202414.java	Wed May 01 22:02:48 2019 +0530
@@ -0,0 +1,117 @@
+/*
+ * Copyright (c) 2019, Huawei Technologies Co. Ltd. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/**
+ * @test
+ * @bug 8202414
+ * @summary Unsafe write after primitive array creation may result in array length change
+ * @requires (os.arch != "sparc") & (os.arch != "sparcv9")
+ * @run main/othervm compiler.c2.Test8202414
+ */
+
+package compiler.c2;
+
+import sun.misc.Unsafe;
+import java.lang.reflect.Field;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+
+public class Test8202414 {
+
+    public static void main(String[] args) {
+        System.err.close();
+        int count = 0;
+        while (count++ < 120000) {
+          test();
+        }
+    }
+
+    public static void test() {
+        byte[] newBufb = serByte(397);
+        short[] newBufs = serShort(397);
+        int[] newBufi = serInt(397);
+        long[] newBufl = serLong(397);
+        if (newBufb.length != 397 || newBufs.length != 397
+            || newBufi.length != 397 || newBufl.length != 397) {
+            System.out.println("array length internal error");
+            throw new RuntimeException("Test failed");
+        }
+
+    }
+
+    public static byte[] serByte(int bufLen) {
+        byte[] buf = new byte[bufLen];
+        THE_UNSAFE.putByte(buf, BYTE_ARRAY_BASE_OFFSET + 1, (byte) buf.length);
+        System.err.println("ref " + buf);
+        return buf;
+    }
+
+    public static short[] serShort(int bufLen) {
+        short[] buf = new short[bufLen];
+        THE_UNSAFE.putShort(buf, SHORT_ARRAY_BASE_OFFSET + 1, (short) buf.length);
+        System.err.println("ref " + buf);
+        return buf;
+    }
+
+    public static int[] serInt(int bufLen) {
+        int[] buf = new int[bufLen];
+        THE_UNSAFE.putInt(buf, INT_ARRAY_BASE_OFFSET + 1, buf.length);
+        System.err.println("ref " + buf);
+        return buf;
+    }
+
+    public static long[] serLong(int bufLen) {
+        long[] buf = new long[bufLen];
+        THE_UNSAFE.putLong(buf, LONG_ARRAY_BASE_OFFSET + 1, buf.length);
+        System.err.println("ref " + buf);
+        return buf;
+    }
+
+    /* Unsafe fields and initialization
+     */
+    static final Unsafe THE_UNSAFE;
+    static final long BYTE_ARRAY_BASE_OFFSET;
+    static final long SHORT_ARRAY_BASE_OFFSET;
+    static final long INT_ARRAY_BASE_OFFSET;
+    static final long LONG_ARRAY_BASE_OFFSET;
+    static {
+        THE_UNSAFE = (Unsafe) AccessController.doPrivileged (
+            new PrivilegedAction<Object>() {
+                @Override
+                public Object run() {
+                    try {
+                        Field f = Unsafe.class.getDeclaredField("theUnsafe");
+                        f.setAccessible(true);
+                        return f.get(null);
+                    } catch (NoSuchFieldException | IllegalAccessException e) {
+                        throw new Error();
+                    }
+                }
+            }
+        );
+        BYTE_ARRAY_BASE_OFFSET = THE_UNSAFE.arrayBaseOffset(byte[].class);
+        SHORT_ARRAY_BASE_OFFSET = THE_UNSAFE.arrayBaseOffset(short[].class);
+        INT_ARRAY_BASE_OFFSET = THE_UNSAFE.arrayBaseOffset(int[].class);
+        LONG_ARRAY_BASE_OFFSET = THE_UNSAFE.arrayBaseOffset(long[].class);
+    }
+}