8203196: C1 emits incorrect code due to integer overflow in _tableswitch keys
Summary: Avoid integer overflow in TableSwitch().
Reviewed-by: goetz, mdoerr, vlivanov
--- a/src/hotspot/share/c1/c1_Instruction.hpp Mon May 21 21:27:12 2018 -0700
+++ b/src/hotspot/share/c1/c1_Instruction.hpp Tue May 22 09:04:15 2018 +0200
@@ -2122,11 +2122,11 @@
// creation
TableSwitch(Value tag, BlockList* sux, int lo_key, ValueStack* state_before, bool is_safepoint)
: Switch(tag, sux, state_before, is_safepoint)
- , _lo_key(lo_key) {}
+ , _lo_key(lo_key) { assert(_lo_key <= hi_key(), "integer overflow"); }
// accessors
int lo_key() const { return _lo_key; }
- int hi_key() const { return _lo_key + length() - 1; }
+ int hi_key() const { return _lo_key + (length() - 1); }
};
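Review bot: The assert added to the TableSwitch constructor detects overflow by letting `_lo_key + (length() - 1)` wrap and then comparing, but signed overflow is undefined behaviour in C++. An optimizing compiler may therefore fold `_lo_key <= hi_key()` into `length() >= 1`, so the check never fires on the case it names. Doing the sum in 64 bits keeps the check well defined: `assert((jlong)_lo_key + (length() - 1) <= max_jint, "integer overflow");`. The same pattern appears in the c1_LIRGenerator.cpp hunk (`lo_key <= (lo_key + (len - 1))`) and would take the same form. Note that hi_key() still returns an int sum, so the reparenthesizing removes only the intermediate overflow; the result is correct only while the true high key fits in an int.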
--- a/src/hotspot/share/c1/c1_LIRGenerator.cpp Mon May 21 21:27:12 2018 -0700
+++ b/src/hotspot/share/c1/c1_LIRGenerator.cpp Tue May 22 09:04:15 2018 +0200
@@ -2304,8 +2304,8 @@
move_to_phi(x->state());
int lo_key = x->lo_key();
- int hi_key = x->hi_key();
int len = x->length();
+ assert(lo_key <= (lo_key + (len - 1)), "integer overflow");
LIR_Opr value = tag.result();
if (compilation()->env()->comp_level() == CompLevel_full_profile && UseSwitchProfiling) {
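Review bot: The assert added after `int len = x->length();` is the only range check visible on this path, and HotSpot asserts are compiled out of product builds. The switch keys originate in class-file bytecode, so a product JIT depends entirely on whatever bounds them before the TableSwitch is built; that is presumably the bytecode parser, which is not visible here. A comment naming that place would make the dependency explicit, e.g. `// lo_key + (len - 1) must fit in an int; debug-only check, range enforced at <where the TableSwitch is built>`. The assert would also report "integer overflow" if `len` were 0, which looks misleading if an empty table can reach this point. The enclosing function starts and ends outside the hunk, so the remaining uses of the removed `hi_key` local cannot be checked from here.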