JDK-8155608 : String intrinsic range checks are not strict enough
  • Type: Bug
  • Component: hotspot
  • Sub-Component: compiler
  • Affected Version: 9
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2016-04-28
  • Updated: 2016-06-29
  • Resolved: 2016-05-13
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 9
9 b122Fixed
Related Reports
Relates :  
JDK-8054307 - JEP 254: Compact Strings
Relates :  
JDK-8156534 - Check if range checks can be moved into Java wrapper for intrinsics
Description
The Java level range checks for StringLatin1::inflate() and StringUTF16::compress() are too weak. Offset and length need to be multiplied by two because they access a char value in a byte array:

--- a/src/java.base/share/classes/java/lang/StringLatin1.java	Tue Apr 19 15:26:52 2016 -0400
+++ b/src/java.base/share/classes/java/lang/StringLatin1.java	Thu Apr 28 10:30:23 2016 +0200
@@ -567,7 +567,7 @@
     @HotSpotIntrinsicCandidate
     public static void inflate(byte[] src, int srcOff, byte[] dst, int dstOff, int len) {
         // We need a range check here because 'putChar' has no checks
-        checkBoundsOffCount(dstOff, len, dst.length);
+        checkBoundsOffCount(dstOff << 1, len << 1, dst.length);
         for (int i = 0; i < len; i++) {
             StringUTF16.putChar(dst, dstOff++, src[srcOff++] & 0xff);
         }

--- a/src/java.base/share/classes/java/lang/StringUTF16.java	Tue Apr 19 15:26:52 2016 -0400
+++ b/src/java.base/share/classes/java/lang/StringUTF16.java	Thu Apr 28 10:30:23 2016 +0200
@@ -162,7 +162,7 @@
     @HotSpotIntrinsicCandidate
     public static int compress(byte[] src, int srcOff, byte[] dst, int dstOff, int len) {
         // We need a range check here because 'getChar' has no checks
-        checkBoundsOffCount(srcOff, len, src.length);
+        checkBoundsOffCount(srcOff << 1, len << 1, src.length);
         for (int i = 0; i < len; i++) {
             char c = getChar(src, srcOff);
             if (c > 0xFF) {
Comments
Some String API methods use StringUTF16.putChar/getChar to read a char value from a byte array. For performance reasons, putChar/getChar is intrinsified by C1/C2 without range checks (like the Unsafe counterparts). The Java callers are responsible for adding the corresponding explicit range checks if necessary. I noticed that the Java level range checks in StringUTF16::compress(), StringUTF16::getChars() and StringLatin1::inflate() are not strong enough. Offset and length need to be multiplied by two because they index a char value in a byte array. I added a regression test that triggers the problem and also checks the other relevant intrinsics by invoking the methods with different arguments. http://cr.openjdk.java.net/~thartmann/8155608/jdk/webrev.00/ http://cr.openjdk.java.net/~thartmann/8155608/hotspot/webrev.00/
28-04-2016
ILW = potential out of bounds access, reproducible with regression test but not in product, disable intrinsic = MMM = P3
28-04-2016