JDK-8356865 : C2: Unreasonable values for debug flag FastAllocateSizeLimit can lead to left-shift-overflow, which is UB
  • Type: Bug
  • Component: hotspot
  • Sub-Component: compiler
  • Affected Version: 11,17,21,25
  • Priority: P4
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2025-05-13
  • Updated: 2025-07-03
  • Resolved: 2025-06-23
Fix Version: JDK 26 (build 26 b04, Fixed)
Description
Found via manual code inspection.

I modified the relevant code to make the overflow apparent:

diff --git a/src/hotspot/share/opto/graphKit.cpp b/src/hotspot/share/opto/graphKit.cpp
index 20feca26ede..6e46de0ec6e 100644
--- a/src/hotspot/share/opto/graphKit.cpp
+++ b/src/hotspot/share/opto/graphKit.cpp
@@ -3803,7 +3803,9 @@ Node* GraphKit::new_array(Node* klass_node, // array klass (maybe variable)
     assert(!StressReflectiveCode, "stress mode does not use these paths");
     // Increase the size limit if we have exact knowledge of array type.
     int log2_esize = Klass::layout_helper_log2_element_size(layout_con);
+ tty->print_cr("before shift: %d", fast_size_limit);
     fast_size_limit <<= (LogBytesPerLong - log2_esize);
+ tty->print_cr("after shift: %d", fast_size_limit);
   }
 
   Node* initial_slow_cmp = _gvn.transform( new CmpUNode( length, intcon( fast_size_limit ) ) );
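Review bot: the line this hunk instruments, `fast_size_limit <<= (LogBytesPerLong - log2_esize);`, left-shifts a signed `int` by a distance that grows as the element size shrinks, so a large FastAllocateSizeLimit overflows for small element sizes even where it still fits when `log2_esize == LogBytesPerLong`; the two `tty->print_cr` calls only make that visible and are diagnostic, so the actual guard belongs on the flag's allowed range (or on the shift itself), and the prints should not be part of the committed fix.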

java -XX:FastAllocateSizeLimit=1073741824 -Xbatch --version
before shift: 1073741824
after shift: 0
before shift: 1073741824
after shift: 0
before shift: 1073741824
after shift: 0
before shift: 1073741824
after shift: 0
before shift: 1073741824
after shift: 0
before shift: 1073741824
after shift: 0
before shift: 1073741824
after shift: -2147483648
java 25-internal 2025-09-16 LTS
Java(TM) SE Runtime Environment (fastdebug build 25-internal-LTS-2025-05-12-0650357.empeter...)
Java HotSpot(TM) 64-Bit Server VM (fastdebug build 25-internal-LTS-2025-05-12-0650357.empeter..., mixed mode)
Analysis: the default value of FastAllocateSizeLimit cannot lead to overflow, and the flag can only be changed in debug builds.

Proposed Solution: Constrain the flag to a reasonable range. No negative values should be allowed, and the maximum value must be small enough that the left shift cannot overflow.
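The following is an added example, not HotSpot's code or the committed fix: it recomputes the shift from GraphKit::new_array in 64 bits so the overflow can be detected rather than triggered, derives the largest flag value for which no shift can overflow (the bound the proposed solution asks for), and reproduces the 0 and -2147483648 values printed above as the low 32 bits of the overflowed product. It assumes LogBytesPerLong == 3 (log2 of sizeof(jlong)), which the page does not state; the helper names are hypothetical.

```cpp
#include <cstdint>
#include <climits>
#include <cstdio>

// HotSpot's LogBytesPerLong is log2(sizeof(jlong)) == 3; the page does not
// state the value, so it is an assumption of this example.
static const int LogBytesPerLong = 3;

// Largest FastAllocateSizeLimit for which `limit << (LogBytesPerLong - log2_esize)`
// fits in a 32-bit int for every element size. The worst case is log2_esize == 0
// (byte arrays), i.e. a shift by LogBytesPerLong.
constexpr int32_t max_safe_fast_size_limit() {
  return INT32_MAX >> LogBytesPerLong;  // 268435455
}

// Range check in the spirit of the proposed solution: no negative values, and a
// maximum small enough that the shift can never overflow. (Hypothetical helper,
// not HotSpot's flag-constraint machinery.)
bool fast_size_limit_in_range(int64_t value) {
  return value >= 0 && value <= max_safe_fast_size_limit();
}

// Checked version of the shift in GraphKit::new_array: computes the scaled
// limit in 64 bits, so this function itself has no undefined behaviour, and
// reports whether the 32-bit result would have overflowed.
bool scaled_fast_size_limit(int32_t flag, int log2_esize, int32_t* out) {
  if (flag < 0 || log2_esize < 0 || log2_esize > LogBytesPerLong) return false;
  int64_t wide = (int64_t)flag << (LogBytesPerLong - log2_esize);
  if (wide > INT32_MAX) return false;  // the original signed shift overflows here
  *out = (int32_t)wide;
  return true;
}

// What the fastdebug build in the report happened to print: the low 32 bits of
// the product. This is the usual wraparound outcome on two's-complement
// hardware, not behaviour the C++ standard guarantees for a signed shift.
int32_t wrapped_low32(int32_t flag, int log2_esize) {
  uint64_t wide = (uint64_t)(uint32_t)flag << (LogBytesPerLong - log2_esize);
  return (int32_t)(uint32_t)wide;
}

int main() {
  const int32_t flag = 1073741824;  // the value from the report, 2^30
  for (int log2_esize = 0; log2_esize <= LogBytesPerLong; log2_esize++) {
    int32_t scaled;
    if (scaled_fast_size_limit(flag, log2_esize, &scaled)) {
      printf("log2_esize=%d: limit %d -> %d\n", log2_esize, flag, scaled);
    } else {
      printf("log2_esize=%d: limit %d overflows (wrapped value %d)\n",
             log2_esize, flag, wrapped_low32(flag, log2_esize));
    }
  }
  printf("max safe flag value: %d; %d in range: %s\n", max_safe_fast_size_limit(),
         flag, fast_size_limit_in_range(flag) ? "yes" : "no");
  return 0;
}
```

With the reported value 2^30, the shifts for log2_esize 0 and 1 wrap to 0 and the shift for log2_esize 2 wraps to INT32_MIN, matching the printed output; only the log2_esize == 3 case (no shift) fits. A flag bounded by max_safe_fast_size_limit() makes every branch take the first path.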
Comments
Changeset: c220b135 Branch: master Author: Benoît Maillard <bmaillard@openjdk.org> Committer: Emanuel Peter <epeter@openjdk.org> Date: 2025-06-23 07:52:02 +0000 URL: https://git.openjdk.org/jdk/commit/c220b1358c91bce2eb7515e9f600004c7b975ee6
23-06-2025

A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk/pull/25834 Date: 2025-06-16 14:50:46 +0000
16-06-2025

Assigning this to me to reserve it for a new hire.
14-05-2025

ILW = Undefined behavior due to left-shift overflow (harmless), with large value of debug flag FastAllocateSizeLimit, disable TLAB allocations = MML = P4
14-05-2025