8337958: Out-of-bounds array access in secondary_super_cache

Reviewed-by: vlivanov, shade

src/hotspot/cpu/aarch64/macroAssembler_aarch64.cpp

@@ -1730,8 +1730,8 @@ void MacroAssembler::lookup_secondary_supers_table_slow_path(Register r_super_kl
   // The bitmap is full to bursting.
   // Implicit invariant: BITMAP_FULL implies (length > 0)
   assert(Klass::SECONDARY_SUPERS_BITMAP_FULL == ~uintx(0), "");
-  cmn(r_bitmap, (u1)1);
+  cmpw(r_array_length, (u1)(Klass::SECONDARY_SUPERS_TABLE_SIZE - 2));
-  br(EQ, L_huge);
+  br(GT, L_huge);
 
   // NB! Our caller has checked bits 0 and 1 in the bitmap. The
   // current slot (at secondary_supers[r_array_index]) has not yet

src/hotspot/cpu/riscv/macroAssembler_riscv.cpp

@@ -3973,8 +3973,8 @@ void MacroAssembler::lookup_secondary_supers_table_slow_path(Register r_super_kl
 
   // Check if bitmap is SECONDARY_SUPERS_BITMAP_FULL
   assert(Klass::SECONDARY_SUPERS_BITMAP_FULL == ~uintx(0), "Adjust this code");
-  addi(t0, r_bitmap, (u1)1);
+  subw(t0, r_array_length, Klass::SECONDARY_SUPERS_TABLE_SIZE - 2);
-  beqz(t0, L_bitmap_full);
+  bgtz(t0, L_bitmap_full);
 
   // NB! Our caller has checked bits 0 and 1 in the bitmap. The
   // current slot (at secondary_supers[r_array_index]) has not yet

src/hotspot/cpu/x86/macroAssembler_x86.cpp

@@ -4945,9 +4945,8 @@ void MacroAssembler::lookup_secondary_supers_table_slow_path(Register r_super_kl
 
   // The bitmap is full to bursting.
   // Implicit invariant: BITMAP_FULL implies (length > 0)
-  assert(Klass::SECONDARY_SUPERS_BITMAP_FULL == ~uintx(0), "");
+  cmpl(r_array_length, (int32_t)Klass::SECONDARY_SUPERS_TABLE_SIZE - 2);
-  cmpq(r_bitmap, (int32_t)-1); // sign-extends immediate to 64-bit value
+  jcc(Assembler::greater, L_huge);
-  jcc(Assembler::equal, L_huge);
 
   // NB! Our caller has checked bits 0 and 1 in the bitmap. The
   // current slot (at secondary_supers[r_array_index]) has not yet

src/hotspot/share/oops/klass.cpp

@@ -306,6 +306,7 @@ void Klass::set_secondary_supers(Array<Klass*>* secondaries, uintx bitmap) {
   if (UseSecondarySupersTable && secondaries != nullptr) {
     uintx real_bitmap = compute_secondary_supers_bitmap(secondaries);
     assert(bitmap == real_bitmap, "must be");
+    assert(secondaries->length() >= (int)population_count(bitmap), "must be");
   }
 #endif
   _bitmap = bitmap;
@@ -344,11 +345,12 @@ uintx Klass::hash_secondary_supers(Array<Klass*>* secondaries, bool rewrite) {
     return uintx(1) << hash_slot;
   }
 
-  // For performance reasons we don't use a hashed table unless there
+  // Invariant: _secondary_supers.length >= population_count(_secondary_supers_bitmap)
-  // are at least two empty slots in it. If there were only one empty
+
-  // slot it'd take a long time to create the table and the resulting
+  // Don't attempt to hash a table that's completely full, because in
-  // search would be no faster than linear probing.
+  // the case of an absent interface linear probing would not
-  if (length > SECONDARY_SUPERS_TABLE_SIZE - 2) {
+  // terminate.
+  if (length >= SECONDARY_SUPERS_TABLE_SIZE) {
     return SECONDARY_SUPERS_BITMAP_FULL;
   }
 
@@ -788,6 +790,7 @@ void Klass::remove_java_mirror() {
 void Klass::restore_unshareable_info(ClassLoaderData* loader_data, Handle protection_domain, TRAPS) {
   assert(is_klass(), "ensure C++ vtable is restored");
   assert(is_shared(), "must be set");
+  assert(secondary_supers()->length() >= (int)population_count(_bitmap), "must be");
   JFR_ONLY(RESTORE_ID(this);)
   if (log_is_enabled(Trace, cds, unshareable)) {
     ResourceMark rm(THREAD);