8211926: Catastrophic size_t underflow in BitMap::*_large methods

Reviewed-by: kbarrett, stuefe
2018-11-10 20:47:28 +01:00 · 2018-11-10 20:47:28 +01:00 · 2df435e191
commit 2df435e191
parent 8f1a1b9cab
4 changed files with 143 additions and 5 deletions
--- a/src/hotspot/share/utilities/bitMap.cpp
+++ b/src/hotspot/share/utilities/bitMap.cpp
@ -263,14 +263,24 @@ void BitMap::clear_range(idx_t beg, idx_t end) {
  }
 }

+bool BitMap::is_small_range_of_words(idx_t beg_full_word, idx_t end_full_word) {
+  // There is little point to call large version on small ranges.
+  // Need to check carefully, keeping potential idx_t underflow in mind.
+  // The threshold should be at least one word.
+  STATIC_ASSERT(small_range_words >= 1);
+  return (beg_full_word + small_range_words >= end_full_word);
+}
+
 void BitMap::set_large_range(idx_t beg, idx_t end) {
  verify_range(beg, end);

  idx_t beg_full_word = word_index_round_up(beg);
  idx_t end_full_word = word_index(end);

-  assert(end_full_word - beg_full_word >= 32,
-         "the range must include at least 32 bytes");
+  if (is_small_range_of_words(beg_full_word, end_full_word)) {
+    set_range(beg, end);
+    return;
+  }

  // The range includes at least one full word.
  set_range_within_word(beg, bit_index(beg_full_word));
@ -284,7 +294,7 @@ void BitMap::clear_large_range(idx_t beg, idx_t end) {
  idx_t beg_full_word = word_index_round_up(beg);
  idx_t end_full_word = word_index(end);

-  if (end_full_word - beg_full_word < 32) {
+  if (is_small_range_of_words(beg_full_word, end_full_word)) {
    clear_range(beg, end);
    return;
  }
@ -368,8 +378,10 @@ void BitMap::par_at_put_large_range(idx_t beg, idx_t end, bool value) {
  idx_t beg_full_word = word_index_round_up(beg);
  idx_t end_full_word = word_index(end);

-  assert(end_full_word - beg_full_word >= 32,
-         "the range must include at least 32 bytes");
+  if (is_small_range_of_words(beg_full_word, end_full_word)) {
+    par_at_put_range(beg, end, value);
+    return;
+  }

  // The range includes at least one full word.
  par_put_range_within_word(beg, bit_index(beg_full_word), value);
--- a/src/hotspot/share/utilities/bitMap.hpp
+++ b/src/hotspot/share/utilities/bitMap.hpp
@ -72,6 +72,10 @@ class BitMap {
  static const bm_word_t find_ones_flip = 0;
  static const bm_word_t find_zeros_flip = ~(bm_word_t)0;

+  // Threshold for performing small range operation, even when large range
+  // operation was requested. Measured in words.
+  static const size_t small_range_words = 32;
+
 protected:
  // Return the position of bit within the word that contains it (e.g., if
  // bitmap words are 32 bits, return a number 0 <= n <= 31).
@ -117,6 +121,8 @@ class BitMap {

  static void clear_range_of_words(bm_word_t* map, idx_t beg, idx_t end);

+  static bool is_small_range_of_words(idx_t beg_full_word, idx_t end_full_word);
+
  // The index of the first full word in a range.
  idx_t word_index_round_up(idx_t bit) const;

--- a/src/hotspot/share/utilities/bitMap.inline.hpp
+++ b/src/hotspot/share/utilities/bitMap.inline.hpp
@ -237,10 +237,12 @@ BitMap::inverted_bit_mask_for_range(idx_t beg, idx_t end) const {
 }

 inline void BitMap::set_large_range_of_words(idx_t beg, idx_t end) {
+  assert(beg <= end, "underflow");
  memset(_map + beg, ~(unsigned char)0, (end - beg) * sizeof(bm_word_t));
 }

 inline void BitMap::clear_large_range_of_words(idx_t beg, idx_t end) {
+  assert(beg <= end, "underflow");
  memset(_map + beg, 0, (end - beg) * sizeof(bm_word_t));
 }

--- a/test/hotspot/gtest/utilities/test_bitMap_large.cpp
+++ b/test/hotspot/gtest/utilities/test_bitMap_large.cpp
@ -0,0 +1,118 @@
+/*
+ * Copyright (c) 2018, Red Hat Inc. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+#include "precompiled.hpp"
+#include "utilities/bitMap.inline.hpp"
+#include "unittest.hpp"
+
+// Bitmap size should be large enough to accept large operations.
+static const BitMap::idx_t BITMAP_SIZE = 8192;
+
+// The test would like to fuzz indexes in this window. Having the fuzz
+// window at bitmap word size makes sure the test would touch every combination
+// of indexes (un)aligned on word boundary.
+static const BitMap::idx_t FUZZ_WINDOW = sizeof(BitMap::bm_word_t) * 8;
+
+static void verify_set(CHeapBitMap& map, BitMap::idx_t l, BitMap::idx_t r) {
+  for (BitMap::idx_t c = l; c < r; c++) {
+    EXPECT_TRUE(map.at(c));
+  }
+}
+
+static void verify_unset(CHeapBitMap& map, BitMap::idx_t l, BitMap::idx_t r) {
+  for (BitMap::idx_t c = l; c < r; c++) {
+    EXPECT_FALSE(map.at(c));
+  }
+}
+
+TEST(BitMap, clear_large_range) {
+  CHeapBitMap map(BITMAP_SIZE);
+
+  map.set_range(0, BITMAP_SIZE);
+  verify_set(map, 0, BITMAP_SIZE);
+
+  for (size_t size_class = 0; size_class <= BITMAP_SIZE; size_class = MAX2<size_t>(1, size_class*2)) {
+    for (BitMap::idx_t l = 0; l < FUZZ_WINDOW; l++) {
+      for (BitMap::idx_t tr = l; tr < FUZZ_WINDOW; tr++) {
+        BitMap::idx_t r = MIN2(BITMAP_SIZE, size_class + tr); // avoid overflow
+
+        map.clear_large_range(l, r);
+        verify_unset(map, l, r);
+        verify_set(map, 0, l);
+        verify_set(map, r, BITMAP_SIZE);
+
+        // Restore cleared
+        map.set_range(l, r);
+        verify_set(map, l, r);
+      }
+    }
+  }
+}
+
+TEST(BitMap, set_large_range) {
+  CHeapBitMap map(BITMAP_SIZE);
+
+  map.clear();
+  verify_unset(map, 0, BITMAP_SIZE);
+
+  for (size_t size_class = 0; size_class <= BITMAP_SIZE; size_class = MAX2<size_t>(1, size_class*2)) {
+    for (BitMap::idx_t l = 0; l < FUZZ_WINDOW; l++) {
+      for (BitMap::idx_t tr = l; tr < FUZZ_WINDOW; tr++) {
+        BitMap::idx_t r = MIN2(BITMAP_SIZE, size_class + tr); // avoid overflow
+
+        map.set_large_range(l, r);
+        verify_set(map, l, r);
+        verify_unset(map, 0, l);
+        verify_unset(map, r, BITMAP_SIZE);
+
+        // Restore set
+        map.clear_range(l, r);
+        verify_unset(map, l, r);
+      }
+    }
+  }
+}
+
+TEST(BitMap, par_at_put_large_range) {
+  CHeapBitMap map(BITMAP_SIZE);
+
+  map.clear();
+  verify_unset(map, 0, BITMAP_SIZE);
+
+  for (size_t size_class = 0; size_class <= BITMAP_SIZE; size_class = MAX2<size_t>(1, size_class*2)) {
+    for (BitMap::idx_t l = 0; l < FUZZ_WINDOW; l++) {
+      for (BitMap::idx_t tr = l; tr < FUZZ_WINDOW; tr++) {
+        BitMap::idx_t r = MIN2(BITMAP_SIZE, size_class + tr); // avoid overflow
+
+        map.par_at_put_large_range(l, r, true);
+        verify_set(map, l, r);
+        verify_unset(map, 0, l);
+        verify_unset(map, r, BITMAP_SIZE);
+
+        // Restore set
+        map.clear_range(l, r);
+        verify_unset(map, l, r);
+      }
+    }
+  }
+}