Name: clC74495 Date: 11/12/99
In the Hotspot 1.0.1 sources, in rememberedSet.hpp, there is
the implementation of record_array_store:
  // Same for multi-word stores (all words in [start..end[ have been stored into)
  static void record_array_store(oop* start, oop* end) {
    if (oop(start)->is_old_or_perm()) {
      jbyte* s = byte_for(start);
      jbyte* e = byte_for(end);
      while (s <= e) *s++ = dirty_card;
    }
  }
The comments and implementation imply that the argument end is a pointer to
the last slot stored into.
However, all of the callers of record_array_store pass a second argument
which is a limit pointer, pointing to one past the last slot stored into.
We have seen this cause an access violation when using the train garbage
collector: record_array_store can attempt to store past the end
of the card marking array. This usually happens during a JVM_Clone.
Assuming the call sites are not to be changed, we believe the fix would be
as follows:
  // Same for multi-word stores (all words in [start..limit-1] have been stored into)
  static void record_array_store(oop* start, oop* limit) { // Rename second arg
    if (oop(start)->is_old_or_perm()) {
      jbyte* s = byte_for(start);
      jbyte* e = byte_for(limit - 1); // Add -1 here to fix bug
      while (s <= e) *s++ = dirty_card;
    }
  }
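An added example, not from the bug report or the HotSpot sources, that models the card table with a guard byte placed just past it and runs a store ending exactly at the heap boundary through both the reported and the fixed routine. Card size, heap size, marker values and the byte_for mapping are constructed assumptions for the model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed card-table model (sizes are assumptions, not HotSpot's real values):
   one card byte covers CARD_SIZE bytes of heap; the heap holds HEAP_WORDS 8-byte slots. */
#define CARD_SHIFT 9
#define CARD_SIZE  (1u << CARD_SHIFT)
#define HEAP_WORDS 1024u
#define NUM_CARDS  (HEAP_WORDS * sizeof(uintptr_t) / CARD_SIZE)  /* 16 cards */
#define DIRTY_CARD 0
#define CLEAN_CARD 1
#define GUARD      0xAA

static uintptr_t heap[HEAP_WORDS];
static unsigned char card_table[NUM_CARDS + 1];  /* +1: guard byte just past the table */
static int guard_hit;                            /* set when a routine wrote the guard byte */

static unsigned char *byte_for(const uintptr_t *p) {
    return &card_table[((const char *)p - (const char *)heap) >> CARD_SHIFT];
}

/* As reported: 'end' is treated as the last slot, but callers pass one past it. */
static void record_array_store_buggy(uintptr_t *start, uintptr_t *end) {
    unsigned char *s = byte_for(start), *e = byte_for(end);
    while (s <= e) *s++ = DIRTY_CARD;
}

/* Proposed fix: the last slot stored into is limit - 1. */
static void record_array_store_fixed(uintptr_t *start, uintptr_t *limit) {
    unsigned char *s = byte_for(start), *e = byte_for(limit - 1);
    while (s <= e) *s++ = DIRTY_CARD;
}

/* Mark a store into slots [first, first + count) with one routine and return the
   number of real cards dirtied; guard_hit records whether the guard byte was clobbered. */
static int simulate(int fixed, size_t first, size_t count) {
    int n = 0;
    memset(card_table, CLEAN_CARD, NUM_CARDS);
    card_table[NUM_CARDS] = GUARD;
    if (fixed) record_array_store_fixed(&heap[first], &heap[first + count]);
    else       record_array_store_buggy(&heap[first], &heap[first + count]);
    for (size_t i = 0; i < NUM_CARDS; i++) n += (card_table[i] == DIRTY_CARD);
    guard_hit = (card_table[NUM_CARDS] != GUARD);
    return n;
}

int main(void) {
    /* A store filling the last card of the heap: the buggy version walks one card too far. */
    int n = simulate(0, HEAP_WORDS - 64, 64);
    printf("buggy: %d card(s) dirtied, guard byte hit=%d\n", n, guard_hit);
    n = simulate(1, HEAP_WORDS - 64, 64);
    printf("fixed: %d card(s) dirtied, guard byte hit=%d\n", n, guard_hit);
    return 0;
}
```

With a card-aligned end pointer the buggy routine also dirties one extra card in the middle of the heap, which is harmless but wasteful; only at the heap boundary does the extra card lie outside the table.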
(Review ID: 97744)
======================================================================