- Bug
- Resolution: Fixed
- P3
- 1.4.1
- 05
- sparc
- solaris_8
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-2055583 | 1.4.1 | Michael Paleczny | P3 | Resolved | Fixed | rc |
JDK-2055582 | 1.4.0_03 | Michael Paleczny | P3 | Resolved | Fixed | 03 |
Name: cl74495 Date: 06/13/2002
Below is part of the enc_String_Compare implementation from file src/cpu/sparc/vm/sparc.ad. The branch instruction marked with the "set annul" comment needs to have the annul bit set. The code is shown after applying the fix, which is to have the second argument to br() be true.

Without the annul bit, the delay slot fetch marked "SEGV here" can execute a fetch one character past the end of the "chr1" character array. If the chr1 character array is at the end of a memory space and the next virtual address page is not committed, a SEGV can result.
```cpp
// Compare the rest of the characters.
// limit_reg holds a byte offset that inccc() drives up to zero; the
// loads address tmp1_reg + limit_reg and tmp2_reg + limit_reg, so the
// delay-slot load after the last increment would address tmp1_reg + 0.
__ lduh(tmp1_reg, limit_reg, chr1_reg);   // first chr1 load, hoisted out of the loop
__ bind(Lloop);
// __ lduh(tmp1_reg, limit_reg, chr1_reg); // hoisted
__ lduh(tmp2_reg, limit_reg, chr2_reg);
__ subcc(chr1_reg, chr2_reg, chr1_reg);   // chr1 - chr2, sets condition codes
__ br(Assembler::notZero, false, Assembler::pt, Ldone);   // mismatch: leave with the difference
assert(chr1_reg == result_reg, "result must be pre-placed");
__ delayed()->inccc(limit_reg, sizeof(jchar));   // advance offset, sets cc for the loop branch
__ br(Assembler::notZero, true, Assembler::pt, Lloop); // set annul, gemstone fix 27662
__ delayed()->lduh(tmp1_reg, limit_reg, chr1_reg); // hoisted // SEGV here
// With annul set, the delay-slot lduh runs only when the branch back to
// Lloop is taken, so the fetch past the end of chr1 no longer happens.
```
This problem exists in src/cpu/sparc/vm/sparc.ad for all of these J2SE versions:

- 1.3.1.03
- 1.4.0.01
- 1.4.1 beta b14

I have not checked 1.2.x sources.
(Review ID: 153413)
======================================================================
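The delay-slot behaviour described in the report, as an added C model that is not part of the bug report or of HotSpot: it mirrors the Lloop section with a bounds-checked stand-in for `lduh` that records, instead of faulting, a fetch one element past `chr1`, and runs the loop with the annul bit clear (the bug) and set (the fix). The `cmp_trace` struct, `compare_rest`, and the sample strings are constructed for this example; the real code counts a negative byte offset up to zero rather than an index.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint16_t jchar;   /* Java char, as HotSpot defines it */

/* Result of one simulated run: the compare result plus whether the
 * delay-slot load ever touched an element past the end of chr1. */
typedef struct { int result; bool read_past_end; } cmp_trace;

/* Stand-in for `lduh`: a bounds-checked load that records, instead of
 * faulting, a fetch that would land past the end of the array. */
static jchar lduh(const jchar *base, size_t len, size_t idx, cmp_trace *t) {
    if (idx >= len) { t->read_past_end = true; return 0; }
    return base[idx];
}

/* Simulates the Lloop section of enc_String_Compare for limit >= 1.
 * `annul` mirrors the second argument of br(): when true, the delay-slot
 * load only executes if the branch back to Lloop is taken. Index i plays
 * the role of limit_reg, which the real code drives up to zero. */
static cmp_trace compare_rest(const jchar *chr1, const jchar *chr2,
                              size_t limit, bool annul) {
    cmp_trace t = { 0, false };
    size_t i = 0;
    jchar c1 = lduh(chr1, limit, i, &t);          /* hoisted first load */
    for (;;) {
        jchar c2 = lduh(chr2, limit, i, &t);
        t.result = (int)c1 - (int)c2;              /* subcc chr1 - chr2 */
        if (t.result != 0) return t;               /* br notZero Ldone */
        i++;                                       /* delayed inccc(limit) */
        bool taken = (i != limit);                 /* br notZero Lloop */
        if (taken || !annul)                       /* delay slot: lduh */
            c1 = lduh(chr1, limit, i, &t);         /* "SEGV here" when !annul */
        if (!taken) return t;
    }
}

int main(void) {
    const jchar a[] = { 'a', 'b' }, b[] = { 'a', 'b' };   /* constructed sample */
    cmp_trace bad = compare_rest(a, b, 2, false);
    cmp_trace ok  = compare_rest(a, b, 2, true);
    printf("annul=false: result=%d read_past_end=%d\n", bad.result, bad.read_past_end);
    printf("annul=true : result=%d read_past_end=%d\n", ok.result, ok.read_past_end);
    return 0;
}
```

With equal strings the annul-clear run reports a read past the end while the annul-set run does not; a mismatch exits via Ldone before the loop branch, so neither variant over-reads there.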
Backported by:

- JDK-2055582 in sparc.ad, missing annul bit in enc_String_Compare causes SEGV (Resolved)
- JDK-2055583 in sparc.ad, missing annul bit in enc_String_Compare causes SEGV (Resolved)