- Enhancement
- Resolution: Fixed
- P3
- 24
- None
Consider this code:
jshell> var layout = MemoryLayout.structLayout(MemoryLayout.paddingLayout(Long.MAX_VALUE - 1), ValueLayout.JAVA_BYTE.withName("x"));
layout ==> [x9223372036854775806b1(x)]
jshell> layout.byteOffset(PathElement.groupElement("x"));
$4 ==> 9223372036854775806
jshell> MethodHandle offHandle = layout.byteOffsetHandle(PathElement.groupElement("x"));
offHandle ==> MethodHandle(long)long
jshell> offHandle.invoke(42);
$7 ==> -9223372036854775768
As can be seen, it is possible to make the method handle returned by "offsetHandle" return a negative value if the field offset is large and a base offset is provided that makes the "add" overflow.
This doesn't happen with other long-based method handles, such as "MemoryLayout::scaleHandle", which correctly throw ArithmeticException in case of overflow.
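The difference between a wrapping and an overflow-checked offset add can be reproduced without the layout API. The following is an added example, not code from the JDK or from this issue; the class and the helpers `wrappingAdd` and `bindFieldOffset` are hypothetical names, and using `Math.addExact` for the checked variant is an assumption made for illustration, not a statement of how the fix was implemented.

```java
import java.lang.invoke.MethodHandle;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;

public class OffsetOverflowDemo {
    // Unchecked add: wraps silently on overflow (the behaviour shown in the report).
    static long wrappingAdd(long fieldOffset, long baseOffset) {
        return fieldOffset + baseOffset;
    }

    // Binds a fixed field offset, leaving a (long)long handle that takes the base offset.
    static MethodHandle bindFieldOffset(MethodHandle adder, long fieldOffset) {
        return MethodHandles.insertArguments(adder, 0, fieldOffset);
    }

    public static void main(String[] args) throws Throwable {
        MethodHandles.Lookup lookup = MethodHandles.lookup();
        MethodType sig = MethodType.methodType(long.class, long.class, long.class);
        MethodHandle wrapping = lookup.findStatic(OffsetOverflowDemo.class, "wrappingAdd", sig);
        MethodHandle checked = lookup.findStatic(Math.class, "addExact", sig);

        long fieldOffset = Long.MAX_VALUE - 1; // offset of "x" in the layout above
        long base = 42L;                       // base offset passed by the caller

        long wrapped = (long) bindFieldOffset(wrapping, fieldOffset).invokeExact(base);
        System.out.println("unchecked handle returned " + wrapped);

        try {
            long exact = (long) bindFieldOffset(checked, fieldOffset).invokeExact(base);
            System.out.println("checked handle returned " + exact);
        } catch (ArithmeticException e) {
            System.out.println("checked handle threw ArithmeticException: " + e.getMessage());
        }
    }
}
```

Code that consumes offsets from a handle on a JDK without the fix can apply the same idea on its side by rejecting a negative result before using it to address memory.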
- csr for: JDK-8338742 MemoryLayout::offsetHandle can return a negative offset (Closed)
- links to: Commit(master) openjdk/jdk/1ff9ac72, Review(master) openjdk/jdk/20662