Found via manual code inspection.
I modified the relevant code to make the overflow apparent:
diff --git a/src/hotspot/share/opto/graphKit.cpp b/src/hotspot/share/opto/graphKit.cpp
index 20feca26ede..6e46de0ec6e 100644
--- a/src/hotspot/share/opto/graphKit.cpp
+++ b/src/hotspot/share/opto/graphKit.cpp
@@ -3803,7 +3803,9 @@ Node* GraphKit::new_array(Node* klass_node, // array klass (maybe variable)
assert(!StressReflectiveCode, "stress mode does not use these paths");
// Increase the size limit if we have exact knowledge of array type.
int log2_esize = Klass::layout_helper_log2_element_size(layout_con);
+ tty->print_cr("before shift: %d", fast_size_limit);
fast_size_limit <<= (LogBytesPerLong - log2_esize);
+ tty->print_cr("after shift: %d", fast_size_limit);
}
Node* initial_slow_cmp = _gvn.transform( new CmpUNode( length, intcon( fast_size_limit ) ) );
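Review bot: the shift `fast_size_limit <<= (LogBytesPerLong - log2_esize);` still runs on a signed int with no range check, so the two `tty->print_cr` lines added around it make the overflow visible but do not prevent it, and they would have to come out again before this could be considered a fix. Since the flag value reaches this statement unchanged, the check belongs where the flag is validated (reject negative values and cap it so that the value shifted by `LogBytesPerLong` still fits in an int), or at minimum as an assert before the shift so the wrapped limit can never feed `CmpUNode`.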
java -XX:FastAllocateSizeLimit=1073741824 -Xbatch --version
before shift: 1073741824
after shift: 0
before shift: 1073741824
after shift: 0
before shift: 1073741824
after shift: 0
before shift: 1073741824
after shift: 0
before shift: 1073741824
after shift: 0
before shift: 1073741824
after shift: 0
before shift: 1073741824
after shift: -2147483648
java 25-internal 2025-09-16 LTS
Java(TM) SE Runtime Environment (fastdebug build 25-internal-LTS-2025-05-12-0650357.empeter...)
Java HotSpot(TM) 64-Bit Server VM (fastdebug build 25-internal-LTS-2025-05-12-0650357.empeter..., mixed mode)
Analysis: the default value of FastAllocateSizeLimit cannot lead to overflow, and the value can only be changed in debug builds.
Proposed solution: constrain the flag to a reasonable range. Negative values should not be allowed, and the maximum must be small enough that the left shift cannot overflow.
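As an added illustration (not code from the JDK), the shift from GraphKit::new_array recomputed in 64 bits so the overflow is detectable, beside the range constraint the proposed solution calls for. It assumes HotSpot's LogBytesPerLong is 3 and that log2_esize ranges over 0..3; the macro and function names are hypothetical.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed HotSpot constants: LogBytesPerLong == 3 and element sizes of
   1, 2, 4 or 8 bytes, so log2_esize ranges over 0..3. */
#define LOG_BYTES_PER_LONG 3
#define MAX_LOG2_ESIZE     3

/* Largest flag value whose shifted form still fits in a signed 32-bit int.
   The widest shift is for byte arrays (log2_esize == 0): LogBytesPerLong bits. */
#define FAST_ALLOCATE_SIZE_LIMIT_MAX (INT_MAX >> LOG_BYTES_PER_LONG)

/* Exact value of fast_size_limit << (LogBytesPerLong - log2_esize), in 64 bits.
   Multiplication is used so a negative flag value is not undefined behaviour. */
static int64_t shifted_limit_wide(int fast_size_limit, int log2_esize) {
    int shift = LOG_BYTES_PER_LONG - log2_esize;
    return (int64_t)fast_size_limit * (INT64_C(1) << shift);
}

/* What the 32-bit int in GraphKit::new_array ends up holding after the shift. */
int shifted_limit_as_int(int fast_size_limit, int log2_esize) {
    return (int)(uint32_t)shifted_limit_wide(fast_size_limit, log2_esize);
}

/* True when the 32-bit result differs from the mathematically correct one. */
bool shifted_limit_overflows(int fast_size_limit, int log2_esize) {
    int64_t wide = shifted_limit_wide(fast_size_limit, log2_esize);
    return wide > INT_MAX || wide < 0;
}

/* The proposed range constraint: no negatives, and a cap low enough that
   even the widest shift cannot overflow. */
bool fast_allocate_size_limit_is_valid(int value) {
    return value >= 0 && value <= FAST_ALLOCATE_SIZE_LIMIT_MAX;
}

int main(void) {
    /* Reproduce the reported run: -XX:FastAllocateSizeLimit=1073741824. */
    for (int e = 0; e <= MAX_LOG2_ESIZE; e++) {
        printf("log2_esize=%d after shift: %d%s\n", e,
               shifted_limit_as_int(1073741824, e),
               shifted_limit_overflows(1073741824, e) ? " (overflow)" : "");
    }
    printf("largest valid flag value: %d\n", FAST_ALLOCATE_SIZE_LIMIT_MAX);
    return 0;
}
```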