8331920: ubsan: g1CardSetContainers.inline.hpp:266:5: runtime error: index 2 out of bounds for type 'G1CardSetHowl::ContainerPtr [2]' reported

Ivan Walulya · Ivan Walulya · commit 92d33501e091 · 2024-05-22T13:45:37.000Z
Reviewed-by: tschatzl, aboldtch
diff --git a/src/hotspot/share/gc/g1/g1CardSet.cpp b/src/hotspot/share/gc/g1/g1CardSet.cpp
@@ -533,7 +533,7 @@ G1AddCardResult G1CardSet::add_to_howl(ContainerPtr parent_container,
   ContainerPtr container;
 
   uint bucket = _config->howl_bucket_index(card_in_region);
-  ContainerPtr volatile* bucket_entry = howl->get_container_addr(bucket);
+  ContainerPtr volatile* bucket_entry = howl->container_addr(bucket);
 
   while (true) {
     if (Atomic::load(&howl->_num_entries) >= _config->cards_in_howl_threshold()) {
diff --git a/src/hotspot/share/gc/g1/g1CardSetContainers.hpp b/src/hotspot/share/gc/g1/g1CardSetContainers.hpp
@@ -238,23 +238,27 @@ class G1CardSetHowl : public G1CardSetContainer {
   using ContainerPtr = G1CardSet::ContainerPtr;
   EntryCountType volatile _num_entries;
 private:
-  ContainerPtr _buckets[2];
-  // Do not add class member variables beyond this point
+  // VLA implementation.
+  ContainerPtr _buckets[1];
+  // Do not add class member variables beyond this point.
 
   // Iterates over the given ContainerPtr with at index in this Howl card set,
   // applying a CardOrRangeVisitor on it.
   template <class CardOrRangeVisitor>
   void iterate_cardset(ContainerPtr const container, uint index, CardOrRangeVisitor& found, G1CardSetConfiguration* config);
 
+  ContainerPtr at(EntryCountType index) const;
+
+  ContainerPtr const* buckets() const;
+
 public:
   G1CardSetHowl(EntryCountType card_in_region, G1CardSetConfiguration* config);
 
-  ContainerPtr* get_container_addr(EntryCountType index) {
-    return &_buckets[index];
-  }
+  ContainerPtr const* container_addr(EntryCountType index) const;
 
-  bool contains(uint card_idx, G1CardSetConfiguration* config);
+  ContainerPtr* container_addr(EntryCountType index);
 
+  bool contains(uint card_idx, G1CardSetConfiguration* config);
   // Iterates over all ContainerPtrs in this Howl card set, applying a CardOrRangeVisitor
   // on it.
   template <class CardOrRangeVisitor>
diff --git a/src/hotspot/share/gc/g1/g1CardSetContainers.inline.hpp b/src/hotspot/share/gc/g1/g1CardSetContainers.inline.hpp
@@ -257,23 +257,41 @@ inline size_t G1CardSetBitMap::header_size_in_bytes() {
     return offset_of(G1CardSetBitMap, _bits);
 }
 
+inline G1CardSetHowl::ContainerPtr const* G1CardSetHowl::container_addr(EntryCountType index) const {
+  assert(index < _num_entries, "precondition");
+  return buckets() + index;
+}
+
+inline G1CardSetHowl::ContainerPtr* G1CardSetHowl::container_addr(EntryCountType index) {
+  return const_cast<ContainerPtr*>(const_cast<const G1CardSetHowl*>(this)->container_addr(index));
+}
+
+inline G1CardSetHowl::ContainerPtr G1CardSetHowl::at(EntryCountType index) const {
+  return *container_addr(index);
+}
+
+inline G1CardSetHowl::ContainerPtr const* G1CardSetHowl::buckets() const {
+  const void* ptr = reinterpret_cast<const char*>(this) + header_size_in_bytes();
+  return reinterpret_cast<ContainerPtr const*>(ptr);
+}
+
 inline G1CardSetHowl::G1CardSetHowl(EntryCountType card_in_region, G1CardSetConfiguration* config) :
   G1CardSetContainer(),
   _num_entries((config->max_cards_in_array() + 1)) /* Card Transfer will not increment _num_entries */ {
   EntryCountType num_buckets = config->num_buckets_in_howl();
   EntryCountType bucket = config->howl_bucket_index(card_in_region);
   for (uint i = 0; i < num_buckets; ++i) {
-    _buckets[i] = G1CardSetInlinePtr();
+    *container_addr(i) = G1CardSetInlinePtr();
     if (i == bucket) {
-      G1CardSetInlinePtr value(&_buckets[i], _buckets[i]);
+      G1CardSetInlinePtr value(container_addr(i), at(i));
       value.add(card_in_region, config->inline_ptr_bits_per_card(), config->max_cards_in_inline_ptr());
     }
   }
 }
 
 inline bool G1CardSetHowl::contains(uint card_idx, G1CardSetConfiguration* config) {
   EntryCountType bucket = config->howl_bucket_index(card_idx);
-  ContainerPtr* array_entry = get_container_addr(bucket);
+  ContainerPtr* array_entry = container_addr(bucket);
   ContainerPtr container = Atomic::load_acquire(array_entry);
 
   switch (G1CardSet::container_type(container)) {
@@ -299,14 +317,14 @@ inline bool G1CardSetHowl::contains(uint card_idx, G1CardSetConfiguration* confi
 template <class CardOrRangeVisitor>
 inline void G1CardSetHowl::iterate(CardOrRangeVisitor& found, G1CardSetConfiguration* config) {
   for (uint i = 0; i < config->num_buckets_in_howl(); ++i) {
-    iterate_cardset(_buckets[i], i, found, config);
+    iterate_cardset(at(i), i, found, config);
   }
 }
 
 template <class ContainerPtrVisitor>
 inline void G1CardSetHowl::iterate(ContainerPtrVisitor& found, uint num_card_sets) {
   for (uint i = 0; i < num_card_sets; ++i) {
-    found(&_buckets[i]);
+    found(container_addr(i));
   }
 }
 
