8354428: [ubsan] g1BiasedArray.hpp: pointer overflow in address calculation

Reviewed-by: ayang, kbarrett, mbaesken
2026-03-15 10:23:28 +00:00 · 2025-05-28 06:55:20 +00:00 · 2025-05-28 06:55:20 +00:00 · db51556687
commit db51556687
parent 670ef8cc52
4 changed files with 13 additions and 18 deletions
--- a/src/hotspot/share/gc/g1/g1BiasedArray.cpp
+++ b/src/hotspot/share/gc/g1/g1BiasedArray.cpp
@ -29,7 +29,7 @@ G1BiasedMappedArrayBase::G1BiasedMappedArrayBase() :
  _alloc_base(nullptr),
  _base(nullptr),
  _length(0),
-  _biased_base(nullptr),
+  _biased_base(0),
  _bias(0),
  _shift_by(0) { }

@ -51,7 +51,7 @@ void G1BiasedMappedArrayBase::verify_index(idx_t index) const {
 }

 void G1BiasedMappedArrayBase::verify_biased_index(idx_t biased_index) const {
-  guarantee(_biased_base != nullptr, "Array not initialized");
+  guarantee(_biased_base != 0, "Array not initialized");
  guarantee(biased_index >= bias() && biased_index < (bias() + length()),
            "Biased index out of bounds, index: %zu bias: %zu length: %zu",
            biased_index, bias(), length());
--- a/src/hotspot/share/gc/g1/g1BiasedArray.hpp
+++ b/src/hotspot/share/gc/g1/g1BiasedArray.hpp
@ -49,7 +49,7 @@ class G1BiasedMappedArrayBase : public CHeapObj<mtGC> {
    assert(shift_by < sizeof(uintptr_t) * 8, "Shifting by %u, larger than word size?", shift_by);
    _base = base;
    _length = length;
-    _biased_base = base - (bias * elem_size);
+    _biased_base = (uintptr_t)base - (bias * elem_size);
    _bias = bias;
    _shift_by = shift_by;
  }
@ -60,7 +60,7 @@ public:
 protected:
  address _base;          // the real base address
  size_t _length;         // the length of the array
-  address _biased_base;   // base address biased by "bias" elements
+  uintptr_t _biased_base; // base address biased by "bias" elements
  size_t _bias;           // the bias, i.e. the offset biased_base is located to the right in elements
  uint _shift_by;         // the amount of bits to shift right when mapping to an index of the array.

@ -102,10 +102,9 @@ public:
 template<class T>
 class G1BiasedMappedArray : public G1BiasedMappedArrayBase {
 protected:
-  T* base() const { return (T*)G1BiasedMappedArrayBase::_base; }
+  T* base() const { return (T*)this->_base; }

-  // The raw biased base pointer.
-  T* biased_base() const { return (T*)G1BiasedMappedArrayBase::_biased_base; }
+  T* biased_base_at(idx_t index) const { return (T*)(this->_biased_base + index * sizeof(T)); }

 public:
  typedef G1BiasedMappedArrayBase::idx_t idx_t;
@ -131,7 +130,7 @@ public:
  T get_by_address(HeapWord* value) const {
    idx_t biased_index = ((uintptr_t)value) >> this->shift_by();
    this->verify_biased_index(biased_index);
-    return biased_base()[biased_index];
+    return *biased_base_at(biased_index);
  }

  T* get_ref_by_index(uintptr_t index) const {
@ -151,7 +150,7 @@ public:
  void set_by_address(HeapWord * address, T value) {
    idx_t biased_index = ((uintptr_t)address) >> this->shift_by();
    this->verify_biased_index(biased_index);
-    biased_base()[biased_index] = value;
+    *biased_base_at(biased_index) = value;
  }

 public:
@ -180,7 +179,7 @@ public:
  // Allocate and initialize this array to cover the heap addresses in the given MemRegion.
  void initialize(MemRegion region, size_t mapping_granularity) {
    G1BiasedMappedArrayBase::initialize(region.start(), region.end(), sizeof(T), mapping_granularity);
-    this->clear();
+    clear();
  }
 };

--- a/src/hotspot/share/gc/g1/vmStructs_g1.hpp
+++ b/src/hotspot/share/gc/g1/vmStructs_g1.hpp
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2011, 2024, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2011, 2025, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -48,7 +48,7 @@
                                                                              \
  nonstatic_field(G1HeapRegionTable, _base,             address)              \
  nonstatic_field(G1HeapRegionTable, _length,           size_t)               \
-  nonstatic_field(G1HeapRegionTable, _biased_base,      address)              \
+  nonstatic_field(G1HeapRegionTable, _biased_base,      uintptr_t)            \
  nonstatic_field(G1HeapRegionTable, _bias,             size_t)               \
  nonstatic_field(G1HeapRegionTable, _shift_by,         uint)                 \
                                                                              \
--- a/test/hotspot/gtest/gc/g1/test_g1BiasedArray.cpp
+++ b/test/hotspot/gtest/gc/g1/test_g1BiasedArray.cpp
@ -26,7 +26,7 @@

 class TestMappedArray : public G1BiasedMappedArray<int> {
  void verify_biased_index_inclusive_end(idx_t biased_index) const {
-    guarantee(_biased_base != nullptr, "Array not initialized");
+    guarantee(_biased_base != 0, "Array not initialized");
    guarantee(biased_index >= bias() && biased_index <= (bias() + length()),
              "Biased index out of inclusive bounds, index: %zu bias: %zu length: %zu",
              biased_index, bias(), length());
@ -37,17 +37,13 @@ public:
    return 0xBAADBABE;
  }

-  // Returns the address of the element the given address maps to
  int* my_address_mapped_to(HeapWord* address) {
    idx_t biased_index = ((uintptr_t)address) >> shift_by();
    verify_biased_index_inclusive_end(biased_index);
-    return biased_base() + biased_index;
+    return biased_base_at(biased_index);
  }

  int* base() const { return G1BiasedMappedArray<int>::base(); }
-
-  // The raw biased base pointer.
-  int* biased_base() const { return G1BiasedMappedArray<int>::biased_base(); }
 };

 TEST_VM(G1BiasedArray, simple) {