Bytecodes::special_length_at does not check for the end of the buffer before reading from memory. This can cause uninitialized or even unmapped memory to be read. The attached test triggers this condition using tableswitch.
JDK-2172826 Bytecodes::special_length_at reads past end of code buffer
JDK-2177343 Bytecodes::special_length_at reads past end of code buffer
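The missing check described in the report, shown for the tableswitch case as an added example (this is not HotSpot's code and not the attached test). The function name, the -1 error convention and the sample bytes are assumptions constructed for illustration; the instruction layout follows the JVM specification.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

static const uint8_t OP_TABLESWITCH = 0xaa;  // opcode per the JVM specification

// Bytecode operands are stored big-endian.
static int32_t read_be32(const uint8_t* p) {
    return (int32_t)(((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                     ((uint32_t)p[2] << 8) | (uint32_t)p[3]);
}

// Hypothetical helper: length in bytes of the tableswitch at code[bci],
// or -1 if computing or honouring that length would read past code_len.
int64_t tableswitch_length_checked(const uint8_t* code, size_t code_len, size_t bci) {
    if (bci >= code_len || code[bci] != OP_TABLESWITCH) return -1;
    // Operands start at the next 4-byte boundary, counted from the method start.
    size_t aligned = (bci + 1 + 3) & ~(size_t)3;
    // default, low and high (3 x 4 bytes) must be inside the buffer before
    // low/high are read; this is the check the report says is missing.
    if (aligned > code_len || code_len - aligned < 12) return -1;
    int64_t low = read_be32(code + aligned + 4);
    int64_t high = read_be32(code + aligned + 8);
    if (high < low) return -1;
    // 64-bit arithmetic so an extreme low/high pair cannot wrap the length.
    int64_t len = (int64_t)(aligned - bci) + 12 + 4 * (high - low + 1);
    if (len > (int64_t)(code_len - bci)) return -1;  // jump table must fit too
    return len;
}

// Constructed sample: tableswitch at bci 0 with low=0, high=1 (24 bytes).
static const uint8_t kSample[24] = {
    0xaa, 0, 0, 0,               // opcode + 3 padding bytes
    0, 0, 0, 24,                 // default offset
    0, 0, 0, 0,                  // low = 0
    0, 0, 0, 1,                  // high = 1
    0, 0, 0, 24,  0, 0, 0, 24    // two jump offsets
};

int main() {
    std::printf("complete:  %lld\n", (long long)tableswitch_length_checked(kSample, 24, 0));
    std::printf("truncated: %lld\n", (long long)tableswitch_length_checked(kSample, 10, 0));
    return 0;
}
```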