[jdk17] RFR: 8269285: Crash/miscompile in CallGenerator::for_method_handle_inline after JDK-8191998

Igor Veresov iveresov at openjdk.java.net
Tue Jun 29 20:14:03 UTC 2021


On Tue, 29 Jun 2021 09:01:23 GMT, Aleksey Shipilev <shade at openjdk.org> wrote:

> See the bug report for more details.
> 
> I believe the [JDK-8191998](https://bugs.openjdk.java.net/browse/JDK-8191998) change introduced a slight regression, where the speculative type join may empty the type. It would then crash on assert in `fastdebug` builds, or miscompile the null-check to `true` in `release` bits. New test captures both failure modes.
> 
> This is not a recent regression, but a regression nevertheless, so I would like to have that fix in JDK 17. Please review carefully, or speak up if you want to move it to JDK 18+ and then backport later.
> 
> Additional testing:
>  - [x] New test fails without the patch, passes with it
>  - [x] Linux x86_64 `fastdebug` `tier1`

Well, `join_speculative()` also does a join between the normal types. And evidently the type system has no idea how `byte[]` relates to `Serializable`, so the answer is the lowest type possible, which is `Object`. I hope Roland cleans this up in his type system rework down the road.

To do the surgery on the speculative part, it seems like the only way to do that is to add a `Type* cast_with_speculative(Type*)` to the `Type` interface. Otherwise I don't see how we can clone all the little protected fields in `TypeOopPtr`. Or maybe some idiom exists that already does that... But I don't know. @vnkozlov, what do you think?

-------------

PR: https://git.openjdk.java.net/jdk17/pull/169


More information about the hotspot-compiler-dev mailing list