RFR: 8267904: C2 crash when compile negative Arrays.copyOf length after loop

Hui Shi hshi at openjdk.java.net
Fri May 28 06:25:25 UTC 2021


C2 crashes when Arrays.copyOf has a negative length after a loop. This happens in both release and debug builds. The test and hs_err are in JBS.

The crash reason is:
- A CastIINode is created in GraphKit::new_array (in AllocateArrayNode::make_ideal_length), casting the array length to the range [0, maxint-2]. This is safe if the allocation succeeds and the CastIINode's input control is the InitializeNode's proj control.
- In LibraryCallKit::inline_arraycopy, the control of the use nodes of the InitializeNode's control proj is replaced with the AllocateArrayNode's input control (in LibraryCallKit::arraycopy_move_allocation_here). This is necessary to move the allocation after the array copy checks.

   C->gvn_replace_by(init->proj_out(TypeFunc::Control), alloc->in(0));

- The CastIINode's control is also adjusted to the AllocateArrayNode's input control, which is an illegal state in the later IGVN phase: it casts a negative value to [0, maxint-2].
- This causes the control and nodes after the loop to become top and be removed. The previous loop has no fall-through edge, and C2 crashes.

The fix is:
- In the LibraryCallKit::inline_arraycopy entry, if a tightly coupled AllocateArrayNode is found, replace its CastIINode with the original array length.
- In LibraryCallKit::arraycopy_move_allocation_here, recreate the CastIINode if necessary.
- In the LibraryCallKit::inline_arraycopy entry, avoid invoking AllocateArrayNode::make_ideal_length when getting the "tightly coupled AllocateArrayNode"'s length. This avoids creating an incorrect CastIINode again.

Before the fix: node 250 is the CastII, which should be after the InitializeNode.
![image](https://user-images.githubusercontent.com/70356247/119938428-f7fa4e80-bfbe-11eb-925e-c239620c73f3.png)

After the fix: all array copy checks are performed on the original array length, node 203.
![image](https://user-images.githubusercontent.com/70356247/119938532-2415cf80-bfbf-11eb-98c6-76e6b19b691f.png)

The new test test/hotspot/jtreg/compiler/c2/TestNegativeArrayCopyAfterLoop.java is added and passes.
Tests were performed on Linux x64 with no regression:
- Tier1/2/3/hotspot_all_no_apps on release and fastdebug build.
- Tier1/2/3 with option "-XX:-TieredCompilation -Xbatch" on fastdebug build

-------------

Commit messages:
 - 8267904: C2 crash when compile negative Arrays.copyOf length after loop

Changes: https://git.openjdk.java.net/jdk/pull/4238/files
 Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=4238&range=00
  Issue: https://bugs.openjdk.java.net/browse/JDK-8267904
  Stats: 123 lines in 5 files changed: 116 ins; 0 del; 7 mod
  Patch: https://git.openjdk.java.net/jdk/pull/4238.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/4238/head:pull/4238

PR: https://git.openjdk.java.net/jdk/pull/4238
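As an added illustration of the pattern the RFR describes (a loop followed by an Arrays.copyOf whose length is negative), this is a constructed reproducer, not the jtreg test in the PR and not code from the OpenJDK project; the class and method names are assumptions. The expected behaviour, before and after the fix, is that the compiled method throws NegativeArraySizeException exactly like the interpreted one; the bug was a C2 crash while compiling the method, so the point of the loop in main is only to get the method JIT-compiled with the options the RFR used for testing.

```java
import java.util.Arrays;

// Constructed example (not the PR's test): a loop, then Arrays.copyOf with a
// length that is negative at run time. Arrays.copyOf is inlined by C2 as an
// allocation tightly coupled with an arraycopy, which is the shape the RFR fixes.
public class NegativeCopyOfAfterLoop {

    // The loop before the copy is what the bug report describes: once the
    // nodes after the loop become top, the loop has no fall-through edge.
    static int[] copyAfterLoop(int[] src, int newLength) {
        int sum = 0;
        for (int i = 0; i < src.length; i++) {
            sum += src[i];
        }
        // newLength is negative in the crashing case; the allocation must
        // throw NegativeArraySizeException rather than be assumed in-range.
        int[] dst = Arrays.copyOf(src, newLength);
        dst[0] = sum;
        return dst;
    }

    public static void main(String[] args) {
        int[] src = new int[16];
        int thrown = 0;
        // Enough iterations to trigger C2 compilation; run with
        // -XX:-TieredCompilation -Xbatch to force it synchronously.
        for (int i = 0; i < 20_000; i++) {
            try {
                copyAfterLoop(src, -1);
            } catch (NegativeArraySizeException e) {
                thrown++;
            }
        }
        if (thrown != 20_000) {
            throw new AssertionError("expected every call to throw, got " + thrown);
        }
        System.out.println("ok: NegativeArraySizeException on every call");
    }
}
```

Run it with the options named in the testing section, for example `java -XX:-TieredCompilation -Xbatch NegativeCopyOfAfterLoop`; on a JDK without the fix the crash, if it reproduces, would appear as an hs_err during compilation rather than as a wrong result.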

