RFR: 8267904: C2 crash when compile negative Arrays.copyOf length after loop [v2]

Hui Shi hshi at openjdk.java.net
Sun May 30 00:50:41 UTC 2021 

> C2 crash when Arrays.copyOf has a negative length after a loop. This happens in release and debug build. Test and hs_err are in JBS.
> 
> Crash reason is:
> - CastIINode is created in GraphKit::new_array (in AllocateArrayNode::make_ideal_length), Cast array lenght  to range [0, maxint-2]. This is safe when allocation is success and CastIINode 's input control is InitializeNode's proj control.
> - In LibraryCallKit::inline_arraycopy, InitializeNode's proj control's use nodes' control is replaced with AllocateArrayNode's input control (in LibraryCallKit::arraycopy_move_allocation_here). This is necessary to move allocation after array copy checks. But this also includes CastIINode.
> 
>    C->gvn_replace_by(init->proj_out(TypeFunc::Control), alloc->in(0));
> 
> - CastIINode's control is also adjust to AllocateArrayNode's input control, which is illegal state in laster IGVN phase, casting a negative to [0, maxint-2].
> - This cause control and nodes after loop become top and removed. The previous loop has no fall-through edge and crash.
> 
> Fix is:
> - In LibraryCallKit::inline_arraycopy entry, if tightly coupled AllocateArrayNode is found, replace its CastIINode with original array length.
> - In LibraryCallKit::arraycopy_move_allocation_here, recreate CastIINode if necessary.
> - In LibraryCallKit::inline_arraycopy entry, avoid invoking AllocateArrayNode::make_ideal_length  when getting "tightly coupled AllocateArrayNode"'s length. This avoids creating incorrect CastIINode again.
> 
> Before fix:  node 250 is CastII which should be after InitializeNode.
> ![image](https://user-images.githubusercontent.com/70356247/119938428-f7fa4e80-bfbe-11eb-925e-c239620c73f3.png)
> 
> After fix: all arry copy check is performed on original array length node 203
> ![image](https://user-images.githubusercontent.com/70356247/119938532-2415cf80-bfbf-11eb-98c6-76e6b19b691f.png)
> 
> New test test/hotspot/jtreg/compiler/c2/TestNegativeArrayCopyAfterLoop.java is added and pass.
> Tests performs on Linux X64 and no regression
> - Tier1/2/3/hotspot_all_no_apps on release and fastdebug build.
> - Tier1/2/3 with option "-XX:-TieredCompilation -Xbatch" on fastdebug build

Hui Shi has refreshed the contents of this pull request, and previous commits have been removed. The incremental views will show differences compared to the previous content of the PR. The pull request contains one new commit since the last revision:

  8267904: C2 crash when compile negative Arrays.copyOf length after loop

-------------

Changes:
  - all: https://git.openjdk.java.net/jdk/pull/4238/files
  - new: https://git.openjdk.java.net/jdk/pull/4238/files/4ee111d2..05d2ac2f

Webrevs:
 - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=4238&range=01
 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=4238&range=00-01

  Stats: 143 lines in 4 files changed: 34 ins; 103 del; 6 mod
  Patch: https://git.openjdk.java.net/jdk/pull/4238.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/4238/head:pull/4238

PR: https://git.openjdk.java.net/jdk/pull/4238

More information about the hotspot-compiler-dev mailing list