RFR: 8283408: Fix a C2 crash when filling arrays with unsafe [v3]

Pengfei Li pli at openjdk.java.net
Wed Mar 23 02:01:24 UTC 2022 

> We recently found a segmentation fault issue in C2 compiler with some
> code that uses Java Unsafe API to initialize an array in a loop. It can
> be reproduced by below code snippet compiled by C2 on AArch64. It's also
> reproducible on x86 with an additional VM option "-XX:+OptimizeFill".
> 
>   byte[] arr = new byte[size];
>   int offset = unsafe.arrayBaseOffset(byte[].class);
>   for (int i = offset; i < offset + size; i++) {
>     unsafe.putByte(arr, i, val);
>   }
> 
> This issue is caused by a NULL pointer in a C2 loop optimization phase
> called intrinsify_fill. In this phase, array filling loop patterns are
> recognized and replaced by some intrinsics. But filling operations with
> Unsafe API call are not handled very well. From C2 mid-end's point of
> view, a difference between an Unsafe call and a normal array access like
> `arr[i] = val` is element addressing. For normal array accesses, C2 uses
> two AddP nodes for computing an element's address - one for adding array
> header size and another for adding the element's relative offset from
> the header. But Unsafe calls may have only one AddP node for adding an
> absolute offset of an element from the array base. In current code, the
> intrinsify_fill phase creates an AddP node but with NULL input for above
> case and eventually causes a segmentation fault.
> 
> In this patch, we add a check to allow one AddP node in array filling
> patterns to be optional. After this fix, the case above can be optimized
> by intrinsify_fill as well. We know that the Unsafe call is rarely used
> in Java application code and developers should use it at their own risk.
> But we still propose this fix because C2 crashes even Unsafe is used in
> a correct way.
> 
> Jtreg hotspot::hotspot_all_no_apps, jdk::tier1~3 and langtools::tier1
> are tested and no issue is found. We also create a new jtreg case within
> this patch.

Pengfei Li has updated the pull request incrementally with one additional commit since the last revision:

  Add an assertion

-------------

Changes:
  - all: https://git.openjdk.java.net/jdk/pull/7884/files
  - new: https://git.openjdk.java.net/jdk/pull/7884/files/16ebef57..a7bfd896

Webrevs:
 - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=7884&range=02
 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=7884&range=01-02

  Stats: 2 lines in 1 file changed: 2 ins; 0 del; 0 mod
  Patch: https://git.openjdk.java.net/jdk/pull/7884.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/7884/head:pull/7884

PR: https://git.openjdk.java.net/jdk/pull/7884

More information about the hotspot-compiler-dev mailing list