RFR: 8321974: Crash in ciKlass::is_subtype_of because TypeAryPtr::_klass is not initialized

Tobias Hartmann thartmann at openjdk.org
Wed Dec 13 12:02:53 UTC 2023


[JDK-8297933](https://bugs.openjdk.org/browse/JDK-8320292) added code that relies on lazy initialization of the `TypeAryPtr::_klass` field. However, there are cases when the field is not yet initialized, leading to a null pointer dereference at C2 compilation time.

In the failing case we process a CmpP:

```
 116  Phi  === 109 160 57  [[ 120 128 128 ]]  #long[int:1..2] (java/lang/Cloneable,java/io/Serializable):NotNull:exact * !jvms: TestSimple::test @ bci:11 (line 32)
  10  Parm  === 3  [[ 173 143 128 40 120 128 94 72 83 ]] Parm0: long[int:>=0] (java/lang/Cloneable,java/io/Serializable):exact * !jvms: TestSimple::test @ bci:-1 (line 29)
 120  CmpP  === _ 10 116  [[ 121 ]]  !jvms: TestSimple::test @ bci:13 (line 32)
```

`CmpPNode::sub` performs a subtype check to determine whether the klasses of its two operands are unrelated. We crash in `ciKlass::is_subtype_of` because the `TypeAryPtr::_klass` field is not initialized (`= nullptr`) for the `116 Phi` operand.

The issue only reproduces with release builds because [additional verification code](https://github.com/openjdk/jdk/blob/21cda19d05b688148f023f6d92778b5da210b709/src/hotspot/share/opto/type.cpp#L996-L1007) in `Type::meet_helper` in debug builds calls `klass()` which leads to eager initialization of the `_klass` field. When disabling the verification code, the issue also reproduces with debug builds and we hit the `this_one->_klass != nullptr && other->_klass != nullptr` assert in `TypePtr::is_same_java_type_as_helper_for_array`.

The fix is to always use the `klass()` method for accesses, which makes sure that the field is properly initialized; the overhead is negligible. The patch also includes some unrelated removal of dead code in `TypeAryPtr::compute_klass` (after [JDK-8297933](https://bugs.openjdk.org/browse/JDK-8320292), the verify argument is always false).

Thanks,
Tobias

-------------

Commit messages:
 - 8321974: Crash in ciKlass::is_subtype_of because TypeAryPtr::_klass is not initialized

Changes: https://git.openjdk.org/jdk/pull/17085/files
 Webrev: https://webrevs.openjdk.org/?repo=jdk&pr=17085&range=00
  Issue: https://bugs.openjdk.org/browse/JDK-8321974
  Stats: 89 lines in 3 files changed: 54 ins; 22 del; 13 mod
  Patch: https://git.openjdk.org/jdk/pull/17085.diff
  Fetch: git fetch https://git.openjdk.org/jdk.git pull/17085/head:pull/17085

PR: https://git.openjdk.org/jdk/pull/17085
