RFR: 8299259: C2: Div/Mod nodes could be split through iv phi of loop nodes resulting in SIGFPE

Christian Hagedorn chagedorn at openjdk.org
Mon Jan 9 14:46:57 UTC 2023


A `Div/Mod` node can have an iv phi of a counted loop as a divisor input which has a type that does not include zero. As a result, the zero check is removed for the `Div/Mod` node. When splitting the `Div/Mod` node through the iv phi with `split_thru_phi()`, one clone ends up on the backedge with the loop increment node as divisor input which can include zero in its type:

iv i type: [2..10]
increment type: [0..8] // 0 on last iteration when the loop is exited

for (int i = 10; i > 1; i -= 2) {
     iFld = 10 / i;
}

After split through phi:

div1 = 10/10;
loop:
     iFld =  phi[div1, div2];
     if (i > 1) then exit
     i -= 2; // increment node
     div2 = 10 / i; // On last iteration: 10 / 0
     jump to loop;
}

Since we do not have a zero check anymore, the `Div/Mod` node could freely float above the loop-exit check `i > 1` and we crash with a division by zero on the last iteration because the increment node updated the trip-counter to zero and the loop-exit was not taken, yet.

This was originally fixed by [JDK-8248552](https://bugs.openjdk.org/browse/JDK-8248552) for integer counted loops by bailing out of `split_thru_phi()` if a type of an input of an iv phi could be zero. However, there are two additional missing cases:
- The same problem applies to long counted loop (triggers since [JDK-8256655](https://bugs.openjdk.org/browse/JDK-8256655) which allows iv phis of `LongCountedLoop` to be optimized).
- The original fix for JDK-8248552 only checks if the phi to be split through is an iv phi by checking `counted_loop->phi()`. But we could have a chain `iv phi -> x -> Div/Mod` and already split x through the iv phi in the same split-if pass. In this case, we've created a new phi for merging the clones of `x` and we do not bail out anymore. This is fixed by simply checking if a phi has the counted loop node as control input.

I've also improved the bail out to only check if the backedge type includes zero as the init type is always included in the type of the iv phi.

Thanks,
Christian

-------------

Commit messages:
 - 8299259: C2: Div/Mod nodes could be split through iv phi of loop nodes resulting in SIGFPE

Changes: https://git.openjdk.org/jdk/pull/11900/files
 Webrev: https://webrevs.openjdk.org/?repo=jdk&pr=11900&range=00
  Issue: https://bugs.openjdk.org/browse/JDK-8299259
  Stats: 214 lines in 3 files changed: 199 ins; 11 del; 4 mod
  Patch: https://git.openjdk.org/jdk/pull/11900.diff
  Fetch: git fetch https://git.openjdk.org/jdk pull/11900/head:pull/11900

PR: https://git.openjdk.org/jdk/pull/11900


More information about the hotspot-compiler-dev mailing list