RFR: 8299259: C2: Div/Mod nodes without zero check could be split through iv phi of loop resulting in SIGFPE

Martin Doerr mdoerr at openjdk.org
Mon Jan 9 16:24:53 UTC 2023


On Mon, 9 Jan 2023 09:39:55 GMT, Christian Hagedorn <chagedorn at openjdk.org> wrote:

> A `Div/Mod` node can have an iv phi of a counted loop as a divisor input which has a type that does not include zero. As a result, the zero check is removed for the `Div/Mod` node. When splitting the `Div/Mod` node through the iv phi with `split_thru_phi()`, one clone ends up on the backedge with the loop increment node as divisor input which can include zero in its type:
> 
> iv i type: [2..10]
> increment type: [0..8] // 0 on last iteration when the loop is exited
> 
> for (int i = 10; i > 1; i -= 2) {
>      iFld = 10 / i;
> }
> 
> After split through phi:
> 
> div1 = 10/10;
> loop:
>      iFld =  phi[div1, div2];
>      if (i > 1) then exit
>      i -= 2; // increment node
>      div2 = 10 / i; // On last iteration: 10 / 0
>      jump to loop;
> }
> 
> Since we do not have a zero check anymore, the `Div/Mod` node could freely float above the loop-exit check `i > 1` and we crash with a division by zero on the last iteration because the increment node updated the trip-counter to zero and the loop-exit was not taken, yet.
> 
> This was originally fixed by [JDK-8248552](https://bugs.openjdk.org/browse/JDK-8248552) for integer counted loops by bailing out of `split_thru_phi()` if a type of an input of an iv phi could be zero. However, there are two additional missing cases:
> - The same problem applies to long counted loop (triggers since [JDK-8256655](https://bugs.openjdk.org/browse/JDK-8256655) which allows iv phis of `LongCountedLoop` to be optimized).
> - The original fix for JDK-8248552 only checks if the phi to be split through is an iv phi by checking `counted_loop->phi()`. But we could have a chain `iv phi -> x -> Div/Mod` and already split x through the iv phi in the same split-if pass. In this case, we've created a new phi for merging the clones of `x` and we do not bail out anymore. This is fixed by simply checking if a phi has the counted loop node as control input.
> 
> I've also improved the bail out to only check if the backedge type includes zero as the init type is always included in the type of the iv phi.
> 
> Thanks,
> Christian

I think this is only problematic for some architectures. Integer division instructions of some other architectures (some RISC architectures like PPC64) never raise any signals, so they can get executed speculatively without zero check. Should we have an extra RFE for that?

-------------

PR: https://git.openjdk.org/jdk/pull/11900


More information about the hotspot-compiler-dev mailing list