RFR: 8331717: C2: Crash with SIGFPE

theoweidmannoracle duke at openjdk.org
Wed Dec 11 14:19:40 UTC 2024 

Fixes a bug in loop predication where not strictly invariant tests involving divisions or modulo are pulled out of the loop.

The bug can be seen in this code:


public class Reduced {
    static int iArr[] = new int[100];

    public static void main(String[] strArr) {
        for (int i = 0; i < 10000; i++) {
            test();
        }
    }

    static void test() {
        int i1 = 0;

        for (int i4 : iArr) {
            i4 = i1;
            try {
                iArr[0] = 1 / i4;
                i4 = iArr[2 / i4]; // Source of the crash
            } catch (ArithmeticException a_e) {
            }
        }
    }
}


The crucial element is the division `2 / i4`. Since it is used to access an array, it is the input to a range check. See node 230:
<img width="699" alt="Screenshot 2024-12-11 at 15 14 47" src="https://github.com/user-attachments/assets/0b2ed978-7135-4a7e-bd10-25c0ffe7a9bb" />

Loop predication will try to pull this range check together with its input, the division, before the `for` loop. Due to a bug in Invariance::compute_invariance loop predication is allowed to do so, which results in the division being pulled out without its non-zero check. 322 is a clone of 230 placed before the loop head without any zero check for the divisor:

<img width="798" alt="Screenshot 2024-12-11 at 15 11 48" src="https://github.com/user-attachments/assets/9d4911cc-9967-4b7a-9969-98e01a55cd0d" />

To fix this, Invariance::compute_invariance must check that the node not only `depends_only_on_test()` but also that it has `no_dependent_zero_check(n)`.

Similar past bug, which introduced `no_dependent_zero_check`: https://github.com/openjdk/jdk16/pull/9

-------------

Commit messages:
 - Fix typo
 - Update TestLoopPredicationDivZeroCheck2.java
 - Fix copyright
 - Describe tests
 - Add tests
 - try to fix

Changes: https://git.openjdk.org/jdk/pull/22666/files
  Webrev: https://webrevs.openjdk.org/?repo=jdk&pr=22666&range=00
  Issue: https://bugs.openjdk.org/browse/JDK-8331717
  Stats: 124 lines in 3 files changed: 123 ins; 0 del; 1 mod
  Patch: https://git.openjdk.org/jdk/pull/22666.diff
  Fetch: git fetch https://git.openjdk.org/jdk.git pull/22666/head:pull/22666

PR: https://git.openjdk.org/jdk/pull/22666

More information about the hotspot-compiler-dev mailing list