RFR: 8373525: C2: assert(_base == Long) failed: Not a Long [v3]

Christian Hagedorn chagedorn at openjdk.org
Mon Dec 22 09:09:53 UTC 2025 

On Mon, 22 Dec 2025 08:02:43 GMT, Damon Fenacci <dfenacci at openjdk.org> wrote:

>> # Issue
>> Olivier's fuzzer found a test that makes C2 crash while running the optimization that collapses the addition with overflow-protection (`fold_subI_no_underflow_pattern`).
>> 
>> # Causes
>> The crash happens because during `fold_subI_no_underflow_pattern` the first input of the `AddL` node (see comment below) becomes top.
>> https://github.com/openjdk/jdk/blob/82b04f01bc99e8155518b8b8600d180981a42fc5/src/hotspot/share/opto/addnode.cpp#L1525-L1533
>> 
>> This happens because of a whole `IfFalse` subgraph that dies and nodes are being removed. `AddL` is not removed immediately as it has another input which is still alive but it is put in the IGVN worklist instead.
>> 
>> <img width="463" height="239" alt="image" src="https://github.com/user-attachments/assets/bce0e4b0-b823-473d-91de-2bb048841e65" />
>> 
>> Unfortunately the `fold_subI_no_underflow_pattern` optimization runs before the next GVN pass and triggers the assert.
>> 
>> # Fix
>> `fold_subI_no_underflow_pattern` should actually take into account that we could have the graph in such a state and that `x` could be top. So, the sensible fix is not to presume `x` to be of type long and bailout if it is not.
>> 
>> # Testing
>> Tier 1-3+
>> (also checked for new regression test failure before the change)
>
> Damon Fenacci has updated the pull request incrementally with two additional commits since the last revision:
> 
>  - Apply suggestion from @chhagedorn
>    
>    Co-authored-by: Christian Hagedorn <christian.hagedorn at oracle.com>
>  - JDK-8373525: add comment

src/hotspot/share/opto/addnode.cpp line 1601:

> 1599:         Node* con2 = add2->in(2);
> 1600:         if (is_sub_con(con2)) {
> 1601:           // The graph could be in a dirty state. So, we need to check for the type of x

I suggest to be more explicit:
Suggestion:

          // The graph could be dying (i.e. x is top) in which case type(x) is not a long.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/28920#discussion_r2639167385

More information about the hotspot-compiler-dev mailing list