Integrated: 8373525: C2: assert(_base == Long) failed: Not a Long
Damon Fenacci
dfenacci at openjdk.org
Mon Dec 22 12:53:24 UTC 2025
On Fri, 19 Dec 2025 10:22:58 GMT, Damon Fenacci <dfenacci at openjdk.org> wrote:
> # Issue
> Olivier's fuzzer found a test that makes C2 crash while running the optimization that collapses the addition with overflow-protection (`fold_subI_no_underflow_pattern`).
>
> # Causes
> The crash happens because during `fold_subI_no_underflow_pattern` the first input of the `AddL` node (see comment below) becomes top.
> https://github.com/openjdk/jdk/blob/82b04f01bc99e8155518b8b8600d180981a42fc5/src/hotspot/share/opto/addnode.cpp#L1525-L1533
>
> This happens because of a whole `IfFalse` subgraph that dies and nodes are being removed. `AddL` is not removed immediately as it has another input which is still alive but it is put in the IGVN worklist instead.
>
> Unfortunately the `fold_subI_no_underflow_pattern` optimization runs before the next GVN pass and triggers the assert.
>
> # Fix
> `fold_subI_no_underflow_pattern` should actually take into account that we could have the graph in such a state and that `x` could be top. So, the sensible fix is not to presume `x` to be of type long and to bail out if it is not.
>
> # Testing
> Tier 1-3+
> (also checked for new regression test failure before the change)
This pull request has now been integrated.
Changeset: a61a1d32
Author: Damon Fenacci <dfenacci at openjdk.org>
URL: https://git.openjdk.org/jdk/commit/a61a1d32a2bbf227081b9da6d101071ceb73076a
Stats: 117 lines in 2 files changed: 116 ins; 0 del; 1 mod
8373525: C2: assert(_base == Long) failed: Not a Long
Reviewed-by: chagedorn, mhaessig
-------------
PR: https://git.openjdk.org/jdk/pull/28920
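
The failure mode and the bail-out described in the quoted PR text can be reproduced in a toy IR. This is an added example, not code from this mail or from OpenJDK; the node layout and every name in it (`Node`, `kill_input`, `as_long`, `match_unguarded`, `match_guarded`, `demo`) are hypothetical stand-ins for the real C2 structures.

```cpp
#include <cassert>

// Toy IR, not HotSpot code: every name below is hypothetical.
enum class Base { Top, Long };

struct Node {
    Base  base;              // base type of the value this node produces
    Node* in1 = nullptr;     // first input ("x" for the AddL)
    Node* in2 = nullptr;     // second input
    bool  queued = false;    // sitting on the IGVN worklist
};

static Node TOP{Base::Top};  // shared "dead value" node

// Dead-subgraph removal: the dying input is replaced by top. A user that
// still has a live input is not removed, only queued for the next pass.
void kill_input(Node* user, Node* dead) {
    if (user->in1 == dead) user->in1 = &TOP;
    if (user->in2 == dead) user->in2 = &TOP;
    if (user->in1 != &TOP || user->in2 != &TOP) user->queued = true;
}

// Strict accessor in the style of a type cast that asserts on mismatch.
const Node* as_long(const Node* n) {
    assert(n->base == Base::Long && "Not a Long");
    return n;
}

// Unguarded matcher: presumes x is a long, so it trips the assert when it
// runs on a queued node whose first input is already top.
bool match_unguarded(const Node* add) {
    return as_long(add->in1) != nullptr;
}

// Guarded matcher: checks the type first and bails out when x is not a long.
bool match_guarded(const Node* add) {
    const Node* x = add->in1;
    if (x == nullptr || x->base != Base::Long) return false;  // bail out
    return as_long(x) != nullptr;
}

// Builds AddL(x, con), kills x, and runs the guarded matcher before and
// after. Returns 10*before + after: 10 means "matched, then bailed out".
int demo() {
    Node x{Base::Long}, con{Base::Long}, add{Base::Long, &x, &con};
    int before = match_guarded(&add);
    kill_input(&add, &x);
    return 10 * before + match_guarded(&add);
}
```

Calling `match_unguarded` on the node after `kill_input` aborts with the "Not a Long" assertion, which is the window between node removal and the next worklist pass that the PR text describes.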