RFR: 8347006: LoadRangeNode floats above array guard in arraycopy intrinsic
Tobias Hartmann
thartmann at openjdk.org
Wed Jan 8 12:12:32 UTC 2025
C2's arraycopy intrinsic adds guards that check that the source and destination objects are arrays:
https://github.com/openjdk/jdk/blob/afe543414f58a04832d4f07dea88881d64954a0b/src/hotspot/share/opto/library_call.cpp#L5917-L5919
If these guards pass, the array length is loaded:
https://github.com/openjdk/jdk/blob/afe543414f58a04832d4f07dea88881d64954a0b/src/hotspot/share/opto/library_call.cpp#L5930-L5933
But since the `LoadRangeNode` is not pinned, it might float above the array guard:
https://github.com/openjdk/jdk/blob/afe543414f58a04832d4f07dea88881d64954a0b/src/hotspot/share/opto/graphKit.cpp#L1214
If the object is not an array, we will read garbage. That's usually fine because the result will not be used (the array guard will trigger), but with `-XX:+UseCompactObjectHeaders` it can happen that the memory right after the header is not mapped and we crash.
The fix is to add a `CheckCastPPNode` to propagate the information that the operand is an array and prevent the load from floating.
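To see why an unpinned load can be scheduled ahead of the guard while a control-dependent cast keeps it behind, here is a toy sea-of-nodes scheduler. It is an added illustration, not code from this PR or from HotSpot; the `Node` class, the two-block numbering and the `earliest_block` rule are simplified assumptions about how C2 places nodes.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed model: blocks form a straight-line chain.
ENTRY = 0        # block where the parameters are available
AFTER_GUARD = 1  # block reached only if the array guard passed

@dataclass
class Node:
    name: str
    inputs: List["Node"] = field(default_factory=list)  # data inputs
    control: Optional[int] = None                       # block the node is pinned to, if any

def earliest_block(node: Node, memo=None) -> int:
    """Earliest block a node may be placed in: the deepest block among its
    own control input (if pinned) and the earliest blocks of its data inputs.
    An unpinned node with entry-level inputs therefore floats up to ENTRY."""
    memo = {} if memo is None else memo
    if node.name in memo:
        return memo[node.name]
    blk = node.control if node.control is not None else ENTRY
    for inp in node.inputs:
        blk = max(blk, earliest_block(inp, memo))
    memo[node.name] = blk
    return blk

def schedule_without_cast() -> int:
    """LoadRange reads the length straight from the unchecked object."""
    obj = Node("obj", control=ENTRY)
    load_range = Node("LoadRange", [obj])       # not pinned: nothing ties it to the guard
    return earliest_block(load_range)           # ENTRY: executes before the guard

def schedule_with_cast() -> int:
    """LoadRange reads through a CheckCastPP pinned after the guard."""
    obj = Node("obj", control=ENTRY)
    cast = Node("CheckCastPP", [obj], control=AFTER_GUARD)  # control-dependent on the guard
    load_range = Node("LoadRange", [cast])      # its address input now carries the dependency
    return earliest_block(load_range)           # AFTER_GUARD: cannot float above the guard

if __name__ == "__main__":
    print("without cast:", schedule_without_cast())
    print("with cast:   ", schedule_with_cast())
```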
Thanks to @shipilev for identifying the root cause!
Best regards,
Tobias
-------------
Commit messages:
- 8347006: LoadRangeNode floats above array guard in arraycopy intrinsic
Changes: https://git.openjdk.org/jdk/pull/22967/files
Webrev: https://webrevs.openjdk.org/?repo=jdk&pr=22967&range=00
Issue: https://bugs.openjdk.org/browse/JDK-8347006
Stats: 10 lines in 2 files changed: 8 ins; 0 del; 2 mod
Patch: https://git.openjdk.org/jdk/pull/22967.diff
Fetch: git fetch https://git.openjdk.org/jdk.git pull/22967/head:pull/22967
PR: https://git.openjdk.org/jdk/pull/22967