RFR: 8347006: LoadRangeNode floats above array guard in arraycopy intrinsic [v4]
Tobias Hartmann
thartmann at openjdk.org
Thu Jan 9 10:22:12 UTC 2025
> C2's arraycopy intrinsic adds guards that check that the source and destination objects are arrays:
> https://github.com/openjdk/jdk/blob/afe543414f58a04832d4f07dea88881d64954a0b/src/hotspot/share/opto/library_call.cpp#L5917-L5919
>
> If these guards pass, the array length is loaded:
> https://github.com/openjdk/jdk/blob/afe543414f58a04832d4f07dea88881d64954a0b/src/hotspot/share/opto/library_call.cpp#L5930-L5933
>
> But since the `LoadRangeNode` is not pinned, it might float above the array guard:
> https://github.com/openjdk/jdk/blob/afe543414f58a04832d4f07dea88881d64954a0b/src/hotspot/share/opto/graphKit.cpp#L1214
>
> If the object is not an array, we will read garbage. That's usually fine because the result will not be used (the array guard will trigger) but with `-XX:+UseCompactObjectHeaders` it can happen that the memory right after the header is not mapped and we crash.
>
> The fix is to add a `CheckCastPPNode` to propagate the information that the operand is an array and prevent the load from floating.
>
> Thanks to @shipilev for identifying the root cause!
>
> I was able to reliably reproduce the issue with `compiler/arraycopy/TestArrayCopyNoInit.java` and `-XX:-UseTLAB -XX:+UnlockExperimentalVMOptions -XX:+UseCompactObjectHeaders` on Linux AArch64 and verified that the fix solves the problem.
>
> Best regards,
> Tobias
Tobias Hartmann has updated the pull request incrementally with one additional commit since the last revision:
Copyright date
-------------
Changes:
- all: https://git.openjdk.org/jdk/pull/22967/files
- new: https://git.openjdk.org/jdk/pull/22967/files/3b465a4b..0a1fe387
Webrevs:
- full: https://webrevs.openjdk.org/?repo=jdk&pr=22967&range=03
- incr: https://webrevs.openjdk.org/?repo=jdk&pr=22967&range=02-03
Stats: 1 line in 1 file changed: 0 ins; 0 del; 1 mod
Patch: https://git.openjdk.org/jdk/pull/22967.diff
Fetch: git fetch https://git.openjdk.org/jdk.git pull/22967/head:pull/22967
PR: https://git.openjdk.org/jdk/pull/22967
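The guard sequence described in the PR can be exercised from plain Java. The harness below is an added example, not the `TestArrayCopyNoInit.java` reproducer the PR refers to; the class and method names are my own. It gives `System.arraycopy` operands typed as `Object` with a polymorphic profile, so C2 cannot prove statically that they are arrays and the intrinsic must emit the runtime array guards, and then calls the compiled method with a non-array source so that the guard, not the length load, decides the outcome.

```java
// Added example (not the PR's test): drive C2's arraycopy intrinsic with
// Object-typed operands, then take the non-array path that the PR discusses.
public class ArrayGuardDemo {

    // Both operands are declared as Object. Once the profile has seen several
    // array types, C2 compiles this with runtime "is this an array?" guards and
    // loads the array length only on the path where the guards pass.
    static void copy(Object src, Object dst, int len) {
        System.arraycopy(src, 0, dst, 0, len);
    }

    public static void main(String[] args) {
        int[] ia = new int[16], ib = new int[16];
        byte[] ba = new byte[16], bb = new byte[16];
        Object[] oa = new Object[16], ob = new Object[16];
        for (int i = 0; i < 16; i++) { ia[i] = i; ba[i] = (byte) i; oa[i] = i; }

        // Warm up with three array types so the type profile is polymorphic
        // and copy() is C2-compiled with the generic guarded intrinsic.
        for (int i = 0; i < 100_000; i++) {
            copy(ia, ib, 16);
            copy(ba, bb, 16);
            copy(oa, ob, 16);
        }
        if (ib[15] != 15 || bb[15] != 15 || !Integer.valueOf(15).equals(ob[15])) {
            throw new AssertionError("warm-up copies produced wrong data");
        }

        // Non-array source: the array guard must fail before any length is
        // read. The JDK contract for this case is an ArrayStoreException.
        Object notAnArray = new Object();
        int trapped = 0;
        for (int i = 0; i < 1_000; i++) {
            try {
                copy(notAnArray, ib, 1);
            } catch (ArrayStoreException e) {
                trapped++;
            }
        }
        System.out.println("ArrayStoreException count: " + trapped); // expect 1000
    }
}
```

Run it with the flags listed in the PR (`-XX:-UseTLAB -XX:+UnlockExperimentalVMOptions -XX:+UseCompactObjectHeaders`) to put the VM in the compact-headers configuration where the floated load matters; as the description notes, whether an unfixed build actually faults depends on whether the memory just past the object header happens to be mapped.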