RFR: 8366845: C2 SuperWord: wrong VectorCast after VectorReinterpret with swapped src/dst type
Emanuel Peter
epeter at openjdk.org
Fri Sep 5 06:06:41 UTC 2025
I have seen 3 manifestations of this bug:
1. assert
# Internal Error (.../src/hotspot/cpu/x86/x86.ad:7640), pid=84140, tid=28419
# assert(UseAVX > 2 && VM_Version::supports_avx512dq()) failed: require
2. assert
# Internal Error (.../src/hotspot/share/opto/vectornode.cpp:1601), pid=4022154, tid=4022168
# Error: assert(bt == T_FLOAT) failed
3. Wrong result
When the feature was available but we used the wrong CastVector
It seems that [JDK-8346236](https://bugs.openjdk.org/browse/JDK-8346236) introduced reinterpret nodes to SuperWord:
} else if (VectorNode::is_reinterpret_opcode(opc)) {
assert(first->req() == 2 && req() == 2, "only one input expected");
const TypeVect* vt = TypeVect::make(bt, vlen);
vn = new VectorReinterpretNode(in1, vt, in1->bottom_type()->is_vect());
Sadly, the `src` and `dst` type are swapped. For JDK25 [JDK-8346236](https://bugs.openjdk.org/browse/JDK-8346236) this had no bad effect yet, since we only cast between HF and short, which are both based on short.
But with [JDK-8329077](https://bugs.openjdk.org/browse/JDK-8329077) we can now do reinterpret between I/F and between D/L. Here swapping has an effect, especially if it is followed by a cast:
The cast deterines its input type from the output type of the input node. If that was a reinterpret node with the wrong output type, **we would get a cast with the wrong src type**. We might do a double -> int cast instead of a long -> int cast. That leads to all sorts of issues.
The fuzzer test was only just recently added with [JDK-8324751](https://bugs.openjdk.org/browse/JDK-8324751). It uses MemorySegment, where unaligned float/double access gets handled with long/int memory access and then reinterpret (eg `MoveI2F`). But I was able to find examples that just work with `Float.intBitsToFloat` etc.
-------------
Commit messages:
- fix whitespace
- fix test vector api visibility
- fix copyright
- IR rules
- JDK-8366845
Changes: https://git.openjdk.org/jdk/pull/27100/files
Webrev: https://webrevs.openjdk.org/?repo=jdk&pr=27100&range=00
Issue: https://bugs.openjdk.org/browse/JDK-8366845
Stats: 226 lines in 2 files changed: 225 ins; 0 del; 1 mod
Patch: https://git.openjdk.org/jdk/pull/27100.diff
Fetch: git fetch https://git.openjdk.org/jdk.git pull/27100/head:pull/27100
PR: https://git.openjdk.org/jdk/pull/27100
More information about the hotspot-compiler-dev
mailing list