[9] RFR(S): 8150804: C2 Compilation fails with assert(_base >= OopPtr && _base <= AryPtr) failed: Not a Java pointer

Tobias Hartmann tobias.hartmann at oracle.com
Fri Mar 11 15:40:04 UTC 2016


Hi,

please review the following patch.

https://bugs.openjdk.java.net/browse/JDK-8150804
http://cr.openjdk.java.net/~thartmann/8150804/webrev.00/

We fail in Compile::Process_OopMap_Node() while processing monitors of a safepoint node because the monitor object is TOP. The crash is rare but reproduces with my regression test. The problem is the elimination of Phi nodes with a unique input which was broken by the fixes for JDK-8139771 [1] and JDK-8146999 [2].

Here are the details (for context, see 'TestPhiElimination.java'):
A::get() is inlined into test(obj) producing the following graph:

        Parm (obj)
     TestPhiElimination
            |
          CastPP
 TestPhiElimination:NotNull
            |
       CheckCastPP
        A:NotNull
        /       \
CheckCastPP     |
 A:NotNull      |
         \     /
           Phi
            A
            |
        Safepoint

https://bugs.openjdk.java.net/secure/attachment/57820/before_ideal.png

PhiNode::ideal() then replaces the Phi by a CheckCastPP because it has a unique input (see PhiNode::unique_input()):

        Parm (obj)
     TestPhiElimination
            |
       CheckCastPP
            A
            |
        Safepoint

https://bugs.openjdk.java.net/secure/attachment/57821/after_ideal.png

We completely lose the NotNull information provided by the CastPP. Therefore, we cannot prove that obj != null when accessing a field of obj and add an uncommon trap. Obj is also used as a monitor (A::get() is synchronized) and set to TOP in the uncommon trap branch. We are never able to prove that the null branch is not reachable and later fail when emitting code in Process_OopMap_Node because the monitor object is still TOP.

Before the fix for JDK-8139771, we had a check to verify that the type of the unique (uncasted) input is "at least as good" as the type of the PhiNode:

 phase->type(uncasted_input)->higher_equal(type()))

http://hg.openjdk.java.net/jdk9/hs-comp/hotspot/rev/9e17d9e4b59f#l4.79

Re-adding this check, fixes the problem. However, I'm concerned that this check is not strong enough. For example, in the case where the type of the PhiNode is Object:

        Parm (obj)         
     TestPhiElimination    
            |              
          CastPP           
 TestPhiElimination:NotNull
            |              
       CheckCastPP         
        A:NotNull          
        /       \          
CheckCastPP     |          
 A:NotNull      |          
         \     /           
           Phi             
          Object

We would still replace the Phi because TestPhiElimination->higher_equal(Object) and again lose the NotNull information. I therefore added a slightly stronger check that also checks the types in-between. I had to remove the assert that Roland added.

What do you think?

Thanks,
Tobias

[1] https://bugs.openjdk.java.net/browse/JDK-8139771
[1] https://bugs.openjdk.java.net/browse/JDK-8146999


More information about the hotspot-compiler-dev mailing list