JDK-8069191

moving predicate out of loops may cause array accesses to bypass null check

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: P3
    • Resolution: Fixed
    • Affects Version/s: 9
    • Fix Version/s: 9
    • Component/s: hotspot
    • Labels: None
    • Resolved In Build: b64

        Description

        public class TestPredicate {
            static class A {
                int i;
            }

            static class B extends A {
            }

            // Flipped to true only after m1 has been compiled, so the compiled
            // code is the first to see arr == null.
            static boolean crash = false;

            static boolean m2() {
                return crash;
            }

            static int m3(float[] arr) {
                return 0;
            }

            static float m1(A aa) {
                float res = 0;
                float[] arr = new float[10];
                for (int i = 0; i < 10; i++) {
                    if (m2()) {
                        arr = null;
                    }
                    m3(arr);
                    // The null check of arr; the loads of arr[0]/arr[1] below
                    // must remain dependent on it.
                    int j = arr.length;
                    int k = 0;
                    // Inner loop plus type check: the predicates the compiler
                    // moves out of the outer loop.
                    for (k = 9; k < j; k++) {
                    }
                    if (k == 10) {
                        if (aa instanceof B) {
                        }
                    }
                    // With the bug these array accesses can be scheduled ahead
                    // of (and so bypass) the null check above.
                    res += arr[0];
                    res += arr[1];
                }
                return res;
            }

            public static void main(String[] args) {
                A a = new A();
                B b = new B();
                // Warm up with arr always non-null.
                for (int i = 0; i < 20000; i++) {
                    m1(a);
                }
                crash = true;   // the compiled m1 now nulls arr on its first iteration
                m1(a);
            }
        }


        Ran with:
        java -XX:CompileOnly=TestPredicate.m1 -Xcomp TestPredicate
        It crashes with -XX:+StressGCM (but not with recent builds), or apply the following patch:

        diff --git a/src/share/vm/opto/gcm.cpp b/src/share/vm/opto/gcm.cpp
        --- a/src/share/vm/opto/gcm.cpp
        +++ b/src/share/vm/opto/gcm.cpp
        @@ -1068,6 +1068,7 @@
         #endif
             cand_cnt++;
             if (LCA_freq < least_freq || // Better Frequency
        + (UseNewCode2 && mach && mach->ideal_Opcode() == Op_AddF) ||
                 (StressGCM && Compile::randomized_select(cand_cnt)) || // Should be randomly accepted in stress mode
                  (!StressGCM && // Otherwise, choose with latency
                   !in_latency && // No block containing latency
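Review bot: the added `+` line is a reproduction hook, not a fix, and must not land: gated on the diagnostic flag UseNewCode2, `(UseNewCode2 && mach && mach->ideal_Opcode() == Op_AddF)` makes the scheduler accept the candidate block for every AddF machine node before the frequency and latency tests on the following lines are consulted, which deterministically forces the placement that StressGCM otherwise reaches only through `randomized_select`. Keep the `mach &&` guard, since the node being examined need not be a MachNode, and keep in mind that the patch only changes where the adds (and the array loads feeding them) are placed; it does nothing about the underlying problem the report names, the array accesses no longer being dependent on their null check, so the real fix has to restore that dependency rather than constrain scheduling.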

        and run with -XX:+UseNewCode2

        Array accesses are no longer dependent on their null check.

        ILW = H (could crash), L (have to use stress options to trigger the crash), M (disable compilation of the method or disable predicates) = P3
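        The following is an added check, not code from the bug report or from the JDK test suite. It keeps the shape of the reporter's m1 (so the same compilation pattern is produced) but turns the reproducer into a pass/fail harness: once crash is set, the compiled m1 has to raise NullPointerException at arr.length, and anything else means the array accesses escaped the null check. The class name TestPredicateCheck and the nullCheckHonoured helper are assumptions of this example; the JVM flags are the ones from the report, adjusted for the class name.

```java
// Added example, not part of JDK-8069191. Hypothetical class name
// TestPredicateCheck; m1 mirrors the shape of the reporter's reproducer.
// Run with the report's flags:
//   java -XX:CompileOnly=TestPredicateCheck.m1 -Xcomp TestPredicateCheck
// Exit status 0: the compiled m1 threw NullPointerException as Java
// semantics require. Exit status 1: m1 returned normally, i.e. the loads
// ran against a null array without trapping. A VM crash (hs_err file) is
// the symptom the report describes and cannot be caught here.
public class TestPredicateCheck {
    static class A { int i; }
    static class B extends A { }

    static boolean crash = false;

    static boolean m2() { return crash; }
    static int m3(float[] arr) { return 0; }

    static float m1(A aa) {
        float res = 0;
        float[] arr = new float[10];
        for (int i = 0; i < 10; i++) {
            if (m2()) {
                arr = null;
            }
            m3(arr);
            int j = arr.length;          // the null check arr[0]/arr[1] depend on
            int k = 0;
            for (k = 9; k < j; k++) {
            }
            if (k == 10) {
                if (aa instanceof B) {
                }
            }
            res += arr[0];
            res += arr[1];
        }
        return res;
    }

    // Returns true only if the compiled m1 still raises the NPE for a null arr.
    static boolean nullCheckHonoured(A a) {
        try {
            m1(a);
            return false;                // returned normally: null check bypassed
        } catch (NullPointerException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        A a = new A();
        for (int i = 0; i < 20000; i++) {
            m1(a);                       // warm-up: arr is never null here
        }
        crash = true;                    // compiled m1 now nulls arr on iteration 0
        boolean ok = nullCheckHonoured(a);
        System.out.println(ok ? "PASS: NullPointerException raised as expected"
                              : "FAIL: m1 returned without throwing");
        System.exit(ok ? 0 : 1);
    }
}
```

        Because -Xcomp compiles m1 on its first call, the warm-up loop only keeps the call pattern identical to the report; the check itself is the single call made after crash is set. To compare against the interpreter, run the same class with -Xint, which must always exit 0.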


                People

                • Assignee: Roland Westrelin (roland)
                • Reporter: Roland Westrelin (roland)