- Bug
- Resolution: Unresolved
- P4
- None
- 17
Two different Intel x64 hosts, Ubuntu and Alpine Linux, Corretto 17.0.9.8.1 and Corretto 17.0.14.7.1.
We've had two reports in Corretto 17 of crashes in C2 while compiling Oracle ojdbc code. I haven't been able to reproduce, but it seems like a C2 issue not specific to Corretto, so reporting it here.
The crashing stack in both cases is:
```
V [libjvm.so+0xb05900] PhaseIdealLoop::identical_backtoback_ifs(Node*)+0x70
V [libjvm.so+0xb06db9] PhaseIdealLoop::split_if_with_blocks_post(Node*)+0x39
V [libjvm.so+0xb0769b] PhaseIdealLoop::split_if_with_blocks(VectorSet&, Node_Stack&)+0xdb
V [libjvm.so+0xafe99b] PhaseIdealLoop::build_and_optimize()+0x104b
V [libjvm.so+0x5d65df] PhaseIdealLoop::optimize(PhaseIterGVN&, LoopOptsMode)+0x17f
V [libjvm.so+0x5d3f9f] Compile::Optimize()+0x50f
V [libjvm.so+0x5d5e94] Compile::Compile(ciEnv*, ciMethod*, int, bool, bool, bool, bool, bool, DirectiveSet*)+0x1054
V [libjvm.so+0x511ba8] C2Compiler::compile_method(ciEnv*, ciMethod*, int, bool, DirectiveSet*)+0x118
```
Case 1:
```
Current CompileTask:
C2:188545244 35606 ! 4 oracle.net.resolver.NavAddress::navigate (97 bytes)
```
Case 2:
```
Current CompileTask:
C2:1089260 32392 ! 4 oracle.net.resolver.AddrResolution::resolveAddrTree (232 bytes)
```
```
siginfo: si_signo: 11 (SIGSEGV), si_code: 1 (SEGV_MAPERR), si_addr: 0x0000000000000020
```
Disassembling the instructions, in both cases it appears the crash comes from the second clause in https://github.com/openjdk/jdk17u-dev/blob/845a11ef68ccc37933b256e423aa42b6226e2ee5/src/hotspot/share/opto/loopopts.cpp#L1206, `n_if->proj_out(1)->outcnt() > 1`. `IfNode->proj_out(1)` is returning null, so the `outcnt` deref accesses `null + offset`, causing the SIGSEGV.
I tried to reproduce using ojdbc8 23.5.0.24.07 and -Xcomp, but the methods both compiled without crashing.
Original reports:
https://github.com/corretto/corretto-17/issues/221
https://github.com/corretto/corretto-17/issues/219
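The null-projection dereference described in the report, as an added model that is not HotSpot's code: `Node`, `ProjNode`, `IfNode`, `proj_out`, `outcnt` and their memory layout are simplified assumptions. It shows why a pruned projection makes the unguarded clause read through null, what a null-tolerant form of the same check looks like, and why a `SEGV_MAPERR` with a tiny `si_addr` reports the offset of the loaded field.

```cpp
#include <cstddef>
#include <cstdint>
// Constructed model of a C2 IfNode and its IfProj users (not HotSpot's real
// classes); the layout is chosen so that _outcnt lands at offset 0x20 on LP64.
struct Node {
    Node*    _out[4];    // users of this node (four is enough for the model)
    uint32_t _outcnt;    // number of users: the field that outcnt() loads
    Node() : _out{}, _outcnt(0) {}
    uint32_t outcnt() const { return _outcnt; }
    void add_out(Node* user) { _out[_outcnt++] = user; }
};
struct ProjNode : Node {
    uint32_t con;        // 0 = false branch, 1 = true branch
    explicit ProjNode(uint32_t c) : con(c) {}
};
struct IfNode : Node {
    // Projection for a branch among this node's users; nullptr if pruned.
    ProjNode* proj_out(uint32_t which) const {
        for (uint32_t i = 0; i < _outcnt; i++)
            if (static_cast<ProjNode*>(_out[i])->con == which)
                return static_cast<ProjNode*>(_out[i]);
        return nullptr;
    }
};
// Unguarded form from the report: with no true projection, outcnt() loads
// from nullptr + offsetof(Node, _outcnt), the small address si_addr shows.
bool true_proj_shared_unguarded(const IfNode* n_if) {
    return n_if->proj_out(1)->outcnt() > 1;
}
// Null-tolerant form: a missing true-branch projection cannot be shared.
bool true_proj_shared(const IfNode* n_if) {
    ProjNode* p = n_if->proj_out(1);
    return p != nullptr && p->outcnt() > 1;
}
// A SEGV_MAPERR with a tiny si_addr is a field read through null; the value
// is the offset of the field that was loaded, here the model's _outcnt.
std::size_t null_outcnt_fault_address() { return offsetof(Node, _outcnt); }
// Build an IfNode whose true projection is either pruned or present with
// `users` users, then run the guarded check (constructed input).
bool guarded_check(bool keep_true_proj, uint32_t users) {
    IfNode n_if;
    ProjNode false_proj(0), true_proj(1);
    Node user[4];
    n_if.add_out(&false_proj);
    if (keep_true_proj) n_if.add_out(&true_proj);
    for (uint32_t i = 0; i < users; i++) true_proj.add_out(&user[i]);
    return true_proj_shared(&n_if);
}
```

`true_proj_shared_unguarded` is kept only to show the faulting shape and is never called on a graph with a pruned true branch; `guarded_check(false, 2)` is the case that would crash it.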