-
Bug
-
Resolution: Fixed
-
P3
-
26
-
b14
-------- ORIGINAL REPORT --------------
TEST: javafuzzer_tests/Test_2267.java
TEST RESULT: Failed. Difference in 'STDOUT' stream.
Expected: i34 b1 lArr2 = 0,0,-674306231546582954
Actual : i34 b1 lArr2 = 0,0,-14801518782581705
---------------- PR DESCRIPTION ------------
A CastP2X without ctrl can float. If it floats over a SafePoint (or call), we may GC and move the oop. But the CastP2X value does not end up on the oop-map, and so the pointer is stale (old).
With StressGCM, the aliasing runtime check has one CastP2X that floats over the SafePoint, and another that stays after the SafePoint. Both read the oop of the same array, so instead of getting the same address, we now get the old and the new oop. And so the aliasing runtime check passes (thinks there is no aliasing), even though there is aliasing. We end up vectorizing, which reorders the loads/stores and would only be safe if there is no aliasing.
Fix: add control to the CastP2X so that it cannot float too far.
Details:
rbp = Allcoate array
spill <- rbp + 0x20
call to allocateArrays
-> allocates a lot, and triggers GC. That moves the allocated array behind rbp
-> rbp is oop-mapped, so it is updated automatically to the new oop
-> spill value remains based on the old oop
We now compute the aliasing runtime check:
-> one side of the comparison is computed from rbp (new oop)
-> the other side is computed from the the spill value (old oop)
-> the cmp returns a nonsensical value, and we take the wrong branch
-> vectorize even though we have aliasing!
TEST: javafuzzer_tests/Test_2267.java
TEST RESULT: Failed. Difference in 'STDOUT' stream.
Expected: i34 b1 lArr2 = 0,0,-674306231546582954
Actual : i34 b1 lArr2 = 0,0,-14801518782581705
---------------- PR DESCRIPTION ------------
A CastP2X without ctrl can float. If it floats over a SafePoint (or call), we may GC and move the oop. But the CastP2X value does not end up on the oop-map, and so the pointer is stale (old).
With StressGCM, the aliasing runtime check has one CastP2X that floats over the SafePoint, and another that stays after the SafePoint. Both read the oop of the same array, so instead of getting the same address, we now get the old and the new oop. And so the aliasing runtime check passes (thinks there is no aliasing), even though there is aliasing. We end up vectorizing, which reorders the loads/stores and would only be safe if there is no aliasing.
Fix: add control to the CastP2X so that it cannot float too far.
Details:
rbp = Allcoate array
spill <- rbp + 0x20
call to allocateArrays
-> allocates a lot, and triggers GC. That moves the allocated array behind rbp
-> rbp is oop-mapped, so it is updated automatically to the new oop
-> spill value remains based on the old oop
We now compute the aliasing runtime check:
-> one side of the comparison is computed from rbp (new oop)
-> the other side is computed from the the spill value (old oop)
-> the cmp returns a nonsensical value, and we take the wrong branch
-> vectorize even though we have aliasing!
- caused by
-
JDK-8324751 C2 SuperWord: Aliasing Analysis runtime check
-
- Resolved
-
- links to
-
Commit(master)
openjdk/jdk/2527e9e5
-
Review(master)
openjdk/jdk/27045