- Type: Bug
- Resolution: Unresolved
- Priority: P3
- Affects Version/s: 26
- Component/s: hotspot
Found by Olivier Mattmann <olivier.mattmann@bluewin.ch> during work on his Master's thesis, where he is working on a fuzzer for C2.
Running the attached reproducer in a debug build asserts during code generation on x64 and aarch64. The test case should compile to an infinite loop. The reproducer is derived from compiler/allocation/TestNewArrayBadSize.java. The first commit that fails is JDK-8354383.
java -Xbatch -XX:-TieredCompilation -XX:CompileCommand=compileonly,Test.test Test.java
# A fatal error has been detected by the Java Runtime Environment:
#
# Internal Error (/jdk/src/hotspot/share/opto/output.cpp:729), pid=130198, tid=130213
# assert(local == C->top()) failed: LocArray collision
#
# JRE version: Java(TM) SE Runtime Environment (27.0) (fastdebug build 27-internal-mhassig.open)
# Java VM: Java HotSpot(TM) 64-Bit Server VM (fastdebug 27-internal-mhassig.open, mixed mode, compressed oops, compressed class ptrs, g1 gc, linux-amd64)
# Problematic frame:
# V [libjvm.so+0x1822f31] PhaseOutput::FillLocArray(int, MachSafePointNode*, Node*, GrowableArray<ScopeValue*>*, GrowableArray<ScopeValue*>*)+0x231
Current CompileTask:
C2:1885 101 % !b Test::test @ 4 (37 bytes)
Stack: [0x00007f9e978fa000,0x00007f9e979fa000], sp=0x00007f9e979f5690, free space=1005k
Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
V [libjvm.so+0x1822f31] PhaseOutput::FillLocArray(int, MachSafePointNode*, Node*, GrowableArray<ScopeValue*>*, GrowableArray<ScopeValue*>*)+0x231 (output.cpp:729)
V [libjvm.so+0x1824acb] PhaseOutput::Process_OopMap_Node(MachNode*, int)+0x31b (output.cpp:1046)
V [libjvm.so+0x182871f] PhaseOutput::fill_buffer(C2_MacroAssembler*, unsigned int*)+0xe7f (output.cpp:1566)
V [libjvm.so+0x182b4f9] PhaseOutput::Output()+0xc59 (output.cpp:350)
V [libjvm.so+0xbacae7] Compile::Code_Gen()+0xa57 (compile.cpp:3135)
V [libjvm.so+0xbb2033] Compile::Compile(ciEnv*, ciMethod*, int, Options, DirectiveSet*)+0x2123 (compile.cpp:893)
V [libjvm.so+0x9cc6e8] C2Compiler::compile_method(ciEnv*, ciMethod*, int, bool, DirectiveSet*)+0x498 (c2compiler.cpp:147)
V [libjvm.so+0xbc1420] CompileBroker::invoke_compiler_on_method(CompileTask*)+0x780 (compileBroker.cpp:2345)
V [libjvm.so+0xbc2c80] CompileBroker::compiler_thread_loop()+0x530 (compileBroker.cpp:1989)
V [libjvm.so+0x1124d7b] JavaThread::thread_main_inner()+0x13b (javaThread.cpp:776)
V [libjvm.so+0x1ba9036] Thread::call_run()+0xb6 (thread.cpp:242)
V [libjvm.so+0x17fe7d8] thread_native_entry(Thread*)+0x118 (os_linux.cpp:860)
- caused by: JDK-8354383 C2: enable sinking of Type nodes out of loop (Resolved)
- duplicates: JDK-8373569 C2: assert(is_Call()) failed: invalid node class: Region (Closed)
- relates to: JDK-8370562 Whitebox Fuzzer for C2 (Open)