ADDITIONAL SYSTEM INFORMATION :
Software:
System Software Overview:
System Version: Ubuntu 22.04.4 LTS
Kernel Version: 4.15.0-45-generic
Boot Volume: overlay
Boot Mode: Legacy BIOS
Computer Name: 899309ef3feb
User Name: root
Time since boot: 21 weeks, 2 days, 6 hours, 47 minutes
Hardware:
Hardware Overview:
Model: Unknown
Model Identifier: Unknown
Chip: Intel(R) Xeon(R) CPU E5-2640 v4 @ 2.40GHz
Total Number of Cores: 40 (10 physical x 2 logical)
Memory: 125Gi
System Firmware Version: Unknown
A DESCRIPTION OF THE PROBLEM :
I discovered a correctness bug in HotSpot where the JIT compiler fails to execute the catch block correctly in a hot loop, leading to an incorrect integer result.
The test case involves a loop that iterates 10,000 times. Inside the loop, new StringBuilder(-1) is called, which is guaranteed to throw a NegativeArraySizeException (an implicit runtime exception). The catch block increments a counter (sum) by 10 for each iteration.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Compile Test.java.
2. Run java -Xcomp Test.
---------- BEGIN SOURCE ----------
public class Test {
static String m() {
StringBuilder sb = new StringBuilder(-1);
return sb.toString();
}
public static void main(String[] args) {
int sum = 0;
for (int i = 0; i < 10000; ++i) {
try {
m();
} catch (Throwable e) {
for (int j = 0; j < 10; j++) {
sum += 1;
}
}
}
System.out.println(sum);
}
}
---------- END SOURCE ----------
FREQUENCY :
ALWAYS
Software:
System Software Overview:
System Version: Ubuntu 22.04.4 LTS
Kernel Version: 4.15.0-45-generic
Boot Volume: overlay
Boot Mode: Legacy BIOS
Computer Name: 899309ef3feb
User Name: root
Time since boot: 21 weeks, 2 days, 6 hours, 47 minutes
Hardware:
Hardware Overview:
Model: Unknown
Model Identifier: Unknown
Chip: Intel(R) Xeon(R) CPU E5-2640 v4 @ 2.40GHz
Total Number of Cores: 40 (10 physical x 2 logical)
Memory: 125Gi
System Firmware Version: Unknown
A DESCRIPTION OF THE PROBLEM :
I discovered a correctness bug in HotSpot where the JIT compiler fails to execute the catch block correctly in a hot loop, leading to an incorrect integer result.
The test case involves a loop that iterates 10,000 times. Inside the loop, new StringBuilder(-1) is called, which is guaranteed to throw a NegativeArraySizeException (an implicit runtime exception). The catch block increments a counter (sum) by 10 for each iteration.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Compile Test.java.
2. Run java -Xcomp Test.
---------- BEGIN SOURCE ----------
public class Test {
static String m() {
StringBuilder sb = new StringBuilder(-1);
return sb.toString();
}
public static void main(String[] args) {
int sum = 0;
for (int i = 0; i < 10000; ++i) {
try {
m();
} catch (Throwable e) {
for (int j = 0; j < 10; j++) {
sum += 1;
}
}
}
System.out.println(sum);
}
}
---------- END SOURCE ----------
FREQUENCY :
ALWAYS
- duplicates
-
JDK-8271459 C2: Missing NegativeArraySizeException when creating StringBuilder with negative capacity
-
- Closed
-