8335747: C2: fix overflow case for LoopLimit with constant inputs

eme64 · eme64 · commit f0af830f8506 · 2025-01-14T11:55:39.000Z
Reviewed-by: kvn, qamai
diff --git a/src/hotspot/share/opto/loopnode.cpp b/src/hotspot/share/opto/loopnode.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998, 2024, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1998, 2025, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -2552,11 +2552,15 @@ const Type* LoopLimitNode::Value(PhaseGVN* phase) const {
     jlong trip_count = (limit_con - init_con + stride_m)/stride_con;
     jlong final_con  = init_con + stride_con*trip_count;
     int final_int = (int)final_con;
-    // The final value should be in integer range since the loop
-    // is counted and the limit was checked for overflow.
-    // Assert checks for overflow only if all input nodes are ConINodes, as during CCP
-    // there might be a temporary overflow from PhiNodes see JDK-8309266
-    assert((in(Init)->is_ConI() && in(Limit)->is_ConI() && in(Stride)->is_ConI()) ? final_con == (jlong)final_int : true, "final value should be integer");
+    // The final value should be in integer range in almost all cases,
+    // since the loop is counted and the limit was checked for overflow.
+    // There some exceptions, for example:
+    // - During CCP, there might be a temporary overflow from PhiNodes, see JDK-8309266.
+    // - During PhaseIdealLoop::split_thru_phi, the LoopLimitNode floats possibly far above
+    //   the loop and its predicates, and we might get constants on one side of the phi that
+    //   would lead to overflows. Such a code path would never lead us to enter the loop
+    //   because of the loop limit overflow check that happens after the LoopLimitNode
+    //   computation with overflow, but before we enter the loop, see JDK-8335747.
     if (final_con == (jlong)final_int) {
       return TypeInt::make(final_int);
     } else {
@@ -2579,12 +2583,10 @@ Node *LoopLimitNode::Ideal(PhaseGVN *phase, bool can_reshape) {
   if (stride_con == 1)
     return nullptr;  // Identity
 
-  if (in(Init)->is_Con() && in(Limit)->is_Con())
-    return nullptr;  // Value
-
   // Delay following optimizations until all loop optimizations
   // done to keep Ideal graph simple.
   if (!can_reshape || !phase->C->post_loop_opts_phase()) {
+    phase->C->record_for_post_loop_opts_igvn(this);
     return nullptr;
   }
 
diff --git a/test/hotspot/jtreg/compiler/loopopts/TestLoopLimitOverflowDuringSplitThruPhi.java b/test/hotspot/jtreg/compiler/loopopts/TestLoopLimitOverflowDuringSplitThruPhi.java
@@ -0,0 +1,71 @@
+/*
+ * Copyright (c) 2025, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8335747
+ * @summary Integer overflow in LoopLimit::Value during PhaseIdealLoop::split_thru_phi
+ * @run main/othervm -Xbatch -XX:CompileCommand=compileonly,TestLoopLimitOverflowDuringSplitThruPhi::test
+ *                   compiler.loopopts.TestLoopLimitOverflowDuringSplitThruPhi
+ * @run driver compiler.loopopts.TestLoopLimitOverflowDuringSplitThruPhi
+ */
+
+package compiler.loopopts;
+
+public class TestLoopLimitOverflowDuringSplitThruPhi {
+    public static void main(String[] args) {
+        int[] a = new int[1005];
+        for (int i = 0; i < 20_000; i++) {
+            test(i % 2 == 0, a);
+        }
+    }
+
+    static void test(boolean flag, int[] a) {
+        int x = flag ? 1000 : 2147483647;
+        // Creates a Phi(1000, 2147483647)
+
+        // We do loop-predication, and add a
+        //   LoopLimitNode(init=0, limit=x, stride=4)
+        //
+        // Later, we find try to PhaseIdealLoop::split_thru_phi
+        // the LoopLimitNode, through the Phi(1000, 2147483647).
+        //
+        // This creates a temporary
+        //   LoopLimitNode(init=0, limit=2147483647, stride=4)
+        //
+        // And then we get this:
+        //   init_con 0
+        //   limit_con 2147483647
+        //   stride_con 4
+        //   trip_count 536870912
+        //   final_int -2147483648
+        //   final_con 2147483648
+        //
+        for (int i = 0; i < x; i+=4 /* works for at least 2..64 */) {
+            // Break before going out of bounds
+            // but with quadratic check to not affect limit.
+            if (i * i > 1000_000) { return; }
+            a[i] = 34;
+        }
+    }
+}
