8332920: C2: Partial Peeling is wrongly applied for CmpU with negative limit

[chhagedorn]

A signed test is wrongly split off an unsigned test during Partial Peeling which results in not entering a loop even though it should.

Idea of Partial Peeling

Partial Peeling rotates a loop with the hope to being able to convert the loop into a counted loop later. It is therefore preferable to use signed tests over unsigned tests because counted loops must use a signed loop exit test (i.e. with a BaseCountedLoopEnd).

Partial Peeling with Unsigned Test

However, if there is only a suitable unsigned test, we can still try to use it for Partial Peeling. The idea is to then split off a signed version of the unsigned test and place it right before the unsigned test which can then be used as a loop exit test and later as BaseCountedLoopEnd:

jdk/src/hotspot/share/opto/loopopts.cpp

Lines 3074 to 3080 in 0ea3bac

	// Loop:
	// <peeled section>
	// Signed Loop Exit Condition i < 0 or i >= limit
	// <-- CUT HERE -->
	// Unsigned Loop Exit Condition i >=u limit
	// <rest of unpeeled section>
	// goto Loop

Requirements for Using an Unsigned Test

The Signed and Unsigned Loop Exit Test do not need have the same result at runtime. It is sufficient if the Signed Loop Exit Test implies the Unsigned Loop Exit Test:

• If the Signed Loop Exit Test is false, then the (original) Unsigned Loop Exit Test will make sure to exit the loop if required.
• If the Signed Loop Exit Test is true, then the (original) Unsigned Loop Exit Test must also be true. Otherwise, we would exit a loop that we should have continued to execute.

The Requirements Are Currently Broken

This strong requirement for splitting off a signed test is currently broken as seen in the test cases (for example, testWhileLTIncr()): We split off the signed loop exit test i >= limit, then partial peel and we get the signed loop exit test i >= limit as entry guard to the loop which is wrong:

jdk/test/hotspot/jtreg/compiler/loopopts/TestPartialPeelAtUnsignedTestsNegativeLimit.java

Lines 159 to 178 in 0ea3bac

	// After Partial Peeling, we have:
	// if (i >= limit) goto Exit
	// Loop:
	// if (i >=u limit) goto Exit
	// ...
	// i++;
	// if (i >= limit) goto Exit
	// goto Loop
	// Exit:
	// ...
	//
	// If init = MAX_VALUE and limit = MIN_VALUE:
	// i >= limit
	// MAX_VALUE >= MIN_VALUE
	// which is true where
	// i >=u limit
	// MAX_VALUE >=u MIN_VALUE
	// MAX_VALUE >=u (uint)(MAX_INT + 1)
	// is false and we wrongly never enter the loop even though we should have.
	// This results in a wrong execution.

Why Are the Requirements Broken?

The reason is that

i >=u limit

can only be converted into the two signed comparisons

i < 0 || i >= limit

if limit is non-negative (i.e. limit >= 0):

jdk/src/hotspot/share/opto/loopopts.cpp

Lines 3054 to 3061 in 0ea3bac

	// Note that this does not hold for limit < 0:
	// Example with i = -3 and limit = -2:
	// i < 0
	// -2 < 0
	// is true and thus also "i < 0 || i >= limit". But
	// i >=u limit
	// -3 >=u -2
	// is false.

This is currently missing and we wrongly use i < 0 or i >= limit as split off signed test.

Fixing the Broken Requirements

To fix this, I've added a bailout when limit could be negative which is the same as checking if the type of limit contains a negative value:

jdk/src/hotspot/share/opto/loopopts.cpp

Lines 3062 to 3066 in 0ea3bac

	Node* limit = cmpu->in(2);
	const TypeInt* type_limit = _igvn.type(limit)->is_int();
	if (type_limit->_lo < 0) {
	return nullptr;
	}

Thanks,
Christian

---

Progress

• Change must be properly reviewed (1 review required, with at least 1 Reviewer)
• Change must not contain extraneous whitespace
• Commit message must refer to an issue

Issue

• JDK-8332920: C2: Partial Peeling is wrongly applied for CmpU with negative limit (Bug - P2)(⚠️ The fixVersion in this issue is [23] but the fixVersion in .jcheck/conf is 24, a new backport will be created when this pr is integrated.)

Reviewers

• Vladimir Kozlov (@vnkozlov - Reviewer) ⚠️ Review applies to e0a18f06
• Tobias Hartmann (@TobiHartmann - Reviewer) ⚠️ Review applies to 33d89249
• Emanuel Peter (@eme64 - Reviewer)

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk.git pull/19522/head:pull/19522
$ git checkout pull/19522

Update a local copy of the PR:
$ git checkout pull/19522
$ git pull https://git.openjdk.org/jdk.git pull/19522/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 19522

View PR using the GUI difftool:
$ git pr show -t 19522

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/19522.diff

Webrev

Link to Webrev Comment

[bridgekeeper]

👋 Welcome back chagedorn! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[openjdk]

@chhagedorn This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

8332920: C2: Partial Peeling is wrongly applied for CmpU with negative limit

Reviewed-by: kvn, thartmann, epeter

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 81 new commits pushed to the master branch:

• 2a37764: 8333743: Change .jcheck/conf branches property to match valid branches
• 75dc2f8: 8330182: Start of release updates for JDK 24
• 054362a: 8332550: [macos] Voice Over: java.awt.IllegalComponentStateException: component must be showing on the screen to determine its location
• 9b436d0: 8333674: Disable CollectorPolicy.young_min_ergo_vm for PPC64
• 487c477: 8333647: C2 SuperWord: some additional PopulateIndex tests
• d02cb74: 8333270: HandlersOnComplexResetUpdate and HandlersOnComplexUpdate tests fail with "Unexpected reference" if timeoutFactor is less than 1/3
• 02f2404: 8333560: -Xlint:restricted does not work with --release
• 606df44: 8332670: C1 clone intrinsic needs memory barriers
• 33fd6ae: 8333622: ubsan: relocInfo_x86.cpp:101:56: runtime error: pointer index expression with base (-1) overflowed
• 8de5d20: 8332865: ubsan: os::attempt_reserve_memory_between reports overflow
• ... and 71 more: https://git.openjdk.org/jdk/compare/91101f0d4fc8e06d0d74e06361db6ac87efeeb8e...master

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

➡️ To integrate this PR with the above commit message to the master branch, type /integrate in a new comment.

[openjdk]

@chhagedorn The following label will be automatically applied to this pull request:

• hotspot-compiler

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command.

[mlbridge]

Webrevs

• 04: Full - Incremental (fe4b8131)
• 03: Full - Incremental (e0a18f06)
• 02: Full - Incremental (21201f4e)
• 01: Full - Incremental (33d89249)
• 00: Full (0ea3bacf)

[vnkozlov]

Looks good.

[chhagedorn]

Thanks Vladimir for your review!

[TobiHartmann]

If the Signed Loop Exit Test is false, then the (original) Unsigned Loop Exit Test will make sure to exit the loop if required.

Is that comment incorrect then?

jdk/src/hotspot/share/opto/loopopts.cpp

Lines 2993 to 2994 in 2edb6d9

	// if and it's projections. The original if test is replaced with
	// a constant to force the stay-in-loop path.

[eme64]

More to come later

[eme64]

Could we come up with an alternative equation if limit < 0? And maybe even a combined condition? Not sure if that is helpful, but I'd like to think about it. Could also be a follow-up RFE.

[chhagedorn]

I have not thought about it, yet, but I also have a feeling that we might can do better. Since this is a P2 bug fix, I propose to do that separately in an RFE as you suggested.

[eme64]

Suggested change

	// - Stride < 0:
	// - stride < 0:

Stylistic decision, leave this to your

[eme64]

Suggested change

	// For stride < 0, we split off the signed loop exit condition
	// For stride < 0, we insert off the signed loop exit condition

Why do you say "split", we are inserting this extra check, right? Or is the idea that the "rotation" puts this new condition as the last check, hence the exit check in the loop body? Being a big more explicit could help here.

[eme64]

There is not litterally an OR here, right? It's a bit confusing.

[TobiHartmann]

Looks great otherwise. Nice test and proof!

[TobiHartmann]

Suggested change

	// Signed Loop Exit Condition i < 0 or i >= limit
	// Signed Loop Exit Condition i < 0 (or i >= limit)

[TobiHartmann]

Suggested change

	// Signed Loop Exit Condition i < 0 or i >= limit
	// Signed Loop Exit Condition i < 0 (or i >= limit)

[TobiHartmann]

Suggested change

	// Signed Loop Exit Condition i < 0 or i >= limit
	// Signed Loop Exit Condition i < 0 (or i >= limit)

[TobiHartmann]

As we discussed, rephrase this as counterexample.

[TobiHartmann]

As we discussed, an intermediate step in the proof would be good here.

[TobiHartmann]

Nice! That looks good to me.

[chhagedorn]

Thanks Tobias for your review!

[eme64]

what is this?

[chhagedorn]

This dummy-if is created with insert_region_before_proj() such that we can have a region between the exit projection (exit-proj) of the original unsigned loop exit test and the If node while keeping both the If and the exit-proj. Also see:

jdk/src/hotspot/share/opto/loopopts.cpp

Lines 2934 to 2960 in cbb6747

	//------------------------------ insert_region_before_proj -------------------------------------
	// Insert a region before an if projection (* - new node)
	//
	// before
	// if(test)
	// / |
	// v |
	// proj v
	// other-proj
	//
	// after
	// if(test)
	// / |
	// v |
	// * proj-clone v
	// | other-proj
	// v
	// * new-region
	// |
	// v
	// * dum_if
	// / \
	// v \
	// * dum-proj v
	// proj
	//
	RegionNode* PhaseIdealLoop::insert_region_before_proj(ProjNode* proj) {

[eme64]

Could you also add a randomized input test here, that plays close to the boundaries? Just to make sure we would catch things like some off-by one errors.

[chhagedorn]

Good idea, I've added some random test and computed the number of iteration that I expect. I only did it for the interesting cases.

[vnkozlov]

Update is good.

[eme64]

Nice work with the proofs, good work @chhagedorn !

[eme64]

Still, I don't see this dummy-if mentioned in any of the comments. Can you add a comment line about what this is, and where it comes from?

[chhagedorn]

Fair point, added a note.

[chhagedorn]

Thanks Vladimir and Emanuel for your reviews!

I've submitted some sanity performance testing since we could now be bailing out more. I'm not sure though how much else we could do if there are some performance regressions.

[chhagedorn]

Performance testing looked good. Thanks again for your careful reviews!

/integrate

[openjdk]

Going to push as commit ef101f1.
Since your change was applied there have been 131 commits pushed to the master branch:

• 2843745: 8333972: Parallel: Remove unused methods in PSOldGen
• 93f3918: 8333954: Parallel: Remove unused arguments of type ParCompactionManager*
• 788b876: 8333917: G1: Refactor G1CollectedHeap::register_old_region_with_region_attr
• 0e4d4a0: 8320725: AArch64: C2: Add "requires_strict_order" flag for floating-point add and mul reduction
• badf1cb: 8331675: gtest CollectorPolicy.young_min_ergo_vm fails after 8272364
• 4d6064a: 8333649: Allow different NativeCall encodings
• fe9c63c: 8333931: Problemlist serviceability/jvmti/vthread/CarrierThreadEventNotification
• 41c88bc: 8333756: java/lang/instrument/NativeMethodPrefixApp.java failed due to missing intrinsic
• 3a01b47: 8330205: Initial troff manpage generation for JDK 24
• 9691153: 8329141: Obsolete RTM flags and code
• ... and 121 more: https://git.openjdk.org/jdk/compare/91101f0d4fc8e06d0d74e06361db6ac87efeeb8e...master

Your commit was automatically rebased without conflicts.

[openjdk]

@chhagedorn Pushed as commit ef101f1.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.

[chhagedorn]

/backport jdk:jdk23

[openjdk]

@chhagedorn the backport was successfully created on the branch backport-chhagedorn-ef101f1b-jdk23 in my personal fork of openjdk/jdk. To create a pull request with this backport targeting openjdk/jdk:jdk23, just click the following link:

➡️ Create pull request

The title of the pull request is automatically filled in correctly and below you find a suggestion for the pull request body:

Hi all,

This pull request contains a backport of commit ef101f1b from the openjdk/jdk repository.

The commit being backported was authored by Christian Hagedorn on 11 Jun 2024 and was reviewed by Vladimir Kozlov, Tobias Hartmann and Emanuel Peter.

Thanks!

If you need to update the source branch of the pull then run the following commands in a local clone of your personal fork of openjdk/jdk:

$ git fetch https://github.com/openjdk-bots/jdk.git backport-chhagedorn-ef101f1b-jdk23:backport-chhagedorn-ef101f1b-jdk23
$ git checkout backport-chhagedorn-ef101f1b-jdk23
# make changes
$ git add paths/to/changed/files
$ git commit --message 'Describe additional changes made'
$ git push https://github.com/openjdk-bots/jdk.git backport-chhagedorn-ef101f1b-jdk23

⚠️ @chhagedorn You are not yet a collaborator in my fork openjdk-bots/jdk. An invite will be sent out and you need to accept it before you can proceed.