8283408: Fix a C2 crash when filling arrays with unsafe #7884
Conversation
We recently found a segmentation fault issue in C2 compiler with some
code that uses Java Unsafe API to initialize an array in a loop. It can
be reproduced by below code snippet compiled by C2 on AArch64. It's also
reproducible on x86 with an additional VM option "-XX:+OptimizeFill".
byte[] arr = new byte[size];
int offset = unsafe.arrayBaseOffset(byte[].class);
for (int i = offset; i < offset + size; i++) {
unsafe.putByte(arr, i, val);
}
This issue is caused by a NULL pointer in a C2 loop optimization phase
called intrinsify_fill. In this phase, array filling loop patterns are
recognized and replaced by some intrinsics. But filling operations with
Unsafe API call are not handled very well. From C2 mid-end's point of
view, a difference between an Unsafe call and a normal array access like
`arr[i] = val` is element addressing. For normal array accesses, C2 uses
two AddP nodes for computing an element's address - one for adding array
header size and another for adding the element's relative offset from
the header. But Unsafe calls may have only one AddP node for adding an
absolute offset of an element from the array base. In current code, the
intrinsify_fill phase creates an AddP node but with NULL input for above
case and eventually causes a segmentation fault.
In this patch, we add a check to allow one AddP node in array filling
patterns to be optional. After this fix, the case above can be optimized
by intrinsify_fill as well. We know that the Unsafe call is rarely used
in Java application code and developers should use it at their own risk.
But we still propose this fix because C2 crashes even Unsafe is used in
a correct way.
Jtreg hotspot::hotspot_all_no_apps, jdk::tier1~3 and langtools::tier1
are tested and no issue is found. We also create a new jtreg case within
this patch.
|
👋 Welcome back pli! A progress list of the required criteria for merging this PR into |
Webrevs
|
|
@pfustc This change now passes all automated pre-integration checks. ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details. After integration, the commit message for the final commit will be: You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed. At the time when this comment was updated there had been 30 new commits pushed to the
As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details. ➡️ To integrate this PR with the above commit message to the |
Thanks Roland. Can I have another review? The failure with my latest commit looks like some build system issue. My first patch passes all tests. |
|
/integrate |
|
Going to push as commit a6740c0.
Your commit was automatically rebased without conflicts. |
openjdk
bot
removed
ready
We recently found a segmentation fault issue in C2 compiler with some
code that uses Java Unsafe API to initialize an array in a loop. It can
be reproduced by below code snippet compiled by C2 on AArch64. It's also
reproducible on x86 with an additional VM option "-XX:+OptimizeFill".
This issue is caused by a NULL pointer in a C2 loop optimization phase
called intrinsify_fill. In this phase, array filling loop patterns are
recognized and replaced by some intrinsics. But filling operations with
Unsafe API call are not handled very well. From C2 mid-end's point of
view, a difference between an Unsafe call and a normal array access like
arr[i] = valis element addressing. For normal array accesses, C2 usestwo AddP nodes for computing an element's address - one for adding array
header size and another for adding the element's relative offset from
the header. But Unsafe calls may have only one AddP node for adding an
absolute offset of an element from the array base. In current code, the
intrinsify_fill phase creates an AddP node but with NULL input for above
case and eventually causes a segmentation fault.
In this patch, we add a check to allow one AddP node in array filling
patterns to be optional. After this fix, the case above can be optimized
by intrinsify_fill as well. We know that the Unsafe call is rarely used
in Java application code and developers should use it at their own risk.
But we still propose this fix because C2 crashes even Unsafe is used in
a correct way.
Jtreg hotspot::hotspot_all_no_apps, jdk::tier1~3 and langtools::tier1
are tested and no issue is found. We also create a new jtreg case within
this patch.
Progress
Issue
Reviewers
Reviewing
Using
gitCheckout this PR locally:
$ git fetch https://git.openjdk.java.net/jdk pull/7884/head:pull/7884$ git checkout pull/7884Update a local copy of the PR:
$ git checkout pull/7884$ git pull https://git.openjdk.java.net/jdk pull/7884/headUsing Skara CLI tools
Checkout this PR locally:
$ git pr checkout 7884View PR using the GUI difftool:
$ git pr show -t 7884Using diff file
Download this PR as a diff file:
https://git.openjdk.java.net/jdk/pull/7884.diff