Skip to content

Commit

Permalink
8269795: C2: Out of bounds array load floats above its range check in…
Browse files Browse the repository at this point in the history
… loop peeling resulting in SEGV

Reviewed-by: roland
Backport-of: 040c02b
  • Loading branch information
TheRealMDoerr committed Jul 28, 2021
1 parent 69697b3 commit 6e60332
Show file tree
Hide file tree
Showing 2 changed files with 89 additions and 18 deletions.
40 changes: 22 additions & 18 deletions src/hotspot/share/opto/loopTransform.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -381,35 +381,39 @@ bool IdealLoopTree::policy_peeling( PhaseIdealLoop *phase ) const {
// If we got the effect of peeling, either by actually peeling or by making
// a pre-loop which must execute at least once, we can remove all
// loop-invariant dominated tests in the main body.
void PhaseIdealLoop::peeled_dom_test_elim( IdealLoopTree *loop, Node_List &old_new ) {
void PhaseIdealLoop::peeled_dom_test_elim(IdealLoopTree* loop, Node_List& old_new) {
bool progress = true;
while( progress ) {
progress = false; // Reset for next iteration
Node *prev = loop->_head->in(LoopNode::LoopBackControl);//loop->tail();
Node *test = prev->in(0);
while( test != loop->_head ) { // Scan till run off top of loop

while (progress) {
progress = false; // Reset for next iteration
Node* prev = loop->_head->in(LoopNode::LoopBackControl); // loop->tail();
Node* test = prev->in(0);
while (test != loop->_head) { // Scan till run off top of loop
int p_op = prev->Opcode();
if( (p_op == Op_IfFalse || p_op == Op_IfTrue) &&
test->is_If() && // Test?
!test->in(1)->is_Con() && // And not already obvious?
// Condition is not a member of this loop?
!loop->is_member(get_loop(get_ctrl(test->in(1))))){
assert(test != NULL, "test cannot be NULL");
Node* test_cond = NULL;
if ((p_op == Op_IfFalse || p_op == Op_IfTrue) && test->is_If()) {
test_cond = test->in(1);
}
if (test_cond != NULL && // Test?
!test_cond->is_Con() && // And not already obvious?
// And condition is not a member of this loop?
!loop->is_member(get_loop(get_ctrl(test_cond)))) {
// Walk loop body looking for instances of this test
for( uint i = 0; i < loop->_body.size(); i++ ) {
Node *n = loop->_body.at(i);
if( n->is_If() && n->in(1) == test->in(1) /*&& n != loop->tail()->in(0)*/ ) {
for (uint i = 0; i < loop->_body.size(); i++) {
Node* n = loop->_body.at(i);
// Check against cached test condition because dominated_by()
// replaces the test condition with a constant.
if (n->is_If() && n->in(1) == test_cond) {
// IfNode was dominated by version in peeled loop body
progress = true;
dominated_by( old_new[prev->_idx], n );
dominated_by(old_new[prev->_idx], n);
}
}
}
prev = test;
test = idom(test);
} // End of scan tests in loop

} // End of while( progress )
} // End of while (progress)
}

//------------------------------do_peeling-------------------------------------
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,67 @@
/*
* Copyright (c) 2021, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/

/*
* @test
* @key stress
* @requires vm.compiler2.enabled
* @bug 8269795
* @summary PhaseIdealLoop::peeled_dom_test_elim wrongly moves a non-dominated test out of a loop together with control dependent data nodes.
* This results in a crash due to an out of bounds read of an array.
* @run main/othervm -XX:+UnlockDiagnosticVMOptions -Xcomp -XX:-TieredCompilation -XX:+StressGCM
* -XX:CompileCommand=compileonly,compiler.loopopts.TestPeelingRemoveDominatedTest compiler.loopopts.TestPeelingRemoveDominatedTest
*/

package compiler.loopopts;

public class TestPeelingRemoveDominatedTest {
public static int N = 400;
static boolean bFld = true;
static int iArrFld[] = new int[N];

public static void main(String[] strArr) {
TestPeelingRemoveDominatedTest _instance = new TestPeelingRemoveDominatedTest();
for (int i = 0; i < 10; i++) {
_instance.mainTest();
}
}

public void mainTest() {
vMeth();
}


static void vMeth() {
iArrFld[1] = 2;
int i6 = 2;
while (--i6 > 0) {
try {
int i3 = (iArrFld[i6 - 1] / 56);
iArrFld[1] = (-139 % i3);
} catch (ArithmeticException a_e) {
}
if (bFld) {
}
}
}
}

1 comment on commit 6e60332

@openjdk-notifier
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please sign in to comment.