United StatesChange Country, Oracle Worldwide Web Sites Communities I am a... I want to...
Bug ID: JDK-7174363 Arrays.copyOfRange leads to VM crash with -Xcomp -server if executed by testing framework
JDK-7174363 : Arrays.copyOfRange leads to VM crash with -Xcomp -server if executed by testing framework

Details
Type:
Bug
Submit Date:
2012-06-05
Status:
Resolved
Updated Date:
2013-04-25
Project Name:
JDK
Resolved Date:
2012-07-03
Component:
hotspot
OS:
generic
Sub-Component:
compiler
CPU:
generic
Priority:
P2
Resolution:
Fixed
Affected Versions:
8
Fixed Versions:
hs24 (b15)

Related Reports
Backport:
Backport:
Backport:
Backport:
Backport:

Sub Tasks

Description
-- Please redispatch to VM if needed ----------

The VM crash happens with "-Xcomp -server" on

OS: Windows, Solaris
JDK: 6u21, 6u23, 7b147RI, 7u3, 8b32, 8b40, 8b41
-----------------------------------------------

! Crash is NOT reproducible on:
! JDK 1.6b105RI, 8b20


To see the crash please compile and execute 
the attached standalone code sample CopyOfObject.java
with "-Xcomp -server"
which includes the testcase itself and the testing framework embedded.

The problem happens with method

     Arrays.copyOfRange()

when ArrayIndexOutOfBoundsException is expected by the testcase.

VM crash happens only when some setup work is done by the testing framework 
and the testcase is executed by the framework, not directly.


Please note that the "testing framework" bundled together with test sample is not functional - it serves only for crash reproduction.
The tests are quite new in JCK8. 
To reproduce the failure one could use the following command:

/set/java/re/jdk/6/promoted/latest/binaries/solaris-i586/bin/java -jar /set/java/re/jck/8/nightly/binaries/b10-2012-06-07/JCK-runtime-8/lib/jtjck.jar -verbose -extra:/set/java/re/jck/8/promoted/latest/extra -mode:multi -JDK:/set/java/re/jdk/8/promoted/latest/binaries/solaris-i586 -nojtx -vmoptions:"-Xcomp" api/java_util/Arrays/CopyOfObjectTests_indexTGF.html#CopyOfObjectTests
The JCK test triggers another problem with Arrays.CopyOfRange():

Expected exception java.lang.IllegalArgumentException was not thrown by testcase "copyOfRange004A"
"java.lang.NegativeArraySizeException" was thrown instead
java.lang.NegativeArraySizeException
        at javasoft.sqe.tests.api.java.util.Arrays.CopyOfObjectTests.copyOfRange004A(CopyOfObjectTests.java:373)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:474)
        at com.sun.tck.lib.tgf.Util.invokeMethod(Util.java:352)
        at com.sun.tck.lib.tgf.Runner.invokeTestCase(Runner.java:276)
        at com.sun.tck.lib.tgf.Runner.performRunWithData(Runner.java:246)
        at com.sun.tck.lib.tgf.Runner.getDataAndRun(Runner.java:185)
        at com.sun.tck.lib.tgf.Runner.executeTestMethods(Runner.java:130)
        at com.sun.tck.lib.tgf.Runner.run(Runner.java:116)
        at com.sun.tck.lib.tgf.Runner.execute(Runner.java:108)
        at com.sun.tck.lib.tgf.TGFTest.run(TGFTest.java:58)
        at com.sun.tck.lib.tgf.TGFTest.run(TGFTest.java:64)
        at javasoft.sqe.tests.api.java.util.Arrays.CopyOfObjectTests.main(CopyOfObjectTests.java:29)
Testcase "copyOfRange004A" failed with arguments [7, 6]
copyOfRange004A: Failed. test cases: 2; passed: 1; failed: 1; first test case failure: copyOfRange004A
The testcase source:

    @TestCase
    @TestData("illegalArgument")
    @ExpectedExceptions(IllegalArgumentException.class)
    public void copyOfRange004A(int from, int to) {
        final Object[] array = {"6", "7", "8", "9", "10"};
        Arrays.copyOfRange(array, from, to, String[].class);
    }

                                    

Comments
EVALUATION

The intrinsified Arrays.copyOfRange(original, from, to) uses min(original.length - from, allocated_array.length) as the number of elements to copy. If from > original.length, this number is negative but generate_arraycopy() is called with length_never_negative set to true.
                                     
2012-06-07
EVALUATION

Also: if from > to in copyOfRange(..., int from, int to) the intrinsics code lets the array allocation handle the negative length to - from which results in the wrong exception being thrown.
                                     
2012-06-12
EVALUATION

http://hg.openjdk.java.net/hsx/hotspot-comp/hotspot/rev/eeb819cf36e5
                                     
2012-06-18
EVALUATION

http://hg.openjdk.java.net/hsx/hsx23.2/hotspot/rev/abddf1ce3c6b
                                     
2012-06-27
EVALUATION

http://hg.openjdk.java.net/lambda/lambda/hotspot/rev/eeb819cf36e5
                                     
2012-06-29



Hardware and Software, Engineered to Work Together