JDK-7174363 : Arrays.copyOfRange leads to VM crash with -Xcomp -server if executed by testing framework
  • Type: Bug
  • Component: hotspot
  • Sub-Component: compiler
  • Affected Version: 8
  • Priority: P2
  • Status: Closed
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2012-06-05
  • Updated: 2013-06-26
  • Resolved: 2012-07-03
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 7 JDK 8 Other
7u40Resolved 8Fixed hs23.2Fixed
Description
-- Please redispatch to VM if needed ----------

The VM crash happens with "-Xcomp -server" on

OS: Windows, Solaris
JDK: 6u21, 6u23, 7b147RI, 7u3, 8b32, 8b40, 8b41
-----------------------------------------------

! Crash is NOT reproducible on:
! JDK 1.6b105RI, 8b20


To see the crash please compile and execute 
the attached standalone code sample CopyOfObject.java
with "-Xcomp -server"
which includes the testcase itself and the testing framework embedded.

The problem happens with method

     Arrays.copyOfRange()

when ArrayIndexOutOfBoundsException is expected by the testcase.

VM crash happens only when some setup work is done by the testing framework 
and the testcase is executed by the framework, not directly.


Please note that the "testing framework" bundled together with test sample is not functional - it serves only for crash reproduction.
The tests are quite new in JCK8. 
To reproduce the failure one could use the following command:

/set/java/re/jdk/6/promoted/latest/binaries/solaris-i586/bin/java -jar /set/java/re/jck/8/nightly/binaries/b10-2012-06-07/JCK-runtime-8/lib/jtjck.jar -verbose -extra:/set/java/re/jck/8/promoted/latest/extra -mode:multi -JDK:/set/java/re/jdk/8/promoted/latest/binaries/solaris-i586 -nojtx -vmoptions:"-Xcomp" api/java_util/Arrays/CopyOfObjectTests_indexTGF.html#CopyOfObjectTests
The JCK test triggers another problem with Arrays.CopyOfRange():

Expected exception java.lang.IllegalArgumentException was not thrown by testcase "copyOfRange004A"
"java.lang.NegativeArraySizeException" was thrown instead
java.lang.NegativeArraySizeException
        at javasoft.sqe.tests.api.java.util.Arrays.CopyOfObjectTests.copyOfRange004A(CopyOfObjectTests.java:373)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:474)
        at com.sun.tck.lib.tgf.Util.invokeMethod(Util.java:352)
        at com.sun.tck.lib.tgf.Runner.invokeTestCase(Runner.java:276)
        at com.sun.tck.lib.tgf.Runner.performRunWithData(Runner.java:246)
        at com.sun.tck.lib.tgf.Runner.getDataAndRun(Runner.java:185)
        at com.sun.tck.lib.tgf.Runner.executeTestMethods(Runner.java:130)
        at com.sun.tck.lib.tgf.Runner.run(Runner.java:116)
        at com.sun.tck.lib.tgf.Runner.execute(Runner.java:108)
        at com.sun.tck.lib.tgf.TGFTest.run(TGFTest.java:58)
        at com.sun.tck.lib.tgf.TGFTest.run(TGFTest.java:64)
        at javasoft.sqe.tests.api.java.util.Arrays.CopyOfObjectTests.main(CopyOfObjectTests.java:29)
Testcase "copyOfRange004A" failed with arguments [7, 6]
copyOfRange004A: Failed. test cases: 2; passed: 1; failed: 1; first test case failure: copyOfRange004A
The testcase source:

    @TestCase
    @TestData("illegalArgument")
    @ExpectedExceptions(IllegalArgumentException.class)
    public void copyOfRange004A(int from, int to) {
        final Object[] array = {"6", "7", "8", "9", "10"};
        Arrays.copyOfRange(array, from, to, String[].class);
    }

Comments
EVALUATION http://hg.openjdk.java.net/lambda/lambda/hotspot/rev/eeb819cf36e5
29-06-2012

EVALUATION http://hg.openjdk.java.net/hsx/hsx23.2/hotspot/rev/abddf1ce3c6b
27-06-2012

EVALUATION http://hg.openjdk.java.net/hsx/hotspot-comp/hotspot/rev/eeb819cf36e5
18-06-2012

EVALUATION Also: if from > to in copyOfRange(..., int from, int to) the intrinsics code lets the array allocation handle the negative length to - from which results in the wrong exception being thrown.
12-06-2012

EVALUATION The intrinsified Arrays.copyOfRange(original, from, to) uses min(original.length - from, allocated_array.length) as the number of elements to copy. If from > original.length, this number is negative but generate_arraycopy() is called with length_never_negative set to true.
07-06-2012