JDK-8134918 : C2: Type speculation produces mismatched unsafe accesses
  • Type: Bug
  • Component: hotspot
  • Sub-Component: compiler
  • Affected Version: 8u60,9
  • Priority: P2
  • Status: Closed
  • Resolution: Fixed
  • OS: linux_ubuntu
  • CPU: x86_64
  • Submitted: 2015-08-27
  • Updated: 2017-11-29
  • Resolved: 2016-04-25
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 8 JDK 9
8u152Fixed 9 b120Fixed
Related Reports
Relates :  
JDK-8020750 - Node::get_int: guarantee(t != NULL) failed: must be con
Description
FULL PRODUCT VERSION :
JRE version: Java(TM) SE Runtime Environment (8.0_60-b27) (build 1.8.0_60-b27)

FULL OS VERSION :
Linux XXXXXXXX 3.13.0-33-generic #58-Ubuntu SMP Tue Jul 29 16:45:05 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

A DESCRIPTION OF THE PROBLEM :
During application start a file is loaded and deserialized which leads reproducible to the crash.

	public void readSomeFile(File dir) {
		final long start = System.currentTimeMillis();
		try (FileInputStream fis = new FileInputStream(new File(dir, FILENAME_XXX)); ObjectInputStream in = new ObjectInputStream(fis)) {
			snap = (XXXMap<String, Map<String, Map<Transaction, Map<ACounter, ACounter>>>>) in
					.readObject();
			logSnap();
		} catch (Exception e) {
			log.info("cannot read snap " + ExceptionHelper.getMessage(e));
			snap = null;
		}
	}

THE PROBLEM WAS REPRODUCIBLE WITH -Xint FLAG: Did not try

THE PROBLEM WAS REPRODUCIBLE WITH -server FLAG: Yes

REGRESSION.  Last worked in version 7u80

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
See code snippet -> snap

ERROR MESSAGES/STACK TRACES THAT OCCUR :
#
# A fatal error has been detected by the Java Runtime Environment:
#
#  Internal Error (node.hpp:960), pid=20216, tid=140385568417536
#  guarantee(t != NULL) failed: must be con
#
# JRE version: Java(TM) SE Runtime Environment (8.0_60-b27) (build 1.8.0_60-b27)
# Java VM: Java HotSpot(TM) 64-Bit Server VM (25.60-b23 mixed mode linux-amd64 compressed oops)
# Failed to write core dump. Core dumps have been disabled. To enable core dumping, try "ulimit -c unlimited" before starting Java again
#
# If you would like to submit a bug report, please visit:
#   http://bugreport.java.com/bugreport/crash.jsp
#

---------------  T H R E A D  ---------------

Current thread (0x00007fafb189b800):  JavaThread "C2 CompilerThread8" daemon [_thread_in_native, id=20309, stack(0x00007fae0fdfe000,0x00007fae0feff000)]

Stack: [0x00007fae0fdfe000,0x00007fae0feff000],  sp=0x00007fae0fef9c30,  free space=1007k
Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
V  [libjvm.so+0xab97ea]  VMError::report_and_die()+0x2ba
V  [libjvm.so+0x4f93c2]  report_vm_error(char const*, int, char const*, char const*)+0x62
V  [libjvm.so+0x2b0eaf]  Node::get_int() const+0x3f
V  [libjvm.so+0x634409]  IfNode::fold_compares(PhaseGVN*)+0xa9
V  [libjvm.so+0x6356c7]  IfNode::Ideal(PhaseGVN*, bool)+0x627
V  [libjvm.so+0x966e2c]  PhaseIterGVN::transform_old(Node*)+0x7c
V  [libjvm.so+0x9645ec]  PhaseIterGVN::optimize()+0x1bc
V  [libjvm.so+0x4a1019]  Compile::Optimize()+0x159
V  [libjvm.so+0x4a2e5a]  Compile::Compile(ciEnv*, C2Compiler*, ciMethod*, int, bool, bool, bool)+0x13ca
V  [libjvm.so+0x3f0718]  C2Compiler::compile_method(ciEnv*, ciMethod*, int)+0x198
V  [libjvm.so+0x4ad34a]  CompileBroker::invoke_compiler_on_method(CompileTask*)+0xc9a
V  [libjvm.so+0x4ae2f6]  CompileBroker::compiler_thread_loop()+0x5d6
V  [libjvm.so+0xa68f3f]  JavaThread::thread_main_inner()+0xdf
V  [libjvm.so+0xa6906c]  JavaThread::run()+0x11c
V  [libjvm.so+0x91cb88]  java_start(Thread*)+0x108
C  [libpthread.so.0+0x8182]  start_thread+0xc2


Current CompileTask:
C2:  12142 4786   !   4       java.io.ObjectInputStream::readObject0 (554 bytes)

REPRODUCIBILITY :
This bug can be reproduced always.
Comments
Workaround: -XX:-UseTypeSpeculation
31-03-2016
With fastdebug binaries it hits an assert first: # Internal Error (/home/prod/jdk8u/hotspot/src/share/vm/opto/type.hpp:1567), pid=8652, tid=0x00007f391c6d2700 # assert(_base >= OopPtr && _base <= AryPtr) failed: Not a Java pointer V [libjvm.so+0x5a2881] Type::is_oopptr() const+0x61 V [libjvm.so+0x8ae305] GraphKit::store_oop_to_unknown(Node*, Node*, Node*, TypePtr const*, Node*, BasicType, MemNode::MemOrd)+0x325 V [libjvm.so+0xb91d4a] LibraryCallKit::inline_unsafe_access(bool, bool, BasicType, bool)+0xc6a V [libjvm.so+0xba571c] LibraryCallKit::try_to_inline(int)+0x80c V [libjvm.so+0xba5de2] LibraryIntrinsic::generate(JVMState*)+0x1f2 V [libjvm.so+0x7c0668] Parse::do_call()+0x448 4 java.io.ObjectInputStream::readOrdinaryObject (277 bytes) @ 181 java.io.ObjectInputStream::readSerialData (292 bytes) @ 223 java.io.ObjectInputStream::defaultReadFields (199 bytes) @ 189 java.io.ObjectStreamClass::setObjFieldValues (10 bytes) @ 6 java.io.ObjectStreamClass$FieldReflector::setObjFieldValues (248 bytes) @ 227 sun.misc.Unsafe::putObject (0 bytes) (intrinsic) Unsafe::putObject intrinsic tries to store an oop into int[]: Node* GraphKit::store_oop_to_unknown(Node* ctl, Node* obj, // containing obj Node* adr, // actual adress to store val at const TypePtr* adr_type, Node* val, BasicType bt, MemNode::MemOrd mo) { adr_type: int[int:>=0]:NotNull:exact+any * obj: 11368 CheckCastPP === 11366 8996 #int[int:>=0]:NotNull:exact * !jvms: ObjectInputStream::defaultReadFields @ bci:15 ObjectInputStream::readSerialData @ bci:223 ObjectInputStream::readOrdinaryObject @ bci:181 8996 CastPP === 8995 1629 # Oop:java/lang/Object:NotNull * (speculative=int[int:>=0]:NotNull:exact * (inline_depth=2)) !jvms: ObjectInputStream::readSerialData @ bci:35 ObjectInputStream::readOrdinaryObject @ bci:181
31-03-2016
Not enough information provided to find the root cause.
01-03-2016