JDK-8057758 : Tests run TypeProfileLevel=222 crash with guarantee(0) failed: must find derived/base pair
  • Type: Bug
  • Component: hotspot
  • Sub-Component: compiler
  • Affected Version: 9
  • Priority: P2
  • Status: Closed
  • Resolution: Fixed
  • Submitted: 2014-09-08
  • Updated: 2017-08-07
  • Resolved: 2014-09-09
Versions: 8u40 (Fixed), 9 b32 (Fixed)
#  Internal Error (/space/rwestrel/jdk9-repo/hotspot/src/share/vm/opto/buildOopMap.cpp:295), pid=28993, tid=140587863893760
#  guarantee(0) failed: must find derived/base pair

when running vm/compiler/AESIntrinsics/CheckIntrinsics for instance with -Xcomp -XX:TypeProfileLevel=222
Verified the fix with: /net/sqenfs-1/export1/tools/ute/bin/ute -component vm -jdk $JAVA_HOME -bits d64 -vmflavor server -vmmode comp -vmopts "-d64 -Xcomp -XX:TypeProfileLevel=222" -jdkarch solaris-amd64 -test vm/compiler/AESIntrinsics/CheckIntrinsics

It produces the same array type as in the original suggested fix.

I am pushing this fix: +++ b/src/share/vm/opto/library_call.cpp @@ -4984,7 +4984,8 @@ // Allocate the result array Node* zlen = _gvn.transform(new AddINode(xlen, ylen)); - Node* klass_node = makecon(TypeKlassPtr::make(ciTypeArrayKlass::make(T_INT))); + ciKlass* klass = ciTypeArrayKlass::make(T_INT); + Node* klass_node = makecon(TypeKlassPtr::make(klass)); IdealKit ideal(this); @@ -5018,7 +5019,8 @@ sync_kit(ideal); z = __ value(z_alloc); - _gvn.set_type(z, TypeAryPtr::INTS); + // Can't use TypeAryPtr::INTS which uses Bottom offset. + _gvn.set_type(z, TypeOopPtr::make_from_klass(klass)); // Final sync IdealKit and GraphKit. final_sync(ideal); #undef __
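Review bot: in the second hunk (`@@ -5018,7 +5019,8 @@`), the new comment says TypeAryPtr::INTS "uses Bottom offset" but not what breaks because of it; naming the failure there (the "must find derived/base pair" guarantee in buildOopMap.cpp) or the bug id JDK-8057758 would make the constraint searchable for the next person who touches this line. The `klass` local introduced in the first hunk is only consumed in the later hunk by `TypeOopPtr::make_from_klass(klass)`, so a more specific name would make the link between the two hunks easier to follow. The patch as shown touches only library_call.cpp; a regression test run with -Xcomp -XX:TypeProfileLevel=222 is not part of it.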

Roland, how is it different from LibraryCallKit::string_indexOf() where we also use Type::OffsetBot for array type? Should we fix it too?

Where is vm/compiler/AESIntrinsics/CheckIntrinsics?

Roland, it is a reasonable fix.

ILW=Crash, reproducible, -XX:-UseBMI2Instructions =HML=P2

The flag that turns on the intrinsic is called UseBMI2Instructions (not UseMultiplyToLenIntrinsic).

Crash goes away when run with -XX:-UseMultiplyToLenIntrinsic
After intrinsification of MultiplyToLen, type speculation registers the fact that profiling reported non-null objects being returned. It adds a CheckCastPP node for that. The MultiplyToLen sets its return type to TypeAryPtr::INTS. The CheckCastPP that is created by type speculation casts the non-speculative type to TypeAryPtr::INTS which has an offset of Type::OffsetBot. Even after the speculative part of the CheckCastPP is removed, the CheckCastPP is not optimized out and the buildOopMap code wrongly assumes the result of the CheckCastPP to be a derived pointer. The crash goes away with this: diff --git a/src/share/vm/opto/library_call.cpp b/src/share/vm/opto/library_call.cpp --- a/src/share/vm/opto/library_call.cpp +++ b/src/share/vm/opto/library_call.cpp @@ -5079,7 +5079,7 @@ sync_kit(ideal); z = __ value(z_alloc); - _gvn.set_type(z, TypeAryPtr::INTS); + _gvn.set_type(z, TypeAryPtr::make(TypePtr::BotPTR, TypeAry::make(TypeInt::INT, TypeInt::POS), ciTypeArrayKlass::make(T_INT), true, 0)); // Final sync IdealKit and GraphKit. final_sync(ideal); #undef __
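Review bot: in the `@@ -5079,7 +5079,7 @@` hunk, the replacement `_gvn.set_type(z, TypeAryPtr::make(...))` line ends in bare `true, 0` arguments and carries no comment saying that the explicit 0 offset is the point of the change. A one-line comment above it stating that TypeAryPtr::INTS carries Type::OffsetBot and must not be used as the type of `z` would keep someone from simplifying it back to the shorter constant. Building the type in a named local before the `set_type` call would also break up the very long line.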