JDK-8058847 : C2: EliminateAutoBox regression after 8042786
  • Type: Bug
  • Component: hotspot
  • Sub-Component: compiler
  • Affected Version: 8u40,9
  • Priority: P2
  • Status: Closed
  • Resolution: Fixed
  • CPU: x86_64
  • Submitted: 2014-09-20
  • Updated: 2017-08-24
  • Resolved: 2014-10-24
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 8 JDK 9
8u40Fixed 9 b40Fixed
Related Reports
Relates :  
Relates :  
Relates :  
Description
Originally reported at http://stackoverflow.com/questions/25942010/how-is-arrayoutofboundsexception-possible-in-string-valueofint

The following test case crashes JVM when it should normally runs forever.

public class EliminateAutoBoxCrash {
    private static final int[] values = new int[256];

    public static void main(String[] args) { 
        byte[] bytes = new byte[] {-1};
        while (true) {
            for (Byte b : bytes) { 
                values[b & 0xff]++;
            }
        }
    } 
}

Note autoboxing: Byte b.
Workaround: -XX:-EliminateAutoBox

Initial investigation shows that the bug has been introduced with the fix for JDK-8042786.
Comments
Transformations: AndI (LoadB (... LoadB) 255) =(1)=> LoadUB (... LoadB) =(2)=> AndI (LoadB 255) =(1) => LoadUB Instruction sequence is correct with the fix: movslq %r11d,%r8 movzbl 0x10(%rbx,%r8,1),%r8d ;*iand incl 0x10(%r10,%r8,4) ;*iastore
23-10-2014

Suggested fix: diff --git a/src/share/vm/opto/memnode.cpp b/src/share/vm/opto/memnode.cpp --- a/src/share/vm/opto/memnode.cpp +++ b/src/share/vm/opto/memnode.cpp @@ -1257,6 +1257,11 @@ result = new ConvI2LNode(phase->transform(result)); } #endif + if (this->Opcode() == Op_LoadUB) { + result = new AndINode(phase->transform(result), phase->intcon(0xFF)); + } else (this->Opcode() == Op_LoadUS) { + result = new AndINode(phase->transform(result), phase->intcon(0xFFFF)); + } return result; } }
23-10-2014

The crash occurs in the following code: movsbl 0x10(%r14,%r9,1),%r9d incl 0x10(%r11,%r9,4) R9 = 0xffffffff, but it should be 0xff. The problem is sign extending load instruction. Problematic IR transformation is attached. The problematic transform: AndI (LoadB (... LoadB) 255) =(1)=> LoadUB (... LoadB) =(2)=> LoadB (1): AndI::Ideal() (2): LoadNode::eliminate_autobox() The result should be LoadUB instead. LoadNode::eliminate_autobox() doesn't care whether the node represents signed or unsigned load. That leads to the problem.
23-10-2014

ILW=Generating incorrect code, some scenarios, -XX:-EliminateAutoBox=HML=P2
22-09-2014