JDK-8077504 : Unsafe load can loose control dependency and cause crash
  • Type: Bug
  • Component: hotspot
  • Sub-Component: compiler
  • Affected Version: 9
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2015-04-10
  • Updated: 2015-09-29
  • Resolved: 2015-05-21
  • JDK 8: 8u60 (Fixed)
  • JDK 9: 9 b69 (Fixed)
Description
In this example:

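    // UNSAFE (an Unsafe instance) and val (a static field) are declared
    // elsewhere; their declarations are not shown in this report.
    static void test1(int[] a, boolean[] flags, boolean flag, long j) {
        for (int i = 0; i < 10; i++) {
            if (flags[i]) {          // varies per iteration
                if (flag) {          // loop invariant
                    long address = (j << 2) + UNSAFE.ARRAY_INT_BASE_OFFSET;
                    // The load's control is the true branch of if (flag).
                    int v = UNSAFE.getInt(a, address);
                    val = v;
                }
            }
        }
    }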

The load's control is set to the true branch of if (flag). Since if (flag) is loop invariant, it can be moved out of the loop. Because Node::depends_only_on_test() returns true for loads, the load keeps the true branch of if (flag) as its control after that move, so it can execute independently of the test if (flags[i]) that guards it in the source.

ILW=H(crash) L(never seen) M(disable unsafe intrinsics)=P3
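
The effect described above, modelled at source level as an added example (not code from the bug report or from HotSpot). The unsafe load is replaced by a checked array read plus a counter, so a misplaced load shows up as an exception instead of a VM crash. The class and method names, the hoisted shape, and the inputs (all-false flags, out-of-range j) are assumptions constructed for illustration.

```java
public class ControlDependencyModel {
    static int val;
    static int loads; // how many times the modelled load executed

    // Stand-in for UNSAFE.getInt(a, address): a bounds-checked read, so a bad
    // index throws instead of touching arbitrary memory.
    static int load(int[] a, long j) {
        loads++;
        return a[(int) j];
    }

    // Source order: the load is guarded by flags[i] and by flag.
    static void asWritten(int[] a, boolean[] flags, boolean flag, long j) {
        for (int i = 0; i < 10; i++) {
            if (flags[i]) {
                if (flag) {
                    val = load(a, j);
                }
            }
        }
    }

    // Modelled outcome of the bug: if (flag) is hoisted out of the loop and
    // the load depends on that test only, so it no longer waits for flags[i].
    static void loadControlledByFlagOnly(int[] a, boolean[] flags, boolean flag, long j) {
        if (flag) {
            int v = load(a, j); // runs even when every flags[i] is false
            for (int i = 0; i < 10; i++) {
                if (flags[i]) {
                    val = v;
                }
            }
        }
    }

    public static void main(String[] args) {
        int[] a = new int[4];
        boolean[] flags = new boolean[10]; // constructed input: all false
        long j = 1_000_000L;               // constructed input: index outside a

        asWritten(a, flags, true, j);
        System.out.println("as written: loads = " + loads);
        try {
            loadControlledByFlagOnly(a, flags, true, j);
        } catch (ArrayIndexOutOfBoundsException e) {
            System.out.println("hoisted shape: loads = " + loads + ", fault: " + e.getMessage());
        }
    }
}
```

With a real unsafe access there is no bounds check to turn the stray load into an exception, which is why the report rates the impact as a crash.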