JDK-8077504 : Unsafe load can loose control dependency and cause crash
- Type: Bug
- Component: hotspot
- Sub-Component: compiler
- Affected Version: 9
- Priority: P3
- Status: Resolved
- Resolution: Fixed
- Submitted: 2015-04-10
- Updated: 2015-09-29
- Resolved: 2015-05-21
The Version table provides details related to the release that this issue/RFE will be addressed.
Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.
To download the current JDK release, click here.
Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.
To download the current JDK release, click here.
| JDK 8 | JDK 9 |
|---|---|
8u60Fixed  |
9 b69Fixed |
Description
In this example:
static void test1(int[] a, boolean[] flags, boolean flag, long j) {
for (int i = 0; i < 10; i++) {
if (flags[i]) {
if (flag) {
long address = (j << 2) + UNSAFE.ARRAY_INT_BASE_OFFSET;
int v = UNSAFE.getInt(a, address);
val = v;
}
}
}
}
the load's control is set to the true branch of if (flag). if (flag) is loop invariant and can be moved out of the loop. Because Node::depends_only_on_test() returns true for loads, the load keeps the true branch of if(flag) as a control and can execute independently of the test if (flags[i]).
ILW=H(crash) L(never seen) M(disable unsafe intrinsics)=P3