JDK-8134739 : compiler/loopopts/superword/TestVectorizationWithInvariant crashes in loop opts
  • Type: Bug
  • Component: hotspot
  • Sub-Component: compiler
  • Affected Version: 8,9
  • Priority: P2
  • Status: Closed
  • Resolution: Fixed
  • Submitted: 2015-08-31
  • Updated: 2019-11-11
  • Resolved: 2015-09-17
Version table:
  • JDK 9: 9 b89 (Fixed)
  • Other: openjdk8u242 (Fixed)
Description
#  EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x00000000717742ab, pid=99976, tid=0x000000000000c574
#
# JRE version: Java(TM) SE Runtime Environment (9.0) (build 1.9.0-internal-fastdebug-20150828132249.rwestrel.8134288-b00)
# Java VM: Java HotSpot(TM) 64-Bit Server VM (1.9.0-internal-20150828132249.rwestrel.8134288-b00, compiled mode, compressed oops, g1 gc, windows-amd64)
# Problematic frame:
# V  [jvm.dll+0x7642ab]  CountedLoopEndNode::loopnode+0xeb

V  [jvm.dll+0x7642ab]  CountedLoopEndNode::loopnode+0xeb;;  ?loopnode@CountedLoopEndNode@@QEBAPEAVCountedLoopNode@@XZ+0xeb
V  [jvm.dll+0x82b21a]  SuperWord::get_pre_loop_end+0x16a;;  ?get_pre_loop_end@SuperWord@@AEAAPEAVCountedLoopEndNode@@PEAVCountedLoopNode@@@Z+0x16a
V  [jvm.dll+0x83489e]  SuperWord::transform_loop+0x14e;;  ?transform_loop@SuperWord@@QEAAXPEAVIdealLoopTree@@_N@Z+0x14e
V  [jvm.dll+0x787549]  IdealLoopTree::policy_unroll_slp_analysis+0x69;;  ?policy_unroll_slp_analysis@IdealLoopTree@@QEAAXPEAVCountedLoopNode@@PEAVPhaseIdealLoop@@H@Z+0x69
V  [jvm.dll+0x78735a]  IdealLoopTree::policy_unroll+0x3fa;;  ?policy_unroll@IdealLoopTree@@QEAA_NPEAVPhaseIdealLoop@@@Z+0x3fa
V  [jvm.dll+0x783b3d]  IdealLoopTree::iteration_split_impl+0x1ed;;  ?iteration_split_impl@IdealLoopTree@@QEAA_NPEAVPhaseIdealLoop@@AEAVNode_List@@@Z+0x1ed
V  [jvm.dll+0x7838f8]  IdealLoopTree::iteration_split+0xb8;;  ?iteration_split@IdealLoopTree@@QEAA_NPEAVPhaseIdealLoop@@AEAVNode_List@@@Z+0xb8
V  [jvm.dll+0x78393c]  IdealLoopTree::iteration_split+0xfc;;  ?iteration_split@IdealLoopTree@@QEAA_NPEAVPhaseIdealLoop@@AEAVNode_List@@@Z+0xfc
V  [jvm.dll+0x78393c]  IdealLoopTree::iteration_split+0xfc;;  ?iteration_split@IdealLoopTree@@QEAA_NPEAVPhaseIdealLoop@@AEAVNode_List@@@Z+0xfc
V  [jvm.dll+0x78393c]  IdealLoopTree::iteration_split+0xfc;;  ?iteration_split@IdealLoopTree@@QEAA_NPEAVPhaseIdealLoop@@AEAVNode_List@@@Z+0xfc
V  [jvm.dll+0x78393c]  IdealLoopTree::iteration_split+0xfc;;  ?iteration_split@IdealLoopTree@@QEAA_NPEAVPhaseIdealLoop@@AEAVNode_List@@@Z+0xfc
V  [jvm.dll+0x78393c]  IdealLoopTree::iteration_split+0xfc;;  ?iteration_split@IdealLoopTree@@QEAA_NPEAVPhaseIdealLoop@@AEAVNode_List@@@Z+0xfc
V  [jvm.dll+0x78393c]  IdealLoopTree::iteration_split+0xfc;;  ?iteration_split@IdealLoopTree@@QEAA_NPEAVPhaseIdealLoop@@AEAVNode_List@@@Z+0xfc
V  [jvm.dll+0x78393c]  IdealLoopTree::iteration_split+0xfc;;  ?iteration_split@IdealLoopTree@@QEAA_NPEAVPhaseIdealLoop@@AEAVNode_List@@@Z+0xfc
V  [jvm.dll+0x78393c]  IdealLoopTree::iteration_split+0xfc;;  ?iteration_split@IdealLoopTree@@QEAA_NPEAVPhaseIdealLoop@@AEAVNode_List@@@Z+0xfc
V  [jvm.dll+0x78393c]  IdealLoopTree::iteration_split+0xfc;;  ?iteration_split@IdealLoopTree@@QEAA_NPEAVPhaseIdealLoop@@AEAVNode_List@@@Z+0xfc
V  [jvm.dll+0x78393c]  IdealLoopTree::iteration_split+0xfc;;  ?iteration_split@IdealLoopTree@@QEAA_NPEAVPhaseIdealLoop@@AEAVNode_List@@@Z+0xfc
V  [jvm.dll+0x783879]  IdealLoopTree::iteration_split+0x39;;  ?iteration_split@IdealLoopTree@@QEAA_NPEAVPhaseIdealLoop@@AEAVNode_List@@@Z+0x39
V  [jvm.dll+0x75a275]  PhaseIdealLoop::build_and_optimize+0xb55;;  ?build_and_optimize@PhaseIdealLoop@@AEAAX_N0@Z+0xb55
V  [jvm.dll+0x6d2ecc]  Compile::Optimize+0x98c;;  ?Optimize@Compile@@AEAAXXZ+0x98c
V  [jvm.dll+0x6d030c]  Compile::Compile+0xfec;;  ??0Compile@@QEAA@PEAVciEnv@@PEAVC2Compiler@@PEAVciMethod@@H_N33@Z+0xfec
V  [jvm.dll+0x6a4ac7]  C2Compiler::compile_method+0x107;;  ?compile_method@C2Compiler@@UEAAXPEAVciEnv@@PEAVciMethod@@H@Z+0x107
V  [jvm.dll+0x12c95d]  CompileBroker::invoke_compiler_on_method+0x54d;;  ?invoke_compiler_on_method@CompileBroker@@CAXPEAVCompileTask@@@Z+0x54d
V  [jvm.dll+0x12b025]  CompileBroker::compiler_thread_loop+0x385;;  ?compiler_thread_loop@CompileBroker@@SAXXZ+0x385
V  [jvm.dll+0x33f357]  JavaThread::thread_main_inner+0x177;;  ?thread_main_inner@JavaThread@@QEAAXXZ+0x177
V  [jvm.dll+0x33e286]  JavaThread::run+0x1d6;;  ?run@JavaThread@@UEAAXXZ+0x1d6
V  [jvm.dll+0x3dcf9e]  java_start+0xde;;  ?java_start@@YAIPEAVThread@@@Z+0xde
Comments
8u Fix Request
Backporting this patch fixes a crash in C2. Patch does not apply cleanly and requires adjustments.
RFR: https://mail.openjdk.java.net/pipermail/jdk8u-dev/2019-October/010428.html
25-10-2019

Fuzzer managed to hit this on 8u, which gives us a regression test (0021.tar.gz). Adapted the patch to 8u, and fuzzed tests start to pass. Here it is: http://cr.openjdk.java.net/~shade/8134739/webrev.8u.01/. Edit: Minimized 0021.tar.gz to JDK-8230238, backported it. During backports, realized the 8u version above includes JDK-8010500 fix, which does fix the 0021.tar.gz test. Which means it is not a proper regression test for this issue, and this issue should be considered separately.
08-10-2019

verified by nightly testing
26-07-2017

Roland asked (off-thread) why we still optimize the empty loop after replacing the PhiNode to collapse it. Here is a more detailed trace of events to clarify this.
We have the following loops:
    Loop: N2433/N2436 limit_check predicated counted [0,int),+8 (4 iters) pre
    Loop: N2484/N1546 counted [int,92),+16 (-2147483648 iters) main
    Loop: N2388/N2391 counted [int,100),+8 (4 iters) post
IdealLoopTree::iteration_split() first looks at the pre-loop and removes it because it's empty:
    IdealLoopTree::iteration_split
    IdealLoopTree::iteration_split_impl
    IdealLoopTree::policy_do_remove_empty_loop
    Empty with zero trip guard Loop: N2433/N2436 limit_check predicated counted [0,100),+8 (4 iters) pre
We do not continue optimizing the pre-loop but bail out when returning from IdealLoopTree::policy_do_remove_empty_loop() and continue with the main-loop:
    IdealLoopTree::iteration_split
    IdealLoopTree::iteration_split_impl
    IdealLoopTree::policy_unroll
    IdealLoopTree::policy_unroll_slp_analysis
    SuperWord::transform_loop(IdealLoopTree* lpt)
    SuperWord::get_pre_loop_end(CountedLoopNode* cl)
    // Check for pre-loop ending with CountedLoopEnd(Bool(Cmp(x,Opaque1(limit))))
The SuperWordLoopUnrollAnalysis now looks at the pre-loop again and fails because the PhiNode was replaced.
09-09-2015

The VM crashes during loop optimizations in CountedLoopEndNode::loopnode() because CountedLoopEndNode::phi() does not return a PhiNode but a SubINode. The problem is that the phi (2432 PhiNode) was replaced by the final value of the last loop iteration (2881 SubINode) to collapse the empty loop in IdealLoopTree::policy_do_remove_empty_loop(). See before [1] and after [2].
[1] https://bugs.openjdk.java.net/secure/attachment/52878/emptyLoop1.png
[2] https://bugs.openjdk.java.net/secure/attachment/52879/emptyLoop2.png
07-09-2015

I was able to reproduce the problem on Linux with replay compilation and the following replay file [1]:
    java -Xcomp -XX:+ReplayCompiles -XX:+ReplayIgnoreInitErrors -XX:ReplayDataFile=replay_pid99976.log -cp JTwork/classes/compiler/loopopts/superword/
[1] http://aurora-ds3.us.oracle.com:9502/runs/01101/1101329.JAVASE.NIGHTLY.VM.Comp_Baseline-NonTiered.2015-08-28/1101329.JAVASE.NIGHTLY.VM.Comp_Baseline-NonTiered.2015-08-28-166/results/workDir/compiler/loopopts/superword/TestVectorizationWithInvariant/replay_pid99976.log
03-09-2015

I was not (yet) able to reproduce this. The assembly code suggests that we fail in CountedLoopEndNode::loopnode() while executing
    Node *ln = phi()->in(0);
    if (ln->is_CountedLoop() && ...)
because ln is NULL. Not yet sure how this can happen.
    0000000000000000 44004c8b08 add [rbx+rcx*4+0x8], r9b
    0000000000000005 ba64010000 mov edx, 0x164
    000000000000000a e8f6bbc1ff call 0xffffffffffc1bc05
    000000000000000f e8a1ccc7ff call 0xffffffffffc7ccb5
    0000000000000014 488b4308 mov rax, [rbx+0x8]
    0000000000000018 488b18 mov rbx, [rax]
    000000000000001b b8ff010000 mov eax, 0x1ff
    We fail here ->
    0000000000000020 0fb74b2c movzx ecx, word [rbx+0x2c]
    0000000000000024 6623c8 and cx, ax
    0000000000000027 b860010000 mov eax, 0x160
    000000000000002c 663bc8 cmp cx, ax
    000000000000002f 751c jnz 0x4d
    0000000000000031 488bcb mov rcx, rbx
    0000000000000034 e81c9af5ff call 0xfffffffffff59a55
    0000000000000039 483b442440 cmp rax, [rsp+0x40]
    000000000000003e 750d jnz 0x4d
03-09-2015
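
The failure mode described in the 03-09-2015 and 07-09-2015 comments (the Phi is replaced by a SubI whose control input is NULL, and an unchecked lookup then dereferences it), modelled as an added C++ example. This is not HotSpot code and not the patch that resolved this issue; Node, LoopModel, iv_slot and both loopnode_* functions are hypothetical names, the SubI inputs are constructed, and the guard in loopnode_checked is an assumed defensive check.

```cpp
#include <vector>

// Toy stand-ins for C2 ideal-graph nodes (hypothetical model, not HotSpot source).
enum Opcode { OpCountedLoop, OpCountedLoopEnd, OpPhi, OpSubI, OpAddI, OpCmpI, OpBool, OpConI };
struct Node {
    Opcode op;
    std::vector<Node*> in;  // in[0] is the control input; pure data nodes leave it null
};

// Follow loop-end -> Bool -> Cmp -> increment -> induction-variable slot.
Node* iv_slot(const Node* loop_end) {
    return loop_end->in[1]->in[1]->in[1]->in[1];
}

// Unchecked lookup, shaped like the statement quoted in the comments: it
// assumes the slot holds a Phi whose control input is the loop head.
Node* loopnode_unchecked(const Node* loop_end) {
    Node* ln = iv_slot(loop_end)->in[0];
    return ln->op == OpCountedLoop ? ln : nullptr;  // faults when ln is null
}

// Checked lookup (assumed guard): verify node kind and control input first.
Node* loopnode_checked(const Node* loop_end) {
    Node* phi = iv_slot(loop_end);
    if (phi == nullptr || phi->op != OpPhi) return nullptr;
    Node* ln = phi->in[0];
    return (ln != nullptr && ln->op == OpCountedLoop) ? ln : nullptr;
}

// Constructed graph: a counted loop whose Phi can be swapped for the final
// value (a SubI), as happens when the empty loop is collapsed.
struct LoopModel {
    Node zero{OpConI, {nullptr}}, stride{OpConI, {nullptr}}, limit{OpConI, {nullptr}};
    Node head{OpCountedLoop, {nullptr}};
    Node phi{OpPhi, {&head, &zero, nullptr}};
    Node incr{OpAddI, {nullptr, &phi, &stride}};
    Node cmp{OpCmpI, {nullptr, &incr, &limit}};
    Node test{OpBool, {nullptr, &cmp}};
    Node end{OpCountedLoopEnd, {&head, &test}};
    Node final_value{OpSubI, {nullptr, &limit, &stride}};
    void collapse_empty_loop() { incr.in[1] = &final_value; }  // replaces the Phi
};

int main() {
    LoopModel m;
    bool before = loopnode_checked(&m.end) == &m.head;
    m.collapse_empty_loop();
    return (before && loopnode_checked(&m.end) == nullptr) ? 0 : 1;
}
```

Calling loopnode_unchecked after collapse_empty_loop() reads through the SubI's null control input, which corresponds to the access violation in the crash log.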