Bug ID: JDK-8154831 CastII/ConvI2L for a range check is prematurely eliminated

JDK-8154831 : CastII/ConvI2L for a range check is prematurely eliminated

Type: Bug
Component: hotspot
Sub-Component: compiler
Affected Version: 8u92,9

Priority: P2
Status: Resolved
Resolution: Fixed

Submitted: 2016-04-21
Updated: 2020-12-08
Resolved: 2016-05-20

Versions (Unresolved/Resolved/Fixed)

The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.

JDK 7	JDK 8	JDK 9	Other
7u241Fixed	8u112Fixed	9 b122Fixed	openjdk7uFixed

Related Reports

Duplicate :	JDK-8172708 - C2 crash in org.eclipse.jdt.internal.compiler.parser.TypeConverter::decodeType
Duplicate :	JDK-8189414 - C2 crash org.eclipse.jdt.internal.compiler.parser.TypeConverter::decodeType
Duplicate :	JDK-8169933 - JVM crash when running Eclipse
Duplicate :	JDK-8169194 - C2 crash in V [jvm.dll+0x4c0ddf]
Duplicate :	JDK-8169046 - Eclipse crsh in C2: org.eclipse.jdt.internal.compiler.parser.TypeConverter::decodeType
Duplicate :	JDK-8168833 - Eclipse Crash
Duplicate :	JDK-8166943 - Eclipse Mars 2 crashes frequently with jdk1.8.0_102
Duplicate :	JDK-8169047 - Eclipse crash in C2 org.eclipse.jdt.internal.compiler.parser.TypeConverter::decodeType
Duplicate :	JDK-8166818 - Eclipse crash in C2 org.eclipse.jdt.internal.compiler.parser.TypeConverter::decodeType
Duplicate :	JDK-8166192 - eclipse sometime exit suddenly without any notice
Duplicate :	JDK-8164713 - Eclipse crashes very often
Duplicate :	JDK-8162115 - new and unexpected crashes in eclipse
Duplicate :	JDK-8161643 - Segmentation fault / memory access violation
Duplicate :	JDK-8160227 - C2 compiler crash occurs in random Windows machines
Duplicate :	JDK-8159434 - C2 Compiler causes EXCEPTION_ACCESS_VIOLATION when running Eclipse Mars
Duplicate :	JDK-8130475 - C2 Crash in PhaseIdealLoop::build_loop_late_post(Node*)
Duplicate :	JDK-8129536 - SIGSEGV in PhaseIdealLoop::build_loop_late_post while debugging
Duplicate :	JDK-8210812 - C2 crash in org.eclipse.jdt.internal.compiler.parser.TypeConverter::decodeType
Duplicate :	JDK-8172233 - Eclipse Luna closing while loading Projects
Duplicate :	JDK-8167285 - Eclipse crash - org.eclipse.jdt.internal.compiler.parser.TypeConverter::decodeType
Duplicate :	JDK-8158740 - After installing JRE and JDK 8.0_92-b14 Eclipse repeatedly exits with an EXCEPTION_ACCESS_VIOLATION
Duplicate :	JDK-8155583 - jvm running Eclipse Mars.2 crashes after upgrade to patch 92
Duplicate :	JDK-8187604 - Eclipse crash
Duplicate :	JDK-8191008 - C2 crash in org.eclipse.jdt.internal.compiler.parser.TypeConverter::decodeType
Duplicate :	JDK-8192948 - Eclipse crash in C2 compiler
Duplicate :	JDK-8155200 - segmentation fault
Duplicate :	JDK-8156107 - Eclipse crashes on Java8u92
Duplicate :	JDK-8160243 - jvm crashes randomly with using debug in eclipse
Duplicate :	JDK-8164289 - Eclipse crash - org.eclipse.jdt.internal.compiler.parser.TypeConverter::decodeType
Duplicate :	JDK-8160224 - jvm crashes randomly with using eclipse
Duplicate :	JDK-8161555 - Eclipse crashes on Ctrl + shift + G.
Duplicate :	JDK-8171196 - Eclipse crashes frequently
Relates :	JDK-6675699 - need comprehensive fix for unconstrained ConvI2L with narrowed type
Relates :	JDK-8156110 - A fatal error has been detected by the Java Runtime Environment
Relates :	JDK-8177095 - Range check dependent CastII/ConvI2L is prematurely eliminated
Relates :	JDK-8189414 - C2 crash org.eclipse.jdt.internal.compiler.parser.TypeConverter::decodeType

Description

FULL PRODUCT VERSION :
java version "1.8.0_92"
Java(TM) SE Runtime Environment (build 1.8.0_92-b14)
Java HotSpot(TM) 64-Bit Server VM (build 25.92-b14, mixed mode)

FULL OS VERSION :
Microsoft Windows [Version 6.1.7601]

EXTRA RELEVANT SYSTEM CONFIGURATION :
Eclipse Java EE IDE for Web Developers.

Version: Mars.2 Release (4.5.2)
Build id: 20160218-0600

A DESCRIPTION OF THE PROBLEM :
Attempt to use "Quick Outline" (Ctrl + O) on a big source file crashes IDE. After the crash 2 files are produced: hs_err_pid5920.log and replay_pid5920.log.

Everything works fine with JDK8u77 and JDK8u91.

THE PROBLEM WAS REPRODUCIBLE WITH -Xint FLAG: No

THE PROBLEM WAS REPRODUCIBLE WITH -server FLAG: Yes

REGRESSION.  Last worked in version 8u91

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Start Eclipse IDE
2. Open big source file
3. Open "Quick Outline" and type some characters -> crash

EXPECTED VERSUS ACTUAL BEHAVIOR :
Expected: IDE works

Actual: IDE exists due to JVM crash
ERROR MESSAGES/STACK TRACES THAT OCCUR :
#
# A fatal error has been detected by the Java Runtime Environment:
#
#  EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x000000006f91c8df, pid=5920, tid=0x0000000000001dd8
#
# JRE version: Java(TM) SE Runtime Environment (8.0_92-b14) (build 1.8.0_92-b14)
# Java VM: Java HotSpot(TM) 64-Bit Server VM (25.92-b14 mixed mode windows-amd64 compressed oops)
# Problematic frame:
# V  [jvm.dll+0x4bc8df]
#
# Failed to write core dump. Minidumps are not enabled by default on client versions of Windows
#
# If you would like to submit a bug report, please visit:
#   http://bugreport.java.com/bugreport/crash.jsp
#

---------------  T H R E A D  ---------------

Current thread (0x0000000058d09000):  JavaThread "C2 CompilerThread1" daemon [_thread_in_native, id=7640, stack(0x000000005a020000,0x000000005a120000)]

siginfo: ExceptionCode=0xc0000005, reading address 0x0000000000000008

...

Current CompileTask:
C2:  23368 19417       4       org.eclipse.jdt.internal.compiler.parser.TypeConverter::decodeType (1094 bytes)


REPRODUCIBILITY :
This bug can be reproduced always.

CUSTOMER SUBMITTED WORKAROUND :
Switch to older JDK version, e.g. JDK8u77.

Comments

CastII node prematurely goes away and causes a cascade of other eliminations which severely corrupts the graph (the actual crash happens due to a memory edge coming from a non-dominating region). CastII is replaced with TOP due to a type conflict (ranges don't intersect) between the actual type of the value being range checked and the type CastII tries to assign. It happens on effectively dead path (range check always fails) which C2 can't eliminate due to a missing transformation for CmpU: Bool [lt] (CmpU (ConI #-1) (�� #int)) => (ConI #0) The fix is to add the missing case in CmpUNode::sub(). It enables dead path elimination along with CastII.
19-05-2016
noreg-hard: wasn't able to write a regression test. Very peculiar IR shape is required to trigger the bug.
19-05-2016
Okay, maybe we forgot to backport something or it's just not triggered with 9 for another reason.
13-05-2016
FYI I was able to replay the compilation w/ 9 and it finishes successfully.
12-05-2016
I can't reproduce it with 9, but due to unrelated problem: compilation replay doesn't work because profiling data layout isn't compatible between 8u & 9. I'll try to adapt the replay log to 9.
12-05-2016
$ java -XX:+TraceLoopOpts -XX:+VerifyLoopOptimizations ... Counted Loop: N3115/N1572 limit_check predicated counted [1,6),+1 (-1 iters) Counted Loop: N3121/N1582 limit_check predicated counted [1,8),+1 (-1 iters) Counted Loop: N3127/N1954 limit_check predicated counted [0,int),+1 (-1 iters) Counted Loop: N3133/N1986 limit_check predicated counted [0,int),+1 (-1 iters) Counted Loop: N3139/N1998 limit_check predicated counted [0,2),+1 (-1 iters) Counted Loop: N3145/N1720 limit_check predicated counted [0,2),+1 (-1 iters) Counted Loop: N3151/N2028 limit_check predicated counted [0,int),+1 (-1 iters) Counted Loop: N3157/N1900 limit_check predicated counted [0,int),+1 (-1 iters) sfpts={ 2605 } Counted Loop: N3163/N1904 limit_check predicated counted [0,int),+1 (-1 iters) Loop: N0/N0 has_call has_sfpt Loop: N3098/N1546 limit_check predicated has_call sfpts={ 2428 1777 } Loop: N3099/N2146 limit_check predicated has_call sfpts={ 1891 } Loop: N3100/N2096 limit_check predicated sfpts={ 2541 } Loop: N3115/N1572 limit_check predicated counted [1,6),+1 (-1 iters) has_sfpt Loop: N3121/N1582 limit_check predicated counted [1,8),+1 (-1 iters) has_sfpt Loop: N3127/N1954 limit_check predicated counted [0,int),+1 (-1 iters) has_sfpt Loop: N3133/N1986 limit_check predicated counted [0,int),+1 (-1 iters) has_sfpt Loop: N3139/N1998 limit_check predicated counted [0,2),+1 (-1 iters) has_sfpt Loop: N3145/N1720 limit_check predicated counted [0,2),+1 (-1 iters) has_sfpt Loop: N3151/N2028 limit_check predicated counted [0,int),+1 (-1 iters) has_sfpt Loop: N3157/N1900 limit_check predicated counted [0,int),+1 (-1 iters) has_sfpt sfpts={ 2605 } Loop: N3163/N1904 limit_check predicated counted [0,int),+1 (-1 iters) has_sfpt Loop: N0/N0 has_call has_sfpt Loop: N3098/N1546 limit_check predicated has_call sfpts={ 2428 } Loop: N3099/N2146 limit_check predicated has_call sfpts={ 1891 } Loop: N3100/N2096 limit_check predicated sfpts={ 2541 } Loop: N3115/N1572 limit_check predicated counted [1,6),+1 (-1 iters) has_sfpt Loop: N3121/N1582 limit_check predicated counted [1,8),+1 (-1 iters) has_sfpt Loop: N3127/N1954 limit_check predicated counted [0,int),+1 (-1 iters) has_sfpt Loop: N3133/N1986 limit_check predicated counted [0,int),+1 (-1 iters) has_sfpt Loop: N3139/N1998 limit_check predicated counted [0,2),+1 (-1 iters) has_sfpt Loop: N3145/N1720 limit_check predicated counted [0,2),+1 (-1 iters) has_sfpt Loop: N3151/N2028 limit_check predicated counted [0,int),+1 (-1 iters) has_sfpt Loop: N3157/N1900 limit_check predicated counted [0,int),+1 (-1 iters) has_sfpt Loop: N3163/N1904 limit_check predicated counted [0,int),+1 (-1 iters) has_sfpt Mismatched control setting for: 2793 AddP === _ 955 955 1542 [[ 2628 ]] !jvms: Arrays::copyOf @ bci:6 ArrayList::grow @ bci:38 ArrayList::ensureExplicitCapacity @ bci:22 ArrayList::ensureCapacityInternal @ bci:19 ArrayList::add @ bci:7 TypeConverter::decodeTypeArguments @ bci:36 TypeConverter::decodeType @ bci:526 We have it as: 1508 IfTrue === 1506 [[ 1507 ]] #1 !jvms: Statement::<init> @ bci:1 Expression::<init> @ bci:1 TypeReference::<init> @ bci:1 SingleTypeReference::<init> @ bci:1 Wildcard::<init> @ bci:5 TypeConverter::decodeType @ bci:327 Verify thinks: 1476 IfTrue === 1474 [[ 1475 906 955 ]] #1 !jvms: ASTNode::<init> @ bci:1 Statement::<init> @ bci:1 Expression::<init> @ bci:1 TypeReference::<init> @ bci:1 SingleTypeReference::<init> @ bci:1 Wildcard::<init> @ bci:5 TypeConverter::decodeType @ bci:327 Mismatched control setting for: 2628 LoadRange === _ 467 2793 [[ 2406 ]] @bottom[int:>=0]+12 * [narrow], idx=5; #int:>=0 !jvms: ArrayList::grow @ bci:4 ArrayList::ensureExplicitCapacity @ bci:22 ArrayList::ensureCapacityInternal @ bci:19 ArrayList::add @ bci:7 TypeConverter::decodeTypeArguments @ bci:36 TypeConverter::decodeType @ bci:526 We have it as: 1508 IfTrue === 1506 [[ 1507 ]] #1 !jvms: Statement::<init> @ bci:1 Expression::<init> @ bci:1 TypeReference::<init> @ bci:1 SingleTypeReference::<init> @ bci:1 Wildcard::<init> @ bci:5 TypeConverter::decodeType @ bci:327 Verify thinks: 1476 IfTrue === 1474 [[ 1475 906 955 ]] #1 !jvms: ASTNode::<init> @ bci:1 Statement::<init> @ bci:1 Expression::<init> @ bci:1 TypeReference::<init> @ bci:1 SingleTypeReference::<init> @ bci:1 Wildcard::<init> @ bci:5 TypeConverter::decodeType @ bci:327 Mismatched control setting for: 3263 LoadN === _ 682 2383 [[ 3261 ]] @java/util/ArrayList+20 * [narrow], name=elementData, idx=23; #narrowoop: narrowoop: java/lang/Object [int:>=0] !orig=[2014] !jvms: ArrayList::toArray @ bci:39 TypeConverter::decodeTypeArguments @ bci:94 TypeConverter::decodeType @ bci:526 We have it as: 1720 IfTrue === 3144 [[ 3145 ]] #1 !jvms: ArrayList::<init> @ bci:-1 TypeConverter::decodeType @ bci:461 Verify thinks: 1215 Region === 1215 1722 1723 [[ 1215 3144 1198 635 1224 665 674 678 682 688 1516 ]] !orig=2213 !jvms: Object::<init> @ bci:0 ASTNode::<init> @ bci:1 Statement::<init> @ bci:1 Expression::<init> @ bci:1 TypeReference::<init> @ bci:1 SingleTypeReference::<init> @ bci:1 Wildcard::<init> @ bci:5 TypeConverter::decodeType @ bci:369 Mismatched control setting for: 3260 LoadI === _ 678 1472 [[ 3258 ]] @java/util/ArrayList+16 *, name=size, idx=22; #int !orig=[971] !jvms: ArrayList::toArray @ bci:39 TypeConverter::decodeTypeArguments @ bci:94 TypeConverter::decodeType @ bci:526 We have it as: 1720 IfTrue === 3144 [[ 3145 ]] #1 !jvms: ArrayList::<init> @ bci:-1 TypeConverter::decodeType @ bci:461 Verify thinks: 1215 Region === 1215 1722 1723 [[ 1215 3144 1198 635 1224 665 674 678 682 688 1516 ]] !orig=2213 !jvms: Object::<init> @ bci:0 ASTNode::<init> @ bci:1 Statement::<init> @ bci:1 Expression::<init> @ bci:1 TypeReference::<init> @ bci:1 SingleTypeReference::<init> @ bci:1 Wildcard::<init> @ bci:5 TypeConverter::decodeType @ bci:369 # Internal Error (/scratch/vlivanov/ECLIPSE/jdk8u-dev/hotspot/src/share/vm/opto/loopnode.cpp:2476), pid=64195, tid=0x00007fffce3e3700 # assert(fail == 0) failed: verify loops failed PhaseIdealLoop::verify (this=0x7fffce3df410) at .../loopnode.cpp:2476 PhaseIdealLoop::split_if_with_blocks_post (this=0x7fffce3df410, n=0x7ffeb83bd498) at .../loopopts.cpp:933 PhaseIdealLoop::split_if_with_blocks (this=0x7fffce3df410, visited=..., nstack=...) at .../loopopts.cpp:1078 PhaseIdealLoop::build_and_optimize (this=0x7fffce3df410, do_split_ifs=true, skip_loop_opts=false) at .../loopnode.cpp:2368 PhaseIdealLoop::PhaseIdealLoop (this=0x7fffce3df410, igvn=..., do_split_ifs=true, skip_loop_opts=false) at .../loopnode.hpp:790
11-05-2016
Fastdebug build asserts with the following error: # Internal Error (P:\projects\oss\jdk8u-dev\hotspot\src\share\vm\opto\loopnode.cpp:3563), pid=18872, tid=0x00000000000049a0 # assert(false) failed: Bad graph detected in build_loop_late
29-04-2016
Issue has been reproduced internally
27-04-2016
ILW = HLH = P2
27-04-2016
It appears submitter is able to reproduce the bug. Re-opening it to get additional information.
26-04-2016
Verified with Eclipse IDE no crash observed. Hence closing as not an issue
21-04-2016