JDK-8181921 : C2 crash in CountedLoopEndNode::loopnode() const+0x6f
  • Type: Bug
  • Component: hotspot
  • Sub-Component: compiler
  • Affected Version: 8u92
  • Priority: P2
  • Status: Resolved
  • Resolution: Duplicate
  • OS: generic
  • CPU: generic
  • Submitted: 2017-06-12
  • Updated: 2017-08-29
  • Resolved: 2017-08-29
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 9
9 b110Resolved
Related Reports
Duplicate :  
Description
FULL PRODUCT VERSION :
java version "1.8.0_131"
Java(TM) SE Runtime Environment (build 1.8.0_131-b11)
Java HotSpot(TM) 64-Bit Server VM (build 25.131-b11, mixed mode)

FULL OS VERSION :
Windows 8.1 (x64)

A DESCRIPTION OF THE PROBLEM :
When running my program, the HotSpot Java virtual machine crashes, prints error messages, and halts. However, this is pure Java code with nothing tricky, just multidimensional array indexing.

The program does not access any out-of-bounds indexes, so it should not crash at all. Even if any indexes are potentially out of bounds, the JVM should throw ArrayIndexOutOfBoundsException, not crash at the native level.

Also tested to crash:
- Java SE 8 Update 121 x64 on Windows 8.1
- Java SE 8 Update 131 x64 on Windows 8.1
- Java SE 8 Update 131 x64 on Windows 7

Also tested to not crash:
- Java SE 8 Update 92 x64 on Windows 7
- Java SE 8 Update 131 x64 on Windows 8.1 with "-Xint" option

It seems a regression happened between Update 92 and Update 121.

My uninformed guess is that I suspect that the JIT compiler is mishandling this piece of code:
    if (0 <= yy && yy < pixels.length && 0 <= xx && xx < pixels[yy].length)
        value = pixels[yy][xx];

Also, it seems that the variables xreal and yreal are necessary for the crash. Tweaking some numerical constants (e.g. x < 80, y - 15) will also affect whether the JVM crashes or not. The numbers have already been reduced in magnitude compared to the first discovered crashing case.

THE PROBLEM WAS REPRODUCIBLE WITH -Xint FLAG: No

THE PROBLEM WAS REPRODUCIBLE WITH -server FLAG: Yes

REGRESSION.  Last worked in version 8u121

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Simply compile and run the code:
- javac Buggy.java
- java Buggy

EXPECTED VERSUS ACTUAL BEHAVIOR :
Expected behavior: All array accesses are in bounds, the program prints "-37.032725118435685", and exits cleanly.
ERROR MESSAGES/STACK TRACES THAT OCCUR :
#
# A fatal error has been detected by the Java Runtime Environment:
#
#  EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x00000000719bdc7b, pid=3968, tid=0x0000000000000c34
#
# JRE version: Java(TM) SE Runtime Environment (8.0_131-b11) (build 1.8.0_131-b11)
# Java VM: Java HotSpot(TM) 64-Bit Server VM (25.131-b11 mixed mode windows-amd64 compressed oops)
# Problematic frame:
# V  [jvm.dll+0x4bdc7b]
#
# Failed to write core dump. Minidumps are not enabled by default on client versions of Windows
#
# If you would like to submit a bug report, please visit:
#   http://bugreport.java.com/bugreport/crash.jsp
#

---------------  T H R E A D  ---------------

Current thread (0x00000000257e0800):  JavaThread "C2 CompilerThread1" daemon [_thread_in_native, id=3124, stack(0x0000000026f20000,0x0000000027020000)]

siginfo: ExceptionCode=0xc0000005, reading address 0x000000000000002c

Registers:
RAX=0x000000002581c970, RBX=0x000000002581b0a0, RCX=0x00000000000001ff, RDX=0x000000002712b6f8
RSP=0x000000002701bcb0, RBP=0x000000002712c500, RSI=0x0000000000000000, RDI=0x0000000000000000
R8 =0x0000000000000002, R9 =0x0000000025835838, R10=0x00000000257cb5e0, R11=0x0000000000000004
R12=0x000000002712cd40, R13=0x000000002701c230, R14=0x00000000000001ff, R15=0x0000000000000002
RIP=0x00000000719bdc7b, EFLAGS=0x0000000000010246

Top of Stack: (sp=0x000000002701bcb0)
0x000000002701bcb0:   0000000025834c30 0000000000000000
0x000000002701bcc0:   00000000271794c0 0000000000000080
0x000000002701bcd0:   000000002701bdf8 00000000719be05a
0x000000002701bce0:   000000002581b0a0 000000002712c500
0x000000002701bcf0:   000000002701c230 00000000719f4d5a
0x000000002701bd00:   0000000000000002 00000000258346e0
0x000000002701bd10:   000000002701be48 000000002701bdd8
0x000000002701bd20:   00000000258347c8 00000000719c3248
0x000000002701bd30:   000000002701c230 00000000258346e0
0x000000002701bd40:   000000002701c250 000000002701bdf8
0x000000002701bd50:   0000000027174000 00000000257a7220
0x000000002701bd60:   0000000000000003 0000000000000002
0x000000002701bd70:   00000000257e49f0 000000002716a000
0x000000002701bd80:   00000000257a7220 000000002701c230
0x000000002701bd90:   000000002701bea0 00000000719c51fb
0x000000002701bda0:   000000002701c230 000000002701bdf8 

Instructions: (pc=0x00000000719bdc7b)
0x00000000719bdc5b:   10 83 78 18 03 75 0a 48 8b 40 08 48 8b 40 08 eb
0x00000000719bdc6b:   03 48 8b c7 48 8b 40 08 b9 ff 01 00 00 48 8b 30
0x00000000719bdc7b:   0f b7 46 2c 66 23 c1 b9 60 01 00 00 66 3b c1 75
0x00000000719bdc8b:   48 48 8b 46 08 48 8b 40 10 48 85 c0 74 23 48 8b 


Register to memory mapping:

RAX=0x000000002581c970 is an unknown value
RBX=0x000000002581b0a0 is an unknown value
RCX=0x00000000000001ff is an unknown value
RDX=0x000000002712b6f8 is an unknown value
RSP=0x000000002701bcb0 is pointing into the stack for thread: 0x00000000257e0800
RBP=0x000000002712c500 is an unknown value
RSI=0x0000000000000000 is an unknown value
RDI=0x0000000000000000 is an unknown value
R8 =0x0000000000000002 is an unknown value
R9 =0x0000000025835838 is an unknown value
R10=0x00000000257cb5e0 is an unknown value
R11=0x0000000000000004 is an unknown value
R12=0x000000002712cd40 is an unknown value
R13=0x000000002701c230 is pointing into the stack for thread: 0x00000000257e0800
R14=0x00000000000001ff is an unknown value
R15=0x0000000000000002 is an unknown value


Stack: [0x0000000026f20000,0x0000000027020000],  sp=0x000000002701bcb0,  free space=1007k
Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
V  [jvm.dll+0x4bdc7b]
V  [jvm.dll+0x4be05a]
V  [jvm.dll+0x4c3248]
V  [jvm.dll+0x4c51fb]
V  [jvm.dll+0x4760a0]
V  [jvm.dll+0x476ed3]
V  [jvm.dll+0x4599f2]
V  [jvm.dll+0xa5de2]
V  [jvm.dll+0xa671f]
V  [jvm.dll+0x24537f]
V  [jvm.dll+0x29cc1a]
C  [msvcr100.dll+0x21d9f]
C  [msvcr100.dll+0x21e3b]
C  [KERNEL32.DLL+0x13d2]
C  [ntdll.dll+0x154e4]


Current CompileTask:
C2:     69   28       4       Buggy::blendPixels (149 bytes)


---------------  P R O C E S S  ---------------

Java Threads: ( => current thread )
  0x000000002583e000 JavaThread "Service Thread" daemon [_thread_blocked, id=2712, stack(0x0000000027520000,0x0000000027620000)]
  0x00000000257e4000 JavaThread "C1 CompilerThread2" daemon [_thread_blocked, id=1752, stack(0x0000000027020000,0x0000000027120000)]
=>0x00000000257e0800 JavaThread "C2 CompilerThread1" daemon [_thread_in_native, id=3124, stack(0x0000000026f20000,0x0000000027020000)]
  0x00000000257dd000 JavaThread "C2 CompilerThread0" daemon [_thread_blocked, id=3632, stack(0x0000000026e20000,0x0000000026f20000)]
  0x00000000257db800 JavaThread "Attach Listener" daemon [_thread_blocked, id=188, stack(0x0000000026d20000,0x0000000026e20000)]
  0x00000000257e7000 JavaThread "Signal Dispatcher" daemon [_thread_blocked, id=784, stack(0x0000000026c20000,0x0000000026d20000)]
  0x00000000257ca800 JavaThread "Finalizer" daemon [_thread_blocked, id=364, stack(0x0000000026a40000,0x0000000026b40000)]
  0x0000000002c5f000 JavaThread "Reference Handler" daemon [_thread_blocked, id=1948, stack(0x0000000026940000,0x0000000026a40000)]
  0x0000000002b70800 JavaThread "main" [_thread_in_Java, id=1692, stack(0x00000000029d0000,0x0000000002ad0000)]

Other Threads:
  0x00000000257a7800 VMThread [stack: 0x0000000026840000,0x0000000026940000] [id=244]
  0x0000000027184800 WatcherThread [stack: 0x0000000027620000,0x0000000027720000] [id=3464]

VM state:not at safepoint (normal execution)

VM Mutex/Monitor currently owned by a thread: None

Heap:
 PSYoungGen      total 152576K, used 5242K [0x0000000716100000, 0x0000000720b00000, 0x00000007c0000000)
  eden space 131072K, 4% used [0x0000000716100000,0x000000071661eba8,0x000000071e100000)
  from space 21504K, 0% used [0x000000071f600000,0x000000071f600000,0x0000000720b00000)
  to   space 21504K, 0% used [0x000000071e100000,0x000000071e100000,0x000000071f600000)
 ParOldGen       total 348160K, used 0K [0x00000005c2200000, 0x00000005d7600000, 0x0000000716100000)
  object space 348160K, 0% used [0x00000005c2200000,0x00000005c2200000,0x00000005d7600000)
 Metaspace       used 2599K, capacity 4486K, committed 4864K, reserved 1056768K
  class space    used 284K, capacity 386K, committed 512K, reserved 1048576K

Card table byte_map: [0x0000000012030000,0x0000000013020000] byte_map_base: 0x000000000f21f000

Marking Bits: (ParMarkBitMap*) 0x0000000071d1c720
 Begin Bits: [0x0000000013ec0000, 0x000000001be38000)
 End Bits:   [0x000000001be38000, 0x0000000023db0000)

Polling page: 0x00000000029a0000

CodeCache: size=245760Kb used=1113Kb max_used=1117Kb free=244646Kb
 bounds [0x0000000002c70000, 0x0000000002ee0000, 0x0000000011c70000]
 total_blobs=258 nmethods=27 adapters=145
 compilation: enabled

Compilation events (10 events):
Event: 0.047 Thread 0x00000000257e4000 nmethod 23 0x0000000002d84590 code [0x0000000002d84700, 0x0000000002d84908]
Event: 0.048 Thread 0x00000000257e4000   24       3       java.lang.StringBuilder::append (8 bytes)
Event: 0.048 Thread 0x00000000257e4000 nmethod 24 0x0000000002d83c10 code [0x0000000002d83d80, 0x0000000002d83f08]
Event: 0.049 Thread 0x00000000257e4000   25       3       Buggy::blendPixels (149 bytes)
Event: 0.049 Thread 0x00000000257e4000 nmethod 25 0x0000000002d82c10 code [0x0000000002d82de0, 0x0000000002d83910]
Event: 0.052 Thread 0x00000000257e0800   26       4       Buggy::blendPixels (149 bytes)
Event: 0.054 Thread 0x00000000257e0800 nmethod 26 0x0000000002d86b10 code [0x0000000002d86c80, 0x0000000002d872b8]
Event: 0.054 Thread 0x00000000257dd000   27 %     4       Buggy::blendPixels @ 58 (149 bytes)
Event: 0.057 Thread 0x00000000257dd000 nmethod 27% 0x0000000002d873d0 code [0x0000000002d87560, 0x0000000002d87a58]
Event: 0.057 Thread 0x00000000257e0800   28       4       Buggy::blendPixels (149 bytes)

GC Heap History (0 events):
No events

Deoptimization events (1 events):
Event: 0.054 Thread 0x0000000002b70800 Uncommon trap: reason=predicate action=maybe_recompile pc=0x0000000002d87238 method=Buggy.blendPixels(II)D @ 58

Internal exceptions (2 events):
Event: 0.022 Thread 0x0000000002b70800 Exception <a 'java/lang/NoSuchMethodError': Method sun.misc.Unsafe.defineClass(Ljava/lang/String;[BII)Ljava/lang/Class; name or signature does not match> (0x0000000716107ca8) thrown at [C:\re\workspace\8-2-build-windows-amd64-cygwin\jdk8u131\8869\hotspot\
Event: 0.022 Thread 0x0000000002b70800 Exception <a 'java/lang/NoSuchMethodError': Method sun.misc.Unsafe.prefetchRead(Ljava/lang/Object;J)V name or signature does not match> (0x0000000716107f90) thrown at [C:\re\workspace\8-2-build-windows-amd64-cygwin\jdk8u131\8869\hotspot\src\share\vm\prims

Events (10 events):
Event: 0.048 loading class java/security/BasicPermissionCollection done
Event: 0.048 loading class sun/launcher/LauncherHelper$FXHelper
Event: 0.048 loading class sun/launcher/LauncherHelper$FXHelper done
Event: 0.048 loading class java/lang/Class$MethodArray
Event: 0.048 loading class java/lang/Class$MethodArray done
Event: 0.049 loading class java/lang/Void
Event: 0.049 loading class java/lang/Void done
Event: 0.054 Thread 0x0000000002b70800 Uncommon trap: trap_request=0xffffff86 fr.pc=0x0000000002d87238
Event: 0.054 Thread 0x0000000002b70800 DEOPT PACKING pc=0x0000000002d87238 sp=0x0000000002acf5f0
Event: 0.054 Thread 0x0000000002b70800 DEOPT UNPACKING pc=0x0000000002cb582a sp=0x0000000002acf590 mode 2


Dynamic libraries:
0x00007ff6b33f0000 - 0x00007ff6b3427000 	C:\Program Files\Java\jdk1.8.0_131\bin\java.exe
0x00007ffbd5d80000 - 0x00007ffbd5f2d000 	C:\Windows\SYSTEM32\ntdll.dll
0x00007ffbd54b0000 - 0x00007ffbd55ee000 	C:\Windows\system32\KERNEL32.DLL
0x00007ffbd3230000 - 0x00007ffbd3345000 	C:\Windows\system32\KERNELBASE.dll
0x00007ffbd1a60000 - 0x00007ffbd1aee000 	C:\Windows\system32\apphelp.dll
0x00007ffbb9ff0000 - 0x00007ffbba043000 	C:\Windows\AppPatch\AppPatch64\AcGenral.DLL
0x00007ffbd3860000 - 0x00007ffbd390a000 	C:\Windows\system32\msvcrt.dll
0x00007ffbd3200000 - 0x00007ffbd322e000 	C:\Windows\system32\SspiCli.dll
0x00007ffbd5c50000 - 0x00007ffbd5ca4000 	C:\Windows\system32\SHLWAPI.dll
0x00007ffbd3550000 - 0x00007ffbd36c7000 	C:\Windows\system32\USER32.dll
0x00007ffbd5a50000 - 0x00007ffbd5be4000 	C:\Windows\system32\ole32.dll
0x00007ffbd3910000 - 0x00007ffbd4e38000 	C:\Windows\system32\SHELL32.dll
0x00007ffbd24c0000 - 0x00007ffbd24e1000 	C:\Windows\SYSTEM32\USERENV.dll
0x00007ffbd5090000 - 0x00007ffbd513a000 	C:\Windows\system32\ADVAPI32.dll
0x00007ffbc9630000 - 0x00007ffbc964e000 	C:\Windows\SYSTEM32\MPR.dll
0x00007ffbd57b0000 - 0x00007ffbd58f0000 	C:\Windows\system32\RPCRT4.dll
0x00007ffbd5440000 - 0x00007ffbd5499000 	C:\Windows\SYSTEM32\sechost.dll
0x00007ffbd5140000 - 0x00007ffbd5352000 	C:\Windows\SYSTEM32\combase.dll
0x00007ffbd36d0000 - 0x00007ffbd381f000 	C:\Windows\system32\GDI32.dll
0x00007ffbd2ea0000 - 0x00007ffbd2eb5000 	C:\Windows\SYSTEM32\profapi.dll
0x00007ffbd1510000 - 0x00007ffbd15c2000 	C:\Windows\SYSTEM32\SHCORE.dll
0x00007ffbd3820000 - 0x00007ffbd3856000 	C:\Windows\system32\IMM32.DLL
0x00007ffbd58f0000 - 0x00007ffbd5a42000 	C:\Windows\system32\MSCTF.dll
0x00007ffbd0e00000 - 0x00007ffbd107b000 	C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.18006_none_623f33d3ecbe86e8\COMCTL32.dll
0x0000000071260000 - 0x0000000071332000 	C:\Program Files\Java\jdk1.8.0_131\jre\bin\msvcr100.dll
0x0000000071500000 - 0x0000000071d9c000 	C:\Program Files\Java\jdk1.8.0_131\jre\bin\server\jvm.dll
0x00007ffbc0340000 - 0x00007ffbc0349000 	C:\Windows\SYSTEM32\WSOCK32.dll
0x00007ffbc8c60000 - 0x00007ffbc8c82000 	C:\Windows\SYSTEM32\WINMM.dll
0x00007ffbcdf70000 - 0x00007ffbcdf7a000 	C:\Windows\SYSTEM32\VERSION.dll
0x00007ffbd54a0000 - 0x00007ffbd54a7000 	C:\Windows\system32\PSAPI.DLL
0x00007ffbd5bf0000 - 0x00007ffbd5c4a000 	C:\Windows\system32\WS2_32.dll
0x00007ffbc8c30000 - 0x00007ffbc8c5a000 	C:\Windows\SYSTEM32\WINMMBASE.dll
0x00007ffbd3400000 - 0x00007ffbd3409000 	C:\Windows\system32\NSI.dll
0x00007ffbd33b0000 - 0x00007ffbd33ff000 	C:\Windows\SYSTEM32\cfgmgr32.dll
0x00007ffbd1cd0000 - 0x00007ffbd1cf8000 	C:\Windows\SYSTEM32\DEVOBJ.dll
0x0000000071410000 - 0x000000007141f000 	C:\Program Files\Java\jdk1.8.0_131\jre\bin\verify.dll
0x00000000713e0000 - 0x0000000071409000 	C:\Program Files\Java\jdk1.8.0_131\jre\bin\java.dll
0x00000000713c0000 - 0x00000000713d6000 	C:\Program Files\Java\jdk1.8.0_131\jre\bin\zip.dll
0x00007ffbc0620000 - 0x00007ffbc07a9000 	C:\Windows\SYSTEM32\dbghelp.dll

VM Arguments:
java_command: Buggy
java_class_path (initial): .
Launcher Type: SUN_STANDARD

Environment Variables:
CLASSPATH=.
PATH=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files (x86)\Common Files\Adobe\AGL;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Java\jdk1.8.0_131\bin;C:\Program Files\Python35;C:\Program Files (x86)\Portable\Utilities;C:\Windows\Microsoft.NET\Framework64\v4.0.30319
USERNAME=user
OS=Windows_NT
PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 60 Stepping 3, GenuineIntel



---------------  S Y S T E M  ---------------

OS: Windows 8.1 , 64 bit Build 9600 (6.3.9600.17415)

CPU:total 4 (initial active 4) (4 cores per cpu, 1 threads per core) family 6 model 60 stepping 3, cmov, cx8, fxsr, mmx, sse, sse2, sse3, ssse3, sse4.1, sse4.2, popcnt, avx, avx2, aes, clmul, erms, lzcnt, tsc, tscinvbit, bmi1, bmi2

Memory: 4k page, physical 33413128k(29389660k free), swap 33429512k(28245200k free)

vm_info: Java HotSpot(TM) 64-Bit Server VM (25.131-b11) for windows-amd64 JRE (1.8.0_131-b11), built on Mar 15 2017 01:23:53 by "java_re" with MS VC++ 10.0 (VS2010)

time: Mon Jun 12 00:47:05 2017
elapsed time: 0 seconds (0d 0h 0m 0s)

REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
public class Buggy {
    
    public static void main(String[] args) {
        double sum = 0;
        for (int y = 0; y < 80; y++) {
            for (int x = 0; x < 80; x++) {
                sum += blendPixels(x, y - 15);
            }
        }
        System.out.println(sum);
    }
    
    private static double[][] pixels = new double[30][30];
    private static int filterLength = 4;
    
    private static double blendPixels(int x, int y) {
        int xstart = x - filterLength / 2;
        int xend   = x + filterLength / 2;
        int ystart = y - filterLength / 2;
        int yend   = y + filterLength / 2;
        
        double sum = 0;
        for (int yy = ystart; yy <= yend; yy++) {
            double yreal = Math.sin(yy);
            
            for (int xx = xstart; xx <= xend; xx++) {
                double xreal = Math.sin(xx);
                
                //Uncommenting the print will make the program not crash
                //System.out.println(xx+" "+yy);
                double value;
                if (0 <= yy && yy < pixels.length && 0 <= xx && xx < pixels[yy].length)
                    value = pixels[yy][xx];
                else
                    value = 1;
                sum += value * xreal * yreal;
            }
        }
        return sum;
    }
}
---------- END SOURCE ----------

CUSTOMER SUBMITTED WORKAROUND :
- Use interpreted mode, at a great cost to image processing speed.
- Use the older version Java SE 8 Update 92, which runs this program without crashing.
- Maybe change logic to use 1-dimension arrays?


Comments
The crash is because of null pointer deference at line# 273 because 'ln' may be null. In case if 'ln' is null, first argument of method is_CountedLoop will be null i.e. this pointer is null. /src/share/vm/opto/loopnode.hpp: . . . 272 Node *ln = phi()->in(0); 273 if (ln->is_CountedLoop() && ln->as_CountedLoop()->loopexit() == this) { 274 return (CountedLoopNode*)ln; 275 } So while accessing the _class_id [this->_class_id] we will crash. bool is_CountedLoop() const { return ((_class_id & ClassMask_CountedLoop) == Class_CountedLoop); } I am not sure why ' phi()->in(0)' returns null but it is returning null as I got below output phi()->in(0) is null phi()->in(0) is null phi()->in(0) is null -37.032725118435685 after doing below change. diff -r 08a21c47c565 src/share/vm/opto/loopnode.hpp --- a/src/share/vm/opto/loopnode.hpp Fri Jun 02 15:25:47 2017 -0700 +++ b/src/share/vm/opto/loopnode.hpp Tue Jun 13 03:56:24 2017 -0700 @@ -270,9 +270,11 @@ return NULL; } Node *ln = phi()->in(0); - if (ln->is_CountedLoop() && ln->as_CountedLoop()->loopexit() == this) { + if (ln && ln->is_CountedLoop() && ln->as_CountedLoop()->loopexit() == this) { return (CountedLoopNode*)ln; } + if( ln == NULL) + printf("phi()->in(0) is null \n"); return NULL; }
13-06-2017

Hi, as I mentioned, I backed out JDK-8158431 (the backport of JDK-8063086) and the test still fails. (I've attached the backout changeset so it's documented what I did.) Also, the changes by JDK-8063086 affect the macro-assembler, therefore it's hard to see how they can be related to a crash in loop optimizations. It can happen that even builds < b32 contain the problem but the attached test does not reproduce it. It can also be the case that some non-HotSpot changes (e.g., changes in the class library) trigger this failure (e.g., because some class library changes now trigger a graph shape that did not appear before). Best regards, Zoltan
13-06-2017

Hi Shafi, as we've discussed, I assigned this issue to you. Best wishes, Zoltan
13-06-2017

in jdk9 it is not failing may be because the evaluation of Phi node is more strict in jdk9 code compare to jdk8 code. jdk9 code: ======= 307 PhiNode *phi() const { 308 Node *tmp = incr(); 309 if (tmp && tmp->req() == 3) { 310 Node* phi = tmp->in(1); 311 if (phi->is_Phi()) { 312 return phi->as_Phi(); 313 } 314 } 315 return NULL; 316 } jdk8 code: ======= Node *phi() const { Node *tmp = incr(); return (tmp && tmp->req()==3) ? tmp->in(1) : NULL; } See if-check of phi->is_Phi() in jdk9 code. I will check by removing this if-check in jdk9 code, just to confirm we are generating same IR with both jdk9 and jdk8.
13-06-2017

Here are the fixes that went in b32: https://bugs.openjdk.java.net/issues/?jql=fixversion%20%3D8u92%20and%20%22Resolved%20In%20Build%22%20%3D%20b32 seems like https://bugs.openjdk.java.net/browse/JDK-8158431 could have caused the regression
12-06-2017

The reason is not JDK-8063086. I backed out JDK-8063086 and the issue still reproduces.
12-06-2017

I was able to reproduce the crash with 1.8.0_122-fastdebug but not with 9.
12-06-2017

ILW=crash,single test so far,no workaround=HLH=P2
12-06-2017

C2 crash in CountedLoopEndNode::loopnode() == Stack: [0x00007f06229a8000,0x00007f0622aa9000], sp=0x00007f0622aa33b0, free space=1004k Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code) V [libjvm.so+0x8200ff] CountedLoopEndNode::loopnode() const+0x6f V [libjvm.so+0x81879b] PhaseIdealLoop::get_early_ctrl_for_expensive(Node*, Node*)+0x38b V [libjvm.so+0x8196ec] PhaseIdealLoop::build_loop_early(VectorSet&, Node_List&, Node_Stack&)+0x3fc V [libjvm.so+0x81f705] PhaseIdealLoop::build_and_optimize(bool, bool)+0x765 V [libjvm.so+0x4a4fc0] Compile::Optimize()+0xbe0 V [libjvm.so+0x4a7a49] Compile::Compile(ciEnv*, C2Compiler*, ciMethod*, int, bool, bool, bool)+0x13c9 V [libjvm.so+0x3f3c65] C2Compiler::compile_method(ciEnv*, ciMethod*, int)+0x1f5 V [libjvm.so+0x4b208a] CompileBroker::invoke_compiler_on_method(CompileTask*)+0xc9a V [libjvm.so+0x4b3036] CompileBroker::compiler_thread_loop()+0x5d6 V [libjvm.so+0xa79b03] JavaThread::thread_main_inner()+0x103 V [libjvm.so+0xa79c4c] JavaThread::run()+0x11c V [libjvm.so+0x929ce8] java_start(Thread*)+0x108 C [libpthread.so.0+0x7df5] start_thread+0xc5 Below are the results 9 ea b173 - Pass 8u92 fcs- Pass 8u92 b31 - Pass 8u92 b32 - Fail 8u101 - Fail 8u131 - Fail 8u152 - Fail
12-06-2017