JDK-8147876 : ciTypeFlow::is_dominated_by() writes outside dominated array
  • Type: Bug
  • Component: hotspot
  • Sub-Component: compiler
  • Affected Version: 9,9-repo-jigsaw
  • Priority: P2
  • Status: Closed
  • Resolution: Fixed
  • OS: linux,windows
  • Submitted: 2016-01-20
  • Updated: 2017-08-07
  • Resolved: 2016-01-26
Fixed in:
  • JDK 9: 9 b105 (Fixed)
Description
----------System.out:(28/1588)*----------
## nof_mallocs = 652975, nof_frees = 524884
## memory stomp:
GuardedMemory(0x000000187d68b280) base_addr=0x0000001887278400 tag=0x0000000000000000 user_size=43 user_data=0x0000001887278420
  Header guard @0x0000001887278400 is OK
  Trailer guard @0x000000188727844b is BROKEN
  User data appears to be in use
# To suppress the following error report, specify this argument
# after -XX: or in .hotspotrc:  SuppressErrorAt=\\os.cpp:517
#
# A fatal error has been detected by the Java Runtime Environment:
#
#  Internal Error (C:\\jprt\\T\\P1\\020259.christian\\s\\hotspot\\src\\share\\vm\\runtime\\os.cpp:517), pid=132060, tid=79812
#  fatal error: memory stomping error
#
# JRE version: Java(TM) SE Runtime Environment (9.0) (build 9-internal+0-2016-01-20-020259.christian.jake-nightly2)
# Java VM: Java HotSpot(TM) 64-Bit Server VM (9-internal+0-2016-01-20-020259.christian.jake-nightly2, mixed mode, tiered, compressed oops, g1 gc, windows-amd64)
# Core dump will be written. Default location: C:\\Users\\aurora\\sandbox\\results\\workDir\\runtime\\8007475\\StackMapFrameTest\\hs_err_pid132060.mdmp
#
# An error report file with more information is saved as:
# C:\\Users\\aurora\\sandbox\\results\\workDir\\runtime\\8007475\\StackMapFrameTest\\hs_err_pid132060.log
#
# Compiler replay data is saved as:
# C:\\Users\\aurora\\sandbox\\results\\workDir\\runtime\\8007475\\StackMapFrameTest\\replay_pid132060.log
#
# If you would like to submit a bug report, please visit:
#   http://bugreport.java.com/bugreport/crash.jsp
#
Timeout signalled after 1,920 seconds
----------System.err:(0/0)----------

Comments
Fix verified by manual testing.
07-08-2017

This bug is not related to jigsaw. I'm able to reproduce the issue with the latest hs-comp build. Fix is out for review. I set the due date accordingly.
25-01-2016

The number of ciBlocks is not equal to the Blocks used by ciTypeFlow:
  (gdb) print block_count()
  $57 = 44
  (gdb) print _methodBlocks->_num_blocks
  $58 = 43
There is a 1:n relation between ciBlocks and Blocks:
  (gdb) print _idx_to_blocklist[19]->_len
  $54 = 2
Therefore, ciTypeFlow::is_dominated_by() should use block_count() instead of _methodBlocks->num_blocks().
25-01-2016

is_dominated_by() writes outside the dominated array. The dominated array is allocated to be _methodBlocks->num_blocks() big, which in my case is 43, and then later on writes to dominated[43]. Code was introduced in JDK-8140574. Reproduces all the time in Jake, using the StackMapFrameTest:
  java -XX:+UseMallocOnly StackMapFrameTest
21-01-2016
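
The size mismatch described in the two comments above, as an added example that is not HotSpot source and not part of the original report: a flag array sized by the ciBlock count but indexed by type-flow Block number overruns by one entry, and a guard trailer (like the one reported BROKEN in the description) catches it. MethodModel, page_model, fill_dominated, StompReport and the guard constants are hypothetical names; the values 43, 44 and index 19 come from the gdb output quoted on this page.

```cpp
#include <cstdint>
#include <cstdio>
#include <numeric>
#include <vector>

// Simplified model, not HotSpot source: len[i] is the number of type-flow
// Blocks created for ciBlock i (the page's _idx_to_blocklist[i]->_len).
struct MethodModel {
    std::vector<int> len;
    int num_blocks() const { return static_cast<int>(len.size()); }
    int block_count() const { return std::accumulate(len.begin(), len.end(), 0); }
};

// Constructed input matching the gdb values: 43 ciBlocks, index 19 has two Blocks.
MethodModel page_model() {
    MethodModel m{std::vector<int>(43, 1)};
    m.len[19] = 2;
    return m;
}

const uint8_t kGuard = 0xAB;  // hypothetical guard byte
const int kGuardLen = 16;     // trailer size, also bounds the simulated overrun
struct StompReport {
    bool trailer_ok;      // false when a write landed past the array
    int first_bad_index;  // first out-of-range index, or -1
};

// Set one flag per flow Block in an array of array_len entries. The array is
// followed by a guard trailer inside the same buffer, so an overrun is
// observable without touching memory the program does not own.
StompReport fill_dominated(const MethodModel& m, int array_len) {
    std::vector<uint8_t> buf(array_len + kGuardLen, kGuard);
    StompReport r{true, -1};
    for (int id = 0; id < m.block_count() && id < array_len + kGuardLen; ++id) {
        if (id >= array_len && r.first_bad_index < 0) r.first_bad_index = id;
        buf[id] = 1;  // models dominated[id] = true
    }
    for (int i = array_len; i < array_len + kGuardLen; ++i)
        if (buf[i] != kGuard) r.trailer_ok = false;
    return r;
}

int main() {
    MethodModel m = page_model();
    StompReport bad = fill_dominated(m, m.num_blocks());    // sized as before the fix
    StompReport good = fill_dominated(m, m.block_count());  // sized as the comment proposes
    std::printf("before: trailer_ok=%d first_bad=%d\n", bad.trailer_ok, bad.first_bad_index);
    std::printf("after:  trailer_ok=%d first_bad=%d\n", good.trailer_ok, good.first_bad_index);
}
```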

Test also failed on Linux. See attached hs_err file.
21-01-2016

00 0000007b`3a04add8 00000000`5d3faded ntdll!NtGetContextThread+0xa
01 0000007b`3a04ade0 00000000`5d3e1ffa jvm!VMError::report_and_die+0x5d [c:\jprt\t\p1\020412.christian\s\hotspot\src\share\vm\utilities\vmerror.cpp @ 1076]
02 0000007b`3a04ae50 00000000`5d367052 jvm!report_fatal+0x7a [c:\jprt\t\p1\020412.christian\s\hotspot\src\share\vm\utilities\debug.cpp @ 229]
03 0000007b`3a04ae90 00000000`5d36398a jvm!verify_memory+0xf2 [c:\jprt\t\p1\020412.christian\s\hotspot\src\share\vm\runtime\os.cpp @ 517]
04 0000007b`3a04aed0 00000000`5d1c150d jvm!os::free+0x6a [c:\jprt\t\p1\020412.christian\s\hotspot\src\share\vm\runtime\os.cpp @ 681]
05 (Inline Function) --------`-------- jvm!Arena::free_all+0x15
06 0000007b`3a04af00 00000000`5d02f2c0 jvm!Arena::free_malloced_objects+0x27d [c:\jprt\t\p1\020412.christian\s\hotspot\src\share\vm\memory\allocation.cpp @ 786]
07 0000007b`3a04af70 00000000`5d0afc89 jvm!ResourceMark::reset_to_mark+0x20 [c:\jprt\t\p1\020412.christian\s\hotspot\src\share\vm\memory\resourcearea.hpp @ 139]
08 (Inline Function) --------`-------- jvm!ResourceMark::{dtor}+0x4d [c:\jprt\t\p1\020412.christian\s\hotspot\src\share\vm\memory\resourcearea.hpp @ 159]
09 0000007b`3a04afa0 00000000`5d7c757a jvm!ciTypeFlow::is_dominated_by+0x529 [c:\jprt\t\p1\020412.christian\s\hotspot\src\share\vm\ci\citypeflow.cpp @ 2973]
0a 0000007b`3a04b050 00000000`5d7c67c8 jvm!IfNode::has_only_uncommon_traps+0x21a [c:\jprt\t\p1\020412.christian\s\hotspot\src\share\vm\opto\ifnode.cpp @ 822]
0b 0000007b`3a04b0b0 00000000`5d7c4ec0 jvm!IfNode::fold_compares+0x1d8 [c:\jprt\t\p1\020412.christian\s\hotspot\src\share\vm\opto\ifnode.cpp @ 1275]
0c 0000007b`3a04b110 00000000`5d88b5e0 jvm!IfNode::Ideal+0x80 [c:\jprt\t\p1\020412.christian\s\hotspot\src\share\vm\opto\ifnode.cpp @ 1403]
0d 0000007b`3a04b150 00000000`5d8895da jvm!PhaseIterGVN::transform_old+0xd0 [c:\jprt\t\p1\020412.christian\s\hotspot\src\share\vm\opto\phasex.cpp @ 1190]
0e 0000007b`3a04b1a0 00000000`5d7727aa jvm!PhaseIterGVN::optimize+0x1aa [c:\jprt\t\p1\020412.christian\s\hotspot\src\share\vm\opto\phasex.cpp @ 1137]
0f 0000007b`3a04b1f0 00000000`5d77030d jvm!Compile::Optimize+0x21a [c:\jprt\t\p1\020412.christian\s\hotspot\src\share\vm\opto\compile.cpp @ 2124]
10 0000007b`3a04d7d0 00000000`5d746262 jvm!Compile::Compile+0xe0d [c:\jprt\t\p1\020412.christian\s\hotspot\src\share\vm\opto\compile.cpp @ 855]
11 0000007b`3a04e530 00000000`5d1541c7 jvm!C2Compiler::compile_method+0x112 [c:\jprt\t\p1\020412.christian\s\hotspot\src\share\vm\opto\c2compiler.cpp @ 109]
12 0000007b`3a04f190 00000000`5d152926 jvm!CompileBroker::invoke_compiler_on_method+0x787 [c:\jprt\t\p1\020412.christian\s\hotspot\src\share\vm\compiler\compilebroker.cpp @ 1804]
13 0000007b`3a04f540 00000000`5d3a0ca8 jvm!CompileBroker::compiler_thread_loop+0x336 [c:\jprt\t\p1\020412.christian\s\hotspot\src\share\vm\compiler\compilebroker.cpp @ 1552]
14 0000007b`3a04f650 00000000`5d39fbf5 jvm!JavaThread::thread_main_inner+0x1a8 [c:\jprt\t\p1\020412.christian\s\hotspot\src\share\vm\runtime\thread.cpp @ 1707]
15 0000007b`3a04f700 00000000`5d44d316 jvm!JavaThread::run+0x1f5 [c:\jprt\t\p1\020412.christian\s\hotspot\src\share\vm\runtime\thread.cpp @ 1689]
16 0000007b`3a04f770 00007ffc`7fde4f7f jvm!java_start+0xe6 [c:\jprt\t\p1\020412.christian\s\hotspot\src\os\windows\vm\os_windows.cpp @ 445]
17 0000007b`3a04f7b0 00007ffc`7fde5126 msvcr120!_callthreadstartex+0x17 [f:\dd\vctools\crt\crtw32\startup\threadex.c @ 376]
18 0000007b`3a04f7e0 00007ffc`8ec713d2 msvcr120!_threadstartex+0x102 [f:\dd\vctools\crt\crtw32\startup\threadex.c @ 354]
19 0000007b`3a04f810 00007ffc`8edc5454 kernel32!BaseThreadInitThunk+0x22
1a 0000007b`3a04f840 00000000`00000000 ntdll!RtlUserThreadStart+0x34
21-01-2016