JDK-8233656 : assert(d->is_CFG() && n->is_CFG()) failed: must have CFG nodes
  • Type: Bug
  • Component: hotspot
  • Sub-Component: compiler
  • Affected Version: 11,14
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2019-11-06
  • Updated: 2022-06-27
  • Resolved: 2019-11-13
Versions:
  • JDK 11: 11.0.7-oracle (Fixed)
  • JDK 13: 13.0.3 (Fixed)
  • JDK 14: 14 b23 (Fixed)
Description
Test crashed with 

#
# A fatal error has been detected by the Java Runtime Environment:
#
#  Internal Error (open/src/hotspot/share/opto/phaseX.cpp:897), pid=12368, tid=12379
#  assert(d->is_CFG() && n->is_CFG()) failed: must have CFG nodes
#
# JRE version: Java(TM) SE Runtime Environment (14.0+21) (fastdebug build 14-ea+21-927)
# Java VM: Java HotSpot(TM) 64-Bit Server VM (fastdebug 14-ea+21-927, compiled mode, sharing, compressed oops, g1 gc, linux-amd64)
# Problematic frame:
# V  [libjvm.so+0x14bf6e4]  PhaseGVN::is_dominator_helper(Node*, Node*, bool) [clone .part.143]+0x94
#
# Core dump will be written. Default location: Core dumps may be processed with "/usr/libexec/abrt-hook-ccpp %s %c %p %u %g %t e %P %I %h" (or dumping to /tmp/fuzzer.tmp.dKU4CHGepZ/core.12368)
#
# If you would like to submit a bug report, please visit:
#   https://bugreport.java.com/bugreport/crash.jsp
#

---------------  S U M M A R Y ------------

Command Line: -Xmx1G -Xcomp -Xbatch -XX:-TieredCompilation -XX:CompileOnly=Test Test

Host: Intel(R) Xeon(R) CPU E5-2690 0 @ 2.90GHz, 4 cores, 14G, Oracle Linux Server release 7.5
Time: Mon Nov  4 20:50:16 2019 UTC elapsed time: 0 seconds (0d 0h 0m 0s)

---------------  T H R E A D  ---------------

Current thread (0x00007fc224256800):  JavaThread "C2 CompilerThread0" daemon [_thread_in_native, id=12379, stack(0x00007fc214b47000,0x00007fc214c48000)]


Current CompileTask:
C2:    487   67   !b        Test::mainTest (821 bytes)

Stack: [0x00007fc214b47000,0x00007fc214c48000],  sp=0x00007fc214c433f0,  free space=1008k
Native frames: (J=compiled Java code, A=aot compiled Java code, j=interpreted, Vv=VM code, C=native code)
V  [libjvm.so+0x14bf6e4]  PhaseGVN::is_dominator_helper(Node*, Node*, bool) [clone .part.143]+0x94
V  [libjvm.so+0x85db1f]  ConstraintCastNode::dominating_cast(PhaseGVN*, PhaseTransform*) const+0x25f
V  [libjvm.so+0x85e19b]  ConstraintCastNode::Identity(PhaseGVN*)+0x1b
V  [libjvm.so+0x14cc9ef]  PhaseIterGVN::transform_old(Node*)+0x36f
V  [libjvm.so+0x14cd35d]  PhaseIterGVN::optimize()+0x5d
V  [libjvm.so+0x9d6af6]  Compile::Optimize()+0x566
V  [libjvm.so+0x9d8634]  Compile::Compile(ciEnv*, C2Compiler*, ciMethod*, int, bool, bool, bool, DirectiveSet*)+0x1094
V  [libjvm.so+0x81ed30]  C2Compiler::compile_method(ciEnv*, ciMethod*, int, DirectiveSet*)+0x110
V  [libjvm.so+0x9e4ebc]  CompileBroker::invoke_compiler_on_method(CompileTask*)+0x2cc
V  [libjvm.so+0x9e5e68]  CompileBroker::compiler_thread_loop()+0x468
V  [libjvm.so+0x170e3e6]  JavaThread::thread_main_inner()+0x226
V  [libjvm.so+0x1713af6]  Thread::call_run()+0xf6
V  [libjvm.so+0x1434b5e]  thread_native_entry(Thread*)+0x10e

Register to memory mapping:

RAX=0x00007fc22e1fe000 points into unknown readable memory: 58 00 00 00 00 00 00 00
RBX=0x00007fc1e813e788 points into unknown readable memory: a0 1f 4c 2d c2 7f 00 00
RCX=0x00007fc22d16bfbe: <offset 0x0000000001a77fbe> in /scratch/lmesnik/jenkins/workspace/JavaFuzzer/jdk-14/fastdebug/lib/server/libjvm.so at 0x00007fc22b6f4000
RDX=0x00007fc22d0b6198: <offset 0x00000000019c2198> in /scratch/lmesnik/jenkins/workspace/JavaFuzzer/jdk-14/fastdebug/lib/server/libjvm.so at 0x00007fc22b6f4000
RSP=0x00007fc214c433f0 is pointing into the stack for thread: 0x00007fc224256800
RBP=0x00007fc214c43410 is pointing into the stack for thread: 0x00007fc224256800
RSI=0x0000000000000381 is an unknown value
RDI=0x00007fc22d0df528: <offset 0x00000000019eb528> in /scratch/lmesnik/jenkins/workspace/JavaFuzzer/jdk-14/fastdebug/lib/server/libjvm.so at 0x00007fc22b6f4000
R8 =0x0000000000000001 is an unknown value
R9 =0x0000000000000001 is an unknown value
R10=0x00007fc22cbc1d80: <offset 0x00000000014cdd80> in /scratch/lmesnik/jenkins/workspace/JavaFuzzer/jdk-14/fastdebug/lib/server/libjvm.so at 0x00007fc22b6f4000
R11=0x0 is NULL
R12=0x00007fc214c43480 is pointing into the stack for thread: 0x00007fc224256800
R13=0x00007fc1e876a9c8 points into unknown readable memory: 60 85 4e 2d c2 7f 00 00
R14=0x0 is NULL
R15=0x00007fc1e876a710 points into unknown readable memory: 80 69 4b 2d c2 7f 00 00


Registers:
RAX=0x00007fc22e1fe000, RBX=0x00007fc1e813e788, RCX=0x00007fc22d16bfbe, RDX=0x00007fc22d0b6198
RSP=0x00007fc214c433f0, RBP=0x00007fc214c43410, RSI=0x0000000000000381, RDI=0x00007fc22d0df528
R8 =0x0000000000000001, R9 =0x0000000000000001, R10=0x00007fc22cbc1d80, R11=0x0000000000000000
R12=0x00007fc214c43480, R13=0x00007fc1e876a9c8, R14=0x0000000000000000, R15=0x00007fc1e876a710
RIP=0x00007fc22cbb36e4, EFLAGS=0x0000000000010246, CSGSFS=0x0000000000000033, ERR=0x0000000000000006
  TRAPNO=0x000000000000000e

Top of Stack: (sp=0x00007fc214c433f0)
0x00007fc214c433f0:   00007fc1e8558050 00007fc214c43480
0x00007fc214c43400:   00007fc1e802fe98 00007fc214c43450
0x00007fc214c43410:   00007fc214c434e0 00007fc22bf51b1f
0x00007fc214c43420:   00007fc1e813e788 00007fc214c437a0 

Instructions: (pc=0x00007fc22cbb36e4)


Stack slot to memory mapping:
stack at sp + 0 slots: 0x00007fc1e8558050 points into unknown readable memory: 80 69 4b 2d c2 7f 00 00
stack at sp + 1 slots: 0x00007fc214c43480 is pointing into the stack for thread: 0x00007fc224256800
stack at sp + 2 slots: 0x00007fc1e802fe98 points into unknown readable memory: a0 6b 4b 2d c2 7f 00 00
stack at sp + 3 slots: 0x00007fc214c43450 is pointing into the stack for thread: 0x00007fc224256800
stack at sp + 4 slots: 0x00007fc214c434e0 is pointing into the stack for thread: 0x00007fc224256800
stack at sp + 5 slots: 0x00007fc22bf51b1f: <offset 0x000000000085db1f> in /scratch/lmesnik/jenkins/workspace/JavaFuzzer/jdk-14/fastdebug/lib/server/libjvm.so at 0x00007fc22b6f4000
stack at sp + 6 slots: 0x00007fc1e813e788 points into unknown readable memory: a0 1f 4c 2d c2 7f 00 00
stack at sp + 7 slots: 0x00007fc214c437a0 is pointing into the stack for thread: 0x00007fc224256800
Comments
Fix Request for 13u

Backporting this patch fixing the C2 issue. Applies cleanly to 13u.
24-03-2020

Fix Request (11u)

This fixes the C2 problem, and keeps codebases in sync (I see 11.0.7-oracle). Patch applies cleanly to 11u. Additionally, it passes tier1 and tier2 tests. Risk is low-medium.
16-01-2020

URL: https://hg.openjdk.java.net/jdk/jdk/rev/a8104278b4d0
User: thartmann
Date: 2019-11-13 07:44:00 +0000
13-11-2019

http://cr.openjdk.java.net/~thartmann/8233656/webrev.02/
12-11-2019

Summary:

During IGVN, we process a CastII node that carries a non-zero dependency from GraphKit::cast_not_null [1]. ConstraintCastNode::dominating_cast then finds another CastII and checks if it's dominating. We assert in PhaseGVN::is_dominator_helper because the other CastII has a ProjNode as control input that has !is_CFG() because its input is TOP [2]. The input has been replaced in the same round of IGVN and the projection is already on the IGVN worklist but hasn't been processed yet (it will go away).

I propose to simply check the control inputs for is_CFG():
http://cr.openjdk.java.net/~thartmann/8233656/webrev.00/

I can reproduce the issue with a complex Javafuzzer generated test (attached to the bug) but minimal changes/simplifications to the test cause the issue to not reproduce anymore because it depends on the order in which nodes are processed by IGVN. So I don't think it makes sense to include that fragile test.

This has been triggered by my fix for JDK-8229496 which added additional Cast nodes but I believe it can also happen without these changes.

[1] https://hg.openjdk.java.net/jdk/jdk/rev/86b95fc6ca32#l12.40
[2] https://hg.openjdk.java.net/jdk/jdk/file/47c20fc6a517/src/hotspot/share/opto/multnode.cpp#l83
08-11-2019
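
The situation described in the summary above, as a simplified C++ model added here for illustration; it is not HotSpot source and not part of the original report. The `Node` struct, the `run` driver and the `guard` flag are assumptions, and the helper throws where the fastdebug VM asserts.

```cpp
#include <stdexcept>
#include <vector>

// Simplified model for illustration; not HotSpot source.
enum Kind { TOP, START, IF, PROJ, DATA, CAST };

struct Node {
  Kind kind;
  Node* ctrl;               // in(0): control input (for PROJ: the node it projects from)
  Node* val;                // in(1): value being cast (CAST only)
  std::vector<Node*> outs;  // uses of this node
  Node(Kind k, Node* c = nullptr, Node* v = nullptr) : kind(k), ctrl(c), val(v) {}
  // START and IF are CFG by class; a projection only while its input is CFG.
  bool is_CFG() const {
    if (kind == START || kind == IF) return true;
    return kind == PROJ && ctrl != nullptr && ctrl->is_CFG();
  }
};

// Stand-in for the asserting helper: throws where the fastdebug VM asserts.
bool is_dominator(const Node* d, const Node* n) {
  if (!(d->is_CFG() && n->is_CFG())) throw std::logic_error("must have CFG nodes");
  for (int i = 0; n != nullptr && i < 100; ++i, n = n->ctrl)
    if (n == d) return true;
  return false;
}

// Finds another cast of the same value whose control dominates ours.
// guard=true applies the is_CFG() check on both control inputs first.
const Node* dominating_cast(const Node* self, bool guard) {
  for (const Node* u : self->val->outs) {
    if (u == self || u->kind != CAST || u->ctrl == nullptr) continue;
    if (guard && !(u->ctrl->is_CFG() && self->ctrl->is_CFG())) continue;
    if (is_dominator(u->ctrl, self->ctrl)) return u;
  }
  return nullptr;
}

// Returns 1 if a dominating cast is found, 0 if none, -1 if the check trips.
int run(bool kill_proj_input, bool guard) {
  Node top(TOP), start(START), if1(IF, &start), pA(PROJ, &if1);
  Node if2(IF, &pA), pB(PROJ, &if2), v(DATA);
  Node castA(CAST, &pA, &v), castB(CAST, &pB, &v);
  v.outs = {&castA, &castB};
  if (kill_proj_input) pA.ctrl = &top;  // input replaced this round, Proj still queued
  try { return dominating_cast(&castB, guard) ? 1 : 0; }
  catch (const std::logic_error&) { return -1; }
}

int main() { return run(true, true) == 0 ? 0 : 1; }  // guarded dead-Proj case: no cast, no failure
```

With the projection's input still live, both variants find the dominating cast; once the input is TOP, only the guarded variant skips the dying candidate instead of tripping the check.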

We fail because the CastII control input is a ProjNode with a top input and therefore is_CFG() returns false:

4307 Proj === 1 [[ 4308 4311 4309 ]] #0 !orig=3729,2080 !jvms: StringConcatHelper::prepend @ bci:4 StringConcatHelper::prepend @ bci:17 0x00000008000a0c40::invokeStatic @ bci:19 0x00000008000a1c40::invoke @ bci:36 0x00000008000a9840::invoke @ bci:136 0x00000008000aa040::linkToTargetMethod @ bci:7 Test::mainTest @ bci:672
4308 CastII === 4307 1 [[ 4205 ]] #int carry dependency !orig=3701,864,[1480] !jvms: StringConcatHelper::prepend @ bci:5 StringConcatHelper::prepend @ bci:17 0x00000008000a0c40::invokeStatic @ bci:19 0x00000008000a1c40::invoke @ bci:36 0x00000008000a9840::invoke @ bci:136 0x00000008000aa040::linkToTargetMethod @ bci:7 Test::mainTest @ bci:672
07-11-2019

Thanks Rahul, I'll have a look!
07-11-2019

Test, classfiles, hs_err and replay info are attached.
06-11-2019