JDK-8290781 : Segfault at PhaseIdealLoop::clone_loop_handle_data_uses
  • Type: Bug
  • Component: hotspot
  • Sub-Component: compiler
  • Affected Version: 11.0.16-oracle,17,19,20
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2022-07-18
  • Updated: 2022-10-04
  • Resolved: 2022-08-31
Version table:
  • JDK 11: 11.0.18-oracle (Fixed)
  • JDK 17: 17.0.6-oracle (Fixed)
  • JDK 19: 19.0.2 (Fixed)
  • JDK 20: 20 b13 (Fixed)
Description
ADDITIONAL SYSTEM INFORMATION :
Arch: x86_64
OS: Ubuntu 20.04.4 LTS
HotSpot
- openjdk version "11.0.17-internal" 2022-10-18
- OpenJDK Runtime Environment (fastdebug build 11.0.17-internal+0-adhoc.congli.my-jdk11u)
- OpenJDK 64-Bit Server VM (fastdebug build 11.0.17-internal+0-adhoc.congli.my-jdk11u, mixed mode)
javac: javac 11.0.17-internal


A DESCRIPTION OF THE PROBLEM :
The problem was found in the repo https://github.com/openjdk/jdk11u-dev (commit 97a472ce), OpenJDK 11.0.17 internal. 

**Note** 
1. The given test may take **~1min** to make HotSpot crash. So please be patient.
2. Sorry, we cannot reduce the test further otherwise it cannot be reproduced.

The following is part of the log:
```
#
# A fatal error has been detected by the Java Runtime Environment:
#
#  SIGSEGV (0xb) at pc=0x00007fcd302ff9fe, pid=900700, tid=900712
#
# JRE version: OpenJDK Runtime Environment (11.0.17) (build 11.0.17-internal+0-adhoc.congli.jdk11u-dev)
# Java VM: OpenJDK 64-Bit Server VM (11.0.17-internal+0-adhoc.congli.jdk11u-dev, mixed mode, tiered, compressed oops, g1 gc, linux-amd64)
# Problematic frame:
# V  [libjvm.so+0xabf9fe]  PhaseIdealLoop::clone_loop_handle_data_uses(Node*, Node_List&, IdealLoopTree*, IdealLoopTree*, Node_List*&, Node_List*&, Node_List*&, Node_List&, unsigned int, PhaseIdealLoop::CloneLoopMode)+0x51e
#
# No core dump will be written. Core dumps have been disabled. To enable core dumping, try "ulimit -c unlimited" before starting Java again
#
# If you would like to submit a bug report, please visit:
#   https://bugreport.java.com/bugreport/crash.jsp
#

---------------  S U M M A R Y ------------

Command Line: -Xmx1G -XX:-BackgroundCompilation -XX:-PrintWarnings --illegal-access=deny Test

Host: Intel(R) Core(TM) i7-9700K CPU @ 3.60GHz, 8 cores, 15G, Ubuntu 20.04.4 LTS
Time: Mon Jul 18 20:30:48 2022 CEST elapsed time: 1.335015 seconds (0d 0h 0m 1s)

---------------  T H R E A D  ---------------

Current thread (0x00007fcd281d2000):  JavaThread "C2 CompilerThread0" daemon [_thread_in_native, id=900712, stack(0x00007fcd100ae000,0x00007fcd101af000)]


Current CompileTask:
C2:   1335   84 % !b  4       Test::vMeth1 @ 178 (244 bytes)

Stack: [0x00007fcd100ae000,0x00007fcd101af000],  sp=0x00007fcd101a9830,  free space=1006k
Native frames: (J=compiled Java code, A=aot compiled Java code, j=interpreted, Vv=VM code, C=native code)
V  [libjvm.so+0xabf9fe]  PhaseIdealLoop::clone_loop_handle_data_uses(Node*, Node_List&, IdealLoopTree*, IdealLoopTree*, Node_List*&, Node_List*&, Node_List*&, Node_List&, unsigned int, PhaseIdealLoop::CloneLoopMode)+0x51e
V  [libjvm.so+0xac0f0b]  PhaseIdealLoop::clone_loop(IdealLoopTree*, Node_List&, int, PhaseIdealLoop::CloneLoopMode, Node*)+0x100b
V  [libjvm.so+0xa9bfee]  PhaseIdealLoop::do_unroll(IdealLoopTree*, Node_List&, bool)+0x20e
V  [libjvm.so+0xaa1a44]  IdealLoopTree::iteration_split_impl(PhaseIdealLoop*, Node_List&)+0x514
V  [libjvm.so+0xaa1cd6]  IdealLoopTree::iteration_split(PhaseIdealLoop*, Node_List&)+0x1d6
V  [libjvm.so+0xaa1b33]  IdealLoopTree::iteration_split(PhaseIdealLoop*, Node_List&)+0x33
V  [libjvm.so+0xaa1b33]  IdealLoopTree::iteration_split(PhaseIdealLoop*, Node_List&)+0x33
V  [libjvm.so+0xab6332]  PhaseIdealLoop::build_and_optimize()+0x922
V  [libjvm.so+0x634215]  Compile::optimize_loops(int&, PhaseIterGVN&, LoopOptsMode) [clone .part.0]+0x1d5
V  [libjvm.so+0x636849]  Compile::Optimize()+0xc79
V  [libjvm.so+0x638112]  Compile::Compile(ciEnv*, C2Compiler*, ciMethod*, int, bool, bool, bool, bool, DirectiveSet*)+0xf92
V  [libjvm.so+0x55f93f]  C2Compiler::compile_method(ciEnv*, ciMethod*, int, DirectiveSet*)+0x15f
V  [libjvm.so+0x6414b5]  CompileBroker::invoke_compiler_on_method(CompileTask*)+0x3b5
V  [libjvm.so+0x642658]  CompileBroker::compiler_thread_loop()+0x428
V  [libjvm.so+0xd963cf]  JavaThread::thread_main_inner()+0x10f
V  [libjvm.so+0xd92dd0]  Thread::call_run()+0x140
V  [libjvm.so+0xc009ae]  thread_native_entry(Thread*)+0xee
```

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. javac Test.java
2. java -Xmx1G -XX:-BackgroundCompilation -XX:-PrintWarnings --illegal-access=deny Test


EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
No segfault
ACTUAL -
Segfault

---------- BEGIN SOURCE ----------
class Test {
  int N = 256;
  long instanceCount;
  int iFld;

  void vMeth1() {
    int i3, i4, i5 = 9020, i6, i7 = 4, i8, i10, i11 = 2, iArr1[] = new int[N];
    float[] fArr = new float[N];
    long[] lArr = new long[N];
    for (i4 = 3; ; ) {
      try {
        i5 = i5 % iArr1[i4];
      } catch (ArithmeticException a_e) {
      }
      for (i6 = 1; i6 < 5; i6++)
        for (i8 = 1; 2 > i8; i8 += 2) {
          iArr1[i8 - 1] = i6;
          fArr[i6] += i6;
          lArr[i4] <<= i5;
          try {
            iArr1[i8] = 467471596 / iArr1[i8 - 1];
            i7 = iArr1[i4 + 1] % i6;
          } catch (ArithmeticException a_e) {
          }
        }
      for (i10 = 1; i10 < 5; i10++) {
        iArr1[i4 + 1] >>= i7;
        iArr1[i10] = (int) instanceCount;
      }
      for (int ax$13 = 2362; ax$13 < 7036; ax$13 += 1)
        try {
          boolean[][] ax$7 = new boolean[2329][1];
          for (int ax$9 = 0; ; ax$9++) ax$7[i11][ax$9] = ax$9 == '.';
        } catch (Throwable ax$12) {
        } finally {
        }
    }
  }

  int iMeth(long l) {
    float fArr1[] = new float[N];
    vMeth1();
    long meth_res = Double.doubleToLongBits(checkSum(fArr1));
    return (int) meth_res;
  }

  void vMeth(int i2) {
    i2 = iMeth(instanceCount);
  }

  void mainTest(String[] strArr1) {
    vMeth(iFld);
  }

  public static void main(String[] strArr) {
    Test _instance = new Test();
    _instance.mainTest(strArr);
  }

  public static double checkSum(float[] a) {
    double sum = 0;
    for (int j = 0; j < a.length; j++) {
      sum += (a[j] / (j + 1) + a[j] % (j + 1));
    }
    return sum;
  }
}
---------- END SOURCE ----------

FREQUENCY : always



Comments
A pull request was submitted for review. URL: https://git.openjdk.org/jdk17u-dev/pull/764 Date: 2022-10-02 07:09:09 +0000
02-10-2022

A pull request was submitted for review. URL: https://git.openjdk.org/jdk11u-dev/pull/1382 Date: 2022-10-02 07:08:48 +0000
02-10-2022

Fix request [17u]
Backport for parity with 17.0.6-oracle. Fixes a crash during C2 compilation. The fix is low risk and applies cleanly. Already tested and backported to JDK 19u, Oracle JDK 11u and Oracle JDK 17u.
Tested by
* running jtreg tier1, tier2, jck runtime on linux x64, aarch64
* manually ran test from the JBS description with specified parameters
Risk of the backport to break the VM: low
02-10-2022

Fix request [11u]
Backport for parity with 11.0.18-oracle. Fixes a crash during C2 compilation. The fix is low risk and applies cleanly. Already tested and backported to JDK 19u, Oracle JDK 11u and Oracle JDK 17u.
Tested by
* running jtreg tier1, tier2, jck runtime on linux x64, x86, aarch64
* manually ran test from the JBS description with specified parameters
Risk of the backport to break the VM: low
02-10-2022

A pull request was submitted for review. URL: https://git.openjdk.org/jdk19u/pull/31 Date: 2022-09-22 13:25:44 +0000
22-09-2022

Fix Request (JDK 19u) Fixes a crash during C2 compilation. The fix is low risk and applies cleanly. Already tested and backported to Oracle JDK 11u and 17u.
22-09-2022

Changeset: 4c90e87a Author: Roland Westrelin <roland@openjdk.org> Date: 2022-08-31 09:23:41 +0000 URL: https://git.openjdk.org/jdk/commit/4c90e87a6fa83a66fdb8767b999879600629f1f6
31-08-2022

A pull request was submitted for review. URL: https://git.openjdk.org/jdk/pull/9997 Date: 2022-08-24 07:58:11 +0000
24-08-2022

According to binary search with TestLSMBadControlOverride, the issue was introduced by JDK-8263303 in JDK 17 b26.
22-07-2022

This applies to latest jdk as well I think. I attached a test that crashes the same way with a recent build as well when run with: java -XX:-TieredCompilation -XX:-BackgroundCompilation -XX:-UseOnStackReplacement -XX:CompileOnly=TestLSMBadControlOverride::test TestLSMBadControlOverride
22-07-2022

Issue is reproduced on JDK 11.0.16
OS: Windows 10
JDK 11.0.15.1: Pass
JDK 11.0.16: Fail
JDK 17.0.4: Pass
JDK 18.0.2: Pass
JDK 20ea6: Pass
Crash is observed on JDK 11.0.16, hs_err_pid.log file is attached, moving it to dev team for further analysis
22-07-2022

Running the test with a debug build crashes like this:
```
# A fatal error has been detected by the Java Runtime Environment:
#
# SIGSEGV (0xb) at pc=0x00007f9911c06827, pid=826177, tid=826189
#
# JRE version: Java(TM) SE Runtime Environment 18.9 (11.0.17+3) (fastdebug build 11.0.17-ea+3-LTS-226)
# Java VM: Java HotSpot(TM) 64-Bit Server VM 18.9 (fastdebug 11.0.17-ea+3-LTS-226, mixed mode, tiered, compressed oops, g1 gc, linux-amd64)
# Problematic frame:
# V [libjvm.so+0x128f827] Node::in(unsigned int) const [clone .isra.25] [clone .constprop.107]+0x7

Current CompileTask:
C2: 6225 807 % ! 4 Test::vMeth1 @ 178 (244 bytes)

Stack: [0x00007f98d5cfd000,0x00007f98d5dfe000], sp=0x00007f98d5df7470, free space=1001k
Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
V [libjvm.so+0x128f827] Node::in(unsigned int) const [clone .isra.25] [clone .constprop.107]+0x7
V [libjvm.so+0x1297ae6] PhaseIdealLoop::set_ctrl(Node*, Node*)+0x56
V [libjvm.so+0x12e2c05] PhaseIdealLoop::clone_loop(IdealLoopTree*, Node_List&, int, PhaseIdealLoop::CloneLoopMode, Node*)+0x225
V [libjvm.so+0x12a6c6c] PhaseIdealLoop::do_unroll(IdealLoopTree*, Node_List&, bool)+0x2bc
V [libjvm.so+0x12af7a5] IdealLoopTree::iteration_split_impl(PhaseIdealLoop*, Node_List&)+0x515
V [libjvm.so+0x12afb48] IdealLoopTree::iteration_split(PhaseIdealLoop*, Node_List&)+0x308
V [libjvm.so+0x12af9bd] IdealLoopTree::iteration_split(PhaseIdealLoop*, Node_List&)+0x17d
V [libjvm.so+0x12afb33] IdealLoopTree::iteration_split(PhaseIdealLoop*, Node_List&)+0x2f3
V [libjvm.so+0x12af9bd] IdealLoopTree::iteration_split(PhaseIdealLoop*, Node_List&)+0x17d
V [libjvm.so+0x12d6259] PhaseIdealLoop::build_and_optimize(LoopOptsMode)+0xf59
V [libjvm.so+0xa39411] Compile::optimize_loops(int&, PhaseIterGVN&, LoopOptsMode) [clone .part.440]+0x2d1
V [libjvm.so+0xa3cdc7] Compile::Optimize()+0xca7
V [libjvm.so+0xa3df50] Compile::Compile(ciEnv*, C2Compiler*, ciMethod*, int, bool, bool, bool, bool, DirectiveSet*)+0xf60
V [libjvm.so+0x83a9eb] C2Compiler::compile_method(ciEnv*, ciMethod*, int, DirectiveSet*)+0xfb
V [libjvm.so+0xa4b504] CompileBroker::invoke_compiler_on_method(CompileTask*)+0x304
V [libjvm.so+0xa4c6f8] CompileBroker::compiler_thread_loop()+0x568
V [libjvm.so+0x180ee3b] JavaThread::thread_main_inner()+0x20b
V [libjvm.so+0x180a81a] Thread::call_run()+0x19a
V [libjvm.so+0x151a25e] thread_native_entry(Thread*)+0xfe
```
21-07-2022

ILW = Crash during C2 compilation (related to loop strip mining JDK-8186027), with generated test, disable loop strip mining (-XX:LoopStripMiningIter=0) = HLM = P3
21-07-2022
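
Both stack traces on this page show the same shape: a C2 compiler thread crashing under `PhaseIdealLoop::do_unroll` and `PhaseIdealLoop::clone_loop`. The Python sketch below is an added example (not part of the bug report or of OpenJDK) that pulls those fields out of an hs_err log for triage; the sample input is constructed from lines of the log in the description, and the function, constant and field names are hypothetical.

```python
import re

# Constructed input: lines copied from the hs_err excerpt in the description.
SAMPLE_HS_ERR = """\
#  SIGSEGV (0xb) at pc=0x00007fcd302ff9fe, pid=900700, tid=900712
# Problematic frame:
# V  [libjvm.so+0xabf9fe]  PhaseIdealLoop::clone_loop_handle_data_uses(Node*, Node_List&, IdealLoopTree*, IdealLoopTree*, Node_List*&, Node_List*&, Node_List*&, Node_List&, unsigned int, PhaseIdealLoop::CloneLoopMode)+0x51e
Current thread (0x00007fcd281d2000):  JavaThread "C2 CompilerThread0" daemon [_thread_in_native, id=900712, stack(0x00007fcd100ae000,0x00007fcd101af000)]
Current CompileTask:
C2:   1335   84 % !b  4       Test::vMeth1 @ 178 (244 bytes)
V  [libjvm.so+0xac0f0b]  PhaseIdealLoop::clone_loop(IdealLoopTree*, Node_List&, int, PhaseIdealLoop::CloneLoopMode, Node*)+0x100b
V  [libjvm.so+0xa9bfee]  PhaseIdealLoop::do_unroll(IdealLoopTree*, Node_List&, bool)+0x20e
"""

SIGNAL_RE = re.compile(r"^#\s+(SIG\w+) \(0x[0-9a-f]+\) at pc=", re.M)
THREAD_RE = re.compile(r'^Current thread \(0x[0-9a-f]+\):\s+\w+ "([^"]+)"', re.M)
# "C2: <ms> <id> <flags> <tier> <Class::method> [@ <osr bci>] (<n> bytes)"
TASK_RE = re.compile(
    r"^(C[12]):\s+\d+\s+\d+\s+.*?\s+\d\s+(\S+::\S+)(?: @ (\d+))? \(\d+ bytes\)", re.M)
# Native frame line, optionally prefixed by "# " under "Problematic frame:".
FRAME_RE = re.compile(r"^(?:# )?[VCJjAv]\s+\[\S+?\+0x[0-9a-f]+\]\s+([\w:~]+)", re.M)

# Frames common to both stack traces on this page (product and fastdebug builds).
SIGNATURE_FRAMES = ("PhaseIdealLoop::clone_loop", "PhaseIdealLoop::do_unroll")


def triage(log):
    """Extract the fields needed to match an hs_err log against this report."""
    sig, thread, task = (r.search(log) for r in (SIGNAL_RE, THREAD_RE, TASK_RE))
    frames = [m.group(1) for m in FRAME_RE.finditer(log)]
    in_jit = bool(thread and "CompilerThread" in thread.group(1))
    return {
        "signal": sig.group(1) if sig else None,
        "thread": thread.group(1) if thread else None,
        "compiler": task.group(1) if task else None,
        "method": task.group(2) if task else None,
        # "@ <bci>" is printed only for on-stack-replacement compilations.
        "osr_bci": int(task.group(3)) if task and task.group(3) else None,
        "top_frame": frames[0] if frames else None,
        # Crash inside C2 while cloning a loop body for unrolling.
        "matches_report": in_jit and bool(task) and task.group(1) == "C2"
                          and all(f in frames for f in SIGNATURE_FRAMES),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HS_ERR).items():
        print(f"{key}: {value}")
```

A match only means the log has the same shape as this report; confirm by comparing the running JDK build against the fixed versions listed at the top of the page.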