JDK-8312456 : Potential null pointer access in LoadNode::split_through_phi after JDK-8287061
  • Type: Bug
  • Component: hotspot
  • Sub-Component: compiler
  • Affected Version: 22
  • Priority: P4
  • Status: Closed
  • Resolution: Not an Issue
  • Submitted: 2023-07-20
  • Updated: 2023-07-21
  • Resolved: 2023-07-21
  • Fix Version: JDK 22 (Resolved)
Description
SonarCloud reports "base" can be null on this path after JDK-8287061:

```cpp
  Node* phi = nullptr;
  const Type* this_type = this->bottom_type();
  PhaseIterGVN* igvn = phase->is_IterGVN();
  if (t_oop != nullptr && (t_oop->is_known_instance_field() || load_boxed_values)) {
    int this_index = C->get_alias_index(t_oop);
    int this_offset = t_oop->offset();
    int this_iid = t_oop->is_known_instance_field() ? t_oop->instance_id() : base->_idx;  // <------ HERE
    phi = new PhiNode(region, this_type, nullptr, mem->_idx, this_iid, this_index, this_offset);
  } else if (ignore_missing_instance_id) {
    phi = new PhiNode(region, this_type, nullptr, mem->_idx);
  } else {
    return nullptr;
  }
```

This might be a false positive, but I don't clearly see what guarantees that `base` is not `nullptr` on that path. Previous code checks for `base_is_phi` (which does the null check for `base`) before accessing `base` fields.

Is this a bug, Cesar? Feel free to close as "Not an Issue" if this is a false positive.
Comments
Ah yes. I agree!
20-07-2023

To enter that block either `t_oop->is_known_instance_field()` or `load_boxed_values` needs to be true. If `t_oop->is_known_instance_field()` is true the `base` isn't really used. If `load_boxed_values` is true it means `base` isn't `nullptr` (see initialization of `load_boxed_values`). I think we may close this as a false positive.
20-07-2023

ILW = Possible null pointer leading to a crash, not observed yet to be a problem, no workaround = MLH = P4
20-07-2023
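The reasoning in the analysis comment above rests on a correlated condition that a static analyzer cannot see locally: the false arm of the ternary is only reached when `is_known_instance_field()` is false, which forces `load_boxed_values` to be true, and `load_boxed_values` is only true when `base` is non-null. The following is an added example, not HotSpot code: the `Node`, `TypeOopPtr` and `compute_load_boxed_values` stand-ins are simplified assumptions that model just enough of the control flow to exercise both arms, and the `assert` shows how that invariant can be documented in place so the dependency on the initialization of `load_boxed_values` is explicit.

```cpp
#include <cassert>
#include <cstddef>

// Added example (not HotSpot code): minimal stand-ins for the C2 types
// that appear in the flagged block, modelling only the control flow.
struct Node {
  int _idx;
};

struct TypeOopPtr {
  bool known_instance_field;  // models t_oop->is_known_instance_field()
  int iid;                    // models t_oop->instance_id()
  bool is_known_instance_field() const { return known_instance_field; }
  int instance_id() const { return iid; }
};

// Models how load_boxed_values is established before the block. This is an
// assumption for the example: the comment only states that the real
// initialization implies a non-null base, so it is modelled that way here.
static bool compute_load_boxed_values(const Node* base, bool boxed_candidate) {
  return base != nullptr && boxed_candidate;
}

// Returns the instance id the block would pass to PhiNode, or -1 when the
// block is not entered (the remaining arms of the original if/else are
// collapsed into -1 for this example).
static int select_this_iid(const TypeOopPtr* t_oop, const Node* base,
                           bool load_boxed_values) {
  if (t_oop != nullptr && (t_oop->is_known_instance_field() || load_boxed_values)) {
    // Invariant the analyzer cannot derive on its own: reaching the false
    // arm of the ternary means is_known_instance_field() is false, hence
    // load_boxed_values is true, hence base is non-null by construction.
    if (!t_oop->is_known_instance_field()) {
      assert(load_boxed_values && base != nullptr &&
             "load_boxed_values implies a non-null base");
    }
    return t_oop->is_known_instance_field() ? t_oop->instance_id() : base->_idx;
  }
  return -1;
}

// Path 1: known instance field with a deliberately null base; the ternary
// short-circuits on the true arm and base is never dereferenced.
static int path_known_instance_null_base() {
  TypeOopPtr t{true, 42};
  return select_this_iid(&t, nullptr, compute_load_boxed_values(nullptr, true));
}

// Path 2: not a known instance field, boxed-value load with a real base;
// this is the only way to reach base->_idx, and base is non-null here.
static int path_boxed_with_base() {
  TypeOopPtr t{false, 0};
  Node base{7};
  return select_this_iid(&t, &base, compute_load_boxed_values(&base, true));
}

// Path 3: neither condition holds, so the block is not entered at all.
static int path_not_entered() {
  TypeOopPtr t{false, 0};
  return select_this_iid(&t, nullptr, compute_load_boxed_values(nullptr, true));
}

int main() {
  assert(path_known_instance_null_base() == 42);
  assert(path_boxed_with_base() == 7);
  assert(path_not_entered() == -1);
  return 0;
}
```

Running the three paths shows why the report is a false positive rather than a latent crash: there is no reachable combination in which `base->_idx` is evaluated with a null `base`, and the `assert` turns that argument into a check that a debug build would enforce if the initialization of `load_boxed_values` ever changed.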