JDK-8324833 : Signed integer overflows in ABS
  • Type: Bug
  • Component: hotspot
  • Sub-Component: compiler
  • Affected Version: 8,11,17,21,23
  • Priority: P4
  • Status: Closed
  • Resolution: Won't Fix
  • Submitted: 2024-01-29
  • Updated: 2024-03-28
  • Resolved: 2024-03-28
Description
JDK-8307138 did a lot of work for eliminating the signed overflows. But it looks like more cases showed up recently, because I just tried for mainline:

```
% bash ./configure --with-debug-level=fastdebug --with-jtreg=../openjdk-jtreg/build/images/jtreg/  --with-gtest=../googletest-1.14.0 --disable-warnings-as-errors --with-extra-cxxflags=-ftrapv
% make test TEST=hotspot:tier1

==============================
Test summary
==============================
   TEST                                              TOTAL  PASS  FAIL ERROR
>> jtreg:test/hotspot/jtreg:tier1                     2528  2526     2     0 <<
==============================
TEST FAILURE

% grep ^TEST: tiers.log
TEST: compiler/c2/MinValueStrideCountedLoop.java#id1
TEST: compiler/c2/MinValueStrideCountedLoop.java#id0
```

This is probably JDK-8314191.
Comments
Abandoning this work in favor of per-case fixes: https://github.com/openjdk/jdk/pull/17617#pullrequestreview-1965226153
28-03-2024

A pull request was submitted for review. URL: https://git.openjdk.org/jdk/pull/17617 Date: 2024-01-29 15:59:49 +0000
31-01-2024

Agree this does not look recent. But I am not sure about this being harmless, as there are other places where ABS result is used as the number, assuming (?) it works well and never reports negative values. The fact that the new assert trips even during the build in loop opts worries me quite a bit. I have a draft fix for it, testing it now: https://github.com/openjdk/jdk/pull/17617.
30-01-2024

Oops, it is more widespread than a single test. Even the basic macos-aarch64-server-fastdebug build fails with that assert at:
```
Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
V [libjvm.dylib+0x122d720] VMError::report_and_die(int, char const*, char const*, char*, Thread*, unsigned char*, void*, void*, char const*, int, unsigned long)+0x554 (globalDefinitions.hpp:1114)
V [libjvm.dylib+0x122df2c] VMError::report_and_die(Thread*, unsigned int, unsigned char*, void*, void*)+0x0
V [libjvm.dylib+0x560c48] print_error_for_unit_test(char const*, char const*, char*)+0x0
V [libjvm.dylib+0x8337ac] Node::as_IfProj() const+0x0
V [libjvm.dylib+0x8333e4] RangeCheckNode::Ideal(PhaseGVN*, bool)+0x1ec
V [libjvm.dylib+0xe9f940] PhaseIterGVN::transform_old(Node*)+0x164
V [libjvm.dylib+0xe9ee28] PhaseIterGVN::optimize()+0xf4
V [libjvm.dylib+0x4c2680] PhaseIdealLoop::optimize(PhaseIterGVN&, LoopOptsMode)+0xe0
V [libjvm.dylib+0x4bbad4] Compile::Optimize()+0x60c
V [libjvm.dylib+0x4ba2d8] Compile::Compile(ciEnv*, ciMethod*, int, Options, DirectiveSet*)+0x11ec
V [libjvm.dylib+0x388160] C2Compiler::compile_method(ciEnv*, ciMethod*, int, bool, DirectiveSet*)+0x1e4
V [libjvm.dylib+0x4d7bc4] CompileBroker::invoke_compiler_on_method(CompileTask*)+0x98c
V [libjvm.dylib+0x4d6ec8] CompileBroker::compiler_thread_loop()+0x340
V [libjvm.dylib+0x8be7fc] JavaThread::thread_main_inner()
```
30-01-2024

The code in PhaseIdealLoop::exact_limit is quite old, this is not a recent regression. Looks harmless to me because the ABS result would need to be 1 for something bad to happen which seems unlikely. ILW = Potential undefined behavior in C2 code, never observed, no workaround but disable compilation of affected method = MLM = P4
30-01-2024

JDK-8214189 added uabs methods that we can probably use here.
29-01-2024

Easy to trigger with: ``` diff --git a/src/hotspot/share/utilities/globalDefinitions.hpp b/src/hotspot/share/utilities/globalDefinitions.hpp index 08eb2582870..6cfdc3c67c9 100644 --- a/src/hotspot/share/utilities/globalDefinitions.hpp +++ b/src/hotspot/share/utilities/globalDefinitions.hpp @@ -1106,7 +1106,15 @@ template<class T> constexpr T MIN3(T a, T b, T c) { return MIN2(MIN2(a, b), template<class T> constexpr T MAX4(T a, T b, T c, T d) { return MAX2(MAX3(a, b, c), d); } template<class T> constexpr T MIN4(T a, T b, T c, T d) { return MIN2(MIN3(a, b, c), d); } -template<class T> inline T ABS(T x) { return (x > 0) ? x : -x; } +template<class T> inline T ABS(T x) { + if (x > 0) { + return x; + } else { + T nx = -x; + assert(nx != x, "sanity"); + return nx; + } +} // Return the given value clamped to the range [min ... max] template<typename T> ```
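Review bot: in the else branch of the new ABS, `assert(nx != x, "sanity")` also fires for x == 0, because -0 == 0, so ABS(0) would trip the assert with no overflow involved. The check also sits after `T nx = -x;`, so for the minimum value of a signed T the overflowing negation has already been evaluated by the time the assert runs. Comparing x against std::numeric_limits<T>::min() before negating would flag only the overflowing input and leave zero alone.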
29-01-2024

The overflow is here:
```
if (ABS(cl->stride_con()) == 1 || cl->limit()->Opcode() == Op_LoopLimit) {

template<class T> inline T ABS(T x) { return (x > 0) ? x : -x; }
```
It apparently is just tickled by the test that comes in with MIN_VALUE as the stride_con().
29-01-2024

```
(gdb) bt
#0 0x00007f394e66fca0 in raise () from /lib64/libc.so.6
#1 0x00007f394e671148 in abort () from /lib64/libc.so.6
#2 0x00007f394dd3d2d3 in __subvsi3 () from /local/home/shipilev/shipilev-jdk/build/linux-x86_64-server-fastdebug/images/jdk/lib/server/libjvm.so
#3 0x00007f394d4c03a8 in ABS<int> (x=<optimized out>) at /home/shipilev/shipilev-jdk/src/hotspot/share/utilities/globalDefinitions.hpp:1109
#4 PhaseIdealLoop::exact_limit (this=this@entry=0x7f3914b661f0, loop=loop@entry=0x7f3899bba0c8) at /home/shipilev/shipilev-jdk/src/hotspot/share/opto/loopnode.cpp:2344
#5 0x00007f394d486ac8 in PhaseIdealLoop::loop_predication_impl_helper (this=this@entry=0x7f3914b661f0, loop=loop@entry=0x7f3899bba0c8, if_success_proj=if_success_proj@entry=0x7f389ad471c0, parse_predicate_proj=0x7f389ad43c00, cl=cl@entry=0x7f3898156c58, zero=zero@entry=0x7f389ad42dc8, invar=..., reason=Deoptimization::Reason_predicate) at /home/shipilev/shipilev-jdk/src/hotspot/share/opto/loopPredicate.cpp:1238
#6 0x00007f394d489a55 in PhaseIdealLoop::loop_predication_impl (this=this@entry=0x7f3914b661f0, loop=loop@entry=0x7f3899bba0c8) at /home/shipilev/shipilev-jdk/src/hotspot/share/opto/loopPredicate.cpp:1464
#7 0x00007f394d489e56 in IdealLoopTree::loop_predication (this=0x7f3899bba0c8, phase=0x7f3914b661f0) at /home/shipilev/shipilev-jdk/src/hotspot/share/opto/loopPredicate.cpp:1551
#8 0x00007f394d489e82 in IdealLoopTree::loop_predication (this=0x7f3899bbb9f0, phase=phase@entry=0x7f3914b661f0) at /home/shipilev/shipilev-jdk/src/hotspot/share/opto/loopPredicate.cpp:1546
#9 0x00007f394d4c8f7b in PhaseIdealLoop::build_and_optimize (this=this@entry=0x7f3914b661f0) at /home/shipilev/shipilev-jdk/src/hotspot/share/opto/loopnode.cpp:4806
#10 0x00007f394ccb16ce in PhaseIdealLoop::PhaseIdealLoop (mode=LoopOptsDefault, igvn=..., this=0x7f3914b661f0) at /home/shipilev/shipilev-jdk/src/hotspot/share/opto/loopnode.hpp:1112
#11 PhaseIdealLoop::optimize (igvn=..., mode=mode@entry=LoopOptsDefault) at /home/shipilev/shipilev-jdk/src/hotspot/share/opto/loopnode.hpp:1191
#12 0x00007f394ccad595 in Compile::Optimize (this=this@entry=0x7f3914b68830) at /home/shipilev/shipilev-jdk/src/hotspot/share/opto/compile.cpp:2385
#13 0x00007f394ccafd39 in Compile::Compile (this=0x7f3914b68830, ci_env=<optimized out>, target=<optimized out>, osr_bci=<optimized out>, options=..., directive=0x7f394415f480) at /home/shipilev/shipilev-jdk/src/hotspot/share/opto/compile.cpp:860
#14 0x00007f394cb17645 in C2Compiler::compile_method (this=<optimized out>, env=0x7f3914b696e0, target=0x7f3898861770, entry_bci=-1, install_code=true, directive=0x7f394415f480) at /home/shipilev/shipilev-jdk/src/hotspot/share/opto/c2compiler.cpp:142
#15 0x00007f394ccbad57 in CompileBroker::invoke_compiler_on_method (task=task@entry=0x7f394424f6e0) at /home/shipilev/shipilev-jdk/src/hotspot/share/compiler/compileBroker.cpp:2299
#16 0x00007f394ccbbc97 in CompileBroker::compiler_thread_loop () at /home/shipilev/shipilev-jdk/src/hotspot/share/compiler/compileBroker.cpp:1958
#17 0x00007f394d1144c7 in JavaThread::thread_main_inner (this=0x7f3944245350) at /home/shipilev/shipilev-jdk/src/hotspot/share/runtime/javaThread.cpp:721
#18 0x00007f394da8513f in Thread::call_run (this=this@entry=0x7f3944245350) at /home/shipilev/shipilev-jdk/src/hotspot/share/runtime/thread.cpp:221
#19 0x00007f394d6ada40 in thread_native_entry (thread=0x7f3944245350) at /home/shipilev/shipilev-jdk/src/hotspot/os/linux/os_linux.cpp:789
#20 0x00007f394ebf444b in start_thread () from /lib64/libpthread.so.0
#21 0x00007f394e72b52f in clone () from /lib64/libc.so.6
```
29-01-2024
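
The overflow discussed in this thread, as an added example that is not HotSpot code or part of the original report: it keeps the page's `ABS` for reference and shows two overflow-free alternatives for the `ABS(stride_con) == 1` test. `unsigned_abs`, `checked_abs` and `stride_is_unit` are hypothetical names chosen for illustration; they are not the `uabs` methods from JDK-8214189.

```cpp
#include <climits>
#include <cstdio>
#include <limits>
#include <type_traits>

// The helper quoted on the page. For x == INT_MIN the signed negation -x
// overflows (undefined behaviour, abort under -ftrapv). It is only called
// with safe inputs in this example.
template <class T> inline T ABS(T x) { return (x > 0) ? x : -x; }

// Hypothetical helper: magnitude of a signed integer as its unsigned
// counterpart. The negation is done in unsigned arithmetic, which wraps
// by definition, so every input (including the minimum) is well defined.
template <class T>
inline typename std::make_unsigned<T>::type unsigned_abs(T x) {
  typedef typename std::make_unsigned<T>::type U;
  U ux = static_cast<U>(x);  // modular conversion, always defined
  return (x < 0) ? static_cast<U>(U(0) - ux) : ux;
}

// Hypothetical checked variant for signed T: rejects the single input
// whose magnitude does not fit in T, before any negation is evaluated.
template <class T>
inline bool checked_abs(T x, T* out) {
  if (x == std::numeric_limits<T>::min()) return false;
  *out = (x < 0) ? -x : x;
  return true;
}

// The stride test from the page, written against the unsigned magnitude.
inline bool stride_is_unit(int stride_con) {
  return unsigned_abs(stride_con) == 1u;
}

int main() {
  int out = 0;
  std::printf("unsigned_abs(INT_MIN) = %u\n", unsigned_abs(INT_MIN));
  std::printf("stride_is_unit(-1)      = %d\n", stride_is_unit(-1));
  std::printf("stride_is_unit(INT_MIN) = %d\n", stride_is_unit(INT_MIN));
  std::printf("checked_abs(INT_MIN) ok = %d\n", checked_abs(INT_MIN, &out));
  return 0;
}
```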