1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
|
/*
* Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
/*
* @test
* @requires vm.gc.Z & !vm.graal.enabled
* @bug 8237859
* @summary A LoadP node has a wrong control input (too early) which results in an out-of-bounds read of an object array with ZGC.
*
* @run main/othervm -Xmx256m -XX:+UnlockExperimentalVMOptions -XX:+UseZGC compiler.loopopts.TestRangeCheckPredicatesControl
* @run main/othervm -Xmx256m -XX:+UnlockExperimentalVMOptions -XX:+UseZGC -XX:+UnlockDiagnosticVMOptions -XX:+IgnoreUnrecognizedVMOptions -XX:+StressGCM compiler.loopopts.TestRangeCheckPredicatesControl
*/
package compiler.loopopts;
public class TestRangeCheckPredicatesControl {
static Wrapper w1 = new Wrapper();
static Wrapper w2 = new Wrapper();
static Wrapper w3 = new Wrapper();
public static void main(String[] args) {
for (int x = 0; x < 10000000; x++) {
test(x % 2 == 0);
test2(x % 2 == 0, x % 3 == 0);
test3(x % 2 == 0);
test4(x % 2 == 0);
}
}
private static class Wrapper {
long longs;
int a;
public void maybeMaskBits(boolean b) {
if (b) {
longs &= 0x1F1F1F1F;
}
}
public void maybeMaskBits2(boolean b, boolean c) {
if (b) {
longs &= 0x1F1F1F1F;
}
if (c) {
a += 344;
}
}
}
private static void test(boolean flag) {
Wrapper[] wrappers_array;
if (flag) {
wrappers_array = new Wrapper[] {w1, w2};
} else {
wrappers_array = new Wrapper[] {w1, w2, w3};
}
// This loop is first unswitched and then pre/main/post loops are created for both unswitched loops.
// Both loops are unrolled once (two iterations in main loop, one in pre loop). As a result, the main
// loop contains an access of wrappers_array[1] and wrappers_array[2]. If 'flag' is false, then the
// main loop is not entered. But the load for wrappers_array[2] is wrongly scheduled before deciding
// if the main loop is executed or not due to a wrong control input of the corresponding LoadP node.
// The LoadP node still has a control input from a loop predicate of the original loop to be unswitched.
// As a consequence, the access wrappers_array[2] is executed regardless of the value of 'flag' resulting
// in a segfault. This fix addresses the problem of not updating the control inputs for data nodes
// from a predicate before the pre loop to the main and post loop. The fix for JDK-8240227 updates the
// control dependencies to predicates of the original loop to be unswitched to newly cloned predicates
// of the unswitched loops.
for (int i = 0; i < wrappers_array.length; i++) {
wrappers_array[i].maybeMaskBits(flag);
}
}
// This test unswitches two times
private static void test2(boolean flag, boolean flag2) {
Wrapper[] wrappers_array;
Wrapper[] wrappers_array2;
if (flag) {
wrappers_array = new Wrapper[] {w1, w2};
wrappers_array2 = new Wrapper[] {w1, w2};
} else {
wrappers_array = new Wrapper[] {w1, w2, w3};
wrappers_array2 = new Wrapper[] {w1, w2, w3};
}
for (int i = 0; i < wrappers_array.length; i++) {
wrappers_array[i].maybeMaskBits(flag);
wrappers_array2[i].maybeMaskBits2(flag, flag2);
}
}
// Test without unswitching but wrong control dependencies for data nodes to predicates before the pre loop.
// There is no update for the data nodes belonging to main and post loop after pre/main/post loops are created.
private static void test3(boolean flag) {
Wrapper[] wrappers_array;
if (flag) {
wrappers_array = new Wrapper[] {w1, w2};
} else {
wrappers_array = new Wrapper[] {w1, w2, w3};
}
for (int i = 0; i < wrappers_array.length; i++) {
wrappers_array[i].longs &= 0x1F1F1F1F;
}
}
private static void test4(boolean flag) {
Wrapper[] wrappers_array;
Wrapper[] wrappers_array2;
if (flag) {
wrappers_array = new Wrapper[] {w1, w2};
wrappers_array2 = new Wrapper[] {w1, w2};
} else {
wrappers_array = new Wrapper[] {w1, w2, w3};
wrappers_array2 = new Wrapper[] {w1, w2, w3};
}
for (int i = 0; i < wrappers_array.length; i++) {
wrappers_array[i].longs &= 0x1F1F1F1F;
wrappers_array2[i].longs &= 0x1F1F1F1F;
}
}
}
|
