8016474: Crash in sun.reflect.UnsafeObjectFieldAccessorImpl.get

C1's GetUnsafeObject G1 pre-barrier uses the wrong type to read the klass pointer. Reviewed-by: iveresov, kvn
2013-07-29 16:32:38 -07:00 · 2013-07-29 16:32:38 -07:00 · 5555a381fb
commit 5555a381fb
parent 16b4f55129
2 changed files with 72 additions and 1 deletions
--- a/hotspot/src/share/vm/c1/c1_LIRGenerator.cpp
+++ b/hotspot/src/share/vm/c1/c1_LIRGenerator.cpp
@ -2295,7 +2295,7 @@ void LIRGenerator::do_UnsafeGetObject(UnsafeGetObject* x) {
      if (gen_type_check) {
        // We have determined that offset == referent_offset && src != null.
        // if (src->_klass->_reference_type == REF_NONE) -> continue
-        __ move(new LIR_Address(src.result(), oopDesc::klass_offset_in_bytes(), UseCompressedKlassPointers ? T_OBJECT : T_ADDRESS), src_klass);
+        __ move(new LIR_Address(src.result(), oopDesc::klass_offset_in_bytes(), T_ADDRESS), src_klass);
        LIR_Address* reference_type_addr = new LIR_Address(src_klass, in_bytes(InstanceKlass::reference_type_offset()), T_BYTE);
        LIR_Opr reference_type = new_register(T_INT);
        __ move(reference_type_addr, reference_type);
--- a/hotspot/test/compiler/unsafe/GetUnsafeObjectG1PreBarrier.java
+++ b/hotspot/test/compiler/unsafe/GetUnsafeObjectG1PreBarrier.java
@ -0,0 +1,71 @@
+/*
+ * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8016474
+ * @summary The bug only happens with C1 and G1 using a different ObjectAlignmentInBytes than KlassAlignmentInBytes (which is 8)
+ * @run main/othervm -Xbatch -XX:ObjectAlignmentInBytes=32 GetUnsafeObjectG1PreBarrier
+ */
+
+import java.lang.reflect.Field;
+
+import sun.misc.Unsafe;
+
+public class GetUnsafeObjectG1PreBarrier {
+    private static final Unsafe unsafe;
+    private static final int N = 100_000;
+
+    static {
+        try {
+            Field theUnsafe = Unsafe.class.getDeclaredField("theUnsafe");
+            theUnsafe.setAccessible(true);
+            unsafe = (Unsafe) theUnsafe.get(null);
+        } catch (NoSuchFieldException | IllegalAccessException e) {
+            throw new IllegalStateException(e);
+        }
+    }
+
+    public Object a;
+
+    public static void main(String[] args) throws Throwable {
+        new GetUnsafeObjectG1PreBarrier();
+    }
+
+    public GetUnsafeObjectG1PreBarrier() throws Throwable {
+        doit();
+    }
+
+    private void doit() throws Throwable {
+        Field field = GetUnsafeObjectG1PreBarrier.class.getField("a");
+        long fieldOffset = unsafe.objectFieldOffset(field);
+
+        for (int i = 0; i < N; i++) {
+            readField(this, fieldOffset);
+        }
+    }
+
+    private void readField(Object o, long fieldOffset) {
+        unsafe.getObject(o, fieldOffset);
+    }
+}