stan/jdk-24
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

8259227: C2 crashes with SIGFPE due to a division that floats above its zero check

Browse Source 
Reviewed-by: kvn, thartmann
This commit is contained in:
Christian Hagedorn 2021-01-07 15:02:45 +00:00
parent 484e23b92a
commit c1fb521694
7 changed files with 109 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
src/hotspot/share/opto/ifnode.cpp
View File

@ -1477,14 +1477,16 @@ Node* IfNode::dominated_by(Node* prev_dom, PhaseIterGVN *igvn) {
// Loop ends when projection has no more uses.
for (DUIterator_Last jmin, j = ifp->last_outs(jmin); j >= jmin; --j) {
Node* s = ifp->last_out(j); // Get child of IfTrue/IfFalse
if( !s->depends_only_on_test() ) {
if (s->depends_only_on_test() && igvn->no_dependent_zero_check(s)) {
// For control producers.
// Do not rewire Div and Mod nodes which could have a zero divisor to avoid skipping their zero check.
igvn->replace_input_of(s, 0, data_target); // Move child to data-target
} else {
// Find the control input matching this def-use edge.
// For Regions it may not be in slot 0.
uint l;
for( l = 0; s->in(l) != ifp; l++ ) { }
for (l = 0; s->in(l) != ifp; l++) { }
igvn->replace_input_of(s, l, ctrl_target);
} else { // Else, for control producers,
igvn->replace_input_of(s, 0, data_target); // Move child to data-target
}
} // End for each child of a projection

1
src/hotspot/share/opto/loopnode.hpp
View File

@ -1451,7 +1451,6 @@ public:
// Mark an IfNode as being dominated by a prior test,
// without actually altering the CFG (and hence IDOM info).
void dominated_by( Node *prevdom, Node *iff, bool flip = false, bool exclude_loop_predicate = false );
bool no_dependent_zero_check(Node* n) const;
// Split Node 'n' through merge point
Node *split_thru_region( Node *n, Node *region );

21
src/hotspot/share/opto/loopopts.cpp
View File

@ -283,7 +283,7 @@ void PhaseIdealLoop::dominated_by( Node *prevdom, Node *iff, bool flip, bool exc
for (DUIterator_Fast imax, i = dp->fast_outs(imax); i < imax; i++) {
Node* cd = dp->fast_out(i); // Control-dependent node
// Do not rewire Div and Mod nodes which could have a zero divisor to avoid skipping their zero check.
if (cd->depends_only_on_test() && no_dependent_zero_check(cd)) {
if (cd->depends_only_on_test() && _igvn.no_dependent_zero_check(cd)) {
assert(cd->in(0) == dp, "");
_igvn.replace_input_of(cd, 0, prevdom);
set_early_ctrl(cd, false);
@ -302,25 +302,6 @@ void PhaseIdealLoop::dominated_by( Node *prevdom, Node *iff, bool flip, bool exc
}
}
// Check if the type of a divisor of a Div or Mod node includes zero.
bool PhaseIdealLoop::no_dependent_zero_check(Node* n) const {
switch (n->Opcode()) {
case Op_DivI:
case Op_ModI: {
// Type of divisor includes 0?
const TypeInt* type_divisor = _igvn.type(n->in(2))->is_int();
return (type_divisor->_hi < 0 || type_divisor->_lo > 0);
}
case Op_DivL:
case Op_ModL: {
// Type of divisor includes 0?
const TypeLong* type_divisor = _igvn.type(n->in(2))->is_long();
return (type_divisor->_hi < 0 || type_divisor->_lo > 0);
}
}
return true;
}
//------------------------------has_local_phi_input----------------------------
// Return TRUE if 'n' has Phi inputs from its local block and no other
// block-local inputs (all non-local-phi inputs come from earlier blocks)

19
src/hotspot/share/opto/phaseX.cpp
View File

@ -1659,6 +1659,25 @@ void PhaseIterGVN::remove_speculative_types() {
_table.check_no_speculative_types();
}
// Check if the type of a divisor of a Div or Mod node includes zero.
bool PhaseIterGVN::no_dependent_zero_check(Node* n) const {
switch (n->Opcode()) {
case Op_DivI:
case Op_ModI: {
// Type of divisor includes 0?
const TypeInt* type_divisor = type(n->in(2))->is_int();
return (type_divisor->_hi < 0 || type_divisor->_lo > 0);
}
case Op_DivL:
case Op_ModL: {
// Type of divisor includes 0?
const TypeLong* type_divisor = type(n->in(2))->is_long();
return (type_divisor->_hi < 0 || type_divisor->_lo > 0);
}
}
return true;
}
//=============================================================================
#ifndef PRODUCT
uint PhaseCCP::_total_invokes = 0;

1
src/hotspot/share/opto/phaseX.hpp
View File

@ -546,6 +546,7 @@ public:
}
bool is_dominator(Node *d, Node *n) { return is_dominator_helper(d, n, false); }
bool no_dependent_zero_check(Node* n) const;
#ifndef PRODUCT
protected:

78
test/hotspot/jtreg/compiler/loopopts/TestDivZeroDominatedBy.java Normal file
View File

@ -0,0 +1,78 @@
/*
* Copyright (c) 2021, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*
*/
/*
* @test
* @key stress randomness
* @bug 8259227
* @summary Verify that zero check is executed before division/modulo operation.
* @requires vm.compiler2.enabled
* @run main/othervm -Xcomp -XX:-TieredCompilation -XX:CompileOnly=compiler/loopopts/TestDivZeroDominatedBy::test
* -XX:+UnlockDiagnosticVMOptions -XX:+StressGCM -XX:StressSeed=917280111 compiler.loopopts.TestDivZeroDominatedBy
* @run main/othervm -Xcomp -XX:-TieredCompilation -XX:CompileOnly=compiler/loopopts/TestDivZeroDominatedBy::test
* -XX:+UnlockDiagnosticVMOptions -XX:+StressGCM compiler.loopopts.TestDivZeroDominatedBy
*/
package compiler.loopopts;
public class TestDivZeroDominatedBy {
public static int iFld = 1;
public static int iFld1 = 2;
public static int iFld2 = 3;
public static int iArrFld[] = new int[10];
public static double dFld = 1.0;
public static void test() {
int x = 1;
int y = 2;
int z = 3;
iFld = y;
iArrFld[5] += iFld1;
int i = 1;
do {
for (int j = 0; j < 10; j++) {
iFld2 += iFld2;
iFld1 = iFld2;
int k = 1;
do {
iArrFld[k] = y;
z = iFld2;
dFld = x;
try {
y = iArrFld[k];
iArrFld[8] = 5;
iFld = (100 / z);
} catch (ArithmeticException a_e) {}
} while (++k < 2);
}
} while (++i < 10);
}
public static void main(String[] strArr) {
test();
}
}

5
test/hotspot/jtreg/compiler/loopopts/TestDivZeroWithSplitIf.java
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2021, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -24,11 +24,14 @@
/*
* @test
* @key stress randomness
* @bug 8257822
* @summary Verify that zero check is executed before division/modulo operation.
* @requires vm.compiler2.enabled
* @run main/othervm -Xcomp -XX:-TieredCompilation -XX:CompileOnly=compiler/loopopts/TestDivZeroWithSplitIf::test
* -XX:+UnlockDiagnosticVMOptions -XX:+StressGCM -XX:StressSeed=873732072 compiler.loopopts.TestDivZeroWithSplitIf
* @run main/othervm -Xcomp -XX:-TieredCompilation -XX:CompileOnly=compiler/loopopts/TestDivZeroWithSplitIf::test
* -XX:+UnlockDiagnosticVMOptions -XX:+StressGCM compiler.loopopts.TestDivZeroWithSplitIf
*/
package compiler.loopopts;