196 lines
6.2 KiB
Java
196 lines
6.2 KiB
Java
/*
|
|
* Copyright (c) 2023, Red Hat, Inc. All rights reserved.
|
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
*
|
|
* This code is free software; you can redistribute it and/or modify it
|
|
* under the terms of the GNU General Public License version 2 only, as
|
|
* published by the Free Software Foundation.
|
|
*
|
|
* This code is distributed in the hope that it will be useful, but WITHOUT
|
|
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
|
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
|
* version 2 for more details (a copy is included in the LICENSE file that
|
|
* accompanied this code).
|
|
*
|
|
* You should have received a copy of the GNU General Public License version
|
|
* 2 along with this work; if not, write to the Free Software Foundation,
|
|
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
*
|
|
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
|
|
* or visit www.oracle.com if you need additional information or have any
|
|
* questions.
|
|
*/
|
|
/*
|
|
* @test
|
|
* @bug 8303737
|
|
* @summary C2: Load can bypass subtype check that enforces it's from the right object type
|
|
* @requires vm.gc.Parallel
|
|
* @requires vm.compiler2.enabled
|
|
* @run main/othervm -XX:-TieredCompilation -XX:-BackgroundCompilation -XX:-UseOnStackReplacement -XX:CompileOnly=TestLoadBypassesClassCast::test
|
|
* -XX:CompileThreshold=20000 -XX:LoopMaxUnroll=1 -XX:-LoopUnswitching -XX:+UseParallelGC TestLoadBypassesClassCast
|
|
*
|
|
*/
|
|
|
|
public class TestLoadBypassesClassCast {
|
|
private static Object saved_o;
|
|
private static Object field_o = new A();
|
|
private static Object saved_casted_o;
|
|
private static float barrier;
|
|
private static Object[] memory = new Object[100];
|
|
|
|
public static void main(String[] args) {
|
|
float[] array = new float[100];
|
|
A a = new A();
|
|
B b = new B();
|
|
C c = new C();
|
|
D d = new D();
|
|
|
|
// create garbage so GC runs
|
|
Thread thread = new Thread() {
|
|
public void run() {
|
|
while (true) {
|
|
int[] array = new int[1000];
|
|
}
|
|
}
|
|
};
|
|
|
|
thread.setDaemon(true);
|
|
thread.start();
|
|
|
|
for (int i = 0; i < 20_000; i++) {
|
|
test(true, a, array, true, false);
|
|
test(false, b, array, true, false);
|
|
test(false, d, array, true, true);
|
|
test(true, a, array, false, false);
|
|
test(false, b, array, false, false);
|
|
testHelper2(42);
|
|
testHelper3(true, 42);
|
|
}
|
|
for (int j = 0; j < 1000; j++) {
|
|
for (int i = 0; i < 1_000_000; i++) {
|
|
test(false, d, array, true, true);
|
|
}
|
|
}
|
|
}
|
|
|
|
private static int test(boolean flag, Object o, float[] array, boolean flag2, boolean flag3) {
|
|
int ret = (int)array[2];
|
|
if (o == null) {
|
|
}
|
|
saved_o = o; // (CastPP o): cast to not null
|
|
|
|
// A.objectField load from o hosted here even though o was not checked to be of type A
|
|
// result of the load doesn't hold an oop if o is not an A
|
|
if (flag2) {
|
|
for (int i = 1; i < 100; i *= 2) {
|
|
// safepoint here with result of load above live and expected to be an oop. Not the case
|
|
// if o is of type D: crash in gc code
|
|
}
|
|
|
|
if (flag3) {
|
|
} else {
|
|
saved_casted_o = (A) o; // (CheckCastPP (CastPP o)): cast to not null A
|
|
|
|
int j;
|
|
for (j = 1; j < 2; j *= 2) {
|
|
|
|
}
|
|
|
|
testHelper3(flag, j); // goes away after CCP
|
|
|
|
int i;
|
|
for (i = 0; i < 2; i++) {
|
|
}
|
|
// array[2] after one round of loop opts, control
|
|
// dependent on range check, range check replaced by
|
|
// array[2] range check above, control dependent
|
|
// nodes become control dependent on that range check
|
|
ret += array[i];
|
|
|
|
Object o2;
|
|
if (flag) {
|
|
o2 = saved_casted_o; // (CheckCastPP (CastPP o)): cast to to not null A
|
|
} else {
|
|
o2 = testHelper2(i); // (CastPP o) after 1 round of loop opts: cast to not null
|
|
}
|
|
// subtype check split thru Phi. CheckCastPP becomes control dependent on merge point
|
|
// phi becomes (CastPP o) after 1 round of loop opts: cast to not null
|
|
// subtype check from split thru phi in one branch of the if replaced by dominating one
|
|
// empty if blocks, if goes away. CheckCastPP becomes control dependent on range check above
|
|
// CastPP replaced by dominating CastPP for null check
|
|
A a = (A) o2;
|
|
ret += a.objectField.intField;
|
|
}
|
|
} else {
|
|
// same logic as above so if this a.objectField load and
|
|
// the one above lose their dependency on the type check
|
|
// they common above all ifs
|
|
saved_casted_o = (A) o;
|
|
|
|
int j;
|
|
for (j = 1; j < 2; j *= 2) {
|
|
|
|
}
|
|
|
|
testHelper3(flag, j);
|
|
|
|
int i;
|
|
for (i = 0; i < 2; i++) {
|
|
}
|
|
ret += array[i];
|
|
|
|
Object o2;
|
|
if (flag) {
|
|
o2 = saved_casted_o;
|
|
} else {
|
|
o2 = testHelper2(i);
|
|
}
|
|
A a = (A) o2;
|
|
ret += a.objectField.intField;
|
|
ret += barrier;
|
|
}
|
|
|
|
return ret;
|
|
}
|
|
|
|
private static void testHelper3(boolean flag, int j) {
|
|
if (j == 2) {
|
|
if (flag) {
|
|
barrier = 42;
|
|
}
|
|
}
|
|
}
|
|
|
|
private static Object testHelper2(int i) {
|
|
Object o2;
|
|
if (i == 2) {
|
|
o2 = saved_o;
|
|
} else {
|
|
o2 = field_o;
|
|
if (o2 == null) {
|
|
}
|
|
}
|
|
return o2;
|
|
}
|
|
|
|
private static class C {
|
|
}
|
|
|
|
private static class A extends C {
|
|
public E objectField = new E();
|
|
}
|
|
|
|
private static class B extends A {
|
|
}
|
|
|
|
private static class D extends C {
|
|
public int neverAccessedField = 0x12345678;
|
|
|
|
}
|
|
|
|
private static class E {
|
|
public int intField;
|
|
}
|
|
|
|
}
|