hzongaro
commented
5 months ago @nbhuiyan, may I ask you to take a look at this?
I think a segfault is happening in a call to the out-of-line TestCase7.norma which has been partially inlined into the main method. This is happening under DLT, though I'm not sure whether the DLT is important. The IL looks a little odd to me, but perhaps I'm just missing something.
During inlining, the IL that's generated for the inlined copy of TestCase7.norma looks like this, in part:
n441n BBStart <block_2> [0x7f81eeb2c990] bci=[0,0,-] rc=0 vc=0 vn=- li=- udi=- nc=0
n455n istore <temp slot 10>[#457 Auto] [flags 0x3 0x0 ] [0x7f81eeb2cdf0] bci=[0,11,-] rc=0 vc=0 vn=- li=- udi=- nc=1
n454n iload <auto slot 0>[#453 Auto] [flags 0x3 0x0 ] [0x7f81eeb2cda0] bci=[0,11,-] rc=1 vc=0 vn=- li=- udi=- nc=0
n445n istore <temp slot 9>[#454 Auto] [flags 0x3 0x0 ] [0x7f81eeb2cad0] bci=[0,1,-] rc=0 vc=0 vn=- li=- udi=- nc=1
n444n iload <auto slot 0>[#453 Auto] [flags 0x3 0x0 ] [0x7f81eeb2ca80] bci=[0,1,-] rc=1 vc=0 vn=- li=- udi=- nc=0
...
n439n BBStart <block_3> (freq 1) (cold) [0x7f81eeb2c8f0] bci=[0,15,-] rc=0 vc=0 vn=- li=- udi=- nc=0
n463n treetop [0x7f81eeb2d070] bci=[0,134,-] rc=0 vc=0 vn=- li=- udi=- nc=1
n464n dcalli TestCase7.norma(I[D)D[#438 virtual Method -64] [flags 0x500 0x0 ] () [0x7f81eeb2d0c0] bci=[-1,247,-] rc=2 vc=57 vn=- li=- udi=- nc=4 flg=0x20
n466n aloadi <vft-symbol>[#346 Shadow] [flags 0x18607 0x0 ] [0x7f81eeb2d160] bci=[0,134,-] rc=1 vc=0 vn=- li=- udi=- nc=1
n465n aload <temp slot 10>[#457 Auto] [flags 0x3 0x0 ] [0x7f81eeb2d110] bci=[0,134,-] rc=1 vc=0 vn=- li=- udi=- nc=0
n467n aload <temp slot 10>[#457 Auto] [flags 0x3 0x0 ] [0x7f81eeb2d1b0] bci=[0,134,-] rc=1 vc=0 vn=- li=- udi=- nc=0
n468n iload <parm 1 I>[#436 Parm] [flags 0x40000103 0x0 ] [0x7f81eeb2d200] bci=[0,134,-] rc=1 vc=0 vn=- li=- udi=- nc=0
n469n aload <parm 2 [D>[#437 Parm] [flags 0x40000107 0x0 ] [0x7f81eeb2d250] bci=[0,134,-] rc=1 vc=0 vn=- li=- udi=- nc=0Notice in particular that the call to the out-of-line method uses an aload of SymRef #457 for the object pointer, which was initialized with an istore. That persists through to code generation, where the aload is performed using a quad-word load, effectively loading the value of #457 and the adjacent four bytes of #454:
============================================================
; Live regs: GPR=0 FPR=0 VRF=0 {}
------------------------------
n455n ( 0) istore <temp slot 10>[#457 Auto] [flags 0x3 0x0 ] [0x7f81eeb2cdf0] bci=[0,11,-] rc=0 vc=66 vn=- li=37 udi=- nc=1
n454n ( 1) iload <auto slot 0>[#453 Auto] [flags 0x3 0x0 ] [0x7f81eeb2cda0] bci=[0,11,-] rc=1 vc=66 vn=- li=37 udi=- nc=0
------------------------------
------------------------------
n455n ( 0) istore <temp slot 10>[#457 Auto] [flags 0x3 0x0 ] [0x7f81eeb2cdf0] bci=[0,11,-] rc=0 vc=66 vn=- li=37 udi=- nc=1
n454n ( 0) iload <auto slot 0>[#453 Auto] [flags 0x3 0x0 ] (in GPR_0177) [0x7f81eeb2cda0] bci=[0,11,-] rc=0 vc=66 vn=- li=37 udi=11552 nc=0
------------------------------
[0x7f81eec12da0] mov GPR_0177, dword ptr [vfp] # L4RegMem, SymRef <auto slot 0>[#542 Auto] [flags 0x3 0x0 ]
[0x7f81eec12ec0] mov dword ptr [vfp], GPR_0177 # S4MemReg, SymRef <temp slot 10>[#543 Auto] [flags 0x3 0x0 ]
============================================================
; Live regs: GPR=0 FPR=0 VRF=0 {}
------------------------------
n445n ( 0) istore <temp slot 9>[#454 Auto] [flags 0x3 0x0 ] [0x7f81eeb2cad0] bci=[0,1,-] rc=0 vc=66 vn=- li=37 udi=- nc=1
n444n ( 1) iload <auto slot 0>[#453 Auto] [flags 0x3 0x0 ] [0x7f81eeb2ca80] bci=[0,1,-] rc=1 vc=66 vn=- li=37 udi=- nc=0
------------------------------
------------------------------
n445n ( 0) istore <temp slot 9>[#454 Auto] [flags 0x3 0x0 ] [0x7f81eeb2cad0] bci=[0,1,-] rc=0 vc=66 vn=- li=37 udi=- nc=1
n444n ( 0) iload <auto slot 0>[#453 Auto] [flags 0x3 0x0 ] (in GPR_0178) [0x7f81eeb2ca80] bci=[0,1,-] rc=0 vc=66 vn=- li=37 udi=13392 nc=0
------------------------------
[0x7f81eec134d0] mov GPR_0178, dword ptr [vfp] # L4RegMem, SymRef <auto slot 0>[#544 Auto] [flags 0x3 0x0 ]
[0x7f81eec135f0] mov dword ptr [vfp], GPR_0178 # S4MemReg, SymRef <temp slot 9>[#545 Auto] [flags 0x3 0x0 ]
...
============================================================
; Live regs: GPR=0 FPR=0 VRF=0 {}
------------------------------
n463n ( 0) treetop [0x7f81eeb2d070] bci=[0,134,-] rc=0 vc=66 vn=- li=36 udi=- nc=1
n464n ( 1) dcalli TestCase7.norma(I[D)D[#438 virtual Method -64] [flags 0x500 0x0 ] () [0x7f81eeb2d0c0] bci=[-1,247,-] rc=1 vc=66 vn=- li=36 udi=- nc=4 flg=0x20
n466n ( 1) aloadi <vft-symbol>[#346 Shadow] [flags 0x18607 0x0 ] [0x7f81eeb2d160] bci=[0,134,-] rc=1 vc=66 vn=- li=36 udi=- nc=1
n465n ( 1) aload <temp slot 10>[#457 Auto] [flags 0x3 0x0 ] [0x7f81eeb2d110] bci=[0,134,-] rc=1 vc=66 vn=- li=36 udi=- nc=0
n467n ( 1) aload <temp slot 10>[#457 Auto] [flags 0x3 0x0 ] [0x7f81eeb2d1b0] bci=[0,134,-] rc=1 vc=66 vn=- li=36 udi=- nc=0
n482n ( 1) iconst 20 (X!=0 X>=0 ) [0x7f81eeb2d660] bci=[-1,244,-] rc=1 vc=66 vn=- li=36 udi=- nc=0 flg=0x104
n469n ( 1) aload <auto slot 3>[#424 Auto] [flags 0x7 0x0 ] [0x7f81eeb2d250] bci=[0,134,-] rc=1 vc=66 vn=- li=36 udi=- nc=0
------------------------------
------------------------------
n463n ( 0) treetop [0x7f81eeb2d070] bci=[0,134,-] rc=0 vc=66 vn=- li=36 udi=- nc=1
n464n ( 0) dcalli TestCase7.norma(I[D)D[#438 virtual Method -64] [flags 0x500 0x0 ] (in FPR_0209) () [0x7f81eeb2d0c0] bci=[-1,247,-] rc=0 vc=66 vn=- li=36 udi=30896 nc=4 flg=0x20
n466n ( 0) aloadi <vft-symbol>[#346 Shadow] [flags 0x18607 0x0 ] (in GPR_0196) [0x7f81eeb2d160] bci=[0,134,-] rc=0 vc=66 vn=- li=36 udi=26512 nc=1
n465n ( 0) aload <temp slot 10>[#457 Auto] [flags 0x3 0x0 ] (in &GPR_0195) [0x7f81eeb2d110] bci=[0,134,-] rc=0 vc=66 vn=- li=36 udi=26240 nc=0
n467n ( 0) aload <temp slot 10>[#457 Auto] [flags 0x3 0x0 ] (in &GPR_0192) [0x7f81eeb2d1b0] bci=[0,134,-] rc=0 vc=66 vn=- li=36 udi=24992 nc=0
n482n ( 0) iconst 20 (X!=0 X>=0 ) [0x7f81eeb2d660] bci=[-1,244,-] rc=0 vc=66 vn=- li=36 udi=- nc=0 flg=0x104
n469n ( 0) aload <auto slot 3>[#424 Auto] [flags 0x7 0x0 ] (in &GPR_0194) [0x7f81eeb2d250] bci=[0,134,-] rc=0 vc=66 vn=- li=36 udi=25680 nc=0
------------------------------
[0x7f81eec16220] mov &GPR_0192, qword ptr [vfp] # L8RegMem, SymRef <temp slot 10>[#550 Auto] [flags 0x3 0x0 ]
[0x7f81eec16330] mov GPR_0193, 0x00000014 # MOV4RegImm4
[0x7f81eec164d0] mov &GPR_0194, qword ptr [vfp] # L8RegMem, SymRef <auto slot 3>[#551 Auto] [flags 0x7 0x0 ]
[0x7f81eec16700] mov &GPR_0195, qword ptr [vfp] # L8RegMem, SymRef <temp slot 10>[#553 Auto] [flags 0x3 0x0 ]
[0x7f81eec16810] mov GPR_0196, dword ptr [&GPR_0195] # L4RegMem, SymRef <vft-symbol>[#346 Shadow] [flags 0x18607 0x0 ]
[0x7f81eec168a0] and GPR_0196, 0xffffffffffffff00 # AND8RegImm4
Affected versions
We found a test case with execution problems. To facilitate analysis, we simplified the test case and the simplified class file can ben found at attachment.
Linux Ubuntu20.04
Java -version output under Linux
Problem summary
In the test case, the array 'var3' is initialized inside the loop and the function 'norma' is called. But when using the Hotspot to execute the test case report ArrayIndexOutOfBoundsException, but using OpenJ9 execution will report a NullPointerException. We also set up - Xint and - Xcomp executes the test cases, the content of the report is correct ArrayIndexOutOfBoundsException.
Steps to Reproduce
Expected Result
Actual Result
Attachment
TestCase7.zip