eclipse-openj9 / openj9

Eclipse OpenJ9: A Java Virtual Machine for OpenJDK that's optimized for small footprint, fast start-up, and high throughput. Builds on Eclipse OMR (https://github.com/eclipse/omr) and combines with the Extensions for OpenJDK for OpenJ9 repo.

The array operation caused OpenJ9 to report an incorrect Exception #19124

Open TemporaryRepos opened 8 months ago

TemporaryRepos commented 8 months ago

Affected versions

We found a test case with execution problems. To facilitate analysis, we simplified the test case, and the simplified class file can be found in the attachment.

Linux Ubuntu20.04

Java -version output under Linux

openjdk version "1.8.0_402"
IBM Semeru Runtime Open Edition (build 1.8.0_402-b06)
Eclipse OpenJ9 VM (build openj9-0.43.0, JRE 1.8.0 Linux amd64-64-Bit Compressed References 20240131_861 (JIT enabled, AOT enabled)
OpenJ9   - 2c3d78b48
OMR      - ea8124dbc
JCL      - 0fa9d9c532 based on jdk8u402-b06)
openjdk version "11.0.22" 2024-01-16
IBM Semeru Runtime Open Edition 11.0.22.0 (build 11.0.22+7)
Eclipse OpenJ9 VM 11.0.22.0 (build openj9-0.43.0, JRE 11 Linux amd64-64-Bit Compressed References 20240131_966 (JIT enabled, AOT enabled)
OpenJ9   - 2c3d78b48
OMR      - ea8124dbc
JCL      - 7876cac747 based on jdk-11.0.22+7)
openjdk version "17.0.10" 2024-01-16
IBM Semeru Runtime Open Edition 17.0.10.0 (build 17.0.10+7)
Eclipse OpenJ9 VM 17.0.10.0 (build openj9-0.43.0, JRE 17 Linux amd64-64-Bit Compressed References 20240116_670 (JIT enabled, AOT enabled)
OpenJ9   - 2c3d78b48
OMR      - ea8124dbc
JCL      - 2aad089841f based on jdk-17.0.10+7)

Problem summary

In the test case, the array 'var3' is initialized inside the loop and the function 'norma' is called. When using HotSpot to execute the test case, it reports ArrayIndexOutOfBoundsException, but executing with OpenJ9 reports a NullPointerException. We also executed the test case with -Xint and -Xcomp; in both cases the reported exception is the correct ArrayIndexOutOfBoundsException.

Steps to Reproduce

java/bin/java TestCase7

Expected Result

ArrayIndexOutOfBoundsException

Actual Result

NullPointerException

Attachment

TestCase7.zip

hzongaro commented 8 months ago

@nbhuiyan, may I ask you to take a look at this?

I think a segfault is happening in a call to the out-of-line TestCase7.norma which has been partially inlined into the main method. This is happening under DLT, though I'm not sure whether the DLT is important. The IL looks a little odd to me, but perhaps I'm just missing something.

During inlining, the IL that's generated for the inlined copy of TestCase7.norma looks like this, in part:

n441n     BBStart <block_2>                                                                   [0x7f81eeb2c990] bci=[0,0,-] rc=0 vc=0 vn=- li=- udi=- nc=0
n455n     istore  <temp slot 10>[#457  Auto] [flags 0x3 0x0 ]                                 [0x7f81eeb2cdf0] bci=[0,11,-] rc=0 vc=0 vn=- li=- udi=- nc=1
n454n       iload  <auto slot 0>[#453  Auto] [flags 0x3 0x0 ]                                 [0x7f81eeb2cda0] bci=[0,11,-] rc=1 vc=0 vn=- li=- udi=- nc=0
n445n     istore  <temp slot 9>[#454  Auto] [flags 0x3 0x0 ]                                  [0x7f81eeb2cad0] bci=[0,1,-] rc=0 vc=0 vn=- li=- udi=- nc=1
n444n       iload  <auto slot 0>[#453  Auto] [flags 0x3 0x0 ]                                 [0x7f81eeb2ca80] bci=[0,1,-] rc=1 vc=0 vn=- li=- udi=- nc=0
...
n439n     BBStart <block_3> (freq 1) (cold)                                                   [0x7f81eeb2c8f0] bci=[0,15,-] rc=0 vc=0 vn=- li=- udi=- nc=0
n463n     treetop                                                                             [0x7f81eeb2d070] bci=[0,134,-] rc=0 vc=0 vn=- li=- udi=- nc=1
n464n       dcalli  TestCase7.norma(I[D)D[#438  virtual Method -64] [flags 0x500 0x0 ] ()     [0x7f81eeb2d0c0] bci=[-1,247,-] rc=2 vc=57 vn=- li=- udi=- nc=4 flg=0x20
n466n         aloadi  <vft-symbol>[#346  Shadow] [flags 0x18607 0x0 ]                         [0x7f81eeb2d160] bci=[0,134,-] rc=1 vc=0 vn=- li=- udi=- nc=1
n465n           aload  <temp slot 10>[#457  Auto] [flags 0x3 0x0 ]                            [0x7f81eeb2d110] bci=[0,134,-] rc=1 vc=0 vn=- li=- udi=- nc=0
n467n         aload  <temp slot 10>[#457  Auto] [flags 0x3 0x0 ]                              [0x7f81eeb2d1b0] bci=[0,134,-] rc=1 vc=0 vn=- li=- udi=- nc=0
n468n         iload  <parm 1 I>[#436  Parm] [flags 0x40000103 0x0 ]                           [0x7f81eeb2d200] bci=[0,134,-] rc=1 vc=0 vn=- li=- udi=- nc=0
n469n         aload  <parm 2 [D>[#437  Parm] [flags 0x40000107 0x0 ]                          [0x7f81eeb2d250] bci=[0,134,-] rc=1 vc=0 vn=- li=- udi=- nc=0

Notice in particular that the call to the out-of-line method uses an aload of SymRef #457 for the object pointer, which was initialized with an istore. That persists through to code generation, where the aload is performed using a quad-word load, effectively loading the value of #457 and the adjacent four bytes of #454:

============================================================
; Live regs: GPR=0 FPR=0 VRF=0 {}
------------------------------
 n455n    (  0)  istore  <temp slot 10>[#457  Auto] [flags 0x3 0x0 ]                                  [0x7f81eeb2cdf0] bci=[0,11,-] rc=0 vc=66 vn=- li=37 udi=- nc=1
 n454n    (  1)    iload  <auto slot 0>[#453  Auto] [flags 0x3 0x0 ]                                  [0x7f81eeb2cda0] bci=[0,11,-] rc=1 vc=66 vn=- li=37 udi=- nc=0
------------------------------
------------------------------
 n455n    (  0)  istore  <temp slot 10>[#457  Auto] [flags 0x3 0x0 ]                                  [0x7f81eeb2cdf0] bci=[0,11,-] rc=0 vc=66 vn=- li=37 udi=- nc=1
 n454n    (  0)    iload  <auto slot 0>[#453  Auto] [flags 0x3 0x0 ] (in GPR_0177)                    [0x7f81eeb2cda0] bci=[0,11,-] rc=0 vc=66 vn=- li=37 udi=11552 nc=0
------------------------------

 [0x7f81eec12da0]       mov     GPR_0177, dword ptr [vfp]               # L4RegMem, SymRef  <auto slot 0>[#542  Auto] [flags 0x3 0x0 ]
 [0x7f81eec12ec0]       mov     dword ptr [vfp], GPR_0177               # S4MemReg, SymRef  <temp slot 10>[#543  Auto] [flags 0x3 0x0 ]

============================================================
; Live regs: GPR=0 FPR=0 VRF=0 {}
------------------------------ 
 n445n    (  0)  istore  <temp slot 9>[#454  Auto] [flags 0x3 0x0 ]                                   [0x7f81eeb2cad0] bci=[0,1,-] rc=0 vc=66 vn=- li=37 udi=- nc=1
 n444n    (  1)    iload  <auto slot 0>[#453  Auto] [flags 0x3 0x0 ]                                  [0x7f81eeb2ca80] bci=[0,1,-] rc=1 vc=66 vn=- li=37 udi=- nc=0
------------------------------
------------------------------
 n445n    (  0)  istore  <temp slot 9>[#454  Auto] [flags 0x3 0x0 ]                                   [0x7f81eeb2cad0] bci=[0,1,-] rc=0 vc=66 vn=- li=37 udi=- nc=1
 n444n    (  0)    iload  <auto slot 0>[#453  Auto] [flags 0x3 0x0 ] (in GPR_0178)                    [0x7f81eeb2ca80] bci=[0,1,-] rc=0 vc=66 vn=- li=37 udi=13392 nc=0
------------------------------

 [0x7f81eec134d0]       mov     GPR_0178, dword ptr [vfp]               # L4RegMem, SymRef  <auto slot 0>[#544  Auto] [flags 0x3 0x0 ]
 [0x7f81eec135f0]       mov     dword ptr [vfp], GPR_0178               # S4MemReg, SymRef  <temp slot 9>[#545  Auto] [flags 0x3 0x0 ]
...
============================================================
; Live regs: GPR=0 FPR=0 VRF=0 {}
------------------------------
 n463n    (  0)  treetop                                                                              [0x7f81eeb2d070] bci=[0,134,-] rc=0 vc=66 vn=- li=36 udi=- nc=1
 n464n    (  1)    dcalli  TestCase7.norma(I[D)D[#438  virtual Method -64] [flags 0x500 0x0 ] ()      [0x7f81eeb2d0c0] bci=[-1,247,-] rc=1 vc=66 vn=- li=36 udi=- nc=4 flg=0x20
 n466n    (  1)      aloadi  <vft-symbol>[#346  Shadow] [flags 0x18607 0x0 ]                          [0x7f81eeb2d160] bci=[0,134,-] rc=1 vc=66 vn=- li=36 udi=- nc=1
 n465n    (  1)        aload  <temp slot 10>[#457  Auto] [flags 0x3 0x0 ]                             [0x7f81eeb2d110] bci=[0,134,-] rc=1 vc=66 vn=- li=36 udi=- nc=0
 n467n    (  1)      aload  <temp slot 10>[#457  Auto] [flags 0x3 0x0 ]                               [0x7f81eeb2d1b0] bci=[0,134,-] rc=1 vc=66 vn=- li=36 udi=- nc=0
 n482n    (  1)      iconst 20 (X!=0 X>=0 )                                                           [0x7f81eeb2d660] bci=[-1,244,-] rc=1 vc=66 vn=- li=36 udi=- nc=0 flg=0x104
 n469n    (  1)      aload  <auto slot 3>[#424  Auto] [flags 0x7 0x0 ]                                [0x7f81eeb2d250] bci=[0,134,-] rc=1 vc=66 vn=- li=36 udi=- nc=0
------------------------------
------------------------------
 n463n    (  0)  treetop                                                                              [0x7f81eeb2d070] bci=[0,134,-] rc=0 vc=66 vn=- li=36 udi=- nc=1
 n464n    (  0)    dcalli  TestCase7.norma(I[D)D[#438  virtual Method -64] [flags 0x500 0x0 ] (in FPR_0209) ()  [0x7f81eeb2d0c0] bci=[-1,247,-] rc=0 vc=66 vn=- li=36 udi=30896 nc=4 flg=0x20
 n466n    (  0)      aloadi  <vft-symbol>[#346  Shadow] [flags 0x18607 0x0 ] (in GPR_0196)            [0x7f81eeb2d160] bci=[0,134,-] rc=0 vc=66 vn=- li=36 udi=26512 nc=1
 n465n    (  0)        aload  <temp slot 10>[#457  Auto] [flags 0x3 0x0 ] (in &GPR_0195)              [0x7f81eeb2d110] bci=[0,134,-] rc=0 vc=66 vn=- li=36 udi=26240 nc=0
 n467n    (  0)      aload  <temp slot 10>[#457  Auto] [flags 0x3 0x0 ] (in &GPR_0192)                [0x7f81eeb2d1b0] bci=[0,134,-] rc=0 vc=66 vn=- li=36 udi=24992 nc=0
 n482n    (  0)      iconst 20 (X!=0 X>=0 )                                                           [0x7f81eeb2d660] bci=[-1,244,-] rc=0 vc=66 vn=- li=36 udi=- nc=0 flg=0x104
 n469n    (  0)      aload  <auto slot 3>[#424  Auto] [flags 0x7 0x0 ] (in &GPR_0194)                 [0x7f81eeb2d250] bci=[0,134,-] rc=0 vc=66 vn=- li=36 udi=25680 nc=0
------------------------------

 [0x7f81eec16220]       mov     &GPR_0192, qword ptr [vfp]              # L8RegMem, SymRef  <temp slot 10>[#550  Auto] [flags 0x3 0x0 ]
 [0x7f81eec16330]       mov     GPR_0193, 0x00000014    # MOV4RegImm4
 [0x7f81eec164d0]       mov     &GPR_0194, qword ptr [vfp]              # L8RegMem, SymRef  <auto slot 3>[#551  Auto] [flags 0x7 0x0 ]
 [0x7f81eec16700]       mov     &GPR_0195, qword ptr [vfp]              # L8RegMem, SymRef  <temp slot 10>[#553  Auto] [flags 0x3 0x0 ]
 [0x7f81eec16810]       mov     GPR_0196, dword ptr [&GPR_0195]         # L4RegMem, SymRef  <vft-symbol>[#346  Shadow] [flags 0x18607 0x0 ]
 [0x7f81eec168a0]       and     GPR_0196, 0xffffffffffffff00    # AND8RegImm4
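
As an added illustration (not code from this issue or from OpenJ9), the following C program models the mechanism described in the comment above: a slot written with a 4-byte istore and then read with an 8-byte aload yields the slot's value glued to the 4 bytes next to it, so the call site ends up with a "receiver" that is not an object reference at all. The frame layout (slot 9 placed immediately after slot 10), the sample value for <auto slot 0>, and all function names are assumptions made for the illustration; nothing here is the JIT's actual frame layout.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of the store/load width mismatch seen in the IL dump:
 * <temp slot 10> (#457) is written with a 4-byte istore but later read with
 * an aload that the code generator emits as an 8-byte (qword) load, so the
 * "object pointer" is really slot 10 plus the 4 bytes that follow it.
 * ASSUMPTION: slot 9 sits right after slot 10; the real layout is not shown.
 */
typedef struct {
    uint32_t slot10;   /* <temp slot 10>, written by istore */
    uint32_t slot9;    /* <temp slot 9>, also written by istore */
} frame_t;

/* 4-byte stores, matching the two istore trees in the dump. */
void istore_slot10(frame_t *f, int32_t v) { memcpy(&f->slot10, &v, sizeof v); }
void istore_slot9(frame_t *f, int32_t v)  { memcpy(&f->slot9,  &v, sizeof v); }

/* The width-matched read: what an iload of slot 10 returns. */
uint32_t iload_slot10(const frame_t *f) {
    uint32_t v;
    memcpy(&v, &f->slot10, sizeof v);
    return v;
}

/* The mismatched read: an 8-byte load at the address of slot 10, as in
 * "mov &GPR_0192, qword ptr [vfp]  # L8RegMem, SymRef <temp slot 10>". */
uint64_t aload_slot10_qword(const frame_t *f) {
    uint64_t v;
    memcpy(&v, &f->slot10, sizeof v);   /* covers slot10 and slot9 together */
    return v;
}

int is_little_endian(void) {
    uint16_t probe = 1;
    uint8_t first;
    memcpy(&first, &probe, 1);
    return first == 1;
}

/* The value the mismatched load must yield for a given pair of slot values. */
uint64_t expected_qword(uint32_t slot10, uint32_t slot9) {
    return is_little_endian() ? ((uint64_t)slot9 << 32) | slot10
                              : ((uint64_t)slot10 << 32) | slot9;
}

/* Reproduce the dump's sequence: both slots receive the same int from
 * <auto slot 0>, then the call site loads slot 10 as a qword. Returns the
 * value the call site would go on to dereference as an object pointer. */
uint64_t mismatched_receiver(int32_t auto_slot0) {
    frame_t f;
    memset(&f, 0, sizeof f);
    istore_slot10(&f, auto_slot0);
    istore_slot9(&f, auto_slot0);
    return aload_slot10_qword(&f);
}

int main(void) {
    int32_t sample = 7;   /* constructed sample value for <auto slot 0> */
    frame_t f;
    memset(&f, 0, sizeof f);
    istore_slot10(&f, sample);
    istore_slot9(&f, sample);

    printf("iload  <temp slot 10> -> 0x%08x\n", iload_slot10(&f));
    printf("aload  <temp slot 10> -> 0x%016llx (qword read)\n",
           (unsigned long long)aload_slot10_qword(&f));
    /* The qword is not an object reference; the vft load
     * "mov GPR_0196, dword ptr [&GPR_0195]" would dereference it anyway. */
    return 0;
}
```

In this model, on a little-endian target with both slots holding 7 the qword read yields 0x0000000700000007, an address no object lives at, so the following vft load faults; when the int in the slots happens to be 0 the glued value is a genuine null instead. Which of the two symptoms appears therefore depends only on what the int slots hold at the time of the call, which is the kind of data-dependent behaviour that makes a width mismatch like this easy to mistake for a plain null receiver.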

nbhuiyan commented 2 months ago

This failure is reproducible with optLevel=noOpt and limiting compilation to just main. With that, I observe the following regarding the observation from the last comment where an iload-initialized slot was being loaded using aload:

initialization:

n59n      astore  <parm 0 [Ljava/lang/String;>[#422  Parm] [flags 0x40000107 0x0 ]            [0x7fae0f070230] bci=[-1,32,-] rc=0 vc=0 vn=- li=- udi=- nc=1
n55n        ==>new

use as an arg of norma:

n176n     BBStart <block_26>                                                                  [0x7fae0f0726c0] bci=[-1,243,-] rc=0 vc=0 vn=- li=- udi=- nc=0
n184n     NULLCHK on n179n [#32]                                                              [0x7fae0f072940] bci=[-1,247,-] rc=0 vc=0 vn=- li=- udi=- nc=1
n183n       dcalli  TestCase7.norma(I[D)D[#438  virtual Method -64] [flags 0x500 0x0 ] ()     [0x7fae0f0728f0] bci=[-1,247,-] rc=1 vc=0 vn=- li=- udi=- nc=4 flg=0x20
n182n         aloadi  <vft-symbol>[#346  Shadow] [flags 0x18607 0x0 ]                         [0x7fae0f0728a0] bci=[-1,247,-] rc=1 vc=0 vn=- li=- udi=- nc=1
n179n           aload  <parm 0 [Ljava/lang/String;>[#422  Parm] [flags 0x40000107 0x0 ]       [0x7fae0f0727b0] bci=[-1,243,-] rc=2 vc=0 vn=- li=- udi=- nc=0
n179n         ==>aload
n180n         iconst 20 (X!=0 X>=0 )                                                          [0x7fae0f072800] bci=[-1,244,-] rc=1 vc=0 vn=- li=- udi=- nc=0 flg=0x104
n181n         aload  <auto slot 3>[#424  Auto] [flags 0x7 0x0 ]                               [0x7fae0f072850] bci=[-1,246,-] rc=1 vc=0 vn=- li=- udi=- nc=0
n185n     return                                                                              [0x7fae0f072990] bci=[-1,251,-] rc=0 vc=0 vn=- li=- udi=- nc=0
n177n     BBEnd </block_26>                                                                   [0x7fae0f072710] bci=[-1,251,-] rc=0 vc=0 vn=- li=- udi=- nc=0

Even with this, the failure is still reproducible, so perhaps the issue lies elsewhere.