Mercurial > hg > graal-compiler
comparison src/share/vm/opto/loopTransform.cpp @ 20680:5b8e0f84f00f
8054478: C2: Incorrectly compiled char[] array access crashes JVM
Summary: dead backbranch in main loop results in erroneous array access
Reviewed-by: kvn, iveresov
| author | roland |
|---|---|
| date | Mon, 01 Dec 2014 22:27:00 +0100 |
| parents | 9e69e8d1c900 |
| children | 7848fc12602b |
comparison
equal
deleted
inserted
replaced
| 20678:97f4214e9a70 | 20680:5b8e0f84f00f |
|---|---|
| 879 set_ctrl( n, find_non_split_ctrl(back_ctrl->in(0)) ); | 879 set_ctrl( n, find_non_split_ctrl(back_ctrl->in(0)) ); |
| 880 } | 880 } |
| 881 return n; | 881 return n; |
| 882 } | 882 } |
| 883 | 883 |
| 884 bool PhaseIdealLoop::cast_incr_before_loop(Node* incr, Node* ctrl, Node* loop) { | |
| 885 Node* castii = new (C) CastIINode(incr, TypeInt::INT, true); | |
| 886 castii->set_req(0, ctrl); | |
| 887 register_new_node(castii, ctrl); | |
| 888 for (DUIterator_Fast imax, i = incr->fast_outs(imax); i < imax; i++) { | |
| 889 Node* n = incr->fast_out(i); | |
| 890 if (n->is_Phi() && n->in(0) == loop) { | |
| 891 int nrep = n->replace_edge(incr, castii); | |
| 892 return true; | |
| 893 } | |
| 894 } | |
| 895 return false; | |
| 896 } | |
| 897 | |
| 884 //------------------------------insert_pre_post_loops-------------------------- | 898 //------------------------------insert_pre_post_loops-------------------------- |
| 885 // Insert pre and post loops. If peel_only is set, the pre-loop can not have | 899 // Insert pre and post loops. If peel_only is set, the pre-loop can not have |
| 886 // more iterations added. It acts as a 'peel' only, no lower-bound RCE, no | 900 // more iterations added. It acts as a 'peel' only, no lower-bound RCE, no |
| 887 // alignment. Useful to unroll loops that do no array accesses. | 901 // alignment. Useful to unroll loops that do no array accesses. |
| 888 void PhaseIdealLoop::insert_pre_post_loops( IdealLoopTree *loop, Node_List &old_new, bool peel_only ) { | 902 void PhaseIdealLoop::insert_pre_post_loops( IdealLoopTree *loop, Node_List &old_new, bool peel_only ) { |
| 1076 visited, clones); | 1090 visited, clones); |
| 1077 _igvn.hash_delete(main_phi); | 1091 _igvn.hash_delete(main_phi); |
| 1078 main_phi->set_req( LoopNode::EntryControl, fallpre ); | 1092 main_phi->set_req( LoopNode::EntryControl, fallpre ); |
| 1079 } | 1093 } |
| 1080 } | 1094 } |
| 1095 | |
| 1096 // Nodes inside the loop may be control dependent on a predicate | |
| 1097 // that was moved before the preloop. If the back branch of the main | |
| 1098 // or post loops becomes dead, those nodes won't be dependent on the | |
| 1099 // test that guards that loop nest anymore which could lead to an | |
| 1100 // incorrect array access because it executes independently of the | |
| 1101 // test that was guarding the loop nest. We add a special CastII on | |
| 1102 // the if branch that enters the loop, between the input induction | |
| 1103 // variable value and the induction variable Phi to preserve correct | |
| 1104 // dependencies. | |
| 1105 | |
| 1106 // CastII for the post loop: | |
| 1107 bool inserted = cast_incr_before_loop(zer_opaq->in(1), zer_taken, post_head); | |
| 1108 assert(inserted, "no castII inserted"); | |
| 1109 | |
| 1110 // CastII for the main loop: | |
| 1111 inserted = cast_incr_before_loop(pre_incr, min_taken, main_head); | |
| 1112 assert(inserted, "no castII inserted"); | |
| 1081 | 1113 |
| 1082 // Step B4: Shorten the pre-loop to run only 1 iteration (for now). | 1114 // Step B4: Shorten the pre-loop to run only 1 iteration (for now). |
| 1083 // RCE and alignment may change this later. | 1115 // RCE and alignment may change this later. |
| 1084 Node *cmp_end = pre_end->cmp_node(); | 1116 Node *cmp_end = pre_end->cmp_node(); |
| 1085 assert( cmp_end->in(2) == limit, "" ); | 1117 assert( cmp_end->in(2) == limit, "" ); |