RFR(s): AARCH64: 8147805: C1 segmentation fault due to inline Unsafe::getAndSetObject

Hui Shi hui.shi at linaro.org
Wed Jan 20 13:30:31 UTC 2016

Hi All,

Could some one help review this AArch64 C1 issue? Issue happens when inline
unsafe.getAndSet(data) in C1 and UseCompressedOops flag is true, register
is compressed for store, but it is not restored into decompressed form.
Later compressed result is used as reference address and goes wrong.

Bug:  https://bugs.openjdk.java.net/browse/JDK-8147805
webrev: http://cr.openjdk.java.net/~hshi/8147805/webrev/
Small test case in http://cr.openjdk.java.net/~hshi/8147805/TestUnsafe.java
Crash can be reproduced by java -XX:TieredStopAtLevel=3
-XX:+TieredCompilation -Xms4G -Xmx4G TestUnsafe

In following method, n is stored two times, first in unsafe.getAndSet,
second when store old.next.
  public Node foo(Node n) {
    Node old;
    old = this.getAndSet(n); // inline sun.misc.Unsafe::getAndSetObject
here, shift first time for store
    old.next = n;                 // n is used again and store into
old.next, shift again for store
    return old;

In generated assemlby,  can see "x2" is shifted but not restored
  0x0000007f943af3dc: lsr       x2, x2, #3    // x2 is shifted but not
  0x0000007f943af3e0: add       x4, x1, #0xc
  0x0000007f943af3e4: ldaxr     w3, [x4]
  0x0000007f943af3e8: stlxr     w9, w2, [x4]
  0x0000007f943af3ec: cbnz      w9, 0x0000007f943af3e4
  0x0000007f943af3f0: lsl       x3, x3, #3
  0x0000007f943af3f4: dmb       ish

  0x0000007f943af504: lsr       x8, x2, #3  // x2 is shifted again and wrong
  0x0000007f943af508: str       w8, [x0,#16]
  0x0000007f943af50c: lsr       x2, x0, #9
  0x0000007f943af510: strb      wzr, [x2,x1,lsl #0]  ;*putfield next
                                                ; - TestUnsafe::foo at 11
(line 25)

Patch is using rscratch1 to hold heap_oop address for store when
UseCompressedOops is true.
So later use still get correct object address.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.openjdk.java.net/pipermail/hotspot-compiler-dev/attachments/20160120/81d0b03d/attachment-0001.html>

More information about the hotspot-compiler-dev mailing list