[8u/9] RFR(S): 8159244: Partially initialized string object created by C2's string concat optimization may escape

Tobias Hartmann tobias.hartmann at oracle.com
Mon Jun 13 09:26:40 UTC 2016


please review the following patch:


C2's String concatenation optimization replaces a series of StringBuilder.append() calls by creating a single char buffer array (or byte array with Compact Strings) and emitting direct loads/stores to/from this array. The final StringBuilder.toString() call is replaced by a new String allocation which is initialized to the buffer array (see [1] -> [2], CallStaticJava is replaced).
Depending on the scheduling of instructions, it may happen that a reference to the newly allocated String object escapes before the String.value field is initialized (see [2], '334 StoreP' stores the String object, '514 StoreP' initializes the String.value field). In a highly concurrent setting, another thread may try to dereference String.value from such a partially initialized String object and crash.

The solution is to add a StoreStore barrier after the String object initialization to prevent subsequent stores to float above (we do the same for the Object.clone intrinsic). I verified correctness of the C2 graph (see [3]) and the generated assembly code (compare baseline [7] and fix [8]).

TestStringObjectInitialization.java reproduces this problem with JDK 7, 8 and 9 (see [4], [5], [6]) in approximately 1 out of 10 runs. I had to disable Indify String Concat, Compressed Oops and G1 to trigger the bug with JDK 9. Tested with JPRT and RBT.


[1] https://bugs.openjdk.java.net/secure/attachment/60305/graph_baseline_before%20SC.png
[2] https://bugs.openjdk.java.net/secure/attachment/60306/graph_baseline_after_sc.png
[3] https://bugs.openjdk.java.net/secure/attachment/60304/graph_fix.png
[4] https://bugs.openjdk.java.net/secure/attachment/60298/JDK7_hs_err_pid17491.log
[5] https://bugs.openjdk.java.net/secure/attachment/60264/JDK8u_hs_err_pid23015.log
[6] https://bugs.openjdk.java.net/secure/attachment/60263/JDK9_hs_err_pid383.log
[7] https://bugs.openjdk.java.net/secure/attachment/60303/baseline.asm
[8] https://bugs.openjdk.java.net/secure/attachment/60302/fix.asm

More information about the hotspot-compiler-dev mailing list