Bug ID: 4933131 C2 crash in adjust

4933131 : C2 crash in adjust_check

Details

Type:	Bug	Submit Date:	2003-10-06
Status:	Resolved	Updated Date:	2009-06-25
Project Name:	JDK	Resolved Date:	2003-10-22
Component:	hotspot	OS:	solaris_8
Sub-Component:	compiler	CPU:	sparc
Priority:	P2
Resolution:	Fixed
Affected Versions:	1.4.1_05
Fixed Versions:	1.3.1_11

Related Reports

Backport:	JDK-2075530 - C2 crash in adjust_check
Backport:	JDK-2075532 - C2 crash in adjust_check
Backport:	JDK-2075531 - C2 crash in adjust_check

Sub Tasks

Description

Customer is seeing VM crashes with the following stack trace during their application stress testing. The crash is seen with both 1.4.1_02 and
1.4.1_05.

=>[1] _lwp_kill(0x0, 0xa, 0x0, 0xff33c004, 0xff386000, 0xff340428), at 0xff31ef30
  [2] raise(0x6, 0x0, 0x0, 0xffffffff, 0xff3403b4, 0x0), at 0xff2cb9d4
  [3] abort(0xff33c004, 0xd64fdbc0, 0x0, 0x4, 0x0, 0xd64fdbe1), at 0xff2b58f4
  [4] os::abort(0x1, 0xff14fad6, 0xd64fdc60, 0x0, 0xff1d4ebc, 0xff080e7c), at 0xff082838
  [5] os::handle_unexpected_exception(0x1ac4a0, 0xb, 0xfee1451c, 0xd64fe9c0, 0xfedebac4, 0x0), at 0xff080eec
  [6] JVM_handle_solaris_signal(0xfee1451c, 0xd64fe9c0, 0xd64fe708, 0x4000, 0x416c, 0x0), at 0xfedec334
  [7] __sighndlr(0xb, 0xd64fe9c0, 0xd64fe708, 0xfedeba48, 0x0, 0x0), at 0xff374cc8
  [8] call_user_handler(0xfead1000, 0xa, 0xff3878e0, 0xd64fe708, 0xd64fe9c0, 0xb), at 0xff36fb00
  [9] sigacthandler(0xfead1000, 0xd64fe9c0, 0xd64fe708, 0xff386000, 0xd64fe9c0, 0xb), at 0xff36fccc
  ---- called from signal handler with signal 11 (SIGSEGV) ------
  [10] adjust_check(0x4de2bc, 0x3764a4, 0x5dd458, 0xff1d8da8, 0x0, 0xd64feff8), at 0xfee1451c
  [11] IfNode::Ideal(0x0, 0x0, 0xff18e000, 0xd64feff8, 0x1, 0x4ddda8), at 0xfed1053c
  [12] PhaseIterGVN::transform_old(0xd64feff8, 0x4e3a0c, 0x80, 0xd64ff148, 0x4, 0x507620), at 0xfecd0930
  [13] PhaseIterGVN::optimize(0xd64feff8, 0x0, 0xff1d5ef8, 0x0, 0x0, 0x0), at 0xfeda6d24
  [14] Compile::Optimize(0xd64ff540, 0xd64ff314, 0xd64ff454, 0x43fa50, 0xd64ff454, 0x0), at 0xfee170b0
  [15] Compile::Compile(0x5396d4, 0x2ab698, 0x0, 0x834fe8, 0xffffffff, 0x1), at 0xfee15a6c
  [16] C2Compiler::compile_method(0x2aff8, 0xd64ffd38, 0x0, 0x834fe8, 0xffffffff, 0x0), at 0xfee124a8
  [17] CompileBroker::invoke_compiler_on_method(0x267, 0x0, 0xffffffff, 0x1ac52c, 0xff1cd080, 0x1ac4a0), at 0
xfee11ce8
  [18] CompileBroker::compiler_thread_loop(0x1ac4a0, 0x1ac4a0, 0x1a79b8, 0x1aca40, 0x30beec, 0xfee81ffc), at
0xfeec958c
  [19] JavaThread::run(0x1ac4a0, 0x0, 0x0, 0x0, 0x0, 0x0), at 0xfee82024
  [20] _start(0x1ac4a0, 0xfead1000, 0x0, 0x0, 0x0, 0x0), at 0xfee7e470

VM flags : 
JVM parameter      :  -server
JVM parameter      :  -Xss256k
JVM parameter      :  -Xms100m
JVM parameter      :  -Xmx512m
JVM parameter      :  -XX:SoftRefLRUPolicyMSPerMB=15000
JVM parameter      :  -XX:+OverrideDefaultLibthread
JVM parameter      :  -XX:+UseSignalChaining
JVM parameter      :  -XX:+UseParallelGC

The crash is not seen with client VM.

Comments

CONVERTED DATA BugTraq+ Release Management Values COMMIT TO FIX: 1.3.1_11 1.4.1_07 1.4.2_04 generic tiger tiger-beta FIXED IN: 1.3.1_11 1.4.1_07 1.4.2_04 tiger-beta INTEGRATED IN: 1.3.1_11 1.4.1_07 1.4.2_04 tiger-b28 tiger-beta
2004-06-14
SUGGESTED FIX Fix applied for testing: ------- ifnode.cpp ------- * /tmp/sccs.T3aGz1 Tue Oct 14 14:35:35 2003 --- ifnode.cpp Tue Oct 14 13:37:30 2003 *********** * 1,5 **** #ifdef USE_PRAGMA_IDENT_SRC ! #pragma ident "%W% %E% %U% JVM" #endif /* * Copyright 1991-2002 Sun Microsystems, Inc. All rights reserved. --- 1,5 ---- #ifdef USE_PRAGMA_IDENT_SRC ! #pragma ident "@(#)ifnode.cpp 1.44 03/10/14 13:26:59 JVM" #endif /* * Copyright 1991-2002 Sun Microsystems, Inc. All rights reserved. ************* * 421,426 **** --- 421,430 ---- Node iff = proj->in(0); Node bol = iff->in(1); if( bol->is_top() ) return; // In case a partially dead range check appears + // bail (or bomb[ASSERT/DEBUG]) if NOT projection-->IfNode-->BoolNode + NOT_DEBUG( if( !bol->is_Bool() ) return; ) + DEBUG_ONLY( if( !bol->is_Bool() ) { proj->dump(3); fatal("Expect projection-->IfNode-->BoolNode"); } ) + Node cmp = bol->in(1); // Compute a new check Node new_add = gvn->intcon(off_lo); ************* * 646,652 **** if( !prev_chk2 ) return NULL; // 'Widen' the offsets of the 1st and 2nd covering check adjust_check( prev_chk1, range1, index1, flip1, off_lo, igvn ); ! adjust_check( prev_chk2, range1, index1, flip1, off_hi, igvn ); // Test is now covered by prior checks, dominate it out prev_dom = prev_chk2; } else { --- 650,659 ---- if( !prev_chk2 ) return NULL; // 'Widen' the offsets of the 1st and 2nd covering check adjust_check( prev_chk1, range1, index1, flip1, off_lo, igvn ); ! // if equal we've already optimized ! if ( prev_chk1 != prev_chk2 ) { ! adjust_check( prev_chk2, range1, index1, flip1, off_hi, igvn ); ! } // Test is now covered by prior checks, dominate it out prev_dom = prev_chk2; } else { ###@###.### 2003-10-14
2003-10-14
EVALUATION The crashes all occur here: ifnode.cpp: 436 // Else, adjust existing check 436 // Else, adjust existing check 437 Node new_bol = gvn->transform( new (2) BoolNode( new_cmp, bol->is_Bool()->_test._test ) ); Analysis of core cvsm_core.sun4u.1442: [1.4.1_02] t@13 (l@13) terminated by signal ABRT (Abort) [tena/825384/cores:DBX] where current thread: t@13 =>[1] 0xff31ee64(0x6, 0x0, 0x0, 0xffffffff, 0xff3403ac, 0x0), at 0xff31ee63 [2] addsev(0xff33c000, 0xb64fdbe0, 0x0, 0x4, 0x0, 0xb64fdc01), at 0xff2b58e4 [3] os::abort(0x1, 0xff14ce36, 0xb64fdc80, 0x0, 0xff1d0e8c, 0xff07f17c), at 0xff080a90 [4] os::handle_unexpected_exception(0x2582c0, 0xb, 0xfee154f0, 0xb64fe9e0, 0xfedec9c4, 0x0), at 0xff07f1ec [5] JVM_handle_solaris_signal(0xfee154f0, 0xb64fe9e0, 0xb64fe728, 0x4000, 0x4164, 0x0), at 0xfeded234 [6] __sighndlr(0xb, 0xb64fe9e0, 0xb64fe728, 0xfedec948, 0x0, 0x0), at 0xff374cc8 [7] call_user_handler(0xfe7f1600, 0xd, 0xff3878e0, 0xb64fe728, 0xb64fe9e0, 0xb), at 0xff36fb00 [8] sigacthandler(0xfe7f1600, 0xb64fe9e0, 0xb64fe728, 0xff386000, 0xb64fe9e0, 0xb), at 0xff36fccc ---- called from signal handler with signal -25225728 (SIG-25225728) ------ [9] adjust_check(0x31dd9c, 0x7d97cc, 0x7648a0, 0xff1d4d78, 0x0, 0xb64feff8), at 0xfee154f0 [10] IfNode::Ideal(0x0, 0x0, 0xff18a000, 0xb64feff8, 0x1, 0x31d888), at 0xfed10690 [11] PhaseIterGVN::transform_old(0xb64feff8, 0x3234ec, 0x80, 0xb64ff148, 0x4, 0x247910), at 0xfecd0844 [12] PhaseIterGVN::optimize(0xb64feff8, 0x0, 0xff1d1ec8, 0x0, 0x0, 0x0), at 0xfeda7dfc [13] Compile::Optimize(0xb64ff540, 0xb64ff314, 0xb64ff454, 0x3825f8, 0xb64ff454, 0x0), at 0xfee18084 [14] Compile::Compile(0x97e274, 0x2d86f8, 0x0, 0xa86b78, 0xffffffff, 0x1), at 0xfee16a40 [15] C2Compiler::compile_method(0x2b0c8, 0xb64ffd38, 0x0, 0xa86b78, 0xffffffff, 0x0), at 0xfee1347c [16] CompileBroker::invoke_compiler_on_method(0x2ac, 0x0, 0xffffffff, 0x25834c, 0xff1c907c, 0x2582c0), at 0xfee12cbc [17] CompileBroker::compiler_thread_loop(0x2582c0, 0x2582c0, 0x2548c8, 0x258860, 0x30603c, 0xfee83eac), at 0xfeecad58 [18] JavaThread::run(0x2582c0, 0x0, 0x0, 0x0, 0x0, 0x0), at 0xfee83ed4 [19] _start(0x2582c0, 0xfe7f1600, 0x0, 0x0, 0x0, 0x0), at 0xfee80320 0xfee15154: adjust_check : save %sp, -0x70, %sp 0xfee15158: adjust_check+0x0004: ld [%i0 + 0x4], %g2 ... 0xfee154d0: adjust_check+0x037c: st %g3, [%g4 + 0xac] 0xfee154d4: adjust_check+0x0380: addcc %l4, 0x8, %l7 0xfee154d8: adjust_check+0x0384: be,a adjust_check+0x3c8 0xfee154dc: adjust_check+0x0388: ld [%i5], %g2 0xfee154e0: adjust_check+0x038c: ld [%l2], %g2 0xfee154e4: adjust_check+0x0390: ld [%g2 + 0x18], %l0 0xfee154e8: adjust_check+0x0394: jmpl %l0, %o7 0xfee154ec: adjust_check+0x0398: mov %l2, %o0 0xfee154f0: adjust_check+0x039c: ld [%o0 + 0x20], %l0 ifnode.s: / 0x0344 437 / be,a,pt %icc,.L900000720 / 0x0348 / ld [%i5],%g2 / 0x034c / ld [%l2],%g2 / 0x0350 / ld [%g2+24],%l0 / 0x0354 / jmpl %l0,%o7 / 0x0358 / or %g0,%l2,%o0 / 0x035c / or %g0,%o0,%g2 / 0x0360 / or %g0,%l7,%o0 / 0x0364 / ld [%g2+32],%l0 ifnode.cpp: 436 // Else, adjust existing check 437 Node new_bol = gvn->transform( new (2) BoolNode( new_cmp, bol->is_Bool()->_test._test ) ); [tena/825384/cores:DBX] frame 9 0xfee154f0: adjust_check+0x039c: ld [%o0 + 0x20], %l0 [tena/825384/cores:DBX] regs current thread: t@13 current frame: [9] g0-g3 0x00000000 0x00005800 0xff1baf04 0x006f5558 g4-g7 0xb64ff540 0x00000000 0x00000000 0xfe7f1600 o0-o3 0x00000000 0x006f54a8 0x007648a0 0x007d97cc o4-o7 0x0032391c 0x00000000 0xb64fea60 0xfee154e8 l0-l3 0xfedff4a0 0x00000000 0x007d3f0c 0x0031d888 l4-l7 0x006f552c 0xff18a000 0x006f54cc 0x006f5534 i0-i3 0x0031dd9c 0x007d97cc 0x007648a0 0xff1d4d78 i4-i7 0x00000000 0xb64feff8 0xb64fead0 0xfed10690 y 0x00000000 ccr 0x00000000 pc 0xfee154f0:adjust_check+0x39c ld [%o0 + 0x20], %l0 npc 0xfee154f4:adjust_check+0x3a0 mov %l7, %o0 [tena/825384/cores:DBX] frame 10 0xfed10690: Ideal+0x02c4: call adjust_check [tena/825384/cores:DBX] regs current thread: t@13 current frame: [10] g0-g3 0x00000000 0x00005800 0xff1baf04 0x006f5558 g4-g7 0xb64ff540 0x00000000 0x00000000 0xfe7f1600 o0-o3 0x0031dd9c 0x007d97cc 0x007648a0 0xff1d4d78 o4-o7 0x00000000 0xb64feff8 0xb64fead0 0xfed10690 l0-l3 0xfecd2174 0x003234ec 0xb64feff8 0x0076b924 l4-l7 0x0031dd9c 0x0031dd9c 0x0031dd9c 0x00000007 i0-i3 0x00000000 0x00000000 0xff18a000 0xb64feff8 i4-i7 0x00000001 0x0031d888 0xb64feb50 0xfecd0844 y 0x00000000 ccr 0x00000000 pc 0xfed10690:Ideal+0x2c4 call adjust_check npc 0xfee154f4:adjust_check+0x3a0 mov %l7, %o0 ifnode.s: /* 0x02b0 649 / ld [%fp-4],%o1 / 0x02b4 / or %g0,%l4,%o0 / 0x02b8 / or %g0,%i4,%o3 / 0x02bc / or %g0,%i0,%o4 / 0x02c0 / or %g0,%i3,%o5 / 0x02c4 / call void adjust_check(Node,Node,Node,int,int,PhaseIterGVN) ! params = %o0 ifnode.cpp: 644 if( index1 ) { 645 // Didn't find 2 prior covering checks, so cannot remove anything. 646 if( !prev_chk2 ) return NULL; 647 // 'Widen' the offsets of the 1st and 2nd covering check 648 adjust_check( prev_chk1, range1, index1, flip1, off_lo, igvn ); 649 adjust_check( prev_chk2, range1, index1, flip1, off_hi, igvn ); 650 // Test is now covered by prior checks, dominate it out 651 prev_dom = prev_chk2; [tena/825384/cores:DBX] Get14C2methNClass 0xfee1347c: compile_method+0x0064: call Compile #Nvariant 1 Class: com/objy/pm/util/WeakKeyHashtable Method: put I have attached the short versions of data from the other 2 core files. ###@###.### From Mike Paleczny's <###@###.###> email discussion of a proposed fix: Yes, the additional restriction should fix this problem. Here is the explanation from looking at adjust_check()'s call-sites in IfNode::Ideal() 1) The problem parameters to adjust_check() are 'prev_chk1' and 'prev_chk2' 2) These are only given the values NULL and 'prev_dom' 3) prev_dom is only given the value of 'dom' or the initial 'this' pointer 4a) I initially suspected that prev_dom might not be a projection that points to an IfNode. I've convinced myself that it is, even in the case that fails! 4b) The trick is the following two pieces of code in IfNode::Ideal() // If we match the test exactly, then the top test covers // both our lower and upper bounds. if( dom->in(1) == in(1) ) prev_chk2 = prev_chk1; and at the end of adjust_check() // Else, adjust existing check Node new_bol = gvn->transform( new (2) BoolNode( new_cmp, bol->is_Bool()->_test._test ) ); igvn->hash_delete( iff ); iff->set_req_X( 1, new_bol, igvn ); 5a) Theory: both prev_chk1 and prev_chk2 are set to the same value by the code in IfNode::Ideal that checks for an exact match 5b) The code at the end of adjust_check() optimizes the BoolNode to a constant answer using BoolNode::Value() 5c) The second call to adjust_check() in IfNode::Ideal() if( index1 ) { // Didn't find 2 prior covering checks, so cannot remove anything. if( !prev_chk2 ) return NULL; // 'Widen' the offsets of the 1st and 2nd covering check adjust_check( prev_chk1, range1, index1, flip1, off_lo, igvn ); adjust_check( prev_chk2, range1, index1, flip1, off_hi, igvn ); is expecting prev_chk2 to point to an IfNode which has a canonical structure. However, the canonical structure was modified by the first adjust_check() call since prev_chk1 == prev_chk2. Alternate Fix: Do not call adjust_check() twice when prev_chk1 == prev_chk2 Regards, Mike. Chris Phillips - Member Technical Staff wrote: > Hmmm - No response? > > Is there anyone out there? Maybe I should use the hs-compiler alias... > > Additionally: > > I am now thinking of trying the following simplistic extension of the change > added to fix bug 4780201 - > ifnode.cpp: > > 423 if( bol->is_top() ) return; // In case a partially dead range check > appears > to > 423 if( bol->is_top() \|\| !(bol->is_Bool())) return; // In case a > partially dead range check or non bool input appears > > Comments? > > Chris > > http://qtool.sfbay.sun.com/bin/esc_query.cgi?esc=548662 > http://sdn.sfbay.sun.com/cgi-bin/bug2html?4780201 > http://sdn.sfbay.sun.com/cgi-bin/bug2html?4933131 > http://loon.east:8888/altair/jpse/bugtraq/4933131/ifnode.cpp > > ------------- Begin Forwarded Message ------------- > > Let me re-phrase the question... > Given: > [tena/825384/cores:DBX] frame 8 > 0xff36fccc: sigacthandler+0x0064: call call_user_handler > > i0-i3 0xfead1000 0xd64fe9c0 0xd64fe708 0xff386000 > siginfo ptr > [tena/825384/cores:DBX] x 0xd64fe9c0/4X > 0xd64fe9c0: 0x0000000b 0x00000001 0x00000000 0x00000020 > Faulting address: __________ > So we faulted on a refernce to 0x20. > > 1 node.hpp 356 virtual BoolNode is_Bool () { return 0; } > 2 subnode.hpp 256 virtual BoolNode is_Bool() { return this; } > > [tena/825384/cores:DBX] frame 9 > 0xfee1451c: adjust_check+0x039c: ld [%o0 + 0x20], %l0 > > 0xfee14500: adjust_check+0x0380: addcc %l4, 0x8, %l7 > 0xfee14504: adjust_check+0x0384: be,a adjust_check+0x3c8 > 0xfee14508: adjust_check+0x0388: ld [%i5], %g2 > 0xfee1450c: adjust_check+0x038c: ld [%l2], %g2 > 0xfee14510: adjust_check+0x0390: ld [%g2 + 0x18], %l0 > 0xfee14514: adjust_check+0x0394: jmpl %l0, %o7 -> is_Bool > 0xfee14518: adjust_check+0x0398: mov %l2, %o0 > 0xfee1451c: adjust_check+0x039c: ld [%o0 + 0x20], %l0 > 0xfee14514: adjust_check+0x0394: jmpl %l0, %o7 > > >>l0-l3 0xfedfe558 0x00000000 0x00370be4 0x004ddda8 > > [tena/825384/cores:DBX] x 0xfedfe558/i > 0xfedfe558: is_Bool : jmp %o7 + 0x8 > 0xfedfe55c: is_Bool+0x0004: clr %o0 > > >>o4-o7 0x004e3e3c 0x00000000 0xd64fea40 0xfee14514 > > [tena/825384/cores:DBX] x 0xfee14514+8/i > 0xfee1451c: adjust_check+0x039c: ld [%o0 + 0x20], %l0 > > Then: > > What is the significance of the NULL returned from is_Bool ? > > My attempt at interpretation: > We've got the node.hpp version above and therefore we > have the wrong node? > [If so does that mean we need an additional restriction in adjust_check or > does it more likely mean we have a problem higher up?] > > Any help, suggestions comments (thats pure BS gladly accepted...) > > Cheers! > Chris > > \|Date: Tue, 7 Oct 2003 14:24:39 -0400 (EDT) > \|From: Chris Phillips - Member Technical Staff <chrisph> > \|Hi, > \| > \|\| Evaluation: > \|\|The crashes all occur here: > \|\|ifnode.cpp: > \|\| 436 // Else, adjust existing check > \|\| 436 // Else, adjust existing check > \|\| 437 Node *new_bol = gvn->transform( new (2) BoolNode( new_cmp, > \|bol->is_Bool()->_test._test ) ); > \|\| > \| > \|Any idea as to what would be the significance of the > \| bol->is_Bool()->_test._test above returning a Null? > \| > \|Chris ###@###.### 2003-10-09
2003-10-09
WORK AROUND use client VM. Possible second work around: All the cores show the crash when compiling: Class: com/objy/pm/util/WeakKeyHashtable Method: put so add a .hotspot_compiler file containing the following directive: exclude com/objy/pm/util/WeakKeyHashtable put to see if that avoids the crash. ###@###.### 2003-10-07
2003-10-07

SELECT A COUNTRY/REGION
Africa Operation Argentina Australia Austria Bahrain Bangladesh Belgium & Luxembourg Belize Bhutan Bolivia Bosnia & Herzegovina Brasil Brunei Bulgaria Cambodia Canada - English Canada - French Chile China Colombia	Costa Rica Croatia Cyprus Czech Republic Denmark Ecuador Egypt Estonia Finland France Germany Greece Guatemala Honduras Hong Kong Hungary India Indonesia Iraq Ireland	Israel Italy Japan Jordan Kazakhstan Korea Kuwait Laos Latvia Lebanon Lithuania Malaysia Maldives Malta Mexico Moldova Nepal Netherlands New Zealand Nicaragua	Norway Oman Pakistan Panama Paraguay Peru Philippines Poland Portugal Puerto Rico Qatar Romania Russia Saudi Arabia Serbia & Montenegro Singapore Slovakia Slovenia South Africa Spain	Sri Lanka Sweden Switzerland -- French Switzerland -- German Taiwan Thailand Turkey Ukraine United Arab Emirates United Kingdom United States Uruguay Venezuela Vietnam Yemen

Hardware and Software, Engineered to Work Together