8290705: StringConcat::validate_mem_flow asserts with "unexpected user: StoreI" #9589

Closed
@TobiHartmann TobiHartmann commented Jul 21, 2022

C2's string concatenation optimization (OptimizeStringConcat) does not correctly handle side effecting instructions between StringBuffer Allocate/Initialize and the call to the constructor. In the failing test, see SideEffectBeforeConstructor::test, a result field is incremented just before the constructor is invoked. The string concatenation optimization still merges the allocation, constructor and toString calls and incorrectly re-wires the store to before the concatenation. As a result, passing null to the constructor will incorrectly increment the field before throwing a NullPointerException. With a debug build, we hit an assert in StringConcat::validate_mem_flow due to the unexpected field store. This is an old bug and an extreme edge case as javac would not generate such code.

The following comment suggests that this case should be covered by StringConcat::validate_control_flow():

// For memory that feeds into constructors it's more complicated.
// However the advantage is that any side effect that happens between the Allocate/Initialize and
// the constructor will have to be control-dependent on Initialize.
// So we actually don't have to do anything, since it's going to be caught by the control flow
// analysis.

However, the control flow analysis does not catch this case. I added the missing check.

Thanks,
Tobias


Progress

  • Change must be properly reviewed (1 review required, with at least 1 Reviewer)
  • Change must not contain extraneous whitespace
  • Commit message must refer to an issue

Issue

  • JDK-8290705: StringConcat::validate_mem_flow asserts with "unexpected user: StoreI"

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk pull/9589/head:pull/9589
$ git checkout pull/9589

Update a local copy of the PR:
$ git checkout pull/9589
$ git pull https://git.openjdk.org/jdk pull/9589/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 9589

View PR using the GUI difftool:
$ git pr show -t 9589

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/9589.diff

@bridgekeeper
bridgekeeper bot commented Jul 21, 2022

👋 Welcome back thartmann! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

@openjdk openjdk bot added the rfr Pull request is ready for review label Jul 21, 2022
@openjdk
openjdk bot commented Jul 21, 2022

@TobiHartmann The following label will be automatically applied to this pull request:

  • hotspot-compiler

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command.

@openjdk openjdk bot added the hotspot-compiler hotspot-compiler-dev@openjdk.org label Jul 21, 2022
@mlbridge
mlbridge bot commented Jul 21, 2022

Webrevs

#ifndef PRODUCT
if (PrintOptimizeStringConcat) {
tty->print_cr("unexpected control use of Initialize");
use->dump(2);
Contributor

@vnkozlov vnkozlov Jul 21, 2022

What output of dump(2) did you get in your case? It could be more than needed if use has a lot of inputs.
How about the following, to output only the interesting info:

ptr->in(0)->dump(); // Initialize node
use->dump(1);
tty->cr();

Member Author

It prints:

considering toString call in  SideEffectBeforeConstructor::test @ bci:16
unexpected control use of Initialize
  49  ConI  === 0  [[ 50 ]]  #int:1
  48  LoadI  === _ 7 47  [[ 50 ]]  @java/lang/Class:exact+112 *, name=result, idx=11; #int !jvms: SideEffectBeforeConstructor::test @ bci:4
  46  ConL  === 0  [[ 47 ]]  #long:112
  45  ConP  === 0  [[ 47 47 ]]  #java/lang/Class:exact *  Oop:java/lang/Class:exact *
   3  Start  === 3 0  [[ 3 5 6 7 8 9 10 ]]  #{0:control, 1:abIO, 2:memory, 3:rawptr:BotPTR, 4:return_address, 5:java/lang/String:exact *}
  38  Initialize  === 30 1 41 1 1 37  [[ 39 40 ]]  !jvms: SideEffectBeforeConstructor::test @ bci:0
  50  AddI  === _ 48 49  [[ 52 ]]  !jvms: SideEffectBeforeConstructor::test @ bci:8
  47  AddP  === _ 45 45 46  [[ 48 52 ]]   Oop:java/lang/Class:exact+112 * !jvms: SideEffectBeforeConstructor::test @ bci:4
   7  Parm  === 3  [[ 52 48 41 41 24 25 72 41 41 41 ]] Memory  Memory: @BotPTR *+bot, idx=Bot; !jvms: SideEffectBeforeConstructor::test @ bci:-1
  39  Proj  === 38  [[ 53 42 52 ]] #0 !jvms: SideEffectBeforeConstructor::test @ bci:0
  52  StoreI  === 39 7 47 50  [[ 24 ]]  @java/lang/Class:exact+112 *, name=result, idx=11;  Memory: @java/lang/Class:exact+112 *, name=result, idx=11; !jvms: SideEffectBeforeConstructor::test @ bci:9

You are right, dump(1) is sufficient:

considering toString call in  SideEffectBeforeConstructor::test @ bci:16
unexpected control use of Initialize
  38  Initialize  === 30 1 41 1 1 37  [[ 39 40 ]]  !jvms: SideEffectBeforeConstructor::test @ bci:0
  50  AddI  === _ 48 49  [[ 52 ]]  !jvms: SideEffectBeforeConstructor::test @ bci:8
  47  AddP  === _ 45 45 46  [[ 48 52 ]]   Oop:java/lang/Class:exact+112 * !jvms: SideEffectBeforeConstructor::test @ bci:4
   7  Parm  === 3  [[ 52 48 41 41 24 25 72 41 41 41 ]] Memory  Memory: @BotPTR *+bot, idx=Bot; !jvms: SideEffectBeforeConstructor::test @ bci:-1
  39  Proj  === 38  [[ 53 42 52 ]] #0 !jvms: SideEffectBeforeConstructor::test @ bci:0
  52  StoreI  === 39 7 47 50  [[ 24 ]]  @java/lang/Class:exact+112 *, name=result, idx=11;  Memory: @java/lang/Class:exact+112 *, name=result, idx=11; !jvms: SideEffectBeforeConstructor::test @ bci:9

The tty->cr(); is not needed because it's printed by this code just below:

if (PrintOptimizeStringConcat && fail) {
tty->cr();
}
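
The node dump quoted in this thread can be checked mechanically. The following is an added example, not code from this PR or from HotSpot: it parses the `idx Name === inputs [[ outputs ]]` lines and lists the stores whose control input is a projection of an Initialize node. The function names, and the simplification of treating any `Store*` node as the side effect of interest, are assumptions of the example.

```python
import re
from typing import NamedTuple

# Node lines copied from the dump(1) output quoted in the comment above.
DUMP = """\
  38  Initialize  === 30 1 41 1 1 37  [[ 39 40 ]]  !jvms: SideEffectBeforeConstructor::test @ bci:0
  50  AddI  === _ 48 49  [[ 52 ]]  !jvms: SideEffectBeforeConstructor::test @ bci:8
  47  AddP  === _ 45 45 46  [[ 48 52 ]]   Oop:java/lang/Class:exact+112 * !jvms: SideEffectBeforeConstructor::test @ bci:4
   7  Parm  === 3  [[ 52 48 41 41 24 25 72 41 41 41 ]] Memory  Memory: @BotPTR *+bot, idx=Bot; !jvms: SideEffectBeforeConstructor::test @ bci:-1
  39  Proj  === 38  [[ 53 42 52 ]] #0 !jvms: SideEffectBeforeConstructor::test @ bci:0
  52  StoreI  === 39 7 47 50  [[ 24 ]]  @java/lang/Class:exact+112 *, name=result, idx=11;  Memory: @java/lang/Class:exact+112 *, name=result, idx=11; !jvms: SideEffectBeforeConstructor::test @ bci:9
"""

class Node(NamedTuple):
    idx: int
    name: str
    inputs: list   # in(0), the control input, comes first; None means absent ("_")
    outputs: list

LINE = re.compile(r"^\s*(\d+)\s+(\w+)\s+===\s*(.*?)\s*\[\[(.*?)\]\]")

def parse_dump(text):
    """Parse 'idx Name === inputs [[ outputs ]]' lines into {idx: Node}."""
    nodes = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip non-node lines such as the "unexpected control use" header
        ins = [int(t) if t.isdigit() else None for t in m.group(3).split()]
        outs = [int(t) for t in m.group(4).split() if t.isdigit()]
        nodes[int(m.group(1))] = Node(int(m.group(1)), m.group(2), ins, outs)
    return nodes

def stores_controlled_by_initialize(nodes):
    """Return (stores hanging off an Initialize projection, users missing from the dump)."""
    stores, unresolved = [], []
    for proj in nodes.values():
        ctrl = proj.inputs[0] if proj.inputs else None
        if proj.name != "Proj" or ctrl not in nodes or nodes[ctrl].name != "Initialize":
            continue
        for out in proj.outputs:
            user = nodes.get(out)
            if user is None:
                unresolved.append(out)  # node index referenced but not printed
            elif user.name.startswith("Store") and user.inputs[:1] == [proj.idx]:
                stores.append(user)
    return stores, unresolved
```

On the quoted dump this reports node 52 (StoreI) as control-dependent on projection 39 of Initialize 38, and leaves 53 and 42 unresolved because they were not printed.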

Contributor

@vnkozlov vnkozlov left a comment

Good.

@openjdk
openjdk bot commented Jul 22, 2022

@TobiHartmann This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

8290705: StringConcat::validate_mem_flow asserts with "unexpected user: StoreI"

Reviewed-by: kvn, xliu

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 44 new commits pushed to the master branch:

  • 4d796ee: 8290887: Unused private method in TrustManagerFactoryImpl
  • f0f78a9: 8290894: Reduce runtime of vm.lang microbenchmarks
  • 1451642: 8244976: vmTestbase/nsk/jdi/Event/request/request001.java doesn' initialize eName
  • 8159a1a: 8290706: Remove the support for inline contiguous allocations
  • 7318b22: 8289551: Conversions between bit representations of half precision values and floats
  • 2ae8e31: 8290669: Fix wording in sun.security.ec
  • 8939095: 8289996: Fix array range check hoisting for some scaled loop iv
  • da9cc5c: 8290806: Only add eager reclaim task to G1 post evacuate tasks if there were candidates
  • 330adc0: 8290969: DumpClassListCLDClosure incorrectly uses ResizeableResourceHashtable
  • 28bbdc5: 8290972: ProblemList java/lang/ProcessBuilder/PipelineLeaksFD.java
  • ... and 34 more: https://git.openjdk.org/jdk/compare/3582fd9e93d9733c6fdf1f3848e0a093d44f6865...master

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

➡️ To integrate this PR with the above commit message to the master branch, type /integrate in a new comment.

@openjdk openjdk bot added the ready Pull request is ready to be integrated label Jul 22, 2022
@TobiHartmann
Member Author

Thanks, Vladimir!

@TobiHartmann
Member Author

Anyone up for a second review?

iadd;
putstatic Field result:"I";
aload_0;
invokespecial Method java/lang/StringBuffer."<init>":"(Ljava/lang/String;)V";
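
Review bot: nothing in these lines marks the iadd/putstatic pair ahead of the invokespecial of StringBuffer."<init>" as intentional, although that ordering is what the test depends on. Suggest a one-line comment above `putstatic Field result:"I";` stating that the field store is deliberately placed before the constructor call, so a later cleanup of the test's bytecode does not move it.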
Member

Hi @TobiHartmann,
Is this the reason why you said "javac would not generate such code"?
I don't think javac will insert "SideEffectBeforeConstructor::result++" between new and invokespecial.

Member

I tried that. I don't think there's a way to generate code like that using javac.
So we fix this bug because somebody may emit weird bytecode sequences using asm?

Member Author

Yes, I don't think javac would ever put something between new and the invokespecial of the constructor. At least I was not able to trigger that.

> So we fix this bug because somebody may emit weird bytecode sequences using asm?

Yes. The JVM needs to handle all valid bytecode, not only bytecode generated by javac. Not only are there other Java compilers but also different languages (like Scala) that compile to bytecode and run on the JVM.

Member

@navyxliu navyxliu left a comment

This fix is reasonable. LGTM. (I am not a reviewer).

A side note to myself: any nodes with side effects between Initialize and () must commit because may throw an exception.

@TobiHartmann
Member Author

Thanks for the review, @navyxliu!

@TobiHartmann
Member Author

/integrate

@openjdk
openjdk bot commented Jul 27, 2022

Going to push as commit 61e072d.
Since your change was applied there have been 46 commits pushed to the master branch:

  • 2bd90c2: 8284990: AArch64: Remove STXR_PREFETCH from CPU features
  • 2a1d9cf: 8289137: Automatically adapt Young/OldPLABSize and when setting only MinTLABSize
  • 4d796ee: 8290887: Unused private method in TrustManagerFactoryImpl
  • f0f78a9: 8290894: Reduce runtime of vm.lang microbenchmarks
  • 1451642: 8244976: vmTestbase/nsk/jdi/Event/request/request001.java doesn' initialize eName
  • 8159a1a: 8290706: Remove the support for inline contiguous allocations
  • 7318b22: 8289551: Conversions between bit representations of half precision values and floats
  • 2ae8e31: 8290669: Fix wording in sun.security.ec
  • 8939095: 8289996: Fix array range check hoisting for some scaled loop iv
  • da9cc5c: 8290806: Only add eager reclaim task to G1 post evacuate tasks if there were candidates
  • ... and 36 more: https://git.openjdk.org/jdk/compare/3582fd9e93d9733c6fdf1f3848e0a093d44f6865...master

Your commit was automatically rebased without conflicts.

@openjdk openjdk bot added the integrated Pull request has been integrated label Jul 27, 2022
@openjdk openjdk bot closed this Jul 27, 2022
@openjdk openjdk bot removed ready Pull request is ready to be integrated rfr Pull request is ready for review labels Jul 27, 2022
@openjdk
openjdk bot commented Jul 27, 2022

@TobiHartmann Pushed as commit 61e072d.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.
