8148752: Compiled StringBuilder code throws StringIndexOutOfBoundsException
Summary: Fixed handling of long/double MH arguments in GraphBuilder::try_method_handle_inline().
Reviewed-by: roland, shade, vlivanov, kvn, twisti
--- a/hotspot/src/share/vm/opto/callGenerator.cpp Mon Feb 08 18:52:03 2016 +0100
+++ b/hotspot/src/share/vm/opto/callGenerator.cpp Wed Feb 10 07:54:26 2016 +0100
@@ -867,17 +867,18 @@
}
}
// Cast reference arguments to its type.
- for (int i = 0; i < signature->count(); i++) {
+ for (int i = 0, j = 0; i < signature->count(); i++) {
ciType* t = signature->type_at(i);
if (t->is_klass()) {
- Node* arg = kit.argument(receiver_skip + i);
+ Node* arg = kit.argument(receiver_skip + j);
const TypeOopPtr* arg_type = arg->bottom_type()->isa_oopptr();
const Type* sig_type = TypeOopPtr::make_from_klass(t->as_klass());
if (arg_type != NULL && !arg_type->higher_equal(sig_type)) {
Node* cast_obj = gvn.transform(new CheckCastPPNode(kit.control(), arg, sig_type));
- kit.set_argument(receiver_skip + i, cast_obj);
+ kit.set_argument(receiver_skip + j, cast_obj);
}
}
+ j += t->size(); // long and double take two slots
}
// Try to get the most accurate receiver type
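Review bot: Nothing in the rewritten loop checks that the slot cursor `j` ends where the signature says it should, so a later drift between parameter index and argument slot would again put the `CheckCastPPNode` on the wrong argument without any diagnostic. Assuming `ciSignature::size()` is the total slot count of the parameters, I would add `assert(j == signature->size(), "argument slot mismatch");` right after the loop. I would also rename `j` to something like `slot`, so that `receiver_skip + slot` reads as a slot offset and `i` stays the parameter index. A misplaced cast narrows the compiler's type for an unrelated argument, which makes this a type-safety issue in compiled code, not only a functional bug. The enclosing function starts and ends outside this hunk, and the commit summary names `GraphBuilder::try_method_handle_inline()`, so any equivalent per-parameter loop elsewhere (not visible here) should be checked for the same indexing.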
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/hotspot/test/compiler/jsr292/LongReferenceCastingTest.java Wed Feb 10 07:54:26 2016 +0100
@@ -0,0 +1,75 @@
+/*
+ * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ *
+ */
+
+import java.lang.invoke.*;
+
+/**
+ * @test
+ * @bug 8148752
+ * @summary Test correct casting of MH arguments during inlining.
+ * @run main LongReferenceCastingTest
+ */
+public class LongReferenceCastingTest {
+ static final String MY_STRING = "myString";
+ static final MethodHandle MH;
+
+ static {
+ try {
+ MethodHandles.Lookup lookup = MethodHandles.lookup();
+ MethodType mt = MethodType.methodType(String.class, long.class, Object.class, String.class);
+ MH = lookup.findVirtual(LongReferenceCastingTest.class, "myMethod", mt);
+ } catch (Exception e) {
+ throw new Error(e);
+ }
+ }
+
+ public String myMethod(long l, Object o, String s) {
+ // The long argument occupies two stack slots, causing C2 to treat it as
+ // two arguments and casting the fist one two long and the second one to Object.
+ // As a result, Object o is casted to String and the o.toString() call is
+ // inlined as String::toString(). We fail at runtime because 'o' is not a String.
+ return o.toString();
+ }
+
+ public String toString() {
+ return MY_STRING;
+ }
+
+ public static void main(String[] args) throws Exception {
+ LongReferenceCastingTest test = new LongReferenceCastingTest();
+ try {
+ for (int i = 0; i < 20_000; ++i) {
+ if (!test.invoke().equals(MY_STRING)) {
+ throw new RuntimeException("Invalid string");
+ }
+ }
+ } catch (Throwable t) {
+ throw new RuntimeException("Test failed", t);
+ }
+ }
+
+ public String invoke() throws Throwable {
+ return (String) MH.invokeExact(this, 0L, (Object)this, MY_STRING);
+ }
+}
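Review bot: The `@run main LongReferenceCastingTest` line leaves it to default compile thresholds and background compilation whether C2 compiles the method-handle call within the 20_000 iterations, so the test can pass without ever reaching the fixed code. Running it in its own VM with blocking compilation would make it deterministic, for example `@run main/othervm -Xbatch -XX:-TieredCompilation LongReferenceCastingTest` (check the exact flags against the conventions of the neighbouring jsr292 tests). Only a `long` parameter is exercised although the fix also covers `double`; a second handle whose first parameter is `double` would close that gap. The comment in `myMethod` has typos and should read `// two arguments and casting the first one to long and the second one to Object.`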