8257822: C2 crashes with SIGFPE due to a division that floats above its zero check

Reviewed-by: kvn, thartmann
2026-03-20 04:43:32 +00:00 · 2020-12-15 15:14:34 +00:00 · 2020-12-15 15:14:34 +00:00 · ce36aeaac3
commit ce36aeaac3
parent fa1cbb47aa
3 changed files with 96 additions and 5 deletions
--- a/src/hotspot/share/opto/loopnode.hpp
+++ b/src/hotspot/share/opto/loopnode.hpp
@ -1451,6 +1451,7 @@ public:
  // Mark an IfNode as being dominated by a prior test,
  // without actually altering the CFG (and hence IDOM info).
  void dominated_by( Node *prevdom, Node *iff, bool flip = false, bool exclude_loop_predicate = false );
+  bool no_dependent_zero_check(Node* n) const;

  // Split Node 'n' through merge point
  Node *split_thru_region( Node *n, Node *region );
--- a/src/hotspot/share/opto/loopopts.cpp
+++ b/src/hotspot/share/opto/loopopts.cpp
@ -278,18 +278,23 @@ void PhaseIdealLoop::dominated_by( Node *prevdom, Node *iff, bool flip, bool exc
    return; // Let IGVN transformation change control dependence.
  }

-  IdealLoopTree *old_loop = get_loop(dp);
+  IdealLoopTree* old_loop = get_loop(dp);

  for (DUIterator_Fast imax, i = dp->fast_outs(imax); i < imax; i++) {
    Node* cd = dp->fast_out(i); // Control-dependent node
-    if (cd->depends_only_on_test()) {
+    // Do not rewire Div and Mod nodes which could have a zero divisor to avoid skipping their zero check.
+    if (cd->depends_only_on_test() && no_dependent_zero_check(cd)) {
      assert(cd->in(0) == dp, "");
      _igvn.replace_input_of(cd, 0, prevdom);
      set_early_ctrl(cd, false);
-      IdealLoopTree *new_loop = get_loop(get_ctrl(cd));
+      IdealLoopTree* new_loop = get_loop(get_ctrl(cd));
      if (old_loop != new_loop) {
-        if (!old_loop->_child) old_loop->_body.yank(cd);
-        if (!new_loop->_child) new_loop->_body.push(cd);
+        if (!old_loop->_child) {
+          old_loop->_body.yank(cd);
+        }
+        if (!new_loop->_child) {
+          new_loop->_body.push(cd);
+        }
      }
      --i;
      --imax;
@ -297,6 +302,25 @@ void PhaseIdealLoop::dominated_by( Node *prevdom, Node *iff, bool flip, bool exc
  }
 }

+// Check if the type of a divisor of a Div or Mod node includes zero.
+bool PhaseIdealLoop::no_dependent_zero_check(Node* n) const {
+  switch (n->Opcode()) {
+    case Op_DivI:
+    case Op_ModI: {
+      // Type of divisor includes 0?
+      const TypeInt* type_divisor = _igvn.type(n->in(2))->is_int();
+      return (type_divisor->_hi < 0 || type_divisor->_lo > 0);
+    }
+    case Op_DivL:
+    case Op_ModL: {
+      // Type of divisor includes 0?
+      const TypeLong* type_divisor = _igvn.type(n->in(2))->is_long();
+      return (type_divisor->_hi < 0 || type_divisor->_lo > 0);
+    }
+  }
+  return true;
+}
+
 //------------------------------has_local_phi_input----------------------------
 // Return TRUE if 'n' has Phi inputs from its local block and no other
 // block-local inputs (all non-local-phi inputs come from earlier blocks)
--- a/test/hotspot/jtreg/compiler/loopopts/TestDivZeroWithSplitIf.java
+++ b/test/hotspot/jtreg/compiler/loopopts/TestDivZeroWithSplitIf.java
@ -0,0 +1,66 @@
+/*
+ * Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ *
+ */
+
+/*
+ * @test
+ * @bug 8257822
+ * @summary Verify that zero check is executed before division/modulo operation.
+ * @requires vm.compiler2.enabled
+ * @run main/othervm -Xcomp -XX:-TieredCompilation -XX:CompileOnly=compiler/loopopts/TestDivZeroWithSplitIf::test
+ *                   -XX:+StressGCM -XX:StressSeed=873732072 compiler.loopopts.TestDivZeroWithSplitIf
+ */
+
+package compiler.loopopts;
+
+public class TestDivZeroWithSplitIf {
+    public static int iArrFld[] = new int[10];
+
+    public static void test() {
+        int x = 20;
+        int y = 0;
+        int z = 10;
+        for (int i = 9; i < 99; i += 2) {
+            for (int j = 3; j < 100; j++) {
+                for (int k = 1; k < 2; k++) {
+                    try {
+                        x = (-65229 / y); // Division by zero
+                        z = (iArrFld[5] / 8); // RangeCheckNode
+                    } catch (ArithmeticException a_e) {}
+                    try {
+                        y = (-38077 / y);
+                        z = (y / 9);
+                    } catch (ArithmeticException a_e) {}
+                    y = 8;
+                    z += k;
+                }
+            }
+        }
+    }
+    public static void main(String[] strArr) {
+        for (int i = 0; i < 10; i++) {
+            test();
+        }
+    }
+}
+