JBS: https://bugs.openjdk.java.net/browse/JDK-8262831
primitive class MyValue {
int b = 22;
}
public class MainClass {
int iField;
MyValue c;
MyValue t;
void test(MyValue[] array) {
for (int i = 0; i < 10; ++i) {
for (int j = 0; j < 10; ++j) {
iField = 6;
}
for (int j = 0; j < 2; ++j) {
iField += array[0].b;
}
MyValue[] array2 = {new MyValue()};
c = array[0];
array2[0] = t;
}
}
public static void main(String[] args) {
MainClass q = new MainClass();
MyValue[] array = {new MyValue()};
for (int i = 0; i < 50_000; ++i) {
q.test(array);
}
}
}
Investigation
The following test case is crashed at (5):
void test(MyValue[] array) {
for (int i = 0; i < 10; ++i) {
for (int j = 0; j < 10; ++j) { (1)
iField = 6; (2)
} (3)
for (int j = 0; j < 2; ++j) {
iField += array[0].b;
}
MyValue[] array2 = {new MyValue()}; (4)
c = array[0]; (5) // hit the assertion
array2[0] = t; (6)
}
}
I did some investigations. C2 wants to check whether there are other Mem nodes between (4) and (6) that read or write the array2, because it hopes to merge (4) and (6) into an InitializeNode. If it finds that there are any reads or writes, such as LoadI in (5), then its Address input must be an AddPNode.
But in fact, it may be a PhiNode(570), so an assertion is hit.
Why does PhiNode appear on (5) as the input of LoadINode? Because the loop unrolling (PhaseIdealLoop::do_unroll) occurred in (1)-(3), it produced a cloned node(550) of the parameter array(not as straightforward as I said, actually it's a CastPPNode which produced via extra steps), and then the parameter array(281) and the cloned nodes(535) were merged, thus a PhiNode(570) node appeared.