Add missing exception edge for array allocations

Author: Christian Wimmer

compiler/src/org.graalvm.compiler.hotspot/src/org/graalvm/compiler/hotspot/replacements/ClassGetHubNode.java

@@ -128,8 +128,12 @@ public Node canonical(CanonicalizerTool tool) {
     @NodeIntrinsic
     public static native KlassPointer readClass(Class<?> clazzNonNull);
 
+    public static KlassPointer piCastNonNull(KlassPointer object, GuardingNode anchor) {
+        return intrinsifiedPiNode(object, anchor, PiNode.INTRINSIFY_OP_NON_NULL);
+    }
+
     @NodeIntrinsic(PiNode.class)
-    public static native KlassPointer piCastNonNull(Object object, GuardingNode anchor);
+    private static native KlassPointer intrinsifiedPiNode(KlassPointer object, GuardingNode anchor, @ConstantNodeParameter int intrinsifyOp);
 
     @Override
     public ValueNode getValue() {

compiler/src/org.graalvm.compiler.java/src/org/graalvm/compiler/java/BytecodeParser.java

@@ -4626,7 +4626,7 @@ private static Class<?> arrayTypeCodeToClass(int code) {
 
     private void genNewPrimitiveArray(int typeCode) {
         ResolvedJavaType elementType = getMetaAccess().lookupJavaType(arrayTypeCodeToClass(typeCode));
-        ValueNode length = frameState.pop(JavaKind.Int);
+        ValueNode length = maybeEmitExplicitNegativeArraySizeCheck(frameState.pop(JavaKind.Int));
 
         for (NodePlugin plugin : graphBuilderConfig.getPlugins().getNodePlugins()) {
             if (plugin.handleNewArray(this, elementType, length)) {
@@ -4639,14 +4639,10 @@ private void genNewPrimitiveArray(int typeCode) {
 
     private void genNewObjectArray(int cpi) {
         JavaType type = lookupType(cpi, ANEWARRAY);
-        genNewObjectArray(type);
-    }
-
-    private void genNewObjectArray(JavaType type) {
         if (typeIsResolved(type)) {
             genNewObjectArray((ResolvedJavaType) type);
         } else {
-            ValueNode length = frameState.pop(JavaKind.Int);
+            ValueNode length = maybeEmitExplicitNegativeArraySizeCheck(frameState.pop(JavaKind.Int));
             handleUnresolvedNewObjectArray(type, length);
         }
     }
@@ -4658,7 +4654,7 @@ private void genNewObjectArray(ResolvedJavaType resolvedType) {
             classInitializationPlugin.apply(this, resolvedType.getArrayClass(), this::createCurrentFrameState);
         }
 
-        ValueNode length = frameState.pop(JavaKind.Int);
+        ValueNode length = maybeEmitExplicitNegativeArraySizeCheck(frameState.pop(JavaKind.Int));
         for (NodePlugin plugin : graphBuilderConfig.getPlugins().getNodePlugins()) {
             if (plugin.handleNewArray(this, resolvedType, length)) {
                 return;
@@ -4672,15 +4668,11 @@ private void genNewMultiArray(int cpi) {
         JavaType type = lookupType(cpi, MULTIANEWARRAY);
         int rank = getStream().readUByte(bci() + 3);
         ValueNode[] dims = new ValueNode[rank];
-        genNewMultiArray(type, rank, dims);
-    }
-
-    private void genNewMultiArray(JavaType type, int rank, ValueNode[] dims) {
         if (typeIsResolved(type)) {
             genNewMultiArray((ResolvedJavaType) type, rank, dims);
         } else {
             for (int i = rank - 1; i >= 0; i--) {
-                dims[i] = frameState.pop(JavaKind.Int);
+                dims[i] = maybeEmitExplicitNegativeArraySizeCheck(frameState.pop(JavaKind.Int));
             }
             handleUnresolvedNewMultiArray(type, dims);
         }
@@ -4694,7 +4686,7 @@ private void genNewMultiArray(ResolvedJavaType resolvedType, int rank, ValueNode
         }
 
         for (int i = rank - 1; i >= 0; i--) {
-            dims[i] = frameState.pop(JavaKind.Int);
+            dims[i] = maybeEmitExplicitNegativeArraySizeCheck(frameState.pop(JavaKind.Int));
         }
 
         for (NodePlugin plugin : graphBuilderConfig.getPlugins().getNodePlugins()) {

compiler/src/org.graalvm.compiler.nodes/src/org/graalvm/compiler/nodes/PiNode.java

@@ -33,6 +33,7 @@
 import org.graalvm.compiler.core.common.type.StampFactory;
 import org.graalvm.compiler.core.common.type.TypeReference;
 import org.graalvm.compiler.debug.DebugContext;
+import org.graalvm.compiler.debug.GraalError;
 import org.graalvm.compiler.graph.Node;
 import org.graalvm.compiler.graph.Node.NodeIntrinsicFactory;
 import org.graalvm.compiler.graph.NodeClass;
@@ -125,13 +126,29 @@ public static ValueNode create(ValueNode object, ValueNode guard) {
         return new PiNode(object, stamp, guard);
     }
 
-    public static boolean intrinsify(GraphBuilderContext b, ValueNode object, ValueNode guard) {
-        Stamp stamp = AbstractPointerStamp.pointerNonNull(object.stamp(NodeView.DEFAULT));
-        ValueNode value = canonical(object, stamp, (GuardingNode) guard, null);
+    public static final int INTRINSIFY_OP_NON_NULL = 1;
+    public static final int INTRINSIFY_OP_POSITIVE_INT = 2;
+
+    public static boolean intrinsify(GraphBuilderContext b, ValueNode input, ValueNode guard, int intrinsifyOp) {
+        Stamp stamp;
+        JavaKind pushKind;
+        switch (intrinsifyOp) {
+            case INTRINSIFY_OP_NON_NULL:
+                stamp = AbstractPointerStamp.pointerNonNull(input.stamp(NodeView.DEFAULT));
+                pushKind = JavaKind.Object;
+                break;
+            case INTRINSIFY_OP_POSITIVE_INT:
+                stamp = StampFactory.positiveInt();
+                pushKind = JavaKind.Int;
+                break;
+            default:
+                throw GraalError.shouldNotReachHere();
+        }
+        ValueNode value = canonical(input, stamp, (GuardingNode) guard, null);
         if (value == null) {
-            value = new PiNode(object, stamp, guard);
+            value = new PiNode(input, stamp, guard);
         }
-        b.push(JavaKind.Object, b.append(value));
+        b.push(pushKind, b.append(value));
         return true;
     }
 
@@ -278,19 +295,38 @@ public static Class<?> asNonNullObject(Object object) {
     @NodeIntrinsic(PiNode.Placeholder.class)
     public static native Object piCastToSnippetReplaceeStamp(Object object);
 
+    /**
+     * Changes the stamp of a primitive value and ensures the newly stamped value is positive and
+     * does not float above a given guard.
+     */
+    public static int piCastPositive(int value, GuardingNode guard) {
+        return intrinsified(value, guard, INTRINSIFY_OP_POSITIVE_INT);
+    }
+
+    @NodeIntrinsic
+    private static native int intrinsified(int value, GuardingNode guard, @ConstantNodeParameter int intrinsifyOp);
+
     /**
      * Changes the stamp of an object and ensures the newly stamped value is non-null and does not
      * float above a given guard.
      */
+    public static Object piCastNonNull(Object object, GuardingNode guard) {
+        return intrinsified(object, guard, INTRINSIFY_OP_NON_NULL);
+    }
+
     @NodeIntrinsic
-    public static native Object piCastNonNull(Object object, GuardingNode guard);
+    private static native Object intrinsified(Object object, GuardingNode guard, @ConstantNodeParameter int intrinsifyOp);
 
     /**
      * Changes the stamp of an object and ensures the newly stamped value is non-null and does not
      * float above a given guard.
      */
+    public static Class<?> piCastNonNullClass(Class<?> type, GuardingNode guard) {
+        return intrinsified(type, guard, INTRINSIFY_OP_NON_NULL);
+    }
+
     @NodeIntrinsic
-    public static native Class<?> piCastNonNullClass(Class<?> type, GuardingNode guard);
+    private static native Class<?> intrinsified(Class<?> object, GuardingNode guard, @ConstantNodeParameter int intrinsifyOp);
 
     /**
      * Changes the stamp of an object to represent a given type and to indicate that the object is

compiler/src/org.graalvm.compiler.nodes/src/org/graalvm/compiler/nodes/extended/BytecodeExceptionNode.java

@@ -122,6 +122,11 @@ public enum BytecodeExceptionKind {
          */
         ILLEGAL_ARGUMENT_EXCEPTION_ARGUMENT_IS_NOT_AN_ARRAY(0, IllegalArgumentException.class, "Argument is not an array"),
 
+        /**
+         * Represents a {@link NegativeArraySizeException}. No arguments are allowed.
+         */
+        NEGATIVE_ARRAY_SIZE(0, NegativeArraySizeException.class),
+
         /**
          * Represents a {@link ArithmeticException}, with the exception message indicating a
          * division by zero. No arguments are allowed.

compiler/src/org.graalvm.compiler.nodes/src/org/graalvm/compiler/nodes/graphbuilderconf/GraphBuilderContext.java

@@ -56,6 +56,7 @@
 import org.graalvm.compiler.nodes.StructuredGraph;
 import org.graalvm.compiler.nodes.ValueNode;
 import org.graalvm.compiler.nodes.calc.IntegerEqualsNode;
+import org.graalvm.compiler.nodes.calc.IntegerLessThanNode;
 import org.graalvm.compiler.nodes.calc.IsNullNode;
 import org.graalvm.compiler.nodes.calc.NarrowNode;
 import org.graalvm.compiler.nodes.calc.SignExtendNode;
@@ -333,6 +334,21 @@ default ValueNode nullCheckedValue(ValueNode value, DeoptimizationAction action)
         return value;
     }
 
+    /**
+     * When {@link #needsExplicitException} is true, the method returns a node with a stamp that is
+     * always positive and emits code that trows a {@link NegativeArraySizeException} for a negative
+     * length.
+     */
+    default ValueNode maybeEmitExplicitNegativeArraySizeCheck(ValueNode arrayLength) {
+        if (!needsExplicitException() || ((IntegerStamp) arrayLength.stamp(NodeView.DEFAULT)).isPositive()) {
+            return arrayLength;
+        }
+        ConstantNode zero = add(ConstantNode.defaultForKind(arrayLength.getStackKind()));
+        LogicNode condition = add(IntegerLessThanNode.create(getConstantReflection(), getMetaAccess(), getOptions(), null, arrayLength, zero, NodeView.DEFAULT));
+        GuardingNode guardingNode = emitBytecodeExceptionCheck(condition, false, BytecodeExceptionKind.NEGATIVE_ARRAY_SIZE);
+        return getGraph().addOrUniqueWithInputs(PiNode.create(arrayLength, StampFactory.positiveInt(), guardingNode.asNode()));
+    }
+
     default GuardingNode maybeEmitExplicitDivisionByZeroCheck(ValueNode divisor) {
         if (!needsExplicitException() || !((IntegerStamp) divisor.stamp(NodeView.DEFAULT)).contains(0)) {
             return null;

compiler/src/org.graalvm.compiler.replacements/src/org/graalvm/compiler/replacements/StandardGraphBuilderPlugins.java

@@ -450,7 +450,9 @@ private static void registerArrayPlugins(InvocationPlugins plugins, Replacements
         r.register2("newInstance", Class.class, int.class, new InvocationPlugin() {
             @Override
             public boolean apply(GraphBuilderContext b, ResolvedJavaMethod targetMethod, Receiver unused, ValueNode componentType, ValueNode length) {
-                b.addPush(JavaKind.Object, new DynamicNewArrayNode(componentType, length, true));
+                ValueNode componentTypeNonNull = b.nullCheckedValue(componentType);
+                ValueNode lengthPositive = b.maybeEmitExplicitNegativeArraySizeCheck(length);
+                b.addPush(JavaKind.Object, new DynamicNewArrayNode(componentTypeNonNull, lengthPositive, true));
                 return true;
             }
         });

substratevm/src/com.oracle.svm.core/src/com/oracle/svm/core/graal/snippets/NonSnippetLowerings.java

@@ -140,6 +140,7 @@ protected NonSnippetLowerings(RuntimeConfiguration runtimeConfig, Predicate<Reso
         getCachedExceptionDescriptors.put(BytecodeExceptionKind.ARRAY_STORE, ImplicitExceptions.GET_CACHED_ARRAY_STORE_EXCEPTION);
         getCachedExceptionDescriptors.put(BytecodeExceptionKind.ILLEGAL_ARGUMENT_EXCEPTION_NEGATIVE_LENGTH, ImplicitExceptions.GET_CACHED_ILLEGAL_ARGUMENT_EXCEPTION);
         getCachedExceptionDescriptors.put(BytecodeExceptionKind.ILLEGAL_ARGUMENT_EXCEPTION_ARGUMENT_IS_NOT_AN_ARRAY, ImplicitExceptions.GET_CACHED_ILLEGAL_ARGUMENT_EXCEPTION);
+        getCachedExceptionDescriptors.put(BytecodeExceptionKind.NEGATIVE_ARRAY_SIZE, ImplicitExceptions.GET_CACHED_NEGATIVE_ARRAY_SIZE_EXCEPTION);
         getCachedExceptionDescriptors.put(BytecodeExceptionKind.DIVISION_BY_ZERO, ImplicitExceptions.GET_CACHED_ARITHMETIC_EXCEPTION);
         getCachedExceptionDescriptors.put(BytecodeExceptionKind.ASSERTION_ERROR_NULLARY, ImplicitExceptions.GET_CACHED_ASSERTION_ERROR);
         getCachedExceptionDescriptors.put(BytecodeExceptionKind.ASSERTION_ERROR_OBJECT, ImplicitExceptions.GET_CACHED_ASSERTION_ERROR);
@@ -152,6 +153,7 @@ protected NonSnippetLowerings(RuntimeConfiguration runtimeConfig, Predicate<Reso
         createExceptionDescriptors.put(BytecodeExceptionKind.ARRAY_STORE, ImplicitExceptions.CREATE_ARRAY_STORE_EXCEPTION);
         createExceptionDescriptors.put(BytecodeExceptionKind.ILLEGAL_ARGUMENT_EXCEPTION_NEGATIVE_LENGTH, ImplicitExceptions.CREATE_ILLEGAL_ARGUMENT_EXCEPTION);
         createExceptionDescriptors.put(BytecodeExceptionKind.ILLEGAL_ARGUMENT_EXCEPTION_ARGUMENT_IS_NOT_AN_ARRAY, ImplicitExceptions.CREATE_ILLEGAL_ARGUMENT_EXCEPTION);
+        createExceptionDescriptors.put(BytecodeExceptionKind.NEGATIVE_ARRAY_SIZE, ImplicitExceptions.CREATE_NEGATIVE_ARRAY_SIZE_EXCEPTION);
         createExceptionDescriptors.put(BytecodeExceptionKind.DIVISION_BY_ZERO, ImplicitExceptions.CREATE_DIVISION_BY_ZERO_EXCEPTION);
         createExceptionDescriptors.put(BytecodeExceptionKind.ASSERTION_ERROR_NULLARY, ImplicitExceptions.CREATE_ASSERTION_ERROR_NULLARY);
         createExceptionDescriptors.put(BytecodeExceptionKind.ASSERTION_ERROR_OBJECT, ImplicitExceptions.CREATE_ASSERTION_ERROR_OBJECT);
@@ -164,6 +166,7 @@ protected NonSnippetLowerings(RuntimeConfiguration runtimeConfig, Predicate<Reso
         throwCachedExceptionDescriptors.put(BytecodeExceptionKind.ARRAY_STORE, ImplicitExceptions.THROW_CACHED_ARRAY_STORE_EXCEPTION);
         throwCachedExceptionDescriptors.put(BytecodeExceptionKind.ILLEGAL_ARGUMENT_EXCEPTION_NEGATIVE_LENGTH, ImplicitExceptions.THROW_CACHED_ILLEGAL_ARGUMENT_EXCEPTION);
         throwCachedExceptionDescriptors.put(BytecodeExceptionKind.ILLEGAL_ARGUMENT_EXCEPTION_ARGUMENT_IS_NOT_AN_ARRAY, ImplicitExceptions.THROW_CACHED_ILLEGAL_ARGUMENT_EXCEPTION);
+        throwCachedExceptionDescriptors.put(BytecodeExceptionKind.NEGATIVE_ARRAY_SIZE, ImplicitExceptions.THROW_CACHED_NEGATIVE_ARRAY_SIZE_EXCEPTION);
         throwCachedExceptionDescriptors.put(BytecodeExceptionKind.DIVISION_BY_ZERO, ImplicitExceptions.THROW_CACHED_ARITHMETIC_EXCEPTION);
         throwCachedExceptionDescriptors.put(BytecodeExceptionKind.ASSERTION_ERROR_NULLARY, ImplicitExceptions.THROW_CACHED_ASSERTION_ERROR);
         throwCachedExceptionDescriptors.put(BytecodeExceptionKind.ASSERTION_ERROR_OBJECT, ImplicitExceptions.THROW_CACHED_ASSERTION_ERROR);
@@ -176,6 +179,7 @@ protected NonSnippetLowerings(RuntimeConfiguration runtimeConfig, Predicate<Reso
         throwNewExceptionDescriptors.put(BytecodeExceptionKind.ARRAY_STORE, ImplicitExceptions.THROW_NEW_ARRAY_STORE_EXCEPTION_WITH_ARGS);
         throwNewExceptionDescriptors.put(BytecodeExceptionKind.ILLEGAL_ARGUMENT_EXCEPTION_NEGATIVE_LENGTH, ImplicitExceptions.THROW_NEW_ILLEGAL_ARGUMENT_EXCEPTION_WITH_ARGS);
         throwNewExceptionDescriptors.put(BytecodeExceptionKind.ILLEGAL_ARGUMENT_EXCEPTION_ARGUMENT_IS_NOT_AN_ARRAY, ImplicitExceptions.THROW_NEW_ILLEGAL_ARGUMENT_EXCEPTION_WITH_ARGS);
+        throwNewExceptionDescriptors.put(BytecodeExceptionKind.NEGATIVE_ARRAY_SIZE, ImplicitExceptions.THROW_NEW_NEGATIVE_ARRAY_SIZE_EXCEPTION);
         throwNewExceptionDescriptors.put(BytecodeExceptionKind.DIVISION_BY_ZERO, ImplicitExceptions.THROW_NEW_DIVISION_BY_ZERO_EXCEPTION);
         throwNewExceptionDescriptors.put(BytecodeExceptionKind.ASSERTION_ERROR_NULLARY, ImplicitExceptions.THROW_NEW_ASSERTION_ERROR_NULLARY);
         throwNewExceptionDescriptors.put(BytecodeExceptionKind.ASSERTION_ERROR_OBJECT, ImplicitExceptions.THROW_NEW_ASSERTION_ERROR_OBJECT);