6953058: G1: A bigapp crashes with SIGSEGV in compiled code

Summary: In C2's G1 post write barrier, the loads of the buffer and index fields from the DirtyCardQueue structure may be moved across a safepoint. Use the current value of "control" in the C2 IR to limit how far these loads can move.
Reviewed-by: never, iveresov, kvn

1 files changed, 4 insertions, 5 deletions

diff --git a/src/share/vm/opto/graphKit.cpp b/src/share/vm/opto/graphKit.cpp
index 780ac554b..1e710ddb1 100644
--- a/src/share/vm/opto/graphKit.cpp
+++ b/src/share/vm/opto/graphKit.cpp
@@ -3487,7 +3487,6 @@ void GraphKit::g1_write_barrier_post(Node* oop_store,
 
   Node* tls = __ thread(); // ThreadLocalStorage
 
-  Node* no_ctrl = NULL;
   Node* no_base = __ top();
   float likely  = PROB_LIKELY(0.999);
   float unlikely  = PROB_UNLIKELY(0.999);
@@ -3511,10 +3510,10 @@ void GraphKit::g1_write_barrier_post(Node* oop_store,
   Node* index_adr =  __ AddP(no_base, tls, __ ConX(index_offset));
 
   // Now some values
-
-  Node* index  = __ load(no_ctrl, index_adr, TypeInt::INT, T_INT, Compile::AliasIdxRaw);
-  Node* buffer = __ load(no_ctrl, buffer_adr, TypeRawPtr::NOTNULL, T_ADDRESS, Compile::AliasIdxRaw);
-
+  // Use ctrl to avoid hoisting these values past a safepoint, which could
+  // potentially reset these fields in the JavaThread.
+  Node* index  = __ load(__ ctrl(), index_adr, TypeInt::INT, T_INT, Compile::AliasIdxRaw);
+  Node* buffer = __ load(__ ctrl(), buffer_adr, TypeRawPtr::NOTNULL, T_ADDRESS, Compile::AliasIdxRaw);
 
   // Convert the store obj pointer to an int prior to doing math on it
   // Must use ctrl to prevent "integerized oop" existing across safepoint