C2 hits the assertion assert(base>is_AddP()) failed: should be addp but is Phi

https://bugs.openjdk.java.net/browse/JDK-8262831

#
# A fatal error has been detected by the Java Runtime Environment:
#
#  Internal Error (/home/qingfeng.yy/valhalla/src/hotspot/share/opto/memnode.cpp:3913), pid=83262, tid=83348
#  assert(base->is_AddP()) failed: should be addp but is Phi
#
# JRE version: OpenJDK Runtime Environment (17.0) (slowdebug build 17-internal+0-adhoc.qingfengyy.valhalla)
# Java VM: OpenJDK 64-Bit Server VM (slowdebug 17-internal+0-adhoc.qingfengyy.valhalla, mixed mode, sharing, compressed oops, compressed class ptrs, g1 gc, linux-amd64)
# Problematic frame:
# V  [libjvm.so+0xf57fac]  InitializeNode::can_capture_store(StoreNode*, PhaseGVN*, bool)+0x5c4
#
# No core dump will be written. Core dumps have been disabled. To enable core dumping, try "ulimit -c unlimited" before starting Java again
#
# If you would like to submit a bug report, please visit:
#   https://bugreport.java.com/bugreport/crash.jsp
#

---------------  S U M M A R Y ------------

Command Line: -XX:+TraceIterativeGVN -XX:+Verbose -XX:+PrintIdeal -XX:-TieredCompilation -XX:TieredStopAtLevel=4 MainClass

Host: e69e13043.et15sqa, Intel(R) Xeon(R) Platinum 8163 CPU @ 2.50GHz, 96 cores, 503G, Alibaba Group Enterprise Linux Server release 7.2 (Paladin)
Time: Tue Mar  9 22:51:59 2021 CST elapsed time: 1.543516 seconds (0d 0h 0m 1s)

---------------  T H R E A D  ---------------

Current thread (0x00007ffff03f5c50):  JavaThread "C2 CompilerThread0" daemon [_thread_in_native, id=83348, stack(0x00007fff85bfc000,0x00007fff85cfd000)]


Current CompileTask:
C2:   1543 148 148    1 %           MainClass::test @ 10 (88 bytes)

Stack: [0x00007fff85bfc000,0x00007fff85cfd000],  sp=0x00007fff85cf7500,  free space=1005k
Native frames: (J=compiled Java code, A=aot compiled Java code, j=interpreted, Vv=VM code, C=native code)
V  [libjvm.so+0xf57fac]  InitializeNode::can_capture_store(StoreNode*, PhaseGVN*, bool)+0x5c4
V  [libjvm.so+0xf537ff]  StoreNode::Ideal(PhaseGVN*, bool)+0x5ab
V  [libjvm.so+0x108eff3]  PhaseGVN::apply_ideal(Node*, bool)+0x6f
V  [libjvm.so+0x10906b5]  PhaseIterGVN::transform_old(Node*)+0x105
V  [libjvm.so+0x109043c]  PhaseIterGVN::optimize()+0x162
V  [libjvm.so+0x8150bb]  PhaseIdealLoop::optimize(PhaseIterGVN&, LoopOptsMode)+0x77
V  [libjvm.so+0x8085e4]  Compile::Optimize()+0x744
V  [libjvm.so+0x7ff10f]  Compile::Compile(ciEnv*, ciMethod*, int, bool, bool, bool, bool, DirectiveSet*)+0x13ef
V  [libjvm.so+0x6e2d3d]  C2Compiler::compile_method(ciEnv*, ciMethod*, int, bool, DirectiveSet*)+0x11f
V  [libjvm.so+0x81eb7c]  CompileBroker::invoke_compiler_on_method(CompileTask*)+0x88a
V  [libjvm.so+0x81d7af]  CompileBroker::compiler_thread_loop()+0x3df
V  [libjvm.so+0x84021d]  CompilerThread::thread_entry(JavaThread*, Thread*)+0x69
V  [libjvm.so+0x12ffe52]  JavaThread::thread_main_inner()+0x14c
V  [libjvm.so+0x12ffcfe]  JavaThread::run()+0x11e
V  [libjvm.so+0x12fcfde]  Thread::call_run()+0x180
V  [libjvm.so+0x102b504]  thread_native_entry(Thread*)+0x1e4

primitive class MyValue {
    int b = 22;
}

public class MainClass {

    int iField;
    MyValue c;
    MyValue t;
  
    void test(MyValue[] array) {
        for (int i = 0; i < 10; ++i) {
            for (int j = 0; j < 10; ++j) {
                iField = 6;
            }
            for (int j = 0; j < 2; ++j) {
                iField += array[0].b;
            }
            MyValue[] array2 = {new MyValue()};
            c = array[0];
            array2[0] = t;
        }
    }

    public static void main(String[] args) {
        MainClass q = new MainClass();
        MyValue[] array = {new MyValue()};
        for (int i = 0; i < 50_000; ++i) {
            q.test(array);
        }
    }
}

The following test case is crashed at (5):

   void test(MyValue[] array) {
        for (int i = 0; i < 10; ++i) {
            for (int j = 0; j < 10; ++j) {     (1)
                iField = 6;                      (2)
            }                                       (3)
            for (int j = 0; j < 2; ++j) {
                iField += array[0].b;
            }
            MyValue[] array2 = {new MyValue()};   (4)
            c = array[0];                                    (5) // hit the assertion
            array2[0] = t;                                   (6)
        }
    }

I did some investigations. C2 wants to check whether there are other Mem nodes between (4) and (6) that read or write the array2, because it hopes to merge (4) and (6) into an InitializeNode. If it finds that there are any reads or writes, such as LoadI in (5), then its Address input must be an AddPNode.

But in fact, it may be a PhiNode(570), so an assertion is hit.

Why does PhiNode appear on (5) as the input of LoadINode? Because the loop unrolling (PhaseIdealLoop::do_unroll) occurred in (1)-(3), it produced a cloned node(550) of the parameter array(not as straightforward as I said, actually it's a CastPPNode which produced via extra steps), and then the parameter array(281) and the cloned nodes(535) were merged, thus a PhiNode(570) node appeared.

Thanks Tobias for pointing out that this scenario is not reproducible in mainline JDK because we can't perform such aggressive scalarization for non-inline types. So we'd better to fix it in Valhalla for now.