Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-2098276 | 5.0 | Steve Goldman | P2 | Resolved | Fixed | beta2 |
This bug has two titles:
64-bit hotspot: getfield doesn't sign-extend int (Regression since 1.4.0)
and:
Tableswitch instruction crashes JVM: 64-bit, compiled method returning the switch parameter
The "Tableswitch" title describes the likely impact (the impact we've seen in
the real world) but the first title describes the real problem (i.e. maybe
tableswitch is innocent).
Problem:
-------
The tableswitch codelet is entered with the switch value (int)
in o0.
In sparcv9 mode, with a hotspot-compiled method setting the switch parameter,
0x00000000ffffffff is in this register. When the index into the
bytecode table is computed, the result is far too large, resulting
in a SEGV and crash.
An interpreted method will have put 0xffffffffffffffff in o0. This satisfies
the arithmetic for finding the relevant place in the tableswitch bytecode table.
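The register arithmetic described above, worked through in C as an added example (it is not code from the bug report or from HotSpot). The split between a 32-bit range check and a 64-bit index subtraction is an assumed model of the codelet, and all function names are hypothetical; the table bounds are constructed to match the switch in the test case.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed table bounds matching the test case's switch (cases -1..4). */
enum { LOW = -1, HIGH = 4, ENTRIES = HIGH - LOW + 1 };

/* Register contents the report gives for an interpreted method: sign-extended. */
static uint64_t reg_sign_extended(int32_t v) { return (uint64_t)(int64_t)v; }

/* Register contents the report gives for compiled getInt(): upper half clear. */
static uint64_t reg_zero_extended(int32_t v) { return (uint64_t)(uint32_t)v; }

/* Low 32 bits of the register reinterpreted as a Java int (two's complement). */
static int32_t low_word(uint64_t reg) { return (int32_t)(uint32_t)reg; }

/* Assumed model of the codelet: the range check sees only the low 32 bits,
 * the index subtraction uses the whole 64-bit register. */
static uint64_t table_index(uint64_t reg)
{
    int32_t key = low_word(reg);
    if (key < LOW || key > HIGH)
        return UINT64_MAX;                     /* would take the default branch */
    return reg - (uint64_t)(int64_t)LOW;       /* 64-bit "key - low" */
}

/* Defensive form: re-establish the sign-extension invariant before indexing. */
static uint64_t table_index_normalized(uint64_t reg)
{
    return table_index(reg_sign_extended(low_word(reg)));
}

static int in_table(uint64_t index) { return index < (uint64_t)ENTRIES; }

int main(void)
{
    uint64_t good = reg_sign_extended(-1), bad = reg_zero_extended(-1);
    printf("sign-extended %#018" PRIx64 " -> index %" PRIu64 "\n", good, table_index(good));
    printf("zero-extended %#018" PRIx64 " -> index %#" PRIx64 " (in table: %d)\n",
           bad, table_index(bad), in_table(table_index(bad)));
    printf("normalized    -> index %" PRIu64 "\n", table_index_normalized(bad));
    return 0;
}
```

Non-negative switch values produce the same index under both register forms, which is why only negative ints returned from compiled code expose the missing sign extension.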
Impact:
------
This has been seen in a production application at a customer site,
and has now been reproduced with the test app below.
1.4.0 FCS and 1.4.0_04 are OK.
1.4.1 and 1.4.2 in FCS and update versions appear bad, tested up to 1.4.2_04.
1.5 beta so far has refused to compile the getInt method in the testcase.
To reproduce:
------------
Save source below as Test.java and compile with:
javac Test.java
Run with:
java -d64 -XX:+PrintCompilation Test prime
As long as the getInt method got compiled, the VM exits with:
cheesypoof(5.9)$ java -d64 -XX:+PrintCompilation Test prime
Priming...
1 Test::<init> (70 bytes)
2 Test::doTest (119 bytes)
1% Test::<init> @ 25 (70 bytes)
3 Test::getInt (5 bytes)
doing test...
i= -1
Unexpected Signal : 11 occurred at PC=0xFFFFFFFF3941572C
Function=[Unknown.]
Library=(N/A)
NOTE: We are unable to locate the function name symbol for the error
just occurred. Please refer to release documentation for possible
reason and solutions.
Current Java thread:
Dynamic libraries:
0x100000000 /net/cafebabe.uk/export/apps/products/java/jdk/prodn/j2sdk1.4.2_04/bin/sparcv9/java
0xffffffff7f300000 /usr/lib/64/libthread.so.1
0xffffffff7f500000 /usr/lib/64/libdl.so.1
0xffffffff7ef00000 /usr/lib/64/libc.so.1
0xffffffff7f100000 /usr/platform/SUNW,Sun-Blade-1000/lib/sparcv9/libc_psr.so.1
0xffffffff7e400000 /net/cafebabe.uk/export/apps/products/java/jdk/prodn/j2sdk1.4.2_04/jre/lib/sparcv9/server/libjvm.so
0xffffffff7e200000 /usr/lib/64/libCrun.so.1
0xffffffff7e000000 /usr/lib/64/libsocket.so.1
0xffffffff7de00000 /usr/lib/64/libnsl.so.1
0xffffffff7dc00000 /usr/lib/64/libm.so.1
0xffffffff7d900000 /usr/lib/64/libsched.so.1
0xffffffff7ed00000 /usr/lib/64/libw.so.1
0xffffffff7d600000 /usr/lib/64/libmp.so.2
0xffffffff7d400000 /usr/lib/64/librt.so.1
0xffffffff7d100000 /usr/lib/64/libaio.so.1
0xffffffff7cf00000 /usr/lib/64/libmd5.so.1
0xffffffff7cd00000 /usr/platform/SUNW,Sun-Blade-1000/lib/sparcv9/libmd5_psr.so.1
0xffffffff7c900000 /net/cafebabe.uk/export/apps/products/java/jdk/prodn/j2sdk1.4.2_04/jre/lib/sparcv9/native_threads/libhpi.so
0xffffffff7c100000 /net/cafebabe.uk/export/apps/products/java/jdk/prodn/j2sdk1.4.2_04/jre/lib/sparcv9/libverify.so
0xffffffff7be00000 /net/cafebabe.uk/export/apps/products/java/jdk/prodn/j2sdk1.4.2_04/jre/lib/sparcv9/libjava.so
0xffffffff7bc00000 /net/cafebabe.uk/export/apps/products/java/jdk/prodn/j2sdk1.4.2_04/jre/lib/sparcv9/libzip.so
0xffffffff2f800000 /usr/lib/locale/en_GB.ISO8859-1/sparcv9/en_GB.ISO8859-1.so.2
Heap at VM Abort:
Heap
def new generation total 2112K, used 155K [0xffffffff2fc00000, 0xffffffff2fe20000, 0xffffffff31150000)
eden space 2048K, 7% used [0xffffffff2fc00000, 0xffffffff2fc26ea0, 0xffffffff2fe00000)
from space 64K, 0% used [0xffffffff2fe00000, 0xffffffff2fe00000, 0xffffffff2fe10000)
to space 64K, 0% used [0xffffffff2fe10000, 0xffffffff2fe10000, 0xffffffff2fe20000)
tenured generation total 1408K, used 0K [0xffffffff31150000, 0xffffffff312b0000, 0xffffffff33c00000)
the space 1408K, 0% used [0xffffffff31150000, 0xffffffff31150000, 0xffffffff31150200, 0xffffffff312b0000)
compacting perm gen total 16384K, used 1515K [0xffffffff33c00000, 0xffffffff34c00000, 0xffffffff37c00000)
the space 16384K, 9% used [0xffffffff33c00000, 0xffffffff33d7af68, 0xffffffff33d7b000, 0xffffffff34c00000)
Local Time = Tue Apr 20 10:47:16 2004
Elapsed Time = 2
#
# HotSpot Virtual Machine Error : 11
# Error ID : 4F530E43505002EF 01
# Please report this error at
# http://java.sun.com/cgi-bin/bugreport.cgi
#
# Java VM: Java HotSpot(TM) 64-Bit Server VM (1.4.2_04-b05 mixed mode)
#
# An error report file has been saved as hs_err_pid6072.log.
# Please refer to the file for further information.
#
Abort(coredump)
cheesypoof(5.9)$
If the getInt method did not get hotspot-compiled, the app will not crash
the VM: this often happens the first time you run that version of java
with the testcase. Running it a second time is generally faster due to caching,
so will usually compile getInt and show the crash...
That test application code in full:
=================================================================
//
// Crash the VM in a TableSwitch interpreter codelet
// java -d64 -XX:+PrintCompilation Test prime
//
// To NOT crash, run without -d64
// or without the "prime" flag to avoid hotspotting the getInt method
//
//
class Test {
    private int someInt = -1;

    private int getInt() {
        return someInt;
    }

    private void doTest(int delay) {
        int i = 0xffffffff;
        if (delay==0)
            return;
        i = getInt();
        System.out.println("i= " + i);
        switch (getInt()) {
            case -1:
                System.out.println("was -1");
                break;
            case 0:
            case 1:
            case 2:
            case 3:
            case 4:
                System.out.println("was NOT -1");
                break;
            default:
                System.out.println("was NOT -1");
                break;
        } // end switch
        System.out.println("done switch");
    }

    Test(boolean prime) {
        int i=0;
        if (prime) {
            System.out.println("Priming...");
            for (int j=0; j<50000;j++) {
                i = getInt();
                doTest(0);
            }
            delay(2000);
        }
        System.out.println("doing test...");
        doTest(5000);
    }

    public static void main(String args[]) {
        Test t;
        if (args.length>0) {
            t = new Test(true);
        } else {
            t = new Test(false);
        }
    }

    private void delay(int time) {
        try {
            Thread.sleep(time);
        } catch (InterruptedException e) {
            System.out.println("Interrupted!");
            e.printStackTrace();
        }
    }
}
=================================================================
- backported by: JDK-2098276 64-bit hotspot: getfield doesn't sign-extend int (Regression since 1.4.0) - Resolved