-
Bug
-
Resolution: Fixed
-
P3
-
6
-
mustang
-
sparc
-
solaris_8
| Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
|---|---|---|---|---|---|---|
| JDK-2128303 | 5.0u6 | Chris Phillips | P2 | Closed | Fixed | b01 |
| JDK-2126532 | 1.4.2_10 | Chris Phillips | P3 | Closed | Fixed | b01 |
Running in interpreted mode, the "instanceof" codelet can crash if it has to traverse a list of superclasses which is right at the end of the java heap: it can make a brief but fatal reference to a memory address in an unmapped region.
Native stack with additional info from Serviceability Agent:
[9] libthread.so.1:sigacthandler(0x3d047a00, 0x3437e470, 0x3437e1b8, 0xff388000, 0x3437e470, 0xb), at 0xff36fa7c
---- called from signal handler with signal 11 (SIGSEGV) ------
=>[10] 0xfa016d90(0x3437e5c4, 0xb8, 0x0, 0xfa0122e8, 0x0, 0x0), at 0xfa016d8f
- protected static de.rbg.nbs.app.gkr.peer.model.GKRApplicationModel
checkRefs(de.rbg.nbs.app.gkr.peer.model.GKRApplicationModel) @0xccb89948
@bci = 1, line = 128, pc = 0xfa016d90 (Interpreted)
Which is:
line bci
128 1ááinstanceof #27 [Class de.rbg.nbs.app.gkr.peer.model.AMVorgangDetail]
[11] 0xfa005750(0x3437e654, 0xb8, 0x0, 0xfa016250, 0x4, 0x3437e568), at 0xfa00574f
[12] 0xfa005750(0x3437e6fc, 0xb8, 0x0, 0xfa016250, 0x4, 0x3437e5e0), at 0xfa00574f
[13] 0xfa005750(0x3437e7ac, 0xb8, 0x0, 0xfa015ea0, 0xc, 0x3437e690), at 0xfa00574f
[14] 0xfa005750(0x3437e844, 0xb8, 0x0, 0xfa016250, 0x8, 0x3437e748), at 0xfa00574f
[15] 0xfa005750(0x3437e8f4, 0xb6, 0x0, 0xfa016250, 0x4, 0x3437e7d0), at 0xfa00574f
[16] 0xfa005750(0x3437e99c, 0xb6, 0x0, 0xfa015e50, 0x8, 0x3437e880), at 0xfa00574f
[17] 0xfa005750(0x3437ea34, 0x0, 0x0, 0xfa015e50, 0x4, 0x3437e930), at 0xfa00574f
[18] 0xfa00010c(0x3437eac0, 0x3437ebf8, 0xa, 0xcf21cd10, 0x8, 0x3437e9d0), at 0xfa00010b
[19] libjvm.so:JavaCalls::call_helper(0x3437ebf0, 0x3437ebec, 0x3437ec24, 0xf98000, 0xf98000, 0xfee16b7c), at 0xfed5bcf8
[20] libjvm.so:Reflection::invoke(0x0, 0x3437ed50, 0xff1d5e30, 0x1, 0xcb5f2570, 0xc), at 0xfee16cc4
[21] libjvm.so:Reflection::invoke_method(0x4b51f390, 0x3437edd8, 0x3437edd4, 0xf98000, 0xfeeaa204, 0x0), at 0xfeea2f54
The "instanceof" has got to the code generated by:
void InterpreterMacroAssembler::gen_subtype_check
...to the section that traverses the list of "secondary supertypes"
We are traversing the list of these secondary supertypes, a list of 13 elements in this case.
We are about to exit the loop, but the delay slot for that exit jump loads the NEXT element in the array. This is usually innocuous, but in this case causes a SEGV.
Native stack with additional info from Serviceability Agent:
[9] libthread.so.1:sigacthandler(0x3d047a00, 0x3437e470, 0x3437e1b8, 0xff388000, 0x3437e470, 0xb), at 0xff36fa7c
---- called from signal handler with signal 11 (SIGSEGV) ------
=>[10] 0xfa016d90(0x3437e5c4, 0xb8, 0x0, 0xfa0122e8, 0x0, 0x0), at 0xfa016d8f
- protected static de.rbg.nbs.app.gkr.peer.model.GKRApplicationModel
checkRefs(de.rbg.nbs.app.gkr.peer.model.GKRApplicationModel) @0xccb89948
@bci = 1, line = 128, pc = 0xfa016d90 (Interpreted)
Which is:
line bci
128 1ááinstanceof #27 [Class de.rbg.nbs.app.gkr.peer.model.AMVorgangDetail]
[11] 0xfa005750(0x3437e654, 0xb8, 0x0, 0xfa016250, 0x4, 0x3437e568), at 0xfa00574f
[12] 0xfa005750(0x3437e6fc, 0xb8, 0x0, 0xfa016250, 0x4, 0x3437e5e0), at 0xfa00574f
[13] 0xfa005750(0x3437e7ac, 0xb8, 0x0, 0xfa015ea0, 0xc, 0x3437e690), at 0xfa00574f
[14] 0xfa005750(0x3437e844, 0xb8, 0x0, 0xfa016250, 0x8, 0x3437e748), at 0xfa00574f
[15] 0xfa005750(0x3437e8f4, 0xb6, 0x0, 0xfa016250, 0x4, 0x3437e7d0), at 0xfa00574f
[16] 0xfa005750(0x3437e99c, 0xb6, 0x0, 0xfa015e50, 0x8, 0x3437e880), at 0xfa00574f
[17] 0xfa005750(0x3437ea34, 0x0, 0x0, 0xfa015e50, 0x4, 0x3437e930), at 0xfa00574f
[18] 0xfa00010c(0x3437eac0, 0x3437ebf8, 0xa, 0xcf21cd10, 0x8, 0x3437e9d0), at 0xfa00010b
[19] libjvm.so:JavaCalls::call_helper(0x3437ebf0, 0x3437ebec, 0x3437ec24, 0xf98000, 0xf98000, 0xfee16b7c), at 0xfed5bcf8
[20] libjvm.so:Reflection::invoke(0x0, 0x3437ed50, 0xff1d5e30, 0x1, 0xcb5f2570, 0xc), at 0xfee16cc4
[21] libjvm.so:Reflection::invoke_method(0x4b51f390, 0x3437edd8, 0x3437edd4, 0xf98000, 0xfeeaa204, 0x0), at 0xfeea2f54
The "instanceof" has got to the code generated by:
void InterpreterMacroAssembler::gen_subtype_check
...to the section that traverses the list of "secondary supertypes"
We are traversing the list of these secondary supertypes, a list of 13 elements in this case.
We are about to exit the loop, but the delay slot for that exit jump loads the NEXT element in the array. This is usually innocuous, but in this case causes a SEGV.
- backported by
-
JDK-2128303 JVM crash in "instanceof" codelet, array of secondary supertypes at end of heap.
-
- Closed
-
-
-
- Closed
-