-
Bug
-
Resolution: Fixed
-
P3
-
6
-
b95
-
sparc
-
solaris_9
I got a crash running JBB under the collector.
On inspection of the crash log, I found that the code in forte.cpp which validates the Lmethod of an interpreter frame is not cautious enough.
static inline bool forte_is_valid_method(methodOop method) {
if (method == NULL ||
// The methodOop is extracted via an offset from the current
// interpreter frame. With AsyncGetCallTrace() the interpreter
// frame may still be under construction so we need to make
// sure that we got an aligned oop before we try to use it.
!Space::is_aligned(method) ||
!Universe::heap()->is_in_reserved((void*)method) ||
// See if GC became active after we entered AsyncGetCallTrace()
// and before we try to use the methodOop. This routine is
// used in validation of the top_frame so we don't have any
// other data to flush if we bail due to GC here.
// Yes, there is still a window after this check and before
// we use methodOop below, but we can't lock out GC so that
// has to be an acceptable risk.
Universe::heap()->is_gc_active() ||
// klass() does not need vtable dispatch so check before is_perm()
oop(method)->klass() != Universe::methodKlassObj() ||
!method->is_perm() ||
!method->is_method()) {
return false; // doesn't look good
}
return true; // hopefully this is a method indeed
}
In the above method, the is_perm call must come before the klass check.
If not, you can get a method pointing into the unmapped part of the heap's reserved area (e.g., a very high address just within bounds), and the instruction which loads the class will SEGV. This is what happened to me.
(You should remove the comment about a vtable, which appears to be a thoughtless and useless optimization. Nobody cares which order the tests come in, since in most cases both tests are going to be run, since most frame collection attempts are successful.)
On inspection of the crash log, I found that the code in forte.cpp which validates the Lmethod of an interpreter frame is not cautious enough.
static inline bool forte_is_valid_method(methodOop method) {
if (method == NULL ||
// The methodOop is extracted via an offset from the current
// interpreter frame. With AsyncGetCallTrace() the interpreter
// frame may still be under construction so we need to make
// sure that we got an aligned oop before we try to use it.
!Space::is_aligned(method) ||
!Universe::heap()->is_in_reserved((void*)method) ||
// See if GC became active after we entered AsyncGetCallTrace()
// and before we try to use the methodOop. This routine is
// used in validation of the top_frame so we don't have any
// other data to flush if we bail due to GC here.
// Yes, there is still a window after this check and before
// we use methodOop below, but we can't lock out GC so that
// has to be an acceptable risk.
Universe::heap()->is_gc_active() ||
// klass() does not need vtable dispatch so check before is_perm()
oop(method)->klass() != Universe::methodKlassObj() ||
!method->is_perm() ||
!method->is_method()) {
return false; // doesn't look good
}
return true; // hopefully this is a method indeed
}
In the above method, the is_perm call must come before the klass check.
If not, you can get a method pointing into the unmapped part of the heap's reserved area (e.g., a very high address just within bounds), and the instruction which loads the class will SEGV. This is what happened to me.
(You should remove the comment about a vtable, which appears to be a thoughtless and useless optimization. Nobody cares which order the tests come in, since in most cases both tests are going to be run, since most frame collection attempts are successful.)
- relates to
-
-
- Resolved
-
-
-
- Resolved
-
-
JDK-6272349 Use C1 as fast compiler in a tiered system with C2
-
- Closed
-