| Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
|---|---|---|---|---|---|---|
| JDK-8260782 | openjdk8u292 | Andrew Hughes | P4 | Resolved | Fixed | b01 |
One of our partners has reported SEGV running Spark Terasort.
The problem occurs in gen_write_ref_array_post_barrier in the following code
__ BIND(L_loop);
__ strb(zr, Address(start, count));
__ subs(count, count, 1);
__ br(Assembler::HS, L_loop);
which, when given a count of 0 will continue zeroing memory beyond the end of the byte map because of the use of unsigned comparison.
Here is the partners report
"
I find that in certain cases StubRoutines::_generic_arraycopy can be passed an element count of zero.
And this zero element count may be further passed to StubRoutines::_arrayof_oop_disjoint_arraycopy.
In that case, it will trigger a segmentation fault in native code generated by gen_write_ref_array_post_barrier.
The reason is that we got a zero count before entering the following loop, but we are using unsigned compare here to check the loop condition.
710 __ BIND(L_loop);
711 __ strb(zr, Address(start, count));
712 __ subs(count, count, 1);
713 __ br(Assembler::HS, L_loop);
714 }
I checked X86 and Sparc port, they both use signed compare with zero here.
Patch was generated from the the latest jdk9 hs-comp repo:
diff -r 7f42e988b083 src/cpu/aarch64/vm/stubGenerator_aarch64.cpp
--- a/src/cpu/aarch64/vm/stubGenerator_aarch64.cpp Thu Jun 02 17:52:42 2016 +0000
+++ b/src/cpu/aarch64/vm/stubGenerator_aarch64.cpp Mon Jun 06 13:51:51 2016 +0800
@@ -710,7 +710,7 @@
__ BIND(L_loop);
__ strb(zr, Address(start, count));
__ subs(count, count, 1);
- __ br(Assembler::HS, L_loop);
+ __ br(Assembler::GE, L_loop);
}
break;
default:
"
The problem occurs in gen_write_ref_array_post_barrier in the following code
__ BIND(L_loop);
__ strb(zr, Address(start, count));
__ subs(count, count, 1);
__ br(Assembler::HS, L_loop);
which, when given a count of 0 will continue zeroing memory beyond the end of the byte map because of the use of unsigned comparison.
Here is the partners report
"
I find that in certain cases StubRoutines::_generic_arraycopy can be passed an element count of zero.
And this zero element count may be further passed to StubRoutines::_arrayof_oop_disjoint_arraycopy.
In that case, it will trigger a segmentation fault in native code generated by gen_write_ref_array_post_barrier.
The reason is that we got a zero count before entering the following loop, but we are using unsigned compare here to check the loop condition.
710 __ BIND(L_loop);
711 __ strb(zr, Address(start, count));
712 __ subs(count, count, 1);
713 __ br(Assembler::HS, L_loop);
714 }
I checked X86 and Sparc port, they both use signed compare with zero here.
Patch was generated from the the latest jdk9 hs-comp repo:
diff -r 7f42e988b083 src/cpu/aarch64/vm/stubGenerator_aarch64.cpp
--- a/src/cpu/aarch64/vm/stubGenerator_aarch64.cpp Thu Jun 02 17:52:42 2016 +0000
+++ b/src/cpu/aarch64/vm/stubGenerator_aarch64.cpp Mon Jun 06 13:51:51 2016 +0800
@@ -710,7 +710,7 @@
__ BIND(L_loop);
__ strb(zr, Address(start, count));
__ subs(count, count, 1);
- __ br(Assembler::HS, L_loop);
+ __ br(Assembler::GE, L_loop);
}
break;
default:
"
- backported by
-
JDK-8260782 aarch64: SEGV running Spark terasort
-
- Resolved
-
- relates to
-
JDK-8257192 Integrate AArch64 JIT port into 8u
-
- Resolved
-