Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8255452

Doing GC during JVMTI MethodExit event posting breaks return oop

    XMLWordPrintable

Details

    • b24
    • linux

    Backports

      Description

        While stress testing some JVMTI tagmap table changes, we've found a few crashes with stack traces similar to this:

        # assert(Universe::heap()->is_in_or_null(r)) failed: bad receiver: 0x00000800014401b0 (8796114256304)
        ...
        Stack: [0x00007fad771f1000,0x00007fad772f2000], sp=0x00007fad772ebef0, free space=1003k
        Native frames: (J=compiled Java code, A=aot compiled Java code, j=interpreted, Vv=VM code, C=native code)
        V [libjvm.so+0xd40b44] HandleArea::allocate_handle(oop)+0x144
        V [libjvm.so+0x16c7b86] SharedRuntime::find_callee_info_helper(JavaThread*, vframeStream&, Bytecodes::Code&, CallInfo&, Thread*)+0x796
        V [libjvm.so+0x16cbf5a] SharedRuntime::handle_ic_miss_helper(JavaThread*, Thread*)+0xfa
        V [libjvm.so+0x16cccfe] SharedRuntime::handle_wrong_method_ic_miss(JavaThread*)+0x1ce
        v ~RuntimeStub::ic_miss_stub
        J 413 c1 java.lang.StringConcatHelper.stringOf(Ljava/lang/Object;)Ljava/lang/String; java.base@16-internal (20 bytes) @ 0x00007fb0491fcba4 [0x00007fb0491fca60+0x0000000000000144]
        j java.lang.invoke.DirectMethodHandle$Holder.invokeStatic(Ljava/lang/Object;Ljava/lang/Object;)Ljava/lang/Object;+10 java.base@16-internal
        j java.lang.invoke.LambdaForm$MH+0x0000000800c17400.invoke(Ljava/lang/Object;Ljava/lang/Object;Ljava/lang/Object;Ljava/lang/Object;)Ljava/lang/Object;+28 java.base@16-internal
        j java.lang.invoke.Invokers$Holder.linkToTargetMethod(Ljava/lang/Object;Ljava/lang/Object;Ljava/lang/Object;Ljava/lang/Object;)Ljava/lang/Object;+7 java.base@16-internal
        j nsk.share.jpda.ForceEarlyReturnTestThread.executeMethod(Ljava/lang/String;)V+983
        j nsk.share.jpda.ForceEarlyReturnTestThread.run()V+69
        v ~StubRoutines::call_stub
        V [libjvm.so+0xe39105] JavaCalls::call_helper(JavaValue*, methodHandle const&, JavaCallArguments*, Thread*)+0x595
        V [libjvm.so+0xe39985] JavaCalls::call_virtual(JavaValue*, Klass*, Symbol*, Symbol*, JavaCallArguments*, Thread*)+0x4c5
        V [libjvm.so+0xe39e2c] JavaCalls::call_virtual(JavaValue*, Handle, Klass*, Symbol*, Symbol*, Thread*)+0xac
        V [libjvm.so+0xfcafeb] thread_entry(JavaThread*, Thread*)+0x12b
        V [libjvm.so+0x185a396] JavaThread::thread_main_inner()+0x256
        V [libjvm.so+0x18611c0] Thread::call_run()+0x100
        V [libjvm.so+0x154f746] thread_native_entry(Thread*)+0x116

        This can be reproduced with ZGC with the following command line:
        while true; do make --no-print-directory -C ../build/fastdebug/ test TEST=test/hotspot/jtreg/vmTestbase/nsk/jdi/MethodExitEvent/returnValue/returnValue003/returnValue003.java JTREG="JAVA_OPTIONS=-XX:+UseZGC -Xmx2g -XX:ZCollectionInterval=0.0001 -XX:ZFragmentationLimit=0.01 -XX:-ShowMessageBoxOnError" JTREG_EXTRA_PROBLEM_LISTS=ProblemList-zgc.txt; done

        Or with G1 and Serial by running a jcmd loop to externally trigger System.gc:
        while true; do jcmd nsk.jdi.MethodExitEvent.returnValue.returnValue003.returnValue003a GC.run; done

        While investigating the G1 crash I saw a crash here:
           0x00007f18489bc3f5: addq $0x1,0x30(%r14)
           0x00007f18489bc3fa: sbbq $0x0,0x30(%r14)
           0x00007f18489bc3ff: jmpq 0x7f18489bc411
           0x00007f18489bc404: mov %rax,0x18(%r14)
           0x00007f18489bc408: mov $0x1,%edx
           0x00007f18489bc40d: mov %rdx,0x20(%r14)
           0x00007f18489bc411: add $0x38,%r14
           0x00007f18489bc415: mov %r14,-0x28(%rbp)
        => 0x00007f18489bc419: mov 0x1e0(%rax,%rbx,8),%rbx
           0x00007f18489bc421: mov -0x28(%rbp),%rdx
           0x00007f18489bc425: test %rdx,%rdx
           0x00007f18489bc428: je 0x7f18489bc5a9
           0x00007f18489bc42e: cmpb $0xb,-0x38(%rdx)
           0x00007f18489bc432: jne 0x7f18489bc5a9

        With a broken rax:
        (gdb) p /x $rax
        $2 = 0xdd56dd5f0

        Coming from a decoding of a compressed klass pointer:
           0x00007f18489bc363: mov 0x8(%rcx),%eax
           0x00007f18489bc366: shl $0x3,%rax
           0x00007f18489bc36a: movabs $0x800000000,%r10
           0x00007f18489bc374: add %r10,%rax
           0x00007f18489bc377: mov -0x28(%rbp),%r14
           0x00007f18489bc37b: test %r14,%r14
           0x00007f18489bc37e: je 0x7f18489bc419

        Reversing decoding of rax gives:
        (gdb) p /x 0xdd56dd5f0 - 0x800000000
        $6 = 0x5d56dd5f0
        (gdb) p /x (0xdd56dd5f0 - 0x800000000) >> 3
        $7 = 0xbaadbabe

        The object is in rcx:
          0x00007f18489bc363: mov 0x8(%rcx),%eax

        Whichs contains the infamouss baadbabe:
        (gdb) x /x $rcx
        0x80502218: 0xbaadbabebaadbabe

        Attachments

          Issue Links

            Activity

              People

                eosterlund Erik Ă–sterlund
                stefank Stefan Karlsson
                Votes:
                0 Vote for this issue
                Watchers:
                8 Start watching this issue

                Dates

                  Created:
                  Updated:
                  Resolved: