- Type: Bug
- Resolution: Withdrawn
- Priority: P2
- Affects Version/s: 11.0.14, 17.0.3
- Component/s: hotspot
- x86
- windows
We have found a bug in the JVM with our exception reporting system in Idea.
It affects jdk11 and jdk17 (can't say anything about jdk19).
We know it's a regression: jdk11.0.13 is not affected, jdk11.0.14+ is affected.
Can't say when it appeared in jdk17.
In stubGenerator_x86_32.cpp, in
void xmm_copy_forward(Register from, Register to_from, Register qword_count) {
...
} else if (UseAVX == 2) {
__ vmovdqu(xmm0, Address(from, 0));
__ vmovdqu(Address(from, to_from, Address::times_1, 0), xmm0);
__ vmovdqu(xmm1, Address(from, 32)); <--- THIS LINE
__ vmovdqu(Address(from, to_from, Address::times_1, 32), xmm1);
The issue happens when it copies near the boundary of a mapped memory region: the highlighted line copies 32 bytes; copying the first 16 of them would be OK, but the second 16 bytes would be located in a memory region not mapped in the current process, resulting in a crash.
A few snippets from crash reports:
openjdk11.0.14:
siginfo: EXCEPTION_ACCESS_VIOLATION (0xc0000005), reading address 0x000000009fde4000
RIP=0x0000000005d9f6fc is at begin+124 in a stub
RAX=0x00000000a049b1c2, RBX=0x000000072aa00010, RCX=0x0000000000378039, RDX=0xfffffffffff291ca
RSP=0x0000000091b0c870, RBP=0x0000000091b0c870, RSI=0x000000072b0f0078, RDI=0x00000000a049b1b8
R8 =0x0000000000378039, R9 =0x00000007b97d7a28, R10=0x00000000f72faf61, R11=0x000000072aa00000
R12=0x0000000000000000, R13=0x0000000000000007, R14=0x000000070114d5f8, R15=0x00000000ab516000
RIP=0x0000000005d9f6fc, EFLAGS=0x0000000000010286
Disassembly of crash site:
vmovdqu ymm0,YMMWORD PTR [rdi+rdx*8-0x38] --this read is ok
vmovdqu YMMWORD PTR [rsi+rdx*8-0x38],ymm0
vmovdqu ymm1,YMMWORD PTR [rdi+rdx*8-0x18] --this read is bad
vmovdqu YMMWORD PTR [rsi+rdx*8-0x18],ymm1
11.0.15:
siginfo: EXCEPTION_ACCESS_VIOLATION (0xc0000005), reading address 0x00000000c2b6a000
RIP=0x000000000656f6fc is at begin+124 in a stub
StubRoutines::jshort_disjoint_arraycopy [0x000000000656f680, 0x000000000656f738[ (184 bytes)
Registers:
RAX=0x00000000c56f72ae, RBX=0x00000000c2b470d0, RCX=0x00000000015d80c7, RDX=0xffffffffffa8e5af
RSP=0x00000000ca22cda0, RBP=0x00000000ca22cda0, RSI=0x00000007a49b0190, RDI=0x00000000c56f72a0
R8 =0x00000000015d80c7, R9 =0x00000007eae5dd08, R10=0x0000000000000007, R11=0x0000000000000000
R12=0x0000000000000000, R13=0x0000000800001808, R14=0x00000007644e2d78, R15=0x00000000c514a000
RIP=0x000000000656f6fc, EFLAGS=0x0000000000010286
Disassembly of crash site:
vmovdqu ymm0,YMMWORD PTR [rdi+rdx*8-0x38] --this read is ok
vmovdqu YMMWORD PTR [rsi+rdx*8-0x38],ymm0
vmovdqu ymm1,YMMWORD PTR [rdi+rdx*8-0x18] --this read is bad
vmovdqu YMMWORD PTR [rsi+rdx*8-0x18],ymm1
17.0.3
siginfo: EXCEPTION_ACCESS_VIOLATION (0xc0000005), reading address 0x0000000197861000
RIP=0x000000000615417c is at begin+284 in a stub
StubRoutines::jlong_disjoint_arraycopy [0x0000000006154060, 0x0000000006154227] (455 bytes)
Registers:
RAX=0x00000001a1683768, RBX=0x00000000b5200000, RCX=0x00000000bf037560, RDX=0xfffffffffec3bb15
RSP=0x000000015883c750, RBP=0x000000015883c750, RSI=0x00000000b5200010, RDI=0x00000001a1683760
R8 =0x00000000013c6eab, R9 =0x000000019524a450, R10=0x00000000061554c0, R11=0x0000000009e37558
R12=0x0000000000000000, R13=0x000000015883c8e8, R14=0x000000010014e5f0, R15=0x000000019524a450
RIP=0x000000000615417c, EFLAGS=0x0000000000010292
Crash site disassembly:
vmovdqu ymm0,YMMWORD PTR [rdi+rdx*8-0x38]
vmovdqu YMMWORD PTR [rcx+rdx*8-0x38],ymm0
vmovdqu ymm1,YMMWORD PTR [rdi+rdx*8-0x18] <-- crashes here
vmovdqu YMMWORD PTR [rcx+rdx*8-0x18],ymm1
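As an added worked example (not code from the report or from HotSpot), the C program below recomputes the source operand of both vmovdqu loads from the RDI/RDX values in the three register dumps above and relates each 32-byte read to the siginfo fault address; the 4 KiB page size used for the mapped-region edge is an assumption.

```c
/* Triage helper: recompute [rdi + rdx*8 + disp] for the two ymm loads at the crash
 * site and check how much of each 32-byte read precedes the page that faulted. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define PAGE_SIZE 4096ULL   /* assumption: x86 small page marks the mapped-region edge */
#define YMM_BYTES 32ULL     /* vmovdqu ymm reads 32 bytes */

typedef struct {
    uint64_t ea;            /* effective address of the load's source operand */
    bool     fault_in_load; /* reported fault address lies inside this read */
    unsigned ok_bytes;      /* bytes of the read that precede the faulting page */
} load_triage;

/* [base + index*scale + disp] with the CPU's 64-bit wraparound (rdx is negative here). */
static uint64_t effective_address(uint64_t base, uint64_t index, unsigned scale, int64_t disp)
{
    return base + index * (uint64_t)scale + (uint64_t)disp;
}

/* Classify one ymm load against the siginfo fault address from the crash report. */
static load_triage triage_load(uint64_t rdi, uint64_t rdx, int64_t disp, uint64_t fault_addr)
{
    load_triage t;
    uint64_t fault_page = fault_addr & ~(PAGE_SIZE - 1);
    t.ea = effective_address(rdi, rdx, 8, disp);
    t.fault_in_load = fault_addr >= t.ea && fault_addr < t.ea + YMM_BYTES;
    if (t.ea >= fault_page)
        t.ok_bytes = 0;                             /* whole read is past the boundary */
    else if (t.ea + YMM_BYTES <= fault_page)
        t.ok_bytes = (unsigned)YMM_BYTES;           /* whole read precedes the boundary */
    else
        t.ok_bytes = (unsigned)(fault_page - t.ea); /* read straddles the boundary */
    return t;
}

int main(void)
{
    /* RDI, RDX and fault address copied from the three crash snippets in the report. */
    struct { const char *jdk; uint64_t rdi, rdx, fault; } cases[] = {
        { "11.0.14", 0x00000000a049b1b8ULL, 0xfffffffffff291caULL, 0x000000009fde4000ULL },
        { "11.0.15", 0x00000000c56f72a0ULL, 0xffffffffffa8e5afULL, 0x00000000c2b6a000ULL },
        { "17.0.3",  0x00000001a1683760ULL, 0xfffffffffec3bb15ULL, 0x0000000197861000ULL },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        load_triage prev = triage_load(cases[i].rdi, cases[i].rdx, -0x38, cases[i].fault);
        load_triage bad  = triage_load(cases[i].rdi, cases[i].rdx, -0x18, cases[i].fault);
        printf("%s: ymm0 load 0x%llx (%u/32 bytes mapped), ymm1 load 0x%llx (%u/32 mapped, fault inside: %s)\n",
               cases[i].jdk, (unsigned long long)prev.ea, prev.ok_bytes,
               (unsigned long long)bad.ea, bad.ok_bytes, bad.fault_in_load ? "yes" : "no");
    }
    return 0;
}
```

For 11.0.14 and 17.0.3 the ymm1 read starts 16 bytes before the faulting page, while in the 11.0.15 dump it starts exactly on it; in all three the preceding ymm0 read lies entirely inside the mapped page.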