Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8290867

Race freeing remembered set segments

    XMLWordPrintable

Details

    • gc
    • 18
    • b34

    Backports

      Description

        There is a race in remembered set memory management that can lead to crashes:

        - Thread A executes G1SegmentedArray::create_new_segment and tries to pop an element from the _free_segment_list. For that, thread A executes LockFreeStack::pop()
        - Thread A reads LockFreeStack::top()
        - Thread B executes LockFreeStack::pop(), also reads LockFreeStack::top() and pops that element from the stack
        - Thread B executes Atomic::cmpxchg(&_first, prev, next); in G1SegmentedArray::create_new_segment but it fails because another thread already registered a different segment
        - Thread B calls G1SegmentedArraySegment::delete_segment and frees the value
        - Thread A tries to access top()->next in LockFreeStack::pop(), which causes a segfault because top() was freed by thread B

        (Reported by [~chaeubl])

        Attachments

          Issue Links

            backported by

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8291870 Race freeing remembered set segments

            • P2 - Crashes, loss of data, severe memory leak.
            • Resolved

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8292125 Race freeing remembered set segments

            • P2 - Crashes, loss of data, severe memory leak.
            • Resolved

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8292149 Race freeing remembered set segments

            • P2 - Crashes, loss of data, severe memory leak.
            • Resolved
            relates to

            Enhancement - null JDK-8292030 Fix GlobalCounter shutdown problem with remembered set

            • P4 - Minor loss of function, or other problem where easy workaround is present.
            • Open
            links to

            Commit Commit openjdk/jdk19/e265b2a2

            Review Review openjdk/jdk19/152

            Activity

              People

                tschatzl Thomas Schatzl
                tschatzl Thomas Schatzl
                Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                  Created:
                  Updated:
                  Resolved: