-
Bug
-
Resolution: Fixed
-
P3
-
21, 22
-
b04
| Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
|---|---|---|---|---|---|---|
| JDK-8323310 | 22.0.1 | Patricio Chilano Mateo | P3 | Resolved | Fixed | b02 |
| JDK-8322307 | 22 | Patricio Chilano Mateo | P3 | Resolved | Fixed | b31 |
| JDK-8327643 | 21.0.4-oracle | Calvin Cheung | P3 | Resolved | Fixed | b01 |
| JDK-8326928 | 21.0.4 | Aleksey Shipilev | P3 | Resolved | Fixed | b01 |
While working on Loom I run into the following crash when running applications/jetty/Jetty.java:
#
# A fatal error has been detected by the Java Runtime Environment:
#
# Internal Error open/src/hotspot/share/oops/stackChunkOop.cpp:506), pid=2390677, tid=2390742
# assert(_chunk->bitmap().at(index)) failed: Bit not set at index 447 corresponding to 0x00000006ff888ba4
Current thread (0x00007eff202fa6a0): JavaThread "ForkJoinPool-1-worker-2" daemon [_thread_in_Java, id=2390742, stack(0x00007efee3eff000,0x00007efee4000000) (1028K)]
Stack: [0x00007efee3eff000,0x00007efee4000000], sp=0x00007efee3ffc600, free space=1013k
Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
V [libjvm.so+0x166d363] void StackChunkVerifyOopsClosure::do_oop_work<narrowOop>(narrowOop*)+0x2a3 (stackChunkOop.cpp:506)
V [libjvm.so+0x16759e5] bool VerifyStackChunkFrameClosure::do_frame<(ChunkFrames)0, SmallRegisterMap>(StackChunkFrameStream<(ChunkFrames)0> const&, SmallRegisterMap const*) [clone .isra.0]+0x585 (stackChunkOop.cpp:498)
V [libjvm.so+0x167681f] void stackChunkOopDesc::iterate_stack<(ChunkFrames)0, VerifyStackChunkFrameClosure>(VerifyStackChunkFrameClosure*)+0x9f (stackChunkOop.inline.hpp:258)
V [libjvm.so+0x1667775] stackChunkOopDesc::verify(unsigned long*, int*, int*, int*)+0x555 (stackChunkOop.inline.hpp:226)
V [libjvm.so+0xa4b3a8] Continuation::debug_verify_continuation(oop)+0x188 (continuation.cpp:629)
V [libjvm.so+0xa51c9d] verify_continuation(oop) [clone .isra.0]+0x3d (continuationFreezeThaw.cpp:180)
V [libjvm.so+0xa7235e] long* thaw_internal<Config<(oop_kind)0, G1BarrierSet> >(JavaThread*, Continuation::thaw_kind)+0x47e (continuationFreezeThaw.cpp:3044)
V [libjvm.so+0xa72b5e] long* thaw<Config<(oop_kind)0, G1BarrierSet> >(JavaThread*, int)+0x5e (continuationFreezeThaw.cpp:267)
v ~StubRoutines::Cont thaw return barrier 0x00007effcf86c70b
Registers:
The assert fails while verifying the frame(c2 compiled) at the top of the stackChunk. The stackChunk is in gc mode but we found a narrowoop for this frame that doesn't have its corresponding bit set. The problem is that while thawing its callee we cleared the bitmap range associated with the argument area but the narrow oop happens to land at the very last stack slot of this area.
Loom code assumes the size of the argument area is always a multiple of a word, as SharedRuntime::java_calling_convention() indicates. But c2 doesn't seem to follow this convention and knowing the last argument is a boolean and that it only takes one stack slot, it's using the remaining space to store a narrow oop for this frame.
Here is the relevant layout for both frames (values are from a different debugging run):
[stress.process.err] 0x00007f1961d261d0: 0x00007f1961d26250 #15 nmethod 0x00007f19e5227010 for method J org.jvnet.hk2.internal.ServiceLocatorImpl.addConfiguration(Lorg/jvnet/hk2/internal/DynamicConfigurationImpl;)V
[stress.process.err] - #0 scope org.jvnet.hk2.internal.ServiceLocatorImpl.addConfiguration(Lorg/jvnet/hk2/internal/DynamicConfigurationImpl;)V @ 64
[stress.process.err] unextended_sp for #16
[stress.process.err] sp for #16
[stress.process.err] 0x00007f1961d261c8: 0x00007f19dd70021c return address
[stress.process.err] 0x00007f1961d261c0: 0x0000000535d73528 saved fp
[stress.process.err] 0x00007f1961d261b8: 0x00007f1961d26250
[stress.process.err] 0x00007f1961d261b0: 0x00000000000000d8
[stress.process.err] 0x00007f1961d261a8: 0x000000061e836758 oop for #15
[stress.process.err] 0x00007f1961d261a0: 0x00007f1961d261b0
[stress.process.err] 0x00007f1961d26198: 0x0000000535d74148
[stress.process.err] 0x00007f1961d26190: 0x00007f1961d261c0
[stress.process.err] 0x00007f1961d26188: 0x00007f191c69dcb1
[stress.process.err] 0x00007f1961d26180: 0x0000000535d6be90 local 0 for #15 (scope 0)
[stress.process.err] oop for #15
[stress.process.err] 0x00007f1961d26178: 0x0000000535da8a10 local 2 for #15 (scope 0)
[stress.process.err] oop for #15
[stress.process.err] 0x00007f1961d26170: 0x0000000535d740e8
[stress.process.err] 0x00007f1961d26168: 0x0000000000000000
[stress.process.err] 0x00007f1961d26164: 0x0000000000000000 narrow oop for #15
[stress.process.err] 0x00007f1961d26160: 0x0000000000000000 local 8 for #14 (scope 7)
[stress.process.err] param 7 boolean for #14
[stress.process.err] 0x00007f1961d26158: 0x0000000535db1970 param 6 object for #14
[stress.process.err] 0x00007f1961d26150: 0xa6bad86200000000 #14 nmethod 0x00007f19e5178290 for method J org.jvnet.hk2.internal.ServiceLocatorImpl.reup(Ljava/util/List;ZZZZZLjava/util/HashSet;Z)V
[stress.process.err] - #7 scope org.jvnet.hk2.internal.ServiceLocatorImpl.reup(Ljava/util/List;ZZZZZLjava/util/HashSet;Z)V @ 61
[stress.process.err] - #6 scope org.jvnet.hk2.internal.ServiceLocatorImpl.reupClassAnalyzers()V @ 8
[stress.process.err] - #5 scope org.jvnet.hk2.internal.ServiceLocatorImpl.protectedGetAllServiceHandles(Ljava/lang/reflect/Type;[Ljava/lang/annotation/Annotation;)Ljava/util/List; @ 10
[stress.process.err] - #4 scope java.security.AccessController.doPrivileged(Ljava/security/PrivilegedAction;)Ljava/lang/Object; @ 5
[stress.process.err] - #3 scope java.security.AccessController.executePrivileged(Ljava/security/PrivilegedAction;Ljava/security/AccessControlContext;Ljava/lang/Class;)Ljava/lang/Object; @ 29
[stress.process.err] - #2 scope org.jvnet.hk2.internal.ServiceLocatorImpl$7.run()Ljava/lang/Object; @ 1
[stress.process.err] - #1 scope org.jvnet.hk2.internal.ServiceLocatorImpl$7.run()Ljava/util/List; @ 12
[stress.process.err] - #0 scope org.jvnet.hk2.internal.ServiceLocatorImpl.getAllServiceHandles(Ljava/lang/reflect/Type;[Ljava/lang/annotation/Annotation;)Ljava/util/List; @ 5
[stress.process.err] param 5 boolean for #14
[stress.process.err] unextended_sp for #15
[stress.process.err] sp for #15
[stress.process.err] 0x00007f1961d26148: 0x00007f19e5227b74 return address
[stress.process.err] 0x00007f1961d26140: 0x0000000535d73528 saved fp
[stress.process.err] 0x00007f1961d26130: 0x00007f1961d26170
[stress.process.err] 0x00007f1961d26128: 0x00007f197ca61e30
[stress.process.err] 0x00007f1961d26120: 0x000000053658b8dc
[stress.process.err] 0x00007f1961d26118: 0x0000000535db0d40
The callee (org.jvnet.hk2.internal.ServiceLocatorImpl.reup()) receives 8 arguments. The last 3, a boolean, an object reference, an another boolean are passed through the stack. We can see that param5(boolean) is passed in 0x00007f1961d26150, param6(object) in 0x00007f1961d26158, and param7(boolean) is passed in 0x00007f1961d26160. But 0x00007f1961d26164 contains a narrow oop for the caller (org.jvnet.hk2.internal.ServiceLocatorImpl.addConfiguration).
#
# A fatal error has been detected by the Java Runtime Environment:
#
# Internal Error open/src/hotspot/share/oops/stackChunkOop.cpp:506), pid=2390677, tid=2390742
# assert(_chunk->bitmap().at(index)) failed: Bit not set at index 447 corresponding to 0x00000006ff888ba4
Current thread (0x00007eff202fa6a0): JavaThread "ForkJoinPool-1-worker-2" daemon [_thread_in_Java, id=2390742, stack(0x00007efee3eff000,0x00007efee4000000) (1028K)]
Stack: [0x00007efee3eff000,0x00007efee4000000], sp=0x00007efee3ffc600, free space=1013k
Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
V [libjvm.so+0x166d363] void StackChunkVerifyOopsClosure::do_oop_work<narrowOop>(narrowOop*)+0x2a3 (stackChunkOop.cpp:506)
V [libjvm.so+0x16759e5] bool VerifyStackChunkFrameClosure::do_frame<(ChunkFrames)0, SmallRegisterMap>(StackChunkFrameStream<(ChunkFrames)0> const&, SmallRegisterMap const*) [clone .isra.0]+0x585 (stackChunkOop.cpp:498)
V [libjvm.so+0x167681f] void stackChunkOopDesc::iterate_stack<(ChunkFrames)0, VerifyStackChunkFrameClosure>(VerifyStackChunkFrameClosure*)+0x9f (stackChunkOop.inline.hpp:258)
V [libjvm.so+0x1667775] stackChunkOopDesc::verify(unsigned long*, int*, int*, int*)+0x555 (stackChunkOop.inline.hpp:226)
V [libjvm.so+0xa4b3a8] Continuation::debug_verify_continuation(oop)+0x188 (continuation.cpp:629)
V [libjvm.so+0xa51c9d] verify_continuation(oop) [clone .isra.0]+0x3d (continuationFreezeThaw.cpp:180)
V [libjvm.so+0xa7235e] long* thaw_internal<Config<(oop_kind)0, G1BarrierSet> >(JavaThread*, Continuation::thaw_kind)+0x47e (continuationFreezeThaw.cpp:3044)
V [libjvm.so+0xa72b5e] long* thaw<Config<(oop_kind)0, G1BarrierSet> >(JavaThread*, int)+0x5e (continuationFreezeThaw.cpp:267)
v ~StubRoutines::Cont thaw return barrier 0x00007effcf86c70b
Registers:
The assert fails while verifying the frame(c2 compiled) at the top of the stackChunk. The stackChunk is in gc mode but we found a narrowoop for this frame that doesn't have its corresponding bit set. The problem is that while thawing its callee we cleared the bitmap range associated with the argument area but the narrow oop happens to land at the very last stack slot of this area.
Loom code assumes the size of the argument area is always a multiple of a word, as SharedRuntime::java_calling_convention() indicates. But c2 doesn't seem to follow this convention and knowing the last argument is a boolean and that it only takes one stack slot, it's using the remaining space to store a narrow oop for this frame.
Here is the relevant layout for both frames (values are from a different debugging run):
[stress.process.err] 0x00007f1961d261d0: 0x00007f1961d26250 #15 nmethod 0x00007f19e5227010 for method J org.jvnet.hk2.internal.ServiceLocatorImpl.addConfiguration(Lorg/jvnet/hk2/internal/DynamicConfigurationImpl;)V
[stress.process.err] - #0 scope org.jvnet.hk2.internal.ServiceLocatorImpl.addConfiguration(Lorg/jvnet/hk2/internal/DynamicConfigurationImpl;)V @ 64
[stress.process.err] unextended_sp for #16
[stress.process.err] sp for #16
[stress.process.err] 0x00007f1961d261c8: 0x00007f19dd70021c return address
[stress.process.err] 0x00007f1961d261c0: 0x0000000535d73528 saved fp
[stress.process.err] 0x00007f1961d261b8: 0x00007f1961d26250
[stress.process.err] 0x00007f1961d261b0: 0x00000000000000d8
[stress.process.err] 0x00007f1961d261a8: 0x000000061e836758 oop for #15
[stress.process.err] 0x00007f1961d261a0: 0x00007f1961d261b0
[stress.process.err] 0x00007f1961d26198: 0x0000000535d74148
[stress.process.err] 0x00007f1961d26190: 0x00007f1961d261c0
[stress.process.err] 0x00007f1961d26188: 0x00007f191c69dcb1
[stress.process.err] 0x00007f1961d26180: 0x0000000535d6be90 local 0 for #15 (scope 0)
[stress.process.err] oop for #15
[stress.process.err] 0x00007f1961d26178: 0x0000000535da8a10 local 2 for #15 (scope 0)
[stress.process.err] oop for #15
[stress.process.err] 0x00007f1961d26170: 0x0000000535d740e8
[stress.process.err] 0x00007f1961d26168: 0x0000000000000000
[stress.process.err] 0x00007f1961d26164: 0x0000000000000000 narrow oop for #15
[stress.process.err] 0x00007f1961d26160: 0x0000000000000000 local 8 for #14 (scope 7)
[stress.process.err] param 7 boolean for #14
[stress.process.err] 0x00007f1961d26158: 0x0000000535db1970 param 6 object for #14
[stress.process.err] 0x00007f1961d26150: 0xa6bad86200000000 #14 nmethod 0x00007f19e5178290 for method J org.jvnet.hk2.internal.ServiceLocatorImpl.reup(Ljava/util/List;ZZZZZLjava/util/HashSet;Z)V
[stress.process.err] - #7 scope org.jvnet.hk2.internal.ServiceLocatorImpl.reup(Ljava/util/List;ZZZZZLjava/util/HashSet;Z)V @ 61
[stress.process.err] - #6 scope org.jvnet.hk2.internal.ServiceLocatorImpl.reupClassAnalyzers()V @ 8
[stress.process.err] - #5 scope org.jvnet.hk2.internal.ServiceLocatorImpl.protectedGetAllServiceHandles(Ljava/lang/reflect/Type;[Ljava/lang/annotation/Annotation;)Ljava/util/List; @ 10
[stress.process.err] - #4 scope java.security.AccessController.doPrivileged(Ljava/security/PrivilegedAction;)Ljava/lang/Object; @ 5
[stress.process.err] - #3 scope java.security.AccessController.executePrivileged(Ljava/security/PrivilegedAction;Ljava/security/AccessControlContext;Ljava/lang/Class;)Ljava/lang/Object; @ 29
[stress.process.err] - #2 scope org.jvnet.hk2.internal.ServiceLocatorImpl$7.run()Ljava/lang/Object; @ 1
[stress.process.err] - #1 scope org.jvnet.hk2.internal.ServiceLocatorImpl$7.run()Ljava/util/List; @ 12
[stress.process.err] - #0 scope org.jvnet.hk2.internal.ServiceLocatorImpl.getAllServiceHandles(Ljava/lang/reflect/Type;[Ljava/lang/annotation/Annotation;)Ljava/util/List; @ 5
[stress.process.err] param 5 boolean for #14
[stress.process.err] unextended_sp for #15
[stress.process.err] sp for #15
[stress.process.err] 0x00007f1961d26148: 0x00007f19e5227b74 return address
[stress.process.err] 0x00007f1961d26140: 0x0000000535d73528 saved fp
[stress.process.err] 0x00007f1961d26130: 0x00007f1961d26170
[stress.process.err] 0x00007f1961d26128: 0x00007f197ca61e30
[stress.process.err] 0x00007f1961d26120: 0x000000053658b8dc
[stress.process.err] 0x00007f1961d26118: 0x0000000535db0d40
The callee (org.jvnet.hk2.internal.ServiceLocatorImpl.reup()) receives 8 arguments. The last 3, a boolean, an object reference, an another boolean are passed through the stack. We can see that param5(boolean) is passed in 0x00007f1961d26150, param6(object) in 0x00007f1961d26158, and param7(boolean) is passed in 0x00007f1961d26160. But 0x00007f1961d26164 contains a narrow oop for the caller (org.jvnet.hk2.internal.ServiceLocatorImpl.addConfiguration).
- backported by
-
JDK-8322307 assert(_chunk->bitmap().at(index)) failed: Bit not set at index
-
- Resolved
-
-
-
- Resolved
-
-
-
- Resolved
-
-
-
- Resolved
-
- relates to
-
-
- Resolved
-
- links to
-
Commit
openjdk/jdk21u-dev/677556d2
-
Commit
openjdk/jdk22/01cb043b
-
Commit
openjdk/jdk/e9e694f4
-
Review
openjdk/jdk21u-dev/131
-
Review
openjdk/jdk22/29
-
Review
openjdk/jdk/16837
(6 links to)