P2
I am investigating the following crash reported by JetBrains Runtime's performance testing with MapBench on macOS x86_64 only.
This benchmark is GPL2 and available at https://github.com/bourgesl/mapbench/ so I made a simple recipe have an easy reproducer for this problem (see shell scripts).
This crash happens only with JBR 22 corresponding to Openjdk 22, so I tested with the latest OpenJDK 22 EA build from oracle and the crash is reproduced:
Loading drawing commands from file: /Users/llooo/dev/hs-crash-reproducer/mapbench-0.5.0-release/bin/../maps/EllipseTests-fill-true.ser
Loaded DrawingCommands: DrawingCommands{width=2000, height=2000, commands=198}
drawing[EllipseTests-fill-true.ser][width = 2000, height = 2000] ...
cleanup (explicit Full GC): 2,022,908,624 / 2,038,363,416 bytes free.
#
# A fatal error has been detected by the Java Runtime Environment:
#
# SIGSEGV (0xb) at pc=0x000000011cd38292, pid=2632, tid=26895
#
# JRE version: OpenJDK Runtime Environment (22.0+30) (build 22-ea+30-2287)
# Java VM: OpenJDK 64-Bit Server VM (22-ea+30-2287, mixed mode, sharing, tiered, compressed oops, compressed class ptrs, parallel gc, bsd-amd64)
# Problematic frame:
# J 1059 c2 sun.java2d.marlin.DMarlinRenderingEngine.getAATileGenerator(Ljava/awt/Shape;Ljava/awt/geom/AffineTransform;Lsun/java2d/pipe/Region;Ljava/awt/BasicStroke;ZZ[I)Lsun/java2d/pipe/AATileGenerator; java.desktop@22-ea (382 bytes) @ 0x000000011cd38292 [0x000000011cd37fa0+0x00000000000002f2]
#
# Core dump will be written. Default location: /cores/core.2632
#
# An error report file with more information is saved as:
# /Users/llooo/dev/hs-crash-reproducer/mapbench-0.5.0-release/bin/hs_err_pid2632.log
[48,530s][warning][os] Loading hsdis library failed
#
# If you would like to submit a bug report, please visit:
# https://bugreport.java.com/bugreport/crash.jsp
#
The same benchmark runs well on macOS aarch64 and on ubuntu 20.04 x86_64, so I suspect the bug is related to this specific architecture.
I also tested with -XX:TieredStopAtLevel=3 (C1 full) and the test passed successfully so the C2 compiler is causing the crash.
This benchmark performs graphics rendering tests based on serialzed files in maps.
The crash happens when the scene 'EllipseTests-fill-true.ser' is rendered for the first time after the test 'EllipseTests-fill-false.ser', i.e. draw(ellipse) => fill(ellipse).
This may indicate that deoptimization happened badly.
See attachments for the hotspot crash report and also the JBR crash report made on a slowdebug + hsdis build giving more information about the crash.
My short analysis:
- The crash happens in C2 at 0x000000011efb7564:
Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
J 1123 c2 sun.java2d.marlin.DMarlinRenderingEngine.getAATileGenerator(Ljava/awt/Shape;Ljava/awt/geom/AffineTransform;Lsun/java2d/pipe/Region;Ljava/awt/BasicStroke;ZZ[I)Lsun/java2d/pipe/AATileGenerator; java.desktop@23-internal (375 bytes) @ 0x000000011efb7564 [0x000000011efb7220+0x0000000000000344]
- I used a slowdebug build (jbr22) to get more details (jbr-main-test.log), indicating :
implicit exception happened at 0x000000011efb7564
Compiled method (c2) 117185 1123 ! 4 sun.java2d.marlin.DMarlinRenderingEngine::getAATileGenerator (375 bytes)
However this address points to approximative instructions:
0x000000011efb7560: ; implicit exception: dispatches to 0x000000011efb8200
0x000000011efb7560: c5f1 57c9 | c5f2 5a4b
0x000000011efb7568: ;*f2d {reexecute=0 rethrow=0 return_oop=0}
; - sun.java2d.marlin.DMarlinRenderingEngine::strokeTo@40 (line 309)
; - sun.java2d.marlin.DMarlinRenderingEngine::getAATileGenerator@234 (line 961)
0x000000011efb7568: 0c44 8b58
The crash happens in strokeTo() but this specific test 'EllipseTests-fill-true.ser' does not have a stroke, so it means the null check is not respected !
See https://github.com/openjdk/jdk/blob/d89602a53f173e4fc1e0aa10bb0ffdf7232456cb/src/java.desktop/share/classes/sun/java2d/marlin/DMarlinRenderingEngine.java#L952C12-L952C12
Reproducer:
To reproduce the problem, I prepared few shell scripts (macos & linux bash compatible + curl) that should be readable & easy to understand:
- bash install-mapbench-gpl2.sh to download mapbench + maps from github
- bash test.sh to run the crash test (you can edit JAVA_HOME here to adjust to your environment)
This script calls the script in mapbench-0.5.0-release/bin/bench_crash.sh where specific JVM settings can be tested or modified.
This benchmark is GPL2 and available at https://github.com/bourgesl/mapbench/ so I made a simple recipe have an easy reproducer for this problem (see shell scripts).
This crash happens only with JBR 22 corresponding to Openjdk 22, so I tested with the latest OpenJDK 22 EA build from oracle and the crash is reproduced:
Loading drawing commands from file: /Users/llooo/dev/hs-crash-reproducer/mapbench-0.5.0-release/bin/../maps/EllipseTests-fill-true.ser
Loaded DrawingCommands: DrawingCommands{width=2000, height=2000, commands=198}
drawing[EllipseTests-fill-true.ser][width = 2000, height = 2000] ...
cleanup (explicit Full GC): 2,022,908,624 / 2,038,363,416 bytes free.
#
# A fatal error has been detected by the Java Runtime Environment:
#
# SIGSEGV (0xb) at pc=0x000000011cd38292, pid=2632, tid=26895
#
# JRE version: OpenJDK Runtime Environment (22.0+30) (build 22-ea+30-2287)
# Java VM: OpenJDK 64-Bit Server VM (22-ea+30-2287, mixed mode, sharing, tiered, compressed oops, compressed class ptrs, parallel gc, bsd-amd64)
# Problematic frame:
# J 1059 c2 sun.java2d.marlin.DMarlinRenderingEngine.getAATileGenerator(Ljava/awt/Shape;Ljava/awt/geom/AffineTransform;Lsun/java2d/pipe/Region;Ljava/awt/BasicStroke;ZZ[I)Lsun/java2d/pipe/AATileGenerator; java.desktop@22-ea (382 bytes) @ 0x000000011cd38292 [0x000000011cd37fa0+0x00000000000002f2]
#
# Core dump will be written. Default location: /cores/core.2632
#
# An error report file with more information is saved as:
# /Users/llooo/dev/hs-crash-reproducer/mapbench-0.5.0-release/bin/hs_err_pid2632.log
[48,530s][warning][os] Loading hsdis library failed
#
# If you would like to submit a bug report, please visit:
# https://bugreport.java.com/bugreport/crash.jsp
#
The same benchmark runs well on macOS aarch64 and on ubuntu 20.04 x86_64, so I suspect the bug is related to this specific architecture.
I also tested with -XX:TieredStopAtLevel=3 (C1 full) and the test passed successfully so the C2 compiler is causing the crash.
This benchmark performs graphics rendering tests based on serialzed files in maps.
The crash happens when the scene 'EllipseTests-fill-true.ser' is rendered for the first time after the test 'EllipseTests-fill-false.ser', i.e. draw(ellipse) => fill(ellipse).
This may indicate that deoptimization happened badly.
See attachments for the hotspot crash report and also the JBR crash report made on a slowdebug + hsdis build giving more information about the crash.
My short analysis:
- The crash happens in C2 at 0x000000011efb7564:
Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
J 1123 c2 sun.java2d.marlin.DMarlinRenderingEngine.getAATileGenerator(Ljava/awt/Shape;Ljava/awt/geom/AffineTransform;Lsun/java2d/pipe/Region;Ljava/awt/BasicStroke;ZZ[I)Lsun/java2d/pipe/AATileGenerator; java.desktop@23-internal (375 bytes) @ 0x000000011efb7564 [0x000000011efb7220+0x0000000000000344]
- I used a slowdebug build (jbr22) to get more details (jbr-main-test.log), indicating :
implicit exception happened at 0x000000011efb7564
Compiled method (c2) 117185 1123 ! 4 sun.java2d.marlin.DMarlinRenderingEngine::getAATileGenerator (375 bytes)
However this address points to approximative instructions:
0x000000011efb7560: ; implicit exception: dispatches to 0x000000011efb8200
0x000000011efb7560: c5f1 57c9 | c5f2 5a4b
0x000000011efb7568: ;*f2d {reexecute=0 rethrow=0 return_oop=0}
; - sun.java2d.marlin.DMarlinRenderingEngine::strokeTo@40 (line 309)
; - sun.java2d.marlin.DMarlinRenderingEngine::getAATileGenerator@234 (line 961)
0x000000011efb7568: 0c44 8b58
The crash happens in strokeTo() but this specific test 'EllipseTests-fill-true.ser' does not have a stroke, so it means the null check is not respected !
See https://github.com/openjdk/jdk/blob/d89602a53f173e4fc1e0aa10bb0ffdf7232456cb/src/java.desktop/share/classes/sun/java2d/marlin/DMarlinRenderingEngine.java#L952C12-L952C12
Reproducer:
To reproduce the problem, I prepared few shell scripts (macos & linux bash compatible + curl) that should be readable & easy to understand:
- bash install-mapbench-gpl2.sh to download mapbench + maps from github
- bash test.sh to run the crash test (you can edit JAVA_HOME here to adjust to your environment)
This script calls the script in mapbench-0.5.0-release/bin/bench_crash.sh where specific JVM settings can be tested or modified.
- duplicates
-
JDK-8322985 [BACKOUT] 8318562: Computational test more than 2x slower when AVX instructions are used
-
- Resolved
-