JDK-8327036

[macosx-aarch64] SIGBUS in MarkActivationClosure::do_code_blob reached from Unsafe_CopySwapMemory0


Details

    • b01
    • aarch64
    • os_x


      Description

        Unsafe_CopySwapMemory0 uses JVM_ENTRY_FROM_LEAF, which transitions from native into the VM using ThreadInVMfromNative.
        It is an invariant on Mac OS AARCH64 that a thread must have WXWrite before doing the transition into the VM [1].

        In Unsafe_CopySwapMemory0 we don't switch to WXWrite. Because of this we can get a SIGBUS if a handshake is pending that modifies an nmethod in MarkActivationClosure::do_code_blob.

        Stack: [0x0000000171f24000,0x0000000172127000], sp=0x0000000172124cd0, free space=2051k
        Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
        V [libjvm.dylib+0xfc6c60] MarkActivationClosure::do_code_blob(CodeBlob*)+0x74
        V [libjvm.dylib+0x1022a84] JavaThread::nmethods_do(CodeBlobClosure*)+0x114
        V [libjvm.dylib+0x75c4f8] HandshakeOperation::do_handshake(JavaThread*)+0x70
        V [libjvm.dylib+0x75e054] HandshakeState::process_by_self(bool)+0x3a8
        V [libjvm.dylib+0xe0f130] SafepointMechanism::process(JavaThread*, bool)+0x5c
        V [libjvm.dylib+0x535758] ThreadStateTransition::transition_from_native(JavaThread*, JavaThreadState)+0x1f8
        V [libjvm.dylib+0x4334f0] ThreadInVMfromNative::ThreadInVMfromNative(JavaThread*)+0xb0
        V [libjvm.dylib+0x106832c] Unsafe_CopySwapMemory0(JNIEnv_*, _jobject*, _jobject*, long, _jobject*, long, long, long)+0xdc
        J 915 jdk.internal.misc.Unsafe.copySwapMemory0(Ljava/lang/Object;JLjava/lang/Object;JJJ)V java.base@17.0.11-internal (0 bytes) @ 0x0000000115f636dc [0x0000000115f63640+0x000000000000009c]
        [...]

        While we cannot get the very same crash in jdk21 (nmethod sweeper was removed in jdk20 with JDK-8290025) other handshakes that modify the code cache (e.g. DeoptimizeMarkedClosure) will crash too.

        Reproduce:
        It's not easy to reproduce this directly but when running test/jdk/sun/nio/cs/FindDecoderBugs.java with -XX:+AssertWXAtThreadSync on Mac OS AARCH64 a corresponding assertion fails because of the issue.

        Note that the issue is fixed with JDK-8310644 in JDK 22 and later, as mdoerr pointed out in his comment below.
        JDK 11 is not affected because JDK-8302736, which removed the switch to WXWrite from VM_LEAF_BASE (used by UNSAFE_LEAF), was not backported to JDK 11.

        [1] https://github.com/openjdk/jdk/blob/0583f7357480c0500daa82f490b2fcc05f2fb65a/src/hotspot/share/runtime/interfaceSupport.inline.hpp#L253-L259
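        As an added illustration (a toy model written for this note, not HotSpot source), the following C++ sketches the invariant: a transition into the VM may process a pending handshake that writes to an nmethod, so on macOS AArch64 the thread must already be in WXWrite; the buggy leaf entry skips that switch, the fixed one wraps the transition in a ThreadWXEnable-style RAII guard. The names, the single-thread "pending handshake" flag and the throw-instead-of-SIGBUS behaviour are modelling assumptions.

```cpp
// Toy model (added here, not HotSpot code) of the W^X invariant the report
// describes. Names mirror HotSpot's WXMode, ThreadWXEnable and
// transition_from_native only so the reasoning is easy to follow.
#include <cstdio>
#include <stdexcept>

enum WXMode { WXExec, WXWrite };

struct JavaThread {
  WXMode wx_state = WXExec;        // native code normally runs with the code cache executable
  bool handshake_pending = false;  // e.g. a MarkActivationClosure handshake queued for this thread
};

// Model of ThreadWXEnable: RAII switch of the thread's W^X mode, restored on scope exit.
struct ThreadWXEnable {
  JavaThread& t;
  WXMode saved;
  ThreadWXEnable(WXMode m, JavaThread& thread) : t(thread), saved(thread.wx_state) { t.wx_state = m; }
  ~ThreadWXEnable() { t.wx_state = saved; }
};

// Model of ThreadStateTransition::transition_from_native: a pending handshake is
// processed here, and if it writes to an nmethod the thread must be in WXWrite.
// Like -XX:+AssertWXAtThreadSync this reports the violation instead of faulting.
void transition_from_native(JavaThread& t) {
  if (!t.handshake_pending) return;  // nothing to process: no crash, which is why the bug is racy
  if (t.wx_state != WXWrite)
    throw std::runtime_error("nmethod modified in WXExec: would SIGBUS");
  t.handshake_pending = false;       // nmethod patched
}

// Buggy shape of Unsafe_CopySwapMemory0: JVM_ENTRY_FROM_LEAF transitions without a WX switch.
bool copy_swap_buggy(JavaThread& t) {
  try { transition_from_native(t); return true; }
  catch (const std::runtime_error&) { return false; }
}

// Fixed shape: switch to WXWrite for the transition; the guard restores WXExec afterwards.
bool copy_swap_fixed(JavaThread& t) {
  ThreadWXEnable wx(WXWrite, t);
  try { transition_from_native(t); return true; }
  catch (const std::runtime_error&) { return false; }
}

int main() {
  JavaThread a; a.handshake_pending = true;
  JavaThread b; b.handshake_pending = true;
  std::printf("buggy: %s, fixed: %s, wx after fixed: %s\n",
              copy_swap_buggy(a) ? "ok" : "SIGBUS", copy_swap_fixed(b) ? "ok" : "SIGBUS",
              b.wx_state == WXExec ? "WXExec" : "WXWrite");
  return 0;
}
```

In HotSpot itself the switch is spelled MACOS_AARCH64_ONLY(ThreadWXEnable wx(WXWrite, thread)); the model leaves the platform guard out.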

                rrich Richard Reingruber