Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8336095

Use-after-free in Superword leads to memory corruption

    XMLWordPrintable

Details

    • 24
    • b09
    • x86_64
    • windows

    Backports

      Description

        Since ~ middle of (or shortly before middle of) June we see various C1 and C2 compiler crashes on windows x86_64.
        These have been observed with both opt and fastdebug binaries, when running an internal test suite.
        The crashes occured on both test servers (with Windows server OS) and also on Win11 based notebook.
        Unfortunately we cannot easily reproduce them with externally available tests.
        The stacks in hserr files differ a bit. Some examples :

        1)

        # Internal Error (utilities/growableArray.hpp:256), pid=7436, tid=18160
        # Error: ShouldNotReachHere()
        #

        --------------- T H R E A D ---------------

        Current thread (0x000001c7c11059c0): JavaThread "C2 CompilerThread0" daemon [_thread_in_native, id=18160, stack(0x0000009eba000000,0x0000009eba100000) (1024K)]


        Current CompileTask:
        C2:14090 13241 4 sun.font.HBShaper::store_layout_results (440 bytes)

        Stack: [0x0000009eba000000,0x0000009eba100000]
        Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
        V [jvm.dll+0x6fce59] os::win32::platform_print_native_stack+0xd9 (os_windows_x86.cpp:235)
        V [jvm.dll+0x8eda25] VMError::report+0xd95 (vmError.cpp:1011)
        V [jvm.dll+0x8efcdd] VMError::report_and_die+0x5fd (vmError.cpp:1846)
        V [jvm.dll+0x8f0347] VMError::report_and_die+0x47 (vmError.cpp:1611)
        V [jvm.dll+0x28d587] report_vm_error+0x57 (debug.cpp:193)
        V [jvm.dll+0x28d5ac] report_vm_error+0x1c (debug.cpp:149)
        V [jvm.dll+0x28d500] report_should_not_reach_here+0x10 (debug.cpp:240)
        V [jvm.dll+0x260b57] Compile::remove_useless_node+0x3a7 (compile.cpp:403)
        V [jvm.dll+0x724606] PhaseIterGVN::remove_globally_dead_node+0x366 (phaseX.cpp:1304)
        V [jvm.dll+0x724f0a] PhaseIterGVN::subsume_node+0x2ca (phaseX.cpp:1430)
        V [jvm.dll+0x7258fd] PhaseIterGVN::transform_old+0x1bd (phaseX.cpp:1284)
        V [jvm.dll+0x723d12] PhaseIterGVN::optimize+0x182 (phaseX.cpp:1048)
        V [jvm.dll+0x2576b1] Compile::Optimize+0x1101 (compile.cpp:2425)
        V [jvm.dll+0x254d17] Compile::Compile+0xe47 (compile.cpp:853)
        V [jvm.dll+0x1d06ea] C2Compiler::compile_method+0x11a (c2compiler.cpp:145)
        V [jvm.dll+0x264c31] CompileBroker::invoke_compiler_on_method+0x811 (compileBroker.cpp:2306)
        V [jvm.dll+0x262efb] CompileBroker::compiler_thread_loop+0x26b (compileBroker.cpp:1962)
        V [jvm.dll+0x4051f6] JavaThread::run+0x116 (javaThread.cpp:742)
        V [jvm.dll+0x892bf8] Thread::call_run+0xc8 (thread.cpp:235)
        V [jvm.dll+0x6fb695] thread_native_entry+0x95 (os_windows.cpp:553)
        C [ucrtbase.dll+0x1fb80] (no source info available)
        C [KERNEL32.DLL+0x84d4] (no source info available)
        C [ntdll.dll+0x51a11] (no source info available)


        2)

        # EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x00007ffcf58b6202, pid=14520, tid=28428
        #
        # V [jvm.dll+0x156202] LIR_OpVisitState::append+0x52

        --------------- T H R E A D ---------------

        Current thread (0x000001cff5b98820): JavaThread "C1 CompilerThread1" daemon [_thread_in_native, id=28428, stack(0x00000019a9800000,0x00000019a9900000) (1024K)]

        Current CompileTask:
        C1:7053 8888 ! 3 com.pietjonas.wmfwriter2d.WMFGraphics::setGDIFillBrush (231 bytes)

        Stack: [0x00000019a9800000,0x00000019a9900000], sp=0x00000019a98fde40, free space=1015k
        Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
        V [jvm.dll+0x156202] LIR_OpVisitState::append+0x52 (c1_LIR.hpp:2488)
        V [jvm.dll+0x174e83] LIR_OpVisitState::visit+0xd3 (c1_LIR.cpp:928)
        V [jvm.dll+0x19dfc2] LinearScan::build_intervals+0x2e2 (c1_LinearScan.cpp:1364)
        V [jvm.dll+0x19ffb4] LinearScan::do_linear_scan+0x34 (c1_LinearScan.cpp:3099)
        V [jvm.dll+0x158cb2] Compilation::emit_lir+0x132 (c1_Compilation.cpp:277)
        V [jvm.dll+0x1584fe] Compilation::compile_java_method+0x16e (c1_Compilation.cpp:409)
        V [jvm.dll+0x1587bb] Compilation::compile_method+0x1db (c1_Compilation.cpp:484)
        V [jvm.dll+0x157a61] Compilation::Compilation+0x201 (c1_Compilation.cpp:611)
        V [jvm.dll+0x159911] Compiler::compile_method+0xe1 (c1_Compiler.cpp:261)
        V [jvm.dll+0x264c31] CompileBroker::invoke_compiler_on_method+0x811 (compileBroker.cpp:2306)
        V [jvm.dll+0x262efb] CompileBroker::compiler_thread_loop+0x26b (compileBroker.cpp:1962)
        V [jvm.dll+0x4051f6] JavaThread::run+0x116 (javaThread.cpp:742)
        V [jvm.dll+0x892be8] Thread::call_run+0xc8 (thread.cpp:235)
        V [jvm.dll+0x6fb685] thread_native_entry+0x95 (os_windows.cpp:553)
        C [ucrtbase.dll+0x2268a] (no source info available)
        C [KERNEL32.DLL+0x17ac4] (no source info available)
        C [ntdll.dll+0x5a8c1] (no source info available)

        3)

        # Internal Error (node.cpp:2955), pid=9520, tid=7900
        # Error: ShouldNotReachHere()

        Current thread (0x0000015428937860): JavaThread "C2 CompilerThread0" daemon [_thread_in_native, id=7900, stack(0x000000336c400000,0x000000336c500000) (1024K)]

        Current CompileTask:
        C2:10741 8161 4 sun.font.HBShaper::get_nominal_glyph (57 bytes)

        Stack: [0x000000336c400000,0x000000336c500000]
        Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
        V [jvm.dll+0x6fce49] os::win32::platform_print_native_stack+0xd9 (os_windows_x86.cpp:235)
        V [jvm.dll+0x8eda15] VMError::report+0xd95 (vmError.cpp:1011)
        V [jvm.dll+0x8efccd] VMError::report_and_die+0x5fd (vmError.cpp:1846)
        V [jvm.dll+0x8f0337] VMError::report_and_die+0x47 (vmError.cpp:1611)
        V [jvm.dll+0x28d587] report_vm_error+0x57 (debug.cpp:193)
        V [jvm.dll+0x28d5ac] report_vm_error+0x1c (debug.cpp:149)
        V [jvm.dll+0x28d500] report_should_not_reach_here+0x10 (debug.cpp:240)
        V [jvm.dll+0x6d7e15] Unique_Node_List::remove+0xc5 (node.cpp:2955)
        V [jvm.dll+0x7245ea] PhaseIterGVN::remove_globally_dead_node+0x35a (phaseX.cpp:1380)
        V [jvm.dll+0x724efa] PhaseIterGVN::subsume_node+0x2ca (phaseX.cpp:1430)
        V [jvm.dll+0x3cc525] idealize_test+0x1c5 (ifnode.cpp:1919)
        V [jvm.dll+0x3cadae] IfNode::Ideal_common+0x6e (ifnode.cpp:1479)
        V [jvm.dll+0x3ca885] IfNode::Ideal+0x15 (ifnode.cpp:1494)
        V [jvm.dll+0x72578e] PhaseIterGVN::transform_old+0x5e (phaseX.cpp:1198)
        V [jvm.dll+0x723d02] PhaseIterGVN::optimize+0x182 (phaseX.cpp:1048)
        V [jvm.dll+0x2567b4] Compile::Optimize+0x204 (compile.cpp:2239)
        V [jvm.dll+0x254d17] Compile::Compile+0xe47 (compile.cpp:853)
        V [jvm.dll+0x1d06ea] C2Compiler::compile_method+0x11a (c2compiler.cpp:145)
        V [jvm.dll+0x264c31] CompileBroker::invoke_compiler_on_method+0x811 (compileBroker.cpp:2306)
        V [jvm.dll+0x262efb] CompileBroker::compiler_thread_loop+0x26b (compileBroker.cpp:1962)
        V [jvm.dll+0x4051f6] JavaThread::run+0x116 (javaThread.cpp:742)
        V [jvm.dll+0x892be8] Thread::call_run+0xc8 (thread.cpp:235)
        V [jvm.dll+0x6fb685] thread_native_entry+0x95 (os_windows.cpp:553)
        C [ucrtbase.dll+0x1fb80] (no source info available)
        C [KERNEL32.DLL+0x84d4] (no source info available)
        C [ntdll.dll+0x51a11] (no source info available)




        Attachments

          1. assert.patch
            2 kB
          2. replay_pid23516.log
            581 kB
          3. stress.patch
            2 kB

          Issue Links

            backported by

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8336734 Use-after-free in Superword leads to memory corruption

            • P2 - Crashes, loss of data, severe memory leak.
            • Closed
            relates to

            Sub-task - The sub-task of the issue JDK-8333684 C2 SuperWord: multiple smaller refactorings in preparation for JDK-8332163

            • P4 - Minor loss of function, or other problem where easy workaround is present.
            • Resolved

            Bug - A problem which impairs or prevents the functions of the product. JDK-8337319 EXCEPTION_ACCESS_VIOLATION in PhaseChaitin::Split

            • P4 - Minor loss of function, or other problem where easy workaround is present.
            • Closed

            Enhancement - null JDK-8337015 Revisit resource arena allocations in C2

            • P2 - Crashes, loss of data, severe memory leak.
            • Open

            Enhancement - null JDK-8336999 Verification for resource area allocated data structures in C2

            • P2 - Crashes, loss of data, severe memory leak.
            • Resolved
            links to

            Commit Commit(master) openjdk/jdk/90641a60

            Review Review(master) openjdk/jdk/20297

            Activity

              People

                thartmann Tobias Hartmann
                mbaesken Matthias Baesken
                Votes:
                0 Vote for this issue
                Watchers:
                7 Start watching this issue

                Dates

                  Created:
                  Updated:
                  Resolved: