Details
Description
[Derek White's original report:]
There is a bug in gc.c, expandHandleSpace(). The specific bug is that it trys to
preallocate a huge amount (797K in this case), realizes that this number is so
big that it would put it beyond the mapped address range, so it bails out,
but not before setting the handle allocation pointer to the out-of-bounds
value. So the next handle allocation blows out. Fix described in the "Suggested
Fix" section.
There is a secondary bug in that the gc always uses the "preallocation factor",
never trying lesser values when the first attempt fails.
[Tim, 3/27/96:]
I had a test lying around that blew up the GC in this same way. This can be
used to check against the bug, although it isn't suitable for a regression test
as it always runs the system out of memory. I've been running it with
java_g -verbosegc createObjects 400000 -mx3M, and have verified that it
really does tickle this bug:
class Compute_Seconds {
public static double Compute( long milliseconds ) {
return (double) milliseconds / 1000.0;
}
}
class MyObject {
public long creation_time;
MyObject() {
creation_time = System.currentTimeMillis();
}
}
class createObjects {
public static void main( String args[] ) {
MyObject myArray[];
Long Number_Of_Objects = Long.valueOf( args[0] );
long elapsed_time = 0;
double time_in_seconds = 0.0;
double time_per_object = 0.0;
System.out.println("About to create objects.");
myArray = new MyObject[Number_Of_Objects.intValue()];
for (int i = 0; i < myArray.length; i++) {
myArray[i] = new MyObject();
}
System.out.println("Finished creating objects.");
elapsed_time = myArray[myArray.length-1].creation_time -
myArray[0].creation_time;
System.out.println("Elapsed time = " + elapsed_time + "milliseconds.");
time_in_seconds = Compute_Seconds.Compute( elapsed_time );
System.out.println("Which is " + time_in_seconds + " seconds.");
time_per_object = (double) elapsed_time /
Number_Of_Objects.doubleValue();
System.out.println("Time per object = " + time_per_object +
"milliseconds.");
}
}
[Derek's original test case -- I don't currently have access to this -- Tim]
============= running test case ======
orbit 50 =>java -verbosegc Paraffins
Paraffins (C0H2) with 0 carbon atoms: 1 (1 BCPs and 0 CCPS)
... 1-15 ommited ...
Paraffins (C16H34) with 16 carbon atoms: 10359 (4005 BCPs and 6354 CCPS)
<GC: freed 739 objects, 145240 bytes in 376 msec, 19% free>
<GC: expanded object space by 86016 to 924872 bytes, 27% free>
<GC: freed 1 objects, 20488 bytes in 211 msec, 20% free>
<GC: expanded handle space by 53248 to 262960 bytes, 20% free>
<GC: freed 1 objects, 40968 bytes in 206 msec, 4% free>
<GC: expanded object space by 192512 to 1117384 bytes, 20% free>
<GC: freed 0 objects, 0 bytes in 421 msec, 16% free>
<GC: expanded handle space by 69632 to 332592 bytes, 20% free>
<GC: freed 0 objects, 0 bytes in 442 msec, 1% free>
<GC: expanded object space by 430080 to 1547464 bytes, 28% free>
<GC: freed 1 objects, 81928 bytes in 282 msec, 20% free>
<GC: expanded handle space by 86016 to 418608 bytes, 20% free>
Paraffins (C17H36) with 17 carbon atoms: 24894 (0 BCPs and 24894 CCPS)
<GC: freed 41 objects, 42136 bytes in 362 msec, 5% free>
<GC: expanded handle space by 106496 to 525104 bytes, 20% free>
<GC: freed 0 objects, 0 bytes in 723 msec, 3% free>
<GC: expanded object space by 417792 to 1965256 bytes, 23% free>
<GC: freed 2 objects, 122896 bytes in 442 msec, 8% free>
<GC: expanded handle space by 135168 to 660272 bytes, 20% free>
<GC: freed 9 objects, 20512 bytes in 494 msec, 1% free>
<GC: expanded object space by 471040 to 2436296 bytes, 20% free>
<GC: expanded object space by 471040 to 2436296 bytes, 20% free>
<GC: freed 2 objects, 61456 bytes in 564 msec, 6% free>
<GC: expanded handle space by 167936 to 828208 bytes, 20% free>
<GC: freed 0 objects, 0 bytes in 1126 msec, 2% free>
<GC: expanded object space by 724992 to 3161288 bytes, 24% free>
<GC: freed 1 objects, 81928 bytes in 713 msec, 9% free>
<GC: expanded handle space by 208896 to 1037104 bytes, 20% free>
Paraffins (C18H38) with 18 carbon atoms: 60523 (22366 BCPs and 38157 CCPS)
<GC: freed 47 objects, 42216 bytes in 798 msec, 1% free>
<GC: expanded object space by 749568 to 3910856 bytes, 20% free>
<GC: freed 2 objects, 122896 bytes in 901 msec, 6% free>
<GC: expanded handle space by 262144 to 1299248 bytes, 20% free>
<GC: freed 0 objects, 0 bytes in 1971 msec, 0% free>
<GC: expanded object space by 978944 to 4889800 bytes, 20% free>
<GC: freed 1 objects, 163848 bytes in 1127 msec, 5% free>
<GC: expanded handle space by 327680 to 1626928 bytes, 20% free>
<GC: freed 0 objects, 0 bytes in 2110 msec, 0% free>
<GC: expanded object space by 1224704 to 6114504 bytes, 20% free>
<GC: freed 1 objects, 327688 bytes in 1382 msec, 5% free>
<GC: expanded object space by 1204224 to 7318728 bytes, 20% free>
<GC: freed 0 objects, 0 bytes in 2529 msec, 19% free>
<GC: expanded handle space by 409600 to 2036528 bytes, 20% free>
Paraffins (C19H40) with 19 carbon atoms: 148284 (0 BCPs and 148284 CCPS)
<GC: freed 41 objects, 11560 bytes in 1792 msec, 2% free>
<GC: expanded handle space by 512000 to 2548528 bytes, 20% free>
<GC: freed 2 objects, 30736 bytes in 1889 msec, 0% free>
<GC: expanded object space by 1802240 to 9120968 bytes, 20% free>
<GC: freed 3 objects, 286744 bytes in 2171 msec, 6% free>
<GC: expanded handle space by 638976 to 3187504 bytes, 20% free>
<GC: freed 0 objects, 0 bytes in 4539 msec, 4% free>
<GC: expanded object space by 2560000 to 11680968 bytes, 25% free>
<GC: freed 12 objects, 409656 bytes in 2659 msec, 11% free>
<GC: tried to expand handle space over limit>
<GC: totally out of heap space>
SIGSEGV 11* segmentation violation
si_signo [11]: SIGSEGV 11* segmentation violation
si_errno [0]: Error 0
si_code [1]: SEGV_ACCERR [addr: 0xedf66794]
stackbase=EFFFF99C, stackpointer=EFFFF680
Full thread dump:
"Finalizer thread" (TID:0xee300370, sys_thread_t:0xef460de0) prio=1
"Async Garbage Collector" (TID:0xee300318, sys_thread_t:0xef490de0) prio=1
"Idle thread" (TID:0xee3002a0, sys_thread_t:0xef4c0de0) prio=0
"clock handler" (TID:0xee3001f8, sys_thread_t:0xef4f0de0) prio=11
"main" (TID:0xee3000a0, sys_thread_t:0x74528) prio=5 *current thread*
java.lang.StringBuffer.ensureCapacity(StringBuffer.java)
java.lang.StringBuffer.append(StringBuffer.java)
java.lang.Throwable.toString(Throwable.java)
java.io.PrintStream.print(PrintStream.java)
java.io.PrintStream.println(PrintStream.java)
java.lang.Throwable.printStackTrace(Throwable.java)
java.lang.ThreadGroup.uncaughtException(ThreadGroup.java)
java.lang.ThreadGroup.uncaughtException(ThreadGroup.java)
Monitor Cache Dump:
java.io.PrintStream@EE3001D8/EE333970 (key=0xee3001d8): monitor owner: "main"
java.lang.StringBuffer@EE111F48/EEAE20E0 (key=0xee111f48): monitor owner: "main"
Registered Monitor Dump:
Finalize me queue lock: unowned
Thread queue lock: unowned
Class lock: unowned
Java stack lock: unowned
Code rewrite lock: unowned
Heap lock: monitor owner: "main"
Has finalization queue lock: unowned
Monitor IO lock: unowned
Child death monitor: unowned
Event monitor: unowned
I/O monitor: unowned
Alarm monitor: unowned
Waiting to be notified:
"clock handler"
Sbrk lock: unowned
Monitor cache lock: unowned
Monitor registry: monitor owner: "main"
Thread Alarm Q:
Abort
orbit 51 =>
============= test case code (from steve.heller@east) ======
is attatched in /export/bugtraq/etc/attached
The description field as copied from bug report 1228006 follows:
The following code causes a segv during runtime. The command to execute the code
is given following the code.
--------------
class Compute_Seconds {
public static double Compute( long milliseconds ) {
return (double) milliseconds / 1000.0;
}
}
class MyObject {
public long creation_time;
MyObject() {
creation_time = System.currentTimeMillis();
}
}
class createObjects {
public static void main( String args[] ) {
MyObject myArray[];
Long Number_Of_Objects = Long.valueOf( args[0] );
long elapsed_time = 0;
double time_in_seconds = 0.0;
double time_per_object = 0.0;
System.out.println("About to create objects.");
myArray = new MyObject[Number_Of_Objects.intValue()];
for (int i = 0; i < myArray.length; i++) {
myArray[i] = new MyObject();
}
System.out.println("Finished creating objects.");
elapsed_time = myArray[myArray.length-1].creation_time -
myArray[0].creation_time;
System.out.println("Elapsed time = " + elapsed_time + "milliseconds.");
time_in_seconds = Compute_Seconds.Compute( elapsed_time );
System.out.println("Which is " + time_in_seconds + " seconds.");
time_per_object = (double) elapsed_time /
Number_Of_Objects.doubleValue();
System.out.println("Time per object = " + time_per_object +
"milliseconds.");
}
}
-----------------------
Command: java createObjects 400000
--------
Output:
------
[216][wspace] ? java createObjects 400000
About to create objects.
SIGSEGV 11* segmentation violation
si_signo [11]: SIGSEGV 11* segmentation violation
si_errno [0]: Error 0
si_code [1]: SEGV_ACCERR [addr: 0xedf66734]
stackbase=EFFFF63C, stackpointer=EFFFF320
Full thread dump:
"Finalizer thread" (TID:0xee300358, sys_thread_t:0xef490de8) prio=1
"Async Garbage Collector" (TID:0xee300308, sys_thread_t:0xef4c0de8) prio=1
"Idle thread" (TID:0xee300290, sys_thread_t:0xef4f0de8) prio=0
"clock handler" (TID:0xee300098, sys_thread_t:0xef5b0de8) prio=11
"main" (TID:0xee300048, sys_thread_t:0x63dc0) prio=5 *current thread*
createObjects.main(createObjects.java:27)
Monitor Cache Dump:
Registered Monitor Dump:
Finalize me queue lock: unowned
Thread queue lock: unowned
Class lock: unowned
Java stack lock: unowned
Code rewrite lock: unowned
Heap lock: monitor owner: "main"
Has finalization queue lock: unowned
Monitor IO lock: unowned
Child death monitor: unowned
Event monitor: unowned
I/O monitor: unowned
Alarm monitor: unowned
Waiting to be notified:
"clock handler"
Sbrk lock: unowned
Monitor cache lock: unowned
Monitor registry: monitor owner: "main"
Thread Alarm Q:
Segmentation fault
There is a bug in gc.c, expandHandleSpace(). The specific bug is that it trys to
preallocate a huge amount (797K in this case), realizes that this number is so
big that it would put it beyond the mapped address range, so it bails out,
but not before setting the handle allocation pointer to the out-of-bounds
value. So the next handle allocation blows out. Fix described in the "Suggested
Fix" section.
There is a secondary bug in that the gc always uses the "preallocation factor",
never trying lesser values when the first attempt fails.
[Tim, 3/27/96:]
I had a test lying around that blew up the GC in this same way. This can be
used to check against the bug, although it isn't suitable for a regression test
as it always runs the system out of memory. I've been running it with
java_g -verbosegc createObjects 400000 -mx3M, and have verified that it
really does tickle this bug:
class Compute_Seconds {
public static double Compute( long milliseconds ) {
return (double) milliseconds / 1000.0;
}
}
class MyObject {
public long creation_time;
MyObject() {
creation_time = System.currentTimeMillis();
}
}
class createObjects {
public static void main( String args[] ) {
MyObject myArray[];
Long Number_Of_Objects = Long.valueOf( args[0] );
long elapsed_time = 0;
double time_in_seconds = 0.0;
double time_per_object = 0.0;
System.out.println("About to create objects.");
myArray = new MyObject[Number_Of_Objects.intValue()];
for (int i = 0; i < myArray.length; i++) {
myArray[i] = new MyObject();
}
System.out.println("Finished creating objects.");
elapsed_time = myArray[myArray.length-1].creation_time -
myArray[0].creation_time;
System.out.println("Elapsed time = " + elapsed_time + "milliseconds.");
time_in_seconds = Compute_Seconds.Compute( elapsed_time );
System.out.println("Which is " + time_in_seconds + " seconds.");
time_per_object = (double) elapsed_time /
Number_Of_Objects.doubleValue();
System.out.println("Time per object = " + time_per_object +
"milliseconds.");
}
}
[Derek's original test case -- I don't currently have access to this -- Tim]
============= running test case ======
orbit 50 =>java -verbosegc Paraffins
Paraffins (C0H2) with 0 carbon atoms: 1 (1 BCPs and 0 CCPS)
... 1-15 ommited ...
Paraffins (C16H34) with 16 carbon atoms: 10359 (4005 BCPs and 6354 CCPS)
<GC: freed 739 objects, 145240 bytes in 376 msec, 19% free>
<GC: expanded object space by 86016 to 924872 bytes, 27% free>
<GC: freed 1 objects, 20488 bytes in 211 msec, 20% free>
<GC: expanded handle space by 53248 to 262960 bytes, 20% free>
<GC: freed 1 objects, 40968 bytes in 206 msec, 4% free>
<GC: expanded object space by 192512 to 1117384 bytes, 20% free>
<GC: freed 0 objects, 0 bytes in 421 msec, 16% free>
<GC: expanded handle space by 69632 to 332592 bytes, 20% free>
<GC: freed 0 objects, 0 bytes in 442 msec, 1% free>
<GC: expanded object space by 430080 to 1547464 bytes, 28% free>
<GC: freed 1 objects, 81928 bytes in 282 msec, 20% free>
<GC: expanded handle space by 86016 to 418608 bytes, 20% free>
Paraffins (C17H36) with 17 carbon atoms: 24894 (0 BCPs and 24894 CCPS)
<GC: freed 41 objects, 42136 bytes in 362 msec, 5% free>
<GC: expanded handle space by 106496 to 525104 bytes, 20% free>
<GC: freed 0 objects, 0 bytes in 723 msec, 3% free>
<GC: expanded object space by 417792 to 1965256 bytes, 23% free>
<GC: freed 2 objects, 122896 bytes in 442 msec, 8% free>
<GC: expanded handle space by 135168 to 660272 bytes, 20% free>
<GC: freed 9 objects, 20512 bytes in 494 msec, 1% free>
<GC: expanded object space by 471040 to 2436296 bytes, 20% free>
<GC: expanded object space by 471040 to 2436296 bytes, 20% free>
<GC: freed 2 objects, 61456 bytes in 564 msec, 6% free>
<GC: expanded handle space by 167936 to 828208 bytes, 20% free>
<GC: freed 0 objects, 0 bytes in 1126 msec, 2% free>
<GC: expanded object space by 724992 to 3161288 bytes, 24% free>
<GC: freed 1 objects, 81928 bytes in 713 msec, 9% free>
<GC: expanded handle space by 208896 to 1037104 bytes, 20% free>
Paraffins (C18H38) with 18 carbon atoms: 60523 (22366 BCPs and 38157 CCPS)
<GC: freed 47 objects, 42216 bytes in 798 msec, 1% free>
<GC: expanded object space by 749568 to 3910856 bytes, 20% free>
<GC: freed 2 objects, 122896 bytes in 901 msec, 6% free>
<GC: expanded handle space by 262144 to 1299248 bytes, 20% free>
<GC: freed 0 objects, 0 bytes in 1971 msec, 0% free>
<GC: expanded object space by 978944 to 4889800 bytes, 20% free>
<GC: freed 1 objects, 163848 bytes in 1127 msec, 5% free>
<GC: expanded handle space by 327680 to 1626928 bytes, 20% free>
<GC: freed 0 objects, 0 bytes in 2110 msec, 0% free>
<GC: expanded object space by 1224704 to 6114504 bytes, 20% free>
<GC: freed 1 objects, 327688 bytes in 1382 msec, 5% free>
<GC: expanded object space by 1204224 to 7318728 bytes, 20% free>
<GC: freed 0 objects, 0 bytes in 2529 msec, 19% free>
<GC: expanded handle space by 409600 to 2036528 bytes, 20% free>
Paraffins (C19H40) with 19 carbon atoms: 148284 (0 BCPs and 148284 CCPS)
<GC: freed 41 objects, 11560 bytes in 1792 msec, 2% free>
<GC: expanded handle space by 512000 to 2548528 bytes, 20% free>
<GC: freed 2 objects, 30736 bytes in 1889 msec, 0% free>
<GC: expanded object space by 1802240 to 9120968 bytes, 20% free>
<GC: freed 3 objects, 286744 bytes in 2171 msec, 6% free>
<GC: expanded handle space by 638976 to 3187504 bytes, 20% free>
<GC: freed 0 objects, 0 bytes in 4539 msec, 4% free>
<GC: expanded object space by 2560000 to 11680968 bytes, 25% free>
<GC: freed 12 objects, 409656 bytes in 2659 msec, 11% free>
<GC: tried to expand handle space over limit>
<GC: totally out of heap space>
SIGSEGV 11* segmentation violation
si_signo [11]: SIGSEGV 11* segmentation violation
si_errno [0]: Error 0
si_code [1]: SEGV_ACCERR [addr: 0xedf66794]
stackbase=EFFFF99C, stackpointer=EFFFF680
Full thread dump:
"Finalizer thread" (TID:0xee300370, sys_thread_t:0xef460de0) prio=1
"Async Garbage Collector" (TID:0xee300318, sys_thread_t:0xef490de0) prio=1
"Idle thread" (TID:0xee3002a0, sys_thread_t:0xef4c0de0) prio=0
"clock handler" (TID:0xee3001f8, sys_thread_t:0xef4f0de0) prio=11
"main" (TID:0xee3000a0, sys_thread_t:0x74528) prio=5 *current thread*
java.lang.StringBuffer.ensureCapacity(StringBuffer.java)
java.lang.StringBuffer.append(StringBuffer.java)
java.lang.Throwable.toString(Throwable.java)
java.io.PrintStream.print(PrintStream.java)
java.io.PrintStream.println(PrintStream.java)
java.lang.Throwable.printStackTrace(Throwable.java)
java.lang.ThreadGroup.uncaughtException(ThreadGroup.java)
java.lang.ThreadGroup.uncaughtException(ThreadGroup.java)
Monitor Cache Dump:
java.io.PrintStream@EE3001D8/EE333970 (key=0xee3001d8): monitor owner: "main"
java.lang.StringBuffer@EE111F48/EEAE20E0 (key=0xee111f48): monitor owner: "main"
Registered Monitor Dump:
Finalize me queue lock: unowned
Thread queue lock: unowned
Class lock: unowned
Java stack lock: unowned
Code rewrite lock: unowned
Heap lock: monitor owner: "main"
Has finalization queue lock: unowned
Monitor IO lock: unowned
Child death monitor: unowned
Event monitor: unowned
I/O monitor: unowned
Alarm monitor: unowned
Waiting to be notified:
"clock handler"
Sbrk lock: unowned
Monitor cache lock: unowned
Monitor registry: monitor owner: "main"
Thread Alarm Q:
Abort
orbit 51 =>
============= test case code (from steve.heller@east) ======
is attatched in /export/bugtraq/etc/attached
The description field as copied from bug report 1228006 follows:
The following code causes a segv during runtime. The command to execute the code
is given following the code.
--------------
class Compute_Seconds {
public static double Compute( long milliseconds ) {
return (double) milliseconds / 1000.0;
}
}
class MyObject {
public long creation_time;
MyObject() {
creation_time = System.currentTimeMillis();
}
}
class createObjects {
public static void main( String args[] ) {
MyObject myArray[];
Long Number_Of_Objects = Long.valueOf( args[0] );
long elapsed_time = 0;
double time_in_seconds = 0.0;
double time_per_object = 0.0;
System.out.println("About to create objects.");
myArray = new MyObject[Number_Of_Objects.intValue()];
for (int i = 0; i < myArray.length; i++) {
myArray[i] = new MyObject();
}
System.out.println("Finished creating objects.");
elapsed_time = myArray[myArray.length-1].creation_time -
myArray[0].creation_time;
System.out.println("Elapsed time = " + elapsed_time + "milliseconds.");
time_in_seconds = Compute_Seconds.Compute( elapsed_time );
System.out.println("Which is " + time_in_seconds + " seconds.");
time_per_object = (double) elapsed_time /
Number_Of_Objects.doubleValue();
System.out.println("Time per object = " + time_per_object +
"milliseconds.");
}
}
-----------------------
Command: java createObjects 400000
--------
Output:
------
[216][wspace] ? java createObjects 400000
About to create objects.
SIGSEGV 11* segmentation violation
si_signo [11]: SIGSEGV 11* segmentation violation
si_errno [0]: Error 0
si_code [1]: SEGV_ACCERR [addr: 0xedf66734]
stackbase=EFFFF63C, stackpointer=EFFFF320
Full thread dump:
"Finalizer thread" (TID:0xee300358, sys_thread_t:0xef490de8) prio=1
"Async Garbage Collector" (TID:0xee300308, sys_thread_t:0xef4c0de8) prio=1
"Idle thread" (TID:0xee300290, sys_thread_t:0xef4f0de8) prio=0
"clock handler" (TID:0xee300098, sys_thread_t:0xef5b0de8) prio=11
"main" (TID:0xee300048, sys_thread_t:0x63dc0) prio=5 *current thread*
createObjects.main(createObjects.java:27)
Monitor Cache Dump:
Registered Monitor Dump:
Finalize me queue lock: unowned
Thread queue lock: unowned
Class lock: unowned
Java stack lock: unowned
Code rewrite lock: unowned
Heap lock: monitor owner: "main"
Has finalization queue lock: unowned
Monitor IO lock: unowned
Child death monitor: unowned
Event monitor: unowned
I/O monitor: unowned
Alarm monitor: unowned
Waiting to be notified:
"clock handler"
Sbrk lock: unowned
Monitor cache lock: unowned
Monitor registry: monitor owner: "main"
Thread Alarm Q:
Segmentation fault
Attachments
Issue Links
- duplicates
-
JDK-1228006 large number of objects causes crash.
-
- Closed
-