RFR (XXS): 8016474: Crash in sun.reflect.UnsafeObjectFieldAccessorImpl.get

Igor Veresov iggy.veresov at gmail.com
Wed Jul 24 22:46:09 PDT 2013


I haven't looked at it after the perm gen removal, but shouldn't all klasses be of type T_METADATA or something?
Maybe the code wasn't updated since then?

The code dereferences src_klass (line 2301), which is of type T_OBJECT. The value of src_klass is read from memory of type T_ADDRESS. The result of the move seems to have the type of the first argument, so it would seem that if it's T_ADDRESS no decompression is going to happen and the dereference is going to be problematic. Or does it work differently?

igor

On Jul 24, 2013, at 2:37 PM, Christian Thalinger <christian.thalinger at oracle.com> wrote:

> http://cr.openjdk.java.net/~twisti/8016474
> 
> 8016474: Crash in sun.reflect.UnsafeObjectFieldAccessorImpl.get
> Summary: C1's GetUnsafeObject G1 pre-barrier uses the wrong type to read the klass pointer.
> Reviewed-by:
> 
> There is a bug in C1's GetUnsafeObject G1 pre-barrier code.  If UseCompressedKlassPointers is on we use T_OBJECT to read the klass pointer of the object.  If we also use a different object alignment like 16 or 32 (-XX:ObjectAlignmentInBytes=16) the klass pointer gets decoded with the wrong shift resulting in a wrong pointer and a crash.
> 
> The fix is to always use T_ADDRESS for klass pointer reads.
> 
> src/share/vm/c1/c1_LIRGenerator.cpp
> test/compiler/unsafe/GetUnsafeObjectG1PreBarrier.java
> 
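A small C model of the shift mismatch described in the quoted summary, added here as an illustration and not taken from HotSpot: it assumes oops and klass pointers share one encoding base, that klass pointers are always 8-byte aligned (shift 3), and that oops are shifted by log2(ObjectAlignmentInBytes); all names and sample addresses are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Compressed-pointer encoding model (constructed, not HotSpot source):
 * a 64-bit address is stored as a 32-bit (addr - base) >> shift. */
typedef struct {
    uint64_t base;
    unsigned shift;
} encoding_t;

static uint32_t encode_ptr(encoding_t e, uint64_t addr) {
    return (uint32_t)((addr - e.base) >> e.shift);
}

static uint64_t decode_ptr(encoding_t e, uint32_t narrow) {
    return e.base + ((uint64_t)narrow << e.shift);
}

static unsigned log2u(unsigned v) {
    unsigned r = 0;
    while (v > 1) { v >>= 1; r++; }
    return r;
}

/* Store a klass pointer with the klass encoding (fixed 8-byte alignment),
 * then decode it with the oop encoding, i.e. the T_OBJECT mistake.
 * Returns the address the barrier would actually dereference. */
static uint64_t decode_klass_as_oop(unsigned object_alignment,
                                    uint64_t base, uint64_t klass_addr) {
    encoding_t klass_enc = { base, 3 };                      /* assumption */
    encoding_t oop_enc   = { base, log2u(object_alignment) }; /* assumption */
    uint32_t narrow = encode_ptr(klass_enc, klass_addr);
    return decode_ptr(oop_enc, narrow);
}

/* 1 if the mismatched decode still yields the right address (alignment 8),
 * 0 if it yields a wrong pointer (alignment 16, 32, ...). */
static int oop_decode_of_klass_is_correct(unsigned object_alignment) {
    const uint64_t base  = 0x100000000ULL;  /* constructed sample base */
    const uint64_t klass = base + 0x1000;   /* constructed sample klass */
    return decode_klass_as_oop(object_alignment, base, klass) == klass;
}

int main(void) {
    unsigned aligns[] = { 8, 16, 32 };
    for (unsigned i = 0; i < 3; i++)
        printf("ObjectAlignmentInBytes=%u: klass decode via T_OBJECT %s\n",
               aligns[i], oop_decode_of_klass_is_correct(aligns[i]) ? "ok" : "WRONG");
    return 0;
}
```

With the default 8-byte alignment both shifts are 3, which is why the mismatch only surfaces once -XX:ObjectAlignmentInBytes=16 or larger changes the oop shift.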


