RFR (XXS): 8016474: Crash in sun.reflect.UnsafeObjectFieldAccessorImpl.get

Christian Thalinger christian.thalinger at oracle.com
Fri Jul 26 14:00:36 PDT 2013 

On Jul 25, 2013, at 11:36 AM, Igor Veresov <iggy.veresov at gmail.com> wrote:

> 
> On Jul 25, 2013, at 9:34 AM, Christian Thalinger <christian.thalinger at oracle.com> wrote:
> 
>> 
>> On Jul 24, 2013, at 10:46 PM, Igor Veresov <iggy.veresov at gmail.com> wrote:
>> 
>>> I haven't looked at it after the perm gen removal but shouldn't all klasses be of type T_METADATA or something?
>>> May be the code wasn't updated since then?
>> 
>> Yes, I think that's the case but T_ADDRESS handles klass pointers right now (see LIR_Assembler::mem2reg).
> 
> Ah, indeed it is. I didn't notice that. Thanks for pointing this out. It's dangerously relying on a specific offset though.
> 
>> 
>>> 
>>> The code dereferences src_klass (line 2301), which is of type T_OBJECT. The value of src_klass is read from memory of type T_ADDRESS. The result of the move seems to have the type of the first argument, so it would seem that if it's T_ADDRESS no decompression is going to happen and the deference is going to be problematic. Or does it work differently?
>> 
>> Why would there be no decoding?  As mentioned above the logic of decoding klass pointers is all in LIR_Assembler::mem2reg.  Maybe we should also change this, though:
>> 
>> -      LIR_Opr src_klass = new_register(T_OBJECT);
>> +      LIR_Opr src_klass = new_register(T_ADDRESS);
>> 
> 
> It probably should be T_METADATA? It can't be T_ADDRESS because it wouldn't be exposed in register maps for GC.

By register maps you mean oop maps?  The read is the G1 pre-barrier code and is only used for a type check. It doesn't live beyond that point.

-- Chris

> 
> igor 
> 
> 
> 
>> -- Chris
>> 
>>> 
>>> igor
>>> 
>>> On Jul 24, 2013, at 2:37 PM, Christian Thalinger <christian.thalinger at oracle.com> wrote:
>>> 
>>>> http://cr.openjdk.java.net/~twisti/8016474
>>>> 
>>>> 8016474: Crash in sun.reflect.UnsafeObjectFieldAccessorImpl.get
>>>> Summary: C1's GetUnsafeObject G1 pre-barrier uses the wrong type to read the klass pointer.
>>>> Reviewed-by:
>>>> 
>>>> There is a bug in C1's GetUnsafeObject G1 pre-barrier code.  If UseCompressedKlassPointers is on we use T_OBJECT to read the klass pointer of the object.  If we also use a different object alignment like 16 or 32 (-XX:ObjectAlignmentInBytes=16) the klass pointer gets decoded with the wrong shift resulting in a wrong pointer and a crash.
>>>> 
>>>> The fix is to always use T_ADDRESS for klass pointer reads.
>>>> 
>>>> src/share/vm/c1/c1_LIRGenerator.cpp
>>>> test/compiler/unsafe/GetUnsafeObjectG1PreBarrier.java
>>>> 
>>> 
>> 
>

More information about the hotspot-compiler-dev mailing list