RFR (S): JDK-8152949: Jigsaw crash when Klass in _fixup_module_field_list is unloaded

Lois Foltan lois.foltan at oracle.com
Wed Apr 20 21:06:03 UTC 2016 

On 4/20/2016 4:23 PM, harold seigel wrote:
> Hi Lois,
>
> Your changes look good.

Thank you Harold for the review!
Lois

>
> Harold
>
> On 4/20/2016 8:24 AM, Coleen Phillimore wrote:
>>
>>
>> On 4/20/16 6:42 AM, Lois Foltan wrote:
>>>
>>> On 4/19/2016 4:24 PM, Coleen Phillimore wrote:
>>>>
>>>> Hi, this is getting long.
>>>>
>>>> On 4/19/16 3:48 PM, Lois Foltan wrote:
>>>>>
>>>>> On 4/18/2016 10:11 PM, David Holmes wrote:
>>>>>> Hi Lois,
>>>>>>
>>>>>> On 19/04/2016 6:25 AM, Lois Foltan wrote:
>>>>>>>
>>>>>>> On 4/18/2016 7:31 AM, Lois Foltan wrote:
>>>>>>>>
>>>>>>>> On 4/18/2016 3:06 AM, Stefan Karlsson wrote:
>>>>>>>>> On 2016-04-15 21:45, Alan Bateman wrote:
>>>>>>>>>>
>>>>>>>>>> On 15/04/2016 18:02, Lois Foltan wrote:
>>>>>>>>>>>
>>>>>>>>>>> Hi Stefan,
>>>>>>>>>>>
>>>>>>>>>>> In start up before module system initialization in complete I
>>>>>>>>>>> believe the VM is single threaded, so the increment/decrement
>>>>>>>>>>> reference counts do not need to be atomic. Adding it is a
>>>>>>>>>>> defensive move in case the reference count is ever used passed
>>>>>>>>>>> start up in the future.  It kind of does seem a bit excessive,
>>>>>>>>>>> sounds like you agree?
>>>>>>>>>> There will be a number of threads running before the base 
>>>>>>>>>> module is
>>>>>>>>>> defined to the VM. As things stand the the java threads at this
>>>>>>>>>> point will be the Common-Cleaner, Finalizer, Reference 
>>>>>>>>>> Handler and
>>>>>>>>>> Signal Handler.
>>>>>>>>>
>>>>>>>>> So, are you saying that we need the atomics?
>>>>>>>>>
>>>>>>>>> The java_lang_Class::create_mirror function isn't multi-thread 
>>>>>>>>> safe,
>>>>>>>>> and must already be guarded by a lock (SystemDictionary_lock 
>>>>>>>>> AFAICT).
>>>>>>>>> The increment in Unsafe_DefineAnonymousClass0, will only be done
>>>>>>>>> once, for the single InstanceKlass instance in the CLD. And 
>>>>>>>>> all reads
>>>>>>>>> of _keep_alive from the GC are done during safepoints.
>>>>>>>> The anonymous class is inserted in the fixup mirror and fixup 
>>>>>>>> module
>>>>>>>> lists during java_lang_Class::create_mirror() before it is made 
>>>>>>>> public
>>>>>>>> or "published" as loaded.  So the two instances where the 
>>>>>>>> reference
>>>>>>>> count is incremented, Unsafe_DefineAnonymousClass0 and in
>>>>>>>> java_lang_Class::create_mirror(), are guarded by a lock as well 
>>>>>>>> as the
>>>>>>>> decrement in Unsafe_DefineAnonymousClass0.  No other thread has 
>>>>>>>> access
>>>>>>>> to the class during this time, as it is being loaded.
>>>>>>>>>
>>>>>>>>> How does ModuleEntryTable::patch_javabase_entries guard against
>>>>>>>>> concurrent inserts into the _fixup_module_field_list list?
>>>>>>>> That leaves the decrement in
>>>>>>>> ModuleEntryTable::patch_javabase_entries() as possibly 
>>>>>>>> unguarded. This
>>>>>>>> only occurs when the VM is called to define the module 
>>>>>>>> java.base.  I
>>>>>>>> believe this should be okay but will double check.
>>>>>>>
>>>>>>> One small change in modules.cpp/define_javabase_module() to 
>>>>>>> ensure that
>>>>>>> only one definition attempt of java.base will occur and thus 
>>>>>>> only one
>>>>>>> call to ModuleEntryTable::patch_javabase_entries(). If a situation
>>>>>>> arises where java.base is trying to be multiply defined, 
>>>>>>> according to
>>>>>>> the expected error conditions for JVM_DefineModule(), an
>>>>>>> IllegalArgumentException should be thrown.
>>>>>>>
>>>>>>> I have also added a comment in classfile/classLoaderData.hpp 
>>>>>>> explaining
>>>>>>> why _keep_alive does need to be defined volatile or atomic.
>>>>>>
>>>>>> Can you add assertions to check that _keep_alive is only modified 
>>>>>> under the protection of the lock (with a special case perhaps for 
>>>>>> the unguarded java.base case) ?
>>>>>
>>>>> Hi David,
>>>>>
>>>>> Thanks for the review.  I misspoke when I indicated that the two 
>>>>> increments and the one decrement of the reference counter that 
>>>>> occur during a call to the Unsafe_DefineAnonymous0() method were 
>>>>> guarded under a lock. However, due to the way anonymous classes 
>>>>> are created only a single non-GC thread will have access to the 
>>>>> _keep_alive field during this time.  And as Stefan indicates 
>>>>> above, all reads of _keep_alive from the GC are done during 
>>>>> safepoints.  Each anonymous class, when defined, has a dedicated 
>>>>> ClassLoaderData created for it. No other class shares the 
>>>>> anonymous class' name or CLD. Due to this uniqueness, no other 
>>>>> thread has knowledge about this anonymous class while it is being 
>>>>> defined.  It is only upon return from Unsafe_DefineAnonymous0(), 
>>>>> that the anonymous class exists and other threads, at that point, 
>>>>> can potentially access it.
>>>>>
>>>>
>>>> Ah interesting.  Currently, this is true and why this is safe. If 
>>>> we change the JVM to have *some* anonymous classes share CLD with 
>>>> their host_class because the lifetimes are the same, then we'll 
>>>> have to use atomic operations.
>>>>
>>>> http://cr.openjdk.java.net/~lfoltan/bug_jdk8152949_1/src/share/vm/classfile/classLoaderData.cpp.udiff.html 
>>>>
>>>>
>>>> Can you put one comment directly above the inc_keep_alive() and 
>>>> dec_keep_alive() functions to this effect here, just so we remember?
>>>
>>> Hi Coleen,
>>>
>>> I will add the comment before I commit.  I might expand a bit on 
>>> your last sentence a bit.
>>
>> Apparently the comment is false because we don't need the alive count 
>> for non-anonymous ClassLoaderData ... there are more replies to this 
>> thread.
>>
>> So maybe take out my last suggested sentence.
>>
>> Coleen
>>>
>>>>
>>>> // Anonymous classes have their own ClassLoaderData that is marked 
>>>> to keep alive while the class is being parsed, and
>>>> // if the class appears on the module fixup list.
>>>> // If anonymous classes are changed to share with host_class, this 
>>>> refcount needs to be changed to use atomic operations.
>>>>
>>>> *+ void ClassLoaderData::inc_keep_alive() {*
>>>> *+ assert(_keep_alive >= 0, "Invalid keep alive count");*
>>>> *+ _keep_alive++;*
>>>> *+ }*
>>>> *+ *
>>>> *+ void ClassLoaderData::dec_keep_alive() {*
>>>> *+ assert(_keep_alive > 0, "Invalid keep alive count");*
>>>> *+ _keep_alive--;*
>>>> *+ }*
>>>> *+ *
>>>>
>>>> More below.
>>>>
>>>>> Thanks,
>>>>> Lois
>>>>>
>>>>>>
>>>>>> Thanks,
>>>>>> David
>>>>>>
>>>>>>> Please review at:
>>>>>>>
>>>>>>> http://cr.openjdk.java.net/~lfoltan/bug_jdk8152949_1/
>>>>
>>>> http://cr.openjdk.java.net/~lfoltan/bug_jdk8152949_1/src/share/vm/classfile/modules.cpp.frames.html 
>>>>
>>>>
>>>> I'm not sure how this relates to the bug.
>>>
>>> This change ensures that java.base will not be multiply defined and 
>>> thus only one call to ModuleEntryTable::patch_javabase_entries() 
>>> will occur.  A decrement of the reference count happens when an 
>>> anonymous class is on the fixup module list post patching it with 
>>> java.base
>>>
>>>>
>>>> Otherwise, the change looks good.
>>>
>>> Thanks again!
>>>
>>>>
>>>> Thanks,
>>>> Coleen
>>>>
>>>>
>>>>>>>
>>>>>>> Retesting in progress.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Lois
>>>>>>>
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Lois
>>>>>>>>
>>>>>>>>>
>>>>>>>>> thanks,
>>>>>>>>> StefanK
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> -Alan
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>
>>>>
>>>
>>
>

More information about the hotspot-dev mailing list