JVM crashes in JIT compiled code without hs_err_pid file

Alexandr Miloslavskiy alexandr.miloslavskiy at syntevo.com
Sat Feb 18 21:13:38 UTC 2023 

A single customer reports frequent crashes where hs_err_pid file is not 
created.

The JDK is Zulu17.32+13-CA (build 17.0.2+8-LTS).

We have studied Windows Event log and it indeed shows numerous crashes.
We have then configured WER to capture a minidump and I studied it.

The crash occurs in JIT generated code:
----
00000000`0e11f2c1 49ba401a3f93fd7f0000 mov r10,offset jvm+0x2d1a40 
(00007ffd`933f1a40)
00000000`0e11f2cb 41ffd2          call    r10
00000000`0e11f2ce 6690            nop
00000000`0e11f2d0 41b801000000    mov     r8d,1
00000000`0e11f2d6 448b542424      mov     r10d,dword ptr [rsp+24h]
00000000`0e11f2db 4183c230        add     r10d,30h
00000000`0e11f2df 90              nop
00000000`0e11f2e0 443b542428      cmp     r10d,dword ptr [rsp+28h]
00000000`0e11f2e5 0f8d81160000    jge     00000000`0e12096c
00000000`0e11f2eb 418bd8          mov     ebx,r8d
00000000`0e11f2ee 448b5c2420      mov     r11d,dword ptr [rsp+20h]
00000000`0e11f2f3 488b742458      mov     rsi,qword ptr [rsp+58h]
00000000`0e11f2f8 8b4c2428        mov     ecx,dword ptr [rsp+28h]
00000000`0e11f2fc 4c8b442460      mov     r8,qword ptr [rsp+60h]
00000000`0e11f301 8bc3            mov     eax,ebx
00000000`0e11f303 4c8b6c2468      mov     r13,qword ptr [rsp+68h]
00000000`0e11f308 43807c131070    cmp     byte ptr [r11+r10+10h],70h
00000000`0e11f30e 0f8471000000    je      00000000`0e11f385
00000000`0e11f314 418b5e2c        mov     ebx,dword ptr [r14+2Ch]
00000000`0e11f318 8b6b0c          mov     ebp,dword ptr [rbx+0Ch]
00000000`0e11f31b 3bc5            cmp     eax,ebp
00000000`0e11f31d 666690          nop
00000000`0e11f320 0f85df0c0000    jne     00000000`0e120005
00000000`0e11f326 4c8b4c2430      mov     r9,qword ptr [rsp+30h]
00000000`0e11f32b 418b410c        mov     eax,dword ptr [r9+0Ch]
----

It crashes on this instruction:
00000000`0e11f32b 418b410c        mov     eax,dword ptr [r9+0Ch]

Because r9 is NULL. Looks like implicit null exception to me, which 
should have been handled by JVM.

I have then investigated if JVM's crash handler is installed properly.
In the minidump, the following can be seen in 'FunctionTableStream'
* MinimumAddress=0000000005CD0000 MaximumAddress=0000000014CD0000 
BaseAddress=0000000005CD0000
* * BeginAddress=0000000000000000 EndAddress=000000000F000000 
UnwindData=000000000000039C

This looks like valid handler installed via 'os::register_code_area'. At 
least when I inspect 'os::register_code_area' on my machine, it 
registers very similar values.

At this point, I think I need advice. What could go wrong in JVM so that 
it neither handles this exception nor crashes into hs_err_pid and 
instead lets Windows handle the crash?

More information about the hotspot-dev mailing list