RFR: JDK-8222545: Safe klass asserts

Per Liden per.liden at oracle.com
Thu Apr 18 12:45:33 UTC 2019 

Hi Roman,

On 4/18/19 1:45 PM, Roman Kennke wrote:
>>> To add a little more detail, I could move the change up into 
>>> is_objArray(), but I don't want to expose it to any non-assert paths. 
>>> Therefore I could do 2 different impls there, guarded by #ifdef 
>>> ASSERT but I don't think it's a good idea to behave differently under 
>>> ASSERT, that kindof defeats the point of assert, right?
>>>
>>> What do you think ?
>>
>> I don't follow your argument. Under asserts you need to access the 
>> klass pointer "safely" but otherwise you do not. So there are two 
>> behaviours related to accessing the klass pointer anyway. I'd rather 
>> see that encapsulated in the accessor.
>>
>> I assume it's not just asserts but any debug only code that wants to 
>> access the klass pointer.
> 
> In general, for any runtime calls into oopDesc::klass() the access 
> should be safe. The acrobatics is only necessary for *GC-internal* 

This is the part I don't quite understand, and goes back to my initial 
question. Why are you doing these operations on from-space objects? I'm 
thinking you should be in a position in the GC to make sure this can 
never happen. If you need to do that in the GC (which is fine), then the 
GC could apply a "resolve" function to get the to-space object, and call 
size() (or whatever) on that object. This shouldn't have to leak out of 
the GC, right?

cheers,
Per

> calls, which can happen in 'unsafe' situations, where decoding the 
> Klass* would be necessary. The way I do it is to call into acccessors 
> like size_given_klass() or the oop_oop_iterate() methods, that take a 
> pre-resolved Klass* as argument. But that only works if those code-paths 
> don't call into klass() themselves. This is what this patch addresses.
> 
> I guess we could put the call via safe_klass() into the accessors, but 
> it would widen its exposure unnecessarily. If we don't want special 
> paths for ASSERT via non-ASSERT there, it could actually be done in the 
> GC backend I suppose, but the way I proposed it seems minimal exposure 
> of GC fluff.
> 
> Alternatively, it could be argued that we're in the Klass* instance 
> already anyway, and what is the point of asserting it again, but I also 
> see that we might want to ensure that we're not calling anything 
> typeArray-ish on an objArray by accident.
> 
> Roman
> 
>> Thanks,
>> David
>> -----
>>
>>> Roman
>>>
>>>
>>> Am 17. April 2019 18:59:09 MESZ schrieb Roman Kennke 
>>> <rkennke at redhat.com>:
>>>
>>>             Various code paths in oopDesc, Klass and their subclasses 
>>> assert
>>>             something that fetches the object's _klass field. With 
>>> upcoming
>>>             Shenandoah's changes this is not always safe and requires an
>>>             additional
>>>             indirection.
>>>
>>>             The trouble here is that we can, for example, call
>>>             Klass::oop_oop_iterate() with a pre-resolved Klass*, 
>>> instead of
>>>             oopDesc::oop_iterate() which would call oopDesc::klass() on
>>>             its own,
>>>             which would be racy on some GC internal call paths, but 
>>> we can't
>>>             (currently) control some calls to klass() further down the
>>>             call stack
>>>             (all in asserts).
>>>
>>>             We'd also like a way to ensure that non-GC calls to klass()
>>>             are sane.
>>>
>>>             Bug:
>>>             https://bugs.openjdk.java.net/browse/JDK-8222545
>>>             Webrev:
>>>             http://cr.openjdk.java.net/~rkennke/JDK-8222545/webrev.00/
>>>             Testing:
>>>             hotspot_gc_shenandoah with and without the prototype,
>>>             hotspot/tier1
>>>
>>>             The change introduces only two ASSERT-level GC-interfaces,
>>>             and afaict,
>>>             this with JDK-8222537 will be all that we need for the 
>>> upcoming
>>>             elimination of forward pointers in Shenandoah. Notice that
>>>             one assert in
>>>             objArrayKlass is strengthened from is_array() to
>>>             is_objArray(), but that
>>>             seems only sane in that context.
>>>
>>>             Can I please get reviews?
>>>
>>>
>>>         This looks very awkward to me. Using:
>>>
>>>         Universe::heap()->safe_klass(obj)->is_objArray_klass()
>>>
>>>         instead of the obvious:
>>>
>>>         obj->is_objArray()
>>>
>>>         is very unintuitive. Can this not be handled inside is_objArray
>>>         (and
>>>         is_typeArray) ?
>>>
>>>
>>>     Not really. Then it would get exposed to many more code paths, 
>>> most of
>>>     which don't actually need it/don't want it, and many of which are
>>>     outside of asserts, and rely on the usual klass() with the sanity 
>>> assert
>>>     there instead. I am open for suggestions, but it would have to be
>>>     restricted to ASSERT code IMO, and ideally with as few as 
>>> possible GC
>>>     interface additions.
>>>
>>>     Roman
>>>
>>>
>>> -- 
>>> Diese Nachricht wurde von meinem Android-Gerät mit K-9 Mail gesendet.

More information about the hotspot-gc-dev mailing list