[jdk19] Integrated: 8290867: Race freeing remembered set segments

Thomas Schatzl tschatzl at openjdk.org
Wed Aug 3 14:29:15 UTC 2022


On Fri, 22 Jul 2022 10:43:19 GMT, Thomas Schatzl <tschatzl at openjdk.org> wrote:

> Hi all,
> 
>   please review this fix for a crash due to a race in remembered set segment deallocation. Here is the description (provided by chaeubl as reported):
> 
> - Thread A executes `G1SegmentedArray::create_new_segment` and tries to pop an element from the `_free_segment_list`. For that, thread A executes `LockFreeStack::pop()`
> - Thread A reads `LockFreeStack::top()`
> - Thread B executes `LockFreeStack::pop()`, also reads `LockFreeStack::top()` and pops that element from the stack
> - Thread B executes `Atomic::cmpxchg(&_first, prev, next);` in `G1SegmentedArray::create_new_segment` but it fails because another thread already registered a different segment
> - Thread B calls `G1SegmentedArraySegment::delete_segment` and frees the value
> - Thread A tries to access `top()->next` in `LockFreeStack::pop()`, which causes a segfault because `top()` was freed by thread B 
> 
> The fix is to delay the deletion of that memory segment until all readers (i.e. in `G1SegmentedArrayFreeList::get` calling `_list.pop()`) drop the references to that memory segment. The readers are already guarded by a `CriticalSection`.
> 
> Testing: tier1-5 running; a reproducer that adds extra delays to significantly widen the window in which this race can occur passes on BigRAMTester (otherwise it crashes in a few seconds)
> 
> Thanks,
>   Thomas

This pull request has now been integrated.

Changeset: e265b2a2
Author:    Thomas Schatzl <tschatzl at openjdk.org>
URL:       https://git.openjdk.org/jdk19/commit/e265b2a2918f39a1d9afdb6a473c2d8d657cbb8c
Stats:     6 lines in 1 file changed: 6 ins; 0 del; 0 mod

8290867: Race freeing remembered set segments

Reviewed-by: kbarrett, sangheki

-------------

PR: https://git.openjdk.org/jdk19/pull/152
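As an added illustration (not the page's or OpenJDK's code), the interleaving from the description above and the deferred-deletion fix, using a simplified reader-count reclamation scheme in place of HotSpot's critical-section machinery; all type and function names here are assumptions.

```cpp
#include <atomic>
#include <mutex>
#include <vector>
struct Segment { Segment* next; };
// Treiber-style lock-free stack standing in for G1's `_free_segment_list`.
struct FreeList {
  std::atomic<Segment*> top{nullptr};
  void push(Segment* s) { s->next = top.load(); while (!top.compare_exchange_weak(s->next, s)) {} }
  // Racy read: `old->next` dereferences the node read from top(); if another thread pops and frees it first, this is a use-after-free.
  Segment* pop() {
    Segment* old = top.load();
    while (old != nullptr && !top.compare_exchange_weak(old, old->next)) {}
    return old;
  }
};
// Deferred reclamation (simplified reader-count scheme, not HotSpot's own): delete a popped node only once no reader is in the critical section.
class Reclaimer {
  std::atomic<int> readers_{0};
  std::mutex lock_;
  std::vector<Segment*> pending_;  // retired while a reader was still active
  int freed_ = 0;
 public:
  void enter() { readers_.fetch_add(1); }
  void exit() { if (readers_.fetch_sub(1) == 1) flush(); }  // last reader out
  void retire(Segment* s) {        // used in place of a bare `delete s`
    std::lock_guard<std::mutex> g(lock_);
    if (readers_.load() == 0) { delete s; ++freed_; } else pending_.push_back(s);
  }
  void flush() {
    std::lock_guard<std::mutex> g(lock_);
    for (Segment* s : pending_) { delete s; ++freed_; }
    pending_.clear();
  }
  int freed() const { return freed_; }
};
// The interleaving from the report, sequenced on one thread so the order is explicit.
struct Outcome { int freed_while_a_reading; int freed_after_a_done; };
Outcome run_scenario() {
  FreeList list; Reclaimer rc;
  list.push(new Segment{nullptr}); list.push(new Segment{nullptr});
  rc.enter(); Segment* stale = list.top.load();   // A: inside pop(), has read top()
  rc.enter(); Segment* b = list.pop(); rc.exit(); // B: pops that same node
  rc.retire(b);                           // B's later cmpxchg failed: discard it
  int freed_while_a_reading = rc.freed(); // 0: A may still dereference `stale`
  (void)stale->next;                      // A's `top()->next` read stays valid
  rc.exit();                              // A leaves its critical section
  int freed_after_a_done = rc.freed();    // 1: only now is the node reclaimed
  delete list.pop();                      // clean up the remaining segment
  return Outcome{freed_while_a_reading, freed_after_a_done};
}
```

Without the `Reclaimer`, B's `delete` would run while A still holds `stale`, which is exactly the segfault in the report.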



More information about the hotspot-gc-dev mailing list