[jdk19] RFR: 8290867: Race freeing remembered set segments
Thomas Schatzl
tschatzl at openjdk.org
Fri Jul 22 10:55:11 UTC 2022
Hi all,
please review this fix for a crash due to a race in remembered set segment deallocation. Here is the description (provided by chaeubl as reported):
- Thread A executes `G1SegmentedArray::create_new_segment` and tries to pop an element from the `_free_segment_list`. For that, thread A executes `LockFreeStack::pop()`
- Thread A reads `LockFreeStack::top()`
- Thread B executes `LockFreeStack::pop()`, also reads `LockFreeStack::top()` and pops that element from the stack
- Thread B executes `Atomic::cmpxchg(&_first, prev, next);` in `G1SegmentedArray::create_new_segment` but it fails because another thread already registered a different segment
- Thread B calls `G1SegmentedArraySegment::delete_segment` and frees the value
- Thread A tries to access `top()->next` in `LockFreeStack::pop()`, which causes a segfault because `top()` was freed by thread B
The fix is to delay the deletion of that memory segment until all readers (i.e. in `G1SegmentedArrayFreeList::get` calling `_list.pop()`) drop the references to that memory segment. The readers are already guarded by a `CriticalSection`.
Testing: tier1-5 running, reproducer that adds extra delays that significantly delays to widen the opportunity this race can occur passes on BigRAMTester
Thanks,
Thomas
-------------
Commit messages:
- initial version
Changes: https://git.openjdk.org/jdk19/pull/152/files
Webrev: https://webrevs.openjdk.org/?repo=jdk19&pr=152&range=00
Issue: https://bugs.openjdk.org/browse/JDK-8290867
Stats: 2 lines in 1 file changed: 2 ins; 0 del; 0 mod
Patch: https://git.openjdk.org/jdk19/pull/152.diff
Fetch: git fetch https://git.openjdk.org/jdk19 pull/152/head:pull/152
PR: https://git.openjdk.org/jdk19/pull/152
More information about the hotspot-gc-dev
mailing list