jdk11 SIGSEGV in G1CMTask::make_reference_grey
Vitaly Davidovich
vitalyd at gmail.com
Tue May 10 13:34:56 UTC 2022
Hi all,
I wanted to report a jdk11 SIGSEGV in a G1CMTask on Linux, and see if it's
a known issue/bug (I found a somewhat similar looking report against
Jetbrains JRE but it wasn't identical).
The hotspot crash report output is quite verbose so I've trimmed it down to
the most pertinent (I think) parts for now. If any other section would be
useful, please let me know and I'll try to provide it.
Without further ado, here're the snippets from the report:
#
# A fatal error has been detected by the Java Runtime Environment:
#
# SIGSEGV (0xb) at pc=0x000014f4c6465972, pid=1856501, tid=1856699
#
# JRE version: OpenJDK Runtime Environment Temurin-11.0.12+7 (11.0.12+7) (build 11.0.12+7)
# Java VM: OpenJDK 64-Bit Server VM Temurin-11.0.12+7 (11.0.12+7, mixed mode, g1 gc, linux-amd64)
# Problematic frame:
# V [libjvm.so+0x7b8972] G1CMTask::make_reference_grey(oopDesc*)+0x132
--------------- T H R E A D ---------------
Current thread (0x000014dd2403d800): GCTaskThread "GC Thread#30" [stack: 0x000014dc339f6000,0x000014dc33af6000] [id=1856699]
Stack: [0x000014dc339f6000,0x000014dc33af6000], sp=0x000014dc33af4b10, free space=1018k
Native frames: (J=compiled Java code, A=aot compiled Java code, j=interpreted, Vv=VM code, C=native code)
V [libjvm.so+0x7b8972] G1CMTask::make_reference_grey(oopDesc*)+0x132
V [libjvm.so+0x7b931a] void OopOopIterateDispatch<G1CMOopClosure>::Table::oop_oop_iterate<InstanceKlass, oopDesc*>(G1CMOopClosure*, oopDesc*, Klass*)+0x9a
V [libjvm.so+0x7c7298] void G1CMTask::process_grey_task_entry<true>(G1TaskQueueEntry)+0xc8
V [libjvm.so+0x7c0440] G1CMTask::drain_local_queue(bool) [clone .part.158]+0x110
V [libjvm.so+0x7c33e6] G1CMTask::do_marking_step(double, bool, bool)+0x4c6
V [libjvm.so+0x7c860e] G1CMRemarkTask::work(unsigned int)+0x1ee
V [libjvm.so+0xf7675d] GangWorker::loop()+0x4d
V [libjvm.so+0xed863f] Thread::call_run()+0x14f
V [libjvm.so+0xc773fe] thread_native_entry(Thread*)+0xee
siginfo: si_signo: 11 (SIGSEGV), si_code: 128 (SI_KERNEL), si_addr: 0x0000000000000000
Register to memory mapping:
RAX=0x0101010101010164 is an unknown value
RBX=0xfffffffb8277e0a8 is an unknown value
RCX=0x0000007ffffffdc1 is an unknown value
RDX=0x000014f4c023d640 points into unknown readable memory:
0x00000000fffffdc1 | c1 fd ff ff 00 00 00 00
RSP=0x000014dc33af4b10 points into unknown readable memory:
0x000014ed547ea5f0 | f0 a5 7e 54 ed 14 00 00
RBP=0x000014dc33af4b40 points into unknown readable memory:
0x000014dc33af4b90 | 90 4b af 33 dc 14 00 00
RSI=0x000014f4c023b8a0 points into unknown readable memory:
0x000014f4c712fa68 | 68 fa 12 c7 f4 14 00 00
RDI=0x0 is NULL
R8 =0x0 is NULL
R9 =0x000014dd7751f790 points into unknown readable memory:
0x0000200021108844 | 44 88 10 21 00 20 00 00
R10=0x000014dd2403ec20 points into unknown readable memory:
0x0000000000000005 | 05 00 00 00 00 00 00 00
R11=0x0000000000000246 is an unknown value
R12=0x0000000000000023 is an unknown value
R13=0x000014d99277e0a0 is pointing into metadata
R14=0x000014d99277e0a8 is pointing into metadata
R15=0x000014ed547de538 is pointing into object: <REDACTED>
{0x000014ed547de4e8} - klass: '<REDACTED>'
Registers:
RAX=0x0101010101010164, RBX=0xfffffffb8277e0a8, RCX=0x0000007ffffffdc1, RDX=0x000014f4c023d640
RSP=0x000014dc33af4b10, RBP=0x000014dc33af4b40, RSI=0x000014f4c023b8a0, RDI=0x0000000000000000
R8 =0x0000000000000000, R9 =0x000014dd7751f790, R10=0x000014dd2403ec20, R11=0x0000000000000246
R12=0x0000000000000023, R13=0x000014d99277e0a0, R14=0x000014d99277e0a8, R15=0x000014ed547de538
RIP=0x000014f4c6465972, EFLAGS=0x0000000000010206, CSGSFS=0x002b000000000033, ERR=0x0000000000000000
TRAPNO=0x000000000000000d
Top of Stack: (sp=0x000014dc33af4b10)
0x000014dc33af4b10: 000014ed547ea5f0 0000000000000000
0x000014dc33af4b20: 000014ed547de568 000014dc33af4c90
0x000014dc33af4b30: 000014d99277e0a0 000014d99277e0a8
0x000014dc33af4b40: 000014dc33af4b90 000014f4c646631a
Instructions: (pc=0x000014f4c6465972)
0x000014f4c6465872: 01 00 00 72 19 48 83 c4 10 31 c0 5b 41 5c 41 5d
0x000014f4c6465882: 41 5e 5d c3 66 2e 0f 1f 84 00 00 00 00 00 48 8b
0x000014f4c6465892: 93 90 00 00 00 48 89 f1 44 8b 67 10 48 2b 0a 48
0x000014f4c64658a2: 89 c8 8b 4a 10 48 c1 e8 03 48 d3 e8 48 89 c1 49
0x000014f4c64658b2: 89 c0 48 8b 42 18 49 c1 e8 06 83 e1 3f 4e 8d 0c
0x000014f4c64658c2: c0 41 b8 01 00 00 00 49 d3 e0 49 8b 09 eb 17 0f
0x000014f4c64658d2: 1f 80 00 00 00 00 48 89 c8 f0 49 0f b1 11 48 39
0x000014f4c64658e2: c1 74 13 48 89 c1 4c 89 c2 48 09 ca 48 39 d1 75
0x000014f4c64658f2: e5 eb 82 0f 1f 00 49 89 fd 48 89 f7 49 89 f6 e8
0x000014f4c6465902: 4a 5e ea ff 48 8b 93 f0 02 00 00 48 8d 0d 90 21
0x000014f4c6465912: dd 00 4c 89 f3 48 98 4a 8b 34 e2 8b 09 48 8b 56
0x000014f4c6465922: 18 48 2b 5a 10 48 89 da 48 d3 ea 48 89 d1 23 56
0x000014f4c6465932: 68 48 c1 e2 04 48 03 56 48 8b 3a 39 f9 0f 84 8b
0x000014f4c6465942: 01 00 00 4c 8b 42 08 4d 85 c0 74 0d 4c 8b 4e 38
0x000014f4c6465952: 49 8d 3c f9 f0 4c 0f c1 07 48 c7 42 08 00 00 00
0x000014f4c6465962: 00 89 0a 48 83 46 60 01 48 01 42 08 49 8b 45 20
0x000014f4c6465972: 48 8b 90 d8 02 00 00 49 8b 85 98 00 00 00 48 85
0x000014f4c6465982: c0 74 12 49 39 c6 72 16 4d 3b b5 a0 00 00 00 0f
0x000014f4c6465992: 82 97 00 00 00 49 39 d6 0f 83 8e 00 00 00 48 8d
0x000014f4c64659a2: 05 45 0e dd 00 80 38 00 0f 84 90 00 00 00 48 8d
0x000014f4c64659b2: 15 59 3e da 00 41 8b 46 08 8b 4a 08 48 d3 e0 48
0x000014f4c64659c2: 03 02 81 78 08 ff ff ff bf 0f 86 7c 00 00 00 49
0x000014f4c64659d2: 8b 85 b0 00 00 00 49 39 85 a8 00 00 00 73 10 49
0x000014f4c64659e2: 8b 85 c8 00 00 00 49 39 85 c0 00 00 00 72 3d 4c
0x000014f4c64659f2: 89 ef e8 47 73 00 00 48 83 c4 10 b8 01 00 00 00
0x000014f4c6465a02: 5b 41 5c 41 5d 41 5e 5d c3 0f 1f 44 00 00 48 8b
0x000014f4c6465a12: 91 88 00 00 00 89 c6 48 8d 14 f2 48 8b 75 d0 83
0x000014f4c6465a22: c0 01 48 89 32 25 ff ff 01 00 89 01 48 83 c4 10
0x000014f4c6465a32: b8 01 00 00 00 5b 41 5c 41 5d 41 5e 5d c3 49 8b
0x000014f4c6465a42: 46 08 81 78 08 ff ff ff bf 77 84 49 8b 4d 30 4c
0x000014f4c6465a52: 89 75 d0 8b 01 8b 91 80 00 00 00 89 c3 29 d3 89
0x000014f4c6465a62: da 81 e2 ff ff 01 00 81 fa fd ff 01 00 76 9f 81
Stack slot to memory mapping:
stack at sp + 0 slots: 0x000014ed547ea5f0 is an oop: <REDACTED>
{0x000014ed547ea5f0} - klass: '<REDACTED>'
stack at sp + 1 slots: 0x0 is NULL
stack at sp + 2 slots: 0x000014ed547de568 is an oop: [D
{0x000014ed547de568} - klass: {type array double}
- length: 16
stack at sp + 3 slots: 0x000014dc33af4c90 points into unknown readable memory: 0x000014f4c712f7d0 | d0 f7 12 c7 f4 14 00 00
stack at sp + 4 slots: 0x000014d99277e0a0 is pointing into metadata
stack at sp + 5 slots: 0x000014d99277e0a8 is pointing into metadata
stack at sp + 6 slots: 0x000014dc33af4b90 points into unknown readable memory: 0x000014dc33af4bd0 | d0 4b af 33 dc 14 00 00
stack at sp + 7 slots: 0x000014f4c646631a: <offset 0x00000000007b931a> in /path/to/server/libjvm.so at 0x000014f4c5cad000
VM state:at safepoint (normal execution)
VM Mutex/Monitor currently owned by a thread: ([mutex/lock_event])
[0x000014f4c0142dc0] Threads_lock - owner thread: 0x000014f4c1e47000
[0x000014f4c01435a0] Heap_lock - owner thread: 0x000014f4c01a6000
Heap:
garbage-first heap total 94371840K, used 85704613K [0x000014de10000000, 0x000014f490000000)
region size 32768K, 141 young (4620288K), 18 survivors (589824K)
Metaspace used 203995K, capacity 207585K, committed 220416K, reserved 221184K
uname:Linux 5.4.134-ts1-amd64 #1 SMP Debian 5.4.134-ts1~debian10 (2021-07-22) x86_64
libc:glibc 2.28 NPTL 2.28
vm_info: OpenJDK 64-Bit Server VM (11.0.12+7) for linux-amd64 JRE (11.0.12+7), built on Jul 21 2021 08:09:41 by "" with gcc 7.5.0
Looking at the disassembly of libjvm.so, and particularly the 0x132 offset
of make_reference_grey (I've bolded the exact offset where it lands):
7b893f: 0f 84 8b 01 00 00 je 7b8ad0 <_ZN8G1CMTask19make_reference_greyEP7oopDesc+0x290>
7b8945: 4c 8b 42 08 mov 0x8(%rdx),%r8
7b8949: 4d 85 c0 test %r8,%r8
7b894c: 74 0d je 7b895b <_ZN8G1CMTask19make_reference_greyEP7oopDesc+0x11b>
7b894e: 4c 8b 4e 38 mov 0x38(%rsi),%r9
7b8952: 49 8d 3c f9 lea (%r9,%rdi,8),%rdi
7b8956: f0 4c 0f c1 07 lock xadd %r8,(%rdi)
7b895b: 48 c7 42 08 00 00 00 movq $0x0,0x8(%rdx)
7b8962: 00
7b8963: 89 0a mov %ecx,(%rdx)
7b8965: 48 83 46 60 01 addq $0x1,0x60(%rsi)
7b896a: 48 01 42 08 add %rax,0x8(%rdx)
7b896e: 49 8b 45 20 mov 0x20(%r13),%rax
*7b8972: 48 8b 90 d8 02 00 00 mov 0x2d8(%rax),%rdx*
7b8979: 49 8b 85 98 00 00 00 mov 0x98(%r13),%rax
7b8980: 48 85 c0 test %rax,%rax
7b8983: 74 12 je 7b8997 <_ZN8G1CMTask19make_reference_greyEP7oopDesc+0x157>
7b8985: 49 39 c6 cmp %rax,%r14
7b8988: 72 16 jb 7b89a0 <_ZN8G1CMTask19make_reference_greyEP7oopDesc+0x160>
7b898a: 4d 3b b5 a0 00 00 00 cmp 0xa0(%r13),%r14
7b8991: 0f 82 97 00 00 00 jb 7b8a2e <_ZN8G1CMTask19make_reference_greyEP7oopDesc+0x1ee>
7b8997: 49 39 d6 cmp %rdx,%r14
7b899a: 0f 83 8e 00 00 00 jae 7b8a2e <_ZN8G1CMTask19make_reference_greyEP7oopDesc+0x1ee>
7b89a0: 48 8d 05 45 0e dd 00 lea 0xdd0e45(%rip),%rax # 15897ec <UseCompressedClassPointers>
7b89a7: 80 38 00 cmpb $0x0,(%rax)
7b89aa: 0f 84 90 00 00 00 je 7b8a40 <_ZN8G1CMTask19make_reference_greyEP7oopDesc+0x200>
The RAX contents in the register output of the report look like an interesting
pattern, but don't appear to be a valid address of anything, yet the
instruction is using it as the base of a load. Also, si_addr in the
siginfo claims the faulting address is actually NULL. Not quite sure what
to make of that yet.
Thanks!
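An added example, not part of the report above, that mechanically checks the two observations the post ends on. It re-parses the register, siginfo, TRAPNO and heap lines quoted from the hs_err output (the excerpt below is copied from them, with the "is an unknown value"/"points into" descriptions dropped), tests each register against the x86-64 canonical-address rule (bits 63..47 must all equal bit 47 under 4-level paging), checks which values fall inside the printed G1 heap range, and computes the effective address of the faulting `mov 0x2d8(%rax),%rdx`. The fault classification rests on two facts about the platform, not on anything specific to this crash: vector 0x0d (the TRAPNO printed) is a general protection fault, which the CPU raises for a load through a non-canonical pointer, and Linux delivers a #GP from user mode as SIGSEGV with si_code SI_KERNEL (128) and si_addr 0, because a #GP carries no fault address. The register name and displacement passed to `analyse` are taken from the disassembly; the helper names are my own.

```python
"""Sanity-check register values from an hs_err report against the x86-64
canonical-address rule and the heap range the report prints."""
import re

# Constructed excerpt: values copied from the siginfo/register/heap lines of the
# crash report quoted in this thread; mapping descriptions are left out.
REPORT_EXCERPT = """\
siginfo: si_signo: 11 (SIGSEGV), si_code: 128 (SI_KERNEL), si_addr: 0x0000000000000000
RAX=0x0101010101010164, RBX=0xfffffffb8277e0a8, RCX=0x0000007ffffffdc1, RDX=0x000014f4c023d640
RSP=0x000014dc33af4b10, RBP=0x000014dc33af4b40, RSI=0x000014f4c023b8a0, RDI=0x0000000000000000
R8 =0x0000000000000000, R9 =0x000014dd7751f790, R10=0x000014dd2403ec20, R11=0x0000000000000246
R12=0x0000000000000023, R13=0x000014d99277e0a0, R14=0x000014d99277e0a8, R15=0x000014ed547de538
RIP=0x000014f4c6465972, EFLAGS=0x0000000000010206, CSGSFS=0x002b000000000033, ERR=0x0000000000000000
TRAPNO=0x000000000000000d
garbage-first heap total 94371840K, used 85704613K [0x000014de10000000, 0x000014f490000000)
"""

REG_RE = re.compile(r"\b(R[A-Z0-9]{1,2}|EFLAGS|CSGSFS|ERR|TRAPNO)\s*=0x([0-9a-fA-F]+)")
HEAP_RE = re.compile(r"garbage-first heap .*\[0x([0-9a-fA-F]+),\s*0x([0-9a-fA-F]+)\)")
SIGINFO_RE = re.compile(r"si_code:\s*(\d+).*si_addr:\s*0x([0-9a-fA-F]+)")

SI_KERNEL = 128   # Linux si_code when the kernel raises SIGSEGV without a fault address
TRAP_GP = 0x0d    # x86 vector 13: general protection fault (#GP)
TRAP_PF = 0x0e    # x86 vector 14: page fault (#PF)
NON_ADDRESS_REGS = ("EFLAGS", "CSGSFS", "ERR", "TRAPNO")


def is_canonical(addr, vaddr_bits=48):
    """True if bits [63:vaddr_bits-1] are a sign extension of bit vaddr_bits-1."""
    top = addr >> (vaddr_bits - 1)
    return top == 0 or top == (1 << (64 - vaddr_bits + 1)) - 1


def in_heap(addr, heap):
    lo, hi = heap
    return lo <= addr < hi


def parse_report(text):
    """Pull registers, the heap range and the siginfo fields out of report text."""
    regs = {m.group(1): int(m.group(2), 16) for m in REG_RE.finditer(text)}
    heap_m = HEAP_RE.search(text)
    sig_m = SIGINFO_RE.search(text)
    return {
        "regs": regs,
        "heap": (int(heap_m.group(1), 16), int(heap_m.group(2), 16)) if heap_m else None,
        "si_code": int(sig_m.group(1)) if sig_m else None,
        "si_addr": int(sig_m.group(2), 16) if sig_m else None,
    }


def fault_kind(trapno, si_code, si_addr):
    """Name the CPU exception behind the SIGSEGV from TRAPNO and siginfo.
    A #PF reports the faulting address in si_addr; a #GP (e.g. a load through
    a non-canonical pointer) has no address, so Linux sends SIGSEGV with
    si_code SI_KERNEL and si_addr 0."""
    if trapno == TRAP_PF:
        return "page fault at 0x%x" % si_addr
    if trapno == TRAP_GP and si_code == SI_KERNEL:
        return "general protection fault (no fault address; check for a non-canonical pointer)"
    return "trap %#x, si_code %s" % (trapno, si_code)


def analyse(text, base_reg="RAX", disp=0x2d8):
    """Classify every address register and the effective address of the
    faulting load; base_reg/disp default to `mov 0x2d8(%rax),%rdx`."""
    rep = parse_report(text)
    regs, heap = rep["regs"], rep["heap"]
    classes = {}
    for name, val in regs.items():
        if name in NON_ADDRESS_REGS:
            continue
        if not is_canonical(val):
            classes[name] = "non-canonical"
        elif heap and in_heap(val, heap):
            classes[name] = "heap"
        else:
            classes[name] = "other"
    ea = (regs[base_reg] + disp) & 0xFFFFFFFFFFFFFFFF
    return {
        "classes": classes,
        "effective_address": ea,
        "ea_canonical": is_canonical(ea),
        "fault": fault_kind(regs["TRAPNO"], rep["si_code"], rep["si_addr"]),
    }


if __name__ == "__main__":
    result = analyse(REPORT_EXCERPT)
    for reg, cls in result["classes"].items():
        print("%-6s %s" % (reg, cls))
    print("effective address 0x%x canonical=%s"
          % (result["effective_address"], result["ea_canonical"]))
    print(result["fault"])
```

Run on the excerpt, RAX is the only non-canonical register, R15 and the stack-slot oops land inside the G1 heap range, and the effective address of the faulting load (RAX+0x2d8) is itself non-canonical, which together with TRAPNO 0x0d, SI_KERNEL and a zero si_addr is exactly the #GP signature rather than a page fault on address 0. The 0x0101010101010164 byte pattern in RAX is still unexplained by this check; the script only rules out reading it as a pointer.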