jdk11 SIGSEGV in G1CMTask::make_reference_grey

Vitaly Davidovich vitalyd at gmail.com
Tue May 10 13:34:56 UTC 2022


Hi all,

I wanted to report a jdk11 SIGSEGV in a G1CMTask on Linux, and see if it's
a known issue/bug (I found a somewhat similar looking report against
Jetbrains JRE but it wasn't identical).

The hotspot crash report output is quite verbose so I've trimmed it down to
the most pertinent (I think) parts for now.  If any other section would be
useful, please let me know and I'll try to provide it.

Without further ado, here're the snippets from the report:

#
# A fatal error has been detected by the Java Runtime Environment:
#
#  SIGSEGV (0xb) at pc=0x000014f4c6465972, pid=1856501, tid=1856699
#
# JRE version: OpenJDK Runtime Environment Temurin-11.0.12+7 (11.0.12+7) (build 11.0.12+7)
# Java VM: OpenJDK 64-Bit Server VM Temurin-11.0.12+7 (11.0.12+7, mixed mode, g1 gc, linux-amd64)
# Problematic frame:
# V  [libjvm.so+0x7b8972]  G1CMTask::make_reference_grey(oopDesc*)+0x132

---------------  T H R E A D  ---------------

Current thread (0x000014dd2403d800):  GCTaskThread "GC Thread#30" [stack: 0x000014dc339f6000,0x000014dc33af6000] [id=1856699]

Stack: [0x000014dc339f6000,0x000014dc33af6000],  sp=0x000014dc33af4b10,  free space=1018k
Native frames: (J=compiled Java code, A=aot compiled Java code, j=interpreted, Vv=VM code, C=native code)
V  [libjvm.so+0x7b8972]  G1CMTask::make_reference_grey(oopDesc*)+0x132
V  [libjvm.so+0x7b931a]  void OopOopIterateDispatch<G1CMOopClosure>::Table::oop_oop_iterate<InstanceKlass, oopDesc*>(G1CMOopClosure*, oopDesc*, Klass*)+0x9a
V  [libjvm.so+0x7c7298]  void G1CMTask::process_grey_task_entry<true>(G1TaskQueueEntry)+0xc8
V  [libjvm.so+0x7c0440]  G1CMTask::drain_local_queue(bool) [clone .part.158]+0x110
V  [libjvm.so+0x7c33e6]  G1CMTask::do_marking_step(double, bool, bool)+0x4c6
V  [libjvm.so+0x7c860e]  G1CMRemarkTask::work(unsigned int)+0x1ee
V  [libjvm.so+0xf7675d]  GangWorker::loop()+0x4d
V  [libjvm.so+0xed863f]  Thread::call_run()+0x14f
V  [libjvm.so+0xc773fe]  thread_native_entry(Thread*)+0xee



siginfo: si_signo: 11 (SIGSEGV), si_code: 128 (SI_KERNEL), si_addr: 0x0000000000000000

Register to memory mapping:

RAX=0x0101010101010164 is an unknown value
RBX=0xfffffffb8277e0a8 is an unknown value
RCX=0x0000007ffffffdc1 is an unknown value
RDX=0x000014f4c023d640 points into unknown readable memory: 0x00000000fffffdc1 | c1 fd ff ff 00 00 00 00
RSP=0x000014dc33af4b10 points into unknown readable memory: 0x000014ed547ea5f0 | f0 a5 7e 54 ed 14 00 00
RBP=0x000014dc33af4b40 points into unknown readable memory: 0x000014dc33af4b90 | 90 4b af 33 dc 14 00 00
RSI=0x000014f4c023b8a0 points into unknown readable memory: 0x000014f4c712fa68 | 68 fa 12 c7 f4 14 00 00
RDI=0x0 is NULL
R8 =0x0 is NULL
R9 =0x000014dd7751f790 points into unknown readable memory: 0x0000200021108844 | 44 88 10 21 00 20 00 00
R10=0x000014dd2403ec20 points into unknown readable memory: 0x0000000000000005 | 05 00 00 00 00 00 00 00
R11=0x0000000000000246 is an unknown value
R12=0x0000000000000023 is an unknown value
R13=0x000014d99277e0a0 is pointing into metadata
R14=0x000014d99277e0a8 is pointing into metadata
R15=0x000014ed547de538 is pointing into object: <REDACTED>
{0x000014ed547de4e8} - klass: '<REDACTED>'



Registers:
RAX=0x0101010101010164, RBX=0xfffffffb8277e0a8, RCX=0x0000007ffffffdc1, RDX=0x000014f4c023d640
RSP=0x000014dc33af4b10, RBP=0x000014dc33af4b40, RSI=0x000014f4c023b8a0, RDI=0x0000000000000000
R8 =0x0000000000000000, R9 =0x000014dd7751f790, R10=0x000014dd2403ec20, R11=0x0000000000000246
R12=0x0000000000000023, R13=0x000014d99277e0a0, R14=0x000014d99277e0a8, R15=0x000014ed547de538
RIP=0x000014f4c6465972, EFLAGS=0x0000000000010206, CSGSFS=0x002b000000000033, ERR=0x0000000000000000
  TRAPNO=0x000000000000000d

Top of Stack: (sp=0x000014dc33af4b10)
0x000014dc33af4b10:   000014ed547ea5f0 0000000000000000
0x000014dc33af4b20:   000014ed547de568 000014dc33af4c90
0x000014dc33af4b30:   000014d99277e0a0 000014d99277e0a8
0x000014dc33af4b40:   000014dc33af4b90 000014f4c646631a



Instructions: (pc=0x000014f4c6465972)
0x000014f4c6465872:   01 00 00 72 19 48 83 c4 10 31 c0 5b 41 5c 41 5d
0x000014f4c6465882:   41 5e 5d c3 66 2e 0f 1f 84 00 00 00 00 00 48 8b
0x000014f4c6465892:   93 90 00 00 00 48 89 f1 44 8b 67 10 48 2b 0a 48
0x000014f4c64658a2:   89 c8 8b 4a 10 48 c1 e8 03 48 d3 e8 48 89 c1 49
0x000014f4c64658b2:   89 c0 48 8b 42 18 49 c1 e8 06 83 e1 3f 4e 8d 0c
0x000014f4c64658c2:   c0 41 b8 01 00 00 00 49 d3 e0 49 8b 09 eb 17 0f
0x000014f4c64658d2:   1f 80 00 00 00 00 48 89 c8 f0 49 0f b1 11 48 39
0x000014f4c64658e2:   c1 74 13 48 89 c1 4c 89 c2 48 09 ca 48 39 d1 75
0x000014f4c64658f2:   e5 eb 82 0f 1f 00 49 89 fd 48 89 f7 49 89 f6 e8
0x000014f4c6465902:   4a 5e ea ff 48 8b 93 f0 02 00 00 48 8d 0d 90 21
0x000014f4c6465912:   dd 00 4c 89 f3 48 98 4a 8b 34 e2 8b 09 48 8b 56
0x000014f4c6465922:   18 48 2b 5a 10 48 89 da 48 d3 ea 48 89 d1 23 56
0x000014f4c6465932:   68 48 c1 e2 04 48 03 56 48 8b 3a 39 f9 0f 84 8b
0x000014f4c6465942:   01 00 00 4c 8b 42 08 4d 85 c0 74 0d 4c 8b 4e 38
0x000014f4c6465952:   49 8d 3c f9 f0 4c 0f c1 07 48 c7 42 08 00 00 00
0x000014f4c6465962:   00 89 0a 48 83 46 60 01 48 01 42 08 49 8b 45 20
0x000014f4c6465972:   48 8b 90 d8 02 00 00 49 8b 85 98 00 00 00 48 85
0x000014f4c6465982:   c0 74 12 49 39 c6 72 16 4d 3b b5 a0 00 00 00 0f
0x000014f4c6465992:   82 97 00 00 00 49 39 d6 0f 83 8e 00 00 00 48 8d
0x000014f4c64659a2:   05 45 0e dd 00 80 38 00 0f 84 90 00 00 00 48 8d
0x000014f4c64659b2:   15 59 3e da 00 41 8b 46 08 8b 4a 08 48 d3 e0 48
0x000014f4c64659c2:   03 02 81 78 08 ff ff ff bf 0f 86 7c 00 00 00 49
0x000014f4c64659d2:   8b 85 b0 00 00 00 49 39 85 a8 00 00 00 73 10 49
0x000014f4c64659e2:   8b 85 c8 00 00 00 49 39 85 c0 00 00 00 72 3d 4c
0x000014f4c64659f2:   89 ef e8 47 73 00 00 48 83 c4 10 b8 01 00 00 00
0x000014f4c6465a02:   5b 41 5c 41 5d 41 5e 5d c3 0f 1f 44 00 00 48 8b
0x000014f4c6465a12:   91 88 00 00 00 89 c6 48 8d 14 f2 48 8b 75 d0 83
0x000014f4c6465a22:   c0 01 48 89 32 25 ff ff 01 00 89 01 48 83 c4 10
0x000014f4c6465a32:   b8 01 00 00 00 5b 41 5c 41 5d 41 5e 5d c3 49 8b
0x000014f4c6465a42:   46 08 81 78 08 ff ff ff bf 77 84 49 8b 4d 30 4c
0x000014f4c6465a52:   89 75 d0 8b 01 8b 91 80 00 00 00 89 c3 29 d3 89
0x000014f4c6465a62:   da 81 e2 ff ff 01 00 81 fa fd ff 01 00 76 9f 81





Stack slot to memory mapping:
stack at sp + 0 slots: 0x000014ed547ea5f0 is an oop: <REDACTED>
{0x000014ed547ea5f0} - klass: '<REDACTED>'
stack at sp + 1 slots: 0x0 is NULL
stack at sp + 2 slots: 0x000014ed547de568 is an oop: [D
{0x000014ed547de568} - klass: {type array double}
 - length: 16
stack at sp + 3 slots: 0x000014dc33af4c90 points into unknown readable memory: 0x000014f4c712f7d0 | d0 f7 12 c7 f4 14 00 00
stack at sp + 4 slots: 0x000014d99277e0a0 is pointing into metadata
stack at sp + 5 slots: 0x000014d99277e0a8 is pointing into metadata
stack at sp + 6 slots: 0x000014dc33af4b90 points into unknown readable memory: 0x000014dc33af4bd0 | d0 4b af 33 dc 14 00 00
stack at sp + 7 slots: 0x000014f4c646631a: <offset 0x00000000007b931a> in /path/to/server/libjvm.so at 0x000014f4c5cad000

VM state:at safepoint (normal execution)

VM Mutex/Monitor currently owned by a thread:  ([mutex/lock_event])
[0x000014f4c0142dc0] Threads_lock - owner thread: 0x000014f4c1e47000
[0x000014f4c01435a0] Heap_lock - owner thread: 0x000014f4c01a6000

Heap:
 garbage-first heap   total 94371840K, used 85704613K [0x000014de10000000, 0x000014f490000000)
  region size 32768K, 141 young (4620288K), 18 survivors (589824K)
 Metaspace       used 203995K, capacity 207585K, committed 220416K, reserved 221184K

uname:Linux 5.4.134-ts1-amd64 #1 SMP Debian 5.4.134-ts1~debian10 (2021-07-22) x86_64
libc:glibc 2.28 NPTL 2.28

vm_info: OpenJDK 64-Bit Server VM (11.0.12+7) for linux-amd64 JRE (11.0.12+7), built on Jul 21 2021 08:09:41 by "" with gcc 7.5.0



Looking at the disassembly of libjvm.so, and particularly the 0x132 offset
of make_reference_grey (I've bolded the exact offset where it lands):


7b893f:       0f 84 8b 01 00 00       je     7b8ad0 <_ZN8G1CMTask19make_reference_greyEP7oopDesc+0x290>
7b8945:       4c 8b 42 08             mov    0x8(%rdx),%r8
7b8949:       4d 85 c0                test   %r8,%r8
7b894c:       74 0d                   je     7b895b <_ZN8G1CMTask19make_reference_greyEP7oopDesc+0x11b>
7b894e:       4c 8b 4e 38             mov    0x38(%rsi),%r9
7b8952:       49 8d 3c f9             lea    (%r9,%rdi,8),%rdi
7b8956:       f0 4c 0f c1 07          lock xadd %r8,(%rdi)
7b895b:       48 c7 42 08 00 00 00    movq   $0x0,0x8(%rdx)
7b8962:       00
7b8963:       89 0a                   mov    %ecx,(%rdx)
7b8965:       48 83 46 60 01          addq   $0x1,0x60(%rsi)
7b896a:       48 01 42 08             add    %rax,0x8(%rdx)
7b896e:       49 8b 45 20             mov    0x20(%r13),%rax
*7b8972:       48 8b 90 d8 02 00 00    mov    0x2d8(%rax),%rdx*
7b8979:       49 8b 85 98 00 00 00    mov    0x98(%r13),%rax
7b8980:       48 85 c0                test   %rax,%rax
7b8983:       74 12                   je     7b8997 <_ZN8G1CMTask19make_reference_greyEP7oopDesc+0x157>
7b8985:       49 39 c6                cmp    %rax,%r14
7b8988:       72 16                   jb     7b89a0 <_ZN8G1CMTask19make_reference_greyEP7oopDesc+0x160>
7b898a:       4d 3b b5 a0 00 00 00    cmp    0xa0(%r13),%r14
7b8991:       0f 82 97 00 00 00       jb     7b8a2e <_ZN8G1CMTask19make_reference_greyEP7oopDesc+0x1ee>
7b8997:       49 39 d6                cmp    %rdx,%r14
7b899a:       0f 83 8e 00 00 00       jae    7b8a2e <_ZN8G1CMTask19make_reference_greyEP7oopDesc+0x1ee>
7b89a0:       48 8d 05 45 0e dd 00    lea    0xdd0e45(%rip),%rax        # 15897ec <UseCompressedClassPointers>
7b89a7:       80 38 00                cmpb   $0x0,(%rax)
7b89aa:       0f 84 90 00 00 00       je     7b8a40 <_ZN8G1CMTask19make_reference_greyEP7oopDesc+0x200>

The RAX contents in the register output of the report look like an interesting
pattern, but don't appear to be a valid address of anything, yet the
instruction is using it as the base of a load.  Also, si_addr in the
siginfo claims the faulting address is actually NULL.  Not quite sure what
to make of that yet.

Thanks!
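As an added example (not part of Vitaly's post or the hs_err report), the script below cross-checks the register dump quoted above against x86-64 fault semantics. It takes the register values, TRAPNO and the G1 heap range straight from the excerpts in the message, assumes the usual 48-bit user-space virtual address width (an assumption, not something the report states), and answers two questions a reader of such a report usually wants settled: is the load's effective address canonical at all, and does the trap number the kernel recorded agree with that.

```python
"""Cross-check an hs_err register dump against x86-64 fault rules.

Added example; the constants are copied from the crash report quoted in
the mailing-list message. VA_BITS=48 is an assumption (4-level paging).
"""

# x86-64 with 4-level paging: only the low 48 bits of a virtual address are
# significant, and bits 63..47 must all equal bit 47 ("canonical form").
VA_BITS = 48

# Register values as printed in the report (constructed from the quoted text).
REGISTERS = {
    "RAX": 0x0101010101010164,
    "RBX": 0xFFFFFFFB8277E0A8,
    "RCX": 0x0000007FFFFFFDC1,
    "RDX": 0x000014F4C023D640,
    "RSI": 0x000014F4C023B8A0,
    "RDI": 0x0000000000000000,
    "R13": 0x000014D99277E0A0,
    "R14": 0x000014D99277E0A8,
    "R15": 0x000014ED547DE538,
}
TRAPNO = 0x0D                                         # "TRAPNO=0x000000000000000d"
G1_HEAP = (0x000014DE10000000, 0x000014F490000000)    # [lo, hi) from the "Heap:" section

# Faulting instruction at make_reference_grey+0x132: mov 0x2d8(%rax),%rdx
FAULT_BASE_REG = "RAX"
FAULT_DISP = 0x2D8

TRAP_GP = 0x0D   # #GP, general protection fault: no faulting address is recorded
TRAP_PF = 0x0E   # #PF, page fault: faulting address lands in CR2 / si_addr


def is_canonical(addr: int) -> bool:
    """True if bits 63..VA_BITS-1 are a sign extension of bit VA_BITS-1."""
    top = addr >> (VA_BITS - 1)
    return top == 0 or top == (1 << (64 - VA_BITS + 1)) - 1


def in_g1_heap(addr: int) -> bool:
    """True if addr lies inside the reserved G1 heap range from the report."""
    lo, hi = G1_HEAP
    return lo <= addr < hi


def effective_address(base: int, disp: int) -> int:
    """Address the load touches, with 64-bit wraparound."""
    return (base + disp) & 0xFFFF_FFFF_FFFF_FFFF


def expected_trap(addr: int) -> int:
    """A non-canonical address raises #GP before paging is consulted;
    a canonical but unmapped one raises #PF."""
    return TRAP_GP if not is_canonical(addr) else TRAP_PF


def explain_fault(base: int, disp: int, trapno: int) -> dict:
    """Reconcile the faulting load with the TRAPNO/siginfo in the report."""
    ea = effective_address(base, disp)
    trap = expected_trap(ea)
    return {
        "effective_address": ea,
        "canonical": is_canonical(ea),
        "expected_trap": trap,
        "matches_report": trap == trapno,
        # Linux delivers #GP as SIGSEGV with si_code=SI_KERNEL and si_addr=0,
        # because the CPU supplies no faulting address for #GP; only #PF does.
        "si_addr_expected": ea if trap == TRAP_PF else 0,
    }


def classify_registers(regs: dict) -> dict:
    """Label each register value relative to the process address space."""
    out = {}
    for name, val in regs.items():
        if val == 0:
            out[name] = "null"
        elif not is_canonical(val):
            out[name] = "non-canonical"
        elif val >> 63:
            out[name] = "kernel-half"
        elif in_g1_heap(val):
            out[name] = "g1-heap"
        else:
            out[name] = "outside-heap"
    return out


if __name__ == "__main__":
    info = explain_fault(REGISTERS[FAULT_BASE_REG], FAULT_DISP, TRAPNO)
    print(f"load from {FAULT_BASE_REG}+{FAULT_DISP:#x} = {info['effective_address']:#018x}")
    print(f"canonical={info['canonical']} expected trap={info['expected_trap']:#x} "
          f"matches TRAPNO={info['matches_report']} si_addr={info['si_addr_expected']:#x}")
    for name, label in classify_registers(REGISTERS).items():
        print(f"{name:3s} {REGISTERS[name]:#018x} {label}")
```

Run as-is, the script reports that RAX+0x2d8 is a non-canonical address, so the CPU raised #GP (trap 0xd, matching the report's TRAPNO) rather than a page fault; that is why the kernel recorded si_code SI_KERNEL with si_addr 0 instead of the address that was dereferenced. It also labels R15 as inside the G1 heap, R13/R14 as below it (consistent with "pointing into metadata"), and RBX as a kernel-half value, which gives a quick way to sanity-check the "unknown value" annotations in any such dump.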
