Race condition in VMError::report_and_die()
Volker Simonis
volker.simonis at gmail.com
Mon May 2 09:42:44 PDT 2011
There is a race condition in VMError::report_and_die() which may lead
to an unhandled SIGSEGV during error reporting and may subsequently
result in a missing hs_err file. The race is in the constructor of the
static local fdStream 'out' which should be initialized only once
during the first execution of VMError::report_and_die(). However,
because there are no special guards around the static fdStream local,
it can happen that if several threads crash at the same time, they all
simultaneously call VMError::report_and_die() and more than one thread
tries to simultaneously initialize the local static fdStream object.
This can result in an error during the execution of the
ResourceObj::ResourceObj() constructor which can see inconsistent
values in the '_allocation' field.

The simple solution is to make 'out' (and also 'log' to be on the safe
side) file-static objects which will be initialized before the first
function from vmError is called (I've also renamed 'out' and 'log' to
'fd_out' and 'fd_log' respectively to avoid name clashes - see
attachment).

Notice that GCC by default places a guard around the initialization
(see for example Arkaitz Jimenez's blog:
http://arkaitzj.wordpress.com/2009/11/07/static-locals-and-threadsafety-in-g).
Therefore there are no problems with this technique on GCC platforms.

However, the documentation of Visual Studio 2010 warns about such a
use case: "Assigning a value to a static local variable in a
multi-threaded application is not thread safe and we do not recommend
it as a programming practice"
(http://msdn.microsoft.com/en-us/library/s1sb61xd.aspx).

And finally the SunStudio compiler doesn't seem to place guards around
the initialisation of static locals because I could reproduce the
mentioned problem on a heavily loaded SPARC-Enterprise-T5120 with a
4-core UltraSPARC-T2 and a test which crashes in several GC-threads
simultaneously.

Regards,
Volker

-------------- next part --------------
A non-text attachment was scrubbed...
Name: RaceInVmErrorReportAndDie.patch
Type: text/x-patch
Size: 6668 bytes
Desc: not available
Url : http://mail.openjdk.java.net/pipermail/hotspot-runtime-dev/attachments/20110502/021c3692/attachment.bin
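
The race described in the message, as an added example that is not part of the original post or of the HotSpot sources: it models what an unguarded function-local static amounts to (a flag check followed by in-place construction) and compares it with a file-static object. Stream, report_unguarded, report_fixed, count_constructions and the rendezvous that forces the worst-case interleaving are hypothetical names and constructs; only fd_out is taken from the message.

```cpp
#include <atomic>
#include <cstdio>
#include <new>
#include <thread>
#include <vector>

// Hypothetical stand-in for fdStream. It only counts constructions; the real
// object has fields, which is where an inconsistent state would become visible.
struct Stream {
    static std::atomic<int> constructions;
    Stream() { constructions.fetch_add(1); }
};
std::atomic<int> Stream::constructions{0};

// Fix from the message: a file-static object, constructed during static
// initialization, before any thread can reach the reporting function.
static Stream fd_out;

// Model of `static Stream out;` inside a function when the compiler emits no
// guard: a plain "already initialized?" flag plus in-place construction.
alignas(Stream) static unsigned char out_storage[sizeof(Stream)];
static std::atomic<bool> out_ready{false};
static std::atomic<int> arrived{0};

static void report_unguarded(int nthreads) {
    if (!out_ready.load(std::memory_order_relaxed)) {
        // Constructed rendezvous: keep every thread inside the race window so
        // the worst-case interleaving happens on every run.
        arrived.fetch_add(1);
        while (arrived.load() < nthreads) std::this_thread::yield();
        new (out_storage) Stream();  // each thread constructs "out" again
        out_ready.store(true, std::memory_order_relaxed);
    }
}
static void report_fixed() { (void)&fd_out; }  // nothing to initialize here

// Number of Stream constructions caused by `nthreads` concurrent reports.
int count_constructions(bool unguarded, int nthreads) {
    const int before = Stream::constructions.load();
    arrived.store(0);
    out_ready.store(false);
    std::vector<std::thread> pool;
    for (int i = 0; i < nthreads; ++i)
        pool.emplace_back([=] { unguarded ? report_unguarded(nthreads) : report_fixed(); });
    for (auto& t : pool) t.join();
    return Stream::constructions.load() - before;
}

int main() {
    std::printf("fixed: %d\n", count_constructions(false, 4));
    std::printf("unguarded: %d\n", count_constructions(true, 4));
}
```

A C++11 compiler guards real function-local statics itself, which is why the unguarded case is modelled by hand here rather than written as an actual static local.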