(S) RFR: 8159461: bigapps/Kitchensink/stressExitCode hits assert: Must be VMThread or JavaThread

Daniel D. Daugherty daniel.daugherty at oracle.com
Fri Aug 12 01:25:39 UTC 2016


David,

Sorry I forgot to respond before I left for Santa Fe, NM...
More below...


On 8/8/16 5:57 PM, David Holmes wrote:
> Hi Dan,
>
> Thanks for the review.
>
> On 9/08/2016 2:07 AM, Daniel D. Daugherty wrote:
>> On 8/4/16 8:28 PM, David Holmes wrote:
>>> Hi Volker,
>>>
>>> Thanks for looking at this.
>>>
>>> On 5/08/2016 1:48 AM, Volker Simonis wrote:
>>>> Hi David,
>>>>
>>>> thanks for doing this change on all platforms.
>>>> The fix looks good. Maybe you can just extend the following comment 
>>>> with
>>>> something like:
>>>>
>>>>  //  Note that the SR_lock plays no role in this suspend/resume
>>>> protocol.
>>>>  //  It is only used in SR_handler as a thread termination 
>>>> indicator if
>>>> NULL.
>>>
>>> Darn this code is confusing - too many "SR"'s :( I have added
>>>
>>> //  Note that the SR_lock plays no role in this suspend/resume 
>>> protocol,
>>> //  but is checked for NULL in SR_handler as a thread termination
>>> indicator.
>>>
>>> Updated webrev:
>>>
>>> http://cr.openjdk.java.net/~dholmes/8159461/webrev.v2/
>>
>> src/share/vm/runtime/thread.cpp
>>     L380:   _SR_lock = NULL;
>>         I was expecting the _SR_lock to be freed and NULL'ed earlier
>>         based on the discussion in the bug report. Since the crashing
>>         assert() happens in a race between the JavaThread destructor
>>         the NULL'ing of the _SR_lock field, I was expecting the _SR_lock
>>         field to be dealt with as early as possible in the Thread
>>         destructor (or even earlier; see my last comment).
>
> I will respond after that comment.
>
>>  src/os/linux/vm/os_linux.cpp
>>     L4010:   // mask is changed as part of thread termination. Check the
>> current thread
>>         grammar?: "Check the current" -> "Check that the current"
>
> Will change.
>
>>     L4015:   if (thread->SR_lock() == NULL)
>>     L4016:     return;
>>         style nit: multi-line if-statements require '{' and '}'
>>         Please add the braces or make this a single line if-statement.
>>         I would prefer the braces. :-)
>
> Will fix.
>
>>         Isn't there still a window between the completion of the
>>         JavaThread destructor and where the Thread destructor sets
>>         _SR_lock = NULL?
>
> See below.
>
>>     L4020:   OSThread* osthread = thread->osthread();
>>         Not your bug. This code assumes that osthread != NULL.
>>         Maybe it needs to be more robust.
>
> Depends what kind of impossibilities we want to guard against. :) 
> There should be no possible way a signal can be sent to a thread that 
> doesn't even have a osThread as it means we never successfully 
> started/attached the thread.

That's a really good point. I'm good with what's there
for osthread.


>
>> src/os/aix/vm/os_aix.cpp
>>     L2731:   if (thread->SR_lock() == NULL)
>>     L2732:     return;
>>         Same style nit.
>>
>>         Same race.
>>
>>     L2736:   OSThread* osthread = thread->osthread();
>>         Same robustness comment.
>>
>> src/os/bsd/vm/os_bsd.cpp
>>     L2759:   if (thread->SR_lock() == NULL)
>>     L2760:     return;
>>         Same style nit.
>>
>>         Same race.
>>
>>     L2764:   OSThread* osthread = thread->osthread();
>>         Same robustness comment.
>>
>> It has been a very long time since I've dealt with races in the
>> suspend/resume code so I'm probably very rusty with this code.
>> If the _SR_lock is only used by the JavaThread suspend/resume
>> protocol, then we could consider free'ing and NULL'ing the field
>> in the JavaThread destructor (as the last piece of work).
>>
>> That should eliminate the race that was being observed by the
>> SR_handler() in this bug. It will open a very small race where
>> is_Java_thread() can return true, the _SR_lock field is !NULL,
>> but the _SR_lock has been deleted.
>
> Given that it should have been impossible to get into the SR_handler 
> in the first place from this code I was trying to minimize the 
> disruption to the existing logic. Moving the delete/NULLing to just 
> before the call to os::free_thread() fixes the crashes that had been 
> observed. I was not trying to make the entire destruction sequence 
> safe wrt. the SR_handler.

I suspect it is the combination of 1) NULLing the _SR_lock as a sentinel and
2) doing that before the more expensive os::free_thread() call that results
in the change in behavior.


> My major concern with deleting the SR_lock much earlier is the 
> potential race condition that I have previously outlined in:
>
> https://bugs.openjdk.java.net/browse/JDK-8152849
>
> where there is no protection against a target thread terminating. The 
> sooner it terminates and deletes the SR_lock the more likely we may 
> attempt to lock a deleted lock!

Ah yes... thanks for the reminder. We have seen a few of those in the
past where we're racing to grab the _SR_lock and Elvis is trying to
leave the building...

I'm good with just the minor changes you agreed to make above. I don't
think I need to see a new webrev for the above edits.

Thumbs up!

Dan



>
> Thanks,
> David
>
>> Dan
>>
>>
>>>
>>> This also reminded me to follow up on why the Solaris SR_handler is
>>> different and I found it is not actually installed as a direct signal
>>> handler, but is called from the real signal handler if dealing with a
>>> JavaThread or the VMThread. Consequently the Solaris version of the
>>> SR_handler can not encounter this specific bug and so I have reverted
>>> the changes to os_solaris.cpp
>>>
>>> Thanks,
>>> David
>>>
>>>
>>>> Regards,
>>>> Volker
>>>>
>>>> On Wed, Aug 3, 2016 at 3:13 AM, David Holmes <david.holmes at oracle.com
>>>> <mailto:david.holmes at oracle.com>> wrote:
>>>>
>>>>     webrev: http://cr.openjdk.java.net/~dholmes/8159461/webrev/
>>>> <http://cr.openjdk.java.net/~dholmes/8159461/webrev/>
>>>>
>>>>     bug: https://bugs.openjdk.java.net/browse/JDK-8159461
>>>>     <https://bugs.openjdk.java.net/browse/JDK-8159461>
>>>>
>>>>     The suspend/resume signal (SR_signum) is never sent to a thread 
>>>> once
>>>>     it has started to terminate. On one platform (SuSE 12) we have 
>>>> seen
>>>>     what appears to be a "stuck" signal, which is only delivered when
>>>>     the terminating thread restores its original signal mask (as if
>>>>     pthread_sigmask makes the system realize there is a pending 
>>>> signal -
>>>>     we already check the signal was not blocked). At this point in the
>>>>     thread termination we have freed the osthread, so the the 
>>>> SR_handler
>>>>     would access deallocated memory. In debug builds we first hit an
>>>>     assertion that the current thread is a JavaThread or the 
>>>> VMThread -
>>>>     that assertion fails, even though it is a JavaThread, because we
>>>>     have already executed the ~JavaThread destructor and inside the
>>>>     ~Thread destructor we are a plain Thread not a JavaThread.
>>>>
>>>>     The fix was to make a small adjustment to the thread termination
>>>>     process so that we delete the SR_lock before calling
>>>>     os::free_thread(). In the SR_handler() we can then use a NULL 
>>>> check
>>>>     of SR_lock() to indicate the thread has terminated and we return.
>>>>
>>>>     While only seen on Linux I took the opportunity to apply the 
>>>> fix on
>>>>     all platforms and also cleaned up the code where we were using
>>>>     Thread::current() unsafely in a signal-handling context.
>>>>
>>>>     Testing: regular tier 1 (JPRT)
>>>>              Kitchensink (in progress)
>>>>
>>>>     As we can't readily reproduce the problem I tested this by 
>>>> having a
>>>>     terminating thread raise SR_signum directly from within the 
>>>> ~Thread
>>>>     destructor.
>>>>
>>>>     Thanks,
>>>>     David
>>>>
>>>>
>>



More information about the ppc-aix-port-dev mailing list