[1.8.0_60-ea-b18 & 1.9.0-ea-b67] Array accesses using sun.misc.Unsafe cause data corruption or SIGSEGV

Wed Jun 10 12:28:09 UTC 2015

Hi all,

While we were testing an internal project at Hazelcast using
1.8.0_60-ea-b18 & 1.9.0-ea-b67, we encountered a previously
reported sun.misc.Unsafe issue.

https://bugs.openjdk.java.net/browse/JDK-8076445
http://mail.openjdk.java.net/pipermail/hotspot-compiler-dev/2015-April/017685.html

Issue status says it's resolved with resolution "Cannot Reproduce".  But
unfortunately it's still reproducible using "1.8.0_60-ea-b18" and
"1.9.0-ea-b67".

Test is very simple:

```
public static void main(String[] args) throws Exception {
        Unsafe unsafe = findUnsafe();
        // 10000 pass
        // 100000 jvm crash
        // 1000000 fail
        int count = 100000;
        long size = count * 8L;
        long baseAddress = unsafe.allocateMemory(size);

        try {
            for (int i = 0; i < count; i++) {
                long address = baseAddress + (i * 8L);

                long expected = i;
                unsafe.putLong(address, expected);

                long actual = unsafe.getLong(address);

                if (expected != actual) {
                    throw new AssertionError("Expected: " + expected + ",
Actual: " + actual);
                }
            }
        } finally {
            unsafe.freeMemory(baseAddress);
        }
    }
```
It's not failing up to version 1.8.0.31, by starting 1.8.0.40 test is
failing constantly.

- With iteration count 10000, test is passing.
- With iteration count 100000, jvm is crashing with SIGSEGV.
- With iteration count 1000000, test is failing with AssertionError.

When one of compilation (-Xint) or inlining (-XX:-Inline) or
on-stack-replacement (-XX:-UseOnStackReplacement) is disabled, test is not
failing at all.

Also, when address calculation in the loop is converted to

long address = baseAddress + (i * 8)

test passes. Only difference is, next address is calculated using integer 8
instead of long 8.

```
for (int i = 0; i < count; i++) {
    long address = baseAddress + (i * 8); // <--- here, integer 8 instead
of long 8

    long expected = i;
    unsafe.putLong(address, expected);

    long actual = unsafe.getLong(address);

    if (expected != actual) {
        throw new AssertionError("Expected: " + expected + ", Actual: " +
actual);
    }
}
```

I tested on versions:
- 1.8.0.40
- 1.8.0.45
- 1.8.0_60-ea-b18
- 1.9.0-ea-b67

Previous issue comment (
https://bugs.openjdk.java.net/browse/JDK-8076445?focusedCommentId=13633043#comment-13633043)
says "Cannot reproduce based on the latest version". I hope that latest
version is not mentioning to '1.8.0_60-ea-b18' or '1.9.0-ea-b67'. Because
both are failing.

PS: Cross posted this on 'hotspot-compiler-dev' group but still haven't got
a response yet.
http://mail.openjdk.java.net/pipermail/hotspot-compiler-dev/2015-June/018191.html

Thanks,
Mehmet Dogan
-- 

@mmdogan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.openjdk.java.net/pipermail/quality-discuss/attachments/20150610/37402085/attachment-0001.html>