<div dir="ltr"><p>I hope you can check whether this is a ZGC-related bug.</p><p>Version: openjdk-23-ga</p><p>Git command: git clone --branch jdk-23-ga <a href="https://github.com/openjdk/jdk.git">https://github.com/openjdk/jdk.git</a></p><p>In one run, I caused the VM to halt and the following message appeared: </p><p> #<br> # A fatal error has been detected by the Java Runtime Environment:<br> #<br> # SIGSEGV (0xb) at pc=0x00007c928eaf58da, pid=214039, tid=214049<br> #<br> # JRE version: OpenJDK Runtime Environment (23.0) (build 23-internal-adhoc.yifanzhang.jdk)<br> # Java VM: OpenJDK 64-Bit Server VM (23-internal-adhoc.yifanzhang.jdk, interpreted mode, sharing, compressed class ptrs, z gc, linux-amd64)<br> # Problematic frame:<br> # V [libjvm.so+0x10f58da] ZRelocationSetSelectorGroup::semi_sort()+0x13a<br> #<br> # No core dump will be written. Core dumps have been disabled. To enable core dumping, try "ulimit -c unlimited" before starting Java again<br> #<br> # An error report file with more information is saved as:<br> # /home/yifanzhang/Work/Bug-HotspotVM/testFile/JavaFile/Gjf_Case22/hs_err_pid214039.log<br> #<br> # If you would like to submit a bug report, please visit:<br> # <a href="https://bugreport.java.com/bugreport/crash.jsp">https://bugreport.java.com/bugreport/crash.jsp</a><br> #<br> 已中止</p><p>I looked into the VM source code and found that this appears to be an array out-of-bounds error.</p><p>Detailed problem description :</p><p> In function `<span style="color:rgb(0,0,0);font-family:Consolas,"JetBrains Mono","Courier New",monospace,Consolas,"Courier New",monospace;font-size:14px;white-space:pre">ZRelocationSetSelectorGroup::semi_sort()</span>` , an array partitions[npartitions] is allocated. Under the heap’s default settings, its size is 2048 (meaning indices 0 through 2047 are valid).
</p><p> However, the subsequent index used for access is determined by right-shifting each page’s live byte count, which may lead to accessing index 2048.
</p><p> Based on this, I made the following changes to the function `semi_sort()`, add a conditional branch to print corresponding information when an out-of-bounds access may occur.
:
</p><p> ```</p><p> int partitions[npartitions] = { /* zero initialize */ };</p><br> // Calculate partition slots<br> ZArrayIterator<ZPage*> iter1(&_live_pages);<br> for (ZPage* page; iter1.next(&page);) {<br> const size_t index = page->live_bytes() >> partition_size_shift;<br> if (index >= npartitions) {<br> log_info(gc, heap)("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");<br> log_info(gc, heap)("Size of partition array : %zu", npartitions);<br> log_info(gc, heap)("partition_size = _page_size >> npartitions_shift : %zu = %zu >> %zu", partition_size, _page_size, npartitions_shift);<br> log_info(gc, heap)("partition_size_shift = exact_log2(partition_size) : %zu", partition_size_shift);<br> log_info(gc, heap)("Index will be visited (page->live_bytes() >> partition_size_shift): %zu", index);<br> log_info(gc, heap)("Page lived bytes: %zu", page->live_bytes());<br> log_info(gc, heap)("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");<br> }<br> partitions[index]++;<br> }<div><br></div><div> ```</div><div>
Here is the information I obtained:</div><div>[4.779s][info][gc,heap] !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!<br>[4.779s][info][gc,heap] Size of partition array : 2048<br>[4.779s][info][gc,heap] partition_size = _page_size >> npartitions_shift : 1024 = 2097152 >> 11<br>[4.779s][info][gc,heap] partition_size_shift = exact_log2(partition_size) : 10<br>[4.779s][info][gc,heap] Index will be visited (page->live_bytes() >> partition_size_shift): 2048<br>[4.779s][info][gc,heap] Page lived bytes: 2097152<br>[4.779s][info][gc,heap] !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!</div><div><br></div><div>
So I’d like to ask you to check whether this is a related bug, and if so, whether I should open a corresponding issue in the JDK bug system.
</div><div><br></div></div>