RFR (S) [Graal] runtime/CommandLine/PrintTouchedMethods.java crashes with assertion "reference count underflow for symbol"

David Holmes david.holmes at oracle.com
Mon Mar 26 05:48:52 UTC 2018 

On 26/03/2018 3:18 PM, Ioi Lam wrote:
> 
> 
> On 3/25/18 4:28 PM, David Holmes wrote:
>> On 26/03/2018 1:23 AM, coleen.phillimore at oracle.com wrote:
>>> On 3/25/18 9:08 AM, David Holmes wrote:
>>>> Hi Ioi,
>>>>
>>>> On 24/03/2018 7:38 AM, Ioi Lam wrote:
>>>>> https://bugs.openjdk.java.net/browse/JDK-8199793
>>>>> http://cr.openjdk.java.net/~iklam/jdk11/8199793-PrintTouchedMethods-crash.v01/ 
>>>>>
>>>>>
>>>>>
>>>>> ANALYSIS:
>>>>>
>>>>> The crash is in
>>>>>
>>>>>      V [libjvm.so+0x16fe226] Symbol::decrement_refcount()+0xe6
>>>>>      V [libjvm.so+0x1026e0b] JVM_FindLoadedClass+0x20b
>>>>>
>>>>> and the log file says "Symbol: 'java/lang/invoke/LambdaForm$BMH' 
>>>>> count -1".
>>>>>
>>>>> This seems to be a race condition between Symbol::decrement_refcount()
>>>>> vs Symbol::set_permanent(). The former uses an atomic increment and 
>>>>> is called by
>>>>> JVM_FindLoadedClass. The latter does a simple store of a short 
>>>>> value of -1, and is
>>>>> called only by Method::log_touched() when -XX:+LogTouchedMethods is 
>>>>> enabled.
>>>>>
>>>>> Apparently we have a Symbol whose refcount started with a positive 
>>>>> value.
>>>>> While one thread is calling Symbol::decrement_refcount() and a second
>>>>> thread calls Symbol::set_permanent() at the same time, the 
>>>>> unexpected value -1
>>>>> could be returned to the first thread.
>>>>>
>>>>> FIX:
>>>>>
>>>>> I changed Method::log_touched() to use Symbol::increment_refcount 
>>>>> instead.
>>>>> I can no longer reproduce the crash after this change.
>>>>>
>>>>> Also, because the behavior of Symbol::set_permanent is not well 
>>>>> understood
>>>>> and has shown to be racy, I removed this function altogether.
>>>>
>>>> So when will a Symbol now ever be "permanent"? Isn't all the code 
>>>> related to is_permanent() and PERM_REFCOUNT dead now? And the checks 
>>>> for _refcount >= 0 ?
>>>
>>> When we create a symbol, it can have a permanent refcount.
>>
>> Okay so now there are two types of "permanent" symbols - which seems 
>> confusing. Those set at creation time, and those previously set 
>> through set_permanent which now simply bump the refcount. And you can 
>> no longer identify the second set as being permanent.
> After my patch, there will be only one type of permanent symbol -- when 
> you create a symbol, you know it will be alive forever (e.g., a symbol 
> requested by the null class loader).
> 
> I am not quite sure about this history of why this is necessary -- 
> except for symbols in the CDS archive. Those are marked as permanent so 
> you won't change its refcount (because it's read only).
> 
> Perhaps it's for performance reasons? There are a lot of Symbols created 
> by the boot loader and are referenced by many classes. So if we don't 
> need to atomically modify their _refcounts then it pays off??
> 
> Or, maybe it's for memory saving -- allocating from arena has less 
> overhead than malloc??
> 
> Anyway, regardless of whether a symbol is permanent or not, the usual 
> rule is -- when you store a symbol (e.g., as an UTF8 into a 
> ConstantPool), you increment its refcount. When you release a symbol 
> (e.g., when said ConstantPool is deallocated), you decrement its refcount.
> 
> The only exception to this rule was Method::log_touched(), which used 
> set_permanent instead. It stores a symbol (in its hashtable) but never 
> releases it (the hashtable persists for the entire VM run time). So in 
> this case, it's perfectly OK to call increment_reference instead.

Okay. That looks likes a special case that perhaps was not completely 
thought through in terms of the race with decrement_refcount. Getting 
rid of it seems fine.

Thanks,
David
-----

> 
>>
>>>>
>>>> The other way to avoid the race is to implement inc/dec using CAS 
>>>> instead of raw atomic add/sub.
>>>
>>> That seems expensive.
>>
>> If you wanted to keep the existing notion of permanent and how it is 
>> recorded, then it is a way to do that.
>>
> 
> I think removing set_permanent will make the code cleaner and easier to 
> understand.
> 
> Thanks
> - Ioi
>> David
>>
>>> Coleen
>>>>
>>>> Thanks,
>>>> David
>>>>
>>>>> Thanks
>>>>> - Ioi
>>>
>

More information about the hotspot-runtime-dev mailing list