JDK-6811384 : MacroAssembler::serialize_memory may touch next page on amd64
  • Type: Bug
  • Component: hotspot
  • Sub-Component: runtime
  • Affected Version: hs14,6u14,6u16
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • OS:
    linux,linux_2.6,linux_redhat_5.0,solaris_10 linux,linux_2.6,linux_redhat_5.0,solaris_10
  • CPU: x86
  • Submitted: 2009-02-27
  • Updated: 2012-10-08
  • Resolved: 2009-03-18
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 6 JDK 7 Other
6u18Fixed 7Fixed hs14.3Resolved
Related Reports
Duplicate :  
Duplicate :  
Duplicate :  
Relates :  
Description
Customer reported a crash running SPECjAppServer2004 benchmark on Glassfish v2ur2-b04/OpenSolaris Nevada build snv_107/Nehalem EP.

I think this is a previously unreported bug in MacroAssembler::serialize_memory.

void MacroAssembler::serialize_memory(Register thread,
                                      Register tmp) {

  movl(tmp, thread);
  shrl(tmp, os::get_serialize_page_shift_count());
  andl(tmp, (os::vm_page_size() - sizeof(int)));

  Address index(noreg, tmp, Address::times_1);
  ExternalAddress page(os::get_memory_serialize_page());

  movptr(ArrayAddress(page, index), tmp);
}


It's storing a 64-bit quantity but only masking for an int.  In your faulting case we've got this:

;; fffffd7ffac6ff1d 81 e1 fc 0f 00 00       and    $0xffc,%ecx
;; fffffd7ffac6ff23 49 ba 00 00 e9 fd 7f fd ff ff mov    $0xfffffd7ffde90000,%r10
;; ---------------
;; fffffd7ffac6ff2d 49 89 0c 0a             mov    %rcx,(%r10,%rcx,1)

RCX=0x0000000000000ffc, R10=0xfffffd7ffde90000
siginfo:si_signo=SIGSEGV: si_errno=0, si_code=1 (SEGV_MAPERR), si_addr=0xfffffd7ffde91000;;

So we're crossing the boundary and accessing off the end of the page because of the 8 byte store.  It either needs to mask more or use smaller stores.
*** (#1 of 1): [ UNSAVED ] ###@###.###

Comments
EVALUATION http://hg.openjdk.java.net/jdk7/hotspot-comp/hotspot/rev/19962e74284f
02-03-2009

WORK AROUND -XX:+UseMembar will use a membar instruction instead of the serialize page.
27-02-2009