JDK-7158988 : jvm crashes while debugging on x86_32 and x86_64
  • Type: Bug
  • Component: hotspot
  • Sub-Component: runtime
  • Affected Version: 7
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • OS: generic,os_x
  • CPU: generic,x86
  • Submitted: 2012-04-04
  • Updated: 2013-07-18
  • Resolved: 2012-04-25
Fix Versions:
  • JDK 7: 7u40 (Fixed)
  • JDK 8: 8 (Fixed)
  • Other: hs24 (Fixed)
Description
Hi All,
we encountered a JVM crash while debugging a Java program under load. We set a watchpoint on a variable using Eclipse, so that the watchpoint suspends just the thread. As a result, the JVM crashes with a corrupted oop.
I attached two Java files to reproduce the bug. TestPostFieldModification starts two threads. One thread modifies the String 'value'. The other thread triggers a GC periodically. In order to reproduce, run the program in a debugger, set a modification watchpoint for the field value, and you should be able to crash the JVM.

The second Java file I attached plays the part of the debugger to reproduce the bug without Eclipse. The program launches a second JVM via JDI and sets the watchpoint.
Command line:

$TEST_JDK/bin/java -cp $TEST_JDK/lib/tools.jar:. FieldMonitor

The problem is in the template table in jvmti_post_fast_field_mod(). At the entry of that function, the top of the java expression stack (tos) is already popped to rax or xmm0. Before the call to InterpreterRuntime::post_field_modification() the value is pushed back to the stack.
A pointer to this value is passed as argument jvalue to the runtime call. After pushing tos back to the stack, rax is pushed again to the stack and rax is restored with that value.

This value will not be updated during a GC and rax will be restored with a corrupted oop.
Another problem is that xmm0 will not be restored after the call.

False stack layout:

   :     :
   +-----+
   | ... |
   | rax | <- Top of expression stack updated by GC
   | rax | <- another copy of rax, not updated by GC, used to restore
              rax after call_VM()

Expected stack layout:

   :     :
   +-----+
   | ... |
   | rax | <- Top of expression stack, updated by GC, used to
              restore rax after call_VM()

The following webrev suggests a fix:

http://sapjvm.com/as/webrevs/post_field_modification/

The fix is based on the code on SPARC: push the tos values to the stack and restore them after the call, so that the expression stack has the expected layout and oops can be handled correctly during a GC.

Regards,
Axel

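The two stack layouts from the report, as an added toy model (constructed for this page; not HotSpot code and not the attached reproducers). The GC here rewrites only the expression-stack slots, and the GC-invisible copy of rax is modelled as a plain C local; the function and variable names are assumptions made for the example.

```c
#include <stdbool.h>
#include <string.h>
/* Constructed model of the report's failure (not HotSpot code): a "GC"
 * copies the live object to the other semispace and rewrites only the
 * roots it knows, the expression-stack slots; the GC-invisible copy of
 * rax from the report is modelled as a plain C local. */
#define OBJ_TAG 0x0BEC
typedef struct { int tag; int payload; } Obj;
static Obj space_a[1], space_b[1];
static Obj *from_space = space_a, *to_space = space_b;
static Obj *expr_stack[8];          /* the only GC roots in this model */
static int sp;

static void push_tos(Obj *o) { expr_stack[sp++] = o; }
static Obj *pop_tos(void)    { return expr_stack[--sp]; }
static bool is_valid_oop(const Obj *o) { return o->tag == OBJ_TAG; }

static Obj *alloc_obj(void) {
    from_space[0] = (Obj){ OBJ_TAG, 42 };
    return &from_space[0];
}

/* Moving GC: copy the object, poison its old location, fix up the roots. */
static void gc_move(void) {
    to_space[0] = from_space[0];
    memset(from_space, 0xAA, sizeof *from_space);
    for (int i = 0; i < sp; i++)
        if (expr_stack[i] == from_space) expr_stack[i] = to_space;
    Obj *t = from_space; from_space = to_space; to_space = t;
}

/* "False" layout: tos is pushed (GC-visible), but rax is restored from a
 * second copy the GC never updates; gc_move() plays the GC inside call_VM(). */
static bool buggy_restore_survives_gc(void) {
    Obj *rax = alloc_obj();
    push_tos(rax);                  /* jvalue argument, updated by GC */
    Obj *saved_rax = rax;           /* extra copy, not updated by GC */
    gc_move();
    pop_tos();
    return is_valid_oop(saved_rax); /* stale oop: false */
}

/* Expected layout (the fix): restore rax from the expression-stack slot. */
static bool fixed_restore_survives_gc(void) {
    Obj *rax = alloc_obj();
    push_tos(rax);
    gc_move();
    rax = pop_tos();                /* slot was rewritten by the GC */
    return is_valid_oop(rax);       /* true */
}
```
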
Comments
RULE runtime/7158988/FieldMonitor.java Crash EXCEPTION_ACCESS_VIOLATION
22-10-2012

RULE runtime/7158988/FieldMonitor.java Crash SIGSEGV
22-10-2012

EVALUATION http://hg.openjdk.java.net/lambda/lambda/hotspot/rev/19e197e2a1af
29-06-2012

EVALUATION http://hg.openjdk.java.net/hsx/hotspot-main/hotspot/rev/19e197e2a1af
11-04-2012

EVALUATION http://hg.openjdk.java.net/hsx/hotspot-rt/hotspot/rev/19e197e2a1af
05-04-2012