JDK-8227277 : HeapInspection::find_instances_at_safepoint walks dead objects
  • Type: Bug
  • Component: hotspot
  • Sub-Component: jvmti
  • Affected Version: 8,11,13,14
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2019-07-04
  • Updated: 2024-02-02
  • Resolved: 2019-07-09
Fix versions:
  • JDK 8: 8u401 (Fixed)
  • JDK 11: 11.0.5 (Fixed)
  • JDK 13: 13 b29 (Fixed)
  • JDK 14: 14 (Fixed)
Description
In HeapInspection::find_instances_at_safepoint, the unsafe heap iteration API (which also walks dead objects) is used to find the objects that are instances of a given class. This is used for concurrent lock dumping, where it finds dead java.util.concurrent.locks.AbstractOwnableSynchronizer objects and pointer-chases to their possibly dead owner threadObj. A comment in the code says that if this starts crashing because CMS is in use, we should probably switch to the safe_object_iterate() API instead, which does not include dead objects.

Arguably, whether CMS is observed to crash or not, we really should not be walking over dead objects and exposing them anyway. It's not safe, and it will crash sooner or later.

For example, CMS yields to safepoints (including young GCs) while sweeping. This means that both the AbstractOwnableSynchronizer and its owner thread might have died; while sweeping, we could yield for a young GC that promotes objects, overwriting the memory of the dead thread object with random primitives, without yet freeing the dead AbstractOwnableSynchronizer. A subsequent dumping operation could use the heap walker to find the dead AbstractOwnableSynchronizer and pointer-chase into its dead owner thread, which by now has been freed and had its memory clobbered with primitive data.

This will all eventually end up in a glorious crash. So we shouldn't do this.
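To make the failure mode concrete, here is an added C++ model (not HotSpot code; the heap, klass tags and cell layout are invented for illustration): an unfiltered walk hands the dump a dead synchronizer whose owner cell a young GC has already reused, while a liveness-filtered walk never visits it.

```cpp
#include <functional>
#include <string>
#include <vector>

enum Klass { THREAD, SYNCHRONIZER, INT_ARRAY };

struct Obj {
  Klass klass;
  bool live;          // liveness as the collector sees it
  Obj* owner;         // SYNCHRONIZER only: exclusive owner thread, possibly dead
  std::string name;   // THREAD only
};

struct Heap {
  std::vector<Obj> cells;
  // Unsafe walk: visits every allocated cell, dead or not.
  void object_iterate(const std::function<void(Obj*)>& cl) {
    for (Obj& o : cells) cl(&o);
  }
  // Safe walk: only objects the collector knows are live.
  void safe_object_iterate(const std::function<void(Obj*)>& cl) {
    for (Obj& o : cells) if (o.live) cl(&o);
  }
  // A young GC promoting into a dead object's cell: the contents are clobbered
  // with primitive data (an int[]), but stale references to the cell remain.
  void promote_over(Obj* dead) { *dead = Obj{INT_ARRAY, true, nullptr, ""}; }
};

// Lock dump: find every synchronizer, then pointer-chase to its owner thread.
// A clobbered owner is reported as "<not a thread>" instead of being read as one.
std::vector<std::string> dump_lock_owners(Heap& h, bool safe) {
  std::vector<Obj*> syncs;
  auto finder = [&](Obj* o) { if (o->klass == SYNCHRONIZER) syncs.push_back(o); };
  if (safe) h.safe_object_iterate(finder); else h.object_iterate(finder);
  std::vector<std::string> owners;
  for (Obj* s : syncs)
    owners.push_back(s->owner && s->owner->klass == THREAD ? s->owner->name : "<not a thread>");
  return owners;
}

// Constructed scenario: worker-1 and its synchronizer die; the sweep has not
// freed the synchronizer yet when a young GC reuses the dead thread's cell.
std::vector<std::string> run_dump(bool safe) {
  Heap h;
  h.cells.reserve(4);  // keep cell addresses stable
  h.cells.push_back({THREAD, true, nullptr, "main"});
  h.cells.push_back({THREAD, false, nullptr, "worker-1"});
  h.cells.push_back({SYNCHRONIZER, true, &h.cells[0], ""});
  h.cells.push_back({SYNCHRONIZER, false, &h.cells[1], ""});
  h.promote_over(&h.cells[1]);
  return dump_lock_owners(h, safe);
}
```

With the unsafe walk the dump reports two synchronizers, the second owned by "<not a thread>"; with the safe walk it reports only the live one owned by "main".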
Comments
Fix Request (11u) Fixes the corner case during heap dumping that may crash the VM instead. Patch applies cleanly to 11u, passes tier1. Risk is low: all GCs would handle safe_object_iterate properly; heap dump parsers would normally filter out dead objects anyway.
24-07-2019

URL: http://hg.openjdk.java.net/jdk/jdk13/rev/7a0d1616851e User: eosterlund Date: 2019-07-09 15:45:40 +0000
09-07-2019