JDK-8193053 : jvm crash by G1CMBitMapClosure::do_addr
  • Type: Bug
  • Component: hotspot
  • Sub-Component: runtime
  • Affected Version: 10
  • Priority: P1
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2017-12-05
  • Updated: 2018-01-04
  • Resolved: 2017-12-13
The Version table provides details related to the release in which this issue/RFE will be addressed.

Unresolved: release in which this issue/RFE will be addressed.
Resolved: release in which this issue/RFE has been resolved.
Fixed: release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

Release   Build    Status
JDK 10    10 b37   Fixed
JDK 11    11       Fixed
Related Reports
Relates :  
Relates :  
Description
There are 4 JCK tests on jdk10 that crash:

api/javax_xml/ws/ee/w2j/document/literal/marshalltest/MarshallOneWayTest.html#MarshallOneWayTest
api/javax_xml/ws/ee/w2j/document/literal/marshalltest/MarshallUnsignedTypesTest.html#MarshallUnsignedTypesTest
api/javax_xml/ws/ee/w2j/rpc/literal/httptest/TestGoodOneWaySoapMessageNoXMLDeclaration.html#TestGoodOneWaySoapMessageNoXMLDeclaration
api/javax_xml/ws/ee/w2j/rpc/literal/marshalltest/MarshallTokenTypeTest.html#MarshallTokenTypeTest
 
native stack
===========
Current thread (0x00007f0c38052800):  ConcurrentGCThread "G1 Conc#1" [stack: 0x00007f0c3c446000,0x00007f0c3c546000] [id=20003]

Stack: [0x00007f0c3c446000,0x00007f0c3c546000],  sp=0x00007f0c3c544d30,  free space=1019k
Native frames: (J=compiled Java code, A=aot compiled Java code, j=interpreted, Vv=VM code, C=native code)
V  [libjvm.so+0x786697]  G1CMBitMapClosure::do_addr(HeapWord*)+0xa7
V  [libjvm.so+0x78b780]  G1CMTask::do_marking_step(double, bool, bool)+0x9e0
V  [libjvm.so+0x78edfb]  G1CMConcurrentMarkingTask::work(unsigned int)+0xbb
V  [libjvm.so+0xe1051d]  GangWorker::loop()+0x4d
V  [libjvm.so+0xbf8f02]  thread_native_entry(Thread*)+0xf2


siginfo: si_signo: 11 (SIGSEGV), si_code: 1 (SEGV_MAPERR), si_addr: 0x0000000000000008

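The hs_err excerpt above carries enough to automate first-line triage of crash reports that arrive from a fleet. The Python below is an added example, not part of this bug report or of the JDK sources: it parses the three hs_err fields the report shows (current thread, native frames, siginfo), matches them against this issue's signature (SIGSEGV on a near-null address in G1CMBitMapClosure::do_addr on a G1 concurrent marking thread), and checks the JDK build string against the regression window the report gives (first seen in 10b31, fixed in 10 b37). The build-string parser assumes the JEP 223 `java -version` format such as `10-ea+36`; the 0x1000 near-null threshold on si_addr is the example's own choice, and the sample input is the report's own excerpt embedded as a constant.

```python
import re

# Constructed sample input: the hs_err excerpt quoted in this report, reduced to the
# fields the matcher below reads.
SAMPLE_HS_ERR = """\
Current thread (0x00007f0c38052800):  ConcurrentGCThread "G1 Conc#1" [stack: 0x00007f0c3c446000,0x00007f0c3c546000] [id=20003]

Stack: [0x00007f0c3c446000,0x00007f0c3c546000],  sp=0x00007f0c3c544d30,  free space=1019k
Native frames: (J=compiled Java code, A=aot compiled Java code, j=interpreted, Vv=VM code, C=native code)
V  [libjvm.so+0x786697]  G1CMBitMapClosure::do_addr(HeapWord*)+0xa7
V  [libjvm.so+0x78b780]  G1CMTask::do_marking_step(double, bool, bool)+0x9e0
V  [libjvm.so+0x78edfb]  G1CMConcurrentMarkingTask::work(unsigned int)+0xbb
V  [libjvm.so+0xe1051d]  GangWorker::loop()+0x4d
V  [libjvm.so+0xbf8f02]  thread_native_entry(Thread*)+0xf2

siginfo: si_signo: 11 (SIGSEGV), si_code: 1 (SEGV_MAPERR), si_addr: 0x0000000000000008
"""

THREAD_RE = re.compile(r'^Current thread \(0x[0-9a-f]+\):\s+(?P<kind>\w+)\s+"(?P<name>[^"]+)"')
# One "V  [libjvm.so+0x...]  symbol(args)+0xoff" frame line; the frame letter is the
# hs_err legend (J, A, j, V, v, C).
FRAME_RE = re.compile(r'^[VvCJjA]\s+\[(?P<lib>[^+\]]+)\+0x[0-9a-f]+\]\s+(?P<sym>.+?)\+0x[0-9a-f]+\s*$')
SIGINFO_RE = re.compile(r'^siginfo: si_signo: \d+ \((?P<signame>\w+)\), si_code: \d+ \((?P<code>\w+)\), si_addr: (?P<addr>0x[0-9a-f]+)')
# JEP 223 build string as printed by `java -version`, e.g. "10-ea+36" or "9.0.4+11" (assumed format).
BUILD_RE = re.compile(r'^(?P<major>\d+)(?:\.\d+)*(?:-[A-Za-z0-9]+)?\+(?P<build>\d+)$')

NEAR_NULL = 0x1000  # example's own threshold: a fault address below this is a null-plus-offset deref


def parse_hs_err(text):
    """Extract current thread, native frame symbols (top first) and siginfo from hs_err text."""
    info = {"thread_kind": None, "thread_name": None, "frames": [],
            "signal": None, "si_code": None, "si_addr": None}
    for line in text.splitlines():
        m = THREAD_RE.match(line)
        if m:
            info["thread_kind"], info["thread_name"] = m.group("kind"), m.group("name")
            continue
        m = FRAME_RE.match(line)
        if m:
            info["frames"].append(m.group("sym"))
            continue
        m = SIGINFO_RE.match(line)
        if m:
            info["signal"] = m.group("signame")
            info["si_code"] = m.group("code")
            info["si_addr"] = int(m.group("addr"), 16)
    return info


def matches_jdk8193053(info):
    """Signature taken from this report: SIGSEGV on a near-null address with
    G1CMBitMapClosure::do_addr at (or next to) the top of the stack, under
    G1CMTask::do_marking_step, on a G1 concurrent GC thread."""
    frames = info["frames"]
    return (info["signal"] == "SIGSEGV"
            and info["si_addr"] is not None and info["si_addr"] < NEAR_NULL
            and info["thread_kind"] == "ConcurrentGCThread"
            and any(f.startswith("G1CMBitMapClosure::do_addr") for f in frames[:3])
            and any(f.startswith("G1CMTask::do_marking_step") for f in frames))


def build_is_affected(version):
    """True for the JDK 10 early-access window this report gives: regression first
    seen in 10b31, fixed in 10 b37, so builds 31..36 inclusive. Other feature
    releases (9, 11+) are outside the affected-version list and return False."""
    m = BUILD_RE.match(version)
    if not m:
        raise ValueError("unrecognised JEP 223 version string: " + version)
    major, build = int(m.group("major")), int(m.group("build"))
    return major == 10 and 31 <= build <= 36


def triage(hs_err_text, build_string):
    """Combine the crash signature with the build window into a triage verdict."""
    info = parse_hs_err(hs_err_text)
    sig = matches_jdk8193053(info)
    affected = build_is_affected(build_string)
    if sig and affected:
        verdict = "likely JDK-8193053: upgrade to 10 b37 or later"
    elif sig:
        verdict = "signature matches but build is outside the known window: treat as a new G1 marking crash"
    else:
        verdict = "no match"
    return {"signature_match": sig, "build_affected": affected, "verdict": verdict}


if __name__ == "__main__":
    print(triage(SAMPLE_HS_ERR, "10-ea+36"))
```

The signature deliberately requires both the top frame and the marking-step frame plus the thread kind: a SIGSEGV at address 0x8 alone is far too generic to pin on one bug, and a matcher that only keys on the signal will mislabel unrelated crashes.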
Comments
Added noreg-hard. This requires G1 GC during class unloading with a class found to have an error after the mirror is created but before the class is completed, likely due to an OOM situation.
13-12-2017

V [libjvm.so+0xb0b2ed] report_vm_error(char const*, int, char const*, char const*, ...)+0xdd
V [libjvm.so+0xe8b7eb] InstanceKlass::deallocate_contents(ClassLoaderData*)+0x4ab
V [libjvm.so+0x9ae528] void MetadataFactory::free_metadata<InstanceKlass*>(ClassLoaderData*, InstanceKlass*)+0xd8
V [libjvm.so+0x9ab8ec] ClassLoaderData::free_deallocate_list()+0x23c
V [libjvm.so+0x9abd71] ClassLoaderData::unload()+0x2a1
V [libjvm.so+0x9aca63] ClassLoaderDataGraph::do_unloading(BoolObjectClosure*, bool)+0x213
V [libjvm.so+0x171516a] SystemDictionary::do_unloading(BoolObjectClosure*, GCTimer*, bool)+0x4a
V [libjvm.so+0xcbbfa1] G1ConcurrentMark::weak_refs_work(bool)+0x5d1
V [libjvm.so+0xcbe527] G1ConcurrentMark::checkpoint_roots_final(bool)+0x107

So freeing the deallocate list was added for unloading classes, which also releases C heap structures, but this case should not remove the mirror from the _handles[] area and probably should not remove the klass from the _klasses list either. Linked bug where this was added.
10-12-2017

It looks like the GC is processing grey references for objects that I think have been unloaded. The problem is very reproducible with -XX:+MetadataAllocationFailALot. Commenting out this line makes the crash go away. This is supposed to remove the mirror from the _handles[] array in a loaded ClassLoaderData, primarily for redefinition but can also be called for failed class loading. Still investigating why this is called.
diff --git a/src/hotspot/share/oops/instanceKlass.cpp b/src/hotspot/share/oops/instanceKlass.cpp --- a/src/hotspot/share/oops/instanceKlass.cpp +++ b/src/hotspot/share/oops/instanceKlass.cpp @@ -286,7 +286,7 @@ } // Also remove mirror from handles - loader_data->remove_handle(_java_mirror); + // loader_data->remove_handle(_java_mirror); // Need to take this class off the class loader data list. loader_data->remove_class(this);
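Review bot: commenting out `loader_data->remove_handle(_java_mirror);` disables the mirror removal for every caller of InstanceKlass::deallocate_contents, including the redefinition case the surrounding comment says this call is primarily for, so a redefined class would leave a stale slot in the loader's _handles area. As a diagnostic it does confirm that removing the mirror while concurrent marking can still reach it is what the GC trips over, but the change that ships should skip the removal only for the failed-loading case (a class that errors after its mirror is created but before loading completes) rather than unconditionally, and should not leave a dead commented-out line behind. The `loader_data->remove_class(this);` at the end of the same hunk deserves the same conditional: a class that never finished loading is the case being handled here, and whether it belongs on the _klasses list at all is what the outstanding "still investigating" needs to settle before this becomes a fix.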
10-12-2017

Coleen, Thomas' analysis indicates that the fix for: JDK-8186777 Make Klass::_java_mirror an OopHandle has caused this failure. Can you take a look?
07-12-2017

The change that introduced this regression is http://hg.openjdk.java.net/jdk10/hs/rev/96392e113a0a : 8186777: Make Klass::_java_mirror an OopHandle. A build with this change typically gives an error during the first run of the above-mentioned test suite. After removing this change, the test suite passed 10 runs without error.
07-12-2017

There is a high probability that this issue was introduced somewhere between 10b30 and 10b31. Ran the above test suite, containing 72 tests, seven times with 10b30 with no issue; 10b31 shows the issue once or twice every test suite run.
07-12-2017

I think I can reproduce it locally using "make run-test CONF=l TEST="jck-runtime:api/javax_xml/ws/ee/w2j""; one of the tests in the w2j directory will fail. Reproducible in slowdebug builds too.

#2 0x00002b68ed354dad in os::infinite_sleep () at .../open/src/hotspot/os/linux/os_linux.cpp:4037
#3 0x00002b68ed5e5978 in VMError::report_and_die (id=-536870912, message=0x2b68ed67887d "assert(!is_null(v)) failed", detail_fmt=0x2b68ed678858 "narrow klass value can never be zero", detail_args=0x2b6983c14720, thread=0x2b68f0095800, pc=0x0, siginfo=0x0, context=0x0, filename=0x2b68ed678898 ".../open/src/hotspot/share/oops/klass.inline.hpp", lineno=63, size=0) at .../open/src/hotspot/share/utilities/vmError.cpp:1325
#4 0x00002b68ed5e5603 in VMError::report_and_die (thread=0x2b68f0095800, filename=0x2b68ed678898 ".../open/src/hotspot/share/oops/klass.inline.hpp", lineno=63, message=0x2b68ed67887d "assert(!is_null(v)) failed", detail_fmt=0x2b68ed678858 "narrow klass value can never be zero", detail_args=0x2b6983c14720) at .../open/src/hotspot/share/utilities/vmError.cpp:1239
#5 0x00002b68ecb6fe18 in report_vm_error (file=0x2b68ed678898 ".../open/src/hotspot/share/oops/klass.inline.hpp", line=63, error_msg=0x2b68ed67887d "assert(!is_null(v)) failed", detail_fmt=0x2b68ed678858 "narrow klass value can never be zero") at .../open/src/hotspot/share/utilities/debug.cpp:214
#6 0x00002b68ec449062 in Klass::decode_klass_not_null (v=0) at .../open/src/hotspot/share/oops/klass.inline.hpp:63
#7 0x00002b68ec449151 in oopDesc::klass (this=0xc1245b38) at .../open/src/hotspot/share/oops/oop.inline.hpp:61
#8 0x00002b68ec78efb7 in oopDesc::is_typeArray (this=0xc1245b38) at .../open/src/hotspot/share/oops/oop.inline.hpp:234
#9 0x00002b68ecd051b6 in G1CMTask::make_reference_grey (this=0x2b68f009ea40, obj=0xc1245b38) at .../open/src/hotspot/share/gc/g1/g1ConcurrentMark.inline.hpp:184
#10 0x00002b68ecd05265 in G1CMTask::deal_with_reference (this=0x2b68f009ea40, obj=0xc1245b38) at .../open/src/hotspot/share/gc/g1/g1ConcurrentMark.inline.hpp:207
#11 0x00002b68ecd07888 in G1CMOopClosure::do_oop_nv<unsigned int> (this=0x2b6983c14cc0, p=0xc1b0db00) at .../open/src/hotspot/share/gc/g1/g1OopClosures.inline.hpp:91
#12 0x00002b68ecd60751 in Devirtualizer<true>::do_oop<G1CMOopClosure, unsigned int> (closure=0x2b6983c14cc0, p=0xc1b0db00) at .../open/src/hotspot/share/memory/iterator.inline.hpp:70
#13 0x00002b68ecd5351c in oop_oop_iterate_oop_map<true, unsigned int, G1CMOopClosure> (closure=0x2b6983c14cc0, obj=0xc1b0dae8, map=0x1000021e8, this=0x100001f60) at .../open/src/hotspot/share/oops/instanceKlass.inline.hpp:63
#14 oop_oop_iterate_oop_maps_specialized<true, unsigned int, G1CMOopClosure> (closure=0x2b6983c14cc0, obj=0xc1b0dae8, this=0x100001f60) at .../open/src/hotspot/share/oops/instanceKlass.inline.hpp:109
#15 oop_oop_iterate_oop_maps<true, G1CMOopClosure> (closure=0x2b6983c14cc0, obj=0xc1b0dae8, this=0x100001f60) at .../open/src/hotspot/share/oops/instanceKlass.inline.hpp:139
#16 oop_oop_iterate<true, G1CMOopClosure> (closure=0x2b6983c14cc0, obj=0xc1b0dae8, this=0x100001f60) at .../open/src/hotspot/share/oops/instanceKlass.inline.hpp:171
#17 InstanceMirrorKlass::oop_oop_iterate<true, G1CMOopClosure> (this=0x100001f60, obj=0xc1b0dae8, closure=0x2b6983c14cc0) at .../open/src/hotspot/share/oops/instanceMirrorKlass.inline.hpp:57
#18 0x00002b68ecd45212 in InstanceMirrorKlass::oop_oop_iterate_nv (this=0x100001f60, obj=0xc1b0dae8, closure=0x2b6983c14cc0) at .../open/src/hotspot/share/gc/g1/g1OopClosures.cpp:64
#19 0x00002b68ecd04a50 in oopDesc::oop_iterate_size (this=0xc1b0dae8, blk=0x2b6983c14cc0) at .../open/src/hotspot/share/oops/oop.inline.hpp:537
#20 0x00002b68ecd07af4 in G1CMTask::process_grey_task_entry<true> (this=0x2b68f009ea40, task_entry=...) at .../open/src/hotspot/share/gc/g1/g1ConcurrentMark.inline.hpp:148
#21 0x00002b68ecd04c59 in G1CMTask::scan_task_entry (this=0x2b68f009ea40, task_entry=...) at .../open/src/hotspot/share/gc/g1/g1ConcurrentMark.inline.hpp:82
#22 0x00002b68eccfa203 in G1CMBitMapClosure::do_addr (this=0x2b6983c14c90, addr=0xc1b0dae8) at .../open/src/hotspot/share/gc/g1/g1ConcurrentMark.cpp:71
#23 0x00002b68ecd04969 in G1CMBitMap::iterate (this=0x2b68f008c3d0, cl=0x2b6983c14c90, mr=...) at .../open/src/hotspot/share/gc/g1/g1ConcurrentMarkBitMap.inline.hpp:44
#24 0x00002b68ecd017b6 in G1CMTask::do_marking_step (this=0x2b68f009ea40, time_target_ms=10, do_termination=true, is_serial=false) at .../open/src/hotspot/share/gc/g1/g1ConcurrentMark.cpp:2609
#25 0x00002b68ecd05e37 in G1CMConcurrentMarkingTask::work (this=0x2b6983810a10, worker_id=5) at .../open/src/hotspot/share/gc/g1/g1ConcurrentMark.cpp:849
#26 0x00002b68ed65e3e7 in GangWorker::run_task (this=0x2b68f0095800, data=...) at .../open/src/hotspot/share/gc/shared/workgroup.cpp:336
#27 0x00002b68ed65e4be in GangWorker::loop (this=0x2b68f0095800) at .../open/src/hotspot/share/gc/shared/workgroup.cpp:346
#28 0x00002b68ed65e009 in AbstractGangWorker::run (this=0x2b68f0095800) at .../open/src/hotspot/share/gc/shared/workgroup.cpp:295
#29 0x00002b68ed34be9c in thread_native_entry (thread=0x2b68f0095800) at .../open/src/hotspot/os/linux/os_linux.cpp:707
#30 0x00002b68eb73ae25 in start_thread () from /lib64/libpthread.so.0
06-12-2017