Bug ID: JDK-8214250 ZGC: Missing load barrier in java.io.ObjectStreamClass.writeNonProxy()

Type: Bug
Component: hotspot
Sub-Component: compiler
Affected Version: 12

Priority: P3
Status: Closed
Resolution: Duplicate

Submitted: 2018-11-23
Updated: 2023-07-21
Resolved: 2023-07-21

JDK 12
12Resolved

The serial benchmark in SPECjvm2008 crashes because of a missing C2 load barrier in java.io.ObjectStreamClass.writeNonProxy().

ObjectStreamClass.writeNonProxy() calls ObjectStreamClass.getSerialVersionUID(), which gets inlined. ObjectStreamClass.getSerialVersionUID() calls suid.longValue(), which also gets inlined and where suid is a java.lang.Long reference member of ObjectStreamClass. The load of suid is not followed by a load barrier.

.... 
mov 0x10(%rsp),%r10
test %r10,0x20(%r15)   
jne loc_00000a06
mov (%rsp),%r13   
test %r10,%r10   
je loc_00002a98    
mov 0x30(%r13),%r10          // load of suid (java.lang.Long)
>>>>>> missing load barrier here!
mov 0x10(%r10),%rdx          // inlined call to suid.longValue()
mov 0x8(%rsp),%r14   
mov 0x20(%r14),%r11   
test %r11,0x20(%r15)   
jne loc_00000a18    
mov 0x10(%r11),%ebx   
mov %ebx,%r9d   
...

This test has now passed over 300 iterations without failing. I feel confident that this was fixed, either by JDK-8215708 or JDK-8214583.
14-01-2019
Could this be related to JDK-8214583? getSerialVersionUID() calls AccessController.doPrivileged() which might be broken? Time-wise this also seems plausible. We've only recently started to see this problem, and the change that broke AccessController.doPrivileged() was pushed in early November (JDK-8212605).
15-12-2018
Yes it looks correct. But I can't verify if the assembly I can produce matches the one where failure happened. The crash has happened once, with no core file. I have run 100 iterations without being able to reproduce.
28-11-2018
So it looks like the generated code is correct, right? Pre-ILW = Crash in compiled code due to bad oop, with ZGC (experimental feature), use different GC = HLM = P3
26-11-2018
suid.longValue() accesses a volatile field. This field is accessed twice. (We don't eliminate volatile accesses.) The second access is dominated by the first, and it's load barrier is removed. It is on this access we are crashing. This is a bit puzzling since it should be ok. Some other thread must have written a bad oop in between. It looks like this: ; B18: # B169 B19 <- B17 Freq: 0,999951 0x00007f13ed263e10: mov 0x18(%rsp),%r10 0x00007f13ed263e15: mov 0x30(%r10),%rbp ;goto {reexecute=0 rethrow=0 return_oop=0} <<<< first access with loadbarrier ; - java.io.ObjectOutputStream$HandleTable::lookup@51 (line 2300) ; - java.io.ObjectOutputStream::writeTypeString@16 (line 1030) ; - java.io.ObjectStreamClass::writeNonProxy@151 (line 835) 0x00007f13ed263e19: test %rbp,0x20(%r15) 0x00007f13ed263e1d: jne 0x00007f13ed264644 ;getfield suid {reexecute=0 rethrow=0 return_oop=0} ; - java.io.ObjectStreamClass::getSerialVersionUID@1 (line 261) ; - java.io.ObjectStreamClass::writeNonProxy@10 (line 809) ;; B19: # B217 B20 <- B169 B18 Freq: 0,999951 0x00007f13ed263e23: test %rbp,%rbp 0x00007f13ed263e26: je 0x00007f13ed264b82 ;ifnonnull {reexecute=0 rethrow=0 return_oop=0} ; - java.io.ObjectStreamClass::getSerialVersionUID@4 (line 261) ; - java.io.ObjectStreamClass::writeNonProxy@10 (line 809) ;; B20: # B249 B21 <- B19 Freq: 0,999951 0x00007f13ed263e2c: mov 0x30(%r10),%r10 ;getfield suid {reexecute=0 rethrow=0 return_oop=0} <<<< second access - no barrier ; - java.io.ObjectStreamClass::getSerialVersionUID@26 (line 270) ; - java.io.ObjectStreamClass::writeNonProxy@10 (line 809) 0x00007f13ed263e30: mov 0x10(%r10),%rdi ;*getfield value {reexecute=0 rethrow=0 return_oop=0} <<<< Crash on dereference ; - java.lang.Long::longValue@1 (line 1366) ; - java.io.ObjectStreamClass::getSerialVersionUID@29 (line 270) ; - java.io.ObjectStreamClass::writeNonProxy@10 (line 809) ; implicit exception: dispatches to 0x00007f13ed264e8a
23-11-2018