Bug ID: JDK-8248447 SIGSEGV in G1ScanHRForRegionClosure::scan_heap

JDK-8248447 : SIGSEGV in G1ScanHRForRegionClosure::scan_heap_roots

Type: Bug
Component: hotspot
Sub-Component: gc
Affected Version: 16

Priority: P2
Status: Closed
Resolution: Duplicate
OS: linux
CPU: x86_64

Submitted: 2020-06-28
Updated: 2020-07-13
Resolved: 2020-07-13

Versions (Unresolved/Resolved/Fixed)

The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.

JDK 16
16Resolved

Related Reports

Duplicate :	JDK-8248650 - [BACKOUT] Backout JDK-8244603 because it generates too much noise in CI
Relates :	JDK-8248442 - Kitchensink24HStress.java SIGSEGV in G1ParScanThreadState::copy_to_survivor_space due to bad Handle
Relates :	JDK-8248438 - SIGSEGV in ObjectMonitor::enter
Relates :	JDK-8244603 - G1 incorrectly limiting young gen size when using the reserve can result in repeated full gcs
Relates :	JDK-8243197 - Crash in oopDesc::size_given_klass

Description

The following test failed in the JDK16 CI:

applications/kitchensink/Kitchensink.java

Here's a snippet from the log file:

Iteration start: LockDeflation at Sun Jun 28 22:30:37 UTC 2020
Iteration done: MemAccess at Sun Jun 28 22:31:02 UTC 2020
Iteration done: SpecJvm2008Batch at Sun Jun 28 22:31:07 UTC 2020
Iteration start: SpecJvm2008Batch at Sun Jun 28 22:31:07 UTC 2020
Iteration done: LockDeflation at Sun Jun 28 22:31:15 UTC 2020
Iteration start: MemAccess at Sun Jun 28 22:32:02 UTC 2020


The tail of stress stdout is:
For random generator using seed: -828827228002506869
To re-run test with same seed value please add "-Djdk.test.lib.random.seed=-828827228002506869" to command line.
Stress process main method is started.
#
# A fatal error has been detected by the Java Runtime Environment:
#
#  SIGSEGV (0xb) at pc=0x00007f27a667b3be, pid=6760, tid=6827
#
# JRE version: Java(TM) SE Runtime Environment (16.0+4) (build 16-ea+4-99)
# Java VM: Java HotSpot(TM) 64-Bit Server VM (16-ea+4-99, mixed mode, sharing, tiered, g1 gc, linux-amd64)
# Problematic frame:
# V  [libjvm.so+0x69e3be]  G1ScanHRForRegionClosure::scan_heap_roots(HeapRegion*)+0xa6e
#
# Core dump will be written. Default location: Core dumps may be processed with "/opt/core.sh %p" (or dumping to /opt/mach5/mesos/work_dir/slaves/4728e7c1-7e67-490e-be0f-6bbf2a2f33db-S57/frameworks/1735e8a2-a1db-478c-8104-60c8b0af87dd-0196/executors/eb174d08-460e-4623-82ee-217b486baca8/runs/1ca75b9f-c575-4bc1-a4e0-28d2da51dca0/testoutput/test-support/jtreg_closed_test_hotspot_jtreg_applications_kitchensink_Kitchensink_java/scratch/0/core.6760)
#
Unsupported internal testing APIs have been used.

# An error report file with more information is saved as:
# /opt/mach5/mesos/work_dir/slaves/4728e7c1-7e67-490e-be0f-6bbf2a2f33db-S57/frameworks/1735e8a2-a1db-478c-8104-60c8b0af87dd-0196/executors/eb174d08-460e-4623-82ee-217b486baca8/runs/1ca75b9f-c575-4bc1-a4e0-28d2da51dca0/testoutput/test-support/jtreg_closed_test_hotspot_jtreg_applications_kitchensink_Kitchensink_java/scratch/0/hs_err_pid6760.log
#
# If you would like to submit a bug report, please visit:
#   https://bugreport.java.com/bugreport/crash.jsp
#
----------System.err:(242/22586)----------


Here's the crashing thread's stack:

---------------  T H R E A D  ---------------

Current thread (0x00007f2360001f80):  GCTaskThread "GC Thread#2" [stack: 0x00007f2365b59000,0x00007f2365c59000] [id=6827]

Stack: [0x00007f2365b59000,0x00007f2365c59000],  sp=0x00007f2365c57b00,  free space=1018k
Native frames: (J=compiled Java code, A=aot compiled Java code, j=interpreted, Vv=VM code, C=native code)
V  [libjvm.so+0x69e3be]  G1ScanHRForRegionClosure::scan_heap_roots(HeapRegion*)+0xa6e
V  [libjvm.so+0x695bc5]  G1RemSet::scan_heap_roots(G1ParScanThreadState*, unsigned int, G1GCPhaseTimes::GCParPhases, G1GCPhaseTimes::GCParPhases)+0x1b5
V  [libjvm.so+0x641a93]  G1EvacuateRegionsTask::scan_roots(G1ParScanThreadState*, unsigned int)+0x43
V  [libjvm.so+0x6424b9]  G1EvacuateRegionsBaseTask::work(unsigned int)+0x99
V  [libjvm.so+0xd8e23d]  GangWorker::loop()+0x4d
V  [libjvm.so+0xcf326d]  Thread::call_run()+0xfd
V  [libjvm.so+0xb468b7]  thread_native_entry(Thread*)+0xe7


siginfo: si_signo: 11 (SIGSEGV), si_code: 1 (SEGV_MAPERR), si_addr: 0x00000000000000f0

Comments

Fixed by the backout of JDK-8248650.
13-07-2020
This test failure mode was first spotted in the jdk-16+4-99-tier7 CI job set and there is only one sighting of this exact failure mode. This failure mode has not reproduced since Thomas pushed: JDK-8248650 [BACKOUT] Backout JDK-8244603 because it generates too much noise in CI This bug can be closed as a duplicate of JDK-8248650 if Thomas agrees.
06-07-2020
Potentially same/similar to JDK-8248438 as a few of the threads are in ObjectMonitor as they safepoint. None seems to be waiting on object 0x7f2549fc3d40 though.
30-06-2020
Full stack trace: 0x800b59000: 0x00000000 0x00000000 0x00000000 0x00000000 p (Klass ) 0x800b59000 $5 = {[...] _id = InstanceKlassID, _vtable_len = -1608606992, _super_check_offset = 32551, _name = 0x0, _secondary_super_cache = 0x7f237c1b55d8, _secondary_supers = 0x7f237c1b62d8, _primary_supers = {0x7f237c1b6308, 0x800b58f38, 0x800566168, 0x0, 0x0, 0x5, 0x1100000001, 0x60000000d0000}, _java_mirror = {_obj = 0x23000004000009}, _super = 0x0, _subklass = 0x0, [...]} i.e. the klass is bogus (e.g. _vtable_len < 0, _layout_helper should be nonzero for instanceKlasses (id == InstanceKlassID) to show the object size and others afaik) [ frames above here only show another crash when trying to find out what is at RSI ] #34 <signal handler called> #35 0x00007f27a667b3be in oopDesc::size_given_klass (klass=0x800b59000, this=0x7f2549fc3d40) at .../open/src/hotspot/share/oops/oop.inline.hpp:234 #36 oopDesc::size_given_klass (klass=0x800b59000, this=0x7f2549fc3d40) at .../open/src/hotspot/share/oops/oop.inline.hpp:187 #37 oopDesc::size (this=0x7f2549fc3d40) at .../open/src/hotspot/share/oops/oop.inline.hpp:184 #38 HeapRegion::is_obj_dead_with_size (size=<synthetic pointer>, prev_bitmap=0x7f27a0089da0, obj=0x7f2549fc3d40, this=0x7f23606b7270) at .../open/src/hotspot/share/gc/g1/heapRegion.inline.hpp:132 #39 HeapRegion::oops_on_memregion_seq_iterate_careful<true, G1ScanCardClosure> (cl=0x7f2365c57bc0, mr=..., this=<optimized out>) at .../open/src/hotspot/share/gc/g1/heapRegion.inline.hpp:350 #40 G1ScanHRForRegionClosure::scan_memregion (this=0x7f2365c57cb0, this=0x7f2365c57cb0, mr=..., region_idx_for_card=844) at .../open/src/hotspot/share/gc/g1/g1RemSet.cpp:653 #41 G1ScanHRForRegionClosure::do_claimed_block (num_cards=1, first_card=<optimized out>, region_idx_for_card=844, this=0x7f2365c57cb0) at .../open/src/hotspot/share/gc/g1/g1RemSet.cpp:678 #42 G1ScanHRForRegionClosure::do_card_block (num_cards=1, first_card=<optimized out>, region_idx=844, this=0x7f2365c57cb0) at .../open/src/hotspot/share/gc/g1/g1RemSet.cpp:685 #43 G1ScanHRForRegionClosure::scan_heap_roots (this=this@entry=0x7f2365c57cb0, r=r@entry=0x7f23606b7270) at .../open/src/hotspot/share/gc/g1/g1RemSet.cpp:716 #44 0x00007f27a6672bc5 in G1ScanHRForRegionClosure::do_heap_region (r=0x7f23606b7270, this=0x7f2365c57cb0) at .../open/src/hotspot/share/gc/g1/g1RemSet.cpp:758 #45 G1ScanHRForRegionClosure::do_heap_region (r=0x7f23606b7270, this=0x7f2365c57cb0) at .../open/src/hotspot/share/gc/g1/g1RemSet.cpp:750 #46 G1RemSetScanState::iterate_dirty_regions_from (worker_id=7, cl=0x7f2365c57cb0, this=<optimized out>) at .../open/src/hotspot/share/gc/g1/g1RemSet.cpp:403 #47 G1RemSet::scan_heap_roots (this=<optimized out>, pss=pss@entry=0x7f22d001ec10, worker_id=worker_id@entry=7, scan_phase=scan_phase@entry=G1GCPhaseTimes::ScanHR, objcopy_phase=objcopy_phase@entry=G1GCPhaseTimes::ObjCopy) at .../open/src/hotspot/share/gc/g1/g1RemSet.cpp:776 #48 0x00007f27a661ea93 in G1EvacuateRegionsTask::scan_roots (this=0x7f2367f7d3d0, pss=0x7f22d001ec10, worker_id=7) at .../open/src/hotspot/share/gc/g1/g1CollectedHeap.hpp:997 #49 0x00007f27a661f4b9 in G1EvacuateRegionsBaseTask::work (this=0x7f2367f7d3d0, worker_id=7) at .../open/src/hotspot/share/gc/g1/g1CollectedHeap.cpp:3859 #50 0x00007f27a6d6b23d in GangWorker::run_task (this=0x7f2360001f80, data=...) at .../open/src/hotspot/share/gc/shared/workgroup.cpp:339 Object 0x7f2549fc3d40 is located in \| 844\|0x00007f2549800000, 0x00007f254a000000, 0x00007f254a000000\|100%\| O\| \|TAMS 0x00007f2549800000, 0x00007f254a000000\| Complete (this is an initial mark gc, so no particular evacuation activity)
30-06-2020
Linked JDK-8243197, JDK-8248438, JDK-8248442 as related because they have been appearing together lately, but may of course have no real relation other than timing.
29-06-2020