JDK-8255039 : SIGSEGV in StubRoutines::jbyte_disjoint_arraycopy
  • Type: Bug
  • Component: hotspot
  • Sub-Component: compiler
  • Affected Version: 16
  • Priority: P1
  • Status: Closed
  • Resolution: Duplicate
  • Submitted: 2020-10-20
  • Updated: 2023-12-25
  • Resolved: 2020-10-22
JDK 16
16 Resolved
Related Reports
Duplicate :  
Description
We see the following crash with a confidential test after JDK-8252847:

#  SIGSEGV (0xb) at pc=0x00007f885cc19a70, pid=24353, tid=24417
#
# JRE version: OpenJDK Runtime Environment (16.0+20) (build 16-ea+20-1092)
# Java VM: OpenJDK 64-Bit Server VM (16-ea+20-1092, mixed mode, sharing, tiered, compressed oops, g1 gc, linux-amd64)
# Problematic frame:
# v  ~StubRoutines::jbyte_disjoint_arraycopy

Stack: [0x00007f87f70d2000,0x00007f87f71d3000],  sp=0x00007f87f71d1000,  free space=1020k
Native frames: (J=compiled Java code, A=aot compiled Java code, j=interpreted, Vv=VM code, C=native code)
v  ~StubRoutines::jbyte_disjoint_arraycopy


siginfo: si_signo: 11 (SIGSEGV), si_code: 1 (SEGV_MAPERR), si_addr: 0x0000000006e9bcac

Register to memory mapping:

RAX=0x0000000006e9bcf9 is an unknown value
RBX=0x0000000706e9bd38 is an oop: [B
{0x0000000706e9bd38} - klass: {type array byte}
 - length: 77
RCX=0x000000000000004d is an unknown value
RDX=0xffffffffffffffff is an unknown value
RSP=0x00007f87f71d1000 is pointing into the stack for thread: 0x00007f88000342b0
RBP=0x00007f87f71d1000 is pointing into the stack for thread: 0x00007f88000342b0
RSI=0x0000000706e9bd88 is pointing into object: [B
{0x0000000706e9bd38} - klass: {type array byte}
 - length: 77
RDI=0x0000000006e9bcec is an unknown value
R8 =0x0000000706e9bd38 is an oop: [B
{0x0000000706e9bd38} - klass: {type array byte}
 - length: 77
R9 =0x000000000000000c is an unknown value
R10=0x00007f885cc19ac0 is at begin+0 in a stub
StubRoutines::jbyte_arraycopy [0x00007f885cc19ac0, 0x00007f885cc19b86] (198 bytes)
R11=0x0000000006e9bcac is an unknown value
R12=0x0 is NULL
R13=0x0000000706e9bd20 is an oop: java.lang.String
{0x0000000706e9bd20} - klass: 'java/lang/String'
R14=3772594087 is a compressed pointer to object: [B
{0x0000000706e9bd38} - klass: {type array byte}
 - length: 77
R15=0x00007f88000342b0 is a thread


Registers:
RAX=0x0000000006e9bcf9, RBX=0x0000000706e9bd38, RCX=0x000000000000004d, RDX=0xffffffffffffffff
RSP=0x00007f87f71d1000, RBP=0x00007f87f71d1000, RSI=0x0000000706e9bd88, RDI=0x0000000006e9bcec
R8 =0x0000000706e9bd38, R9 =0x000000000000000c, R10=0x00007f885cc19ac0, R11=0x0000000006e9bcac
R12=0x0000000000000000, R13=0x0000000706e9bd20, R14=0x00000000e0dd37a7, R15=0x00007f88000342b0
RIP=0x00007f885cc19a70, EFLAGS=0x0000000000010286, CSGSFS=0x002b000000000033, ERR=0x0000000000000004
  TRAPNO=0x000000000000000e

Top of Stack: (sp=0x00007f87f71d1000)
0x00007f87f71d1000:   000000000000004d 00007f8864869990
0x00007f87f71d1010:   00007f88000342b0 0000000706e9bbd8
0x00007f87f71d1020:   0000000706e9bb58 0000000000000000
0x00007f87f71d1030:   0000000000000051 0000000000000001

Instructions: (pc=0x00007f885cc19a70)

Comments
I will close this as duplicate of JDK-8254790 as soon as the fix is ready and we've verified that it also fixes this issue.
20-10-2020

After looking at the fix for JDK-8252847 for a while now and being unable to find any issues, I took another look at the hs_err file and noticed that the invalid address that we access, RDI=0x0000000006e9bcec, is very similar to these valid oops to byte arrays:

RBX=0x0000000706e9bd38 is an oop: [B
{0x0000000706e9bd38} - klass: {type array byte}
 - length: 77
RSI=0x0000000706e9bd88 is pointing into object: [B
{0x0000000706e9bd38} - klass: {type array byte}
 - length: 77

It looks as if the upper part has been cut off, very similar to what [~sviswanathan] found here for JDK-8254790, which is a regression from JDK-8173585:
https://mail.openjdk.java.net/pipermail/hotspot-compiler-dev/2020-October/040839.html

I therefore think this is *not* a regression from JDK-8252847 but from JDK-8173585.
20-10-2020

Jatin, could you please have a look?
20-10-2020

Assembly from the hs_err file:

StubRoutines::jbyte_disjoint_arraycopy
  push rbp
  mov rbp,rsp
  mov rcx,rdx
  shr rdx,0x3
  lea rdi,[rdi+rdx*8-0x8]
  lea rsi,[rsi+rdx*8-0x8]
  neg rdx
  jmp 0x88
  mov rax,QWORD PTR [rdi+rdx*8+0x8]
  mov QWORD PTR [rsi+rdx*8+0x8],rax
  inc rdx
  jne 0x1d
  test ecx,0x4
  je 0x42
  mov eax,DWORD PTR [rdi+0x8]
  mov DWORD PTR [rsi+0x8],eax
  add rdi,0x4
  add rsi,0x4
  test ecx,0x2
  je 0x5a
  mov ax,WORD PTR [rdi+0x8]
  mov WORD PTR [rsi+0x8],ax
  add rdi,0x2
  add rsi,0x2
  test ecx,0x1
  je 0x68
  mov al,BYTE PTR [rdi+0x8]
  mov BYTE PTR [rsi+0x8],al
  xor rax,rax
  vzeroupper
  leave
  ret
  vmovdqu ymm0,YMMWORD PTR [rdi+rdx*8-0x38]   <-- CRASH
  vmovdqu YMMWORD PTR [rsi+rdx*8-0x38],ymm0
  vmovdqu ymm1,YMMWORD PTR [rdi+rdx*8-0x18]
  vmovdqu YMMWORD PTR [rsi+rdx*8-0x18],ymm1
  add rdx,0x8
  jle 0x70
  sub rdx,0x4
  jg 0xa4
  vmovdqu ymm0,YMMWORD PTR [rdi+rdx*8-0x18]
  vmovdqu YMMWORD PTR [rsi+rdx*8-0x18],ymm0
  add rdx,0x4
  vpxor ymm0,ymm0,ymm0
  vpxor ymm1,ymm1,ymm1
  sub rdx,0x4
  jl 0x1d

We crash in the code emitted by 'generate_disjoint_byte_copy' -> 'copy_bytes_forward'.

The system we crash on does not support AVX-512:

CPU: total 8 (initial active 8) (4 cores per cpu, 2 threads per core) family 6 model 85 stepping 4 microcode 0x1, cx8, cmov, fxsr, ht, mmx, 3dnowpref, sse, sse2, sse3, ssse3, sse4.1, sse4.2, popcnt, lzcnt, tsc, avx, avx2, aes, erms, clmul, bmi1, bmi2, rtm, adx, fma, vzeroupper, clflush, hv

But JDK-8252847 also modified non-AVX-512 specific code.
20-10-2020
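
The two observations in the comments above (the crashing load and the cut-off upper half of the source pointer) can be checked mechanically from the register dump. The following is an added triage example, not part of the bug report or of HotSpot; the function names and the 4 KiB WINDOW threshold are assumptions made for illustration.

```python
import re

# Values copied from the hs_err excerpt on this page.
HS_ERR = """\
siginfo: si_signo: 11 (SIGSEGV), si_code: 1 (SEGV_MAPERR), si_addr: 0x0000000006e9bcac
RAX=0x0000000006e9bcf9, RBX=0x0000000706e9bd38, RCX=0x000000000000004d, RDX=0xffffffffffffffff
RSP=0x00007f87f71d1000, RBP=0x00007f87f71d1000, RSI=0x0000000706e9bd88, RDI=0x0000000006e9bcec
"""
MASK64 = (1 << 64) - 1
WINDOW = 0x1000  # assumption: "very similar" means within 4 KiB once repaired


def parse(text):
    """Return ({register: value}, si_addr) from hs_err text."""
    regs = {n: int(v, 16) for n, v in re.findall(r"\b(R[A-Z0-9]{1,2})\s*=0x([0-9a-fA-F]+)", text)}
    si_addr = int(re.search(r"si_addr: 0x([0-9a-fA-F]+)", text).group(1), 16)
    return regs, si_addr


def signed64(value):
    """Interpret a 64-bit register value as a signed integer."""
    return value - (1 << 64) if value >> 63 else value


def fault_address(regs):
    """Effective address of `vmovdqu ymm0,[rdi+rdx*8-0x38]`, the crashing load."""
    return (regs["RDI"] + signed64(regs["RDX"]) * 8 - 0x38) & MASK64


def entry_pointers(regs):
    """Undo the prologue `lea r,[r+rdx*8-0x8]` (rdx = rcx >> 3) to get (src, dst)."""
    adjust = (regs["RCX"] >> 3) * 8 - 8
    return regs["RDI"] - adjust, regs["RSI"] - adjust


def looks_truncated(suspect, reference):
    """True if `suspect` has zero upper 32 bits and borrowing them from
    `reference` yields an address within WINDOW of it."""
    if suspect >> 32 or not reference >> 32:
        return False
    repaired = (reference >> 32 << 32) | suspect
    return abs(repaired - reference) < WINDOW


if __name__ == "__main__":
    regs, si_addr = parse(HS_ERR)
    src, dst = entry_pointers(regs)
    print(f"fault ea={fault_address(regs):#x} si_addr={si_addr:#x}")
    print(f"src={src:#x} dst={dst:#x} truncated={looks_truncated(src, dst)}")
```

The computed effective address equals si_addr, so the fault is the first 32-byte load from the source pointer as it was passed into the stub, and the destination pointer recovered the same way lands 0x10 past the [B oop in RBX.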