Running JDK tests with Address Sanitizer detected the following:

==3159906==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7f11abe7cb88 at pc 0x7f11dfabedbb bp 0x7f11abe7b3e0 sp 0x7f11abe7ab58
READ of size 22 at 0x7f11abe7cb88 thread T3 (G1 Main Marker)
    #0 0x7f11dfabedba (/lib/x86_64-linux-gnu/libasan.so.5+0x9cdba)
    #1 0x7f11dfac2255 in __vsnprintf_chk (/lib/x86_64-linux-gnu/libasan.so.5+0xa0255)
    #2 0x7f11d9f224f7 in vsnprintf /usr/include/x86_64-linux-gnu/bits/stdio2.h:80
    #3 0x7f11d9f224f7 in os::vsnprintf(char*, unsigned long, char const*, __va_list_tag*) /home/jb/work/jbr-dev/src/hotspot/os/posix/os_posix.cpp:386
    #4 0x7f11d96f7a0d in LogTagSet::vwrite(LogLevel::type, char const*, __va_list_tag*) /home/jb/work/jbr-dev/src/hotspot/share/logging/logTagSet.cpp:121
    #5 0x7f11d8098b21 in LogImpl<(LogTag::type)45, (LogTag::type)0, (LogTag::type)0, (LogTag::type)0, (LogTag::type)0, (LogTag::type)0>::vwrite(LogLevel::type, char const*, __va_list_ta
    #6 0x7f11d8098b21 in void LogImpl<(LogTag::type)45, (LogTag::type)0, (LogTag::type)0, (LogTag::type)0, (LogTag::type)0, (LogTag::type)0>::write<(LogLevel::type)3>(char const*, ...)
    #7 0x7f11d832961b in G1ConcurrentMarkThread::run_service() /home/jb/work/jbr-dev/src/hotspot/share/gc/g1/g1ConcurrentMarkThread.cpp:143
    #8 0x7f11d7cb5eb8 in ConcurrentGCThread::run() /home/jb/work/jbr-dev/src/hotspot/share/gc/shared/concurrentGCThread.cpp:51
    #9 0x7f11dacea5bf in Thread::call_run() /home/jb/work/jbr-dev/src/hotspot/share/runtime/thread.cpp:408
    #10 0x7f11d9f0921c in thread_native_entry /home/jb/work/jbr-dev/src/hotspot/os/linux/os_linux.cpp:714
    #11 0x7f11df7d6608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
    #12 0x7f11df923292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)

Address 0x7f11abe7cb88 is located in stack of thread T3 (G1 Main Marker) at offset 184 in frame
    #0 0x7f11d832928f in G1ConcurrentMarkThread::run_service() /home/jb/work/jbr-dev/src/hotspot/share/gc/g1/g1ConcurrentMarkThread.cpp:135

  This frame has 4 object(s):
    [48, 64) 'gc_id_mark' (line 141)
    [80, 96) 'sts_join' (line 336)
    [112, 144) 'tt' (line 142)
    [176, 312) '<unknown>' <== Memory access at offset 184 is inside this variable

The bug is in G1ConcurrentMarkThread::run_service() (src/hotspot/share/gc/g1/g1ConcurrentMarkThread.cpp):

    GCTraceConcTime(Info, gc) tt(FormatBuffer<128>("Concurrent %s Cycle",...

The variable tt holds a pointer to a data member of the FormatBuffer<128> temporary and uses it in its destructor, after the temporary has already been destroyed. The temporary only lives until the end of the full-expression that constructs tt, whereas tt itself lives until the end of the enclosing scope, so the destructor's read lands in the dead temporary's stack slot (the '<unknown>' object at offset 176 in the report above).
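The lifetime mismatch described above, as an added example that is not code from the JDK or from this bug report. TempFormatBuffer, DanglingTracer and OwningTracer are constructed stand-ins for FormatBuffer<128> and GCTraceConcTime; the example shows the reported pattern (a tracer that keeps only a pointer into a temporary) beside two ways to make the pointee outlive the tracer: copying the text into the tracer, or naming the buffer so it is destroyed after the tracer.

```cpp
#include <cstdio>
#include <cstring>
#include <string>

// Constructed stand-in for HotSpot's FormatBuffer<N>: the formatted text lives
// in a fixed array inside the object, so a temporary of this type takes its
// buffer with it when the full-expression that created it ends.
template <size_t N>
class TempFormatBuffer {
 public:
  TempFormatBuffer(const char* fmt, const char* arg) {
    std::snprintf(_buf, N, fmt, arg);
  }
  const char* buffer() const { return _buf; }
 private:
  char _buf[N];
};

// Hypothetical tracer mirroring the reported pattern: it stores the caller's
// pointer and dereferences it in the destructor, so it is only correct if the
// pointee outlives the tracer.
class DanglingTracer {
 public:
  explicit DanglingTracer(const char* title) : _title(title) {}
  // With a pointer into a dead temporary this read is the stack-use-after-scope
  // that AddressSanitizer reports.
  ~DanglingTracer() { std::printf("end: %s\n", _title); }
 private:
  const char* _title;
};

// Hardened variant: copy the text at construction time, so the tracer no
// longer depends on the argument's lifetime at all.
class OwningTracer {
 public:
  explicit OwningTracer(const char* title) {
    std::snprintf(_title, sizeof(_title), "%s", title);
  }
  ~OwningTracer() { std::printf("end: %s\n", _title); }
  const char* title() const { return _title; }
 private:
  char _title[128];
};

// Fix 1: the tracer owns a copy. The temporary dies at the ';' of the
// declaration, and the title is still intact afterwards.
std::string owning_title_after_temporary_died() {
  OwningTracer tt(TempFormatBuffer<128>("Concurrent %s Cycle", "Mark").buffer());
  return tt.title();  // read after the temporary is gone; safe because tt copied it
}

// Fix 2: keep the pointer-holding tracer but give the buffer a name in the
// enclosing scope. Locals are destroyed in reverse order of construction, so
// 'title' is still alive when tt's destructor runs.
std::string named_buffer_outlives_tracer() {
  TempFormatBuffer<128> title("Concurrent %s Cycle", "Mark");
  DanglingTracer tt(title.buffer());
  return title.buffer();
}

int main() {
  // Reproduces the reported pattern. Build with -fsanitize=address to see the
  // stack-use-after-scope report fire when tt's destructor runs at the end of
  // this block.
  {
    DanglingTracer tt(TempFormatBuffer<128>("Concurrent %s Cycle", "Mark").buffer());
  }
  std::printf("%s\n", owning_title_after_temporary_died().c_str());
  std::printf("%s\n", named_buffer_outlives_tracer().c_str());
  return 0;
}
```

Either fix removes the dependency on the temporary's storage; the copying variant is the more robust one, because it does not rely on callers remembering to name the buffer.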