JDK-8341195 : VM crashes in HBShaper via Font.layoutGlyphVector() when using Java 23
  • Type: Bug
  • Component: client-libs
  • Sub-Component: 2d
  • Affected Version: 22,23
  • Priority: P4
  • Status: Closed
  • Resolution: Duplicate
  • OS: windows
  • CPU: x86_64
  • Submitted: 2024-09-27
  • Updated: 2024-10-21
  • Resolved: 2024-10-21
Related Reports
Duplicate :  
Description
ADDITIONAL SYSTEM INFORMATION :
Java 23, both Oracle and OpenJDK, on Windows 10 and 11 as well as OpenJDK 23 on macOS 14.
Our Swing-based test application running our proprietary layout engine to create images in multiple threads.

A DESCRIPTION OF THE PROBLEM :
Testing our product, RealObjects PDFreactor, with Java 23, using our local Swing-based test application, we encountered random VM crashes, reporting different kinds of errors. While they happen randomly, it rarely takes more than 5-10 tries to get another one. Each try requires a restart of the Application/VM, as it seems that once the critical line of code has run successfully, the issue won't occur until restarting.
The issue does not occur when there is no or little multi-threading (4 threads works fine, 8 shows the issue and being near the amount of CPU cores shows it quicker), but we could not pinpoint what has to be happening in the other threads. It seems the involvement of BufferedImages, presumably drawing text into them, is relevant, but that is speculation.
The line causing the crash can be found below (Steps to Reproduce). It is the first time that the application creates a GlyphVector for a complex (Hebrew) character and in RTL direction. It may also be the first GlyphVector explicitly created.
We hope the attached error report files, especially the 1st and 4th, help you pinpoint the issue without being able to replicate it first.
While this issue persists, we must recommend our customers to not upgrade to Java 23.

REGRESSION : Last worked in version 22.0.2

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
The line causing the actual error is as follows:
awtFont.layoutGlyphVector(new FontRenderContext(new AffineTransform(), true, true), "\u05d0".toCharArray(), 0, 1, Font.LAYOUT_RIGHT_TO_LEFT | Font.LAYOUT_NO_START_CONTEXT | Font.LAYOUT_NO_LIMIT_CONTEXT);
(awtFont is Tinos regular at a size of 16, but using a random system font still reproduces crashes)
However it does require activity in other threads to happen (see above) and there is always some randomness to it.

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
VM does not crash
ACTUAL -
VM crashes

CUSTOMER SUBMITTED WORKAROUND :
Making the same layoutGlyphVector call, with the first available system font, as early as possible seems to avoid the issue for the rest of the runtime.

FREQUENCY : often
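
The workaround described above, sketched as an added example (not code from the report or from OpenJDK): one RTL glyph-vector layout is performed on the startup thread before any worker threads exist. The class name, the pool size of 8 and the logical SERIF font are assumptions; the report itself only says this "seems to" avoid the crash.

```java
import java.awt.Font;
import java.awt.GraphicsEnvironment;
import java.awt.font.FontRenderContext;
import java.awt.font.GlyphVector;
import java.awt.geom.AffineTransform;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;

// Hypothetical class name; illustrates the submitter's workaround only.
// The comments on this report give -Dsun.font.layout.ffm=false as the
// JDK 23 workaround that needs no code change.
public class GlyphLayoutWarmup {
    // Hebrew alef, the character used in the report
    private static final char[] TEXT = "\u05d0".toCharArray();
    private static final int FLAGS = Font.LAYOUT_RIGHT_TO_LEFT
            | Font.LAYOUT_NO_START_CONTEXT | Font.LAYOUT_NO_LIMIT_CONTEXT;

    // Same call as in the report, with the font passed in
    static GlyphVector layout(Font font) {
        FontRenderContext frc =
                new FontRenderContext(new AffineTransform(), true, true);
        return font.layoutGlyphVector(frc, TEXT, 0, TEXT.length, FLAGS);
    }

    // Run one complex-text layout with the first available system font,
    // on the calling thread, before any other thread touches AWT fonts.
    static void warmUp() {
        Font[] fonts = GraphicsEnvironment
                .getLocalGraphicsEnvironment().getAllFonts();
        Font first = fonts.length > 0
                ? fonts[0].deriveFont(16f)
                : new Font(Font.SERIF, Font.PLAIN, 16);
        layout(first);
    }

    public static void main(String[] args) throws InterruptedException {
        warmUp(); // must happen before the pool is created

        // Assumed workload: 8 threads, the count at which the report
        // says the crash starts to appear.
        ExecutorService pool = Executors.newFixedThreadPool(8);
        Font font = new Font(Font.SERIF, Font.PLAIN, 16);
        for (int i = 0; i < 8; i++) {
            pool.submit(() ->
                    System.out.println(layout(font).getNumGlyphs()));
        }
        pool.shutdown();
        pool.awaitTermination(1, TimeUnit.MINUTES);
    }
}
```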



Comments
"v ~RuntimeStub::nep_invoker_blob 0x000001a8d48d446b"
Looks to me exactly like what is seen in the stack trace attached to https://bugs.openjdk.org/browse/JDK-8337753
Closing as a dup. of that which is fixed in JDK 24 b19
Also as already added in a comment above on 9/29/24 in JDK 23 you can work around this with -Dsun.font.layout.ffm=false
21-10-2024

probable dup. of https://bugs.openjdk.org/browse/JDK-8331735
01-10-2024

Additional information from the submitter:
Unfortunately, I cannot. As mentioned, we have the line at which the crash happens:
awtFont.layoutGlyphVector(new FontRenderContext(new AffineTransform(), true, true), "\u05d0".toCharArray(), 0, 1, Font.LAYOUT_RIGHT_TO_LEFT | Font.LAYOUT_NO_START_CONTEXT | Font.LAYOUT_NO_LIMIT_CONTEXT);
But it also requires activity in another thread that we could not track down, probably something related to AWT fonts, likely text measuring or maybe painting. But those are only educated guesses. We hope that the detailed stack traces in two of the error logs help you pinpoint the issue.
I also have a correction for the report: In addition to Java 23 I was also able to replicate it in Java 22. In Java 21 I was not able to replicate it. So please add version 22 to the affected versions alongside 23.
30-09-2024

The provided logs probably aren't suitable for adding to the bug report in their entirety but in part they are as below.
They are different than each other so I am not sure but we have at least one known bug that causes crashes in this code (https://bugs.openjdk.org/browse/JDK-8331735) so my best guess is a dup. of that.
Once there's a fix for that the submitter should try the appropriate JDK 24 build.
In the meantime a simple workaround is to run with -Dsun.font.layout.ffm=false

#
# A fatal error has been detected by the Java Runtime Environment:
#
# Internal Error (sharedRuntime.cpp:1423), pid=1104, tid=21964
# guarantee(callee != nullptr && callee->is_method()) failed: bad handshake
#

--------------- S U M M A R Y ------------

Command Line: -Xmx10g -Dfile.encoding=UTF-8 -XX:+ShowCodeDetailsInExceptionMessages com.realobjects....

Host: 11th Gen Intel(R) Core(TM) i7-11800H @ 2.30GHz, 16 cores, 15G, Windows 10 , 64 bit Build 19041 (10.0.19041.4842)
Time: Thu Sep 26 17:16:32 2024 W. Europe Daylight Time elapsed time: 5.752195 seconds (0d 0h 0m 5s)

--------------- T H R E A D ---------------

Current thread (0x000001a8f16f8740): JavaThread "RealObjects Test Executor" [_thread_in_Java, id=21964, stack(0x00000014d4a00000,0x00000014d4b00000) (1024K)]

Stack: [0x00000014d4a00000,0x00000014d4b00000]
Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
V [jvm.dll+0x6e08a9] (no source info available)
V [jvm.dll+0x87da63] (no source info available)
V [jvm.dll+0x87feee] (no source info available)
V [jvm.dll+0x880577] (no source info available)
V [jvm.dll+0x27ae67] (no source info available)
V [jvm.dll+0x750968] (no source info available)
C 0x000001a8d45376d4 (no source info available)

The last pc belongs to wrong_method_stub (printed below).
Java frames: (J=compiled Java code, j=interpreted, Vv=VM code)
v ~RuntimeStub::wrong_method_stub 0x000001a8d45376d4
v blob 0x000001a8d47b66f3
v ~RuntimeStub::nep_invoker_blob 0x000001a8d48d446b
j java.lang.invoke.LambdaForm$MH+0x000001a88174d000.invoke(Ljava/lang/Object;JFJJJIIIIIFFIIJJ)V+45 java.base@23
j java.lang.invoke.LambdaForm$MH+0x000001a8816ff000.invokeExact_MT(Ljava/lang/Object;JFJJJIIIIIFFIIJJLjava/lang/Object;)V+49 java.base@23
j jdk.internal.foreign.abi.DowncallStub+0x000001a8816c8400.invoke(Ljava/lang/foreign/SegmentAllocator;Ljava/lang/foreign/MemorySegment;FLjava/lang/foreign/MemorySegment;Ljava/lang/foreign/MemorySegment;Ljava/lang/foreign/MemorySegment;IIIIIFFIILjava/lang/foreign/MemorySegment;Ljava/lang/foreign/MemorySegment;)V+369 java.base@23
j java.lang.invoke.LambdaForm$DMH+0x000001a8816c8800.invokeStatic(Ljava/lang/Object;Ljava/lang/Object;Ljava/lang/Object;FLjava/lang/Object;Ljava/lang/Object;Ljava/lang/Object;IIIIIFFIILjava/lang/Object;Ljava/lang/Object;)V+42 java.base@23
j java.lang.invoke.LambdaForm$MH+0x000001a88174e400.invoke(Ljava/lang/Object;FLjava/lang/Object;Ljava/lang/Object;Ljava/lang/Object;IIIIIFFIILjava/lang/Object;Ljava/lang/Object;)V+82 java.base@23
j java.lang.invoke.LambdaForm$MH+0x000001a8816fa800.invokeExact_MT(Ljava/lang/Object;FLjava/lang/Object;Ljava/lang/Object;Ljava/lang/Object;IIIIIFFIILjava/lang/Object;Ljava/lang/Object;Ljava/lang/Object;)V+46 java.base@23
j sun.font.HBShaper.lambda$shape$0(Ljava/awt/geom/Point2D$Float;[F[CFLjava/lang/foreign/MemorySegment;IIIIII)V+79 java.desktop@23
j sun.font.HBShaper$$Lambda+0x000001a88168d048.run()V+44 java.desktop@23
j jdk.internal.vm.ScopedValueContainer.runWithoutScope(Ljava/lang/Runnable;)V+21 java.base@23
j jdk.internal.vm.ScopedValueContainer.run(Ljava/lang/Runnable;)V+7 java.base@23
j java.lang.ScopedValue$Carrier.runWith(Ljava/lang/ScopedValue$Snapshot;Ljava/lang/Runnable;)V+9 java.base@23
j java.lang.ScopedValue$Carrier.run(Ljava/lang/Runnable;)V+29 java.base@23
j sun.font.HBShaper.shape(Lsun/font/Font2D;Lsun/font/FontStrike;F[FLjava/lang/foreign/MemorySegment;[CLsun/font/GlyphLayout$GVData;IIIILjava/awt/geom/Point2D$Float;II)V+48 java.desktop@23

==================================

#
# A fatal error has been detected by the Java Runtime Environment:
#
# EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x0000000000000020, pid=12780, tid=25288
#
# JRE version: Java(TM) SE Runtime Environment (23.0+37) (build 23+37-2369)
# Java VM: Java HotSpot(TM) 64-Bit Server VM (23+37-2369, mixed mode, sharing, tiered, compressed oops, compressed class ptrs, g1 gc, windows-amd64)
# Problematic frame:
# v blob 0x00000206d5fefc73

--------------- S U M M A R Y ------------

Command Line: -Xmx10g -Dfile.encoding=UTF-8 -XX:+ShowCodeDetailsInExceptionMessages com.realobjects....

Host: 11th Gen Intel(R) Core(TM) i7-11800H @ 2.30GHz, 16 cores, 15G, Windows 10 , 64 bit Build 19041 (10.0.19041.4842)
Time: Thu Sep 26 16:58:19 2024 W. Europe Daylight Time elapsed time: 5.932060 seconds (0d 0h 0m 5s)

--------------- T H R E A D ---------------

Current thread (0x00000206c2686640): JavaThread "RealObjects Test Executor" [_thread_in_Java, id=25288, stack(0x00000037b8600000,0x00000037b8700000) (1024K)]

Stack: [0x00000037b8600000,0x00000037b8700000], sp=0x00000037b86fa790, free space=1001k
Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
C 0x0000000000000020 (no source info available)

siginfo: EXCEPTION_ACCESS_VIOLATION (0xc0000005), data execution prevention violation at address 0x0000000000000020

Registers:
RAX=0x00000206c2686640, RBX=0x00000206f14e7f18, RCX=0x000000006b65726e, RDX=0x0000000587a6af90
RSP=0x00000037b86fa788, RBP=0x00000037b86faab0, RSI=0x0000000000000000, RDI=0x00000206f9f76cf8
R8 =0x000000006b65726e, R9 =0x00000037b86fab18, R10=0x00000206f7ee883c, R11=0x00000037b86fa728
R12=0x0000000000000000, R13=0x00000206f90351b0, R14=0x0000000000000000, R15=0x00000206c2686640
RIP=0x0000000000000020, EFLAGS=0x0000000000010297

Register to memory mapping:
RAX=0x00000206c2686640 is a thread
RBX=0x00000206f14e7f18 is pointing into metadata
RCX=0x000000006b65726e is an unknown value
RDX=0x0000000587a6af90 is an oop: java.lang.invoke.BoundMethodHandle$Species_LL
{0x0000000587a6af90} - klass: 'java/lang/invoke/BoundMethodHandle$Species_LL'
 - ---- fields (total size 5 words):
 - private 'customizationCount' 'B' @12 0 (0x00)
 - private volatile 'updateInProgress' 'Z' @13 false (0x00)
 - private final 'type' 'Ljava/lang/invoke/MethodType;' @16 a 'java/lang/invoke/MethodType'{0x0000000588b0b4f0} = (IJ)I (0xb116169e)
 - final 'form' 'Ljava/lang/invoke/LambdaForm;' @20 a 'java/lang/invoke/LambdaForm'{0x0000000588b0b428} => a 'java/lang/invoke/MemberName'{0x0000000588b0d1c8} = {method} {0x00000206f14e8720} 'invoke' '(Ljava/lang/Object;IJ)I' in 'java/lang/invoke/LambdaForm$MH+0x00000206816ae400' (0xb1161685)
 - private 'asTypeCache' 'Ljava/lang/invoke/MethodHandle;' @24 null (0x00000000)
 - private 'asTypeSoftCache' 'Ljava/lang/ref/SoftReference;' @28 null (0x00000000)
 - final 'argL0' 'Ljava/lang/Object;' @32 a 'java/lang/invoke/MethodType'{0x0000000588b0b4f0} = (IJ)I (0xb116169e)
 - final 'argL1' 'Ljava/lang/Object;' @36 a 'java/lang/invoke/BoundMethodHandle$Species_LL'{0x0000000587e00578} (0xb0fc00af)
RSP=0x00000037b86fa788 is pointing into the stack for thread: 0x00000206c2686640
RBP=0x00000037b86faab0 is pointing into the stack for thread: 0x00000206c2686640
RSI=0x0 is null
RDI=0x00000206f9f76cf8 points into unknown readable memory: 0x0000000000000000 | 00 00 00 00 00 00 00 00
R8 =0x000000006b65726e is an unknown value
R9 =0x00000037b86fab18 is pointing into the stack for thread: 0x00000206c2686640
R10=0x00000206f7ee883c points into unknown readable memory: 6b 61 72 74
R11=0x00000037b86fa728 is pointing into the stack for thread: 0x00000206c2686640
R12=0x0 is null
R13=0x00000206f90351b0 points into unknown readable memory: 0x000000016b65726e | 6e 72 65 6b 01 00 00 00
R14=0x0 is null
R15=0x00000206c2686640 is a thread

=========

#
# A fatal error has been detected by the Java Runtime Environment:
#
# Internal Error (upcallLinker.cpp:146), pid=9632, tid=25756
# Error: ShouldNotReachHere()
#

--------------- S U M M A R Y ------------

Command Line: -Xmx10g -Dfile.encoding=UTF-8 -XX:+ShowCodeDetailsInExceptionMessages com.realobjects....

Host: 11th Gen Intel(R) Core(TM) i7-11800H @ 2.30GHz, 16 cores, 15G, Windows 10 , 64 bit Build 19041 (10.0.19041.4842)
Time: Thu Sep 26 16:40:57 2024 W. Europe Daylight Time elapsed time: 6.462366 seconds (0d 0h 0m 6s)

--------------- T H R E A D ---------------

Current thread (0x000001cb4a6d8510): JavaThread "RealObjects Test Executor" [_thread_in_Java, id=25756, stack(0x0000003a14b00000,0x0000003a14c00000) (1024K)]

Stack: [0x0000003a14b00000,0x0000003a14c00000]
Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
V [jvm.dll+0x6e08a9] (no source info available)
V [jvm.dll+0x87da63] (no source info available)
V [jvm.dll+0x87feee] (no source info available)
V [jvm.dll+0x880577] (no source info available)
V [jvm.dll+0x27ae67] (no source info available)
V [jvm.dll+0x27ae8c] (no source info available)
V [jvm.dll+0x27ade0] (no source info available)
V [jvm.dll+0x84bcbf] (no source info available)
C 0x000001cb6701a6f3 (no source info available)

The last pc belongs to upcall stub exception handler (printed below).
Lock stack of current Java thread (top to bottom):

StubRoutines::upcall stub exception handler [0x000001cb6701a6d9, 0x000001cb6701a70e] (53 bytes)
[MachCode]
0x000001cb6701a6d9: c5f8 7748 | 8bc8 4883 | e4f0 4883 | ec20 48b8 | 80bc 7850 | f97f 0000 | ffd0 48b9 | 40d5 9050
0x000001cb6701a6f9: f97f 0000 | 4883 e4f0 | 48b8 604a | 5750 f97f | 0000 ffd0 |
[/MachCode]

======

#
# A fatal error has been detected by the Java Runtime Environment:
#
# SIGBUS (0xa) at pc=0x0000000000000001, pid=32472, tid=128787
#
# JRE version: OpenJDK Runtime Environment (23.0+37) (build 23+37-2369)
# Java VM: OpenJDK 64-Bit Server VM (23+37-2369, mixed mode, sharing, tiered, compressed oops, compressed class ptrs, g1 gc, bsd-aarch64)
# Problematic frame:
# C 0x0000000000000001
#

--------------- S U M M A R Y ------------

Command Line: -Dfile.encoding=UTF-8 -Dstdout.encoding=UTF-8 -Dstderr.encoding=UTF-8 -XX:+ShowCodeDetailsInExceptionMessages com.realobjects....

Host: "Mac14,2" arm64, 8 cores, 16G, Darwin 23.6.0, macOS 14.6.1 (23G93)
Time: Fri Sep 27 15:31:39 2024 CEST elapsed time: 4.582964 seconds (0d 0h 0m 4s)

--------------- T H R E A D ---------------

Current thread (0x000000034a123200): JavaThread "RealObjects Test Executor" [_thread_in_Java, id=128787, stack(0x000000037bf28000,0x000000037c12b000) (2060K)]

Stack: [0x000000037bf28000,0x000000037c12b000], sp=0x000000037c126240, free space=2040k
Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
C 0x0000000000000001
C [libfontmanager.dylib+0x403d4] reference_table(hb_face_t*, unsigned int, void*)+0x20
C [libfontmanager.dylib+0x348c8] hb_face_reference_table+0x1c
C [libfontmanager.dylib+0x95cd4] hb_blob_t* hb_data_wrapper_t<hb_face_t, 23u>::call_create<hb_blob_t, hb_table_lazy_loader_t<OT::kern, 23u, true>>() const+0x44
C [libfontmanager.dylib+0x688c0] hb_ot_layout_has_kerning(hb_face_t*)+0x2c
C [libfontmanager.dylib+0xad0c0] hb_ot_shape_planner_t::compile(hb_ot_shape_plan_t&, hb_ot_shape_plan_key_t const&)+0x528
C [libfontmanager.dylib+0xad624] hb_ot_shape_plan_t::init0(hb_face_t*, hb_shape_plan_key_t const*)+0x3bc
C [libfontmanager.dylib+0xd0a30] hb_shape_plan_create2+0xbc
C [libfontmanager.dylib+0xd104c] hb_shape_plan_create_cached2+0x1cc
C [libfontmanager.dylib+0xd1334] hb_shape_full+0x84
C [libfontmanager.dylib+0x3c78] jdk_hb_shape+0x23c
v ~RuntimeStub::nep_invoker_blob 0x00000001145488f8
J 9668 c1 jdk.internal.foreign.abi.DowncallStub+0x0000018001654000.invoke(Ljava/lang/foreign/SegmentAllocator;Ljava/lang/foreign/MemorySegment;FLjava/lang/foreign/MemorySegment;Ljava/lang/foreign/MemorySegment;Ljava/lang/foreign/MemorySegment;IIIIIFFIILjava/lang/foreign/MemorySegment;Ljava/lang/foreign/MemorySegment;)V java.base@23 (514 bytes) @ 0x000000010da98a54 [0x000000010da96c80+0x0000000000001dd4]
J 9661 c1 sun.font.HBShaper.lambda$shape$0(Ljava/awt/geom/Point2D$Float;[F[CFLjava/lang/foreign/MemorySegment;IIIIII)V java.desktop@23 (132 bytes) @ 0x000000010da9280c [0x000000010da8c5c0+0x000000000000624c]
J 9472 c1 sun.font.HBShaper$$Lambda+0x00000180016c5438.run()V java.desktop@23 (48 bytes) @ 0x000000010da71b54 [0x000000010da71a40+0x0000000000000114]
J 9660 c1 jdk.internal.vm.ScopedValueContainer.runWithoutScope(Ljava/lang/Runnable;)V java.base@23 (105 bytes) @ 0x000000010d7a1ff0 [0x000000010d7a1ec0+0x0000000000000130]
J 9469 c1 java.lang.ScopedValue$Carrier.run(Ljava/lang/Runnable;)V java.base@23 (33 bytes) @ 0x000000010da70264 [0x000000010da6fd00+0x0000000000000564]
J 9655 c1 sun.font.HBShaper.shape(Lsun/font/Font2D;Lsun/font/FontStrike;F[FLjava/lang/foreign/MemorySegment;[CLsun/font/GlyphLayout$GVData;IIIILjava/awt/geom/Point2D$Float;II)V java.desktop@23 (52 bytes) @ 0x000000010d4e5978 [0x000000010d4e52c0+0x00000000000006b8]
J 7991 c1 sun.font.SunLayoutEngine.layout(Lsun/font/FontStrikeDesc;[FFIILsun/font/TextRecord;ILjava/awt/geom/Point2D$Float;Lsun/font/GlyphLayout$GVData;)V java.desktop@23 (141 bytes) @ 0x000000010d81a800 [0x000000010d81a4c0+0x0000000000000340]
J 9465 c1 sun.font.GlyphLayout$EngineRecord.layout()V java.desktop@23 (108 bytes) @ 0x000000010da6ecac [0x000000010da6eb40+0x000000000000016c]
J 9453 c1 sun.font.GlyphLayout.layout(Ljava/awt/Font;Ljava/awt/font/FontRenderContext;[CIIILsun/font/StandardGlyphVector;)Lsun/font/StandardGlyphVector; java.desktop@23 (683 bytes) @ 0x000000010da5faf8 [0x000000010da5dd80+0x0000000000001d78]
j java.awt.Font.layoutGlyphVector(Ljava/awt/font/FontRenderContext;[CIII)Ljava/awt/font/GlyphVector;+19 java.desktop@23

======
29-09-2024

Requested a simple reproducer from the submitter.
29-09-2024