JDK11 Segmentation error vmState=0x0005ff09 #15363

connglli · 2022-06-20T12:35:11Z

Java -version output

openjdk version "11.0.16-internal" 2022-07-19
OpenJDK Runtime Environment (build 11.0.16-internal+0-adhoc..openj9-openjdk-jdk11)
Eclipse OpenJ9 VM (build master-4ca209b54, JRE 11 Linux amd64-64-Bit Compressed References 20220615_000000 (JIT enabled, AOT enabled)
OpenJ9   - 4ca209b54
OMR      - 26b89f9f9
JCL      - 231dcc9eeb based on jdk-11.0.16+6)

Summary of problem

The following Test.java, which is reduced by us, crashes OpenJ9's JIT compiler

class Test {
  int N;
  long instanceCount;

  void vMeth(int i2, double d2) {
    int i10;
    for (i10 = 1; i10 < 6; )
      try {
        int[] ax$0 = {1, 3};
        for (int ax$1 = 4; ; ax$1++) i10 += ax$0[ax$1 - Integer.MIN_VALUE];
      } catch (Throwable ax$4) {
      } finally {
      }
  }

  long lMeth(double d1, int i1, long l1) {
    float fArr[] = new float[N];
    vMeth(i1, d1);
    long meth_res = Double.doubleToLongBits(FuzzerUtils.checkSum(fArr));
    return meth_res;
  }

  void vSmallMeth(int i, long l) {
    double d = 1.92934;
    d += lMeth(2.5332, i, instanceCount);
  }

  void mainTest(String[] strArr1) {
    int i22 = 22025;
    vSmallMeth(i22, instanceCount);
  }

  public static void main(String[] strArr) {
    Test _instance = new Test();
    _instance.mainTest(strArr);
  }

  public static double checkSum(float[] a) {
    double sum = 0;
    for (int j = 0; j < a.length; j++) {
      sum += (a[j] / (j + 1) + a[j] % (j + 1));
    }
    return sum;
  }
}

Diagnostic files

By issuing

$ java -Xmx1G -Xshareclasses:none Test

the following crash log is given:

#0: /zdata/congli/OpenJ9/jdk11/lib/default/libj9jit29.so(+0x8bfda5) [0x7fe7d7c69da5]
#1: /zdata/congli/OpenJ9/jdk11/lib/default/libj9jit29.so(+0x8cb090) [0x7fe7d7c75090]
#2: /zdata/congli/OpenJ9/jdk11/lib/default/libj9jit29.so(+0x139579) [0x7fe7d74e3579]
#3: /zdata/congli/OpenJ9/jdk11/lib/default/libj9prt29.so(+0x2911a) [0x7fe7dd61911a]
#4: /lib/x86_64-linux-gnu/libpthread.so.0(+0x14420) [0x7fe7dda9f420]
#5: /zdata/congli/OpenJ9/jdk11/lib/default/libj9jit29.so(+0x5171fc) [0x7fe7d78c11fc]
#6: /zdata/congli/OpenJ9/jdk11/lib/default/libj9jit29.so(+0x93d0c2) [0x7fe7d7ce70c2]
#7: /zdata/congli/OpenJ9/jdk11/lib/default/libj9jit29.so(+0x941ed9) [0x7fe7d7cebed9]
#8: /zdata/congli/OpenJ9/jdk11/lib/default/libj9jit29.so(+0x9621d4) [0x7fe7d7d0c1d4]
#9: /zdata/congli/OpenJ9/jdk11/lib/default/libj9jit29.so(+0x925935) [0x7fe7d7ccf935]
#10: /zdata/congli/OpenJ9/jdk11/lib/default/libj9jit29.so(+0x95a571) [0x7fe7d7d04571]
#11: /zdata/congli/OpenJ9/jdk11/lib/default/libj9jit29.so(+0x514c7a) [0x7fe7d78bec7a]
#12: /zdata/congli/OpenJ9/jdk11/lib/default/libj9jit29.so(+0x516409) [0x7fe7d78c0409]
#13: /zdata/congli/OpenJ9/jdk11/lib/default/libj9jit29.so(+0x513053) [0x7fe7d78bd053]
#14: /zdata/congli/OpenJ9/jdk11/lib/default/libj9jit29.so(+0x540529) [0x7fe7d78ea529]
#15: /zdata/congli/OpenJ9/jdk11/lib/default/libj9jit29.so(+0x14d7ef) [0x7fe7d74f77ef]
#16: /zdata/congli/OpenJ9/jdk11/lib/default/libj9jit29.so(+0x14e834) [0x7fe7d74f8834]
#17: /zdata/congli/OpenJ9/jdk11/lib/default/libj9prt29.so(+0x29c53) [0x7fe7dd619c53]
#18: /zdata/congli/OpenJ9/jdk11/lib/default/libj9jit29.so(+0x14bf79) [0x7fe7d74f5f79]
#19: /zdata/congli/OpenJ9/jdk11/lib/default/libj9jit29.so(+0x14c5c0) [0x7fe7d74f65c0]
#20: /zdata/congli/OpenJ9/jdk11/lib/default/libj9jit29.so(+0x14b0e3) [0x7fe7d74f50e3]
#21: /zdata/congli/OpenJ9/jdk11/lib/default/libj9jit29.so(+0x14b5c2) [0x7fe7d74f55c2]
#22: /zdata/congli/OpenJ9/jdk11/lib/default/libj9jit29.so(+0x14b672) [0x7fe7d74f5672]
#23: /zdata/congli/OpenJ9/jdk11/lib/default/libj9prt29.so(+0x29c53) [0x7fe7dd619c53]
#24: /zdata/congli/OpenJ9/jdk11/lib/default/libj9jit29.so(+0x14bab2) [0x7fe7d74f5ab2]
#25: /zdata/congli/OpenJ9/jdk11/lib/default/libj9thr29.so(+0xf2b2) [0x7fe7dd7db2b2]
#26: /lib/x86_64-linux-gnu/libpthread.so.0(+0x8609) [0x7fe7dda93609]
#27: /lib/x86_64-linux-gnu/libc.so.6(clone+0x43) [0x7fe7ddbef133]
Unhandled exception
Type=Segmentation error vmState=0x0005ff09
J9Generic_Signal_Number=00000018 Signal_Number=0000000b Error_Value=00000000 Signal_Code=00000001
Handler1=00007FE7DD82FFD0 Handler2=00007FE7DD618EF0 InaccessibleAddress=0000000000000030
RDI=00007FE7A67DA470 RSI=0000000000000000 RAX=00007FE7D7FC5D10 RBX=0000000000000000
RCX=0000000000000001 RDX=0000000000000000 R8=0000000000000000 R9=0000000000000002
R10=00000000000000F8 R11=0000000000000001 R12=00007FE7A669ECB0 R13=00007FE7A67DA430
R14=0000000200000020 R15=0000000000000222
RIP=00007FE7D78C11FC GS=0000 FS=0000 RSP=00007FE7BC52B7C0
EFlags=0000000000010206 CS=0033 RBP=00007FE7A67DA470 ERR=0000000000000004
TRAPNO=000000000000000E OLDMASK=0000000000000000 CR2=0000000000000030
xmm0 0000000000000000 (f: 0.000000, d: 0.000000e+00)
xmm1 00007fe7a6825c90 (f: 2793561344.000000, d: 6.948189e-310)
xmm2 00007fe7a68221d0 (f: 2793546240.000000, d: 6.948189e-310)
xmm3 00007fe7a68211b0 (f: 2793542144.000000, d: 6.948189e-310)
xmm4 00007fe7a66a2520 (f: 2791974144.000000, d: 6.948189e-310)
xmm5 00007fe7a681cdb0 (f: 2793524736.000000, d: 6.948189e-310)
xmm6 00007fe7a681f290 (f: 2793534208.000000, d: 6.948189e-310)
xmm7 00007fe7a6820460 (f: 2793538560.000000, d: 6.948189e-310)
xmm8 00007fe7a68284d0 (f: 2793571584.000000, d: 6.948189e-310)
xmm9 0000000000000000 (f: 0.000000, d: 0.000000e+00)
xmm10 0000000000000000 (f: 0.000000, d: 0.000000e+00)
xmm11 0000000000000000 (f: 0.000000, d: 0.000000e+00)
xmm12 0000000000000000 (f: 0.000000, d: 0.000000e+00)
xmm13 0000000000000000 (f: 0.000000, d: 0.000000e+00)
xmm14 0000000000000000 (f: 0.000000, d: 0.000000e+00)
xmm15 0000000000000000 (f: 0.000000, d: 0.000000e+00)
Module=/zdata/congli/OpenJ9/jdk11/lib/default/libj9jit29.so
Module_base_address=00007FE7D73AA000

Method_being_compiled=Test.vMeth(ID)V
Target=2_90_20220615_000000 (Linux 5.4.0-120-generic)
CPU=amd64 (8 logical CPUs) (0x3e45ba000 RAM)
----------- Stack Backtrace -----------
_ZN3OMR11Instruction11useRegisterEPN2TR8RegisterE+0xc (0x00007FE7D78C11FC [libj9jit29.so+0x5171fc])
_ZN2TR27AMD64RegImm64SymInstructionC1EPNS_11InstructionEN3OMR10InstOpCode8MnemonicEPNS_8RegisterEmPNS_15SymbolReferenceEPNS_13CodeGeneratorE+0x82 (0x00007FE7D7CE70C2 [libj9jit29.so+0x93d0c2])
_Z30generateRegImm64SymInstructionPN2TR11InstructionEN3OMR10InstOpCode8MnemonicEPNS_8RegisterEmPNS_15SymbolReferenceEPNS_13CodeGeneratorE+0x59 (0x00007FE7D7CEBED9 [libj9jit29.so+0x941ed9])
_ZN3OMR3X865AMD6415MemoryReference22generateBinaryEncodingEPhPN2TR11InstructionEPNS4_13CodeGeneratorE+0x314 (0x00007FE7D7D0C1D4 [libj9jit29.so+0x9621d4])
_ZN3OMR3X8611Instruction22generateBinaryEncodingEv+0x95 (0x00007FE7D7CCF935 [libj9jit29.so+0x925935])
_ZN3OMR3X8613CodeGenerator16doBinaryEncodingEv+0x881 (0x00007FE7D7D04571 [libj9jit29.so+0x95a571])
_ZN3OMR12CodeGenPhase26performBinaryEncodingPhaseEPN2TR13CodeGeneratorEPNS1_12CodeGenPhaseE+0x8a (0x00007FE7D78BEC7A [libj9jit29.so+0x514c7a])
_ZN3OMR12CodeGenPhase10performAllEv+0xc9 (0x00007FE7D78C0409 [libj9jit29.so+0x516409])
_ZN3OMR13CodeGenerator12generateCodeEv+0x63 (0x00007FE7D78BD053 [libj9jit29.so+0x513053])
_ZN3OMR11Compilation7compileEv+0xa29 (0x00007FE7D78EA529 [libj9jit29.so+0x540529])
_ZN2TR28CompilationInfoPerThreadBase7compileEP10J9VMThreadPNS_11CompilationEP17TR_ResolvedMethodR11TR_J9VMBaseP19TR_OptimizationPlanRKNS_16SegmentAllocatorE+0x4bf (0x00007FE7D74F77EF [libj9jit29.so+0x14d7ef])
_ZN2TR28CompilationInfoPerThreadBase14wrappedCompileEP13J9PortLibraryPv+0x314 (0x00007FE7D74F8834 [libj9jit29.so+0x14e834])
omrsig_protect+0x1e3 (0x00007FE7DD619C53 [libj9prt29.so+0x29c53])
_ZN2TR28CompilationInfoPerThreadBase7compileEP10J9VMThreadP21TR_MethodToBeCompiledRN2J917J9SegmentProviderE+0x309 (0x00007FE7D74F5F79 [libj9jit29.so+0x14bf79])
_ZN2TR24CompilationInfoPerThread12processEntryER21TR_MethodToBeCompiledRN2J917J9SegmentProviderE+0x1c0 (0x00007FE7D74F65C0 [libj9jit29.so+0x14c5c0])
_ZN2TR24CompilationInfoPerThread14processEntriesEv+0x3b3 (0x00007FE7D74F50E3 [libj9jit29.so+0x14b0e3])
_ZN2TR24CompilationInfoPerThread3runEv+0x42 (0x00007FE7D74F55C2 [libj9jit29.so+0x14b5c2])
_Z30protectedCompilationThreadProcP13J9PortLibraryPN2TR24CompilationInfoPerThreadE+0x82 (0x00007FE7D74F5672 [libj9jit29.so+0x14b672])
omrsig_protect+0x1e3 (0x00007FE7DD619C53 [libj9prt29.so+0x29c53])
_Z21compilationThreadProcPv+0x1d2 (0x00007FE7D74F5AB2 [libj9jit29.so+0x14bab2])
thread_wrapper+0x162 (0x00007FE7DD7DB2B2 [libj9thr29.so+0xf2b2])
start_thread+0xd9 (0x00007FE7DDA93609 [libpthread.so.0+0x8609])
clone+0x43 (0x00007FE7DDBEF133 [libc.so.6+0x11f133])
---------------------------------------
JVMDUMP039I Processing dump event "gpf", detail "" at 2022/06/20 14:29:41 - please wait.
JVMDUMP032I JVM requested System dump using '/zdata/congli/ax-exp/ax-eval/2-ax-only/81.openj9/mutant/red/core.20220620.142941.2694175.0001.dmp' in response to an event
JVMDUMP010I System dump written to /zdata/congli/ax-exp/ax-eval/2-ax-only/81.openj9/mutant/red/core.20220620.142941.2694175.0001.dmp
JVMDUMP032I JVM requested Java dump using '/zdata/congli/ax-exp/ax-eval/2-ax-only/81.openj9/mutant/red/javacore.20220620.142941.2694175.0002.txt' in response to an event
JVMDUMP010I Java dump written to /zdata/congli/ax-exp/ax-eval/2-ax-only/81.openj9/mutant/red/javacore.20220620.142941.2694175.0002.txt
JVMDUMP032I JVM requested Snap dump using '/zdata/congli/ax-exp/ax-eval/2-ax-only/81.openj9/mutant/red/Snap.20220620.142941.2694175.0003.trc' in response to an event
JVMDUMP010I Snap dump written to /zdata/congli/ax-exp/ax-eval/2-ax-only/81.openj9/mutant/red/Snap.20220620.142941.2694175.0003.trc
JVMDUMP032I JVM requested JIT dump using '/zdata/congli/ax-exp/ax-eval/2-ax-only/81.openj9/mutant/red/jitdump.20220620.142941.2694175.0004.dmp' in response to an event
JVMDUMP051I JIT dump occurred in 'JIT Compilation Thread-001' thread 0x0000000000022300
JVMDUMP049I JIT dump notified all waiting threads of the current method to be compiled
JVMDUMP054I JIT dump is tracing the IL of the method on the crashed compilation thread
JVMDUMP052I JIT dump recursive crash occurred on diagnostic thread
JVMDUMP010I JIT dump written to /zdata/congli/ax-exp/ax-eval/2-ax-only/81.openj9/mutant/red/jitdump.20220620.142941.2694175.0004.dmp
JVMDUMP013I Processed dump event "gpf", detail "".

Please also check openj9-bug-81.tar.gz for all the logs (jitdump, snap, etc.), the test (Test.java, Test.class), and the unreduced test (Test.java.orig).

Notice

The given Test.java (which is reduced by us) is always reproducible for us. If it is not reproducible for you, please use Test.java.orig in the above link.

The text was updated successfully, but these errors were encountered:

0xdaryl · 2022-06-20T13:36:05Z

@BradleyWood : please add this codegen crash to your list of issues to investigate.

pshipton · 2022-06-20T14:14:10Z

I reproduced the crash.

pshipton · 2022-06-20T14:17:33Z

The reduced test case uses FuzzerUtils, but I commented it out and returned 0 and still reproduced a crash.

BradleyWood · 2022-06-20T17:17:37Z

_addressRegister is null

https://github.com/eclipse/omr/blob/master/compiler/x/amd64/codegen/OMRMemoryReference.cpp#L618-L629

BradleyWood · 2022-06-20T20:43:58Z

For some reason on initialisation it was determined that the memory reference does not need an address register at:

https://github.com/eclipse/omr/blob/e287e61337dbf37ab2929a102b59ad0687260aa4/compiler/x/amd64/codegen/OMRMemoryReference.cpp#L170-L226

However, the opposite conclusion is made at binary encoding, but no register was allocated.

0xdaryl · 2022-06-21T10:40:59Z

This is not a regression in 0.33. Reproducible on JDK8 back to at least 0.29.

0xdaryl · 2022-09-20T09:26:40Z

This will not be fixed for 0.35. Moving to 0.36.

0xdaryl · 2022-11-15T10:52:42Z

Moving to 0.38.

0xdaryl · 2023-03-14T12:15:56Z

No change in status. Moving to 0.40.

BradleyWood · 2023-03-23T20:04:11Z

In this test case, we have a small integer array which becomes stack allocated, and is indexed at ax$1 - Integer.MIN_VALUE. I have identified 3 separate issues related to this crash.

An extra address load register was not assigned, which will be needed at codegen to handle the VFP-relative displacement > |2^31|. Then we crash because the register is not assigned. The register was not assigned because the initialisation assumes that the frames cannot be larger than 2 GB, which is true. However, this does not account for OOB-access. To resolve this, we can check if the mem-ref is referring to a stack-allocated array.
Allocating an extra address load register when the base register is VFP also causes a crash. When estimating the binary length of the mem-ref, the estimate is excessively large to account for an address load instruction. However, the estimate is a constant, and the estimation logic from the parent is not used.
Displacement overflow. Although not the cause of this crash, a number of transformations (such as analyseSubForLEA) check if displacement is a signed 32-bit integer, then negate that displacement value. If the displacement is 2^31-1, negation leads to overflow because 2^31+1 is not a valid signed 32-bit integer.

I will open a fix shortly.

connglli added the userRaised label Jun 20, 2022

pshipton added comp:jit blocker segfault Issues that describe segfaults / JVM crashes labels Jun 20, 2022

pshipton added this to the Release 0.33 (Java 8, 11, 17, 18) July refresh milestone Jun 20, 2022

0xdaryl assigned BradleyWood Jun 28, 2022

pshipton removed the blocker label Jun 28, 2022

pshipton modified the milestones: Release 0.33 (Java 8, 11, 17, 18) July refresh, Release 0.34 (Java 19) Jun 28, 2022

pshipton modified the milestones: Java 19, Release 0.35 (Java 8, 11, 17, 19) Oct refresh Jul 19, 2022

0xdaryl modified the milestones: Release 0.35 (Java 8, 11, 17, 19) Oct refresh, Release 0.36 (Java 8, 11, 17, 19) Jan refresh Sep 20, 2022

0xdaryl modified the milestones: Release 0.36 (Java 8, 11, 17, 19) Jan refresh, Release 0.38 (Java 8, 11, 17, 20) Apr refresh Nov 15, 2022

0xdaryl modified the milestones: Release 0.38 (Java 8, 11, 17) Apr refresh, Release 0.40? (Java 8, 11, 17, 20) July refresh Mar 14, 2023

BradleyWood mentioned this issue Mar 27, 2023

Fix Large VFP-relative memory-references eclipse-omr/omr#6937

Merged

BradleyWood mentioned this issue Apr 18, 2023

JDK 8/11/17/18 - JVM crash due to JIT compilation with ArrayIndexOutOfBoundsException #17212

Closed

0xdaryl closed this as completed in eclipse-omr/omr#6937 May 5, 2023

hzongaro mentioned this issue Aug 27, 2024

Non-fatal assert triggered in jdk_lang_0: 64-bit displacement should have been replaced #20066

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

JDK11 Segmentation error vmState=0x0005ff09 #15363

JDK11 Segmentation error vmState=0x0005ff09 #15363

connglli commented Jun 20, 2022

0xdaryl commented Jun 20, 2022

pshipton commented Jun 20, 2022

pshipton commented Jun 20, 2022

BradleyWood commented Jun 20, 2022

BradleyWood commented Jun 20, 2022

0xdaryl commented Jun 21, 2022

0xdaryl commented Sep 20, 2022

0xdaryl commented Nov 15, 2022

0xdaryl commented Mar 14, 2023

BradleyWood commented Mar 23, 2023

JDK11 Segmentation error vmState=0x0005ff09 #15363

JDK11 Segmentation error vmState=0x0005ff09 #15363

Comments

connglli commented Jun 20, 2022

Java -version output

Summary of problem

Diagnostic files

Notice

0xdaryl commented Jun 20, 2022

pshipton commented Jun 20, 2022

pshipton commented Jun 20, 2022

BradleyWood commented Jun 20, 2022

BradleyWood commented Jun 20, 2022

0xdaryl commented Jun 21, 2022

0xdaryl commented Sep 20, 2022

0xdaryl commented Nov 15, 2022

0xdaryl commented Mar 14, 2023

BradleyWood commented Mar 23, 2023