eclipse-openj9 / openj9

Eclipse OpenJ9: A Java Virtual Machine for OpenJDK that's optimized for small footprint, fast start-up, and high throughput. Builds on Eclipse OMR (https://github.com/eclipse/omr) and combines with the Extensions for OpenJDK for OpenJ9 repo.

JDK11 Segmentation error vmState=0x0005ff09 #15363

Closed connglli closed 1 year ago

connglli commented 2 years ago

Java -version output

openjdk version "11.0.16-internal" 2022-07-19
OpenJDK Runtime Environment (build 11.0.16-internal+0-adhoc..openj9-openjdk-jdk11)
Eclipse OpenJ9 VM (build master-4ca209b54, JRE 11 Linux amd64-64-Bit Compressed References 20220615_000000 (JIT enabled, AOT enabled)
OpenJ9   - 4ca209b54
OMR      - 26b89f9f9
JCL      - 231dcc9eeb based on jdk-11.0.16+6)

Summary of problem

The following Test.java, which is reduced by us, crashes OpenJ9's JIT compiler.

class Test {
  int N;
  long instanceCount;

  // Method whose JIT compilation crashes (Method_being_compiled=Test.vMeth(ID)V).
  // The two-element array is indexed at ax$1 - Integer.MIN_VALUE, which wraps to a
  // large negative int; the resulting ArrayIndexOutOfBoundsException is swallowed by
  // the catch, i10 never changes, and the outer loop spins until the JIT compiles it.
  void vMeth(int i2, double d2) {
    int i10;
    for (i10 = 1; i10 < 6; )
      try {
        int[] ax$0 = {1, 3};
        for (int ax$1 = 4; ; ax$1++) i10 += ax$0[ax$1 - Integer.MIN_VALUE];
      } catch (Throwable ax$4) {
      } finally {
      }
  }

  long lMeth(double d1, int i1, long l1) {
    float fArr[] = new float[N];
    vMeth(i1, d1);
    // checkSum is the static helper defined below, so the file compiles on its own
    // (the fuzzer's FuzzerUtils.checkSum is not needed to reproduce the crash).
    long meth_res = Double.doubleToLongBits(checkSum(fArr));
    return meth_res;
  }

  void vSmallMeth(int i, long l) {
    double d = 1.92934;
    d += lMeth(2.5332, i, instanceCount);
  }

  void mainTest(String[] strArr1) {
    int i22 = 22025;
    vSmallMeth(i22, instanceCount);
  }

  public static void main(String[] strArr) {
    Test _instance = new Test();
    _instance.mainTest(strArr);
  }

  public static double checkSum(float[] a) {
    double sum = 0;
    for (int j = 0; j < a.length; j++) {
      sum += (a[j] / (j + 1) + a[j] % (j + 1));
    }
    return sum;
  }
}

Diagnostic files

By issuing

$ java -Xmx1G -Xshareclasses:none Test

the following crash log is given:

#0: /zdata/congli/OpenJ9/jdk11/lib/default/libj9jit29.so(+0x8bfda5) [0x7fe7d7c69da5]
#1: /zdata/congli/OpenJ9/jdk11/lib/default/libj9jit29.so(+0x8cb090) [0x7fe7d7c75090]
#2: /zdata/congli/OpenJ9/jdk11/lib/default/libj9jit29.so(+0x139579) [0x7fe7d74e3579]
#3: /zdata/congli/OpenJ9/jdk11/lib/default/libj9prt29.so(+0x2911a) [0x7fe7dd61911a]
#4: /lib/x86_64-linux-gnu/libpthread.so.0(+0x14420) [0x7fe7dda9f420]
#5: /zdata/congli/OpenJ9/jdk11/lib/default/libj9jit29.so(+0x5171fc) [0x7fe7d78c11fc]
#6: /zdata/congli/OpenJ9/jdk11/lib/default/libj9jit29.so(+0x93d0c2) [0x7fe7d7ce70c2]
#7: /zdata/congli/OpenJ9/jdk11/lib/default/libj9jit29.so(+0x941ed9) [0x7fe7d7cebed9]
#8: /zdata/congli/OpenJ9/jdk11/lib/default/libj9jit29.so(+0x9621d4) [0x7fe7d7d0c1d4]
#9: /zdata/congli/OpenJ9/jdk11/lib/default/libj9jit29.so(+0x925935) [0x7fe7d7ccf935]
#10: /zdata/congli/OpenJ9/jdk11/lib/default/libj9jit29.so(+0x95a571) [0x7fe7d7d04571]
#11: /zdata/congli/OpenJ9/jdk11/lib/default/libj9jit29.so(+0x514c7a) [0x7fe7d78bec7a]
#12: /zdata/congli/OpenJ9/jdk11/lib/default/libj9jit29.so(+0x516409) [0x7fe7d78c0409]
#13: /zdata/congli/OpenJ9/jdk11/lib/default/libj9jit29.so(+0x513053) [0x7fe7d78bd053]
#14: /zdata/congli/OpenJ9/jdk11/lib/default/libj9jit29.so(+0x540529) [0x7fe7d78ea529]
#15: /zdata/congli/OpenJ9/jdk11/lib/default/libj9jit29.so(+0x14d7ef) [0x7fe7d74f77ef]
#16: /zdata/congli/OpenJ9/jdk11/lib/default/libj9jit29.so(+0x14e834) [0x7fe7d74f8834]
#17: /zdata/congli/OpenJ9/jdk11/lib/default/libj9prt29.so(+0x29c53) [0x7fe7dd619c53]
#18: /zdata/congli/OpenJ9/jdk11/lib/default/libj9jit29.so(+0x14bf79) [0x7fe7d74f5f79]
#19: /zdata/congli/OpenJ9/jdk11/lib/default/libj9jit29.so(+0x14c5c0) [0x7fe7d74f65c0]
#20: /zdata/congli/OpenJ9/jdk11/lib/default/libj9jit29.so(+0x14b0e3) [0x7fe7d74f50e3]
#21: /zdata/congli/OpenJ9/jdk11/lib/default/libj9jit29.so(+0x14b5c2) [0x7fe7d74f55c2]
#22: /zdata/congli/OpenJ9/jdk11/lib/default/libj9jit29.so(+0x14b672) [0x7fe7d74f5672]
#23: /zdata/congli/OpenJ9/jdk11/lib/default/libj9prt29.so(+0x29c53) [0x7fe7dd619c53]
#24: /zdata/congli/OpenJ9/jdk11/lib/default/libj9jit29.so(+0x14bab2) [0x7fe7d74f5ab2]
#25: /zdata/congli/OpenJ9/jdk11/lib/default/libj9thr29.so(+0xf2b2) [0x7fe7dd7db2b2]
#26: /lib/x86_64-linux-gnu/libpthread.so.0(+0x8609) [0x7fe7dda93609]
#27: /lib/x86_64-linux-gnu/libc.so.6(clone+0x43) [0x7fe7ddbef133]
Unhandled exception
Type=Segmentation error vmState=0x0005ff09
J9Generic_Signal_Number=00000018 Signal_Number=0000000b Error_Value=00000000 Signal_Code=00000001
Handler1=00007FE7DD82FFD0 Handler2=00007FE7DD618EF0 InaccessibleAddress=0000000000000030
RDI=00007FE7A67DA470 RSI=0000000000000000 RAX=00007FE7D7FC5D10 RBX=0000000000000000
RCX=0000000000000001 RDX=0000000000000000 R8=0000000000000000 R9=0000000000000002
R10=00000000000000F8 R11=0000000000000001 R12=00007FE7A669ECB0 R13=00007FE7A67DA430
R14=0000000200000020 R15=0000000000000222
RIP=00007FE7D78C11FC GS=0000 FS=0000 RSP=00007FE7BC52B7C0
EFlags=0000000000010206 CS=0033 RBP=00007FE7A67DA470 ERR=0000000000000004
TRAPNO=000000000000000E OLDMASK=0000000000000000 CR2=0000000000000030
xmm0 0000000000000000 (f: 0.000000, d: 0.000000e+00)
xmm1 00007fe7a6825c90 (f: 2793561344.000000, d: 6.948189e-310)
xmm2 00007fe7a68221d0 (f: 2793546240.000000, d: 6.948189e-310)
xmm3 00007fe7a68211b0 (f: 2793542144.000000, d: 6.948189e-310)
xmm4 00007fe7a66a2520 (f: 2791974144.000000, d: 6.948189e-310)
xmm5 00007fe7a681cdb0 (f: 2793524736.000000, d: 6.948189e-310)
xmm6 00007fe7a681f290 (f: 2793534208.000000, d: 6.948189e-310)
xmm7 00007fe7a6820460 (f: 2793538560.000000, d: 6.948189e-310)
xmm8 00007fe7a68284d0 (f: 2793571584.000000, d: 6.948189e-310)
xmm9 0000000000000000 (f: 0.000000, d: 0.000000e+00)
xmm10 0000000000000000 (f: 0.000000, d: 0.000000e+00)
xmm11 0000000000000000 (f: 0.000000, d: 0.000000e+00)
xmm12 0000000000000000 (f: 0.000000, d: 0.000000e+00)
xmm13 0000000000000000 (f: 0.000000, d: 0.000000e+00)
xmm14 0000000000000000 (f: 0.000000, d: 0.000000e+00)
xmm15 0000000000000000 (f: 0.000000, d: 0.000000e+00)
Module=/zdata/congli/OpenJ9/jdk11/lib/default/libj9jit29.so
Module_base_address=00007FE7D73AA000

Method_being_compiled=Test.vMeth(ID)V
Target=2_90_20220615_000000 (Linux 5.4.0-120-generic)
CPU=amd64 (8 logical CPUs) (0x3e45ba000 RAM)
----------- Stack Backtrace -----------
_ZN3OMR11Instruction11useRegisterEPN2TR8RegisterE+0xc (0x00007FE7D78C11FC [libj9jit29.so+0x5171fc])
_ZN2TR27AMD64RegImm64SymInstructionC1EPNS_11InstructionEN3OMR10InstOpCode8MnemonicEPNS_8RegisterEmPNS_15SymbolReferenceEPNS_13CodeGeneratorE+0x82 (0x00007FE7D7CE70C2 [libj9jit29.so+0x93d0c2])
_Z30generateRegImm64SymInstructionPN2TR11InstructionEN3OMR10InstOpCode8MnemonicEPNS_8RegisterEmPNS_15SymbolReferenceEPNS_13CodeGeneratorE+0x59 (0x00007FE7D7CEBED9 [libj9jit29.so+0x941ed9])
_ZN3OMR3X865AMD6415MemoryReference22generateBinaryEncodingEPhPN2TR11InstructionEPNS4_13CodeGeneratorE+0x314 (0x00007FE7D7D0C1D4 [libj9jit29.so+0x9621d4])
_ZN3OMR3X8611Instruction22generateBinaryEncodingEv+0x95 (0x00007FE7D7CCF935 [libj9jit29.so+0x925935])
_ZN3OMR3X8613CodeGenerator16doBinaryEncodingEv+0x881 (0x00007FE7D7D04571 [libj9jit29.so+0x95a571])
_ZN3OMR12CodeGenPhase26performBinaryEncodingPhaseEPN2TR13CodeGeneratorEPNS1_12CodeGenPhaseE+0x8a (0x00007FE7D78BEC7A [libj9jit29.so+0x514c7a])
_ZN3OMR12CodeGenPhase10performAllEv+0xc9 (0x00007FE7D78C0409 [libj9jit29.so+0x516409])
_ZN3OMR13CodeGenerator12generateCodeEv+0x63 (0x00007FE7D78BD053 [libj9jit29.so+0x513053])
_ZN3OMR11Compilation7compileEv+0xa29 (0x00007FE7D78EA529 [libj9jit29.so+0x540529])
_ZN2TR28CompilationInfoPerThreadBase7compileEP10J9VMThreadPNS_11CompilationEP17TR_ResolvedMethodR11TR_J9VMBaseP19TR_OptimizationPlanRKNS_16SegmentAllocatorE+0x4bf (0x00007FE7D74F77EF [libj9jit29.so+0x14d7ef])
_ZN2TR28CompilationInfoPerThreadBase14wrappedCompileEP13J9PortLibraryPv+0x314 (0x00007FE7D74F8834 [libj9jit29.so+0x14e834])
omrsig_protect+0x1e3 (0x00007FE7DD619C53 [libj9prt29.so+0x29c53])
_ZN2TR28CompilationInfoPerThreadBase7compileEP10J9VMThreadP21TR_MethodToBeCompiledRN2J917J9SegmentProviderE+0x309 (0x00007FE7D74F5F79 [libj9jit29.so+0x14bf79])
_ZN2TR24CompilationInfoPerThread12processEntryER21TR_MethodToBeCompiledRN2J917J9SegmentProviderE+0x1c0 (0x00007FE7D74F65C0 [libj9jit29.so+0x14c5c0])
_ZN2TR24CompilationInfoPerThread14processEntriesEv+0x3b3 (0x00007FE7D74F50E3 [libj9jit29.so+0x14b0e3])
_ZN2TR24CompilationInfoPerThread3runEv+0x42 (0x00007FE7D74F55C2 [libj9jit29.so+0x14b5c2])
_Z30protectedCompilationThreadProcP13J9PortLibraryPN2TR24CompilationInfoPerThreadE+0x82 (0x00007FE7D74F5672 [libj9jit29.so+0x14b672])
omrsig_protect+0x1e3 (0x00007FE7DD619C53 [libj9prt29.so+0x29c53])
_Z21compilationThreadProcPv+0x1d2 (0x00007FE7D74F5AB2 [libj9jit29.so+0x14bab2])
thread_wrapper+0x162 (0x00007FE7DD7DB2B2 [libj9thr29.so+0xf2b2])
start_thread+0xd9 (0x00007FE7DDA93609 [libpthread.so.0+0x8609])
clone+0x43 (0x00007FE7DDBEF133 [libc.so.6+0x11f133])
---------------------------------------
JVMDUMP039I Processing dump event "gpf", detail "" at 2022/06/20 14:29:41 - please wait.
JVMDUMP032I JVM requested System dump using '/zdata/congli/ax-exp/ax-eval/2-ax-only/81.openj9/mutant/red/core.20220620.142941.2694175.0001.dmp' in response to an event
JVMDUMP010I System dump written to /zdata/congli/ax-exp/ax-eval/2-ax-only/81.openj9/mutant/red/core.20220620.142941.2694175.0001.dmp
JVMDUMP032I JVM requested Java dump using '/zdata/congli/ax-exp/ax-eval/2-ax-only/81.openj9/mutant/red/javacore.20220620.142941.2694175.0002.txt' in response to an event
JVMDUMP010I Java dump written to /zdata/congli/ax-exp/ax-eval/2-ax-only/81.openj9/mutant/red/javacore.20220620.142941.2694175.0002.txt
JVMDUMP032I JVM requested Snap dump using '/zdata/congli/ax-exp/ax-eval/2-ax-only/81.openj9/mutant/red/Snap.20220620.142941.2694175.0003.trc' in response to an event
JVMDUMP010I Snap dump written to /zdata/congli/ax-exp/ax-eval/2-ax-only/81.openj9/mutant/red/Snap.20220620.142941.2694175.0003.trc
JVMDUMP032I JVM requested JIT dump using '/zdata/congli/ax-exp/ax-eval/2-ax-only/81.openj9/mutant/red/jitdump.20220620.142941.2694175.0004.dmp' in response to an event
JVMDUMP051I JIT dump occurred in 'JIT Compilation Thread-001' thread 0x0000000000022300
JVMDUMP049I JIT dump notified all waiting threads of the current method to be compiled
JVMDUMP054I JIT dump is tracing the IL of the method on the crashed compilation thread
JVMDUMP052I JIT dump recursive crash occurred on diagnostic thread
JVMDUMP010I JIT dump written to /zdata/congli/ax-exp/ax-eval/2-ax-only/81.openj9/mutant/red/jitdump.20220620.142941.2694175.0004.dmp
JVMDUMP013I Processed dump event "gpf", detail "".

Please also check openj9-bug-81.tar.gz for all the logs (jitdump, snap, etc.), the test (Test.java, Test.class), and the unreduced test (Test.java.orig).

Notice

The given Test.java (which is reduced by us) is always reproducible for us. If it is not reproducible for you, please use Test.java.orig in the above link.

0xdaryl commented 2 years ago

@BradleyWood : please add this codegen crash to your list of issues to investigate.

pshipton commented 2 years ago

I reproduced the crash.

pshipton commented 2 years ago

The reduced test case uses FuzzerUtils, but I commented it out and returned 0 and still reproduced a crash.

BradleyWood commented 2 years ago

_addressRegister is null

https://github.com/eclipse/omr/blob/master/compiler/x/amd64/codegen/OMRMemoryReference.cpp#L618-L629

BradleyWood commented 2 years ago

For some reason on initialisation it was determined that the memory reference does not need an address register at:

https://github.com/eclipse/omr/blob/e287e61337dbf37ab2929a102b59ad0687260aa4/compiler/x/amd64/codegen/OMRMemoryReference.cpp#L170-L226

However, the opposite conclusion is made at binary encoding, but no register was allocated.

0xdaryl commented 2 years ago

This is not a regression in 0.33. Reproducible on JDK8 back to at least 0.29.

0xdaryl commented 2 years ago

This will not be fixed for 0.35. Moving to 0.36.

0xdaryl commented 1 year ago

Moving to 0.38.

0xdaryl commented 1 year ago

No change in status. Moving to 0.40.

BradleyWood commented 1 year ago

In this test case, we have a small integer array which becomes stack allocated, and is indexed at ax$1 - Integer.MIN_VALUE. I have identified 3 separate issues related to this crash.

  1. An extra address load register was not assigned, which will be needed at codegen to handle the VFP-relative displacement > |2^31|. Then we crash because the register is not assigned. The register was not assigned because the initialisation assumes that the frames cannot be larger than 2 GB, which is true. However, this does not account for OOB-access. To resolve this, we can check if the mem-ref is referring to a stack-allocated array.
  2. Allocating an extra address load register when the base register is VFP also causes a crash. When estimating the binary length of the mem-ref, the estimate is excessively large to account for an address load instruction. However, the estimate is a constant, and the estimation logic from the parent is not used.
  3. Displacement overflow. Although not the cause of this crash, a number of transformations (such as analyseSubForLEA) check if displacement is a signed 32-bit integer, then negate that displacement value. If the displacement is 2^31-1, negation leads to overflow because 2^31+1 is not a valid signed 32-bit integer.

I will open a fix shortly.
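The arithmetic behind points 1 and 3 of the comment above, as an added example in C that is not code from OpenJ9 or OMR. It emulates Java's wrapping int subtraction to get the index the reproducer actually uses (`ax$1 - Integer.MIN_VALUE` with `ax$1 == 4`), computes the frame-relative byte displacement that index produces for a stack-allocated `int[]`, and shows why that displacement cannot sit in a 32-bit addressing-mode field (so a separate register is needed) and why a "fits in 32 bits" check on a displacement that is then negated must also check the negated value. The array layout (element 0 sixteen bytes below the frame pointer) and all function names are constructed for the illustration, not the code generator's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Java int arithmetic wraps modulo 2^32, so emulate it with unsigned
 * subtraction: this is how the bytecode computes ax$1 - Integer.MIN_VALUE. */
static int32_t java_int_sub(int32_t a, int32_t b) {
    return (int32_t)((uint32_t)a - (uint32_t)b);
}

/* An x86-64 addressing mode carries a signed 32-bit displacement field. */
static bool fits_disp32(int64_t disp) {
    return disp >= INT32_MIN && disp <= INT32_MAX;
}

/* Byte displacement, relative to the frame pointer, of element `index` of a
 * stack-allocated int[] whose element 0 sits `array_base` bytes from that
 * pointer (constructed layout; 4-byte elements). Computed in 64 bits so the
 * value the code generator would have to encode is visible. */
static int64_t element_disp(int64_t array_base, int32_t index) {
    return array_base + (int64_t)index * 4;
}

/* Point 1: a displacement that does not fit the 32-bit field cannot be folded
 * into the instruction; it has to be materialised in a separate register.
 * An in-bounds index on a frame under 2 GB always fits; an out-of-bounds index
 * does not, even though the access itself will throw at run time. */
static bool needs_address_register(int64_t disp) {
    return !fits_disp32(disp);
}

/* Point 3: "fits in 32 bits" is not enough when the transformation goes on to
 * negate the displacement, because -INT32_MIN does not fit. Check both values
 * in 64-bit arithmetic before committing to the negated form. */
static bool can_negate_disp32(int64_t disp) {
    return fits_disp32(disp) && fits_disp32(-disp);
}

int main(void) {
    const int64_t array_base = -16;           /* constructed: array just below the frame pointer */
    int32_t in_bounds = 1;
    int32_t oob = java_int_sub(4, INT32_MIN); /* the index used by the reproducer */

    int64_t d_ok = element_disp(array_base, in_bounds);
    int64_t d_oob = element_disp(array_base, oob);
    printf("index %d -> disp %lld, extra register: %s\n", in_bounds, (long long)d_ok,
           needs_address_register(d_ok) ? "yes" : "no");
    printf("index %d -> disp %lld, extra register: %s\n", oob, (long long)d_oob,
           needs_address_register(d_oob) ? "yes" : "no");
    printf("negating INT32_MIN is safe: %s\n", can_negate_disp32(INT32_MIN) ? "yes" : "no");
    printf("negating INT32_MAX is safe: %s\n", can_negate_disp32(INT32_MAX) ? "yes" : "no");
    return 0;
}
```

The wrapped index is -2147483644, so the element displacement is -2^33 bytes: far outside the signed 32-bit field, which is the case the initialisation logic missed when it assumed every frame-relative access fits in 2 GB. The negation check shows the boundary that matters for the third point: every 32-bit displacement except INT32_MIN survives negation, so the guard has to be on the negated value, not only on the original.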