intel-iot-devkit / tinyb

TinyB exposes the BLE GATT API for C++, Java and other languages, using BlueZ over DBus.
MIT License

SIGSEGV when detaching thread after JVM has exited #135

Open pgfisico opened 6 years ago

pgfisico commented 6 years ago

A segmentation fault occurs when the JNIEnvContainer destructor detaches the thread and the JVM has already exited.

The cause is that Monitor::lock_without_safepoint_check() receives a null pointer from Thread::current(). Monitor::ILock() receives the null pointer as the argument and the segmentation fault occurs when Monitor::ILock() dereferences the pointer to access _MutexEvent. _MutexEvent is at an offset of 0xe4 within Thread, which is confirmed by the offending si_addr of 0x000000e4.

Issue also occurs when using Oracle JDK 8u152 Linux ARM 32 Hard Float ABI.

Issue appears similar to #66 and #59.

See also https://bugs.openjdk.java.net/browse/JDK-8033696

TinyB Version 0.5.0-28-gac6d308

hs_err_pid2261.log

#
# A fatal error has been detected by the Java Runtime Environment:
#
#  SIGSEGV (0xb) at pc=0xb584e300, pid=2261, tid=0xb53b4470
#
# JRE version: OpenJDK Runtime Environment (8.0_151-b12) (build 1.8.0_151-8u151-b12-1~deb9u1-b12)
# Java VM: OpenJDK Client VM (25.151-b12 mixed mode linux-aarch32 )
# Problematic frame:
# V  [libjvm.so+0x2ec300]
#
# Core dump written. Default location: /home/debian/main-board/core or core.2261
#
# If you would like to submit a bug report, please visit:
#   http://bugreport.java.com/bugreport/crash.jsp
#

---------------  T H R E A D  ---------------

Current thread is native thread

siginfo: si_signo: 11 (SIGSEGV), si_code: 1 (SEGV_MAPERR), si_addr: 0x000000e4

Registers:
R0=0xb5205218
R1=0x00000000
R2=0x00000001
R3=0x00000001
R4=0xb5205218
R5=0x00000000
R6=0x00183cf6
R7=0xb53b3dd8
R8=0x000c3d18
R9=0xb53b3e5c
R10=0x00000000
R11=0x00000000
R12=0xb59d21dc
R13=0xb53b3dd8
R14=0xb584ee05
R15=0xb584e300

Top of Stack: (sp=0xb53b3dd8)
0xb53b3dd8:   00000001 b5205218 00000000 b6f8fce4
0xb53b3de8:   b53b3df8 000c3d18 b53b3e5c b584ee05
0xb53b3df8:   b59d2000 b6e028c0 b53b3e08 b594f2bb
0xb53b3e08:   b59d2000 b53b4930 b53b3e18 b5783d09
0xb53b3e18:   aa8d9cf8 b53b4930 b53b3e28 aa4363d1
0xb53b3e28:   aa44e000 b59da820 b53b3e38 aa436275
0xb53b3e38:   6a0de79a aa8b80f0 b53b3e48 aa4361cf
0xb53b3e48:   0000000c aa8b80f0 000c3cd6 b6e2b323 

Instructions: (pc=0xb584e300)
0xb584e2e0:   68 3e 18 00 10 20 00 00 8c 23 00 00 46 d8 18 00
0xb584e2f0:   32 d8 18 00 30 06 00 00 2d e9 f8 43 00 af 66 4e
0xb584e300:   d1 f8 e4 50 03 68 7e 44 10 e0 bf f3 5b 8f 50 e8
0xb584e310:   00 2f 9a 42 04 d1 40 e8 00 4e be f1 00 0f f6 d1 

Register to memory mapping:

R0=
[error occurred during error reporting (printing register info), id 0xb]

Stack: [0xb5365000,0xb53b5000],  sp=0xb53b3dd8,  free space=315k
Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
V  [libjvm.so+0x2ec300]

[error occurred during error reporting (printing native stack), id 0xb]

---------------  P R O C E S S  ---------------

VM state:at safepoint (shutting down)

VM Mutex/Monitor currently owned by a thread:  ([mutex/lock_event])
[0xb5205218] Threads_lock - owner thread: 0xb525d800

Heap:
 def new generation   total 2432K, used 919K [0xab600000, 0xab8a0000, 0xadea0000)
  eden space 2176K,  37% used [0xab600000, 0xab6ca000, 0xab820000)
  from space 256K,  43% used [0xab820000, 0xab83bf70, 0xab860000)
  to   space 256K,   0% used [0xab860000, 0xab860000, 0xab8a0000)
 tenured generation   total 5504K, used 631K [0xadea0000, 0xae400000, 0xb3000000)
   the space 5504K,  11% used [0xadea0000, 0xadf3dc58, 0xadf3de00, 0xae400000)
 Metaspace       used 2783K, capacity 2958K, committed 2968K, reserved 4400K

////////// CUT //////////

Events (10 events):
Event: 35.903 loading class tinyb/BluetoothGattDescriptor done
Event: 43.347 Thread 0xaa8c9c00 Thread added: 0xaa8c9c00
Event: 53.341 Thread 0xb5207c00 Thread exited: 0xb5207c00
Event: 53.342 Thread 0xb5207c00 Thread added: 0xb5207c00
Event: 53.342 loading class java/lang/Shutdown
Event: 53.343 loading class java/lang/Shutdown done
Event: 53.343 loading class java/lang/Shutdown$Lock
Event: 53.343 loading class java/lang/Shutdown$Lock done
Event: 53.353 Thread 0xb527e800 Thread exited: 0xb527e800
Event: 53.354 Thread 0xb5207c00 Thread exited: 0xb5207c00

////////// CUT //////////

---------------  S Y S T E M  ---------------

OS:PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

uname:Linux 4.4.91-ti-r138 #1 SMP Thu Dec 7 23:10:14 UTC 2017 armv7l
libc:glibc 2.24 NPTL 2.24 
rlimit: STACK 8192k, CORE infinity, NPROC 3461, NOFILE 1048576, AS infinity
load average:0.22 0.11 0.04

////////// CUT //////////

CPU:total 1 (initial active 1) 0x41:0x3:0xc08:2

/proc/cpuinfo:
processor   : 0
model name  : ARMv7 Processor rev 2 (v7l)
BogoMIPS    : 995.32
Features    : half thumb fastmult vfp edsp thumbee neon vfpv3 tls vfpd32 
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x3
CPU part    : 0xc08
CPU revision    : 2

Hardware    : Generic AM33XX (Flattened Device Tree)
Revision    : 0000
Serial      : 0000000000000000

////////// CUT //////////

vm_info: OpenJDK Client VM (25.151-b12) for linux-aarch32 JRE (1.8.0_151-8u151-b12-1~deb9u1-b12), built on Nov  1 2017 14:17:57 by "buildd" with gcc 6.3.0 20170516

////////// CUT //////////

elapsed time: 53 seconds (0d 0h 0m 53s)

GDB Session

GNU gdb (Debian 7.12-6) 7.12.0.20161007-git
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "arm-linux-gnueabihf".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word".
Attaching to process 4182
[New LWP 4183]
[New LWP 4184]
[New LWP 4185]
[New LWP 4186]
[New LWP 4187]
[New LWP 4188]
[New LWP 4189]
[New LWP 4190]
[New LWP 4191]
[New LWP 4192]
[New LWP 4193]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/arm-linux-gnueabihf/libthread_db.so.1".
__libc_do_syscall () at ../sysdeps/unix/sysv/linux/arm/libc-do-syscall.S:46
46      ../sysdeps/unix/sysv/linux/arm/libc-do-syscall.S: No such file or directory.
(gdb) break JNIEnvContainer::JNIEnvContainer
Breakpoint 1 at 0xaa4221f4 (2 locations)
(gdb) break JNIEnvContainer::~JNIEnvContainer
Breakpoint 2 at 0xaa4381cc: file /home/debian/tinyb_build/tinyb/java/jni/JNIMem.cxx, line 48.
(gdb) break JNIEnvContainer::attach
Breakpoint 3 at 0xaa422050 (2 locations)
(gdb) break JNIEnvContainer::detach
Breakpoint 4 at 0xaa422578 (2 locations)
(gdb) c
Continuing.
[Switching to Thread 0xb53b8470 (LWP 4183)]

Thread 2 "java" hit Breakpoint 1, 0xaa4221f4 in JNIEnvContainer::JNIEnvContainer()@plt ()
   from /home/debian/tinyb_build/tinyb/build_debug/java/jni/libjavatinyb.so.0.5.0-28-gac6d308.0.5.0-28-gac6d308.0.5.0-28-gac6d308
(gdb) bt
#0  0xaa4221f4 in JNIEnvContainer::JNIEnvContainer()@plt ()
   from /home/debian/tinyb_build/tinyb/build_debug/java/jni/libjavatinyb.so.0.5.0-28-gac6d308.0.5.0-28-gac6d308.0.5.0-28-gac6d308
#1  0xaa438346 in __tls_init () at /home/debian/tinyb_build/tinyb/java/jni/JNIMem.cxx:28
#2  0xaa427704 in TLS wrapper function for jni_env ()
   from /home/debian/tinyb_build/tinyb/build_debug/java/jni/libjavatinyb.so.0.5.0-28-gac6d308.0.5.0-28-gac6d308.0.5.0-28-gac6d308
#3  0xaa43829e in JNIGlobalRef::JNIGlobalRef (this=0xaa9bd248, object=0xb53b7a90) at /home/debian/tinyb_build/tinyb/java/jni/JNIMem.cxx:67
#4  0xaa42c0b0 in Java_tinyb_BluetoothDevice_enableConnectedNotifications (env=0xb5207d30, obj=0xb53b7a94, callback=0xb53b7a90)
    at /home/debian/tinyb_build/tinyb/java/jni/BluetoothDevice.cxx:770
#5  0xb320992c in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)

////////// CUT //////////

(gdb) up
#1  0xaa438346 in __tls_init () at /home/debian/tinyb_build/tinyb/java/jni/JNIMem.cxx:28
28      thread_local JNIEnvContainer jni_env;
(gdb) list
23       */
24
25      #include "JNIMem.hpp"
26
27      JavaVM* vm;
28      thread_local JNIEnvContainer jni_env;
29
30      jint JNI_OnLoad(JavaVM *initVM, void *reserved) {
31          vm = initVM;
32          return JNI_VERSION_1_8;
(gdb) p jni_env
$1 = {env = 0x0}

////////// CUT //////////

(gdb) c
Continuing.

Thread 2 "java" hit Breakpoint 1, JNIEnvContainer::JNIEnvContainer (this=0xb52ab2a0) at /home/debian/tinyb_build/tinyb/java/jni/JNIMem.cxx:45
45      JNIEnvContainer::JNIEnvContainer() {}
(gdb) bt
#0  JNIEnvContainer::JNIEnvContainer (this=0xb52ab2a0) at /home/debian/tinyb_build/tinyb/java/jni/JNIMem.cxx:45
#1  0xaa438346 in __tls_init () at /home/debian/tinyb_build/tinyb/java/jni/JNIMem.cxx:28
#2  0xaa427704 in TLS wrapper function for jni_env ()
   from /home/debian/tinyb_build/tinyb/build_debug/java/jni/libjavatinyb.so.0.5.0-28-gac6d308.0.5.0-28-gac6d308.0.5.0-28-gac6d308
#3  0xaa43829e in JNIGlobalRef::JNIGlobalRef (this=0xaa9bd248, object=0xb53b7a90) at /home/debian/tinyb_build/tinyb/java/jni/JNIMem.cxx:67
#4  0xaa42c0b0 in Java_tinyb_BluetoothDevice_enableConnectedNotifications (env=0xb5207d30, obj=0xb53b7a94, callback=0xb53b7a90)
    at /home/debian/tinyb_build/tinyb/java/jni/BluetoothDevice.cxx:770
#5  0xb320992c in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) c
Continuing.

Thread 2 "java" hit Breakpoint 3, 0xaa422050 in JNIEnvContainer::attach()@plt ()
   from /home/debian/tinyb_build/tinyb/build_debug/java/jni/libjavatinyb.so.0.5.0-28-gac6d308.0.5.0-28-gac6d308.0.5.0-28-gac6d308
(gdb) bt
#0  0xaa422050 in JNIEnvContainer::attach()@plt ()
   from /home/debian/tinyb_build/tinyb/build_debug/java/jni/libjavatinyb.so.0.5.0-28-gac6d308.0.5.0-28-gac6d308.0.5.0-28-gac6d308
#1  0xaa43819c in JNIEnvContainer::operator-> (this=0xb52ab2a0) at /home/debian/tinyb_build/tinyb/java/jni/JNIMem.cxx:41
#2  0xaa4382a6 in JNIGlobalRef::JNIGlobalRef (this=0xaa9bd248, object=0xb53b7a90) at /home/debian/tinyb_build/tinyb/java/jni/JNIMem.cxx:67
#3  0xaa42c0b0 in Java_tinyb_BluetoothDevice_enableConnectedNotifications (env=0xb5207d30, obj=0xb53b7a94, callback=0xb53b7a90)
    at /home/debian/tinyb_build/tinyb/java/jni/BluetoothDevice.cxx:770
#4  0xb320992c in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) list
40      JNIEnv *JNIEnvContainer::operator->() {
41          attach();
42          return env;
43      }
44
45      JNIEnvContainer::JNIEnvContainer() {}
46
47      JNIEnvContainer::~JNIEnvContainer() {
48          detach();
49      }

////////// CUT //////////

(gdb) c
Continuing.

Thread 2 "java" hit Breakpoint 3, JNIEnvContainer::attach (this=0xb52ab2a0) at /home/debian/tinyb_build/tinyb/java/jni/JNIMem.cxx:52
52          if (env != nullptr)
(gdb) bt
#0  JNIEnvContainer::attach (this=0xb52ab2a0) at /home/debian/tinyb_build/tinyb/java/jni/JNIMem.cxx:52
#1  0xaa43819c in JNIEnvContainer::operator-> (this=0xb52ab2a0) at /home/debian/tinyb_build/tinyb/java/jni/JNIMem.cxx:41
#2  0xaa4382a6 in JNIGlobalRef::JNIGlobalRef (this=0xaa9bd248, object=0xb53b7a90) at /home/debian/tinyb_build/tinyb/java/jni/JNIMem.cxx:67
#3  0xaa42c0b0 in Java_tinyb_BluetoothDevice_enableConnectedNotifications (env=0xb5207d30, obj=0xb53b7a94, callback=0xb53b7a90)
    at /home/debian/tinyb_build/tinyb/java/jni/BluetoothDevice.cxx:770
#4  0xb320992c in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) list
47      JNIEnvContainer::~JNIEnvContainer() {
48          detach();
49      }
50
51      void JNIEnvContainer::attach() {
52          if (env != nullptr)
53              return;
54          jint err = vm->AttachCurrentThreadAsDaemon((void **)&env, NULL);
55          if (err != JNI_OK)
56              throw std::runtime_error("Attach to VM failed");
(gdb) p env
$2 = (JNIEnv *) 0x0
(gdb) n
54          jint err = vm->AttachCurrentThreadAsDaemon((void **)&env, NULL);
(gdb) n
55          if (err != JNI_OK)
(gdb) p err
$3 = 0
(gdb) n
57      }
(gdb) p env
$4 = (JNIEnv *) 0xb5207d30
(gdb) c
Continuing.
[Switching to Thread 0xa9403470 (LWP 4193)]

Thread 12 "java" hit Breakpoint 1, 0xaa4221f4 in JNIEnvContainer::JNIEnvContainer()@plt ()
   from /home/debian/tinyb_build/tinyb/build_debug/java/jni/libjavatinyb.so.0.5.0-28-gac6d308.0.5.0-28-gac6d308.0.5.0-28-gac6d308
(gdb) bt
#0  0xaa4221f4 in JNIEnvContainer::JNIEnvContainer()@plt ()
   from /home/debian/tinyb_build/tinyb/build_debug/java/jni/libjavatinyb.so.0.5.0-28-gac6d308.0.5.0-28-gac6d308.0.5.0-28-gac6d308
#1  0xaa438346 in __tls_init () at /home/debian/tinyb_build/tinyb/java/jni/JNIMem.cxx:28
#2  0xaa427704 in TLS wrapper function for jni_env ()
   from /home/debian/tinyb_build/tinyb/build_debug/java/jni/libjavatinyb.so.0.5.0-28-gac6d308.0.5.0-28-gac6d308.0.5.0-28-gac6d308
#3  0xaa42bf16 in <lambda(bool)>::operator()(bool) const (__closure=0xb52b2888, v=false) at /home/debian/tinyb_build/tinyb/java/jni/BluetoothDevice.cxx:773
#4  0xaa42e7ea in std::_Function_handler<void(bool), Java_tinyb_BluetoothDevice_enableConnectedNotifications(JNIEnv*, jobject, jobject)::<lambda(bool)> >::_M_invoke(const std::_Any_data &, <unknown type in /home/debian/tinyb_build/tinyb/build_debug/java/jni/libjavatinyb.so.0.5.0-28-gac6d308.0.5.0-28-gac6d308.0.5.0-28-gac6d308, CU 0x1980f, DIE 0x2bcca>) (__functor=...,
    __args#0=<unknown type in /home/debian/tinyb_build/tinyb/build_debug/java/jni/libjavatinyb.so.0.5.0-28-gac6d308.0.5.0-28-gac6d308.0.5.0-28-gac6d308, CU 0x1980f, DIE 0x2bcca>) at /usr/include/c++/6/functional:1731
#5  0xaa831086 in std::function<void (bool)>::operator()(bool) const (this=0xa94027c4, __args#0=false) at /usr/include/c++/6/functional:2127
#6  0xaa832c78 in tinyb::BluetoothNotificationHandler::on_properties_changed_device (proxy=0xaa9b82c0, changed_properties=0x123c680,
    invalidated_properties=0xb52ada48, userdata=0xb52ac490) at /home/debian/tinyb_build/tinyb/src/BluetoothDevice.cpp:81
#7  0xaa4a4c60 in ffi_call_VFP () from /usr/lib/arm-linux-gnueabihf/libffi.so.6
#8  0xaa4a5312 in ffi_call () from /usr/lib/arm-linux-gnueabihf/libffi.so.6
#9  0xaa5aef50 in g_cclosure_marshal_generic () from /usr/lib/arm-linux-gnueabihf/libgobject-2.0.so.0
#10 0xaa5ae99e in g_closure_invoke () from /usr/lib/arm-linux-gnueabihf/libgobject-2.0.so.0
#11 0xaa5bb88c in ?? () from /usr/lib/arm-linux-gnueabihf/libgobject-2.0.so.0
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) up
#1  0xaa438346 in __tls_init () at /home/debian/tinyb_build/tinyb/java/jni/JNIMem.cxx:28
28      thread_local JNIEnvContainer jni_env;

////////// CUT //////////

(gdb) p jni_env
$5 = {env = 0x0}
(gdb) c
Continuing.
[Thread 0xaaaa4470 (LWP 4190) exited]
[Thread 0xaabc4470 (LWP 4187) exited]
[Thread 0xaaf96470 (LWP 4184) exited]
[Switching to Thread 0xb53b8470 (LWP 4183)]

Thread 2 "java" hit Breakpoint 2, JNIEnvContainer::~JNIEnvContainer (this=0xb52ab2a0, __in_chrg=<optimized out>)
    at /home/debian/tinyb_build/tinyb/java/jni/JNIMem.cxx:48
48          detach();
(gdb) list
43      }
44
45      JNIEnvContainer::JNIEnvContainer() {}
46
47      JNIEnvContainer::~JNIEnvContainer() {
48          detach();
49      }
50
51      void JNIEnvContainer::attach() {
52          if (env != nullptr)
(gdb) p env
$6 = (JNIEnv *) 0xb5207d30
(gdb) n
[Switching to Thread 0xa9403470 (LWP 4193)]

Thread 12 "java" hit Breakpoint 1, JNIEnvContainer::JNIEnvContainer (this=0xb52b1e58) at /home/debian/tinyb_build/tinyb/java/jni/JNIMem.cxx:45
45      JNIEnvContainer::JNIEnvContainer() {}
(gdb) bt
#0  JNIEnvContainer::JNIEnvContainer (this=0xb52b1e58) at /home/debian/tinyb_build/tinyb/java/jni/JNIMem.cxx:45
#1  0xaa438346 in __tls_init () at /home/debian/tinyb_build/tinyb/java/jni/JNIMem.cxx:28
#2  0xaa427704 in TLS wrapper function for jni_env ()
   from /home/debian/tinyb_build/tinyb/build_debug/java/jni/libjavatinyb.so.0.5.0-28-gac6d308.0.5.0-28-gac6d308.0.5.0-28-gac6d308
#3  0xaa42bf16 in <lambda(bool)>::operator()(bool) const (__closure=0xb52b2888, v=false) at /home/debian/tinyb_build/tinyb/java/jni/BluetoothDevice.cxx:773
#4  0xaa42e7ea in std::_Function_handler<void(bool), Java_tinyb_BluetoothDevice_enableConnectedNotifications(JNIEnv*, jobject, jobject)::<lambda(bool)> >::_M_invoke(const std::_Any_data &, <unknown type in /home/debian/tinyb_build/tinyb/build_debug/java/jni/libjavatinyb.so.0.5.0-28-gac6d308.0.5.0-28-gac6d308.0.5.0-28-gac6d308, CU 0x1980f, DIE 0x2bcca>) (__functor=...,
    __args#0=<unknown type in /home/debian/tinyb_build/tinyb/build_debug/java/jni/libjavatinyb.so.0.5.0-28-gac6d308.0.5.0-28-gac6d308.0.5.0-28-gac6d308, CU 0x1980f, DIE 0x2bcca>) at /usr/include/c++/6/functional:1731
#5  0xaa831086 in std::function<void (bool)>::operator()(bool) const (this=0xa94027c4, __args#0=false) at /usr/include/c++/6/functional:2127
#6  0xaa832c78 in tinyb::BluetoothNotificationHandler::on_properties_changed_device (proxy=0xaa9b82c0, changed_properties=0x123c680,
    invalidated_properties=0xb52ada48, userdata=0xb52ac490) at /home/debian/tinyb_build/tinyb/src/BluetoothDevice.cpp:81
#7  0xaa4a4c60 in ffi_call_VFP () from /usr/lib/arm-linux-gnueabihf/libffi.so.6
#8  0xaa4a5312 in ffi_call () from /usr/lib/arm-linux-gnueabihf/libffi.so.6
#9  0xaa5aef50 in g_cclosure_marshal_generic () from /usr/lib/arm-linux-gnueabihf/libgobject-2.0.so.0
#10 0xaa5ae99e in g_closure_invoke () from /usr/lib/arm-linux-gnueabihf/libgobject-2.0.so.0
#11 0xaa5bb88c in ?? () from /usr/lib/arm-linux-gnueabihf/libgobject-2.0.so.0
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) n
[Switching to Thread 0xb53b8470 (LWP 4183)]

Thread 2 "java" hit Breakpoint 4, 0xaa422578 in JNIEnvContainer::detach()@plt ()
   from /home/debian/tinyb_build/tinyb/build_debug/java/jni/libjavatinyb.so.0.5.0-28-gac6d308.0.5.0-28-gac6d308.0.5.0-28-gac6d308
(gdb) list
40      JNIEnv *JNIEnvContainer::operator->() {
41          attach();
42          return env;
43      }
44
45      JNIEnvContainer::JNIEnvContainer() {}
46
47      JNIEnvContainer::~JNIEnvContainer() {
48          detach();
49      }

////////// CUT //////////

(gdb) n
Single stepping until exit from function _ZN15JNIEnvContainer6detachEv@plt,
which has no line number information.
[Switching to Thread 0xa9403470 (LWP 4193)]

Thread 12 "java" hit Breakpoint 3, 0xaa422050 in JNIEnvContainer::attach()@plt ()
   from /home/debian/tinyb_build/tinyb/build_debug/java/jni/libjavatinyb.so.0.5.0-28-gac6d308.0.5.0-28-gac6d308.0.5.0-28-gac6d308
(gdb) n
Single stepping until exit from function _ZN15JNIEnvContainer6attachEv@plt,
which has no line number information.
[Switching to Thread 0xb53b8470 (LWP 4183)]

Thread 2 "java" hit Breakpoint 4, JNIEnvContainer::detach (this=0xb52ab2a0) at /home/debian/tinyb_build/tinyb/java/jni/JNIMem.cxx:60
60          if (env == nullptr)
(gdb) n
[Switching to Thread 0xa9403470 (LWP 4193)]

Thread 12 "java" hit Breakpoint 3, JNIEnvContainer::attach (this=0xb52b1e58) at /home/debian/tinyb_build/tinyb/java/jni/JNIMem.cxx:52
52          if (env != nullptr)
(gdb) n

Thread 2 "java" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb53b8470 (LWP 4183)]
Monitor::ILock (this=this@entry=0xb5205200, Self=Self@entry=0x0) at ./src/hotspot/src/share/vm/runtime/mutex.cpp:465
465     ./src/hotspot/src/share/vm/runtime/mutex.cpp: No such file or directory.
(gdb) bt
#0  Monitor::ILock (this=this@entry=0xb5205200, Self=Self@entry=0x0) at ./src/hotspot/src/share/vm/runtime/mutex.cpp:465
#1  0xb5852e04 in Monitor::ILock (Self=0x0, this=0xb5205200) at ./src/hotspot/src/share/vm/runtime/mutex.cpp:327
#2  Monitor::lock_without_safepoint_check (Self=<optimized out>, this=0xb5205200) at ./src/hotspot/src/share/vm/runtime/mutex.cpp:959
#3  Monitor::lock_without_safepoint_check (this=0xb5205200) at ./src/hotspot/src/share/vm/runtime/mutex.cpp:965
#4  0xb59532ba in VM_Exit::wait_if_vm_exited () at ./src/hotspot/src/share/vm/runtime/vm_operations.cpp:472
#5  0xb5787d08 in VM_Exit::block_if_vm_exited () at ./src/hotspot/src/share/vm/runtime/vm_operations.hpp:396
#6  jni_DetachCurrentThread (vm=<optimized out>) at ./src/hotspot/src/share/vm/prims/jni.cpp:5508
#7  0xaa4383d4 in JavaVM_::DetachCurrentThread (this=0xb59de820 <main_vm>) at /usr/lib/jvm/java-8-openjdk-armhf/include/jni.h:1917
#8  0xaa438278 in JNIEnvContainer::detach (this=0xb52ab2a0) at /home/debian/tinyb_build/tinyb/java/jni/JNIMem.cxx:62
#9  0xaa4381d2 in JNIEnvContainer::~JNIEnvContainer (this=0xb52ab2a0, __in_chrg=<optimized out>) at /home/debian/tinyb_build/tinyb/java/jni/JNIMem.cxx:48
#10 0xb6e2f322 in __GI___call_tls_dtors () at cxa_thread_atexit_impl.c:155
#11 0xb6f4d5f0 in start_thread (arg=0x0) at pthread_create.c:343
#12 0xb6e9d54a in ?? () at ../sysdeps/unix/sysv/linux/arm/clone.S:76 from /lib/arm-linux-gnueabihf/libc.so.6
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) up 8
#8  0xaa438278 in JNIEnvContainer::detach (this=0xb52ab2a0) at /home/debian/tinyb_build/tinyb/java/jni/JNIMem.cxx:62
62          vm->DetachCurrentThread();
(gdb) p jni_env
$7 = {env = 0xb5207d30}
(gdb) p env
$8 = (JNIEnv *) 0xb5207d30
(gdb) info thread
  Id   Target Id         Frame
  1    Thread 0xb6e07430 (LWP 4182) "java" __libc_do_syscall () at ../sysdeps/unix/sysv/linux/arm/libc-do-syscall.S:46
* 2    Thread 0xb53b8470 (LWP 4183) "java" Monitor::ILock (this=this@entry=0xb5205200, Self=Self@entry=0x0) at ./src/hotspot/src/share/vm/runtime/mutex.cpp:465
  4    Thread 0xaadff470 (LWP 4185) "java" __libc_do_syscall () at ../sysdeps/unix/sysv/linux/arm/libc-do-syscall.S:46
  5    Thread 0xaadaf470 (LWP 4186) "java" __libc_do_syscall () at ../sysdeps/unix/sysv/linux/arm/libc-do-syscall.S:46
  7    Thread 0xaab74470 (LWP 4188) "java" __libc_do_syscall () at ../sysdeps/unix/sysv/linux/arm/libc-do-syscall.S:46
  8    Thread 0xaaaf4470 (LWP 4189) "java" __libc_do_syscall () at ../sysdeps/unix/sysv/linux/arm/libc-do-syscall.S:46
  10   Thread 0xaa403470 (LWP 4191) "gmain" 0xb6e97580 in poll () at ../sysdeps/unix/syscall-template.S:84
  11   Thread 0xa9c03470 (LWP 4192) "gdbus" 0xb6e97580 in poll () at ../sysdeps/unix/syscall-template.S:84
  12   Thread 0xa9403470 (LWP 4193) "java" 0xaa4381ea in JNIEnvContainer::attach (this=0xb52b1e58) at /home/debian/tinyb_build/tinyb/java/jni/JNIMem.cxx:52

////////// CUT //////////

cm-perrs commented 6 years ago

Is there any progress on this? I have this error on jdk 1.8.0_181-b13.

pgfisico commented 6 years ago

The segfault here is caused by a bug in HotSpot. It is fixed in JDK 11.

The reason TinyB hit the bug is that it would attach the thread without checking if it was already attached. As a result, for calls that were executing on a thread that started within Java, TinyB would attempt to detach the thread even though it was not a native thread.

For me, this was happening when using notifications. When the C++ code gets a global reference to the callback in Java code, it is re-attaching the thread that originated in Java. This is allowed by JNI and is a no-op. The problem is that it could not detach the thread correctly because the JVM had already cleaned up the thread on shutdown, leading to the null pointer from Thread::current().

https://bugs.openjdk.java.net/browse/JDK-8199012
https://bugs.java.com/view_bug.do?bug_id=8199012
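
One way to avoid the attach/detach mismatch described in the last comment, as an added example that is not TinyB's own code: ask the VM whether the thread is already attached and detach only when this container performed the attach. `FakeVM`, `Env`, `EnvContainer` and `detach_calls_after_use` are hypothetical names used so the block runs without a JDK; against real JNI the corresponding calls are `GetEnv`, `AttachCurrentThreadAsDaemon` and `DetachCurrentThread` on `JavaVM`.

```cpp
#include <cstdio>
#include <stdexcept>

namespace demo {
// Values as defined in jni.h.
constexpr int JNI_OK = 0, JNI_EDETACHED = -2, JNI_VERSION_1_8 = 0x00010008;
struct Env {};  // hypothetical stand-in for JNIEnv

// Hypothetical stand-in for JavaVM: models one thread's attachment state and
// counts detach calls, so the example runs without a JDK.
struct FakeVM {
    Env env_storage;
    bool attached;  // true when the thread was started by Java
    int detach_calls = 0;
    explicit FakeVM(bool started_by_java) : attached(started_by_java) {}
    int GetEnv(void **out, int /*version*/) {
        *out = attached ? &env_storage : nullptr;
        return attached ? JNI_OK : JNI_EDETACHED;
    }
    int AttachCurrentThreadAsDaemon(void **out, void * /*args*/) {
        attached = true;
        *out = &env_storage;
        return JNI_OK;
    }
    int DetachCurrentThread() {
        ++detach_calls;
        attached = false;
        return JNI_OK;
    }
};

class EnvContainer {
    FakeVM *vm;
    Env *env = nullptr;
    bool needs_detach = false;  // true only if this object performed the attach
public:
    explicit EnvContainer(FakeVM *v) : vm(v) {}
    ~EnvContainer() { detach(); }

    void attach() {
        if (env != nullptr) return;
        // Thread already known to the VM (it originated in Java): borrow its env.
        if (vm->GetEnv((void **)&env, JNI_VERSION_1_8) == JNI_OK) return;
        if (vm->AttachCurrentThreadAsDaemon((void **)&env, nullptr) != JNI_OK)
            throw std::runtime_error("Attach to VM failed");
        needs_detach = true;
    }
    void detach() {
        if (env == nullptr) return;
        env = nullptr;
        if (needs_detach) {  // never detach a thread the JVM owns
            vm->DetachCurrentThread();
            needs_detach = false;
        }
    }
    Env *operator->() { attach(); return env; }
};

// Runs one attach/use/destroy cycle and reports how many detaches the VM saw.
int detach_calls_after_use(bool started_by_java) {
    FakeVM vm(started_by_java);
    { EnvContainer c(&vm); (void)c.operator->(); }  // destructor runs at scope exit
    return vm.detach_calls;
}
}  // namespace demo

int main() {
    std::printf("java thread: %d detach(es), native thread: %d detach(es)\n",
                demo::detach_calls_after_use(true), demo::detach_calls_after_use(false));
}
```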