Prepared by: | never on Tue Mar 27 21:04:02 PDT 2012 |
---|---|
Workspace: | /net/smite.us.oracle.com/export/ws/poll |
Compare against: | ssh://hg.openjdk.java.net/hsx/hotspot-comp-gate/hotspot |
Summary of changes: | 39 lines changed: 18 ins; 19 del; 2 mod; 24524 unchg |
Patch of changes: | 7157141.patch |
Author comments: |
7157141: crash in 64 bit with corrupted oops
Reviewed-by:

The fix for 6964776 introduced a new match pattern for cases where the polling page is far from the code cache and must be materialized as a 64 bit value. In the very rare case that the byte_map_base for the card table and the polling page end up at the same address it's possible for this code to incorrectly trigger when emitting card mark code, resulting in incorrect card marks. It requires a bit of a confluence of events since the OS has to hand out unlucky values for the card table and polling page and C2 has to emit the unlucky sequence as well. Changing the heap size would cause those values to change and the problem to disappear. -XX:+VerifyRememberedSets finds the issue fairly quickly. The issue is new in JDK7/hs21 and only occurs on x64.

The simplest fix is to simply remove the special handling of immP_poll and allow the poll page to be handled just like any other constant when it can't be handled as a RIP relative value. Tested with failing program from original report and runthese with and without -XX:+ForceUnreachable to exercise the new path.

I also added some code to dump the card table space, byte_map_base and polling page in the hs_err. The output looks like this:

```
Heap
 PSYoungGen total 39424K, used 675K [0xfffffd7fcc000000, 0xfffffd7fcec00000, 0xfffffd7ff6c00000)
  eden space 33792K, 2% used [0xfffffd7fcc000000,0xfffffd7fcc0a8fc8,0xfffffd7fce100000)
  from space 5632K, 0% used [0xfffffd7fce680000,0xfffffd7fce680000,0xfffffd7fcec00000)
  to space 5632K, 0% used [0xfffffd7fce100000,0xfffffd7fce100000,0xfffffd7fce680000)
 ParOldGen total 86016K, used 0K [0xfffffd7f76c00000, 0xfffffd7f7c000000, 0xfffffd7fcc000000)
  object space 86016K, 0% used [0xfffffd7f76c00000,0xfffffd7f76c00000,0xfffffd7f7c000000)
 PSPermGen total 22528K, used 2754K [0xfffffd7f71a00000, 0xfffffd7f73000000, 0xfffffd7f76c00000)
  object space 22528K, 12% used [0xfffffd7f71a00000,0xfffffd7f71cb0b38,0xfffffd7f73000000)
Card table byte_map: 0xfffffd7f71200000,0xfffffd7f7162a000 byte_map_base: 0xff7ffd80b1673000
Polling page: 0xfffffd7fff170000
```
Bug id: | Bug Database |
src/cpu/x86/vm/assembler_x86.cpp
4 lines changed: 2 ins; 0 del; 2 mod; 10270 unchg
src/cpu/x86/vm/x86_64.ad
19 lines changed: 0 ins; 19 del; 0 mod; 11771 unchg
src/share/vm/memory/barrierSet.hpp
2 lines changed: 2 ins; 0 del; 0 mod; 186 unchg
src/share/vm/memory/cardTableModRefBS.cpp
5 lines changed: 5 ins; 0 del; 0 mod; 725 unchg
src/share/vm/memory/cardTableModRefBS.hpp
3 lines changed: 3 ins; 0 del; 0 mod; 507 unchg
src/share/vm/utilities/vmError.cpp
6 lines changed: 6 ins; 0 del; 0 mod; 1065 unchg
This code review page was prepared using /never/bin/webrev (vers 23.18-hg-never-dev).