JDK11 ASSERTION FAILED at ScavengerRootScanner.hpp:108

[connglli]

Java -version output

openjdk version "11.0.16-internal" 2022-07-19
OpenJDK Runtime Environment (build 11.0.16-internal+0-adhoc..openj9-openjdk-jdk11)
Eclipse OpenJ9 VM (build master-4ca209b54, JRE 11 Linux amd64-64-Bit Compressed References 20220615_000000 (JIT enabled, AOT enabled)
OpenJ9   - 4ca209b54
OMR      - 26b89f9f9
JCL      - 231dcc9eeb based on jdk-11.0.16+6)

Summary of problem

The following Test.java is quite similar to the one in #15475. The only difference is that this case added some PrintStream and System things. However, instead of crashing and print the stacktraces, this one triggers an ASSERTION FAILURE in ScavengerRootScanner.hpp.

Also, this is perhaps a JIT bug since -Xint can hide it.

class Test {
  void vMeth1(int i4, int i5) {
      java.io.PrintStream ax$7 = System.out;
      java.io.PrintStream ax$9 =
          new java.io.PrintStream(
              new java.io.OutputStream() {
                public void write(int b) {}
              });
      int ax$1 = 0xf;
      byte[] ax$0 = new byte[ax$1];
      int ax$3 = ax$0.length;
      for (int k = 0; ax$3 > 0; ax$3--) {
        int ax$2 = ax$0.length - ax$3;
        ax$0[ax$2] = (byte) 0xff;
      }
      System.setOut(ax$7);
  }
  void vMeth(long l) {
    int i2 = 3;
    vMeth1(6, i2);
  }
  void mainTest(String[] strArr1) {
    for (     ; ; ) vMeth(4045L);
  }
  public static void main(String[] strArr) {
    Test _instance = new Test();
    _instance.mainTest(strArr);
  }
}

Diagnostic files

By issuing

$ java Test

the following crash log is given:

000000000004DD00: Object neither in heap nor stack-allocated in thread main
000000000004DD00: O-Slot=00000000001441B0
000000000004DD00: O-Slot value=000000FFFFFFFFFF
000000000004DD00: PC=00007F4A54D68745
000000000004DD00: framesWalked=9
000000000004DD00: arg0EA=00000000001441D0
000000000004DD00: walkSP=00000000001440C8
000000000004DD00: literals=00000000000FF8A8
000000000004DD00: jitInfo=00007F4A5424D338
000000000004DD00: method=000000000029D9F8 (Test.vMeth1(II)V) (JIT)
000000000004DD00: stack=000000000013CBE0-0000000000144310
15:23:38.421 0x231200    j9mm.479    *   ** ASSERTION FAILED ** at /root/hostdir/openj9-openjdk-jdk11/openj9/runtime/gc_glue_java/ScavengerRootScanner.hpp:108: ((MM_StackSlotValidator(MM_StackSlotValidator::NOT_ON_HEAP, *slotPtr, stackLocation, walkState).validate(_env)))
JVMDUMP039I Processing dump event "traceassert", detail "" at 2022/07/01 17:23:38 - please wait.
JVMDUMP032I JVM requested System dump using '/zdata/congli/ax-exp/ax-eval/2-ax-only/89.openj9/mutant/red/core.20220701.172338.1931610.0001.dmp' in response to an event
JVMDUMP010I System dump written to /zdata/congli/ax-exp/ax-eval/2-ax-only/89.openj9/mutant/red/core.20220701.172338.1931610.0001.dmp
JVMDUMP032I JVM requested Java dump using '/zdata/congli/ax-exp/ax-eval/2-ax-only/89.openj9/mutant/red/javacore.20220701.172338.1931610.0002.txt' in response to an event
JVMDUMP010I Java dump written to /zdata/congli/ax-exp/ax-eval/2-ax-only/89.openj9/mutant/red/javacore.20220701.172338.1931610.0002.txt
JVMDUMP032I JVM requested Snap dump using '/zdata/congli/ax-exp/ax-eval/2-ax-only/89.openj9/mutant/red/Snap.20220701.172338.1931610.0003.trc' in response to an event
JVMDUMP010I Snap dump written to /zdata/congli/ax-exp/ax-eval/2-ax-only/89.openj9/mutant/red/Snap.20220701.172338.1931610.0003.trc
JVMDUMP013I Processed dump event "traceassert", detail "".

Please also check openj9-bug-89.tar.gz for all the logs (core, snap, etc.) and the test (Test.java, Test.class).

[dmitripivkine]

There is bad O-slot in JIT frame.

[dmitripivkine]

<4dd00> JIT frame: bp = 0x00000000001441B8, pc = 0x00007F4A54D68745, unwindSP = 0x0000000000144150, cp = 0x000000000029D8D0, arg0EA = 0x00000000001441D0, jitInfo = 0x00007F4A5424D338
<4dd00> 	Method: Test.vMeth1(II)V !j9method 0x000000000029D9F8
<4dd00> 	Bytecode index = 16, inlineDepth = 0, PC offset = 0x00000000000000DD
<4dd00> 	stackMap=0x00007F4A5424D440, slots=I16(0x0003) parmBaseOffset=I16(0x0018), parmSlots=U16(0x0001), localBaseOffset=I16(0xFFF0)
<4dd00> 	Described JIT args starting at 0x00000000001441D0 for U16(0x0001) slots
<4dd00> 		O-Slot: : a0[0x00000000001441D0] = 0x00000001C0037AB8
<4dd00> 	Described JIT temps starting at 0x00000000001441A8 for IDATA(0x0000000000000002) slots
<4dd00> 		I-Slot: : t1[0x00000000001441A8] = 0xFFFFFFFFFFFFFFFF
<4dd00> 		O-Slot: : t0[0x00000000001441B0] = 0x000000FFFFFFFFFF <--------
<4dd00> 	JIT-RegisterMap = UDATA(0x0000000000000000)
<4dd00> 	JIT-Frame-RegisterMap[0x0000000000144170] = UDATA(0x00000007FFEF9A18) (jit_rbx)
<4dd00> 	JIT-Frame-RegisterMap[0x0000000000144178] = UDATA(0x00000007FFFC0A60) (jit_r9)
<4dd00> 	JIT-Frame-RegisterMap[0x0000000000144120] = UDATA(0x0000000000000000) (jit_r10)
<4dd00> 	JIT-Frame-RegisterMap[0x0000000000144118] = UDATA(0x00007F4A936AA928) (jit_r11)
<4dd00> 	JIT-Frame-RegisterMap[0x0000000000144110] = UDATA(0x00007F4A93501400) (jit_r12)
<4dd00> 	JIT-Frame-RegisterMap[0x0000000000144108] = UDATA(0x00000007FFEFFBD0) (jit_r13)
<4dd00> 	JIT-Frame-RegisterMap[0x0000000000144100] = UDATA(0x0000000000000000) (jit_r14)
<4dd00> 	JIT-Frame-RegisterMap[0x00000000001440F8] = UDATA(0x000000002F892167) (jit_r15)

[dmitripivkine]

GC Check sees another problem - second object in statics for !j9class 0x92300 java/lang/System Ljava/io/PrintStream has the same bogus value 0x000000FFFFFFFFFF. I guess this is the source for bad value in JIT frame:

Checking CLASS HEAP...  <gc check (1): from debugger: CLASS HEAP: static slot 92300(92220) -> ffffffffff: corrupt data exception>

> !j9statics 0x0000000000092300
Static fields in java/lang/System:
	0x0000000000092218 in Ljava/io/InputStream; (!j9romstaticfieldshape 0x00007F4A8C22FE10) = !j9object 0x00000001C003D068
	0x0000000000092220 out Ljava/io/PrintStream; (!j9romstaticfieldshape 0x00007F4A8C22FE1C) = !j9object 0x000000FFFFFFFFFF <------------
	0x0000000000092228 err Ljava/io/PrintStream; (!j9romstaticfieldshape 0x00007F4A8C22FE28) = !j9object 0x00000001C0039C58
	0x0000000000092230 RUNTIME Ljava/lang/Runtime; (!j9romstaticfieldshape 0x00007F4A8C22FE34) = !j9object 0x00000001C003D0B8
	0x0000000000092238 systemProperties Ljava/util/Properties; (!j9romstaticfieldshape 0x00007F4A8C22FE40) = !j9object 0x00000001C003D0C8
	0x0000000000092240 security Ljava/lang/SecurityManager; (!j9romstaticfieldshape 0x00007F4A8C22FE4C) = !j9object 0x0000000000000000
	0x0000000000092248 console Ljava/io/Console; (!j9romstaticfieldshape 0x00007F4A8C22FE58) = !j9object 0x0000000000000000
	0x0000000000092288 consoleInitialized Z (!j9romstaticfieldshape 0x00007F4A8C22FE64) = 0x00000000 (0)
	0x0000000000092250 lineSeparator Ljava/lang/String; (!j9romstaticfieldshape 0x00007F4A8C22FE70) = !j9object 0x00000001C003D0F8
	0x0000000000092290 propertiesInitialized Z (!j9romstaticfieldshape 0x00007F4A8C22FE7C) = 0x00000001 (1)
	0x0000000000092258 platformEncoding Ljava/lang/String; (!j9romstaticfieldshape 0x00007F4A8C22FE88) = !j9object 0x00000001C0039C88
	0x0000000000092260 fileEncoding Ljava/lang/String; (!j9romstaticfieldshape 0x00007F4A8C22FE94) = !j9object 0x00000001C003D108
	0x0000000000092268 osEncoding Ljava/lang/String; (!j9romstaticfieldshape 0x00007F4A8C22FEA0) = !j9object 0x00000001C0039C88
	0x0000000000092298 sysPropID_PlatformEncoding I (!j9romstaticfieldshape 0x00007F4A8C22FEAC) = 0x00000001 (1)
	0x00000000000922A0 sysPropID_FileEncoding I (!j9romstaticfieldshape 0x00007F4A8C22FEBC) = 0x00000002 (2)
	0x00000000000922A8 sysPropID_OSEncoding I (!j9romstaticfieldshape 0x00007F4A8C22FECC) = 0x00000003 (3)
	0x00000000000922B0 hasSetErrEncoding Z (!j9romstaticfieldshape 0x00007F4A8C22FEDC) = 0x00000000 (0)
	0x00000000000922B8 hasSetOutEncoding Z (!j9romstaticfieldshape 0x00007F4A8C22FEE8) = 0x00000000 (0)
	0x0000000000092270 consoleDefaultEncoding Ljava/lang/String; (!j9romstaticfieldshape 0x00007F4A8C22FEF4) = !j9object 0x00000001C003D108
	0x0000000000092278 consoleDefaultCharset Ljava/nio/charset/Charset; (!j9romstaticfieldshape 0x00007F4A8C22FF00) = !j9object 0x00000001C0034E00
	0x0000000000092280 bootLayer Ljava/lang/ModuleLayer; (!j9romstaticfieldshape 0x00007F4A8C22FF0C) = !j9object 0x00000001C003D118

[dmitripivkine]

@0xdaryl FYI

[0xdaryl]

@jdmpapin : please investigate.

We won't be able to get to the bottom of this for 0.35. Moving to 0.36.

[0xdaryl]

Moving to 0.38.

[jdmpapin]

I haven't had a chance to dig in to this. Moved to 0.40.

[hzongaro]

Moving to 0.43

[hzongaro]

Devin @jdmpapin, I suspect this issue was another duplicate of issue #15474, which was fixed by pull request #15870. When you have some time, may I ask you to verify that?

[hzongaro]

Moving this to the 0.44 release pending verification of whether this is a duplicate of #15474.

[hzongaro]

I tried reproducing this problem with various recent builds, going as far back as a Java 17 release 0.35 build, and the test runs without problem.

As I mentioned, I suspect this was a duplicate of #15474, so I will close it. @connglli, if you are still able to reproduce the problem, please reopen it.

[connglli]

@hzongaro No problems. Thanks for your effort!!!