
JDK17 Assertion Failed with memoryCorruptionDetected #15639

Closed
lochnagarr opened this issue Jul 28, 2022 · 9 comments · Fixed by #15681

Comments

@lochnagarr

Java -version output

openjdk version "17.0.3" 2022-04-19
IBM Semeru Runtime Open Edition 17.0.3.0 (build 17.0.3+7)
Eclipse OpenJ9 VM 17.0.3.0 (build openj9-0.32.0, JRE 17 Linux amd64-64-Bit Compressed References 20220422_184 (JIT enabled, AOT enabled)
OpenJ9 - 9a84ec3
OMR - ab24b6666
JCL - dc07fd49b92 based on jdk-17.0.3+7)

Summary of problem

When running a buggy classfile generated by a fuzzer, the JVM crashes and we get the following message:

06:21:46.676 0x21f00 omrport.359    *   ** ASSERTION FAILED ** at ../../../../../../omr/port/common/omrmemtag.c:145: ((memoryCorruptionDetected))
JVMDUMP039I Processing dump event "traceassert", detail "" at 2022/07/28 14:21:46 - please wait.
JVMDUMP032I JVM requested System dump using '/home/minghai/bug_memory/core.20220728.142146.24281.0001.dmp' in response to an event
JVMDUMP010I System dump written to /home/minghai/bug_memory/core.20220728.142146.24281.0001.dmp
JVMDUMP032I JVM requested Java dump using '/home/minghai/bug_memory/javacore.20220728.142146.24281.0002.txt' in response to an event
JVMDUMP010I Java dump written to /home/minghai/bug_memory/javacore.20220728.142146.24281.0002.txt
JVMDUMP032I JVM requested Snap dump using '/home/minghai/bug_memory/Snap.20220728.142146.24281.0003.trc' in response to an event
JVMDUMP010I Snap dump written to /home/minghai/bug_memory/Snap.20220728.142146.24281.0003.trc
JVMDUMP013I Processed dump event "traceassert", detail "".

We have collected the related classfiles and dependencies in bug_memory.zip:
bug_memory.zip
The buggy classfile is in bug_memory/bug_file

To reproduce this issue, enter bug_memory and run the following command:

java -jar ./junit-platform-console-standalone-1.8.2.jar -cp ./bug_file:./util:./test-classes:./classes:./guava-31.0.1-jre.jar:./javax.inject-1.jar:./failureaccess-1.0.1.jar -m com.google.inject.spi.InjectionPointTest#testConstructorInjectionPoint

To avoid this issue, run

java -jar ./junit-platform-console-standalone-1.8.2.jar -cp ./test-classes:./classes:./guava-31.0.1-jre.jar:./javax.inject-1.jar:./failureaccess-1.0.1.jar -m com.google.inject.spi.InjectionPointTest#testConstructorInjectionPoint

Adding -noverify will also avoid this issue, but may lead to Segmentation error vmState=0x00000000

We also tested this in HotSpot, and the buggy classfile leads to a VerifyError.

Diagnostic files

javacore.20220728.135359.622426.0002.txt
Snap.20220728.135359.622426.0003.zip

@pshipton
Member

@tajila fyi

@tajila
Contributor

tajila commented Jul 28, 2022

Failing thread

3XMTHREADINFO3           Java callstack:
4XESTACKTRACE                at com/google/inject/spi/InjectionPointTest.testConstructorInjectionPoint(InjectionPointTest.java:64)
4XESTACKTRACE                at jdk/internal/reflect/NativeMethodAccessorImpl.invoke0(Native Method)
4XESTACKTRACE                at jdk/internal/reflect/NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
4XESTACKTRACE                at jdk/internal/reflect/DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
4XESTACKTRACE                at java/lang/reflect/Method.invoke(Method.java:568)
4XESTACKTRACE                at junit/framework/TestCase.runTest(TestCase.java:177)
4XESTACKTRACE                at junit/framework/TestCase.runBare(TestCase.java:142)
4XESTACKTRACE                at junit/framework/TestResult$1.protect(TestResult.java:122)
4XESTACKTRACE                at junit/framework/TestResult.runProtected(TestResult.java:142)
4XESTACKTRACE                at junit/framework/TestResult.run(TestResult.java:125)
4XESTACKTRACE                at junit/framework/TestCase.run(TestCase.java:130)
4XESTACKTRACE                at junit/framework/TestSuite.runTest(TestSuite.java:241)
4XESTACKTRACE                at junit/framework/TestSuite.run(TestSuite.java:236)
4XESTACKTRACE                at org/junit/internal/runners/JUnit38ClassRunner.run(JUnit38ClassRunner.java:90)
4XESTACKTRACE                at org/junit/runner/JUnitCore.run(JUnitCore.java:137)
4XESTACKTRACE                at org/junit/runner/JUnitCore.run(JUnitCore.java:115)
4XESTACKTRACE                at org/junit/vintage/engine/execution/RunnerExecutor.execute(RunnerExecutor.java:42)
4XESTACKTRACE                at org/junit/vintage/engine/VintageTestEngine.executeAllChildren(VintageTestEngine.java:80)
4XESTACKTRACE                at org/junit/vintage/engine/VintageTestEngine.execute(VintageTestEngine.java:72)
4XESTACKTRACE                at org/junit/platform/launcher/core/EngineExecutionOrchestrator.execute(EngineExecutionOrchestrator.java:107)
4XESTACKTRACE                at org/junit/platform/launcher/core/EngineExecutionOrchestrator.execute(EngineExecutionOrchestrator.java:88)
4XESTACKTRACE                at org/junit/platform/launcher/core/EngineExecutionOrchestrator.lambda$execute$0(EngineExecutionOrchestrator.java:54)
4XESTACKTRACE                at org/junit/platform/launcher/core/EngineExecutionOrchestrator$$Lambda$233/0x00000000c4552398.accept(Bytecode PC:16)
4XESTACKTRACE                at org/junit/platform/launcher/core/EngineExecutionOrchestrator.withInterceptedStreams(EngineExecutionOrchestrator.java:67)
4XESTACKTRACE                at org/junit/platform/launcher/core/EngineExecutionOrchestrator.execute(EngineExecutionOrchestrator.java:52)
4XESTACKTRACE                at org/junit/platform/launcher/core/DefaultLauncher.execute(DefaultLauncher.java:114)
4XESTACKTRACE                at org/junit/platform/launcher/core/DefaultLauncher.execute(DefaultLauncher.java:86)
4XESTACKTRACE                at org/junit/platform/launcher/core/DefaultLauncherSession$DelegatingLauncher.execute(DefaultLauncherSession.java:86)
4XESTACKTRACE                at org/junit/platform/launcher/core/SessionPerRequestLauncher.execute(SessionPerRequestLauncher.java:53)
4XESTACKTRACE                at org/junit/platform/console/tasks/ConsoleTestExecutor.executeTests(ConsoleTestExecutor.java:66)
4XESTACKTRACE                at org/junit/platform/console/tasks/ConsoleTestExecutor.lambda$execute$0(ConsoleTestExecutor.java:58)
4XESTACKTRACE                at org/junit/platform/console/tasks/ConsoleTestExecutor$$Lambda$26/0x00000000c4454b50.call(Bytecode PC:8)
4XESTACKTRACE                at org/junit/platform/console/tasks/CustomContextClassLoaderExecutor.replaceThreadContextClassLoaderAndInvoke(CustomContextClassLoaderExecutor.java:41)
4XESTACKTRACE                at org/junit/platform/console/tasks/CustomContextClassLoaderExecutor.invoke(CustomContextClassLoaderExecutor.java:31)
4XESTACKTRACE                at org/junit/platform/console/tasks/ConsoleTestExecutor.execute(ConsoleTestExecutor.java:58)
4XESTACKTRACE                at org/junit/platform/console/ConsoleLauncher.executeTests(ConsoleLauncher.java:95)
4XESTACKTRACE                at org/junit/platform/console/ConsoleLauncher.execute(ConsoleLauncher.java:73)
4XESTACKTRACE                at org/junit/platform/console/ConsoleLauncher.execute(ConsoleLauncher.java:50)
4XESTACKTRACE                at org/junit/platform/console/ConsoleLauncher.execute(ConsoleLauncher.java:43)
4XESTACKTRACE                at org/junit/platform/console/ConsoleLauncher.main(ConsoleLauncher.java:37)
3XMTHREADINFO3           Native callstack:
4XENATIVESTACK               protectedBacktrace+0x16 (0x00007F4ECB8CCCD6 [libj9prt29.so+0x24cd6])
4XENATIVESTACK               omrsig_protect+0x241 (0x00007F4ECB8D1221 [libj9prt29.so+0x29221])
4XENATIVESTACK               omrintrospect_backtrace_thread_raw+0xc4 (0x00007F4ECB8CD1C4 [libj9prt29.so+0x251c4])
4XENATIVESTACK               omrsig_protect+0x241 (0x00007F4ECB8D1221 [libj9prt29.so+0x29221])
4XENATIVESTACK               omrintrospect_backtrace_thread+0x73 (0x00007F4ECB8CCB93 [libj9prt29.so+0x24b93])
4XENATIVESTACK               setup_native_thread+0x1e3 (0x00007F4ECB8CDFA3 [libj9prt29.so+0x25fa3])
4XENATIVESTACK               omrintrospect_threads_startDo_with_signal+0x427 (0x00007F4ECB8CEBD7 [libj9prt29.so+0x26bd7])
4XENATIVESTACK               omrsig_protect+0x241 (0x00007F4ECB8D1221 [libj9prt29.so+0x29221])
4XENATIVESTACK               _ZN18JavaCoreDumpWriter28writeThreadsWithNativeStacksEv+0x465 (0x00007F4ECA99CB15 [libj9dmp29.so+0x19b15])
4XENATIVESTACK               protectedWriteThreadsWithNativeStacks+0x11 (0x00007F4ECA99D2C1 [libj9dmp29.so+0x1a2c1])
4XENATIVESTACK               omrsig_protect+0x241 (0x00007F4ECB8D1221 [libj9prt29.so+0x29221])
4XENATIVESTACK               _ZN18JavaCoreDumpWriter18writeThreadSectionEv+0x14f (0x00007F4ECA9997EF [libj9dmp29.so+0x167ef])
4XENATIVESTACK               protectedWriteSection+0x21 (0x00007F4ECA994D61 [libj9dmp29.so+0x11d61])
4XENATIVESTACK               omrsig_protect+0x241 (0x00007F4ECB8D1221 [libj9prt29.so+0x29221])
4XENATIVESTACK               _ZN18JavaCoreDumpWriterC2EPKcP16J9RASdumpContextP14J9RASdumpAgent+0x3f7 (0x00007F4ECA995C87 [libj9dmp29.so+0x12c87])
4XENATIVESTACK               runJavadump+0x20 (0x00007F4ECA99FDF0 [libj9dmp29.so+0x1cdf0])
4XENATIVESTACK               doJavaDump+0x46 (0x00007F4ECA988626 [libj9dmp29.so+0x5626])
4XENATIVESTACK               protectedDumpFunction+0x19 (0x00007F4ECA987C49 [libj9dmp29.so+0x4c49])
4XENATIVESTACK               omrsig_protect+0x241 (0x00007F4ECB8D1221 [libj9prt29.so+0x29221])
4XENATIVESTACK               runDumpFunction+0x66 (0x00007F4ECA98B466 [libj9dmp29.so+0x8466])
4XENATIVESTACK               runDumpAgent+0x161 (0x00007F4ECA98B5F1 [libj9dmp29.so+0x85f1])
4XENATIVESTACK               triggerDumpAgents+0x38c (0x00007F4ECA9A23BC [libj9dmp29.so+0x1f3bc])
4XENATIVESTACK               triggerHit+0x10e (0x00007F4ECA96B3AE [libj9trc29.so+0x1d3ae])
4XENATIVESTACK               raiseAssertion+0xf1 (0x00007F4ECA95BDF1 [libj9trc29.so+0xddf1])
4XENATIVESTACK               doTracePoint+0x96e (0x00007F4ECA95F91E [libj9trc29.so+0x1191e])
4XENATIVESTACK               javaTrace+0xa0 (0x00007F4ECA957EE0 [libj9trc29.so+0x9ee0])
4XENATIVESTACK               unwrapBlockAndCheckTags+0x91 (0x00007F4ECB8C9111 [libj9prt29.so+0x21111])
4XENATIVESTACK               omrmem_free_memory+0x52 (0x00007F4ECB8C93C2 [libj9prt29.so+0x213c2])
4XENATIVESTACK               generateJ9RtvExceptionDetails+0x699 (0x00007F4EC991C149 [libj9vrb29.so+0x10149])
4XENATIVESTACK               j9bcv_createVerifyErrorString+0x332 (0x00007F4ECBB88672 [libj9vm29.so+0x158672])
4XENATIVESTACK               classInitStateMachine+0xab5 (0x00007F4ECBA513B5 [libj9vm29.so+0x213b5])
4XENATIVESTACK               resolveClassRef+0x2de (0x00007F4ECBAA199E [libj9vm29.so+0x7199e])
4XENATIVESTACK               _ZN32VM_BytecodeInterpreterCompressed3runEP10J9VMThread+0x12752 (0x00007F4ECBAD24F2 [libj9vm29.so+0xa24f2])
4XENATIVESTACK               bytecodeLoopCompressed+0xb8 (0x00007F4ECBABFD98 [libj9vm29.so+0x8fd98])
4XENATIVESTACK                (0x00007F4ECBB62232 [libj9vm29.so+0x132232])

@tajila
Contributor

tajila commented Jul 28, 2022

@ChengJin01 Can you please take a look at this

@ChengJin01
Contributor

  1. I reproduced the crash in a debug build with backtrace as follows:
#36 0x00007ffff75da768 in omrmem_free_memory (portLibrary=0x7ffff7a129d0 <j9portLibrary>, memoryPointer=0x7ffff05d6d30) at ../../omr/port/common/omrmemtag.c:205
#37 0x00007ffff5adfdd0 in releaseVerificationTypeBuffer (stackMapFrame=0x7ffff7a9b7a0, methodInfo=0x7ffff7a9b7e8) at errormessagehelper.c:809
#38 0x00007ffff5add7f8 in generateJ9RtvExceptionDetails (verifyData=0x7ffff00dfb20, initMsgBuffer=0x7ffff7a9b9d8 "\nException Details:\n  Location:\n    com/google/inject/spi/InjectionPoint.forMember(Lcom/google/inject/internal/Errors;Ljava/lang/reflect/Member;Lcom/google/inject/TypeLiteral;[Ljava/lang/reflect/Annot"..., msgBufferLength=0x7ffff7a9b980) at errormessageframeworkrtv.c:981
#39 0x00007ffff7895f98 in j9bcv_createVerifyErrorString (portLib=0x7ffff7a129d0 <j9portLibrary>, error=0x7ffff00dfb20) at vrfyhelp.c:832
#40 0x00007ffff770ea58 in performVerification (currentThread=0xc8200, clazz=0x517600) at ClassInitialization.cpp:188
#41 0x00007ffff770fd40 in classInitStateMachine (currentThread=0xc8200, clazz=0x517600, desiredState=J9_CLASS_INIT_INITIALIZED) at ClassInitialization.cpp:495
#42 0x00007ffff770f590 in initializeClass (currentThread=0xc8200, clazz=0x517600) at ClassInitialization.cpp:341
#43 0x00007ffff7827ef4 in resolveClassRef (vmStruct=0xc8200, ramCP=0x4598c0, cpIndex=12, resolveFlags=65) at resolvesupport.cpp:445


(gdb) frame 38
#38 0x00007ffff5add7f8 in generateJ9RtvExceptionDetails (verifyData=0x7ffff00dfb20, initMsgBuffer=0x7ffff7a9b9d8 "\nException Details:\n  Location:\n    com/google/inject/spi/InjectionPoint.forMember(Lcom/google/inject/internal/Errors;Ljava/lang/reflect/Member;Lcom/google/inject/TypeLiteral;[Ljava/lang/reflect/Annot"..., msgBufferLength=0x7ffff7a9b980) at errormessageframeworkrtv.c:981
981             releaseVerificationTypeBuffer(&stackMapFrameTarget, &methodInfo);

(gdb) printf  "%s\n",  msgBuf->buffer

Exception Details:
  Location:
    com/google/inject/spi/InjectionPoint.forMember(Lcom/google/inject/internal/Errors;Ljava/lang/reflect/Member;Lcom/google/inject/TypeLiteral;[Ljava/lang/reflect/AnnotatedType;[[Ljava/lang/annotation/Annotation;Ljava/util/function/Predicate;)Lcom/google/common/collect/ImmutableList; @905: JBgoto
  Reason:
    Current frame's stack size doesn't match stackmap.
  Current Frame:
    bci: @905
    flags: { }
    locals: { 'com/google/inject/spi/InjectionPoint', 'com/google/inject/internal/Errors', 'java/lang/reflect/Member', 'java/util/Iterator', '[Ljava/lang/reflect/AnnotatedType;', '[[Ljava/lang/annotation/Annotation;', 'java/util/function/Predicate', integer, integer, 'java/util/ArrayList', 'java/lang/reflect/AnnotatedType', 'com/google/inject/TypeLiteral', integer, '[Ljava/lang/annotation/Annotation;', '[Ljava/lang/annotation/Annotation;', 'com/google/inject/Key', integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, top, integer, integer, integer, integer, integer, integer, integer, integer, integer }
    stack: { }

which means the error message was successfully created & printed to the message buffer, but the crash occurred when releasing the stackmap frame memory afterwards at

#37 0x00007ffff5adfdd0 in releaseVerificationTypeBuffer (stackMapFrame=0x7ffff7a9b7a0, methodInfo=0x7ffff7a9b7e8) at errormessagehelper.c:809 <--------
#38 0x00007ffff5add7f8 in generateJ9RtvExceptionDetails (verifyData=0x7ffff00dfb20, initMsgBuffer=0x7ffff7a9b9d8 "\nException Details:\n  Location:\n    com/google/inject/spi/InjectionPoint.forMember(Lcom/google/inject/internal/Errors;Ljava/lang/reflect/Member;Lcom/google/inject/TypeLiteral;[Ljava/lang/reflect/Annot"..., msgBufferLength=0x7ffff7a9b980) at errormessageframeworkrtv.c:981

against the code in releaseVerificationTypeBuffer() at /runtime/verbose/errormessagehelper.c

releaseVerificationTypeBuffer(StackMapFrame* stackMapFrame, MethodContextInfo* methodInfo)
{
	if (NULL != stackMapFrame->entries) {
		PORT_ACCESS_FROM_PORT(methodInfo->portLib);
		j9mem_free_memory(stackMapFrame->entries); <---------
	}
}
  2. Looking at the error message above:
  Reason:
    Current frame's stack size doesn't match stackmap. <------

against the code in generateJ9RtvExceptionDetails() at /runtime/verbose/errormessageframeworkrtv.c

	case BCV_ERR_STACK_SIZE_MISMATCH:
		printMessage(&msgBuf, "Current frame's stack size doesn't match stackmap.");
		printStackFrame = setStackMapFrameWithIndex(verifyData, &methodInfo, &stackMapFrameTarget);
		break;

It seems the problem was triggered somewhere in setStackMapFrameWithIndex()

  3. Further debugging indicates that it failed to allocate the stackmap frame due to an unexpectedly huge requested size:
Thread 2 "main" hit Breakpoint 7, allocateMemoryToVerificationTypeBuffer (methodInfo=0x7ffff7a9b7e8, stackMapFrame=0x7ffff7a9b7a0, currentVerificationTypeEntry=0x7ffff05cd010, 
slotCount=18446744073709486134 <---- a huge size was requested when allocating memory for the stackmap frame
) at errormessagehelper.c:200
200                             currentVerificationTypeEntry = NULL; <-------
(gdb) bt
#0  allocateMemoryToVerificationTypeBuffer (methodInfo=0x7ffff7a9b7e8, stackMapFrame=0x7ffff7a9b7a0, currentVerificationTypeEntry=0x7ffff05cd010, slotCount=18446744073709486134) at errormessagehelper.c:200
#1  0x00007ffff5ade2a4 in pushTopTypeToVerificationTypeBuffer (methodInfo=0x7ffff7a9b7e8, stackMapFrame=0x7ffff7a9b7a0, currentVerificationTypeEntry=0x7ffff05cd010, slotCount=18446744073709486134) at errormessagehelper.c:219
#2  0x00007ffff5adf254 in decodeConstuctedStackMapFrameData (stackMapFrame=0x7ffff7a9b7a0, nextStackmapFrame=0x7ffff05f2af8 "\261\003", stackmapFrameIndex=36, methodInfo=0x7ffff7a9b7e8, verifyData=0x7ffff00dfb20) at errormessagehelper.c:558
#3  0x00007ffff5adecd0 in decodeStackmapFrameData (stackMapFrame=0x7ffff7a9b7a0, nextStackmapFrame=0x7ffff05f2900 "\250\003", stackmapFrameIndex=36, methodInfo=0x7ffff7a9b7e8, verifyData=0x7ffff00dfb20) at errormessagehelper.c:423
#4  0x00007ffff5adccfc in setStackMapFrameWithIndex (verifyData=0x7ffff00dfb20, methodInfo=0x7ffff7a9b7e8, targetFrame=0x7ffff7a9b7a0) at errormessageframeworkrtv.c:723
#5  0x00007ffff5add270 in generateJ9RtvExceptionDetails (verifyData=0x7ffff00dfb20, initMsgBuffer=0x7ffff7a9b9d8 "\nException Details:\n  Location:\n    com/google/inject/spi/InjectionPoint.forMember(Lcom/google/inject/internal/Errors;Ljava/lang/reflect/Member;Lcom/google/inject/TypeLiteral;[Ljava/lang/reflect/AnnotatedType;[[Ljava/lang/annotation/Annotation;Ljava/util/function/Predicate;)Lcom/google/common/collect/ImmutableList; @905: JBgoto\n  Reason:\n    Current frame's stack size doesn't match stackmap.", msgBufferLength=0x7ffff7a9b980) at errormessageframeworkrtv.c:872
...

(gdb) frame 2
#2  0x00007ffff5adf254 in decodeConstuctedStackMapFrameData (stackMapFrame=0x7ffff7a9b7a0, nextStackmapFrame=0x7ffff05f2af8 "\261\003", stackmapFrameIndex=36, methodInfo=0x7ffff7a9b7e8, verifyData=0x7ffff00dfb20) at errormessagehelper.c:558
558             currentVerificationTypeEntry = pushTopTypeToVerificationTypeBuffer(methodInfo, stackMapFrame, currentVerificationTypeEntry, maxLocals - stackMapFrame->numberOfLocals);
(gdb) p maxLocals
$31 = 53
(gdb) p stackMapFrame->numberOfLocals  <-------------
$32 = 65535

which means stackMapFrame->numberOfLocals was set to a wrong value in decodeConstuctedStackMapFrameData (the class version < 50 in which case the stackmaps are created internally based on the class bytecode)

  4. Looking at the code in decodeConstuctedStackMapFrameData() at /runtime/verbose/errormessagehelper.c
U_8*
decodeConstuctedStackMapFrameData(StackMapFrame* stackMapFrame, U_8* nextStackmapFrame, I_32 stackmapFrameIndex, MethodContextInfo* methodInfo, J9BytecodeVerificationData* verifyData)
{
	J9BranchTargetStack * targetStackmapFrame = BCV_INDEX_STACK((UDATA)stackmapFrameIndex);
	IDATA stackBaseIndex = targetStackmapFrame->stackBaseIndex; <------- stackBaseIndex is -1
	IDATA stackTopIndex = targetStackmapFrame->stackTopIndex;
	VerificationTypeInfo* currentVerificationTypeEntry = stackMapFrame->entries;
	U_16 maxStack = methodInfo->maxStack;
	U_16 maxLocals = methodInfo->maxLocals;
	IDATA lastIndex = stackBaseIndex - 1; <------- lastIndex  is -2 in such case
	IDATA slot = 0;
	IDATA dataTypeCode = DATATYPE_1_SLOT;
	BOOLEAN nonTopFound = FALSE;

	nextStackmapFrame = (U_8*)BCV_NEXT_STACK(targetStackmapFrame);

	stackMapFrame->bci = (U_16)targetStackmapFrame->pc;

	/* 'locals' on 'Stackmap Frame' */
	stackMapFrame->numberOfLocals = (U_16)(lastIndex + 1); <----- wrongly converted to 65535

(gdb) p  *targetStackmapFrame
$52 = {
  pc = 936,
  uninitializedThis = 0,
  stackBaseIndex = -1, <---------- (this is the default value when creating the stackmaps)
  stackTopIndex = -1,
  stackElements = {0}
}

which means there is no element in 'locals' and 'stack' in the current stackmap frame, a case the code above didn't handle at this point.
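To make the two conversions traced in the comment above concrete, here is an added stand-alone C example. It is not OpenJ9 code: the type names U_16/IDATA/UDATA are borrowed from the thread but their widths, the BranchTargetStack struct, and the buggy*/safe* functions are assumptions for illustration. It reproduces the arithmetic with the values from the gdb session (stackBaseIndex -1 becoming numberOfLocals 65535 through the U_16 cast, and maxLocals - numberOfLocals, 53 - 65535, wrapping to 18446744073709486134 when passed as an unsigned slot count), next to a guarded variant that treats the -1 sentinel as an empty frame and refuses a count larger than maxLocals. The guarded variant is the check an editor would want at this point, not the project's actual fix.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Type names borrowed from the thread; the widths are assumptions matching a
 * 64-bit (LP64) build, which is what the gdb session above was run on. */
typedef uint16_t U_16;
typedef int64_t  IDATA;
typedef uint64_t UDATA;

/* Constructed stand-in for the two J9BranchTargetStack fields read in the thread. */
typedef struct {
    IDATA stackBaseIndex;   /* -1 when the frame has no locals and no stack */
    IDATA stackTopIndex;
} BranchTargetStack;

/* Step 1, as in decodeConstuctedStackMapFrameData():
 *   lastIndex      = stackBaseIndex - 1
 *   numberOfLocals = (U_16)(lastIndex + 1)
 * For the empty-frame sentinel stackBaseIndex == -1 this is (U_16)(-1) == 65535. */
U_16 buggyNumberOfLocals(IDATA stackBaseIndex) {
    IDATA lastIndex = stackBaseIndex - 1;
    return (U_16)(lastIndex + 1);
}

/* Step 2, the slot count handed to pushTopTypeToVerificationTypeBuffer():
 *   maxLocals - numberOfLocals
 * Both U_16 operands promote to int, so 53 - 65535 == -65482, and converting
 * that negative int to the unsigned UDATA parameter yields
 * 2^64 - 65482 == 18446744073709486134, the value seen at the breakpoint. */
UDATA buggySlotCount(U_16 maxLocals, U_16 numberOfLocals) {
    return (UDATA)(maxLocals - numberOfLocals);
}

/* Guarded decode (an illustrative check, not the project's fix): a negative
 * stackBaseIndex means "no entries", and a base index beyond maxLocals is
 * reported as a malformed frame instead of being truncated to 16 bits. */
bool safeNumberOfLocals(const BranchTargetStack *frame, U_16 maxLocals, U_16 *out) {
    if (frame->stackBaseIndex < 0) {
        *out = 0;
        return true;
    }
    if (frame->stackBaseIndex > (IDATA)maxLocals) {
        return false;
    }
    *out = (U_16)frame->stackBaseIndex;
    return true;
}

/* Guarded slot count: refuse the subtraction when it would go negative,
 * so the caller never requests a wrapped-around allocation size. */
bool safeSlotCount(U_16 maxLocals, U_16 numberOfLocals, UDATA *out) {
    if (numberOfLocals > maxLocals) {
        return false;
    }
    *out = (UDATA)(maxLocals - numberOfLocals);
    return true;
}

int main(void) {
    BranchTargetStack frame = { -1, -1 };   /* the frame printed by "p *targetStackmapFrame" */
    U_16 maxLocals = 53;                      /* "p maxLocals" -> 53 */

    U_16 locals = buggyNumberOfLocals(frame.stackBaseIndex);
    printf("buggy numberOfLocals = %u\n", (unsigned)locals);             /* 65535 */
    printf("buggy slotCount      = %llu\n",
           (unsigned long long)buggySlotCount(maxLocals, locals));       /* 18446744073709486134 */

    U_16 safeLocals = 0;
    UDATA slots = 0;
    if (safeNumberOfLocals(&frame, maxLocals, &safeLocals)
        && safeSlotCount(maxLocals, safeLocals, &slots)) {
        printf("guarded: numberOfLocals = %u, slotCount = %llu\n",
               (unsigned)safeLocals, (unsigned long long)slots);         /* 0, 53 */
    }
    return 0;
}
```

The point the example makes is that a signed sentinel (-1) survives one narrowing cast as a legitimate-looking 16-bit count, and the next unsigned subtraction turns it into an allocation size of nearly 2^64; checking the sign before the cast and the ordering before the subtraction stops both steps.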

@ChengJin01
Contributor

ChengJin01 commented Jul 29, 2022

Looking at the Verification error message generated by HotSpot as follows:

jdk17_hotspot_openjdk/bin/java -jar ./junit-platform-console-standalone-1.8.2.jar -cp ./bug_file:./util:./test-classes:./classes:./guava-31.0.1-jre.jar:./javax.inject-1.jar:./failureaccess-1.0.1.jar -m com.google.inject.spi.InjectionPointTest#testConstructorInjectionPoint

Thanks for using JUnit! Support its development at https://junit.org/sponsoring
...
Failures (1):
  JUnit Vintage:InjectionPointTest:testConstructorInjectionPoint
    MethodSource [className = 'com.google.inject.spi.InjectionPointTest', methodName = 'testConstructorInjectionPoint', methodParameterTypes = '']
    => java.lang.VerifyError: Expecting a stackmap frame at branch target 71
Exception Details:
  Location:
    com/google/inject/spi/InjectionPoint.<init>(Lcom/google/inject/TypeLiteral;Ljava/lang/reflect/Field;Z)V @52: aload_1
  Reason:
    Expected stackmap frame at this location.
  Bytecode:
    0000000: 2ab7 0198 2a2c b502 3b2a 2bb5 0283 2a1d
...
    00000c0: b1                                     
  Exception Handler Table:
    bci [52, 68] => handler: 71
    bci [52, 68] => handler: 99

       com.google.inject.spi.InjectionPointTest.testConstructorInjectionPoint(InjectionPointTest.java:64)
       java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
...

which shows it captured the error with com/google/inject/spi/InjectionPoint.<init>, which is different from our error with com/google/inject/spi/InjectionPoint.forMember. It is most likely that there are multiple verification errors caused by different methods in the buggy class file, but the question is whether com/google/inject/spi/InjectionPoint.forMember was the first problematic method captured in our Verifier.

So there might be two issues with our code:

  1. we only need to fix up the issue with the crash if com/google/inject/spi/InjectionPoint.forMember was the first problematic method captured in our Verifier.
  2. if not the case, then the next step is to figure out whether com/google/inject/spi/InjectionPoint.<init> passed without any error being captured.

@ChengJin01
Contributor

FYI: @DanHeidinga

@ChengJin01
Contributor

I will be on vacation next week and get back to keep working on this issue.

@ChengJin01
Contributor

With my fix at ChengJin01@b557b59, the assertion was resolved and ended up with the expected error message as follows:

jdk17_openj9_build/bin/java -jar ./junit-platform-console-standalone-1.8.2.jar -cp ./bug_file:./util:./test-classes:./classes:./guava-31.0.1-jre.jar:./javax.inject-1.jar:./failureaccess-1.0.1.jar -m com.google.inject.spi.InjectionPointTest#testConstructorInjectionPoint

Thanks for using JUnit! Support its development at https://junit.org/sponsoring

╷
├─ JUnit Jupiter ✔
└─ JUnit Vintage ✔
   └─ InjectionPointTest ✔
      └─ testConstructorInjectionPoint ✘ JVMVRFY021 thrown object not throwable; class=com/google/inject/spi/InjectionPoint, method=forMember(Lcom/google/inject/internal/Errors;Ljava/lang/reflect/Member;Lcom/google/inject/TypeLiteral;[Ljava/lang/reflect/AnnotatedType;[[Ljava/lang/annotation/Annotation;Ljava/util/function/Predicate;)Lcom/google/common/collect/ImmutableList;, pc=905
               Exception Details:
                 Location:
                   com/google/inject/spi/InjectionPoint.forMember(Lcom/google/inject/internal/Errors;Ljava/lang/reflect/Member;Lcom/google/inject/TypeLiteral;[Ljava/lang/reflect/AnnotatedType;[[Ljava/lang/annotation/Annotation;Ljava/util/function/Predicate;)Lcom/google/common/collect/ImmutableList; @905: JBgoto
                 Reason:
                   Current frame's stack size doesn't match stackmap.
                 Current Frame:
                   bci: @905
                   flags: { }
                   locals: { 'com/google/inject/spi/InjectionPoint', 'com/google/inject/internal/Errors', 'java/lang/reflect/Member', 'java/util/Iterator', '[Ljava/lang/reflect/AnnotatedType;', '[[Ljava/lang/annotation/Annotation;', 'java/util/function/Predicate', integer, integer, 'java/util/ArrayList', 'java/lang/reflect/AnnotatedType', 'com/google/inject/TypeLiteral', integer, '[Ljava/lang/annotation/Annotation;', '[Ljava/lang/annotation/Annotation;', 'com/google/inject/Key', integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, top, integer, integer, integer, integer, integer, integer, integer, integer, integer }
                   stack: { }
                 Stackmap Frame (FallBack):
                   bci: @963
                   flags: { }
                   locals: { 'com/google/inject/spi/InjectionPoint', 'com/google/inject/internal/Errors', 'java/lang/reflect/Member', 'java/util/Iterator', '[Ljava/lang/reflect/AnnotatedType;', '[[Ljava/lang/annotation/Annotation;', 'java/util/function/Predicate', integer, integer, 'java/util/ArrayList', top, 'com/google/inject/TypeLiteral', integer, top, top, top, top, top, top, top, top, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, top, integer, integer, integer, integer, integer, integer, integer, integer, integer }
                   stack: { 'com/google/inject/ConfigurationException' }
                 Exception Handler Table:
                   bci [169, 722] => handler: 963
                   bci [169, 722] => handler: 1002

Failures (1):
  JUnit Vintage:InjectionPointTest:testConstructorInjectionPoint
    MethodSource [className = 'com.google.inject.spi.InjectionPointTest', methodName = 'testConstructorInjectionPoint', methodParameterTypes = '']
    => java.lang.VerifyError: JVMVRFY021 thrown object not throwable; class=com/google/inject/spi/InjectionPoint, method=forMember(Lcom/google/inject/internal/Errors;Ljava/lang/reflect/Member;Lcom/google/inject/TypeLiteral;[Ljava/lang/reflect/AnnotatedType;[[Ljava/lang/annotation/Annotation;Ljava/util/function/Predicate;)Lcom/google/common/collect/ImmutableList;, pc=905
Exception Details:
  Location:
    com/google/inject/spi/InjectionPoint.forMember(Lcom/google/inject/internal/Errors;Ljava/lang/reflect/Member;Lcom/google/inject/TypeLiteral;[Ljava/lang/reflect/AnnotatedType;[[Ljava/lang/annotation/Annotation;Ljava/util/function/Predicate;)Lcom/google/common/collect/ImmutableList; @905: JBgoto
  Reason:
    Current frame's stack size doesn't match stackmap.
  Current Frame:
    bci: @905
    flags: { }
    locals: { 'com/google/inject/spi/InjectionPoint', 'com/google/inject/internal/Errors', 'java/lang/reflect/Member', 'java/util/Iterator', '[Ljava/lang/reflect/AnnotatedType;', '[[Ljava/lang/annotation/Annotation;', 'java/util/function/Predicate', integer, integer, 'java/util/ArrayList', 'java/lang/reflect/AnnotatedType', 'com/google/inject/TypeLiteral', integer, '[Ljava/lang/annotation/Annotation;', '[Ljava/lang/annotation/Annotation;', 'com/google/inject/Key', integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, top, integer, integer, integer, integer, integer, integer, integer, integer, integer }
    stack: { }
  Stackmap Frame (FallBack): <-------- in a fallback status
    bci: @963
    flags: { }
    locals: { 'com/google/inject/spi/InjectionPoint', 'com/google/inject/internal/Errors', 'java/lang/reflect/Member', 'java/util/Iterator', '[Ljava/lang/reflect/AnnotatedType;', '[[Ljava/lang/annotation/Annotation;', 'java/util/function/Predicate', integer, integer, 'java/util/ArrayList', top, 'com/google/inject/TypeLiteral', integer, top, top, top, top, top, top, top, top, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, integer, top, integer, integer, integer, integer, integer, integer, integer, integer, integer }
    stack: { 'com/google/inject/ConfigurationException' }
  Exception Handler Table:
    bci [169, 722] => handler: 963
    bci [169, 722] => handler: 1002
       com.google.inject.spi.InjectionPointTest.testConstructorInjectionPoint(InjectionPointTest.java:64)
       java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
       java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
       java.base/java.lang.reflect.Method.invoke(Method.java:568)
       junit.framework.TestCase.runTest(TestCase.java:177)
       junit.framework.TestCase.runBare(TestCase.java:142)
       junit.framework.TestResult$1.protect(TestResult.java:122)
       junit.framework.TestResult.runProtected(TestResult.java:142)
       junit.framework.TestResult.run(TestResult.java:125)
       [...]

Test run finished after 504 ms
[         3 containers found      ]
[         0 containers skipped    ]
[         3 containers started    ]
...

which indicates the class (version <= 50) was verified with the older verifier (fallback). So it matches RI's output in the case of non-fallback by specifying -Xverify:nofallback:

jdk17_openj9/bin/java -Xverify:nofallback <-------
-jar ./junit-platform-console-standalone-1.8.2.jar -cp ./bug_file:./util:./test-classes:./classes:./guava-31.0.1-jre.jar:./javax.inject-1.jar:./failureaccess-1.0.1.jar -m com.google.inject.spi.InjectionPointTest#testConstructorInjectionPoint

Thanks for using JUnit! Support its development at https://junit.org/sponsoring

╷
├─ JUnit Jupiter ✔
└─ JUnit Vintage ✔
   └─ InjectionPointTest ✔
      └─ testConstructorInjectionPoint ✘ JVMVRFY021 thrown object not throwable; class=com/google/inject/spi/InjectionPoint, method=<init>(Lcom/google/inject/TypeLiteral;Ljava/lang/reflect/Field;Z)V, pc=51
               Exception Details:
                 Location:
                   com/google/inject/spi/InjectionPoint.<init>(Lcom/google/inject/TypeLiteral;Ljava/lang/reflect/Field;Z)V @51: JBastore3
                 Reason:
                   A stackmap frame is expected at branch target 71.
                 Exception Handler Table:
                   bci [52, 68] => handler: 71
                   bci [52, 68] => handler: 99

Failures (1):
  JUnit Vintage:InjectionPointTest:testConstructorInjectionPoint
    MethodSource [className = 'com.google.inject.spi.InjectionPointTest', methodName = 'testConstructorInjectionPoint', methodParameterTypes = '']
    => java.lang.VerifyError: JVMVRFY021 thrown object not throwable; class=com/google/inject/spi/InjectionPoint, method=<init>(Lcom/google/inject/TypeLiteral;Ljava/lang/reflect/Field;Z)V, pc=51
Exception Details:
  Location:
    com/google/inject/spi/InjectionPoint.<init>(Lcom/google/inject/TypeLiteral;Ljava/lang/reflect/Field;Z)V @51: JBastore3
  Reason:
    A stackmap frame is expected at branch target 71.
  Exception Handler Table:
    bci [52, 68] => handler: 71
    bci [52, 68] => handler: 99
       com.google.inject.spi.InjectionPointTest.testConstructorInjectionPoint(InjectionPointTest.java:64)
       java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
       java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
       java.base/java.lang.reflect.Method.invoke(Method.java:568)
       junit.framework.TestCase.runTest(TestCase.java:177)
       junit.framework.TestCase.runBare(TestCase.java:142)
       junit.framework.TestResult$1.protect(TestResult.java:122)
       junit.framework.TestResult.runProtected(TestResult.java:142)
       junit.framework.TestResult.run(TestResult.java:125)
       [...]

Test run finished after 738 ms
[         3 containers found      ]
[         0 containers skipped    ]
[         3 containers started    ]
...
[         1 tests failed          ]

@ChengJin01
Contributor

Hi @lochnagarr, please specify -Xverify:nofallback to enable the current Verifier in OpenJ9 if you'd like to see the same error message as Hotspot.

ChengJin01 added a commit to ChengJin01/openj9 that referenced this issue Aug 8, 2022
The change is to resolve the crash issue specific to a stackmap
frame without any element in 'locals' and 'stack' when allocating
the memory of stackmap frame in the error message framework during
the runtime verification.

Fixes: eclipse-openj9#15639

Signed-off-by: Cheng Jin <jincheng@ca.ibm.com>