8327647: Occasional SIGSEGV in markWord::displaced_mark_helper() for SPECjvm2008 sunflow

[matias9927]

A misplaced memory barrier causes a very intermittent crash on on some aarch64 systems. This patch adds an appropriate LoadLoad barrier after a constant pool cache field entry is loaded. Verified with tier 1-5 tests.

---

Progress

• Change must be properly reviewed (1 review required, with at least 1 Reviewer)
• Change must not contain extraneous whitespace
• Commit message must refer to an issue

Issue

• JDK-8327647: Occasional SIGSEGV in markWord::displaced_mark_helper() for SPECjvm2008 sunflow (Bug - P2)

Reviewers

• Coleen Phillimore (@coleenp - Reviewer) ⚠️ Review applies to 4f976405
• Fei Yang (@RealFYang - Reviewer) ⚠️ Review applies to c4789510
• Dean Long (@dean-long - Reviewer)

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk.git pull/18477/head:pull/18477
$ git checkout pull/18477

Update a local copy of the PR:
$ git checkout pull/18477
$ git pull https://git.openjdk.org/jdk.git pull/18477/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 18477

View PR using the GUI difftool:
$ git pr show -t 18477

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/18477.diff

Webrev

Link to Webrev Comment

[bridgekeeper]

👋 Welcome back matsaave! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[openjdk]

@matias9927 This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

8327647: Occasional SIGSEGV in markWord::displaced_mark_helper() for SPECjvm2008 sunflow

Reviewed-by: coleenp, fyang, dlong

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 157 new commits pushed to the master branch:

• 819f3d6: 8330748: ByteArrayOutputStream.writeTo(OutputStream) pins carrier
• eb88343: 8331164: createJMHBundle.sh download jars fail when url needed to be redirected
• 9b423a8: 8330253: Remove verify_consistent_lock_order
• 4e42294: 8329004: Update Libpng to 1.6.43
• bdcc240: 8331087: Move immutable nmethod data from CodeCache
• 8b8fb64: 8324776: runtime/os/TestTransparentHugePageUsage.java fails with The usage of THP is not enough
• 151ef5d: 8330677: Add Per-Compilation memory usage to JFR
• 7272939: 8331200: Serial: Remove unused methods in SerialHeap
• 70d3f22: 8331175: Parallel: Remove VerifyRememberedSets
• 549bc6a: 8330685: ZGC: share barrier spilling logic
• ... and 147 more: https://git.openjdk.org/jdk/compare/9fd78022b19149ade40f92749f0b585ecfd41410...master

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

➡️ To integrate this PR with the above commit message to the master branch, type /integrate in a new comment.

[openjdk]

@matias9927 The following label will be automatically applied to this pull request:

• hotspot-compiler

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command.

[sunny868]

It is useless to use r0 here, so can we change it to noreg and eliminate the use of push(r0)/pop(r0)?

[RealFYang]

I also noticed this today while looking at the code and I was testing the following change:
unnecessary-tos-load-v2.diff.txt

@matias9927 : Can you add this extra change while you are on it? I think we should fix this for both performance and correctness reasons. The 8-byte push/pop would violate the AArch64 & RISC-V ABI which specifies that alignment of SP should always be 16 bytes [1][2].

[1] https://community.arm.com/arm-community-blogs/b/architectures-and-processors-blog/posts/using-the-stack-in-aarch32-and-aarch64
[2] https://github.com/riscv-non-isa/riscv-elf-psabi-doc/blob/master/riscv-cc.adoc

[matias9927]

Noted! I haven't been able to replicate the crash yet, but I think it will be worth moving forward with this patch as a matter of correctness.

[RealFYang]

Note that noreg is currently not properly handled / considered in load_resolved_field_entry. And it doesn't look nice to me to only check if tos_state with noreg in this function. That's why I replaced call to load_resolved_field_entry with seperate loads in my propsed fix.

[matias9927]

I didn't notice your message until just now, but you're right. I would prefer to use load_resolved_field_entry when possible but there are places where fields are loaded individually so I think it's fine.

[RealFYang]

All right. Another place in TemplateTable::fast_accessfield which might be worth turning into a load_resolved_field_entry call with noreg for tos_state for consistency [1][2]:

[1] https://github.com/openjdk/jdk/blob/master/src/hotspot/cpu/aarch64/templateTable_aarch64.cpp#L3169-L3170
[2] https://github.com/openjdk/jdk/blob/master/src/hotspot/cpu/riscv/templateTable_riscv.cpp#L3139-L3140

[coleenp]

I think this change should be limited to fixing the membar issue and the push/pop issue and limit refactoring to a new change if more is wanted, but maybe this could call load_resolved_field_entry with noreg for tos-state too.

[mlbridge]

Webrevs

• 05: Full - Incremental (a08af97f)
• 04: Full - Incremental (716a17cf)
• 03: Full - Incremental (c4789510)
• 02: Full - Incremental (f612f947)
• 01: Full - Incremental (4f976405)
• 00: Full (60925369)

[coleenp]

I'm wondering if this can be in load_field_entry at the end so we don't miss any callers. It might be a bit redundant with the ldar in the resolve_cache_and_index_for_field(), but that's for only the first time the field is resolved and in the interpreter, should not be an issue for performance.

[coleenp]

This handling of tos_state seems fine to me. Add a comment that the caller might not want to set type_offset as tos.

[coleenp]

/label add hotspot-runtime

[openjdk]

@coleenp
The hotspot-runtime label was successfully added.

[coleenp]

I think this looks really good.

[RealFYang]

The riscv part is still lacking one change:

diff --git a/src/hotspot/cpu/riscv/templateTable_riscv.cpp b/src/hotspot/cpu/riscv/templateTable_riscv.cpp
index 58f57f32b2f..e27b35e793f 100644
--- a/src/hotspot/cpu/riscv/templateTable_riscv.cpp
+++ b/src/hotspot/cpu/riscv/templateTable_riscv.cpp
@@ -2272,7 +2272,9 @@ void TemplateTable::load_resolved_field_entry(Register obj,
   __ load_unsigned_byte(flags, Address(cache, in_bytes(ResolvedFieldEntry::flags_offset())));

   // TOS state
-  __ load_unsigned_byte(tos_state, Address(cache, in_bytes(ResolvedFieldEntry::type_offset())));
+  if (tos_state != noreg) {
+    __ load_unsigned_byte(tos_state, Address(cache, in_bytes(ResolvedFieldEntry::type_offset())));
+  }

   // Klass overwrite register
   if (is_static) {

[RealFYang]

Suggestion: // X11: field offset, X12: field holder, X13: flags

[RealFYang]

Updated change LGTM. I didn't see any issue when running SPECjvm2008 sunflow overnight on my 64-core linux-aarch64 server.

[theRealAph]

This is rather unclear. Where is the bytecode load to which this comment refers?

[matias9927]

This comment was above all the other uses of membar and was just moved here for convenience. The "bytecode load" being referred to here is InterpreterMacroAssembler::dispatch_next. The bytecode loading could be scheduled before the cache entry is resolved.

[theRealAph]

The comment at the stop says "This patch adds an appropriate LoadLoad barrier after a constant pool cache field entry is loaded." But this seems to be before the constant pool cache field entry is loaded.

[coleenp]

I think what this wants to say is that when you've loaded the pointer to the ResolvedFieldEntry in 'cache', previous memory operations have been synched before the fields in the resolved entry are read. I'm looking for a different word than synched.

[theRealAph]

Suggested change

[dean-long]

If I understand correctly, the order of writes must be:

1. ResolvedFieldEntry fields, except _get_code and _put_code
2. _get_code, _put_code
3. patch_bytecode(fast_bytecode)

so the order of reads must be reversed. That's why there are load-acquires when reading _get_code and _put_code.
After [3] is done, after dispatching to fast_bytecode, we need to do a LoadLoad between the already read fast bytecode [3] and the "cache" fields [1]. The LoadLoad is not for the load of the next bytecode that will be done in dispatch_next().

[theRealAph]

If I understand correctly, the order of writes must be:

1. ResolvedFieldEntry fields, except _get_code and _put_code

So, release fence here?

2. _get_code, _put_code

and another here

3. patch_bytecode(fast_bytecode)

so the order of reads must be reversed. That's why there are load-acquires when reading _get_code and _put_code. After [3] is done, after dispatching to fast_bytecode, we need to do a LoadLoad between the already read fast bytecode [3] and the "cache" fields [1]. The LoadLoad is not for the load of the next bytecode that will be done in dispatch_next().

So, I guess the loadload fence being inserted here is the one we need between [2] and [3].

[coleenp]

There are two threads though:
t1: 1. write resolved fields
2. release_store get_code/put_code
3. patch bytecode to fastpath (should this be a release_store?)

but t2: 1. reads patched_bytecode
2. goes fastpath
3. loads pointer to cpCache entry for Resolved fields assuming they've been written in order
4. gets a resolved field

So the patch puts the LoadLoad membar between 2 and 3 because t2 is the thread that's loading the information. Would a LoadLoad barrier executed by t1 help?

[dean-long]

There are two threads though:
t1: 1. write resolved fields
2. release_store get_code/put_code
3. patch bytecode to fastpath (should this be a release_store?)

Yes, I think you need a release_store for 3, because 2 happened in the same thread. If 2 and 3 happened in different threads, then maybe it could be avoid, but that seems risky.

but t2: 1. reads patched_bytecode
2. goes fastpath
3. loads pointer to cpCache entry for Resolved fields assuming they've been written in order
4. gets a resolved field

So the patch puts the LoadLoad membar between 2 and 3 because t2 is the thread that's loading the information. Would a LoadLoad barrier executed by t1 help?

I don't see how t1 doing a LoadLoad helps. The LoadLoad needs to go anywhere between 1 and 4.

[dean-long]

So, I guess the loadload fence being inserted here is the one we need between [2] and [3].

The way I would say it is we need a LoadLoad betwen [3] and [2] or between [3] and [1]. The code assumes that if it is a fast bytecode, then it can read [1] without checking [2] again.

[coleenp]

Dean, can you change your numbers to say which thread? In the code someone has written that you need a LoadLoad between t2's [t2-3] and [t2-4] because t2 assumes that it's a fast path, so writes to the ResolvedFieldEntry [t1-2] are complete. The missing LoadLoad there was the cause of the crash anyway.

[theRealAph]

My confusion is because @dean-long said

_If I understand correctly, the order of writes must be:

ResolvedFieldEntry fields, except _get_code and _put_code
_get_code, _put_code
patch_bytecode(fast_bytecode)_

therefore, if that ordering must be maintained, we'll need two store fences. And on the reading side, we'll need two load fences. If that total order is more than is necessary, OK.

[dean-long]

I don't think t2-3 does any loads that need to be ordered, so the LoadLoad could be done earlier, anywhere between t2-1 and t2-4.

[dean-long]

And on the reading side, we'll need two load fences. If that total order is more than is necessary, OK.

On the read side, I don't think we read _get_code or _put_code for the fast bytecode path, so that's why there is only one barrier needed.

[coleenp]

Yes, the fast path assumes that put_code and get_code are already set since we're in the fast path. For this patch, t2 (the reader) has the LoadLoad membar between t2-3 and t2-4. I assume it doesn't matter where, but there were a few places where we loaded the pointer to ResolvedFieldEntry that had the LoadLoad membar. The bug was because one was missing. That's why I thought it should be moved to inside of load_field_entry, so that all readers would have the membar. There were also some fast-path jvmti cases where the membar was missing.

Above, my step t2-3 is loading a pointer to the ResolvedFieldEntry, ie: ResolvedFieldEntry* cache = ResolvedFieldEntry->at(index)

t2-4 is loading cache->flags, tos, and offset

[matias9927]

If I understand correctly, it seems like we agree on where the membar belongs, is this right @dean-long? The current placement of the LoadLoad barrier inside load_field_entry seems to be sufficient, and to reiterate information from the description, tier 1-5 test results look clean.

[dean-long]

@matias9927, yes that's right. But I agree with earlier reviewer comments that the comment above the LoadLoad could be improved. To me it's helpful to think of this as a kind of self-modifying code. We had a slow bytecode that used the operands in a certain way. Then we changed the opcode to a fast bytecode that uses the operands to access newly initialized data outside the bytecode stream. The LoadLoad makes sure we don't read any of the newly initialized data before we read that the bytecode has been changed to the fast version.

[matias9927]

@theRealAph @dean-long how about replacing the comment with this:

// Prevents stale data from being read by another thread after the bytecode is patched to the fast bytecode

[dean-long]

OK, except for the "another thread" part. The reads are done in the current thread, so that's the thread the barrier is for.

// Prevents stale data from being read after the bytecode is patched to the fast bytecode

[sunny868]

if we put LoadLoad in here, maybe it is redundant for TemplateTable::patch_bytecode(..)

jdk/src/hotspot/cpu/aarch64/templateTable_aarch64.cpp

Line 192 in a08af97

__ load_field_entry(temp_reg, bc_reg);

because there has a Load-acquire in L199.
can we change
load_field_entry(Register cache, Register index, int bcp_offset = 1)
to
load_field_entry(Register cache, Register index, int bcp_offset = 1, bool needLoadLoad = 1) ?

then change L192 like this

@@ -189,7 +189,7 @@ void TemplateTable::patch_bytecode(Bytecodes::Code bc, Register bc_reg,
       // additional, required work.
       assert(byte_no == f1_byte || byte_no == f2_byte, "byte_no out of range");
       assert(load_bc_into_bc_reg, "we use bc_reg as temp");
-      __ load_field_entry(temp_reg, bc_reg);
+      __ load_field_entry(temp_reg, bc_reg, 1 /*bcp_offset*/, false /*needLoadLoad*/);
       if (byte_no == f1_byte) {
         __ lea(temp_reg, Address(temp_reg, in_bytes(ResolvedFieldEntry::get_code_offset())));
       } else {
         __ lea(temp_reg, Address(temp_reg, in_bytes(ResolvedFieldEntry::put_code_offset())));
       }                                                                         
       // Load-acquire the bytecode to match store-release in ResolvedFieldEntry::fill_in()
       __ ldarb(temp_reg, temp_reg);

[dean-long]

I believe patch_bytecode only needs a LoadStore between reading the cache bytecode and patching at bcp[0], so I would agree the LoadLoad in load_field_entry is not needed here. But the reason is not because we have already load-acquire. The reason is because there are not two loads that need ordering. There is only a load and a store. We can't replace the load-acquire with a LoadLoad, for example.

[coleenp]

The LoadLoad in load_field_entry is needed for the second thread that (t2-1) loads the patched bytecode, and then (t2-2) loads the pointer to the cpCache entry for field, then (t2-3) loads the values from the cpCache entry pointer. The LoadLoad is between t2-2 and t2-3.

The ldarb in patch_bytecode does make the LoadLoad in load_field_entry redundant as pointed out by @sunny868 but seems harmless in terms of performance and correctness, ie. not needing a special parameter.

The reason that it's in load_field_entry is that there are other callers who do not load acquire the get_code and put_code fields. So it's safer and less error prone to forget with it in load_field_entry.

[matias9927]

Thank you for the reviews and detailed discussion @dean-long @coleenp @sunny868 @RealFYang!

I think it is best to move forward with the current design. If we do find that the unneeded LoadLoad negatively impacts performance, I will follow up with an appropriate fix.

/integrate

[openjdk]

Going to push as commit 9ce21d1.
Since your change was applied there have been 167 commits pushed to the master branch:

• 130f71c: 8326742: Change compiler tests without additional VM flags from @run driver to @run main
• f4caac8: 8329138: Convert JFR FileForceEvent to static mirror event
• 2cc8ecc: 8331346: Update PreviewFeature of STREAM_GATHERERS to JEP-473
• 33e8122: 8331410: Remove unused MemAllocator::mem_allocate_inside_tlab
• 22a1c61: 8330817: jdk/internal/vm/Continuation/OSRTest.java times out on libgraal
• ef4ec2d: 8331284: Inline methods in softRefPolicy.cpp
• cff841f: 8328934: Assert that ABS input and output are legal
• 0630bb0: 8331264: Reduce java.lang.constant initialization overhead
• 60b61e5: 8331298: avoid alignment checks in UBSAN enabled build
• b128bd7: 8331021: Deprecate and then obsolete the DontYieldALot flag
• ... and 157 more: https://git.openjdk.org/jdk/compare/9fd78022b19149ade40f92749f0b585ecfd41410...master

Your commit was automatically rebased without conflicts.

[openjdk]

@matias9927 Pushed as commit 9ce21d1.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.