8231197: Shenandoah: JVMTI heap walking cleanup crashes with NULL forwardee

shipilev · shipilev · commit f925696a0ce0 · 2019-09-19T20:26:51.000+02:00
Reviewed-by: zgu, rkennke
diff --git a/src/hotspot/share/gc/shenandoah/shenandoahCodeRoots.cpp b/src/hotspot/share/gc/shenandoah/shenandoahCodeRoots.cpp
@@ -316,7 +316,11 @@ void ShenandoahNMethod::assert_alive_and_correct() {
     oop *loc = _oops[c];
     assert(_nm->code_contains((address) loc) || _nm->oops_contains(loc), "nmethod should contain the oop*");
     oop o = RawAccess<>::oop_load(loc);
-    shenandoah_assert_correct_except(loc, o, o == NULL || heap->is_full_gc_move_in_progress());
+    shenandoah_assert_correct_except(loc, o,
+             o == NULL ||
+             heap->is_full_gc_move_in_progress() ||
+             (VMThread::vm_operation() != NULL) && (VMThread::vm_operation()->type() == VM_Operation::VMOp_HeapWalkOperation)
+    );
   }
 }
 
diff --git a/src/hotspot/share/gc/shenandoah/shenandoahHeap.cpp b/src/hotspot/share/gc/shenandoah/shenandoahHeap.cpp
@@ -1225,7 +1225,22 @@ class ObjectIterateScanRootClosure : public BasicOopIterateClosure {
     T o = RawAccess<>::oop_load(p);
     if (!CompressedOops::is_null(o)) {
       oop obj = CompressedOops::decode_not_null(o);
-      obj = ShenandoahBarrierSet::resolve_forwarded_not_null(obj);
+      oop fwd = (oop) ShenandoahForwarding::get_forwardee_raw_unchecked(obj);
+      if (fwd == NULL) {
+        // There is an odd interaction with VM_HeapWalkOperation, see jvmtiTagMap.cpp.
+        //
+        // That operation walks the reachable objects on its own, storing the marking
+        // wavefront in the object marks. When it is done, it calls the CollectedHeap
+        // to iterate over all objects to clean up the mess. When it reaches here,
+        // the Shenandoah fwdptr resolution code encounters the marked objects with
+        // NULL forwardee. Trying to act on that would crash the VM. Or fail the
+        // asserts, should we go for resolve_forwarded_pointer(obj).
+        //
+        // Therefore, we have to dodge it by doing the raw access to forwardee, and
+        // assuming the object had no forwardee, if that thing is NULL.
+      } else {
+        obj = fwd;
+      }
       assert(oopDesc::is_oop(obj), "must be a valid oop");
       if (!_bitmap->is_marked((HeapWord*) obj)) {
         _bitmap->mark((HeapWord*) obj);

Original file line number	Diff line number	Diff line change
`@@ -316,7 +316,11 @@ void ShenandoahNMethod::assert_alive_and_correct() {`
`316`	`316`	`oop *loc = _oops[c];`
`317`	`317`	`assert(_nm->code_contains((address) loc) \|\| _nm->oops_contains(loc), "nmethod should contain the oop*");`
`318`	`318`	`oop o = RawAccess<>::oop_load(loc);`
`319`		`- shenandoah_assert_correct_except(loc, o, o == NULL \|\| heap->is_full_gc_move_in_progress());`
	`319`	`+ shenandoah_assert_correct_except(loc, o,`
	`320`	`+ o == NULL \|\|`
	`321`	`+ heap->is_full_gc_move_in_progress() \|\|`
	`322`	`+ (VMThread::vm_operation() != NULL) && (VMThread::vm_operation()->type() == VM_Operation::VMOp_HeapWalkOperation)`
	`323`	`+ );`
`320`	`324`	`}`
`321`	`325`	`}`
`322`	`326`