OpenJDK crash in G1ParScanThreadState::copy_to_survivor_space

Solution Unverified - Updated

Environment

  • OpenJDK
    • 8
    • 11

Issue

  • JDK8 JVM has crashed with the following in the fatal error log:
#  SIGSEGV (0xb) at pc=0x00007f510e83bab3, pid=205542, tid=0x00007f510c1d4700
#
# JRE version: OpenJDK Runtime Environment (8.0_222-b10) (build 1.8.0_222-b10)
# Java VM: OpenJDK 64-Bit Server VM (25.222-b10 mixed mode linux-amd64 compressed oops)
# Problematic frame:
# V  [libjvm.so+0x5b4ab3]  G1ParScanThreadState::copy_to_survivor_space(InCSetState, oopDesc*, markOopDesc*)+0x2e3
...
Stack: [0x00007f510c0d5000,0x00007f510c1d5000],  sp=0x00007f510c1d36a0,  free space=1017k
Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
V  [libjvm.so+0x5b4ab3]  G1ParScanThreadState::copy_to_survivor_space(InCSetState, oopDesc*, markOopDesc*)+0x2e3
V  [libjvm.so+0x5b54ae]  G1ParScanThreadState::trim_queue()+0x59e
V  [libjvm.so+0x598db7]  G1ParEvacuateFollowersClosure::do_void()+0x37
V  [libjvm.so+0x5998e1]  G1ParTask::work(unsigned int) [clone .part.431]+0x491
V  [libjvm.so+0xae685a]  GangWorker::loop()+0xca
V  [libjvm.so+0x8c3a72]  java_start(Thread*)+0xf2
  • Backtrace:
#0  0x00007f6d5990a3d7 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:55
#1  0x00007f6d5990bac8 in __GI_abort () at abort.c:90
#2  0x00007f6d591a7b29 in os::abort (dump_core=<optimized out>)
    at /usr/src/debug/java-1.8.0-openjdk-1.8.0.222.b10-1.el7_7.x86_64/openjdk/hotspot/src/os/linux/vm/os_linux.cpp:1576
#3  0x00007f6d593b21f6 in VMError::report_and_die (this=this@entry=0x7f6d3bffdf90)
    at /usr/src/debug/java-1.8.0-openjdk-1.8.0.222.b10-1.el7_7.x86_64/openjdk/hotspot/src/share/vm/utilities/vmError.cpp:1107
#4  0x00007f6d591b1b75 in JVM_handle_linux_signal (sig=11, info=0x7f6d3bffe230, ucVoid=0x7f6d3bffe100, 
    abort_if_unrecognized=<optimized out>)
    at /usr/src/debug/java-1.8.0-openjdk-1.8.0.222.b10-1.el7_7.x86_64/openjdk/hotspot/src/os_cpu/linux_x86/vm/os_linux_x86.cpp:541
#5  0x00007f6d591a4ce8 in signalHandler (sig=11, info=0x7f6d3bffe230, uc=0x7f6d3bffe100)
    at /usr/src/debug/java-1.8.0-openjdk-1.8.0.222.b10-1.el7_7.x86_64/openjdk/hotspot/src/os/linux/vm/os_linux.cpp:4556
#6  <signal handler called>
#7  age (this=<error reading variable: Cannot access memory at address 0x2f8002268>)
    at /usr/src/debug/java-1.8.0-openjdk-1.8.0.222.b10-1.el7_7.x86_64/openjdk/hotspot/src/share/vm/oops/markOop.hpp:336
#8  next_state (age=<synthetic pointer>, m=0x2f8002268, state=..., this=0x7f6d3bffec50)
    at /usr/src/debug/java-1.8.0-openjdk-1.8.0.222.b10-1.el7_7.x86_64/openjdk/hotspot/src/share/vm/gc_implementation/g1/g1ParScanThreadState.cpp:193
#9  G1ParScanThreadState::copy_to_survivor_space (this=this@entry=0x7f6d3bffec50, state=..., 
    old=old@entry=0x6a6dde810, old_mark=0x2f8002268)
    at /usr/src/debug/java-1.8.0-openjdk-1.8.0.222.b10-1.el7_7.x86_64/openjdk/hotspot/src/share/vm/gc_implementation/g1/g1ParScanThreadState.cpp:213
#10 0x00007f6d58e984ae in do_oop_evac<unsigned int> (from=0x7f6d041524f0, p=0x666ed1df0, 
    this=0x7f6d3bffec50)
    at /usr/src/debug/java-1.8.0-openjdk-1.8.0.222.b10-1.el7_7.x86_64/openjdk/hotspot/src/share/vm/gc_implementation/g1/g1ParScanThreadState.inline.hpp:48
#11 deal_with_reference<unsigned int> (ref_to_scan=0x666ed1df0, this=0x7f6d3bffec50)
    at /usr/src/debug/java-1.8.0-openjdk-1.8.0.222.b10-1.el7_7.x86_64/openjdk/hotspot/src/share/vm/gc_implementation/g1/g1ParScanThreadState.inline.hpp:117
#12 dispatch_reference (ref=..., this=0x7f6d3bffec50)
    at /usr/src/debug/java-1.8.0-openjdk-1.8.0.222.b10-1.el7_7.x86_64/openjdk/hotspot/src/share/vm/gc_implementation/g1/g1ParScanThreadState.inline.hpp:126
#13 G1ParScanThreadState::trim_queue (this=this@entry=0x7f6d3bffec50)
    at /usr/src/debug/java-1.8.0-openjdk-1.8.0.222.b10-1.el7_7.x86_64/openjdk/hotspot/src/share/vm/gc_implementation/g1/g1ParScanThreadState.cpp:157
#14 0x00007f6d58e7bdb7 in G1ParEvacuateFollowersClosure::do_void (this=this@entry=0x7f6d3bffe8b0)
    at /usr/src/debug/java-1.8.0-openjdk-1.8.0.222.b10-1.el7_7.x86_64/openjdk/hotspot/src/share/vm/gc_implementation/g1/g1CollectedHeap.cpp:4609
#15 0x00007f6d58e7c8e1 in G1ParTask::work (this=0x7f6d382326a0, worker_id=3)
    at /usr/src/debug/java-1.8.0-openjdk-1.8.0.222.b10-1.el7_7.x86_64/openjdk/hotspot/src/share/vm/gc_implementation/g1/g1CollectedHeap.cpp:4784
#16 0x00007f6d593c985a in GangWorker::loop (this=0x7f6d54061800)
    at /usr/src/debug/java-1.8.0-openjdk-1.8.0.222.b10-1.el7_7.x86_64/openjdk/hotspot/src/share/vm/utilities/workgroup.cpp:329
#17 0x00007f6d591a6a72 in java_start (thread=0x7f6d54061800)
    at /usr/src/debug/java-1.8.0-openjdk-1.8.0.222.b10-1.el7_7.x86_64/openjdk/hotspot/src/os/linux/vm/os_linux.cpp:847
#18 0x00007f6d5a2d2ea5 in start_thread (arg=0x7f6d3bfff700) at pthread_create.c:307
#19 0x00007f6d599d29fd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
  • Code listing
331	
332	  // age operations
333	  markOop set_marked()   { return markOop((value() & ~lock_mask_in_place) | marked_value); }
334	  markOop set_unmarked() { return markOop((value() & ~lock_mask_in_place) | unlocked_value); }
335	
336	  uint    age()               const { return mask_bits(value() >> age_shift, age_mask); }
337	  markOop set_age(uint v) const {
338	    assert((v & ~age_mask) == 0, "shouldn't overflow age field");
339	    return markOop((value() & ~age_mask_in_place) | (((uintptr_t)v & age_mask) << age_shift));
340	  }
  • JDK11 fatal error log:
#  SIGSEGV (0xb) at pc=0x00007f72766ef19c, pid=583249, tid=583305
#
# JRE version: OpenJDK Runtime Environment 18.9 (11.0.11+9) (build 11.0.11+9-LTS)
# Java VM: OpenJDK 64-Bit Server VM 18.9 (11.0.11+9-LTS, mixed mode, sharing, tiered, compressed oops, g1 gc, linux-amd64)
# Problematic frame:
# V  [libjvm.so+0x7c419c]  G1ParScanThreadState::copy_to_survivor_space(InCSetState, oopDesc*, markOopDesc*)+0x37c
...
Current thread (0x00007f7234014000):  GCTaskThread "GC Thread#14" [stack: 0x00007f7218663000,0x00007f7218763000] [id=583305]

Stack: [0x00007f7218663000,0x00007f7218763000],  sp=0x00007f7218761b50,  free space=1018k
Native frames: (J=compiled Java code, A=aot compiled Java code, j=interpreted, Vv=VM code, C=native code)
V  [libjvm.so+0x7c419c]  G1ParScanThreadState::copy_to_survivor_space(InCSetState, oopDesc*, markOopDesc*)+0x37c
V  [libjvm.so+0x7c4a58]  G1ParScanThreadState::trim_queue()+0x438
V  [libjvm.so+0x784c4c]  G1ParEvacuateFollowersClosure::do_void()+0x15c
V  [libjvm.so+0x78a369]  G1ParTask::work(unsigned int)+0x199
V  [libjvm.so+0xeed56d]  GangWorker::loop()+0x5d
V  [libjvm.so+0xe5818c]  Thread::call_run()+0x15c
V  [libjvm.so+0xc0d406]  thread_native_entry(Thread*)+0xf6

Resolution

Resolution depends on what is causing the memory corruption.

There is a JDK11-specific issue, so if using JDK11, upgrade to 11.0.10+ to fix the following:

Root Cause

There appear to be many possible causes, so this crash is best treated as an indicator of general memory corruption rather than of a single defect.

JDK-8317577: JVM crash with G1ParScanThreadState::copy_to_survivor_space

Diagnostic Steps

Check the following in the fatal error log:

  • JDK version
  • Stack
  • Check if the crash is the result of dereferencing a null pointer (si_addr: 0x0000000000000000).

Get a core dump.
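
The checks listed above can be scripted when several fatal error logs need triage. The following is an added example, not part of the original solution or any Red Hat or OpenJDK tooling; the function name `triage` is hypothetical, and the `siginfo` line in the sample is constructed (the other sample lines are copied from the JDK8 log in the Issue section).

```python
import re

# Constructed sample: header and stack lines copied from the JDK8 log above;
# the siginfo line is constructed for illustration (not from the page).
SAMPLE_LOG = """\
#  SIGSEGV (0xb) at pc=0x00007f510e83bab3, pid=205542, tid=0x00007f510c1d4700
#
# JRE version: OpenJDK Runtime Environment (8.0_222-b10) (build 1.8.0_222-b10)
# Java VM: OpenJDK 64-Bit Server VM (25.222-b10 mixed mode linux-amd64 compressed oops)
# Problematic frame:
# V  [libjvm.so+0x5b4ab3]  G1ParScanThreadState::copy_to_survivor_space(InCSetState, oopDesc*, markOopDesc*)+0x2e3

siginfo: si_signo: 11 (SIGSEGV), si_code: 1 (SEGV_MAPERR), si_addr: 0x00000002f8002268

Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
V  [libjvm.so+0x5b4ab3]  G1ParScanThreadState::copy_to_survivor_space(InCSetState, oopDesc*, markOopDesc*)+0x2e3
V  [libjvm.so+0x5b54ae]  G1ParScanThreadState::trim_queue()+0x59e
V  [libjvm.so+0x598db7]  G1ParEvacuateFollowersClosure::do_void()+0x37
"""

SIGNATURE = "G1ParScanThreadState::copy_to_survivor_space"

def triage(text):
    """Extract the fields the diagnostic steps ask for from an hs_err log."""
    def first(pattern):
        m = re.search(pattern, text, re.MULTILINE)
        return m.group(1).strip() if m else None

    build = first(r"^# JRE version:.*\(build ([^)]+)\)")
    frame = first(r"^# Problematic frame:\n# \S+\s+\[[^\]]+\]\s+(.+?)(?:\+0x[0-9a-f]+)?$")
    si_addr = first(r"si_addr: (0x[0-9a-fA-F]+)")
    # Native (V/v/C) frames with the [lib+offset] prefix and +0x.. suffix removed.
    stack = re.findall(r"^[VvC]\s+\[[^\]]+\]\s+(.+?)\+0x[0-9a-f]+$", text, re.MULTILINE)
    return {
        "build": build,
        "frame": frame,
        "si_addr": si_addr,
        # True only when the faulting address is exactly zero.
        "null_deref": si_addr is not None and int(si_addr, 16) == 0,
        "stack": stack,
        "matches_signature": bool(frame) and SIGNATURE in frame,
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```
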
