Bug 713956 - valgrind causes jvm to crash
Summary: valgrind causes jvm to crash
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: valgrind
Version: 6.3
Hardware: x86_64
OS: Linux
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Jakub Jelinek
QA Contact: qe-baseos-tools-bugs
URL:
Whiteboard:
Depends On:
Blocks: 767244
Reported: 2011-06-16 21:31 UTC by Mike Millson
Modified: 2011-12-13 15:41 UTC (History)

Fixed In Version: valgrind-3.6.0-4.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 767244 (view as bug list)
Environment:
Last Closed: 2011-12-06 16:28:06 UTC
Target Upstream Version:


Attachments
Reproducer application. (889.24 KB, application/x-java-archive) - 2011-06-16 21:31 UTC, Mike Millson
Reproducer data. (252.29 KB, text/plain) - 2011-06-16 21:33 UTC, Mike Millson
valgrind output from reproducer. (596.72 KB, text/plain) - 2011-06-16 21:33 UTC, Mike Millson
Fatal error log running JBoss under valgrind trunk. (26.49 KB, text/plain) - 2011-06-16 22:03 UTC, Mike Millson
valgrind output from running JBoss on valgrind trunk. (864.23 KB, text/plain) - 2011-06-16 22:05 UTC, Mike Millson


Links
KDE Software Compilation 194402
KDE Software Compilation 279071
Red Hat Product Errata RHBA-2011:1651 (normal, SHIPPED_LIVE): valgrind bug fix and enhancement update, last updated 2011-12-06 00:50:27 UTC

Description Mike Millson 2011-06-16 21:31:53 UTC
Created attachment 505149 [details]
Reproducer application.

Description of problem:
When I try to run valgrind on a java application that uses nio, it causes the JVM to crash.


Version-Release number of selected component (if applicable):
valgrind-3.6.0-3.el6.x86_64

Steps to Reproduce:
1. Set java and javac to sun 1.6 or openjdk with alternatives.

2. valgrind  --trace-children=yes --leak-check=full --log-file=valgrind.log /etc/alternatives/java_sdk/bin/java -XX:-UseCompressedOops -jar garbagecat-1.0.0.jar gc.log
  
Actual results:
The jvm crashes with the following in the fatal error log:

#
# A fatal error has been detected by the Java Runtime Environment:
#
#  SIGILL (0x4) at pc=0x0000000005be4886, pid=13545, tid=90412800
#
# JRE version: 6.0_26-b03
# Java VM: Java HotSpot(TM) 64-Bit Server VM (20.1-b02 mixed mode linux-amd64 compressed oops)
# Problematic frame:
# v  ~RuntimeStub::resolve_opt_virtual_call
#
# If you would like to submit a bug report, please visit:
#   http://java.sun.com/webapps/bugreport/crash.jsp
#

---------------  T H R E A D  ---------------

Current thread (0x000000000458e800):  JavaThread "main" [_thread_in_Java, id=13547, stack(0x0000000005539000,0x000000000563a000)]

siginfo:si_signo=SIGILL: si_errno=0, si_code=1 (ILL_ILLOPC), si_addr=0x0000000005be4886

Registers:
RAX=0x00000000cbd46228, RBX=0x0000000000000000, RCX=0x0000000000000000, RDX=0x0000000000000000
RSP=0x00000000056379f0, RBP=0x0000000005637c80, RSI=0x00000000f0908510, RDI=0x0000000000000000
R8 =0x00000000f0908510, R9 =0x0000000000000000, R10=0x0000000000000000, R11=0x0000000000000000
R12=0x0000000000000000, R13=0x0000000000002000, R14=0x0000000005637d80, R15=0x000000000458e800
RIP=0x0000000005be4886, EFLAGS=0x0000000000000004, CSGSFS=0x0000000000000000, ERR=0x0000000000000000
  TRAPNO=0x0000000000000000

Top of Stack: (sp=0x00000000056379f0)

Instructions: (pc=0x0000000005be4886)
0x0000000005be4866:   28 4c 89 5c 24 20 4c 89 64 24 18 4c 89 6c 24 10
0x0000000005be4876:   4c 89 74 24 08 4c 89 3c 24 48 81 ec 00 02 00 00
0x0000000005be4886:   48 0f ae 04 24 49 89 a7 b0 01 00 00 49 8b ff e8
0x0000000005be4896:   86 4a 4d ff 49 ba 00 00 00 00 00 00 00 00 4d 89 

Register to memory mapping:

RAX=0x00000000cbd46228 is an oop
{method} 
 - klass: {other class}
RBX=0x0000000000000000 is an unknown value
RCX=0x0000000000000000 is an unknown value
RDX=0x0000000000000000 is an unknown value
RSP=0x00000000056379f0 is pointing into the stack for thread: 0x000000000458e800
RBP=0x0000000005637c80 is pointing into the stack for thread: 0x000000000458e800
RSI=0x00000000f0908510 is an oop
java.nio.HeapByteBuffer 
 - klass: 'java/nio/HeapByteBuffer'
RDI=0x0000000000000000 is an unknown value
R8 =0x00000000f0908510 is an oop
java.nio.HeapByteBuffer 
 - klass: 'java/nio/HeapByteBuffer'
R9 =0x0000000000000000 is an unknown value
R10=0x0000000000000000 is an unknown value
R11=0x0000000000000000 is an unknown value
R12=0x0000000000000000 is an unknown value
R13=0x0000000000002000 is an unknown value
R14=0x0000000005637d80 is pointing into the stack for thread: 0x000000000458e800
R15=0x000000000458e800 is a thread


Stack: [0x0000000005539000,0x000000000563a000],  sp=0x00000000056379f0,  free space=1018k
Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
v  ~RuntimeStub::resolve_opt_virtual_call


Expected results:
The jvm process should exit and valgrind display leak summary information.

Additional info:
Reproducer files, valgrind.log, and Java fatal error log attached.

Comment 2 Mike Millson 2011-06-16 21:33:03 UTC
Created attachment 505150 [details]
Reproducer data.

Comment 3 Mike Millson 2011-06-16 21:33:57 UTC
Created attachment 505151 [details]
valgrind output from reproducer.

Comment 4 Mike Millson 2011-06-16 21:36:54 UTC
This is apparently due to this (valgrind.log):
vex amd64->IR: unhandled instruction bytes: 0x48 0xF 0xAE 0x4 0x24 0x49

Compiling and running the latest valgrind 3.6.1 resolves this issue.

Comment 5 Mike Millson 2011-06-16 22:01:37 UTC
JBoss will not run on valgrind 3.6.1 or the valgrind trunk. It progresses much farther, but still causes the JVM to crash with the following in valgrind.log:

vex amd64->IR: unhandled instruction bytes: 0x66 0x48 0xF 0x38 0x17 0xC9 0x75 0x5C
==24209== valgrind: Unrecognised instruction at address 0x5c601b6.

And the following in the fatal error log:

#
# A fatal error has been detected by the Java Runtime Environment:
#
#  SIGILL (0x4) at pc=0x0000000005c601b6, pid=24209, tid=339650304
#
# JRE version: 6.0_26-b03
# Java VM: Java HotSpot(TM) 64-Bit Server VM (20.1-b02 mixed mode linux-amd64 compressed oops)
# Problematic frame:
# J  java.util.jar.Manifest.getAttributes(Ljava/lang/String;)Ljava/util/jar/Attributes;
#
# If you would like to submit a bug report, please visit:
#   http://java.sun.com/webapps/bugreport/crash.jsp
#

---------------  T H R E A D  ---------------

Current thread (0x000000000d6cc800):  JavaThread "main" [_thread_in_Java, id=24224, stack(0x00000000142ea000,0x00000000143eb000)]

siginfo:si_signo=SIGILL: si_errno=0, si_code=1 (ILL_ILLOPC), si_addr=0x0000000005c601b6

Registers:
RAX=0x000000000000000a, RBX=0x00000000a1206f60, RCX=0xffffffffffffffb0, RDX=0x0000000000000000
RSP=0x00000000143e7bd0, RBP=0x00000000a1207740, RSI=0x00000000a1206fc0, RDI=0x000000009f4eb9d8
R8 =0x000000009f4eb9e8, R9 =0x00000000a92e0e83, R10=0x0000000000000000, R11=0x000000000000002d
R12=0x0000000000000000, R13=0x00000000143e7c18, R14=0x0000000000000000, R15=0x000000000d6cc800
RIP=0x0000000005c601b6, EFLAGS=0x0000000000000081, CSGSFS=0x0000000000000000, ERR=0x0000000000000000
  TRAPNO=0x0000000000000000

Top of Stack: (sp=0x00000000143e7bd0)

Instructions: (pc=0x0000000005c601b6)
0x0000000005c60196:   e0 0f 83 e1 f0 74 45 48 8d 3c 0f 48 8d 34 0e 48
0x0000000005c601a6:   f7 d9 f3 0f 6f 0c 0f f3 0f 6f 04 0e 66 0f ef c8
0x0000000005c601b6:   66 48 0f 38 17 c9 75 5c 48 83 c1 10 75 e4 85 c0
0x0000000005c601c6:   74 4b f3 0f 6f 4c 07 f0 f3 0f 6f 44 06 f0 66 0f 

Register to memory mapping:

RAX=0x000000000000000a is an unknown value
RBX=0x00000000a1206f60 is an oop
[C 
 - klass: {type array char}
 - length: 45
RCX=0xffffffffffffffb0 is an unknown value
RDX=0x0000000000000000 is an unknown value
RSP=0x00000000143e7bd0 is pointing into the stack for thread: 0x000000000d6cc800
RBP=0x00000000a1207740 is an oop
java.util.HashMap$Entry 
 - klass: 'java/util/HashMap$Entry'
RSI=0x00000000a1206fc0 is an oop
[C 
 - klass: {type array char}
 - length: 45
RDI=0x000000009f4eb9d8 is an oop
[C 
 - klass: {type array char}
 - length: 45
R8 =0x000000009f4eb9e8 is an oop
java.lang.String 
 - klass: 'java/lang/String'
R9 =0x00000000a92e0e83 is an unallocated location in the heap
R10=0x0000000000000000 is an unknown value
R11=0x000000000000002d is an unknown value
R12=0x0000000000000000 is an unknown value
R13=0x00000000143e7c18 is pointing into the stack for thread: 0x000000000d6cc800
R14=0x0000000000000000 is an unknown value
R15=0x000000000d6cc800 is a thread


Stack: [0x00000000142ea000,0x00000000143eb000],  sp=0x00000000143e7bd0,  free space=1014k
Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
J  java.util.jar.Manifest.getAttributes(Ljava/lang/String;)Ljava/util/jar/Attributes;

Comment 6 Mike Millson 2011-06-16 22:03:52 UTC
Created attachment 505155 [details]
Fatal error log running JBoss under valgrind trunk.

Comment 7 Mike Millson 2011-06-16 22:05:08 UTC
Created attachment 505156 [details]
valgrind output from running JBoss on valgrind trunk.

Comment 8 Mike Millson 2011-06-16 22:06:53 UTC
To reproduce on JBoss EAP 5.1.0:
1) Make copy of JBOSS_HOME/server/SERVERCONF/product called "tmp".
2) /opt/valgrind-trunk/bin/valgrind --trace-children=yes --leak-check=full
--log-file=valgrind.log /etc/alternatives/java_sdk/bin/java
-Dprogram.name=run.sh -server -Xms1303m -Xmx1303m -XX:MaxPermSize=256m
-XX:MaxTenuringThreshold=0 -XX:+UseConcMarkSweepGC
-Dorg.jboss.resolver.warning=true -Dsun.rmi.dgc.client.gcInterval=3600000
-Dsun.rmi.dgc.server.gcInterval=3600000
-Dsun.lang.ClassLoader.allowArraySyntax=true -Djava.net.preferIPv4Stack=true
-Djava.endorsed.dirs=/home/mmillson/jboss/eap-5.1.0/jboss-as/lib/endorsed
-classpath
/home/mmillson/jboss/eap-5.1.0/jboss-as/bin/run.jar:/etc/alternatives/java_sdk/lib/tools.jar
org.jboss.Main -c tmp

Comment 9 Jakub Jelinek 2011-08-01 19:13:15 UTC
The first issue is KDE#194402, already fixed in valgrind 3.6.1.
The second issue is IMNSHO a JDK bug, see Fedora bug #720854, but it is possible to work around it in valgrind too, see KDE#279071.
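As an added illustration (not code from this bug, valgrind or the JDK), the decoder below maps the two "unhandled instruction bytes" lines quoted in comments 4 and 5 to their x86-64 mnemonics: the first is fxsave64 [rsp], a valid instruction that valgrind 3.6.0 could not decode, and the second is ptest xmm1, xmm1 carrying a REX.W prefix that PTEST does not use, which the hardware ignores but valgrind's VEX front end rejected, matching the JDK-side quirk comment 9 points at. Only these two instruction shapes are recognised; the log lines are the ones from the bug.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Pull the byte list out of a "vex amd64->IR: unhandled instruction bytes: ..." line. */
static size_t parse_vex_bytes(const char *line, uint8_t *out, size_t max) {
    const char *p = strstr(line, "bytes:");
    size_t n = 0;
    if (!p) return 0;
    p += strlen("bytes:");
    while (n < max) {
        char *end;
        unsigned long v = strtoul(p, &end, 16);   /* accepts "0xF", "0xAE", ... */
        if (end == p) break;
        out[n++] = (uint8_t)v;
        p = end;
    }
    return n;
}

/* Decode only the two instruction shapes this bug shows; a full decoder is out of scope. */
static const char *describe_insn(const uint8_t *b, size_t n, char *out, size_t outsz) {
    size_t i = 0;
    int opsize66 = 0, rex_w = 0, rex_r = 0, rex_b = 0;
    if (i < n && b[i] == 0x66) { opsize66 = 1; i++; }        /* legacy operand-size prefix */
    if (i < n && (b[i] & 0xF0) == 0x40) {                     /* REX prefix: 0100WRXB */
        rex_w = (b[i] >> 3) & 1; rex_r = (b[i] >> 2) & 1; rex_b = b[i] & 1; i++;
    }
    /* 0F AE /0 = FXSAVE m512byte; with REX.W it is FXSAVE64. ModRM 04 + SIB 24 = [rsp].
     * (The "48 81 ec 00 02 00 00" just before it in the crash dump is sub rsp,0x200,
     * reserving the 512-byte FXSAVE area.) */
    if (!rex_b && i + 3 < n && b[i] == 0x0F && b[i+1] == 0xAE && b[i+2] == 0x04 && b[i+3] == 0x24) {
        snprintf(out, outsz, "%s [rsp]", rex_w ? "fxsave64" : "fxsave");
        return out;
    }
    /* 66 0F 38 17 /r = PTEST xmm1, xmm2/m128; register form only. REX.W has no meaning here. */
    if (opsize66 && i + 3 < n && b[i] == 0x0F && b[i+1] == 0x38 && b[i+2] == 0x17 && (b[i+3] >> 6) == 3) {
        int reg = ((b[i+3] >> 3) & 7) | (rex_r << 3), rm = (b[i+3] & 7) | (rex_b << 3);
        snprintf(out, outsz, "ptest xmm%d, xmm%d%s", reg, rm, rex_w ? " (redundant REX.W)" : "");
        return out;
    }
    snprintf(out, outsz, "unknown");
    return out;
}

/* Does this valgrind log line decode to the expected mnemonic text? */
int vex_line_decodes_to(const char *line, const char *expected) {
    uint8_t bytes[16];
    char text[64];
    size_t n = parse_vex_bytes(line, bytes, sizeof bytes);
    return n > 0 && strcmp(describe_insn(bytes, n, text, sizeof text), expected) == 0;
}
```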

Comment 12 errata-xmlrpc 2011-12-06 16:28:06 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1651.html

