Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8181921

C2 crash in CountedLoopEndNode::loopnode() const+0x6f



    • Subcomponent:
    • Introduced In Build:
    • Introduced In Version:
    • Resolved In Build:
    • CPU:
    • OS:


      java version "1.8.0_131"
      Java(TM) SE Runtime Environment (build 1.8.0_131-b11)
      Java HotSpot(TM) 64-Bit Server VM (build 25.131-b11, mixed mode)

      Windows 8.1 (x64)

      When running my program, the HotSpot Java virtual machine crashes, prints error messages, and halts. However, this is pure Java code with nothing tricky, just multidimensional array indexing.

      The program does not access any out-of-bounds indexes, so it should not crash at all. Even if any indexes are potentially out of bounds, the JVM should throw ArrayIndexOutOfBoundsException, not crash at the native level.

      Also tested to crash:
      - Java SE 8 Update 121 x64 on Windows 8.1
      - Java SE 8 Update 131 x64 on Windows 8.1
      - Java SE 8 Update 131 x64 on Windows 7

      Also tested to not crash:
      - Java SE 8 Update 92 x64 on Windows 7
      - Java SE 8 Update 131 x64 on Windows 8.1 with "-Xint" option

      It seems a regression happened between Update 92 and Update 121.

      My uninformed guess is that I suspect that the JIT compiler is mishandling this piece of code:
          if (0 <= yy && yy < pixels.length && 0 <= xx && xx < pixels[yy].length)
              value = pixels[yy][xx];

      Also, it seems that the variables xreal and yreal are necessary for the crash. Tweaking some numerical constants (e.g. x < 80, y - 15) will also affect whether the JVM crashes or not. The numbers have already been reduced in magnitude compared to the first discovered crashing case.



      REGRESSION. Last worked in version 8u121

      Simply compile and run the code:
      - javac Buggy.java
      - java Buggy

      Expected behavior: All array accesses are in bounds, the program prints "-37.032725118435685", and exits cleanly.
      # A fatal error has been detected by the Java Runtime Environment:
      # EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x00000000719bdc7b, pid=3968, tid=0x0000000000000c34
      # JRE version: Java(TM) SE Runtime Environment (8.0_131-b11) (build 1.8.0_131-b11)
      # Java VM: Java HotSpot(TM) 64-Bit Server VM (25.131-b11 mixed mode windows-amd64 compressed oops)
      # Problematic frame:
      # V [jvm.dll+0x4bdc7b]
      # Failed to write core dump. Minidumps are not enabled by default on client versions of Windows
      # If you would like to submit a bug report, please visit:
      # http://bugreport.java.com/bugreport/crash.jsp

      --------------- T H R E A D ---------------

      Current thread (0x00000000257e0800): JavaThread "C2 CompilerThread1" daemon [_thread_in_native, id=3124, stack(0x0000000026f20000,0x0000000027020000)]

      siginfo: ExceptionCode=0xc0000005, reading address 0x000000000000002c

      RAX=0x000000002581c970, RBX=0x000000002581b0a0, RCX=0x00000000000001ff, RDX=0x000000002712b6f8
      RSP=0x000000002701bcb0, RBP=0x000000002712c500, RSI=0x0000000000000000, RDI=0x0000000000000000
      R8 =0x0000000000000002, R9 =0x0000000025835838, R10=0x00000000257cb5e0, R11=0x0000000000000004
      R12=0x000000002712cd40, R13=0x000000002701c230, R14=0x00000000000001ff, R15=0x0000000000000002
      RIP=0x00000000719bdc7b, EFLAGS=0x0000000000010246

      Top of Stack: (sp=0x000000002701bcb0)
      0x000000002701bcb0: 0000000025834c30 0000000000000000
      0x000000002701bcc0: 00000000271794c0 0000000000000080
      0x000000002701bcd0: 000000002701bdf8 00000000719be05a
      0x000000002701bce0: 000000002581b0a0 000000002712c500
      0x000000002701bcf0: 000000002701c230 00000000719f4d5a
      0x000000002701bd00: 0000000000000002 00000000258346e0
      0x000000002701bd10: 000000002701be48 000000002701bdd8
      0x000000002701bd20: 00000000258347c8 00000000719c3248
      0x000000002701bd30: 000000002701c230 00000000258346e0
      0x000000002701bd40: 000000002701c250 000000002701bdf8
      0x000000002701bd50: 0000000027174000 00000000257a7220
      0x000000002701bd60: 0000000000000003 0000000000000002
      0x000000002701bd70: 00000000257e49f0 000000002716a000
      0x000000002701bd80: 00000000257a7220 000000002701c230
      0x000000002701bd90: 000000002701bea0 00000000719c51fb
      0x000000002701bda0: 000000002701c230 000000002701bdf8

      Instructions: (pc=0x00000000719bdc7b)
      0x00000000719bdc5b: 10 83 78 18 03 75 0a 48 8b 40 08 48 8b 40 08 eb
      0x00000000719bdc6b: 03 48 8b c7 48 8b 40 08 b9 ff 01 00 00 48 8b 30
      0x00000000719bdc7b: 0f b7 46 2c 66 23 c1 b9 60 01 00 00 66 3b c1 75
      0x00000000719bdc8b: 48 48 8b 46 08 48 8b 40 10 48 85 c0 74 23 48 8b

      Register to memory mapping:

      RAX=0x000000002581c970 is an unknown value
      RBX=0x000000002581b0a0 is an unknown value
      RCX=0x00000000000001ff is an unknown value
      RDX=0x000000002712b6f8 is an unknown value
      RSP=0x000000002701bcb0 is pointing into the stack for thread: 0x00000000257e0800
      RBP=0x000000002712c500 is an unknown value
      RSI=0x0000000000000000 is an unknown value
      RDI=0x0000000000000000 is an unknown value
      R8 =0x0000000000000002 is an unknown value
      R9 =0x0000000025835838 is an unknown value
      R10=0x00000000257cb5e0 is an unknown value
      R11=0x0000000000000004 is an unknown value
      R12=0x000000002712cd40 is an unknown value
      R13=0x000000002701c230 is pointing into the stack for thread: 0x00000000257e0800
      R14=0x00000000000001ff is an unknown value
      R15=0x0000000000000002 is an unknown value

      Stack: [0x0000000026f20000,0x0000000027020000], sp=0x000000002701bcb0, free space=1007k
      Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
      V [jvm.dll+0x4bdc7b]
      V [jvm.dll+0x4be05a]
      V [jvm.dll+0x4c3248]
      V [jvm.dll+0x4c51fb]
      V [jvm.dll+0x4760a0]
      V [jvm.dll+0x476ed3]
      V [jvm.dll+0x4599f2]
      V [jvm.dll+0xa5de2]
      V [jvm.dll+0xa671f]
      V [jvm.dll+0x24537f]
      V [jvm.dll+0x29cc1a]
      C [msvcr100.dll+0x21d9f]
      C [msvcr100.dll+0x21e3b]
      C [KERNEL32.DLL+0x13d2]
      C [ntdll.dll+0x154e4]

      Current CompileTask:
      C2: 69 28 4 Buggy::blendPixels (149 bytes)

      --------------- P R O C E S S ---------------

      Java Threads: ( => current thread )
        0x000000002583e000 JavaThread "Service Thread" daemon [_thread_blocked, id=2712, stack(0x0000000027520000,0x0000000027620000)]
        0x00000000257e4000 JavaThread "C1 CompilerThread2" daemon [_thread_blocked, id=1752, stack(0x0000000027020000,0x0000000027120000)]
      =>0x00000000257e0800 JavaThread "C2 CompilerThread1" daemon [_thread_in_native, id=3124, stack(0x0000000026f20000,0x0000000027020000)]
        0x00000000257dd000 JavaThread "C2 CompilerThread0" daemon [_thread_blocked, id=3632, stack(0x0000000026e20000,0x0000000026f20000)]
        0x00000000257db800 JavaThread "Attach Listener" daemon [_thread_blocked, id=188, stack(0x0000000026d20000,0x0000000026e20000)]
        0x00000000257e7000 JavaThread "Signal Dispatcher" daemon [_thread_blocked, id=784, stack(0x0000000026c20000,0x0000000026d20000)]
        0x00000000257ca800 JavaThread "Finalizer" daemon [_thread_blocked, id=364, stack(0x0000000026a40000,0x0000000026b40000)]
        0x0000000002c5f000 JavaThread "Reference Handler" daemon [_thread_blocked, id=1948, stack(0x0000000026940000,0x0000000026a40000)]
        0x0000000002b70800 JavaThread "main" [_thread_in_Java, id=1692, stack(0x00000000029d0000,0x0000000002ad0000)]

      Other Threads:
        0x00000000257a7800 VMThread [stack: 0x0000000026840000,0x0000000026940000] [id=244]
        0x0000000027184800 WatcherThread [stack: 0x0000000027620000,0x0000000027720000] [id=3464]

      VM state:not at safepoint (normal execution)

      VM Mutex/Monitor currently owned by a thread: None

       PSYoungGen total 152576K, used 5242K [0x0000000716100000, 0x0000000720b00000, 0x00000007c0000000)
        eden space 131072K, 4% used [0x0000000716100000,0x000000071661eba8,0x000000071e100000)
        from space 21504K, 0% used [0x000000071f600000,0x000000071f600000,0x0000000720b00000)
        to space 21504K, 0% used [0x000000071e100000,0x000000071e100000,0x000000071f600000)
       ParOldGen total 348160K, used 0K [0x00000005c2200000, 0x00000005d7600000, 0x0000000716100000)
        object space 348160K, 0% used [0x00000005c2200000,0x00000005c2200000,0x00000005d7600000)
       Metaspace used 2599K, capacity 4486K, committed 4864K, reserved 1056768K
        class space used 284K, capacity 386K, committed 512K, reserved 1048576K

      Card table byte_map: [0x0000000012030000,0x0000000013020000] byte_map_base: 0x000000000f21f000

      Marking Bits: (ParMarkBitMap*) 0x0000000071d1c720
       Begin Bits: [0x0000000013ec0000, 0x000000001be38000)
       End Bits: [0x000000001be38000, 0x0000000023db0000)

      Polling page: 0x00000000029a0000

      CodeCache: size=245760Kb used=1113Kb max_used=1117Kb free=244646Kb
       bounds [0x0000000002c70000, 0x0000000002ee0000, 0x0000000011c70000]
       total_blobs=258 nmethods=27 adapters=145
       compilation: enabled

      Compilation events (10 events):
      Event: 0.047 Thread 0x00000000257e4000 nmethod 23 0x0000000002d84590 code [0x0000000002d84700, 0x0000000002d84908]
      Event: 0.048 Thread 0x00000000257e4000 24 3 java.lang.StringBuilder::append (8 bytes)
      Event: 0.048 Thread 0x00000000257e4000 nmethod 24 0x0000000002d83c10 code [0x0000000002d83d80, 0x0000000002d83f08]
      Event: 0.049 Thread 0x00000000257e4000 25 3 Buggy::blendPixels (149 bytes)
      Event: 0.049 Thread 0x00000000257e4000 nmethod 25 0x0000000002d82c10 code [0x0000000002d82de0, 0x0000000002d83910]
      Event: 0.052 Thread 0x00000000257e0800 26 4 Buggy::blendPixels (149 bytes)
      Event: 0.054 Thread 0x00000000257e0800 nmethod 26 0x0000000002d86b10 code [0x0000000002d86c80, 0x0000000002d872b8]
      Event: 0.054 Thread 0x00000000257dd000 27 % 4 Buggy::blendPixels @ 58 (149 bytes)
      Event: 0.057 Thread 0x00000000257dd000 nmethod 27% 0x0000000002d873d0 code [0x0000000002d87560, 0x0000000002d87a58]
      Event: 0.057 Thread 0x00000000257e0800 28 4 Buggy::blendPixels (149 bytes)

      GC Heap History (0 events):
      No events

      Deoptimization events (1 events):
      Event: 0.054 Thread 0x0000000002b70800 Uncommon trap: reason=predicate action=maybe_recompile pc=0x0000000002d87238 method=Buggy.blendPixels(II)D @ 58

      Internal exceptions (2 events):
      Event: 0.022 Thread 0x0000000002b70800 Exception <a 'java/lang/NoSuchMethodError': Method sun.misc.Unsafe.defineClass(Ljava/lang/String;[BII)Ljava/lang/Class; name or signature does not match> (0x0000000716107ca8) thrown at [C:\re\workspace\8-2-build-windows-amd64-cygwin\jdk8u131\8869\hotspot\
      Event: 0.022 Thread 0x0000000002b70800 Exception <a 'java/lang/NoSuchMethodError': Method sun.misc.Unsafe.prefetchRead(Ljava/lang/Object;J)V name or signature does not match> (0x0000000716107f90) thrown at [C:\re\workspace\8-2-build-windows-amd64-cygwin\jdk8u131\8869\hotspot\src\share\vm\prims

      Events (10 events):
      Event: 0.048 loading class java/security/BasicPermissionCollection done
      Event: 0.048 loading class sun/launcher/LauncherHelper$FXHelper
      Event: 0.048 loading class sun/launcher/LauncherHelper$FXHelper done
      Event: 0.048 loading class java/lang/Class$MethodArray
      Event: 0.048 loading class java/lang/Class$MethodArray done
      Event: 0.049 loading class java/lang/Void
      Event: 0.049 loading class java/lang/Void done
      Event: 0.054 Thread 0x0000000002b70800 Uncommon trap: trap_request=0xffffff86 fr.pc=0x0000000002d87238
      Event: 0.054 Thread 0x0000000002b70800 DEOPT PACKING pc=0x0000000002d87238 sp=0x0000000002acf5f0
      Event: 0.054 Thread 0x0000000002b70800 DEOPT UNPACKING pc=0x0000000002cb582a sp=0x0000000002acf590 mode 2

      Dynamic libraries:
      0x00007ff6b33f0000 - 0x00007ff6b3427000 C:\Program Files\Java\jdk1.8.0_131\bin\java.exe
      0x00007ffbd5d80000 - 0x00007ffbd5f2d000 C:\Windows\SYSTEM32\ntdll.dll
      0x00007ffbd54b0000 - 0x00007ffbd55ee000 C:\Windows\system32\KERNEL32.DLL
      0x00007ffbd3230000 - 0x00007ffbd3345000 C:\Windows\system32\KERNELBASE.dll
      0x00007ffbd1a60000 - 0x00007ffbd1aee000 C:\Windows\system32\apphelp.dll
      0x00007ffbb9ff0000 - 0x00007ffbba043000 C:\Windows\AppPatch\AppPatch64\AcGenral.DLL
      0x00007ffbd3860000 - 0x00007ffbd390a000 C:\Windows\system32\msvcrt.dll
      0x00007ffbd3200000 - 0x00007ffbd322e000 C:\Windows\system32\SspiCli.dll
      0x00007ffbd5c50000 - 0x00007ffbd5ca4000 C:\Windows\system32\SHLWAPI.dll
      0x00007ffbd3550000 - 0x00007ffbd36c7000 C:\Windows\system32\USER32.dll
      0x00007ffbd5a50000 - 0x00007ffbd5be4000 C:\Windows\system32\ole32.dll
      0x00007ffbd3910000 - 0x00007ffbd4e38000 C:\Windows\system32\SHELL32.dll
      0x00007ffbd24c0000 - 0x00007ffbd24e1000 C:\Windows\SYSTEM32\USERENV.dll
      0x00007ffbd5090000 - 0x00007ffbd513a000 C:\Windows\system32\ADVAPI32.dll
      0x00007ffbc9630000 - 0x00007ffbc964e000 C:\Windows\SYSTEM32\MPR.dll
      0x00007ffbd57b0000 - 0x00007ffbd58f0000 C:\Windows\system32\RPCRT4.dll
      0x00007ffbd5440000 - 0x00007ffbd5499000 C:\Windows\SYSTEM32\sechost.dll
      0x00007ffbd5140000 - 0x00007ffbd5352000 C:\Windows\SYSTEM32\combase.dll
      0x00007ffbd36d0000 - 0x00007ffbd381f000 C:\Windows\system32\GDI32.dll
      0x00007ffbd2ea0000 - 0x00007ffbd2eb5000 C:\Windows\SYSTEM32\profapi.dll
      0x00007ffbd1510000 - 0x00007ffbd15c2000 C:\Windows\SYSTEM32\SHCORE.dll
      0x00007ffbd3820000 - 0x00007ffbd3856000 C:\Windows\system32\IMM32.DLL
      0x00007ffbd58f0000 - 0x00007ffbd5a42000 C:\Windows\system32\MSCTF.dll
      0x00007ffbd0e00000 - 0x00007ffbd107b000 C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.18006_none_623f33d3ecbe86e8\COMCTL32.dll
      0x0000000071260000 - 0x0000000071332000 C:\Program Files\Java\jdk1.8.0_131\jre\bin\msvcr100.dll
      0x0000000071500000 - 0x0000000071d9c000 C:\Program Files\Java\jdk1.8.0_131\jre\bin\server\jvm.dll
      0x00007ffbc0340000 - 0x00007ffbc0349000 C:\Windows\SYSTEM32\WSOCK32.dll
      0x00007ffbc8c60000 - 0x00007ffbc8c82000 C:\Windows\SYSTEM32\WINMM.dll
      0x00007ffbcdf70000 - 0x00007ffbcdf7a000 C:\Windows\SYSTEM32\VERSION.dll
      0x00007ffbd54a0000 - 0x00007ffbd54a7000 C:\Windows\system32\PSAPI.DLL
      0x00007ffbd5bf0000 - 0x00007ffbd5c4a000 C:\Windows\system32\WS2_32.dll
      0x00007ffbc8c30000 - 0x00007ffbc8c5a000 C:\Windows\SYSTEM32\WINMMBASE.dll
      0x00007ffbd3400000 - 0x00007ffbd3409000 C:\Windows\system32\NSI.dll
      0x00007ffbd33b0000 - 0x00007ffbd33ff000 C:\Windows\SYSTEM32\cfgmgr32.dll
      0x00007ffbd1cd0000 - 0x00007ffbd1cf8000 C:\Windows\SYSTEM32\DEVOBJ.dll
      0x0000000071410000 - 0x000000007141f000 C:\Program Files\Java\jdk1.8.0_131\jre\bin\verify.dll
      0x00000000713e0000 - 0x0000000071409000 C:\Program Files\Java\jdk1.8.0_131\jre\bin\java.dll
      0x00000000713c0000 - 0x00000000713d6000 C:\Program Files\Java\jdk1.8.0_131\jre\bin\zip.dll
      0x00007ffbc0620000 - 0x00007ffbc07a9000 C:\Windows\SYSTEM32\dbghelp.dll

      VM Arguments:
      java_command: Buggy
      java_class_path (initial): .
      Launcher Type: SUN_STANDARD

      Environment Variables:
      PATH=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files (x86)\Common Files\Adobe\AGL;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Java\jdk1.8.0_131\bin;C:\Program Files\Python35;C:\Program Files (x86)\Portable\Utilities;C:\Windows\Microsoft.NET\Framework64\v4.0.30319
      PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 60 Stepping 3, GenuineIntel

      --------------- S Y S T E M ---------------

      OS: Windows 8.1 , 64 bit Build 9600 (6.3.9600.17415)

      CPU:total 4 (initial active 4) (4 cores per cpu, 1 threads per core) family 6 model 60 stepping 3, cmov, cx8, fxsr, mmx, sse, sse2, sse3, ssse3, sse4.1, sse4.2, popcnt, avx, avx2, aes, clmul, erms, lzcnt, tsc, tscinvbit, bmi1, bmi2

      Memory: 4k page, physical 33413128k(29389660k free), swap 33429512k(28245200k free)

      vm_info: Java HotSpot(TM) 64-Bit Server VM (25.131-b11) for windows-amd64 JRE (1.8.0_131-b11), built on Mar 15 2017 01:23:53 by "java_re" with MS VC++ 10.0 (VS2010)

      time: Mon Jun 12 00:47:05 2017
      elapsed time: 0 seconds (0d 0h 0m 0s)

      This bug can be reproduced always.

      ---------- BEGIN SOURCE ----------
      public class Buggy {
          public static void main(String[] args) {
              double sum = 0;
              for (int y = 0; y < 80; y++) {
                  for (int x = 0; x < 80; x++) {
                      sum += blendPixels(x, y - 15);
          private static double[][] pixels = new double[30][30];
          private static int filterLength = 4;
          private static double blendPixels(int x, int y) {
              int xstart = x - filterLength / 2;
              int xend = x + filterLength / 2;
              int ystart = y - filterLength / 2;
              int yend = y + filterLength / 2;
              double sum = 0;
              for (int yy = ystart; yy <= yend; yy++) {
                  double yreal = Math.sin(yy);
                  for (int xx = xstart; xx <= xend; xx++) {
                      double xreal = Math.sin(xx);
                      //Uncommenting the print will make the program not crash
                      //System.out.println(xx+" "+yy);
                      double value;
                      if (0 <= yy && yy < pixels.length && 0 <= xx && xx < pixels[yy].length)
                          value = pixels[yy][xx];
                          value = 1;
                      sum += value * xreal * yreal;
              return sum;
      ---------- END SOURCE ----------

      - Use interpreted mode, at a great cost to image processing speed.
      - Use the older version Java SE 8 Update 92, which runs this program without crashing.
      - Maybe change logic to use 1-dimension arrays?


        1. Buggy.java
          1 kB
        2. hs_err_pid77062.log
          34 kB
        3. hs_err_pid77062.log
          34 kB
        4. replay_pid77062.log
          74 kB

          Issue Links



              shshahma Shafi Ahmad (Inactive)
              webbuggrp Webbug Group
              0 Vote for this issue
              6 Start watching this issue