Fix snapshot dump crash on stale jmethodID (PROF-14003)#460
Open
Fix snapshot dump crash on stale jmethodID (PROF-14003)#460
Conversation
DTLS initialisation for shared libraries calls calloc internally. If a profiler signal fires on a thread whose TLS block has not been set up yet while that thread is inside malloc, any thread_local access in the signal-handler path deadlocks on the allocator lock — manifesting as a crash in findLibraryByAddress. - Add findLibraryImpl.h: signal-handler-safe template using a plain static volatile int last-hit index (no thread_local, no TLS access) - Delegate Libraries::findLibraryByAddress to the template - Add libraries_ut.cpp: unit tests for known/null/invalid/cache paths Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
On JDK 8, jmethodIDs captured during profiling can refer to classes that are subsequently unloaded before the snapshot dump. The TOCTOU window between check_jmethodID() and the JVMTI calls could result in GetMethodDeclaringClass returning a jclass wrapping a garbage oop, causing GetClassSignature to crash in oopDesc::is_a(). Two mitigations: - In check_jmethodID_hotspot: add SafeAccess::isReadableRange() guard on the Klass before reading its class_loader_data field, catching freed/reclaimed Klass pages before returning true. - In fillJavaMethodInfo: add method_class != NULL guard after GetMethodDeclaringClass to prevent calling GetClassSignature with a null handle. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
CI Test ResultsRun: #24238697713 | Commit:
Status Overview
Legend: ✅ passed | ❌ failed | ⚪ skipped | 🚫 cancelled Summary: Total: 32 | Passed: 32 | Failed: 0 Updated: 2026-04-10 10:58:23 UTC |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What does this PR do?:
Fixes a crash in
Lookup::fillJavaMethodInfoduring snapshot dump when profiled jmethodIDs refer to classes that were subsequently unloaded. Two mitigations close the TOCTOU window:check_jmethodID_hotspot(vmStructs.cpp): Before readingclass_loader_datafrom thecpool_holderKlass pointer, verify the full memory range is still readable viaSafeAccess::isReadableRange. This catches freed/reclaimed Klass pages before JVMTI is called.fillJavaMethodInfo(flightRecorder.cpp): Addmethod_class != NULLguard afterGetMethodDeclaringClasssucceeds, preventingGetClassSignaturefrom being called with a null JNI handle.Motivation:
On JDK 1.8.0_472, profiling captures jmethodIDs in async signal handlers. By dump time, associated classes may have been unloaded.
GetMethodDeclaringClasscan return ajclasswrapping a stale/garbage oop, and the existing J9 sentinel guard (method_class != (jclass)-1) is bypassed on HotSpot (!VM::isOpenJ9()is always true). This causesGetClassSignatureto crash insideoopDesc::is_a().Crash trace:
#0 oopDesc::is_a() → #1 jvmti_GetClassSignature → #2 Lookup::fillJavaMethodInfoAdditional Notes:
This is a mitigation, not a complete fix. The TOCTOU window between
check_jmethodIDand the JVMTI calls is narrowed but not eliminated. A complete fix would require aClassUnloadlistener to eagerly invalidate cached jmethodIDs, which is a larger change. TheisReadableRangeguard covers the exact memory range accessed atcpool_holder + class_loader_data_offset.How to test the change?:
Reproducing the race reliably requires running under a class-loading-heavy workload on JDK 8 with frequent GC cycles during dump. The fix is a defensive guard; unit-level testing is not feasible without a test-only API that forces jmethodID staleness. CI should verify no regression in existing profiling tests.
For Datadog employees: