4th International Conference on Principles and Practices ... - MADOC
4th International Conference on Principles and Practices ... - MADOC
4th International Conference on Principles and Practices ... - MADOC
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
Heap protecti<strong>on</strong> for Java virtual machines<br />
Yuji Chiba<br />
Systems Development Laboratory, Hitachi, Ltd.<br />
1099 Ozenji, Asao, Kawasaki,<br />
Kanagawa, Japan<br />
yuji@sdl.hitachi.co.jp<br />
ABSTRACT<br />
Java virtual machine (JVM) crashes are often due to an invalid<br />
memory reference to the JVM heap. Before the bug<br />
that caused the invalid reference can be fixed, its locati<strong>on</strong><br />
must be identified. It can be in either the JVM implementati<strong>on</strong><br />
or the native library written in C language invoked from<br />
Java applicati<strong>on</strong>s. To help system engineers identify the locati<strong>on</strong>,<br />
we implemented a feature using page protecti<strong>on</strong> that<br />
prevents threads executing native methods from referring to<br />
the JVM heap. This feature protects the JVM heap during<br />
native method executi<strong>on</strong>, <strong>and</strong> when native method executi<strong>on</strong><br />
refers to the JVM heap invalidly, it interrupts the executi<strong>on</strong><br />
by generating a page-fault excepti<strong>on</strong> <strong>and</strong> then reports<br />
the locati<strong>on</strong> where the page-fault excepti<strong>on</strong> was generated.<br />
This helps the system engineer to identify the locati<strong>on</strong> of<br />
the bug in the native library. The runtime overhead for using<br />
this feature averaged 4.4% based <strong>on</strong> an estimati<strong>on</strong> using<br />
the SPECjvm98, SPECjbb2000, <strong>and</strong> JFCMark benchmark<br />
suites.<br />
Categories <strong>and</strong> Subject Descriptors<br />
D.3.4 [Programming Languages]: Processors—memory<br />
management<br />
General Terms<br />
Reliability, Languages<br />
1. INTRODUCTION<br />
Servers are being equipped with more <strong>and</strong> more memory,<br />
<strong>and</strong> some server applicati<strong>on</strong>s, such as applicati<strong>on</strong> servers,<br />
now use several gigabytes of memory for the heap. Therefore,<br />
if a server applicati<strong>on</strong> is executed <strong>on</strong> a 32-bit operating<br />
system (OS) that provides a 4-Gigabyte (GByte) logical address<br />
space for its processes, the server applicati<strong>on</strong> commits<br />
tens of percent of its logical address space as its heap. This<br />
reduces the use of page protecti<strong>on</strong>, which has l<strong>on</strong>g been used<br />
Permissi<strong>on</strong> to make digital or hard copies of all or part of this work for<br />
pers<strong>on</strong>al or classroom use is granted without fee provided that copies are<br />
not made or distributed for profit or commercial advantage <strong>and</strong> that copies<br />
bear this notice <strong>and</strong> the full citati<strong>on</strong> <strong>on</strong> the first page. To copy otherwise, to<br />
republish, to post <strong>on</strong> servers or to redistribute to lists, requires prior specific<br />
permissi<strong>on</strong> <strong>and</strong>/or a fee.<br />
PPPJ 2006, August 30 – September 1, 2006 Mannheim, Germany<br />
Copyright 2006 ACM ... ...$5.00.<br />
to detect invalid memory references, because most of the logical<br />
address space is committed as heap <strong>and</strong> is thus valid for<br />
reference.<br />
Developers of Java TM1 runtime envir<strong>on</strong>ments (JREs) often<br />
face this problem because server applicati<strong>on</strong>s running<br />
<strong>on</strong> them sometimes crash due to corrupted heap. If the engineer<br />
trying to debug the problem does find that the heap<br />
is corrupted, he or she will likely ask the JRE developer to<br />
perform the debugging, simply because the heap has been<br />
allocated by the JRE. The engineer will not suspect that<br />
the bug is in a server applicati<strong>on</strong> if the applicati<strong>on</strong> is implemented<br />
in Java, because Java does not permit invalid memory<br />
references. While the bug may be in native libraries<br />
used by the server applicati<strong>on</strong>s, the engineer may not ask a<br />
native library developer to perform the debugging because<br />
it is often not easy for an engineer to tell which native library<br />
c<strong>on</strong>tains the bug. This is because JRE may crash l<strong>on</strong>g<br />
after the bug corrupted the heap, so all that the engineer<br />
can tell from the core file of the crashed JRE process is that<br />
the heap is corrupted <strong>and</strong> that it had been allocated by the<br />
JRE.<br />
To cope with this problem, we implemented a JRE that<br />
uses page protecti<strong>on</strong> to protect its heap from invalid references<br />
due to bugs in the native libraries. The JRE protects<br />
its heap during native method executi<strong>on</strong>, <strong>and</strong> when the native<br />
method executi<strong>on</strong> refers to the heap invalidly 2 ,itinterrupts<br />
the executi<strong>on</strong> by generating a page-fault excepti<strong>on</strong> <strong>and</strong><br />
then reports the locati<strong>on</strong> where the page-fault excepti<strong>on</strong> was<br />
generated. This helps the engineer to identify which native<br />
library c<strong>on</strong>tains the bug.<br />
This heap protecti<strong>on</strong> feature permits a thread to write to<br />
the heap <strong>on</strong>ly when the thread is executing a Java method.<br />
When the thread calls a native method through the Java Native<br />
Interface[21] (JNI), it is not granted permissi<strong>on</strong> to write<br />
to the heap because our JNI implementati<strong>on</strong> deprives the<br />
thread of this permissi<strong>on</strong>. This protecti<strong>on</strong> feature c<strong>on</strong>trols<br />
permissi<strong>on</strong> to write to the heap by thread, while mainstream<br />
operating systems such as Windows R○3 <strong>and</strong> Linux R○4 c<strong>on</strong>trol<br />
1 Java <strong>and</strong> HotSpot are trademarks of Sun Microsystems,<br />
Inc. in the United States <strong>and</strong> other countries.<br />
2 Basically, native methods should refer to the JRE heap<br />
via the Java Native Interface (JNI). Any direct reference is<br />
invalid if the JNI implementati<strong>on</strong> does not permit native<br />
methods to refer directly to the body of a Java array, as<br />
that of HotSpot VM (jdk1.5.0 06) doesnot.<br />
3 Windows is a registered trademark of Microsoft Corporati<strong>on</strong><br />
in the United States <strong>and</strong> other countries.<br />
4 Linux is a trademark or a registered trademark of Linus<br />
Torvalds in the United States <strong>and</strong> other countries.<br />
103