Customer reported a crash running SPECjAppServer2004 benchmark on Glassfish v2ur2-b04/OpenSolaris Nevada build snv_107/Nehalem EP.

I think this is a previously unreported bug in MacroAssembler::serialize_memory.

void MacroAssembler::serialize_memory(Register thread,
                                      Register tmp) {

  movl(tmp, thread);
  shrl(tmp, os::get_serialize_page_shift_count());
  andl(tmp, (os::vm_page_size() - sizeof(int)));

  Address index(noreg, tmp, Address::times_1);
  ExternalAddress page(os::get_memory_serialize_page());

  movptr(ArrayAddress(page, index), tmp);
}


It's storing a 64-bit quantity but only masking for an int.  In your faulting case we've got this:

;; fffffd7ffac6ff1d 81 e1 fc 0f 00 00       and    $0xffc,%ecx
;; fffffd7ffac6ff23 49 ba 00 00 e9 fd 7f fd ff ff mov    $0xfffffd7ffde90000,%r10
;; ---------------
;; fffffd7ffac6ff2d 49 89 0c 0a             mov    %rcx,(%r10,%rcx,1)

RCX=0x0000000000000ffc, R10=0xfffffd7ffde90000
siginfo:si_signo=SIGSEGV: si_errno=0, si_code=1 (SEGV_MAPERR), si_addr=0xfffffd7ffde91000;;

So we're crossing the boundary and accessing off the end of the page because of the 8 byte store.  It either needs to mask more or use smaller stores.
*** (#1 of 1): [ UNSAVED ]   xxxxx@xxxxx  
Posted Date : 2009-02-27 20:20:00.0

-XX:+UseMembar will use a membar instruction instead of the serialize page.

http://hg.openjdk.java.net/jdk7/hotspot-comp/hotspot/rev/19962e74284f
Posted Date : 2009-03-02 07:28:35.0