fix(engine): release worker buffers in coordinated close to avoid JVM crash on binding fault#1809
Merged
Merged
Conversation
jfallows
force-pushed
the
fix/engine-controlled-shutdown
branch
from
fecc804 to
a7b42c4
Compare
… crash on binding fault A hot-path binding exception is wrapped by EngineWorker.doWork as AgentTerminationException, terminating the worker agent. Agrona then runs onClose on the agent thread, which released the worker's memory-mapped buffers in advance. The engine-coordinated Engine.close() -> drain() then read that worker's unmapped streams ring buffer via Unsafe, causing a SIGSEGV / JVM abort. Defer all worker memory-mapped resource releases (targets, streamsLayout, bufferPoolLayout, debitors, creditor, eventWriter) from onClose to doClose's finally, which runs after the agent has stopped, so a self-terminated worker no longer unmaps buffers the engine or peer workers still reference. Engine.close also skips draining workers whose agent already terminated, which would otherwise spin until the drain timeout. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
jfallows
force-pushed
the
fix/engine-controlled-shutdown
branch
from
a7b42c4 to
6413eee
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
A hot-path binding exception (e.g. a null-exchange NPE in a client stream factory) is caught by
EngineWorker.doWorkand rethrown wrapped inAgentTerminationException, terminating the worker agent. Agrona'sAgentRunnerthen runs the agent'sonCloseon the agent thread, which released the worker's memory-mapped buffers in advance. The engine-coordinatedEngine.close()then callsdrain(), reading that worker's already-unmapped streams ring buffer viaUnsafe.getLongVolatile→ SIGSEGV / JVM abort (confirmed viahs_err_pidfatal-error log).The intended policy is preserved: an uncaught binding exception should stop the engine — but it must not also crash the JVM.
Fix
EngineWorker—onCloseno longer releases any memory-mapped resources. All releases (targets,streamsLayout,bufferPoolLayout,debitors,creditor,eventWriter) are deferred todoClose'sfinally, which runs on the engine thread afterrunner.close()has stopped the agent. A self-terminated worker therefore no longer unmaps buffers the engine — or peer workers (sharedcreditor/debitorbudget buffers) — still reference.Engine.close— skips draining a worker whose agent already terminated (!worker.runner().isClosed()); such a worker will never consume again, so draining it would otherwise spin until the 30s timeout.Validation
newStream): pre-fix → JVM abort (exit 134,hs_err_pid); post-fix → no crash, nohs_err, ~1.0s (no drain hang). The worker stops and the engine closes cleanly../mvnw verify -pl runtime/engine(unit +EngineIT+ jacoco + checkstyle): green on thedevelopbase.🤖 Generated with Claude Code