openjdk · tstuefe · Jul 8, 2025 · Jul 8, 2025 · Jul 9, 2025 · Jul 9, 2025
diff --git a/src/hotspot/share/gc/shenandoah/shenandoahAsserts.cpp b/src/hotspot/share/gc/shenandoah/shenandoahAsserts.cpp
@@ -269,7 +269,15 @@ void ShenandoahAsserts::assert_correct(void* interior_loc, oop obj, const char*
   // We want to check class loading/unloading did not corrupt them.
 
   if (Universe::is_fully_initialized() && (obj_klass == vmClasses::Class_klass())) {
-    Metadata* klass = obj->metadata_field(java_lang_Class::klass_offset());
+    // During class redefinition the old Klass gets reclaimed and the old mirror oop's Klass reference
+    // nulled out (hence the "klass != nullptr" condition below). However, the mirror oop may have been
+    // forwarded if we are in the mids of an evacuation. In that case, the forwardee's Klass reference
+    // is nulled out. The old, forwarded, still still carries the old invalid Klass pointer. It will be
+    // eventually collected.
+    // This checking code may encounter the old copy of the mirror, and its referee Klass pointer may
+    // already be reclaimed and therefore be invalid. We must therefore check the forwardee's Klass
+    // reference.
+    const Metadata* klass = fwd->metadata_field(java_lang_Class::klass_offset());
     if (klass != nullptr && !Metaspace::contains(klass)) {
       print_failure(_safe_all, obj, interior_loc, nullptr, "Shenandoah assert_correct failed",
                     "Instance class mirror should point to Metaspace",

diff --git a/src/hotspot/share/gc/shenandoah/shenandoahVerifier.cpp b/src/hotspot/share/gc/shenandoah/shenandoahVerifier.cpp
@@ -247,7 +247,15 @@ class ShenandoahVerifyOopClosure : public BasicOopIterateClosure {
     // We want to check class loading/unloading did not corrupt them.
 
     if (obj_klass == vmClasses::Class_klass()) {
-      Metadata* klass = obj->metadata_field(java_lang_Class::klass_offset());
+      // During class redefinition the old Klass gets reclaimed and the old mirror oop's Klass reference
+      // nulled out (hence the "klass != nullptr" condition below). However, the mirror oop may have been
+      // forwarded if we are in the mids of an evacuation. In that case, the forwardee's Klass reference
+      // is nulled out. The old, forwarded, still still carries the old invalid Klass pointer. It will be
+      // eventually collected.
+      // This checking code may encounter the old copy of the mirror, and its referee Klass pointer may
+      // already be reclaimed and therefore be invalid. We must therefore check the forwardee's Klass
+      // reference.
+      Metadata* klass = fwd->metadata_field(java_lang_Class::klass_offset());
       check(ShenandoahAsserts::_safe_oop, obj,
             klass == nullptr || Metaspace::contains(klass),
             "Instance class mirror should point to Metaspace");