Что такое сейф поинт в читах
Перейти к содержимому

Что такое сейф поинт в читах

  • автор:

Safe Point and Safe Region for JVM-GC

The choice of safe points is important because too few can lead to long GC waits, and too frequent can lead to performance problems at runtime. The execution time of most instructions is very short, and is usually based on «characteristics that make the program run for a long time». For example, select some commands that take a long time to execute as safe points, such as:

  • End of loop
  • Method before return
  • After calling the method
  • The location of the throw exception

How do you check that all threads run to the nearest safe point and stop during GC life?

  • Preemptive interrupt: (no virtual machine currently uses it) interrupts all threads first. If there are still threads that are not at the safe point, restore the thread and let it run to the safe point.
  • Active Interrupts: Sets an interrupt flag, which threads actively poll when running to Safe Point, and suspends themselves if the interrupt flag is true. (The inn door has a monitor that says true, or false. If the system needs garbage collection, it updates the status to true, and when the thread gets to the inn, it sees true and enters the inn.
  1. The SafePoint mechanism ensures that when a program executes, it will not take too long to encounter a SafePoint ready for GC. But what about when the program «doesn’t execute»? For example, when a thread is in the state of Sleep or Blocked, unable to respond to interrupt requests from the JVM, the thread «walks» to a safe point to interrupt the suspension, and the JVM is less likely to wait for the thread to wake up. In this case, a Safe Region is required.
  2. A safe zone is a code snippet where the reference relationship of the object does not change and it is safe to start GC anywhere in the zone. We can also think of Safe Region as Safepoint extended

When a thread runs into Safe Region code, it first identifies that it has entered the Safe Region. If GC occurs during that time, the JVM ignores the thread identified as Safe Region: When the thread is about to leave, it checks to see if the JVM has completed GC, and if so, continues running, otherwise the thread must wait until it receives a signal that it is Safe to leave the Safe Region.

Что такое сейф поинт в читах

Safe Point is just a feature that makes ur b1g aimbot go for points on the player that intersect both desync and real.
An example is if someone is freestanding, their desync will extremely close to their real (nature of desync) with their heads being
basically behind or infront of each other.

Safe point will recognize this, and be like. We can def shoot there, as the bullet will still hit thee real player.
You really shouldn’t be missing a shot due to bad animations with safe point, but I’ve seen some hacks still fail to hit.

Just have 3 matrixes, 2 being the possible desync resolve directions, and the 3rd one being the original.

Scan for a hitbox to shoot, and then re-trace and see if it intersects all 3 hitboxes.
(You can use this tracing method for also triggerbot bt, and missed shot calculations)

Another and lazier method which is LESS reliable is using angToLocal:
You can check if the person is leaning to the left or right on your side
This usually means that desync head and real head are extremely close (freestanding)

If they aren’t, or the lean doesn’t seem good, just go for the pelvis, which has the smallest fake body from my experience.

But I would recommend with trace-raying hitboxes (there are many SDKs with it)
— Usually stored in gamer software’s math files (math.cpp)
— Usually labelled like, TraceHitbox, and requires a few other math. like IntersectInfinityRayWithSphere or smth like that

That’s my take on it at least, and if anyone would like to correct me, please do :3

Last Achievements

Safe Point is just a feature that makes ur b1g aimbot go for points on the player that intersect both desync and real.
An example is if someone is freestanding, their desync will extremely close to their real (nature of desync) with their heads being
basically behind or infront of each other.

Safe point will recognize this, and be like. We can def shoot there, as the bullet will still hit thee real player.
You really shouldn’t be missing a shot due to bad animations with safe point, but I’ve seen some hacks still fail to hit.

Just have 3 matrixes, 2 being the possible desync resolve directions, and the 3rd one being the original.

Scan for a hitbox to shoot, and then re-trace and see if it intersects all 3 hitboxes.
(You can use this tracing method for also triggerbot bt, and missed shot calculations)

Another and lazier method which is LESS reliable is using angToLocal:
You can check if the person is leaning to the left or right on your side
This usually means that desync head and real head are extremely close (freestanding)

If they aren’t, or the lean doesn’t seem good, just go for the pelvis, which has the smallest fake body from my experience.

But I would recommend with trace-raying hitboxes (there are many SDKs with it)

That’s my take on it at least, and if anyone would like to correct me, please do :3

to save urself some fps, its enough to grab the points from matrix a and then trace them onto the opposite direction. if they hit (could add a check if its the same hitbox if needed) u know that they overlap.

consider ur points are within the hitboxes and not outside, if your points are literally on the edge or further u might want to trace both matrix i guess

eg. take points with blue matrix, set bonematrix to green and trace the points u got from blue

Alexey Ragozin

Nice article Alexey. Do you know what part of the JDK code really does this — "JVM unmaps page with that address provoking page fault on application thread"?

I think the Azul JVM also used to do this to quickly trap moved/GC'ed addresses.

Using page faults for read barrier ("quickly trap moved/GC'ed addresses") would be prohibitively expensive. Azul JVM does not use page faults for read barrier, though it is using this technique for defragmenting physical memory associated with large object.

Azul is using custom page mapping to facilitate software read barrier, but this technique does not relay on page faults.

Or at least it was that way last time I was working with Azul.

Thank you for an eye-opening article on safepoints. Do you know if there is any way to identify the reason for a huge pause of hundreds of seconds that does not appear to be related to GC activity?

Total time for which application threads were stopped: 0.0020916 seconds
Total time for which application threads were stopped: 0.0677614 seconds
Total time for which application threads were stopped: 0.0016208 seconds
Total time for which application threads were stopped: 195.2580105 seconds
Total time for which application threads were stopped: 0.0313111 seconds
Total time for which application threads were stopped: 0.0005465 seconds
Total time for which application threads were stopped: 0.0006269 seconds

First enable safe point logging -XX:+PrintSafepointStatistics
-XX:PrintSafepointStatisticsCount=1
This will allow you to understand whenever safepoint is culprit.

Last problem with slow safepoints, was bug in JIT combined with weird application code.

Trying latest JVM is another step.

We switched to 1.6.0_43, at the time that happened we had 1.6.0_31. One of the reasons was bug 2221291. Can you tell me the bug ID for the problem related to JIT?

No, I didn't track exact bug. Slight change of code has solved issue in my case.
Yep, 2221291 is a nasty one.

Very informative article, thank you. We have seen due to IO overload inside Linux. When this happens, GC log entries show use_time

at least 1 second. We are able to recreate this type of stalls in the lab too. It turns out that deferred writes to append a file can be blocked for a long time when the write is blocked by journal commit. Or when dirty_ratio is exceeded. We straced the Java process and could correlate some but not all of the stalls to GC threads when they write to the gc.log file. If GC threads do not have park the Java threads running in kernel mode, we are stumped about what else could have caused the stall (where user_time

0). Any other data/traces you would recommend to help us understand the issue better? Many thanks.

Have you enabled -XX:+PrintSafepointStatistics ?

Sometimes I've seen JVM spending too much time trying to enter to safe point. Safe point initiation time is accounted to GC pause time.

Another suspects are native threads taking GC lock via JNI (+XX:+PrintJNIGCStals may help to identify if this is a case).

Hi Alexey, thanks for the feedback. We did not always turn on -XX:+PrintSafepointStatistics because the output is so obscure. Our test program that recreates the stall just uses log4j and does not make calls to JNI but it's great to know about this option PrintJNIGCStalls.

Hi Alexey, your articles are very informative. Recently i have faced a situation where GC is taking mamooth time and not sure what can be the reason. Here is the output of jstat -gc command

S0C S1C S0U S1U EC EU OC OU PC PU YGC YGCT FGC FGCT GCT

77440.0 73088.0 22896.4 0.0 1946624.0 222690.4 4194304.0 3638965.1 262144.0 216641.1 1093 11258.452 3 10031.493 21289.944

To be able to give you a reasonable advise, I need
— your JVM start parameters
— excerpt from your GC logs with at least -Xx:+PrintGCDetails enabled

I would also suggest you to post question on stackoverflow.com (and post link here) as it is better platform for that kind of questions.

Hi Alexey, as suggested by you i have posted question on stackoverflow.com and here is the link

Also here is the start up parameters and PrintGCDetails are not enabled and will take time as it is production server.

-Xms6144m -Xmx6144m -XX:MaxPermSize=256m -Djava.security.policy=/bea/wlserver_10.3/server/lib/weblogic.policy -Dweblogic.ProductionModeEnabled=true -da -Dplatform.home=/bea/wlserver_10.3 -Dwls.home=/bea/wlserver_10.3/server -Dweblogic.home=/bea/wlserver_10.3/server -Dweblogic.management.discover=true -Dwlw.iterativeDev=false -Dwlw.testConsole=false -Dwlw.logErrorsToConsole=false -Dweblogic.ext.dirs=/bea/patch_wls1036/profiles/default/sysext_manifest_classpath -Djava.awt.headless=true -Djava.net.preferIPv4Stack=true -Duser.timezone=GMT -Dfile.encoding=UTF-8 -Duser.language=en -Duser.country=US -Dweblogic.wsee.wstx.wsat.deployed=false -XX:+DisableExplicitGC

Running VMStat for 5 hours has given the following result, i am providing a part of the output:
swap free re mf pi po 40336468 4025208 383 5473 465 59 40336132 4025732 383 5477 465 59 40336020 4025732 383 5478 465 59 40335940 4025752 383 5479 465 59 40335860 4025776 383 5479 465 59 40335776 4025796 383 5480 465 59 40335696 4025816 383 5481 465 59 40335584 4025816 383 5482 464 59 40335504 4025836 383 5483 464 59 40335420 4025856 383 5484 464 59

Can we inference something from this output

I am getting millions of following messages:
54.104: ThreadDump [ 153 2 3 ] [ 0 0 0 0 0 ] 0
vmop [threads: total initially_running wait_to_block] [time: spin block sync cleanup vmop] page_trap_count
54.104: ThreadDump [ 153 3 4 ] [ 0 0 0 0 0 ] 0
vmop [threads: total initially_running wait_to_block] [time: spin block sync cleanup vmop] page_trap_count
54.104: ThreadDump [ 153 1 6 ] [ 0 0 0 0 0 ] 0
vmop [threads: total initially_running wait_to_block] [time: spin block sync cleanup vmop] page_trap_count
54.104: ThreadDump [ 153 2 2 ] [ 0 0 0 0 0 ] 0
vmop [threads: total initially_running wait_to_block] [time: spin block sync cleanup vmop] page_trap_count
54.105: ThreadDump [ 153 0 2 ] [ 0 0 0 0 0 ] 0
vmop [threads: total initially_running wait_to_block] [time: spin block sync cleanup vmop] page_trap_count
54.105: ThreadDump [ 153 1 6 ] [ 0 0 0 0 0 ] 0
vmop [threads: total initially_running wait_to_block] [time: spin block sync cleanup vmop] page_trap_count

What could be the reason of ThreadDump activity in SafePoint?

I would guess, it is result of profiler. Thread dumps are widely used by profiler and sometimes by monitoring tools. Java code could also cause thread dump for itself.

Thanks for your quick updates.

There are no profiler attached to the java process.

I don't see any log of general Threaddumps it means they are Internal Thread dumps as you mentioned.

Что такое сейф поинт в читах

Reddit and its partners use cookies and similar technologies to provide you with a better experience.

By accepting all cookies, you agree to our use of cookies to deliver and maintain our services and site, improve the quality of Reddit, personalize Reddit content and advertising, and measure the effectiveness of advertising.

By rejecting non-essential cookies, Reddit may still use certain cookies to ensure the proper functionality of our platform.

For more information, please see our Cookie Notice and our Privacy Policy .

Добавить комментарий

Ваш адрес email не будет опубликован. Обязательные поля помечены *