JDK-2128962 : JRE/Browser crash during repaint - IE/XP on MP or HT systems.
  • Type: Backport
  • Backport of: JDK-5069955
  • Component: client-libs
  • Sub-Component: java.awt
  • Priority: P1
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2005-08-23
  • Updated: 2011-02-16
  • Resolved: 2005-10-28
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
Other Other
1.3.1_17 b01Fixed 1.4.2_06Fixed
Comments
SUGGESTED FIX Check on GetRegionData() failure and return after necessary cleaning [in the function AwtComponent::PaintUpdateRgn(). ---------awt_Window.cpp. int size = ::GetRegionData(rgn, 0, NULL); if (size == 0) { ::DeleteObject((HGDIOBJ)rgn); return mrConsume; } memset(buffer, 0, size); LPRGNDATA rgndata = (LPRGNDATA)buffer; rgndata->rdh.dwSize = sizeof(RGNDATAHEADER); rgndata->rdh.iType = RDH_RECTANGLES; int retCode = ::GetRegionData(rgn, size, rgndata); VERIFY(retCode); if (retCode == 0) { delete [] buffer; ::DeleteObject((HGDIOBJ)rgn); return mrConsume; } Lines were modified.
23-08-2005

EVALUATION Looking into the stack trace, the crash is in awt.dll. Reassigning to AWT team for evaluation ###@###.### 2004-07-01 I've tried this test on XP (HT was switched on) box with JRE1.5(b57). Applet started by IE 6.0. Still have no failures. How long should I wait till the first failure? ###@###.### 9-July-2004 The crash happened within a minute - within 30 seconds really - when the machine was effected. Are you sure HT is enabled? ###@###.### 2004-07-12 Name: osR10079 Date: 07/15/2004 reproduced on specific HyperThreading machine. Looks like a thread race but I didn't invent the way to reproduce it locally, manually or with appletviewer. ###@###.### 15-July-2004 ====================================================================== After investigation I found that the testcase is crashing in AwtComponent::PaintUpdateRgn(). VERIFY(::GetRegionData(rgn, size, rgndata)); /* * Updating rects are divided into mostly vertical and mostly horizontal * Each group is united together and if not empty painted separately */ RECT* r = (RECT*)(buffer + rgndata->rdh.dwSize); RECT* un[2] = {0, 0}; for (DWORD i = 0; i < rgndata->rdh.nCount; i++, r++) { int width = r->right-r->left; <<==========CRASH======== int height = r->bottom-r->top; if (width > 0 && height > 0) { int toAdd = (width > height) ? 0: 1; if (un[toAdd] != 0) { ::UnionRect(un[toAdd], un[toAdd], r); } else { un[toAdd] = r; } } } I printed the rgndata->rdh.nCount before it enters the for loop. And just before crash the the count comes out to be huge number e.g. 131090, 131074 and the width and height also are junk numbers Then I checked for the return value of GetRegionData() in the case when the rgndata->rdh.nCount is a junk value. It is coming as 0 and the 'size' also that we pass to this function is '0'. So we should put a zero check either for 'size' before calling GetRegionData() or we should check for the return value of this function(it fails when it returns 0). I will put this zero check and test if the testcase still fails or not. ###@###.### 2004-07-20 -------------------------------------------- I tested the application after putting a check before the second GetRegionData call: if (size == 0) return; VERIFY(::GetRegionData(rgn, size, rgndata)); The customer app ran successfully for 2 days with this change. ###@###.### 2004-07-22 Name: ag153227 Date: 07/27/2004 Indeed, sometimes the calls to GetRegionData() return 0, i.e. the function fails [normally GetRegionData(rgn, 0, NULL) should return at least size of RGNDATAHEADER]. For an unknown reason Windows considers a handle to a region just returned from GetUpdateRgn() as invalid. Anyway, we should check on GetRegionData() failure and do nothing but necessary cleaning. ###@###.### ====================================================================== *** (#1 of 1): 2004-08-18 06:04:27 GMT+00:00 ###@###.### *** Last Edit: 2004-08-18 06:04:27 GMT+00:00 ###@###.###
23-08-2005