JDK-5069955 : JRE/Browser crash during repaint - IE/XP on MP or HT systems.

Details
Type: Bug
Submit Date: 2004-06-30
Status: Resolved
Updated Date: 2004-08-17
Project Name: JDK
Resolved Date: 2004-08-06
Component: client-libs
OS: windows_xp,windows
Sub-Component: java.awt
CPU: x86
Priority: P1
Resolution: Fixed
Affected Versions: 5.0,5.0u11,5.0u12
Fixed Versions: 1.4.2_06 (06)


Description
The test provided demonstrates the problem by using JavaScript to show a web page with the test applet and then resizes the web page repeatedly until a crash occurs.

Note: Although this test is a heavy load test, users experience it intermittently when just resizing the browser in every-day use.

This is very easy to reproduce in modern HyperThreading Pentium processors, or on multi-processor systems.  We've been unable to reproduce it so far on single-processor boxes with no HT.  In the case of HT, switching HT off in the BIOS stops the crash from happening.

The following log is produced by the crash:


# An unexpected error has been detected by HotSpot Virtual Machine:
#
#  EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x6d0c2b9f, pid=2484, tid=3320
#
# Java VM: Java HotSpot(TM) Client VM (1.5.0-beta2-b50 mixed mode, sharing)
# Problematic frame:
# C  [awt.dll+0xc2b9f]
#

---------------  T H R E A D  ---------------

Current thread (0x069b4e98):  JavaThread "AWT-Windows" daemon [_thread_in_native, id=3320]

siginfo: ExceptionCode=0xc0000005, reading address 0x07561008

Registers:
EAX=0x00020010, EBX=0x0755d730, ECX=0x07560fa4, EDX=0x00000002
ESP=0x06e9f76c, EBP=0x0000038b, ESI=0x07561000, EDI=0xfffffffe
EIP=0x6d0c2b9f, EFLAGS=0x00010287

Top of Stack: (sp=0x06e9f76c)
0x06e9f76c:   0000000f 07479608 77e7d142 00000000
0x06e9f77c:   9f0410a6 07479608 0755d830 0755d810
0x06e9f78c:   6d0bda84 00000000 6d0c11bd 00000000
0x06e9f79c:   06e9f878 000204fe 06e9f804 00000000
0x06e9f7ac:   00000001 00000000 069b4f54 069b4f54
0x06e9f7bc:   069b4e98 06e9f7f8 77d7390a 77d99b08
0x06e9f7cc:   06e9f7f8 6d0f2a68 00000000 6d0c04b8
0x06e9f7dc:   0000000f 00000000 00000000 06e9f878 

Instructions: (pc=0x6d0c2b9f)
0x6d0c2b8f:   33 ed 03 f3 3b c5 89 6c 24 18 89 6c 24 1c 76 44
0x6d0c2b9f:   8b 46 08 8b 3e 8b 56 04 2b c7 8b 7e 0c 2b fa 85 


Stack: [0x06da0000,0x06ea0000),  sp=0x06e9f76c,  free space=1021k
Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
C  [awt.dll+0xc2b9f]

[error occurred during error reporting, step 120, id 0xc0000005]

Java frames: (J=compiled Java code, j=interpreted, Vv=VM code)
j  sun.awt.windows.WToolkit.eventLoop()V+0
j  sun.awt.windows.WToolkit.run()V+69
j  java.lang.Thread.run()V+11
v  ~StubRoutines::call_stub

---------------  P R O C E S S  ---------------

Java Threads: ( => current thread )
  0x0752e3f8 JavaThread "AWT-EventQueue-2" [_thread_blocked, id=3308]
  0x0752e068 JavaThread "thread applet-testcrash/Applet1.class" [_thread_blocked, id=1452]
  0x069c2938 JavaThread "AWT-EventQueue-0" [_thread_blocked, id=3304]
  0x069c1920 JavaThread "traceMsgQueueThread" [_thread_blocked, id=3284]
=>0x069b4e98 JavaThread "AWT-Windows" daemon [_thread_in_native, id=3320]
  0x069b4a70 JavaThread "AWT-Shutdown" [_thread_blocked, id=3272]
  0x069b3758 JavaThread "Java2D Disposer" daemon [_thread_blocked, id=3252]
  0x026d01d8 JavaThread "Low Memory Detector" daemon [_thread_blocked, id=2468]
  0x026ceee8 JavaThread "CompilerThread0" daemon [_thread_blocked, id=2644]
  0x026ce150 JavaThread "Signal Dispatcher" daemon [_thread_blocked, id=1056]
  0x026cac00 JavaThread "Finalizer" daemon [_thread_blocked, id=1584]
  0x026ca078 JavaThread "Reference Handler" daemon [_thread_blocked, id=2776]
  0x026208d8 JavaThread "main" [_thread_in_native, id=2548]

Other Threads:
  0x026c77d8 VMThread [id=3112]
  0x026d15b0 WatcherThread [id=2504]

VM state:not at safepoint (normal execution)

VM Mutex/Monitor currently owned by a thread: None

Heap
 def new generation   total 576K, used 299K [0x20a60000, 0x20b00000, 0x211c0000)
  eden space 512K,  58% used [0x20a60000, 0x20aaac30, 0x20ae0000)
  from space 64K,   0% used [0x20ae0000, 0x20ae00f0, 0x20af0000)
  to   space 64K,   0% used [0x20af0000, 0x20af0000, 0x20b00000)
 tenured generation   total 1408K, used 899K [0x211c0000, 0x21320000, 0x26a60000)
   the space 1408K,  63% used [0x211c0000, 0x212a0f70, 0x212a1000, 0x21320000)
 compacting perm gen  total 8192K, used 1152K [0x26a60000, 0x27260000, 0x2aa60000)
   the space 8192K,  14% used [0x26a60000, 0x26b80140, 0x26b80200, 0x27260000)
    ro space 8192K,  62% used [0x2aa60000, 0x2af5e5d0, 0x2af5e600, 0x2b260000)
    rw space 12288K,  46% used [0x2b260000, 0x2b7e61e0, 0x2b7e6200, 0x2be60000)

Dynamic libraries:
0x00400000 - 0x00419000         C:\Program Files\Internet Explorer\iexplore.exe
0x77f50000 - 0x77ff7000         C:\WINDOWS\System32\ntdll.dll
0x77e60000 - 0x77f46000         C:\WINDOWS\system32\kernel32.dll
0x77c10000 - 0x77c63000         C:\WINDOWS\system32\msvcrt.dll
0x77d40000 - 0x77dcc000         C:\WINDOWS\system32\USER32.dll
0x77c70000 - 0x77cb0000         C:\WINDOWS\system32\GDI32.dll
0x77dd0000 - 0x77e5d000         C:\WINDOWS\system32\ADVAPI32.dll
0x78000000 - 0x78086000         C:\WINDOWS\system32\RPCRT4.dll
0x70a70000 - 0x70ad5000         C:\WINDOWS\system32\SHLWAPI.dll
0x71700000 - 0x71849000         C:\WINDOWS\System32\SHDOCVW.dll
0x71950000 - 0x71a34000         C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll
0x773d0000 - 0x77bc2000         C:\WINDOWS\system32\SHELL32.dll
0x77340000 - 0x773cb000         C:\WINDOWS\system32\comctl32.dll
0x771b0000 - 0x772d1000         C:\WINDOWS\system32\ole32.dll
0x5ad70000 - 0x5ada4000         C:\WINDOWS\System32\uxtheme.dll
0x74720000 - 0x74764000         C:\WINDOWS\System32\MSCTF.dll
0x10000000 - 0x1000f000         C:\Program Files\RealVNC\WinVNC\VNCHooks.dll
0x71500000 - 0x715fd000         C:\WINDOWS\System32\BROWSEUI.dll
0x72430000 - 0x72442000         C:\WINDOWS\System32\browselc.dll
0x75f40000 - 0x75f5f000         C:\WINDOWS\system32\appHelp.dll
0x76fd0000 - 0x77048000         C:\WINDOWS\System32\CLBCATQ.DLL
0x77120000 - 0x771ab000         C:\WINDOWS\system32\OLEAUT32.dll
0x77050000 - 0x77115000         C:\WINDOWS\System32\COMRes.dll
0x77c00000 - 0x77c07000         C:\WINDOWS\system32\VERSION.dll
0x63000000 - 0x63096000         C:\WINDOWS\system32\WININET.dll
0x762c0000 - 0x76348000         C:\WINDOWS\system32\CRYPT32.dll
0x762a0000 - 0x762b0000         C:\WINDOWS\system32\MSASN1.dll
0x76f90000 - 0x76fa0000         C:\WINDOWS\System32\Secur32.dll
0x76670000 - 0x76757000         C:\WINDOWS\System32\SETUPAPI.dll
0x76620000 - 0x7666e000         C:\WINDOWS\System32\cscui.dll
0x76600000 - 0x7661b000         C:\WINDOWS\System32\CSCDLL.dll
0x00e30000 - 0x00ee8000         c:\program files\google\googletoolbar1.dll
0x1a400000 - 0x1a47a000         C:\WINDOWS\system32\urlmon.dll
0x71ad0000 - 0x71ad8000         C:\WINDOWS\System32\WSOCK32.dll
0x71ab0000 - 0x71ac5000         C:\WINDOWS\System32\WS2_32.dll
0x71aa0000 - 0x71aa8000         C:\WINDOWS\System32\WS2HELP.dll
0x76c30000 - 0x76c5b000         C:\WINDOWS\System32\WINTRUST.dll
0x76c90000 - 0x76cb2000         C:\WINDOWS\system32\IMAGEHLP.dll
0x76b40000 - 0x76b6c000         C:\WINDOWS\System32\WINMM.dll
0x0ffd0000 - 0x0fff3000         C:\WINDOWS\System32\rsaenh.dll
0x76ee0000 - 0x76f17000         C:\WINDOWS\System32\RASAPI32.DLL
0x76e90000 - 0x76ea1000         C:\WINDOWS\System32\rasman.dll
0x71c20000 - 0x71c6e000         C:\WINDOWS\System32\NETAPI32.dll
0x76eb0000 - 0x76edb000         C:\WINDOWS\System32\TAPI32.dll
0x76e80000 - 0x76e8d000         C:\WINDOWS\System32\rtutils.dll
0x722b0000 - 0x722b5000         C:\WINDOWS\System32\sensapi.dll
0x75a70000 - 0x75b15000         C:\WINDOWS\system32\USERENV.dll
0x010b0000 - 0x010b8000         C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
0x75e90000 - 0x75f37000         C:\WINDOWS\System32\SXS.DLL
0x76170000 - 0x761f8000         C:\WINDOWS\System32\shdoclc.dll
0x74770000 - 0x747ff000         C:\WINDOWS\System32\mlang.dll
0x71a50000 - 0x71a8b000         C:\WINDOWS\system32\mswsock.dll
0x71a90000 - 0x71a98000         C:\WINDOWS\System32\wshtcpip.dll
0x01780000 - 0x01981000         C:\WINDOWS\System32\msi.dll
0x76f20000 - 0x76f45000         C:\WINDOWS\System32\DNSAPI.dll
0x76fb0000 - 0x76fb7000         C:\WINDOWS\System32\winrnr.dll
0x76f60000 - 0x76f8c000         C:\WINDOWS\system32\WLDAP32.dll
0x76fc0000 - 0x76fc5000         C:\WINDOWS\System32\rasadhlp.dll
0x63580000 - 0x63830000         C:\WINDOWS\System32\mshtml.dll
0x746f0000 - 0x74716000         C:\WINDOWS\System32\msimtf.dll
0x76390000 - 0x763ac000         C:\WINDOWS\System32\IMM32.DLL
0x6b700000 - 0x6b790000         c:\windows\system32\jscript.dll
0x746c0000 - 0x746e7000         C:\WINDOWS\System32\MSLS31.DLL
0x73300000 - 0x73375000         c:\windows\system32\vbscript.dll
0x02870000 - 0x02a17000         C:\WINDOWS\System32\macromed\flash\Flash.ocx
0x763b0000 - 0x763f5000         C:\WINDOWS\system32\comdlg32.dll
0x72d20000 - 0x72d29000         C:\WINDOWS\System32\wdmaud.drv
0x72d10000 - 0x72d18000         C:\WINDOWS\System32\msacm32.drv
0x77be0000 - 0x77bf4000         C:\WINDOWS\System32\MSACM32.dll
0x77bd0000 - 0x77bd7000         C:\WINDOWS\System32\midimap.dll
0x6d430000 - 0x6d439000         C:\WINDOWS\System32\ddrawex.dll
0x73760000 - 0x737a4000         C:\WINDOWS\System32\DDRAW.dll
0x73bc0000 - 0x73bc6000         C:\WINDOWS\System32\DCIMAN32.dll
0x71b20000 - 0x71b31000         C:\WINDOWS\system32\MPR.dll
0x75f60000 - 0x75f66000         C:\WINDOWS\System32\drprov.dll
0x71c10000 - 0x71c1d000         C:\WINDOWS\System32\ntlanman.dll
0x71cd0000 - 0x71ce6000         C:\WINDOWS\System32\NETUI0.dll
0x71c90000 - 0x71ccc000         C:\WINDOWS\System32\NETUI1.dll
0x71c80000 - 0x71c86000         C:\WINDOWS\System32\NETRAP.dll
0x71bf0000 - 0x71c01000         C:\WINDOWS\System32\SAMLIB.dll
0x75f70000 - 0x75f79000         C:\WINDOWS\System32\davclnt.dll
0x73d70000 - 0x73d82000         C:\WINDOWS\System32\shgina.dll
0x75970000 - 0x75a61000         C:\WINDOWS\System32\MSGINA.dll
0x76360000 - 0x7636f000         C:\WINDOWS\System32\WINSTA.dll
0x037d0000 - 0x03802000         C:\WINDOWS\System32\ODBC32.dll
0x1f850000 - 0x1f866000         C:\WINDOWS\System32\odbcint.dll
0x74cb0000 - 0x74d1f000         C:\WINDOWS\System32\mshtmled.dll
0x71d40000 - 0x71d5b000         C:\WINDOWS\System32\actxprxy.dll
0x6d580000 - 0x6d591000         C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
0x5edd0000 - 0x5edea000         C:\WINDOWS\System32\OLEPRO32.DLL
0x6d3f0000 - 0x6d407000         C:\Program Files\Java\jre1.5.0\bin\jpiexp32.dll
0x6d440000 - 0x6d458000         C:\Program Files\Java\jre1.5.0\bin\jpishare.dll
0x6d630000 - 0x6d7b4000         C:\PROGRA~1\Java\JRE15~1.0\bin\client\jvm.dll
0x6d280000 - 0x6d288000         C:\PROGRA~1\Java\JRE15~1.0\bin\hpi.dll
0x76bf0000 - 0x76bfb000         C:\WINDOWS\System32\PSAPI.DLL
0x6d600000 - 0x6d60c000         C:\PROGRA~1\Java\JRE15~1.0\bin\verify.dll
0x6d2f0000 - 0x6d30d000         C:\PROGRA~1\Java\JRE15~1.0\bin\java.dll
0x6d620000 - 0x6d62f000         C:\PROGRA~1\Java\JRE15~1.0\bin\zip.dll
0x6d000000 - 0x6d166000         C:\Program Files\Java\jre1.5.0\bin\awt.dll
0x73000000 - 0x73023000         C:\WINDOWS\System32\WINSPOOL.DRV
0x73940000 - 0x73a07000         C:\WINDOWS\System32\D3DIM700.DLL
0x6d240000 - 0x6d27e000         C:\Program Files\Java\jre1.5.0\bin\fontmanager.dll
0x6d1f0000 - 0x6d202000         C:\Program Files\Java\jre1.5.0\bin\deploy.dll
0x6d5c0000 - 0x6d5dd000         C:\Program Files\Java\jre1.5.0\bin\RegUtils.dll
0x6d3d0000 - 0x6d3e4000         C:\Program Files\Java\jre1.5.0\bin\jpicom32.dll
0x6d4b0000 - 0x6d4c3000         C:\Program Files\Java\jre1.5.0\bin\net.dll
0x6cc60000 - 0x6cc6b000         C:\WINDOWS\System32\dispex.dll

VM Arguments:
jvm_args: -Xbootclasspath/a:C:\PROGRA~1\Java\JRE15~1.0\lib\deploy.jar;C:\PROGRA~1\Java\JRE15~1.0\lib\plugin.jar -Xmx96m -Djavaplugin.maxHeapSize=96m -Xverify:remote -Djavaplugin.version=1.5.0 -Djavaplugin.nodotversion=150 -Dbrowser=sun.plugin -DtrustProxy=true -Dapplication.home=C:\PROGRA~1\Java\JRE15~1.0 -Djava.protocol.handler.pkgs=sun.plugin.net.protocol -Djavaplugin.vm.options=-Djava.class.path=C:\PROGRA~1\Java\JRE15~1.0\classes -Xbootclasspath/a:C:\PROGRA~1\Java\JRE15~1.0\lib\deploy.jar;C:\PROGRA~1\Java\JRE15~1.0\lib\plugin.jar -Xmx96m -Djavaplugin.maxHeapSize=96m -Xverify:remote -Djavaplugin.version=1.5.0 -Djavaplugin.nodotversion=150 -Dbrowser=sun.plugin -DtrustProxy=true -Dapplication.home=C:\PROGRA~1\Java\JRE15~1.0 -Djava.protocol.handler.pkgs=sun.plugin.net.protocol  vfprintf
java_command: <unknown>

Environment Variables:
PATH=C:\PROGRA~1\Java\JRE15~1.0\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Executive Software\DiskeeperLite\;C:\Program Files\Common Files\Roxio Shared\DLLShared;C:\Program Files\Internet Explorer;;.
USERNAME=daven
OS=Windows_NT
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel


---------------  S Y S T E M  ---------------

OS: Windows XP Build 2600 Service Pack 1

CPU:total 2 family 15, cmov, cx8, fxsr, mmx, sse, sse2, ht

Memory: 4k page, physical 1030888k(527996k free), swap 2484012k(2114240k free)

vm_info: Java HotSpot(TM) Client VM (1.5.0-beta2-b50) for windows-x86, built on May  5 2004 02:07:14 by "java_re" with MS VC++ 6.0

                                    

Comments
PUBLIC COMMENTS

The Sun JRE and IE crash when resizing a page containing an applet.
                                     
2004-08-18
SUGGESTED FIX

Name: ag153227			Date: 07/27/2004


Check on GetRegionData() failure and return after necessary cleaning
[in the function AwtComponent::PaintUpdateRgn()]:

--- awt_Component.cpp   Tue Jul 27 15:52:19 2004
***************
*** 2188,2199 ****
           ::OffsetRgn(rgn, insets->left, insets->top);
       }
       int size = ::GetRegionData(rgn, 0, NULL);
       char* buffer = new char[size];
       memset(buffer, 0, size);
       LPRGNDATA rgndata = (LPRGNDATA)buffer;
       rgndata->rdh.dwSize = sizeof(RGNDATAHEADER);
       rgndata->rdh.iType = RDH_RECTANGLES;
!       VERIFY(::GetRegionData(rgn, size, rgndata));
       /*
        * Updating rects are divided into mostly vertical and mostly horizontal
        * Each group is united together and if not empty painted separately
--- 2188,2209 ----
           ::OffsetRgn(rgn, insets->left, insets->top);
       }
       int size = ::GetRegionData(rgn, 0, NULL);
+         if (size == 0) {
+             ::DeleteObject((HGDIOBJ)rgn);
+             return;
+         }
       char* buffer = new char[size];
       memset(buffer, 0, size);
       LPRGNDATA rgndata = (LPRGNDATA)buffer;
       rgndata->rdh.dwSize = sizeof(RGNDATAHEADER);
       rgndata->rdh.iType = RDH_RECTANGLES;
!         int retCode = ::GetRegionData(rgn, size, rgndata);
!         VERIFY(retCode);
!         if (retCode == 0) {
!             delete [] buffer;
!             ::DeleteObject((HGDIOBJ)rgn);
!             return;
!         }
       /*
        * Updating rects are divided into mostly vertical and mostly horizontal
        * Each group is united together and if not empty painted separately
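
Review bot: the new "size == 0" guard only covers a total failure of the sizing call; any non-zero result smaller than sizeof(RGNDATAHEADER) would still let "rgndata->rdh.dwSize = sizeof(RGNDATAHEADER);" write past the end of buffer, so compare against the header size instead, e.g. "if (size < (int)sizeof(RGNDATAHEADER))". VERIFY(retCode) is also kept ahead of the new "retCode == 0" branch, so debug builds will still assert on a failure the code now handles; drop it or move the diagnostic into the branch. The two early returns repeat the ::DeleteObject((HGDIOBJ)rgn) cleanup, and the added lines are indented two columns deeper than the surrounding code.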


###@###.###


======================================================================
                                     
2004-08-18
WORK AROUND

If the system is an HT P4, disable HT in the BIOS.  This is probably not acceptable to most users, though, as HT is why they purchased the box, and switching it off to avoid a JRE crash...
                                     
2004-08-18
EVALUATION

Looking into the stack trace, the crash is in awt.dll. Reassigning to AWT team for evaluation.
###@###.### 2004-07-01

I've tried this test on an XP box (HT was switched on)
with JRE1.5(b57). Applet started by IE 6.0.
Still have no failures. How long should I wait until the
first failure?
###@###.###    9-July-2004

The crash happened within a minute - within 30 seconds really - when the
machine was affected.  Are you sure HT is enabled?
###@###.### 2004-07-12

Name: osR10079			Date: 07/15/2004

Reproduced on a specific HyperThreading machine. Looks like
a thread race, but I didn't invent a way to reproduce it locally,
manually or with appletviewer.
###@###.###   15-July-2004


======================================================================

After investigation I found that the testcase is crashing in AwtComponent::PaintUpdateRgn().

        VERIFY(::GetRegionData(rgn, size, rgndata));
        /*
         * Updating rects are divided into mostly vertical and mostly horizontal
         * Each group is united together and if not empty painted separately
         */
        RECT* r = (RECT*)(buffer + rgndata->rdh.dwSize);
        RECT* un[2] = {0, 0};
        for (DWORD i = 0; i < rgndata->rdh.nCount; i++, r++) {
            int width = r->right-r->left;     <<==========CRASH========
            int height = r->bottom-r->top;
            if (width > 0 && height > 0) {
                int toAdd = (width > height) ? 0: 1;
                if (un[toAdd] != 0) {
                    ::UnionRect(un[toAdd], un[toAdd], r);
                } else {
                    un[toAdd] = r;
                }
            }
        }

I printed rgndata->rdh.nCount before it enters the for loop. Just before the crash, the count comes out to be a huge number, e.g. 131090, 131074, and the width and height are also junk numbers.

Then I checked the return value of GetRegionData() in the case when rgndata->rdh.nCount is a junk value. It is coming as 0, and the 'size' that we pass to this function is also '0'.

So we should put a zero check either for 'size' before calling GetRegionData() or we should check for the return value of this function (it fails when it returns 0).

I will put this zero check and test if the testcase still fails or not.

###@###.### 2004-07-20
--------------------------------------------

I tested the application after putting a check before the second GetRegionData call:

if (size == 0)
  return; 
VERIFY(::GetRegionData(rgn, size, rgndata));

The customer app ran successfully for 2 days with this change.

###@###.### 2004-07-22

Name: ag153227			Date: 07/27/2004


Indeed, sometimes the calls to GetRegionData() return 0, i.e. the function fails
[normally GetRegionData(rgn, 0, NULL) should return at least the size of RGNDATAHEADER].
For an unknown reason Windows considers a handle to a region just returned from
GetUpdateRgn() as invalid. Anyway, we should check for GetRegionData() failure
and do nothing but the necessary cleaning.

###@###.###
======================================================================
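
The checks discussed in this evaluation (failed size query, failed fetch, junk nCount), as an added example that is not part of the bug report or the JDK source. Rect, RgnHeader and FakeRegion are constructed stand-ins for RECT, RGNDATAHEADER and a region whose GetRegionData() call may fail, so the code builds without Win32; the nCount bound check goes beyond the fix proposed above.

```cpp
#include <cstdint>
#include <cstring>
#include <vector>

// Constructed stand-ins mirroring the RECT / RGNDATAHEADER layouts.
struct Rect { int32_t left, top, right, bottom; };
struct RgnHeader { uint32_t dwSize, iType, nCount, nRgnSize; Rect rcBound; };

// Hypothetical region with GetRegionData()'s contract: buf == nullptr returns
// the byte count needed, otherwise buf is filled; 0 always means failure.
struct FakeRegion {
    std::vector<Rect> rects;
    int fail_from_call = 0;   // 0 never fails, 1 fails the size query, 2 the fetch
    uint32_t lie_count = 0;   // nonzero: header claims this many rectangles
    mutable int calls = 0;
    uint32_t get_data(uint32_t size, void* buf) const {
        if (fail_from_call && ++calls >= fail_from_call) return 0;
        uint32_t body = static_cast<uint32_t>(rects.size() * sizeof(Rect));
        uint32_t need = static_cast<uint32_t>(sizeof(RgnHeader)) + body;
        if (!buf) return need;
        if (size < need) return 0;
        RgnHeader h{};
        h.dwSize = sizeof(RgnHeader);
        h.iType = 1;  // RDH_RECTANGLES
        h.nCount = lie_count ? lie_count : static_cast<uint32_t>(rects.size());
        std::memcpy(buf, &h, sizeof h);
        if (body) std::memcpy(static_cast<char*>(buf) + sizeof h, rects.data(), body);
        return need;
    }
};

enum class Result { Ok, QueryFailed, FetchFailed, BadHeader };

// Size query, fetch, then iterate, with every step checked. Counts rectangles
// of positive width and height, the filter the paint loop applies.
Result count_paintable(const FakeRegion& rgn, uint32_t& out) {
    out = 0;
    uint32_t size = rgn.get_data(0, nullptr);
    if (size < sizeof(RgnHeader)) return Result::QueryFailed;  // includes size == 0
    std::vector<char> buffer(size, 0);
    if (rgn.get_data(size, buffer.data()) == 0) return Result::FetchFailed;
    RgnHeader h;
    std::memcpy(&h, buffer.data(), sizeof h);
    // nCount is data, not a promise: the array must fit in what was allocated.
    if (h.dwSize < sizeof(RgnHeader) || h.dwSize > size) return Result::BadHeader;
    if (h.nCount > (size - h.dwSize) / sizeof(Rect)) return Result::BadHeader;
    for (uint32_t i = 0; i < h.nCount; i++) {
        Rect r;
        std::memcpy(&r, buffer.data() + h.dwSize + i * sizeof(Rect), sizeof r);
        if (r.right - r.left > 0 && r.bottom - r.top > 0) out++;
    }
    return Result::Ok;
}

int main() {
    FakeRegion junk;                 // constructed input: header count from the report
    junk.rects = {{0, 0, 1, 1}};
    junk.lie_count = 131090;
    uint32_t n = 0;
    return count_paintable(junk, n) == Result::BadHeader ? 0 : 1;
}
```
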
                                     
2004-08-18
CONVERTED DATA

BugTraq+ Release Management Values

COMMIT TO FIX:
1.4.2_06
generic
tiger-rc

FIXED IN:
1.4.2_06
tiger-rc

INTEGRATED IN:
1.4.2_06
tiger-b63
tiger-rc


                                     
2004-08-18


