Bug ID: JDK-6513889 java runtime VM double free or corruption segfault

Details
Type: Bug
Submit Date: 2007-01-17
Status: Closed
Updated Date: 2011-03-08
Project Name: JDK
Resolved Date: 2011-03-08
Component: client-libs
OS: linux,windows_xp
Sub-Component: 2d
CPU: x86
Priority: P4
Resolution: Fixed
Affected Versions: 6
Fixed Versions:

Description
FULL PRODUCT VERSION :
java version "1.6.0"
Java(TM) SE Runtime Environment (build 1.6.0-b105)
Java HotSpot(TM) Client VM (build 1.6.0-b105, mixed mode)

ADDITIONAL OS VERSION INFORMATION :
Linux myhostname 2.6.18-suspend2 #1 SMP Wed Oct 18 12:55:15 EDT 2006 i686 Genuine Intel(R) CPU T2400  @ 1.83GHz GenuineIntel GNU/Linux
(Gentoo linux)


A DESCRIPTION OF THE PROBLEM :
I am able to cause a segfault with the following code:

myJList.setFont(myJList.getFont().deriveFont(Float.NaN));

where myJList is a currently visible JList. The segfault does not usually occur on the first call to the function. It usually takes several calls to make it happen.
Obviously this is not code that you would ever see, but I was making a related call as part of a componentResized function, to dynamically adjust the font size based on the size of the container in which the JList sits. When the size of the parent container dropped to zero, the above code would be executed, and eventually java would segfault.



STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
The following code will reliably reproduce the bug. Run it for 5-10 seconds:
Create a JFrame and a JList. Add some data to the JList, add the JList to the JFrame. Make the JFrame visible, and set the font size of the JList to Float.NaN over and over again. Code listed below.

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
I would expect the font size to become 0, or perhaps to not change, or for an exception to be thrown somewhere in the swing graphics rendering system.
ACTUAL -
Segmentation fault. Backtrace below

ERROR MESSAGES/STACK TRACES THAT OCCUR :
*** glibc detected *** /usr/lib/jvm/sun-jdk-1.6/bin/java: double free or corruption (out): 0xad62b690 ***
======= Backtrace: =========
/lib/libc.so.6[0xb7e022f0]
/lib/libc.so.6(__libc_free+0x89)[0xb7e03949]
/opt/sun-jdk-1.6.0/jre/lib/i386/libfontmanager.so(Java_sun_font_StrikeCache_freeIntMemory+0xcf)[0xad31f91f]
[0xb5cb468e]
[0xb5cace9d]
[0xb5cace9d]
[0xb5cad379]
[0xb5cad379]
[0xb5caa207]
/opt/sun-jdk-1.6.0/jre/lib/i386/client/libjvm.so[0x620967d]
/opt/sun-jdk-1.6.0/jre/lib/i386/client/libjvm.so[0x63057d8]
/opt/sun-jdk-1.6.0/jre/lib/i386/client/libjvm.so[0x6208f90]
/opt/sun-jdk-1.6.0/jre/lib/i386/client/libjvm.so[0x620901d]
/opt/sun-jdk-1.6.0/jre/lib/i386/client/libjvm.so[0x6279215]
/opt/sun-jdk-1.6.0/jre/lib/i386/client/libjvm.so[0x638035f]
/opt/sun-jdk-1.6.0/jre/lib/i386/client/libjvm.so[0x63066b3]
/lib/libpthread.so.0[0xb7eda4bb]
/lib/libc.so.6(__clone+0x5e)[0xb7e5c1be]
======= Memory map: ========
Aborted

REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
import javax.swing.*;

public class foo {

   public static void main(String[] args) {
      JFrame f= new JFrame();
      JList l= new JList();
      l.setListData(new String[] {"foo"});
      f.add(l);
      f.setVisible(true);
      while(true)
         l.setFont(l.getFont().deriveFont(Float.NaN));
   }

}

---------- END SOURCE ----------

CUSTOMER SUBMITTED WORKAROUND :
Checking for NaN before assigning the new font will fix the problem.

                                    

Comments
EVALUATION

This was introduced in fixing
6357987 : Java2D Graphics transform with NaN SEGV in T2K font rasteriser on Linux

The fix detected the NaN scenario and installs a singleton dummy scaler context
which is not supposed to be freed. But it is freed each time and that needs fixing.
                                     
2007-01-18
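
The ownership rule described in the evaluation, modelled in C as an added example. This is not JDK source: `ScalerContext`, `context_create`, `context_release` and the statically allocated sentinel are hypothetical names and assumptions, and the guard is generalized to cover infinite sizes as well as NaN.

```c
#include <math.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for a font scaler context; not the JDK's struct. */
typedef struct ScalerContext { float point_size; } ScalerContext;

/* Singleton handed out for unusable sizes. Assumed here to have static
   storage; it is shared by every caller and must never reach free(). */
static ScalerContext null_context = { 0.0f };
static int live_contexts = 0;          /* heap contexts currently allocated */

int is_null_context(const ScalerContext *ctx) { return ctx == &null_context; }

ScalerContext *context_create(float point_size) {
    if (!isfinite(point_size))
        return &null_context;          /* NaN or infinity: shared sentinel */
    ScalerContext *ctx = malloc(sizeof *ctx);
    if (ctx == NULL)
        return &null_context;          /* allocation failure: same sentinel */
    ctx->point_size = point_size;
    live_contexts++;
    return ctx;
}

/* Release path with the identity check; without it the sentinel is handed to
   free() on every release. Returns 1 if heap memory was freed, else 0. */
int context_release(ScalerContext *ctx) {
    if (ctx == NULL || is_null_context(ctx))
        return 0;
    free(ctx);
    live_contexts--;
    return 1;
}

/* Same shape as the reproducer's loop: create with NaN, release, repeat. */
int stress_nan(int rounds) {
    int freed = 0;
    for (int i = 0; i < rounds; i++)
        freed += context_release(context_create(NAN));
    return freed;
}

int main(void) {
    ScalerContext *real = context_create(12.0f);
    printf("sentinel frees: %d\n", stress_nan(100000));
    printf("real freed: %d\n", context_release(real));
    return 0;
}
```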


