Bug ID: JDK-6539626 freed MSG structure seems to cause access violation in 1.4.2

Details
Type: Bug
Submit Date: 2007-03-28
Status: Resolved
Updated Date: 2011-02-16
Project Name: JDK
Resolved Date: 2008-04-03
Component: client-libs
OS: windows_xp
Sub-Component: java.awt
CPU: x86
Priority: P3
Resolution: Fixed
Affected Versions: 1.4.2_14
Fixed Versions: 1.4.2_18 (b05)

Description
An applet terminates abnormally at our customer site.
This occurs when the applet invokes a pop-up window and the "delete" key
is pressed.

CONFIGURATION :
 OS  : WindowsXP SP2
 JRE : 1.4.2_05

INVESTIGATION :
For all the 1.4.2_XX releases, there seems to be the following problem.

The implementation of AwtComponent::WmKeyDown is as follows.

---- ./j2se/src/windows/native/sun/windows/awt_Component.c --->
.....

    MSG* msg = CreateMessage((system ? WM_SYSKEYDOWN : WM_KEYDOWN),
                             wkey, MAKELPARAM(repCnt, flags));

    UINT modifiers = GetJavaModifiers();
    jint keyLocation = GetKeyLocation(wkey, flags);
    UINT jkey = WindowsKeyToJavaKey(wkey, modifiers);
    UINT character = WindowsKeyToJavaChar(wkey, modifiers, SAVE);

    SendKeyEventToFocusOwner(java_awt_event_KeyEvent_KEY_PRESSED,
                             nowMillisUTC(msg->time), jkey, character,
                             modifiers, keyLocation, msg);

    // bugid 4724007: Windows does not create a WM_CHAR for the Del key 
    // for some reason, so we need to create the KEY_TYPED event on the 
    // WM_KEYDOWN.  Use null msg so the character doesn't get sent back 
    // to the native window for processing (this event is synthesized 
    // for Java - we don't want Windows trying to process it).  
    if (jkey == java_awt_event_KeyEvent_VK_DELETE) {
        SendKeyEventToFocusOwner(java_awt_event_KeyEvent_KEY_TYPED,
                                 nowMillisUTC(msg->time), 
                                 java_awt_event_KeyEvent_VK_UNDEFINED, 
                                 character, modifiers, 
                                 java_awt_event_KeyEvent_KEY_LOCATION_UNKNOWN); 
    }
....

<-----

The MSG structure is created ("new"ed) in CreateMessage() and deleted in SendKeyEvent(),
which is called from SendKeyEventToFocusOwner().

---->
void AwtComponent::SendKeyEvent(jint id, jlong when, jint raw, jint cooked,
                                jint modifiers, jint keyLocation, MSG *pMsg)
.........
    if (pMsg != NULL) {
        AwtAWTEvent::saveMSG(env, pMsg, keyEvent);
        delete pMsg;
    }
    SendEvent(keyEvent);
........
<----

When the "delete" key is pressed, the value of msg is invalid in the 2nd
SendKeyEventToFocusOwner() call because msg has been "delete"ed.
(This has been confirmed with a debugger.)

When the application is running in a heavily loaded environment, msg cannot be
accessed correctly and an access violation occurs at "msg->time".

                                    

Comments
EVALUATION

The fix looks fine, but with a little change:

    DWORD when = msg->time;
    SendKeyEventToFocusOwner(java_awt_event_KeyEvent_KEY_PRESSED,
                             nowMillisUTC(when), jkey, character,
                             modifiers, keyLocation, msg);

    if (jkey == java_awt_event_KeyEvent_VK_DELETE) {
        SendKeyEventToFocusOwner(java_awt_event_KeyEvent_KEY_TYPED,
                                 nowMillisUTC(when),
                                 java_awt_event_KeyEvent_VK_UNDEFINED,
                                 character, modifiers,
                                 java_awt_event_KeyEvent_KEY_LOCATION_UNKNOWN);
    }

So that there is no time gap when the method nowMillisUTC is called.
                                     
2007-08-16
EVALUATION

Fixed via 1.4.2_17-rev-b10.
                                     
2008-04-03
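
The ownership pattern in this report, modelled in C as an added example (not JDK code and not part of the original report): the callee releases the message it is handed, so any field the caller needs afterwards has to be copied first. All names are constructed stand-ins, and a static pool with a live flag replaces new/delete (an assumption of this sketch) so the stale read can be counted instead of invoking undefined behaviour.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the names in the report; not JDK code. */
enum { VK_DELETE_KEY = 0x2E, POOL_SLOTS = 4 };
#define POISON_TIME 0xDDDDDDDDu  /* pattern written when a slot is released */

typedef struct { uint32_t time; int live; } Msg;
static Msg pool[POOL_SLOTS];     /* static storage: a stale read is countable */
static int stale_reads;          /* reads made through a released message */
static uint32_t last_when;       /* timestamp carried by the last event sent */

static Msg *create_message(uint32_t now) {
    for (int i = 0; i < POOL_SLOTS; i++)
        if (!pool[i].live) { pool[i].time = now; pool[i].live = 1; return &pool[i]; }
    return NULL;                 /* not reached here: every message is released */
}
/* Checked accessor standing in for "msg->time". */
static uint32_t msg_time(const Msg *m) {
    if (!m->live) stale_reads++;
    return m->time;
}
/* Like SendKeyEvent in the report: consumes (releases) a non-NULL message. */
static void send_key_event(uint32_t when, Msg *m) {
    last_when = when;
    if (m != NULL) { m->live = 0; m->time = POISON_TIME; }
}
/* Description's pattern: msg is read again after the first send released it. */
uint32_t key_down_before(int key, uint32_t now) {
    Msg *msg = create_message(now);
    send_key_event(msg_time(msg), msg);
    if (key == VK_DELETE_KEY)
        send_key_event(msg_time(msg), NULL);   /* stale read */
    return last_when;
}
/* Evaluation's pattern: copy the field before ownership is handed over. */
uint32_t key_down_after(int key, uint32_t now) {
    Msg *msg = create_message(now);
    uint32_t when = msg_time(msg);
    send_key_event(when, msg);
    if (key == VK_DELETE_KEY)
        send_key_event(when, NULL);
    return last_when;
}
int stale_read_count(void) { return stale_reads; }

int main(void) {
    uint32_t fixed = key_down_after(VK_DELETE_KEY, 1000u);
    uint32_t buggy = key_down_before(VK_DELETE_KEY, 3000u);
    printf("after: %u  before: 0x%X  stale reads: %d\n",
           (unsigned)fixed, (unsigned)buggy, stale_read_count());
    return 0;
}
```

With a real heap the stale read in the first variant may return the old value, garbage, or fault, which matches the report's observation that the access violation appears only under load.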


