JDK-6559593 : JVM crashing in fonthandler.dll when transform is Double.NaN and gc() is called
  • Type: Bug
  • Component: client-libs
  • Sub-Component: 2d
  • Affected Version: 6
  • Priority: P4
  • Status: Closed
  • Resolution: Duplicate
  • OS: windows_xp
  • CPU: x86
  • Submitted: 2007-05-18
  • Updated: 2010-04-04
  • Resolved: 2007-05-21
Related Reports
Duplicate :  
JDK-6513889 - java runtime VM double free or corruption segfault
Description
FULL PRODUCT VERSION :
java version "1.6.0_01"
Java(TM) SE Runtime Environment (build 1.6.0_01-b06)
Java HotSpot(TM) Client VM (build 1.6.0_01-b06, mixed mode, sharing)

ADDITIONAL OS VERSION INFORMATION :
Windows XP SP2 [5.1.2600]

A DESCRIPTION OF THE PROBLEM :
Running the test code will produce a crash in fonthandler.dll after about 5 secs( on my computer.. may take longer on others) It only crashes if you include the System.gc() call AND if you have NaN in the transform. If you remove the gc() call  or set the transform to the identity the bug does not occur.

During the attempt to define a test case, multiple crash logs were recorded. The most common crash line was at:

fontmanager.dll+0x26abd

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Run the program, wait about 5 secs for the crash

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The program should run forever until the user quits
ACTUAL -
The JVM crashes about 5 seconds into the execution.

ERROR MESSAGES/STACK TRACES THAT OCCUR :
(Note: our project manager insisted i sanitize some project specific class names)

#
# An unexpected error has been detected by Java Runtime Environment:
#
#  EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x6d2d6819, pid=232, tid=3164
#
# Java VM: Java HotSpot(TM) Client VM (1.6.0_01-b06 mixed mode, sharing)
# Problematic frame:
# C  [fontmanager.dll+0x26819]
#
# If you would like to submit a bug report, please visit:
#   http://java.sun.com/webapps/bugreport/crash.jsp
#

---------------  T H R E A D  ---------------

Current thread (0x04727800):  JavaThread "AWT-EventQueue-0" [_thread_in_native, id=3164]

siginfo: ExceptionCode=0xc0000005, reading address 0xfff75826

Registers:
EAX=0x04707af8, EBX=0xfff756fa, ECX=0x00000000, EDX=0x0604eefc
ESP=0x0604ee38, EBP=0x0604ee58, ESI=0x04707af8, EDI=0xfff756fa
EIP=0x6d2d6819, EFLAGS=0x00010246

  Top of Stack: (sp=0x0604ee38)
0x0604ee38:   00000000 04707af8 04707af8 096b5208
0x0604ee48:   0604ee98 00d465e4 069a1f90 00000000
0x0604ee58:   0604ee98 6d2d6afd 047278e8 0604eefc
0x0604ee68:   04707af8 04707af8 00000000 04727800
0x0604ee78:   2aa77170 2b310bf0 00000000 5554c2f8
0x0604ee88:   00000003 0000000b 0604ef08 00000000
0x0604ee98:   0604eee0 00ccabc1 047278e8 0604eefc
0x0604eea8:   04707af8 00000002 0000003e 0604eeb8

Instructions: (pc=0x6d2d6819)
0x6d2d6809:   57 8b 78 04 89 4d fc 74 06 8d 46 14 50 eb 01 51
0x6d2d6819:   ff b7 2c 01 00 00 e8 b7 d9 fe ff 8b 46 04 89 45


Stack: [0x05c50000,0x06050000),  sp=0x0604ee38,  free space=4091k
Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
C  [fontmanager.dll+0x26819]
C  [fontmanager.dll+0x26afd]
j  sun.font.FileFont.getGlyphImage(JI)J+0
J  sun.font.FileFontStrike.getSlot0GlyphImagePtrs([I[JI)I
J  sun.font.CompositeStrike.getGlyphImagePtrs([I[JI)V
J  sun.font.GlyphList.mapChars(Lsun/java2d/loops/FontInfo;I)Z
J  sun.font.GlyphList.setFromString(Lsun/java2d/loops/FontInfo;Ljava/lang/String;FF)Z
J  sun.java2d.pipe.GlyphListPipe.drawString(Lsun/java2d/SunGraphics2D;Ljava/lang/String;DD)V
J  sun.java2d.pipe.ValidatePipe.drawString(Lsun/java2d/SunGraphics2D;Ljava/lang/String;DD)V
J  sun.java2d.SunGraphics2D.drawString(Ljava/lang/String;II)V
j  net.XXXXXXX.nazca.cad2.PlanEditorView.drawWallFrameText(Ljava/awt/Graphics2D;Lnet/XXXXXXX/nazca/cad2/WallSection;)V+169
J  net.XXXXXXX.nazca.cad2.PlanEditorView.render(Ljava/awt/Graphics2D;)V
j  net.XXXXX.dxfinput.TransformableView.paintChildren(Ljava/awt/Graphics;)V+138
J  javax.swing.JComponent.paint(Ljava/awt/Graphics;)V
j  javax.swing.JComponent.paintToOffscreen(Ljava/awt/Graphics;IIIIII)V+41
j  javax.swing.BufferStrategyPaintManager.paint(Ljavax/swing/JComponent;Ljavax/swing/JComponent;Ljava/awt/Graphics;IIII)Z+157
j  javax.swing.RepaintManager.paint(Ljavax/swing/JComponent;Ljavax/swing/JComponent;Ljava/awt/Graphics;IIII)V+52
J  javax.swing.JComponent._paintImmediately(IIII)V
j  javax.swing.JComponent.paintImmediately(IIII)V+83
J  javax.swing.RepaintManager.paintDirtyRegions(Ljava/util/Map;)V
j  javax.swing.RepaintManager.paintDirtyRegions()V+46
j  javax.swing.RepaintManager.seqPaintDirtyRegions()V+73
j  javax.swing.SystemEventQueueUtilities$ComponentWorkRequest.run()V+36
J  java.awt.event.InvocationEvent.dispatch()V
J  java.awt.EventQueue.dispatchEvent(Ljava/awt/AWTEvent;)V
J  java.awt.EventDispatchThread.pumpOneEventForFilters(I)Z
j  java.awt.EventDispatchThread.pumpEventsForFilter(ILjava/awt/Conditional;Ljava/awt/EventFilter;)V+30
j  java.awt.EventDispatchThread.pumpEventsForHierarchy(ILjava/awt/Conditional;Ljava/awt/Component;)V+11
j  java.awt.EventDispatchThread.pumpEvents(ILjava/awt/Conditional;)V+4
j  java.awt.EventDispatchThread.pumpEvents(Ljava/awt/Conditional;)V+3
j  java.awt.EventDispatchThread.run()V+9
v  ~StubRoutines::call_stub

Java frames: (J=compiled Java code, j=interpreted, Vv=VM code)
j  sun.font.FileFont.getGlyphImage(JI)J+0
J  sun.font.FileFontStrike.getSlot0GlyphImagePtrs([I[JI)I
J  sun.font.CompositeStrike.getGlyphImagePtrs([I[JI)V
J  sun.font.GlyphList.mapChars(Lsun/java2d/loops/FontInfo;I)Z
J  sun.font.GlyphList.setFromString(Lsun/java2d/loops/FontInfo;Ljava/lang/String;FF)Z
J  sun.java2d.pipe.GlyphListPipe.drawString(Lsun/java2d/SunGraphics2D;Ljava/lang/String;DD)V
J  sun.java2d.pipe.ValidatePipe.drawString(Lsun/java2d/SunGraphics2D;Ljava/lang/String;DD)V
J  sun.java2d.SunGraphics2D.drawString(Ljava/lang/String;II)V
j  net.XXXXXXX.nazca.cad2.PlanEditorView.drawWallFrameText(Ljava/awt/Graphics2D;Lnet/XXXXXXX/nazca/cad2/WallSection;)V+169
J  net.XXXXXXX.nazca.cad2.PlanEditorView.render(Ljava/awt/Graphics2D;)V
j  net.XXXXX.dxfinput.TransformableView.paintChildren(Ljava/awt/Graphics;)V+138
J  javax.swing.JComponent.paint(Ljava/awt/Graphics;)V
j  javax.swing.JComponent.paintToOffscreen(Ljava/awt/Graphics;IIIIII)V+41
j  javax.swing.BufferStrategyPaintManager.paint(Ljavax/swing/JComponent;Ljavax/swing/JComponent;Ljava/awt/Graphics;IIII)Z+157
j  javax.swing.RepaintManager.paint(Ljavax/swing/JComponent;Ljavax/swing/JComponent;Ljava/awt/Graphics;IIII)V+52
J  javax.swing.JComponent._paintImmediately(IIII)V
j  javax.swing.JComponent.paintImmediately(IIII)V+83
J  javax.swing.RepaintManager.paintDirtyRegions(Ljava/util/Map;)V
j  javax.swing.RepaintManager.paintDirtyRegions()V+46
j  javax.swing.RepaintManager.seqPaintDirtyRegions()V+73
j  javax.swing.SystemEventQueueUtilities$ComponentWorkRequest.run()V+36
J  java.awt.event.InvocationEvent.dispatch()V
J  java.awt.EventQueue.dispatchEvent(Ljava/awt/AWTEvent;)V
J  java.awt.EventDispatchThread.pumpOneEventForFilters(I)Z
j  java.awt.EventDispatchThread.pumpEventsForFilter(ILjava/awt/Conditional;Ljava/awt/EventFilter;)V+30
j  java.awt.EventDispatchThread.pumpEventsForHierarchy(ILjava/awt/Conditional;Ljava/awt/Component;)V+11
j  java.awt.EventDispatchThread.pumpEvents(ILjava/awt/Conditional;)V+4
j  java.awt.EventDispatchThread.pumpEvents(Ljava/awt/Conditional;)V+3
j  java.awt.EventDispatchThread.run()V+9
v  ~StubRoutines::call_stub

---------------  P R O C E S S  ---------------

Java Threads: ( => current thread )
  0x046b7400 JavaThread "Busy Wait Thread method('drawPlan2') with params() on object net.XXXXX.XXXXXX.wfproto.gui.WFProtoFrame[frame0,50,50,1180x924,invalid,layout=java.awt.BorderLayout,title=InfoFrame Integrated Steel House Frame Designer - Release: DEVELOPMENT BUILD,resizable,normal,defaultCloseOperation=DO_NOTHING_ON_CLOSE,rootPane=javax.swing.JRootPane[,4,30,1172x890,invalid,layout=javax.swing.JRootPane$RootLayout,alignmentX=0.0,alignmentY=0.0,border=,flags=16777673,maximumSize=,minimumSize=,preferredSize=],rootPaneCheckingEnabled=true]" [_thread_blocked, id=700]
  0x00386400 JavaThread "DestroyJavaVM" [_thread_blocked, id=1616]
  0x0304a800 JavaThread "TimerQueue" daemon [_thread_blocked, id=2696]
=>0x04727800 JavaThread "AWT-EventQueue-0" [_thread_in_native, id=3164]
  0x04680400 JavaThread "AWT-Windows" daemon [_thread_in_native, id=2124]
  0x0467f400 JavaThread "AWT-Shutdown" [_thread_blocked, id=268]
  0x0467e800 JavaThread "Java2D Disposer" daemon [_thread_blocked, id=1112]
  0x02facc00 JavaThread "Low Memory Detector" daemon [_thread_blocked, id=876]
  0x02fa8000 JavaThread "CompilerThread0" daemon [_thread_blocked, id=4092]
  0x02fa6c00 JavaThread "Attach Listener" daemon [_thread_blocked, id=1208]
  0x02fa6000 JavaThread "Signal Dispatcher" daemon [_thread_blocked, id=1132]
  0x02fa1800 JavaThread "Finalizer" daemon [_thread_blocked, id=2336]
  0x02f9d000 JavaThread "Reference Handler" daemon [_thread_blocked, id=1320]

Other Threads:
  0x02f94000 VMThread [id=1760]
  0x02fb7800 WatcherThread [id=3116]

VM state:not at safepoint (normal execution)

VM Mutex/Monitor currently owned by a thread: None

Heap
 def new generation   total 1152K, used 317K [0x06960000, 0x06a90000, 0x090c0000)
  eden space 1088K,  25% used [0x06960000, 0x069a4738, 0x06a70000)
  from space 64K,  67% used [0x06a70000, 0x06a7acf0, 0x06a80000)
  to   space 64K,   0% used [0x06a80000, 0x06a80000, 0x06a90000)
 tenured generation   total 13772K, used 6146K [0x090c0000, 0x09e33000, 0x26960000)
   the space 13772K,  44% used [0x090c0000, 0x096c08d8, 0x096c0a00, 0x09e33000)
 compacting perm gen  total 12288K, used 5659K [0x26960000, 0x27560000, 0x2a960000)
   the space 12288K,  46% used [0x26960000, 0x26ee6dc0, 0x26ee6e00, 0x27560000)
    ro space 8192K,  62% used [0x2a960000, 0x2ae5e4e8, 0x2ae5e600, 0x2b160000)
    rw space 12288K,  52% used [0x2b160000, 0x2b7a0e78, 0x2b7a1000, 0x2bd60000)

Dynamic libraries:
0x00400000 - 0x00423000 	C:\Program Files\Java\jre1.6.0_01\bin\javaw.exe
0x7c900000 - 0x7c9b0000 	C:\WINDOWS\system32\ntdll.dll
0x7c800000 - 0x7c8f4000 	C:\WINDOWS\system32\kernel32.dll
0x77dd0000 - 0x77e6b000 	C:\WINDOWS\system32\ADVAPI32.dll
0x77e70000 - 0x77f01000 	C:\WINDOWS\system32\RPCRT4.dll
0x7e410000 - 0x7e4a0000 	C:\WINDOWS\system32\USER32.dll
0x77f10000 - 0x77f57000 	C:\WINDOWS\system32\GDI32.dll
0x7c340000 - 0x7c396000 	C:\Program Files\Java\jre1.6.0_01\bin\msvcr71.dll
0x6d7c0000 - 0x6da07000 	C:\Program Files\Java\jre1.6.0_01\bin\client\jvm.dll
0x76b40000 - 0x76b6d000 	C:\WINDOWS\system32\WINMM.dll
0x6d310000 - 0x6d318000 	C:\Program Files\Java\jre1.6.0_01\bin\hpi.dll
0x76bf0000 - 0x76bfb000 	C:\WINDOWS\system32\PSAPI.DLL
0x6d770000 - 0x6d77c000 	C:\Program Files\Java\jre1.6.0_01\bin\verify.dll
0x6d3b0000 - 0x6d3cf000 	C:\Program Files\Java\jre1.6.0_01\bin\java.dll
0x6d7b0000 - 0x6d7bf000 	C:\Program Files\Java\jre1.6.0_01\bin\zip.dll
0x6d560000 - 0x6d569000 	C:\Program Files\Java\jre1.6.0_01\bin\management.dll
0x6d000000 - 0x6d1c3000 	C:\Program Files\Java\jre1.6.0_01\bin\awt.dll
0x73000000 - 0x73026000 	C:\WINDOWS\system32\WINSPOOL.DRV
0x77c10000 - 0x77c68000 	C:\WINDOWS\system32\msvcrt.dll
0x76390000 - 0x763ad000 	C:\WINDOWS\system32\IMM32.dll
0x774e0000 - 0x7761d000 	C:\WINDOWS\system32\ole32.dll
0x5ad70000 - 0x5ada8000 	C:\WINDOWS\system32\uxtheme.dll
0x73760000 - 0x737a9000 	C:\WINDOWS\system32\ddraw.dll
0x73bc0000 - 0x73bc6000 	C:\WINDOWS\system32\DCIMAN32.dll
0x74720000 - 0x7476b000 	C:\WINDOWS\system32\MSCTF.dll
0x7c9c0000 - 0x7d1d5000 	C:\WINDOWS\system32\shell32.dll
0x77f60000 - 0x77fd6000 	C:\WINDOWS\system32\SHLWAPI.dll
0x773d0000 - 0x774d3000 	C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
0x5d090000 - 0x5d12a000 	C:\WINDOWS\system32\comctl32.dll
0x6d2b0000 - 0x6d303000 	C:\Program Files\Java\jre1.6.0_01\bin\fontmanager.dll
0x6d570000 - 0x6d583000 	C:\Program Files\Java\jre1.6.0_01\bin\net.dll
0x71ab0000 - 0x71ac7000 	C:\WINDOWS\system32\WS2_32.dll
0x71aa0000 - 0x71aa8000 	C:\WINDOWS\system32\WS2HELP.dll
0x71a50000 - 0x71a8f000 	C:\WINDOWS\system32\mswsock.dll
0x662b0000 - 0x66308000 	C:\WINDOWS\system32\hnetcfg.dll
0x58d40000 - 0x58d47000 	C:\WINDOWS\System32\wship6.dll
0x6d590000 - 0x6d599000 	C:\Program Files\Java\jre1.6.0_01\bin\nio.dll
0x77120000 - 0x771ac000 	C:\WINDOWS\system32\OLEAUT32.DLL
0x71a90000 - 0x71a98000 	C:\WINDOWS\System32\wshtcpip.dll

VM Arguments:
jvm_args: -Xmx512m -Xss4m -Dsun.java2d.debugfonts=true
java_command: net.XXXXX.XXXXXX.wfproto.WFProto -debug
Launcher Type: SUN_STANDARD

Environment Variables:
PATH=C:\Program Files\Java\jre1.6.0_01\bin;C:\jvmstat\bat;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\GTK\2.0\bin;C:\Program Files\IDM Computer Solutions\UEStudio '06;C:\PROGRA~1\ATT\Graphviz\bin;C:\Program Files\doxygen\bin;C:\ejp\lib
USERNAME=Glen
OS=Windows_NT
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 3, GenuineIntel



---------------  S Y S T E M  ---------------

OS: Windows XP Build 2600 Service Pack 2

CPU:total 2 family 15, cmov, cx8, fxsr, mmx, sse, sse2, ht

Memory: 4k page, physical 1015276k(230032k free), swap 2469756k(1825720k free)

vm_info: Java HotSpot(TM) Client VM (1.6.0_01-b06) for windows-x86, built on Mar 14 2007 00:24:02 by "java_re" with unknown MS VC++:1310




REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
import java.awt.Dimension;
import java.awt.Graphics;
import java.awt.Graphics2D;
import java.awt.event.ActionEvent;
import java.awt.event.ActionListener;
import java.awt.geom.AffineTransform;

import javax.swing.JFrame;
import javax.swing.JPanel;
import javax.swing.Timer;

public class Main
{
	public static void main(String[] args)
	{
		final JFrame frame = new JFrame("Hello World");

		JPanel p = new JPanel()
		{
			@Override
			public void paintComponent(Graphics g)
			{
				super.paintComponent(g);
				
				Graphics2D g2 = (Graphics2D)g;

				AffineTransform oldXForm = g2.getTransform();

				AffineTransform xform = new AffineTransform(Double.NaN, Double.NaN, Double.NaN, Double.NaN, Double.NaN, Double.NaN);
				g2.setTransform(xform);
				g.drawString("crashcrash", 100, 200);

				g2.setTransform(oldXForm);
			}
			
		};
		
		frame.add(p);
		frame.setPreferredSize(new Dimension(500,500));
		
		final Timer t2 = new Timer(1, new ActionListener() {
			public void actionPerformed(ActionEvent e)
			{
				System.gc();
				frame.repaint();
			}
		});
		t2.start();

		frame.pack();
		
		frame.setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE);
		frame.setVisible(true);
	}
}

---------- END SOURCE ----------

CUSTOMER SUBMITTED WORKAROUND :
Check if the affine transform has a NaN in it and if it does set the transform to the identity.
Comments
EVALUATION Reproducible with 6u1 but not 6u2 which contains the fix for 6513889. Closing as a dup.
21-05-2007