JDK-6301771 : REGRESSION: VM crashed when a image of particular size is drawn on a Canvas
  • Type: Bug
  • Component: client-libs
  • Sub-Component: 2d
  • Affected Version: 2.0,5.0,5.0u2
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • OS: generic,solaris_10,windows_2000,windows_xp
  • CPU: generic,x86
  • Submitted: 2005-07-26
  • Updated: 2010-04-04
  • Resolved: 2005-09-06
Version table:
  • Other: 5.0u6 (Fixed)
  • JDK 6: 6 b51 (Fixed)
Related Reports
Duplicate :  
Duplicate :  
Description
FULL PRODUCT VERSION :
java version "1.5.0_03"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_03-b07)
Java HotSpot(TM) Client VM (build 1.5.0_03-b07, mixed mode, sharing)


ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows XP [Version 5.1.2600]

EXTRA RELEVANT SYSTEM CONFIGURATION :
Happens in all Windows XP machines

A DESCRIPTION OF THE PROBLEM :

The application draws a jpeg image of size "360 x 510" pixels on a canvas at x=6, y=6, width=84 and height=119, using the following code.

g.drawImage(img,rect.x, rect.y, rect.width, rect.height,0,0,img.getWidth(null),img.getHeight(null), this);

Application crashes when "drawImage" is called.

Note that if an image of size "510x360" pixels is drawn using the same code at x=6, y=6, width=119 and height=84, then the image is displayed as tiled horizontally.

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Launch this application in JRE1.5.0_02 or JRE1.5.0_03.
2. This displays an application main window.
3. Click on the "Load File" button and load a 360 x 510 pixel jpg image (you can use a gif image too).
4. The application will crash.
The above can be reproduced with image size of 255 x 255 also.
#This problem does not happen with JRE versions before JRE1.5.0_02

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The image should be painted on the screen

ACTUAL -
Application crashes

ERROR MESSAGES/STACK TRACES THAT OCCUR :
#
# An unexpected error has been detected by HotSpot Virtual Machine:
#
#  EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x6d022110, pid=416, tid=592
#
# Java VM: Java HotSpot(TM) Client VM (1.5.0_03-b07 mixed mode, sharing)
# Problematic frame:
# C  [awt.dll+0x22110]
#

---------------  T H R E A D  ---------------

Current thread (0x10e4d818):  JavaThread "AWT-EventQueue-0" [_thread_in_native, id=592]

siginfo: ExceptionCode=0xc0000005, reading address 0x22fa5c38

Registers:
EAX=0x22fa5c30, EBX=0x00000002, ECX=0x00000017, EDX=0x0133ecae
ESP=0x1167f30c, EBP=0x1167f4f8, ESI=0x141783b0, EDI=0x0000009f
EIP=0x6d022110, EFLAGS=0x00010202

  Top of Stack: (sp=0x1167f30c)
0x1167f30c:   0267d95b 00000017 00000006 6d0023f6
0x1167f31c:   22fe5434 000003fc 0000009f 0000006a
0x1167f32c:   0133ecae 80b3ec85 0267d95b 0267d95b
0x1167f33c:   00000017 00000000 1167f408 6d11f2d8
0x1167f34c:   1167f3fc 10e4d818 2ab86158 2b3f5208
0x1167f35c:   0267d95b 0133ecae 0267d95b 00000006
0x1167f36c:   1167f3e8 6d11f2d8 10e4fe70 00aa5ed8
0x1167f37c:   000000ff 0133ecae 404a8000 10e4d818

Instructions: (pc=0x6d022110)
0x6d022100:   24 20 0f af 44 24 14 03 c3 8b da 83 c6 04 d3 fb
0x6d022110:   8b 1c 98 89 5e fc 8b 5c 24 28 03 d3 4f 75 ea 8b


Stack: [0x11640000,0x11680000),  sp=0x1167f30c,  free space=252k
Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
C  [awt.dll+0x22110]
j  sun.java2d.loops.ScaledBlit.Scale(Lsun/java2d/SurfaceData;Lsun/java2d/SurfaceData;Ljava/awt/Composite;Lsun/java2d/pipe/Region;IIIIDDDD)V+0
j  sun.java2d.pipe.DrawImage.scaleSurfaceData(Lsun/java2d/SunGraphics2D;Lsun/java2d/pipe/Region;Lsun/java2d/SurfaceData;Lsun/java2d/SurfaceData;Lsun/java2d/loops/SurfaceType;Lsun/java2d/loops/SurfaceType;IIIIDDDD)Z+72
j  sun.java2d.pipe.DrawImage.renderImageScale(Lsun/java2d/SunGraphics2D;Ljava/awt/Image;Ljava/awt/Color;IIIIIDDDD)Z+95
j  sun.java2d.pipe.DrawImage.scaleImage(Lsun/java2d/SunGraphics2D;Ljava/awt/Image;IIIIIIIILjava/awt/Color;)Z+248
j  sun.java2d.pipe.DrawImage.scaleImage(Lsun/java2d/SunGraphics2D;Ljava/awt/Image;IIIIIIIILjava/awt/Color;Ljava/awt/image/ImageObserver;)Z+27
j  sun.java2d.SunGraphics2D.drawImage(Ljava/awt/Image;IIIIIIIILjava/awt/Color;Ljava/awt/image/ImageObserver;)Z+182
j  sun.awt.image.ImageRepresentation.drawToBufImage(Ljava/awt/Graphics;Lsun/awt/image/ToolkitImage;IIIIIIIILjava/awt/Color;Ljava/awt/image/ImageObserver;)Z+164
j  sun.java2d.pipe.DrawImage.scaleImage(Lsun/java2d/SunGraphics2D;Ljava/awt/Image;IIIIIIIILjava/awt/Color;Ljava/awt/image/ImageObserver;)Z+80
j  sun.java2d.SunGraphics2D.drawImage(Ljava/awt/Image;IIIIIIIILjava/awt/Color;Ljava/awt/image/ImageObserver;)Z+182
j  sun.java2d.SunGraphics2D.drawImage(Ljava/awt/Image;IIIIIIIILjava/awt/image/ImageObserver;)Z+19
j  ScaledBltCrash$ImageCanvas.paint(Ljava/awt/Graphics;)V+83
j  sun.awt.RepaintArea.paintComponent(Ljava/awt/Component;Ljava/awt/Graphics;)V+6
j  sun.awt.RepaintArea.paint(Ljava/lang/Object;Z)V+326
j  sun.awt.windows.WComponentPeer.handleEvent(Ljava/awt/AWTEvent;)V+63
j  java.awt.Component.dispatchEventImpl(Ljava/awt/AWTEvent;)V+765
j  java.awt.Component.dispatchEvent(Ljava/awt/AWTEvent;)V+2
j  java.awt.EventQueue.dispatchEvent(Ljava/awt/AWTEvent;)V+46
j  java.awt.EventDispatchThread.pumpOneEventForHierarchy(ILjava/awt/Component;)Z+233
j  java.awt.EventDispatchThread.pumpEventsForHierarchy(ILjava/awt/Conditional;Ljava/awt/Component;)V+26
j  java.awt.EventDispatchThread.pumpEvents(ILjava/awt/Conditional;)V+4
j  java.awt.EventDispatchThread.pumpEvents(Ljava/awt/Conditional;)V+3
j  java.awt.EventDispatchThread.run()V+9
v  ~StubRoutines::call_stub
V  [jvm.dll+0x818b8]
V  [jvm.dll+0xd431d]
V  [jvm.dll+0x81789]
V  [jvm.dll+0x814e6]
V  [jvm.dll+0x9c06b]
V  [jvm.dll+0xfe7f5]
V  [jvm.dll+0xfe7c3]
C  [MSVCRT.dll+0x27fb8]
C  [kernel32.dll+0x202ed]

Java frames: (J=compiled Java code, j=interpreted, Vv=VM code)
j  sun.java2d.loops.ScaledBlit.Scale(Lsun/java2d/SurfaceData;Lsun/java2d/SurfaceData;Ljava/awt/Composite;Lsun/java2d/pipe/Region;IIIIDDDD)V+0
j  sun.java2d.pipe.DrawImage.scaleSurfaceData(Lsun/java2d/SunGraphics2D;Lsun/java2d/pipe/Region;Lsun/java2d/SurfaceData;Lsun/java2d/SurfaceData;Lsun/java2d/loops/SurfaceType;Lsun/java2d/loops/SurfaceType;IIIIDDDD)Z+72
j  sun.java2d.pipe.DrawImage.renderImageScale(Lsun/java2d/SunGraphics2D;Ljava/awt/Image;Ljava/awt/Color;IIIIIDDDD)Z+95
j  sun.java2d.pipe.DrawImage.scaleImage(Lsun/java2d/SunGraphics2D;Ljava/awt/Image;IIIIIIIILjava/awt/Color;)Z+248
j  sun.java2d.pipe.DrawImage.scaleImage(Lsun/java2d/SunGraphics2D;Ljava/awt/Image;IIIIIIIILjava/awt/Color;Ljava/awt/image/ImageObserver;)Z+27
j  sun.java2d.SunGraphics2D.drawImage(Ljava/awt/Image;IIIIIIIILjava/awt/Color;Ljava/awt/image/ImageObserver;)Z+182
j  sun.awt.image.ImageRepresentation.drawToBufImage(Ljava/awt/Graphics;Lsun/awt/image/ToolkitImage;IIIIIIIILjava/awt/Color;Ljava/awt/image/ImageObserver;)Z+164
j  sun.java2d.pipe.DrawImage.scaleImage(Lsun/java2d/SunGraphics2D;Ljava/awt/Image;IIIIIIIILjava/awt/Color;Ljava/awt/image/ImageObserver;)Z+80
j  sun.java2d.SunGraphics2D.drawImage(Ljava/awt/Image;IIIIIIIILjava/awt/Color;Ljava/awt/image/ImageObserver;)Z+182
j  sun.java2d.SunGraphics2D.drawImage(Ljava/awt/Image;IIIIIIIILjava/awt/image/ImageObserver;)Z+19
j  ScaledBltCrash$ImageCanvas.paint(Ljava/awt/Graphics;)V+83
j  sun.awt.RepaintArea.paintComponent(Ljava/awt/Component;Ljava/awt/Graphics;)V+6
j  sun.awt.RepaintArea.paint(Ljava/lang/Object;Z)V+326
j  sun.awt.windows.WComponentPeer.handleEvent(Ljava/awt/AWTEvent;)V+63
j  java.awt.Component.dispatchEventImpl(Ljava/awt/AWTEvent;)V+765
j  java.awt.Component.dispatchEvent(Ljava/awt/AWTEvent;)V+2
j  java.awt.EventQueue.dispatchEvent(Ljava/awt/AWTEvent;)V+46
j  java.awt.EventDispatchThread.pumpOneEventForHierarchy(ILjava/awt/Component;)Z+233
j  java.awt.EventDispatchThread.pumpEventsForHierarchy(ILjava/awt/Conditional;Ljava/awt/Component;)V+26
j  java.awt.EventDispatchThread.pumpEvents(ILjava/awt/Conditional;)V+4
j  java.awt.EventDispatchThread.pumpEvents(Ljava/awt/Conditional;)V+3
j  java.awt.EventDispatchThread.run()V+9
v  ~StubRoutines::call_stub

---------------  P R O C E S S  ---------------

Java Threads: ( => current thread )
  0x10e51390 JavaThread "Image Fetcher 0" daemon [_thread_in_native, id=904]
  0x00035fd8 JavaThread "DestroyJavaVM" [_thread_blocked, id=284]
=>0x10e4d818 JavaThread "AWT-EventQueue-0" [_thread_in_native, id=592]
  0x10e49408 JavaThread "AWT-Windows" daemon [_thread_in_native, id=3112]
  0x10e49088 JavaThread "AWT-Shutdown" [_thread_blocked, id=2480]
  0x10e45820 JavaThread "Java2D Disposer" daemon [_thread_blocked, id=3128]
  0x00a77b50 JavaThread "Low Memory Detector" daemon [_thread_blocked, id=3312]
  0x00a76728 JavaThread "CompilerThread0" daemon [_thread_blocked, id=2624]
  0x00a75a40 JavaThread "Signal Dispatcher" daemon [_thread_blocked, id=3412]
  0x00a71c08 JavaThread "Finalizer" daemon [_thread_blocked, id=608]
  0x00a70728 JavaThread "Reference Handler" daemon [_thread_blocked, id=3492]

Other Threads:
  0x00a6de88 VMThread [id=1616]
  0x00a78d60 WatcherThread [id=108]

VM state:not at safepoint (normal execution)

VM Mutex/Monitor currently owned by a thread: None

Heap
 def new generation   total 576K, used 312K [0x22ad0000, 0x22b70000, 0x22fb0000)
  eden space 512K,  49% used [0x22ad0000, 0x22b0f280, 0x22b50000)
  from space 64K,  93% used [0x22b50000, 0x22b5ef48, 0x22b60000)
  to   space 64K,   0% used [0x22b60000, 0x22b60000, 0x22b70000)
 tenured generation   total 1408K, used 500K [0x22fb0000, 0x23110000, 0x26ad0000)
   the space 1408K,  35% used [0x22fb0000, 0x2302d2e0, 0x2302d400, 0x23110000)
 compacting perm gen  total 8192K, used 193K [0x26ad0000, 0x272d0000, 0x2aad0000)
   the space 8192K,   2% used [0x26ad0000, 0x26b00610, 0x26b00800, 0x272d0000)
    ro space 8192K,  62% used [0x2aad0000, 0x2afd8850, 0x2afd8a00, 0x2b2d0000)
    rw space 12288K,  46% used [0x2b2d0000, 0x2b85ced8, 0x2b85d000, 0x2bed0000)

Dynamic libraries:
0x00400000 - 0x0040c000 	C:\Program Files\Java\jre1.5.0_03\bin\java.exe
0x77f50000 - 0x77ff9000 	C:\WINDOWS\System32\ntdll.dll
0x77e20000 - 0x77f42000 	C:\WINDOWS\system32\kernel32.dll
0x77d80000 - 0x77e19000 	C:\WINDOWS\system32\ADVAPI32.dll
0x77c70000 - 0x77ce5000 	C:\WINDOWS\system32\RPCRT4.dll
0x77bc0000 - 0x77c13000 	C:\WINDOWS\system32\MSVCRT.dll
0x6d640000 - 0x6d7c6000 	C:\Program Files\Java\jre1.5.0_03\bin\client\jvm.dll
0x77cf0000 - 0x77d7d000 	C:\WINDOWS\system32\USER32.dll
0x77c20000 - 0x77c60000 	C:\WINDOWS\system32\GDI32.dll
0x76af0000 - 0x76b1c000 	C:\WINDOWS\System32\WINMM.dll
0x762e0000 - 0x762fa000 	C:\WINDOWS\System32\IMM32.DLL
0x60740000 - 0x60748000 	C:\WINDOWS\System32\LPK.DLL
0x72ef0000 - 0x72f4a000 	C:\WINDOWS\System32\USP10.dll
0x6d280000 - 0x6d288000 	C:\Program Files\Java\jre1.5.0_03\bin\hpi.dll
0x76ba0000 - 0x76bab000 	C:\WINDOWS\System32\PSAPI.DLL
0x6d610000 - 0x6d61c000 	C:\Program Files\Java\jre1.5.0_03\bin\verify.dll
0x6d300000 - 0x6d31d000 	C:\Program Files\Java\jre1.5.0_03\bin\java.dll
0x6d630000 - 0x6d63f000 	C:\Program Files\Java\jre1.5.0_03\bin\zip.dll
0x6d000000 - 0x6d167000 	C:\Program Files\Java\jre1.5.0_03\bin\awt.dll
0x72f50000 - 0x72f73000 	C:\WINDOWS\System32\WINSPOOL.DRV
0x77160000 - 0x7727a000 	C:\WINDOWS\system32\ole32.dll
0x58730000 - 0x58764000 	C:\WINDOWS\system32\uxtheme.dll
0x51000000 - 0x5104d000 	C:\WINDOWS\System32\ddraw.dll
0x73b10000 - 0x73b16000 	C:\WINDOWS\System32\DCIMAN32.dll
0x5c000000 - 0x5c0c8000 	C:\WINDOWS\System32\D3DIM700.DLL
0x6d240000 - 0x6d27d000 	C:\Program Files\Java\jre1.5.0_03\bin\fontmanager.dll
0x67320000 - 0x6734f000 	C:\PROGRA~1\COMMON~1\SYMANT~1\ANTISPAM\asOEHook.dll
0x7c340000 - 0x7c396000 	C:\WINDOWS\System32\MSVCR71.dll
0x74660000 - 0x746ab000 	C:\WINDOWS\System32\MSCTF.dll
0x11170000 - 0x1117e000 	C:\Program Files\Sony\Jog Dial Navigator\WMHook.dll
0x63000000 - 0x63014000 	C:\WINDOWS\System32\SynTPFcs.dll
0x77bb0000 - 0x77bb7000 	C:\WINDOWS\system32\VERSION.dll
0x3a700000 - 0x3a754000 	C:\WINDOWS\System32\imjp81.ime
0x648f0000 - 0x649bc000 	C:\WINDOWS\System32\IMJP81K.DLL
0x772f0000 - 0x7737b000 	C:\WINDOWS\system32\COMCTL32.DLL
0x77380000 - 0x77b74000 	C:\WINDOWS\system32\SHELL32.DLL
0x77280000 - 0x772e3000 	C:\WINDOWS\system32\SHLWAPI.dll
0x71950000 - 0x71a34000 	C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll
0x3b100000 - 0x3b11c000 	C:\WINDOWS\IME\IMJP8_1\Dicts\IMJPCD.DIC
0x770d0000 - 0x7715b000 	C:\WINDOWS\system32\oleaut32.dll
0x76300000 - 0x76345000 	C:\WINDOWS\system32\COMDLG32.DLL
0x75e90000 - 0x75ead000 	C:\WINDOWS\system32\appHelp.dll
0x76f80000 - 0x76ff8000 	C:\WINDOWS\System32\CLBCATQ.DLL
0x77000000 - 0x770c5000 	C:\WINDOWS\System32\COMRes.dll
0x76570000 - 0x765be000 	C:\WINDOWS\System32\cscui.dll
0x76550000 - 0x7656b000 	C:\WINDOWS\System32\CSCDLL.dll
0x75ed0000 - 0x75fcc000 	C:\WINDOWS\System32\browseui.dll
0x765c0000 - 0x7670a000 	C:\WINDOWS\System32\SETUPAPI.dll
0x76940000 - 0x76964000 	C:\WINDOWS\System32\ntshrui.dll
0x76ad0000 - 0x76ae5000 	C:\WINDOWS\System32\ATL.DLL
0x71b70000 - 0x71bbf000 	C:\WINDOWS\System32\NETAPI32.dll
0x52880000 - 0x52923000 	C:\WINDOWS\system32\USERENV.dll
0x71700000 - 0x71848000 	C:\WINDOWS\System32\shdocvw.dll
0x6d3c0000 - 0x6d3df000 	C:\Program Files\Java\jre1.5.0_03\bin\jpeg.dll

VM Arguments:
java_command: ScaledBltCrash

Environment Variables:
JAVA_HOME=c:\j2sdk1.4.0
CLASSPATH=.;.;C:\PROGRA~1\JMF21~1.1\lib\sound.jar;C:\PROGRA~1\JMF21~1.1\lib\jmf.jar;C:\WINDOWS\Java\Classes\Swingall.jar;.;C:\WINDOWS\Java\Classes\PcdrAPI.zip;.;C:\WINDOWS\java\classes;.
PATH=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Justsystem\JSLIB32;C:\Program Files\Sony\SimpleDVDMaker\AS_Libs;C:\jwsdp-1.2\jwsdp-shared\bin
USERNAME=kp-iknow
OS=Windows_NT
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 4, GenuineIntel


---------------  S Y S T E M  ---------------

OS: Windows XP Build 2600

CPU:total 1 family 15, cmov, cx8, fxsr, mmx, sse, sse2, ht

Memory: 4k page, physical 523244k(74836k free), swap 1018048k(525376k free)

vm_info: Java HotSpot(TM) Client VM (1.5.0_03-b07) for windows-x86, built on Apr 13 2005 02:07:01 by "java_re" with MS VC++ 6.0


REPRODUCIBILITY :
This bug can be reproduced always.

Release Regression From : 5.0
The above release value was the last known release where this 
bug was known to work. Since then there has been a regression.

Comments
EVALUATION

The code that determines where the "last pixel to be drawn" for a scaled image can overflow an integer when it is operating on a reduction scale of a source image that is near a power of 2 in size. All coordinates that fall anywhere in the source image should be represented by valid 32-bit signed scaled integers, but coordinates that fall outside an image could potentially overflow. The rendering code never calculates the coordinate of any pixel that is not inside the source image, but the clipping code can do so when it speculates "how far can I step before I run off the end of the image". Thus, the clipping code should use longs for those speculative calculations.
11-08-2005
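
The overflow described in the evaluation, worked through with the report's 510-to-119 reduction as an added example (not the JDK's native scaling code). The shift selection, the half-step start position and all function names are assumptions of this model.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed model, not JDK code: pick the largest shift for which every
   coordinate inside the image still fits in a signed 32-bit value. */
static int choose_shift(int32_t dim) {
    int shift = 0;
    while (((int64_t)dim << (shift + 1)) <= INT32_MAX) shift++;
    return shift;
}

/* Fixed-point source coordinate sampled for destination pixel n,
   computed in 64 bits ("use longs"). Assumed start: half a step. */
static int64_t src_loc64(int32_t src, int32_t dst, int32_t n) {
    int64_t step = ((int64_t)src << choose_shift(src)) / dst;
    return step / 2 + (int64_t)n * step;
}

/* The same coordinate as a 32-bit int would hold it. The wrap is built
   from the low 32 bits so the demo has no signed-overflow UB. */
static int32_t src_loc32(int32_t src, int32_t dst, int32_t n) {
    uint32_t bits = (uint32_t)src_loc64(src, dst, n);
    if (bits & 0x80000000u)
        return (int32_t)(bits & 0x7fffffffu) + INT32_MIN;
    return (int32_t)bits;
}

/* Clip test "is step n still before the end of the image?" */
static int inside32(int32_t src, int32_t dst, int32_t n) {
    int32_t limit = (int32_t)((int64_t)src << choose_shift(src));
    return src_loc32(src, dst, n) < limit;
}
static int inside64(int32_t src, int32_t dst, int32_t n) {
    return src_loc64(src, dst, n) < ((int64_t)src << choose_shift(src));
}

int main(void) {
    /* 510 source pixels reduced to 119; n = 119 is one step past the end. */
    for (int32_t n = 118; n <= 119; n++)
        printf("n=%d loc64=%lld loc32=%d inside32=%d inside64=%d\n", (int)n,
               (long long)src_loc64(510, 119, n), (int)src_loc32(510, 119, n),
               inside32(510, 119, n), inside64(510, 119, n));
    return 0;
}
```

In this model the speculative step at n = 119 wraps negative in 32 bits and still passes the clip test, while the 64-bit comparison rejects it; the 360-to-84 axis never gets close to the limit.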