JDK-6539626 : freed MSG structure seems to cause access violation in 1.4.2
  • Type: Bug
  • Component: client-libs
  • Sub-Component: java.awt
  • Affected Version: 1.4.2_14
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • OS: windows_xp
  • CPU: x86
  • Submitted: 2007-03-28
  • Updated: 2011-02-16
  • Resolved: 2008-04-03
Version table:
  Other: 1.4.2_17-rev (Fixed)
  Other: 1.4.2_18 b05 (Fixed)
Description
An applet terminates abnormally at our customer site.
This occurs when the applet invokes a pop-up window and the "delete" key
is pressed.

CONFIGURATION :
 OS  : WindowsXP SP2
 JRE : 1.4.2_05

INVESTIGATION :
For all the 1.4.2_XX releases, there seems to be the following problem.

The implementation of AwtComponent::WmKeyDown is as follows.

---- ./j2se/src/windows/native/sun/windows/awt_Component.c --->
.....

    MSG* msg = CreateMessage((system ? WM_SYSKEYDOWN : WM_KEYDOWN),
                             wkey, MAKELPARAM(repCnt, flags));

    UINT modifiers = GetJavaModifiers();
    jint keyLocation = GetKeyLocation(wkey, flags);
    UINT jkey = WindowsKeyToJavaKey(wkey, modifiers);
    UINT character = WindowsKeyToJavaChar(wkey, modifiers, SAVE);

    SendKeyEventToFocusOwner(java_awt_event_KeyEvent_KEY_PRESSED,
                             nowMillisUTC(msg->time), jkey, character,
                             modifiers, keyLocation, msg);

    // bugid 4724007: Windows does not create a WM_CHAR for the Del key 
    // for some reason, so we need to create the KEY_TYPED event on the 
    // WM_KEYDOWN.  Use null msg so the character doesn't get sent back 
    // to the native window for processing (this event is synthesized 
    // for Java - we don't want Windows trying to process it).  
    if (jkey == java_awt_event_KeyEvent_VK_DELETE) {
        SendKeyEventToFocusOwner(java_awt_event_KeyEvent_KEY_TYPED,
                                 nowMillisUTC(msg->time), 
                                 java_awt_event_KeyEvent_VK_UNDEFINED, 
                                 character, modifiers, 
                                 java_awt_event_KeyEvent_KEY_LOCATION_UNKNOWN); 
    }
....

<-----

The MSG structure is created ("new"ed) in CreateMessage() and deleted in SendKeyEvent(),
which is called from SendKeyEventToFocusOwner().

---->
void AwtComponent::SendKeyEvent(jint id, jlong when, jint raw, jint cooked,
                                jint modifiers, jint keyLocation, MSG *pMsg)
.........
    if (pMsg != NULL) {
        AwtAWTEvent::saveMSG(env, pMsg, keyEvent);
        delete pMsg;
    }
    SendEvent(keyEvent);
........
<----

When the "delete" key is pressed, the value of msg is invalid in the 2nd
SendKeyEventToFocusOwner() because msg has been "delete"ed.
(This has been confirmed with a debugger.)

When the application is running in a heavily loaded environment, msg cannot be
accessed correctly and an access violation occurs at "msg->time".

Comments
EVALUATION Fixed via 1.4.2_17-rev-b10.
03-04-2008

EVALUATION The fix looks fine, but with a little change:

---->
    DWORD when = msg->time;
    SendKeyEventToFocusOwner(java_awt_event_KeyEvent_KEY_PRESSED,
                             nowMillisUTC(when), jkey, character,
                             modifiers, keyLocation, msg);

    if (jkey == java_awt_event_KeyEvent_VK_DELETE) {
        SendKeyEventToFocusOwner(java_awt_event_KeyEvent_KEY_TYPED,
                                 nowMillisUTC(when),
                                 java_awt_event_KeyEvent_VK_UNDEFINED,
                                 character, modifiers,
                                 java_awt_event_KeyEvent_KEY_LOCATION_UNKNOWN);
    }
<----

So that there is no time gap when the method nowMillisUTC is called.
16-08-2007
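
A small C++ model of the ownership problem in this report, added here as an illustration and not taken from the JDK source: `Msg`, the live-address registry and all function names are assumptions made for the example. The callee consumes and frees the message, so a second read of `msg->time` either fails a liveness check (original order) or uses a value copied before the hand-over (the order proposed in the evaluation).

```cpp
#include <stdint.h>
#include <set>
#include <vector>

struct Msg { uint32_t time; };              // constructed stand-in for the Win32 MSG
enum EventId { KEY_PRESSED, KEY_TYPED };    // stand-ins for the KeyEvent ids
struct Event { EventId id; uint32_t when; };

std::set<uintptr_t> g_live;                 // addresses of Msg objects not yet freed
std::vector<Event> g_events;                // events delivered so far

Msg* create_message(uint32_t time) {
    Msg* m = new Msg{time};
    g_live.insert(reinterpret_cast<uintptr_t>(m));
    return m;
}

// Same contract as SendKeyEvent on the page: a non-null pMsg is consumed and deleted.
void send_key_event(EventId id, uint32_t when, Msg* pMsg) {
    if (pMsg != nullptr) {
        g_live.erase(reinterpret_cast<uintptr_t>(pMsg));
        delete pMsg;
    }
    g_events.push_back(Event{id, when});
}

// Guarded read of msg->time: refuses to touch an object that was already freed.
bool time_if_live(uintptr_t addr, uint32_t* out) {
    if (g_live.count(addr) == 0) return false;
    *out = reinterpret_cast<const Msg*>(addr)->time;
    return true;
}

// Delete-key path. copy_first=false keeps the original order (second read of
// msg->time after the callee freed msg); copy_first=true reuses the saved copy.
// Returns false when the second read would have hit freed memory.
bool wm_key_down_delete(uint32_t time, bool copy_first) {
    Msg* msg = create_message(time);
    const uintptr_t addr = reinterpret_cast<uintptr_t>(msg);
    uint32_t when = msg->time;              // valid: nothing has consumed msg yet
    send_key_event(KEY_PRESSED, when, msg); // msg is freed inside this call
    if (!copy_first && !time_if_live(addr, &when)) return false;
    send_key_event(KEY_TYPED, when, nullptr);
    return true;
}

int main() {
    return (!wm_key_down_delete(1234u, false) && wm_key_down_delete(5678u, true)) ? 0 : 1;
}
```

The registry only makes the stale access observable in the model; in the real code the same read goes straight to freed heap memory, which is why the failure appears only intermittently under load.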