JDK-8242498 : Invalid "sun.awt.TimedWindowEvent" object leads to JVM crash
  • Type: Bug
  • Component: client-libs
  • Sub-Component: java.awt
  • Affected Version: 7,8,11,14,15
  • Priority: P2
  • Status: Closed
  • Resolution: Fixed
  • OS: windows
  • Submitted: 2020-04-10
  • Updated: 2020-07-24
  • Resolved: 2020-04-20
Version table:
  • JDK 11: 11.0.8-oracle, Fixed
  • JDK 13: 13.0.4, Fixed
  • JDK 14: 14.0.2, Fixed
  • JDK 15: 15 b21, Fixed
  • JDK 7: 7u271, Fixed
  • JDK 8: 8u261, Fixed
  • Other: openjdk8u272, Fixed
Description
FULL PRODUCT VERSION :
JDK 15

ADDITIONAL OS VERSION INFORMATION :
MS Windows 10 OS

A DESCRIPTION OF THE PROBLEM :
Passing a "java.awt.Component" object instead of an object of the expected type "java.awt.Window" to the constructor "TimedWindowEvent(Window source, int id, Window opposite, int oldState, int newState, long time)" of the class "sun.awt.TimedWindowEvent" through JNI invocation in the "AwtWindow::SendWindowEvent(jint, HWND, jint, jint)" C++ method allows an invalid "sun.awt.TimedWindowEvent" instance to be created, which leads to a JVM crash when it is processed in the Java method "java.awt.DefaultKeyboardFocusManager.dispatchEvent(AWTEvent)". The crash occurs during an attempt to call the method "java.awt.Window.getTemporaryLostComponent()" on the object retrieved from the invalid instance of "TimedWindowEvent" through the method "getOppositeWindow()", because the returned "java.awt.Window" object is at runtime in fact an instance of the "java.awt.Component" class, which does not have a "getTemporaryLostComponent()" method.

ERROR MESSAGES/STACK TRACES THAT OCCUR :

---------- Part of JVM error log from the attached file "hs_err_pid5836.log" ----------

#
# A fatal error has been detected by the Java Runtime Environment:
#
#  EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x00007ffee4f399fb, pid=5836, tid=7276
#
# JRE version: Java(TM) SE Runtime Environment (15.0+10) (build 15-ea+10-316)
# Java VM: Java HotSpot(TM) 64-Bit Server VM (15-ea+10-316, mixed mode, sharing, tiered, compressed oops, g1 gc, windows-amd64)
# Problematic frame:
# V  [jvm.dll+0x4d99fb]
#
# No core dump will be written. Minidumps are not enabled by default on client versions of Windows
#
# If you would like to submit a bug report, please visit:
#   https://bugreport.java.com/bugreport/crash.jsp
#

---------------  S U M M A R Y ------------

Command Line: Foreground

Host: Intel(R) Core(TM) i7-6660U CPU @ 2.40GHz, 2 cores, 5G,  Windows 10 , 64 bit Build 16299 (10.0.16299.15)
Time: Fri Apr 10 16:16:13 2020 GMT Daylight Time elapsed time: 3 seconds (0d 0h 0m 3s)

---------------  T H R E A D  ---------------

Current thread (0x0000028c434d9000):  JavaThread "AWT-EventQueue-0" [_thread_in_vm, id=7276, stack(0x000000f279300000,0x000000f279400000)]

Stack: [0x000000f279300000,0x000000f279400000],  sp=0x000000f2793fdda0,  free space=1015k
Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
V  [jvm.dll+0x4d99fb]
V  [jvm.dll+0x4d7f7f]
V  [jvm.dll+0x323903]
V  [jvm.dll+0x322ebf]
C  0x0000028c2dedd698

Java frames: (J=compiled Java code, j=interpreted, Vv=VM code)
j  java.awt.DefaultKeyboardFocusManager.dispatchEvent(Ljava/awt/AWTEvent;)Z+1455 java.desktop@15-ea
j  java.awt.Component.dispatchEventImpl(Ljava/awt/AWTEvent;)V+131 java.desktop@15-ea
j  java.awt.Container.dispatchEventImpl(Ljava/awt/AWTEvent;)V+42 java.desktop@15-ea
j  java.awt.Window.dispatchEventImpl(Ljava/awt/AWTEvent;)V+19 java.desktop@15-ea
j  java.awt.Component.dispatchEvent(Ljava/awt/AWTEvent;)V+2 java.desktop@15-ea
j  java.awt.EventQueue.dispatchEventImpl(Ljava/awt/AWTEvent;Ljava/lang/Object;)V+41 java.desktop@15-ea
j  java.awt.EventQueue$4.run()Ljava/lang/Void;+32 java.desktop@15-ea
j  java.awt.EventQueue$4.run()Ljava/lang/Object;+1 java.desktop@15-ea
J 480 c1 java.security.AccessController.executePrivileged(Ljava/security/PrivilegedAction;Ljava/security/AccessControlContext;Ljava/lang/Class;)Ljava/lang/Object; java.base@15-ea (65 bytes) @ 0x0000028c2e4fac44 [0x0000028c2e4faae0+0x0000000000000164]
j  java.security.AccessController.doPrivileged(Ljava/security/PrivilegedAction;Ljava/security/AccessControlContext;)Ljava/lang/Object;+13 java.base@15-ea
j  java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Ljava/security/PrivilegedAction;Ljava/security/AccessControlContext;Ljava/security/AccessControlContext;)Ljava/lang/Object;+18 java.base@15-ea
j  java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Ljava/security/PrivilegedAction;Ljava/security/AccessControlContext;)Ljava/lang/Object;+6 java.base@15-ea
j  java.awt.EventQueue$5.run()Ljava/lang/Void;+11 java.desktop@15-ea
j  java.awt.EventQueue$5.run()Ljava/lang/Object;+1 java.desktop@15-ea
J 480 c1 java.security.AccessController.executePrivileged(Ljava/security/PrivilegedAction;Ljava/security/AccessControlContext;Ljava/lang/Class;)Ljava/lang/Object; java.base@15-ea (65 bytes) @ 0x0000028c2e4fac44 [0x0000028c2e4faae0+0x0000000000000164]
j  java.security.AccessController.doPrivileged(Ljava/security/PrivilegedAction;Ljava/security/AccessControlContext;)Ljava/lang/Object;+13 java.base@15-ea
j  java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Ljava/security/PrivilegedAction;Ljava/security/AccessControlContext;Ljava/security/AccessControlContext;)Ljava/lang/Object;+18 java.base@15-ea
j  java.awt.EventQueue.dispatchEvent(Ljava/awt/AWTEvent;)V+73 java.desktop@15-ea
j  java.awt.SequencedEvent.dispatch()V+150 java.desktop@15-ea
j  java.awt.EventQueue.dispatchEventImpl(Ljava/awt/AWTEvent;Ljava/lang/Object;)V+21 java.desktop@15-ea
j  java.awt.EventQueue$4.run()Ljava/lang/Void;+32 java.desktop@15-ea
j  java.awt.EventQueue$4.run()Ljava/lang/Object;+1 java.desktop@15-ea
J 480 c1 java.security.AccessController.executePrivileged(Ljava/security/PrivilegedAction;Ljava/security/AccessControlContext;Ljava/lang/Class;)Ljava/lang/Object; java.base@15-ea (65 bytes) @ 0x0000028c2e4fac44 [0x0000028c2e4faae0+0x0000000000000164]
j  java.security.AccessController.doPrivileged(Ljava/security/PrivilegedAction;Ljava/security/AccessControlContext;)Ljava/lang/Object;+13 java.base@15-ea
j  java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Ljava/security/PrivilegedAction;Ljava/security/AccessControlContext;Ljava/security/AccessControlContext;)Ljava/lang/Object;+18 java.base@15-ea
j  java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Ljava/security/PrivilegedAction;Ljava/security/AccessControlContext;)Ljava/lang/Object;+6 java.base@15-ea
j  java.awt.EventQueue$5.run()Ljava/lang/Void;+11 java.desktop@15-ea
j  java.awt.EventQueue$5.run()Ljava/lang/Object;+1 java.desktop@15-ea
J 480 c1 java.security.AccessController.executePrivileged(Ljava/security/PrivilegedAction;Ljava/security/AccessControlContext;Ljava/lang/Class;)Ljava/lang/Object; java.base@15-ea (65 bytes) @ 0x0000028c2e4fac44 [0x0000028c2e4faae0+0x0000000000000164]
j  java.security.AccessController.doPrivileged(Ljava/security/PrivilegedAction;Ljava/security/AccessControlContext;)Ljava/lang/Object;+13 java.base@15-ea
j  java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Ljava/security/PrivilegedAction;Ljava/security/AccessControlContext;Ljava/security/AccessControlContext;)Ljava/lang/Object;+18 java.base@15-ea
j  java.awt.EventQueue.dispatchEvent(Ljava/awt/AWTEvent;)V+73 java.desktop@15-ea
j  java.awt.EventDispatchThread.pumpOneEventForFilters(I)V+78 java.desktop@15-ea
j  java.awt.EventDispatchThread.pumpEventsForFilter(ILjava/awt/Conditional;Ljava/awt/EventFilter;)V+35 java.desktop@15-ea
j  java.awt.EventDispatchThread.pumpEventsForHierarchy(ILjava/awt/Conditional;Ljava/awt/Component;)V+11 java.desktop@15-ea
j  java.awt.EventDispatchThread.pumpEvents(ILjava/awt/Conditional;)V+4 java.desktop@15-ea
j  java.awt.EventDispatchThread.pumpEvents(Ljava/awt/Conditional;)V+3 java.desktop@15-ea
j  java.awt.EventDispatchThread.run()V+9 java.desktop@15-ea
v  ~StubRoutines::call_stub

siginfo: EXCEPTION_ACCESS_VIOLATION (0xc0000005), reading address 0x00000000003b0020
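
A triage helper for logs like the one above, added here as an example (it is not part of the bug report or of the JDK): it extracts the fields that characterise this crash from an hs_err file and flags logs with the same shape. The function names and the matching heuristic are assumptions of this example, and the sample input is constructed by abridging the log quoted above.

```python
import re

# Constructed sample: lines abridged from the hs_err log quoted above.
SAMPLE = """\
#  EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x00007ffee4f399fb, pid=5836, tid=7276
# Problematic frame:
# V  [jvm.dll+0x4d99fb]
Current thread (0x0000028c434d9000):  JavaThread "AWT-EventQueue-0" [_thread_in_vm, id=7276, stack(0x000000f279300000,0x000000f279400000)]
Java frames: (J=compiled Java code, j=interpreted, Vv=VM code)
j  java.awt.DefaultKeyboardFocusManager.dispatchEvent(Ljava/awt/AWTEvent;)Z+1455 java.desktop@15-ea
j  java.awt.Component.dispatchEventImpl(Ljava/awt/AWTEvent;)V+131 java.desktop@15-ea
siginfo: EXCEPTION_ACCESS_VIOLATION (0xc0000005), reading address 0x00000000003b0020
"""
# Constructed negative case: same crash header, different topmost Java frame.
OTHER = SAMPLE.replace(SAMPLE.splitlines(keepends=True)[5], "")

# One regex per triage field; each is applied in MULTILINE mode.
PATTERNS = {
    "exception": r"^#\s+(EXCEPTION_\w+) \(0x[0-9a-f]+\) at pc=",
    "frame": r"^# Problematic frame:\n# (\w+)\s+\[([^+\]]+)\+0x[0-9a-f]+\]",
    "thread": r'^Current thread .*?JavaThread "([^"]+)" \[(\w+),',
    # Topmost Java frame; compiled frames carry an extra "480 c1 " prefix.
    "top_java": r"^Java frames:.*\n[jJ]\s+(?:\d+\s+\w+\s+)?([\w.$]+)\(",
    "fault_addr": r"^siginfo: .*?(?:reading|writing) address (0x[0-9a-f]+)",
}

def parse_hs_err(text):
    """Return each field as a tuple of captured groups, or None if absent."""
    fields = {}
    for name, pattern in PATTERNS.items():
        m = re.search(pattern, text, re.MULTILINE)
        fields[name] = m.groups() if m else None
    return fields

def matches_awt_focus_crash(text):
    """Heuristic only: other defects can produce the same signature."""
    f = parse_hs_err(text)
    thread = f["thread"] or ("", "")
    return (f["exception"] == ("EXCEPTION_ACCESS_VIOLATION",)
            and f["frame"] == ("V", "jvm.dll")          # fault inside the VM itself
            and thread[0].startswith("AWT-EventQueue")  # on the event dispatch thread
            and f["top_java"] ==
                ("java.awt.DefaultKeyboardFocusManager.dispatchEvent",))

if __name__ == "__main__":
    for label, log in (("sample", SAMPLE), ("other", OTHER)):
        print(label, matches_awt_focus_crash(log), parse_hs_err(log)["fault_addr"])
```

A match is a prompt to compare the running build against the fixed releases listed in the Version table, not proof that the crash is this bug.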
Comments
Tests used for verification: http://closedjdk.us.oracle.com/jdk/jdk/closed/test/jdk/java/awt/event/WindowEvent/CrashWithInvalidWndEventTest/CrashWithInvalidWndEventTest.java
Tested on windows (AMRSAHU-IN.oradev.oraclecorp.com)
JDK15 b16: test FAILED
TEST RESULTS: -
----------System.out:(19/916)*----------
Test #0: comp='java.awt.Label[label0,7,30,224x65,align=left,text=Label 1]', x='7', y='30', width='224', heigth='65', centerX='119', centerY='62'
#
# A fatal error has been detected by the Java Runtime Environment:
#
# EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x00007ffaa6a9c353, pid=15624, tid=20276
#
# JRE version: Java(TM) SE Runtime Environment (15.0+16) (build 15-ea+16-681)
# Java VM: Java HotSpot(TM) 64-Bit Server VM (15-ea+16-681, mixed mode, sharing, tiered, compressed oops, g1 gc, windows-amd64)
# Problematic frame:
# V [jvm.dll+0x4ac353]
#
# No core dump will be written. Minidumps are not enabled by default on client versions of Windows
#
# An error report file with more information is saved as:
# C:\\regression\\results\\JTwork\\scratch\\hs_err_pid15624.log
#
# If you would like to submit a bug report, please visit:
# https://bugreport.java.com/bugreport/crash.jsp
JDK15 b22: test PASSED
TEST RESULTS:- test result: Passed. Execution successful
Resolution: The fix succeeded.
24-07-2020

Fix Request (8u): Backport to 8u requested because it is a part of 8u261-oracle. Patch applies cleanly after path changes. Testing: jck:api/java_awt. 8u changeset with original attribution: http://cr.openjdk.java.net/~akasko/jdk8u/8242498/8242498_8u.patch
19-06-2020

Fix request (13u) Requesting backport to 13u for parity with 11u, applies cleanly.
09-06-2020

jdk11u backport request I would like to have the patch in OpenJDK11 as well (for better parity with 11.0.8_oracle). The patch applies cleanly.
30-04-2020

URL: https://hg.openjdk.java.net/jdk/jdk/rev/ead0b50a6a79 User: psadhukhan Date: 2020-04-24 11:16:29 +0000
24-04-2020

Fix Request (14u) The fix resolves the crash stably reproducible in some user's environment. The patch applies cleanly to "jdk14u" repository. The fix risk is low, because it modifies only MS Windows OS specific code in JDK and the new code is executed only in the crash scenario, which should be rare. There is no regression test to test this bug.
21-04-2020

URL: https://hg.openjdk.java.net/jdk/client/rev/ead0b50a6a79 User: alitvinov Date: 2020-04-20 18:31:44 +0000
20-04-2020