JDK-8249183 : JVM crash in "AwtFrame::WmSize" method
  • Type: Bug
  • Component: client-libs
  • Sub-Component: java.awt
  • Affected Version: 7,8,8u251,11,13,16
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • OS: windows
  • Submitted: 2020-07-10
  • Updated: 2024-11-20
  • Resolved: 2020-08-31
  • JDK 11: 11.0.10-oracle (Fixed)
  • JDK 13: 13.0.6 (Fixed)
  • JDK 15: 15.0.2 (Fixed)
  • JDK 16: 16 b14 (Fixed)
  • JDK 7: 7u291 (Fixed)
  • JDK 8: 8u261 (Fixed)
  • Other: openjdk8u292 (Fixed)
Description
FULL PRODUCT VERSION :
JDK 16

ADDITIONAL OS VERSION INFORMATION :
MS Windows 10 OS

A DESCRIPTION OF THE PROBLEM :
Minimizing a dialog window, which is an instance of, for example, the "javax.swing.JDialog" class, in a Java application from a second non-Java application by calling the Win32 API function "::ShowWindow(hwnd, SW_MINIMIZE)", where the "hwnd" argument is the HWND of the peer window of the Java dialog window, leads to a postponed JVM crash in the "AwtFrame::WmSize" C++ method.

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Download and unpack the attached archive "CrashOnMinimizingDialogTest.zip" with the created test case. Go to the directory of the unpacked test case.
2. <JDK_HOME>\bin\javac CrashOnMinimizingDialogTest.java
3. <JDK_HOME>\bin\java CrashOnMinimizingDialogTest

ERROR MESSAGES/STACK TRACES THAT OCCUR :

---------- Part of JVM error log from the attached file "hs_err_pid5116.log" ----------

#
# A fatal error has been detected by the Java Runtime Environment:
#
#  EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x00007ff81d7f8a46, pid=5116, tid=7940
#
# JRE version: Java(TM) SE Runtime Environment (16.0+99) (fastdebug build 16-internal+99-sust)
# Java VM: Java HotSpot(TM) 64-Bit Server VM (fastdebug 16-internal+99-sust, mixed mode, sharing, tiered, compressed oops, g1 gc, windows-amd64)
# Problematic frame:
# V  [jvm.dll+0x618a46]  JavaCallArguments::verify+0x76
#
# Core dump will be written. Default location: C:\Work\Bugs\8249183\hs_err_pid5116.mdmp
#
# If you would like to submit a bug report, please visit:
#   https://bugreport.java.com/bugreport/crash.jsp
#

---------------  S U M M A R Y ------------

Command Line: DialogExample

Host: DESKTOP-O33OQ27, Intel(R) Core(TM) i7-6660U CPU @ 2.40GHz, 2 cores, 5G,  Windows 10 , 64 bit Build 16299 (10.0.16299.15)
Time: Tue Aug  4 12:41:03 2020 GMT Daylight Time elapsed time: 72.008507 seconds (0d 0h 1m 12s)

---------------  T H R E A D  ---------------

Current thread (0x000002e8c54de440):  JavaThread "AWT-Windows" daemon [_thread_in_vm, id=7940, stack(0x000000f06a200000,0x000000f06a300000)]

Stack: [0x000000f06a200000,0x000000f06a300000],  sp=0x000000f06a2fcb90,  free space=1010k
Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
V  [jvm.dll+0x618a46]  JavaCallArguments::verify+0x76  (javaCalls.cpp:603)
V  [jvm.dll+0x616e11]  JavaCalls::call_helper+0x111  (javaCalls.cpp:354)
V  [jvm.dll+0xa4ec0c]  os::os_exception_wrapper+0x2c  (os_windows_x86.cpp:114)
V  [jvm.dll+0x616cef]  JavaCalls::call+0x6f  (javaCalls.cpp:342)
V  [jvm.dll+0x6cc5d2]  jni_invoke_nonstatic+0x3b2  (jni.cpp:1037)
V  [jvm.dll+0x6bc992]  jni_CallVoidMethodV+0x262  (jni.cpp:1424)
C  [awt.dll+0x68c8c]

Java frames: (J=compiled Java code, j=interpreted, Vv=VM code)
j  sun.awt.windows.WToolkit.eventLoop()V+0 java.desktop@16-internal
j  sun.awt.windows.WToolkit.run()V+50 java.desktop@16-internal
j  java.lang.Thread.run()V+11 java.base@16-internal
v  ~StubRoutines::call_stub

siginfo: EXCEPTION_ACCESS_VIOLATION (0xc0000005), reading address 0x0000000000000045


Register to memory mapping:

RIP=0x00007ff81d7f8a46 jvm.dll::JavaCallArguments::verify + 0x76
RAX=0x0000000000000011 is an unknown value
RBX=0x000000f06a2fce90 is pointing into the stack for thread: 0x000002e8c54de440
RCX=0x000000f06a2fcf00 is pointing into the stack for thread: 0x000002e8c54de440
RDX=0x0000000800c23a68 is a pointer to class: 
java.awt.peer.ContainerPeer {0x0000000800c23a70}
 - instance size:     2
 - klass size:        65
 - access:            public interface abstract 
 - state:             linked
 - name:              'java/awt/peer/ContainerPeer'
 - super:             'java/lang/Object'
 - sub:               
 - nof implementors:  2
 - arrays:            NULL
 - methods:           Array<T>(0x000002e8c4cdb518)
 - method ordering:   Array<T>(0x0000000800b268d0)
 - default_methods:   Array<T>(0x0000000000000000)
 - local interfaces:  Array<T>(0x000002e8c4cdb4e8)
 - trans. interfaces: Array<T>(0x000002e8c4cdb4e8)
 - constants:         constant pool [16] {0x000002e8c4cdb400} for 'java/awt/peer/ContainerPeer' cache=0x000002e8c4d03160
 - class loader data:  loader data: 0x000002e8a7c4c700 of 'bootstrap'
 - unsafe anonymous host class:        NULL
 - source file:       'ContainerPeer.java'
 - class annotations:       Array<T>(0x0000000000000000)
 - class type annotations:  Array<T>(0x0000000000000000)
 - field annotations:       Array<T>(0x0000000000000000)
 - field type annotations:  Array<T>(0x0000000000000000)
 - inner classes:     Array<T>(0x00000008005cf2e0)
 - nest members:     Array<T>(0x00000008005cf2e0)
 - permitted subclasses:     Array<T>(0x00000008005cf2e0)
 - java mirror:       a 'java/lang/Class'{0x00000000a5c79c38} = 'java/awt/peer/ContainerPeer'
 - vtable length      5  (start addr: 0x0000000800c23c40)
 - itable length      0 (start addr: 0x0000000800c23c68)
 - ---- static fields (0 words):
 - ---- non-static fields (0 words):
 - non-static oop maps: 
RSP=0x000000f06a2fcb90 is pointing into the stack for thread: 0x000002e8c54de440
RBP=0x000000f06a2fcc49 is pointing into the stack for thread: 0x000002e8c54de440
RSI=0x000000f06a2fcf00 is pointing into the stack for thread: 0x000002e8c54de440
RDI=0x000000f06a2fce90 is pointing into the stack for thread: 0x000002e8c54de440
R8 =0x000000000000000e is an unknown value
R9 =0x000002e8c54de440 is a thread
R10=0x80e0e0fefcfefefe is an unknown value
R11=0x000000f06a2fce58 is pointing into the stack for thread: 0x000002e8c54de440
R12=0x000000f06a2fd058 is pointing into the stack for thread: 0x000002e8c54de440
R13=0x000002e8c54de7c8 points into unknown readable memory: 0x00007ff81e2d2f60 | 60 2f 2d 1e f8 7f 00 00
R14=0x000000f06a2fd058 is pointing into the stack for thread: 0x000002e8c54de440
R15=0x000000f06a2fcf00 is pointing into the stack for thread: 0x000002e8c54de440


Comments
8u review approval: https://mail.openjdk.java.net/pipermail/jdk8u-dev/2020-November/013052.html
25-11-2020

Fix request (13u): should be downported to 13u as well. Patch applies clean, relevant tests do pass.
25-11-2020

Fix Request (8u). Review threads: https://mail.openjdk.java.net/pipermail/jdk8u-dev/2020-September/012746.html https://mail.openjdk.java.net/pipermail/jdk8u-dev/2020-November/013049.html
24-11-2020

Fix Request (11u): Backport to 11u requested because it is a part of 11.0.10-oracle. Patch applies cleanly. Testing: checked that "CrashOnMinimizingDialogTest.zip" (attached to this issue) crashes on unpatched jdk and passes with the patch applied, ran jck:api/java_awt .
29-09-2020

Fix Request (15u): Backport to 15u requested because it fixes a potential crash problem. Patch applies cleanly. Testing: checked that "CrashOnMinimizingDialogTest.zip" (attached to this issue) crashes on unpatched jdk and passes with the patch applied, ran jck:api/java_awt .
24-09-2020

URL: https://hg.openjdk.java.net/jdk/jdk/rev/9f529b04be26 User: psadhukhan Date: 2020-09-02 06:28:14 +0000
02-09-2020

URL: https://hg.openjdk.java.net/jdk/client/rev/9f529b04be26 User: alitvinov Date: 2020-08-31 16:07:54 +0000
31-08-2020

Code review: https://mail.openjdk.java.net/pipermail/awt-dev/2020-August/016043.html
24-08-2020

The test case allowing to reproduce the bug and verifying many different test scenarios was created and attached to the bug as the file "CrashOnMinimizingDialogTest.zip".
14-08-2020

REASON OF THE CRASH:

The crash occurs during the JNI invocation "env->CallVoidMethod(GetPeer(env), AwtFrame::setExtendedStateMID, newState);" of the Java class method "sun.awt.windows.WFramePeer.setExtendedState(int)" in the C++ method "AwtFrame::WmSize(UINT, int, int)" defined in the file "src/java.desktop/windows/native/libawt/windows/awt_Frame.cpp" located in the repository "http://hg.openjdk.java.net/jdk/client".

The crash happens because in this particular scenario the "GetPeer(env)" expression returns an instance of the "sun.awt.windows.WDialogPeer" Java class instead of an instance of the expected "sun.awt.windows.WFramePeer" class. Since neither the "sun.awt.windows.WDialogPeer" class nor any of its parent classes implements the method "setExtendedState(int)", the attempt to invoke this method on a "WDialogPeer" instance ends with the crash.

On the Java code level, "javax.swing.JFrame" and "javax.swing.JDialog", similarly to "java.awt.Frame" and "java.awt.Dialog", are unrelated to each other in inheritance hierarchies, and the "JFrame" and "Frame" classes contain the method "setExtendedState(int)", while "JDialog" and "Dialog" do not contain this method. But on the C++ code level the C++ class "AwtDialog" extends the "AwtFrame" class, and the method involved in this crash, "AwtFrame::WmSize(UINT, int, int)", which is executed on an "AwtDialog" instance, does not take into account the fact that the corresponding Java classes "java.awt.Frame" and "java.awt.Dialog" are not related in the inheritance hierarchy.

WINDOW MESSAGES TRACKED USING MS Spy++ UTILITY:

The MS Windows OS window messages sent to the HWND of the "JDialog" window right after the call "::ShowWindow(hwnd, SW_MINIMIZE)" for this HWND, which were tracked using the MS Spy++ utility, are provided below. The crash itself occurs during handling of the last message "WM_SIZE".

----------------------------------------
<000040> 00230684 S WM_WINDOWPOSCHANGING lpwp:000000C3D87FEED0
<000041> 00230684 S WM_GETMINMAXINFO lpmmi:000000C3D87FE140
<000042> 00230684 R WM_GETMINMAXINFO lpmmi:000000C3D87FE140
<000043> 00230684 R WM_WINDOWPOSCHANGING
<000044> 00230684 S WM_NCCALCSIZE fCalcValidRects:True lpncsp:000000C3D87FEEA0
<000045> 00230684 R WM_NCCALCSIZE fuValidRect:0000 lpncsp:000000C3D87FEEA0
<000046> 00230684 S WM_SYNCPAINT
<000047> 00230684 S WM_NCPAINT hrgn:00000001
<000048> 00230684 R WM_NCPAINT
<000049> 00230684 R WM_SYNCPAINT
<000050> 00230684 S WM_WINDOWPOSCHANGED lpwp:000000C3D87FEED0
<000051> 00230684 S WM_MOVE xPos:0 yPos:718
<000052> 00230684 R WM_MOVE
<000053> 00230684 S WM_SIZE fwSizeType:SIZE_MINIMIZED nWidth:0 nHeight:0
----------------------------------------
06-08-2020
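
An added, self-contained model of the mismatch described in the comment above: the native class `AwtDialog` inherits `WmSize` from `AwtFrame`, while the Java peers `WDialogPeer` and `WFramePeer` are only siblings. This is example code, not OpenJDK source and not the committed fix; the receiver check inside `WmSize` and the names `JavaClass`, `JavaObject`, `isInstanceOf`, `declaresMethod` and `SizeResult` are assumptions of the example, and `WWindowPeer` (the peers' shared superclass) is not named on this page.

```cpp
#include <map>
#include <string>

// Java side (model): a class, its Java superclass, and the methods it declares.
struct JavaClass {
    std::string name;
    const JavaClass* super;              // nullptr at the root of the model
    std::map<std::string, int> methods;  // name -> slot, stand-in for jmethodID
};
struct JavaObject { const JavaClass* cls; int extendedState; };

// Peers named on the page; WWindowPeer is their shared Java superclass.
const JavaClass WWindowPeer{"WWindowPeer", nullptr, {}};
const JavaClass WFramePeer{"WFramePeer", &WWindowPeer, {{"setExtendedState", 0}}};
const JavaClass WDialogPeer{"WDialogPeer", &WWindowPeer, {}};

// Counterpart of JNI IsInstanceOf: walks the Java hierarchy, not the C++ one.
bool isInstanceOf(const JavaObject& obj, const JavaClass& cls) {
    for (const JavaClass* c = obj.cls; c != nullptr; c = c->super)
        if (c == &cls) return true;
    return false;
}

// True if the receiver's class or any Java superclass declares the method.
bool declaresMethod(const JavaObject& obj, const std::string& name) {
    for (const JavaClass* c = obj.cls; c != nullptr; c = c->super)
        if (c->methods.count(name) != 0) return true;
    return false;
}
enum class SizeResult { StateDelivered, SkippedNotAFrame };

// Native side: AwtDialog inherits WmSize from AwtFrame, as the page describes.
struct AwtFrame {
    JavaObject* peer;
    explicit AwtFrame(JavaObject* p) : peer(p) {}
    // Hypothetical guard: check the receiver before using a WFramePeer method ID.
    SizeResult WmSize(int newState) {
        if (!isInstanceOf(*peer, WFramePeer))
            return SizeResult::SkippedNotAFrame;
        peer->extendedState = newState;  // stands in for CallVoidMethod(...)
        return SizeResult::StateDelivered;
    }
};
struct AwtDialog : AwtFrame { using AwtFrame::AwtFrame; };

int main() {
    JavaObject dialogPeer{&WDialogPeer, 0};  // constructed sample receiver
    AwtDialog dialog(&dialogPeer);
    return dialog.WmSize(1) == SizeResult::SkippedNotAFrame ? 0 : 1;
}
```

In real JNI code the `Call<Type>Method` functions do not validate that the method ID belongs to the receiver's class, so the check has to be made by the caller; running with `-Xcheck:jni` helps surface such mismatches during testing.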

On 07/17/2020 was able to reproduce the issue with the user's test case on MS Windows 10 OS with JDK 16+6, JDK 8u261 b12 x64, JDK 8u251 b08 x64, JDK 8 b132 x64.

On 08/04/2020 the file "hs_err_pid5116.log" was attached to the bug record. It contains JVM error log generated during the crash of JDK 16 compiled from the source code in "http://hg.openjdk.java.net/jdk/client" repository at the state on 07/31/2020.

PRECISE CALL STACK OF THE CRASH:

Precise call stack of the crash reported in "hs_err_pid5116.log" file, which was retrieved using MS Visual Studio 2013 from a minidump file generated during the crash, is provided below. This call stack shows what exact C functions and C++ methods from "awt.dll" library are involved in the crash.

----------------------------------------
jvm.dll!JavaCallArguments::verify(const methodHandle & method, BasicType return_type) Line 603 C++
jvm.dll!JavaCalls::call_helper(JavaValue * result, const methodHandle & method, JavaCallArguments * args, Thread * __the_thread__) Line 354 C++
jvm.dll!os::os_exception_wrapper(void (JavaValue *, const methodHandle &, JavaCallArguments *, Thread *) * f, JavaValue * value, const methodHandle & method, JavaCallArguments * args, Thread * thread) Line 114 C++
jvm.dll!JavaCalls::call(JavaValue * result, const methodHandle & method, JavaCallArguments * args, Thread * __the_thread__) Line 342 C++
jvm.dll!jni_invoke_nonstatic(JNIEnv_ * env, JavaValue * result, _jobject * receiver, JNICallType call_type, _jmethodID * method_id, JNI_ArgumentPusher * args, Thread * __the_thread__) Line 1037 C++
jvm.dll!jni_CallVoidMethodV(JNIEnv_ * env, _jobject * obj, _jmethodID * methodID, char * args) Line 1424 C++
awt.dll!JNIEnv_::CallVoidMethod(_jobject * obj, _jmethodID * methodID, ...) Line 1061 C++
awt.dll!AwtFrame::WmSize(unsigned int type, int w, int h) Line 984 C++
awt.dll!AwtComponent::WindowProc(unsigned int message, unsigned __int64 wParam, __int64 lParam) Line 1511 C++
awt.dll!AwtWindow::WindowProc(unsigned int message, unsigned __int64 wParam, __int64 lParam) Line 2007 C++
awt.dll!AwtFrame::WindowProc(unsigned int message, unsigned __int64 wParam, __int64 lParam) Line 464 C++
awt.dll!AwtDialog::WindowProc(unsigned int message, unsigned __int64 wParam, __int64 lParam) Line 646 C++
awt.dll!AwtComponent::WndProc(HWND__ * hWnd, unsigned int message, unsigned __int64 wParam, __int64 lParam) Line 404 C++
[External Code]
awt.dll!ComCtl32Util::SharedWindowProc(HWND__ * hwnd, unsigned int msg, unsigned __int64 wParam, __int64 lParam, unsigned __int64 uIdSubclass, unsigned __int64 dwRefData) Line 80 C++
[External Code]
awt.dll!ComCtl32Util::DefWindowProcW(__int64 (HWND__ *, unsigned int, unsigned __int64, __int64) * _DefWindowProc, HWND__ * hwnd, unsigned int msg, unsigned __int64 wParam, __int64 lParam) Line 65 C++
awt.dll!AwtComponent::DefWindowProcW(unsigned int msg, unsigned __int64 wParam, __int64 lParam) Line 2018 C++
awt.dll!AwtComponent::WindowProc(unsigned int message, unsigned __int64 wParam, __int64 lParam) Line 2009 C++
awt.dll!AwtWindow::WindowProc(unsigned int message, unsigned __int64 wParam, __int64 lParam) Line 2007 C++
awt.dll!AwtFrame::WindowProc(unsigned int message, unsigned __int64 wParam, __int64 lParam) Line 464 C++
awt.dll!AwtDialog::WindowProc(unsigned int message, unsigned __int64 wParam, __int64 lParam) Line 646 C++
awt.dll!AwtComponent::WndProc(HWND__ * hWnd, unsigned int message, unsigned __int64 wParam, __int64 lParam) Line 404 C++
[External Code]
awt.dll!ComCtl32Util::SharedWindowProc(HWND__ * hwnd, unsigned int msg, unsigned __int64 wParam, __int64 lParam, unsigned __int64 uIdSubclass, unsigned __int64 dwRefData) Line 80 C++
[External Code]
awt.dll!AwtToolkit::CommonPeekMessageFunc(tagMSG & msg) Line 1666 C++
awt.dll!AwtToolkit::PumpWaitingMessages(int (tagMSG &) * lpPeekMessageFunc) Line 1607 C++
awt.dll!AwtToolkit::MessageLoop(void (void) * lpIdleFunc, int (tagMSG &) * lpPeekMessageFunc) Line 1517 C++
awt.dll!Java_sun_awt_windows_WToolkit_eventLoop(JNIEnv_ * env, _jobject * self) Line 2553 C++
[External Code]
----------------------------------------
04-08-2020