JDK-4821397 : EXCEPTION_ACCESS_VIOLATION in VM when clicking on Popup
  • Type: Bug
  • Component: client-libs
  • Sub-Component: java.awt
  • Affected Version: 1.4.1
  • Priority: P2
  • Status: Resolved
  • Resolution: Fixed
  • OS: windows_2000
  • CPU: x86
  • Submitted: 2003-02-20
  • Updated: 2003-05-25
  • Resolved: 2003-05-25
Other: 5.0 tiger, Fixed
Description

Name: rmT116609			Date: 02/20/2003


FULL PRODUCT VERSION :
java version "1.4.1_01"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.1_01-b01)
Java HotSpot(TM) Client VM (build 1.4.1_01-b01, mixed mode)

FULL OPERATING SYSTEM VERSION :
Microsoft Windows 2000 [Version 5.00.2195]

A DESCRIPTION OF THE PROBLEM :
Creating a popup that becomes hidden when a given component
loses focus will cause a VM crash if the user clicks on the
popup contents.

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Compile and run the test case.
2. This will show a frame with a button inside.
3. Press the button in the new frame.
4. This will show a popup that partially covers the button.
5. Resize the frame.
6. Click on the text of the popup.
7. The VM will crash with an EXCEPTION_ACCESS_VIOLATION.

EXPECTED VERSUS ACTUAL BEHAVIOR :
Clicking the text of the popup should hide the popup (due
to the focus lost listener on the button)

ERROR MESSAGES/STACK TRACES THAT OCCUR :

An unexpected exception has been detected in native code outside the VM.
Unexpected Signal : EXCEPTION_ACCESS_VIOLATION occurred at PC=0x0
Function=[Unknown.]
Library=(N/A)

NOTE: We are unable to locate the function name symbol for the error
      just occurred. Please refer to release documentation for possible
      reason and solutions.


Current Java thread:
	at sun.awt.windows.WToolkit.eventLoop(Native Method)
	at sun.awt.windows.WToolkit.run(WToolkit.java:253)
	at java.lang.Thread.run(Thread.java:536)

Dynamic libraries:

Local Time = Thu Feb 20 10:16:57 2003
Elapsed Time = 5
#
# The exception above was detected in native code outside the VM
#
# Java VM: Java HotSpot(TM) Client VM (1.4.1_01-b01 mixed mode)
#


REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
import javax.swing.*;
import java.awt.event.*;
public class PopupCrash {
    private static Popup popup = null;

    public static void main(String[] args) {
        JFrame frame = new JFrame();
        JPanel root = new JPanel();

        final JLabel popupContents = new JLabel("Click to crash VM");

        final JButton button = new JButton();
        button.setAction(new AbstractAction("Show popup"){
            public void actionPerformed(ActionEvent e) {
                if (popup == null) {
                    popup = PopupFactory.getSharedInstance().getPopup(button,
                            popupContents, button.getLocationOnScreen().x,
                            button.getLocationOnScreen().y);
                    popup.show();
                }
            }
        });
        root.add(button);

        button.addFocusListener(new FocusAdapter() {
            public void focusLost(FocusEvent e) {
                if (!e.isTemporary()) {
                    if (popup != null) {
                        popup.hide();
                        popup = null;
                    }
                }
            }
        });

//uncomment this to workaround the crash - seems pretty dodgy, but it works
//        popupContents.addMouseListener(new MouseAdapter() {
//            public void mousePressed(MouseEvent e) {
//                if (popup != null) {
//                    popup.hide();
//                    popup = null;
//                }
//            }
//        });


        frame.getContentPane().add(root);
        frame.pack();
        frame.show();
    }
}


---------- END SOURCE ----------

CUSTOMER WORKAROUND :
Add a mouse pressed listener to the popup contents in order
to hide the popup before focus can be transferred to it (see
the commented out lines in the included source code).
(Review ID: 181558) 
======================================================================

Comments
CONVERTED DATA
BugTraq+ Release Management Values
COMMIT TO FIX: tiger
FIXED IN: tiger
INTEGRATED IN: tiger tiger-b08
14-06-2004

EVALUATION

I was unable to reproduce the bug with 1.4.1(latest), 1.4.1_01(latest), 1.4.2b16, 1.5.0b02.
###@###.### 2003-02-25

I tried two Win2K machines in a lab and it is not reproducible there. I tested using 1.4.1_01, 1.4.2b16, 1.5.0b02. Moving to incomplete - need more information about configuration of the system on which the problem is reproducible or ideally access to that system.
###@###.### 2003-02-25

This bug only happens in 8-bit mode. Below is the stack trace:

    AwtComponent::HandleEvent(tagMSG * 0x0099a738 {msg=0x00000201 wp=0x00000001 lp=0x00050050}, int 0) line 5752 + 29 bytes
    AwtCanvas::HandleEvent(tagMSG * 0x0099a738 {msg=0x00000201 wp=0x00000001 lp=0x00050050}, int 0) line 182
    AwtComponent::WindowProc(unsigned int 32777, unsigned int 0, long 10069816) line 1700 + 25 bytes
    AwtComponent::WndProc(HWND__ * 0x000b039c, unsigned int 32777, unsigned int 0, long 10069816) line 331 + 23 bytes
    USER32! 77e12e98()
    USER32! 77e130e0()
    USER32! 77e1320f()
    AwtToolkit::MessageLoop(void (void)* 0x185d3d8f AwtToolkit::PrimaryIdleFunc(void), int (tagMSG &)* 0x185d3db9 AwtToolkit::CommonPeekMessageFunc(tagMSG &)) line 963
    Java_sun_awt_windows_WToolkit_eventLoop(JNIEnv_ * 0x186b30dc, _jobject * 0x1a98fc54) line 1653
    00a69b70()
    00a62da3()
    00a630a9()
    00a60181()
    JavaCalls::call_helper(JavaValue * 0x1a98ff04, methodHandle * 0x1a98fdf0, JavaCallArguments * 0x1a98fe58, Thread * 0x186b3030) line 373 + 54 bytes
    os::os_exception_wrapper(void (JavaValue *, methodHandle *, JavaCallArguments *, Thread *)* 0x08123888 JavaCalls::call_helper(JavaValue *, methodHandle *, JavaCallArguments *, Thread *), JavaValue * 0x1a98ff04, methodHandle * 0x1a98fdf0, JavaCallArguments * 0x1a98fe58, Thread * 0x186b3030) line 1718 + 19 bytes
    JavaCalls::call(JavaValue * 0x1a98ff04, methodHandle {...}, JavaCallArguments * 0x1a98fe58, Thread * 0x186b3030) line 300 + 26 bytes
    JavaCalls::call_virtual(JavaValue * 0x1a98ff04, KlassHandle {...}, symbolHandle {...}, symbolHandle {...}, JavaCallArguments * 0x1a98fe58, Thread * 0x186b3030) line 187 + 21 bytes
    JavaCalls::call_virtual(JavaValue * 0x1a98ff04, Handle {...}, KlassHandle {...}, symbolHandle {...}, symbolHandle {...}, Thread * 0x186b3030) line 193 + 29 bytes
    thread_entry(JavaThread * 0x186b3030, Thread * 0x186b3030) line 1846 + 68 bytes
    JavaThread::thread_main_inner() line 1120 + 18 bytes
    JavaThread::run() line 1107
    _start(Thread * 0x186b3030) line 290
    _threadstartex(void * 0x186b3e48) line 212 + 13 bytes
    KERNEL32! 77e8758a()

It looks like it is crashing inside AWT. But it only happens in 8-bit mode. My gut feeling is that there is some kind of memory corruption in 2D that causes this to happen (otherwise why would 8-bit mode matter?).

The message it is handling is:

    - msg 0x0099a738 {msg=0x00000201 wp=0x00000001 lp=0x00050050}
    + hwnd 0xcdcdcdcd
    message 513
    wParam 1
    lParam 327760
    time 528077500
    + pt {x=80 y=5}
    msg->lParam 327760
    msg->message 513
    msg->wParam 1
    - this 0x18768940

Notice that HWND is bad "cdcdcdcd"!
###@###.### 2003-02-26

Name: ssR10077 Date: 03/03/2003

Actually it is a thread race between EDT and Toolkit. EDT tries to dispose the peer at the same time Toolkit dispatches the last messages to the HWND. It exposes two serious problems.

1. Obvious. The Component destructor doesn't clear user data in HWND. So even after the native object is deleted it can receive messages.
2. Not so obvious. Why do we send the WM_AWT_DISPOSE event instead of posting it? Windows has a bad habit of processing synchronous events inside another synchronous event handler. So a component in theory can be deleted inside, for example, ::SetFocus. WM_AWT_DISPOSE has the lowest imaginable priority and shouldn't interrupt anything.

Posting WM_AWT_DISPOSE shouldn't make any new problem, as removeNotify clears Component.peer before disposing it. So the Java peer object can't be resurrected and use a native object waiting to be deleted.
======================================================================
11-06-2004
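
The two problems named in the evaluation above, as a portable C++ model added here (not AWT or Win32 code, and not part of the bug report). The `Window` slot stands in for GWLP_USERDATA; `Window`, `Peer`, `wndProc`, `lateClick` and `aliveInsideHandler` are hypothetical names, and a set of live addresses stands in for the heap so the stale case is reported rather than dereferenced.

```cpp
// Added illustration: portable model of the race, not AWT/Win32 code; all names hypothetical.
#include <cstdint>
#include <cstdio>
#include <deque>
#include <set>

struct Window { std::uintptr_t userData = 0; };   // slot models GWLP_USERDATA
static std::set<std::uintptr_t> g_live;           // addresses of peers not yet deleted
struct Peer {                                     // models the native component object
    Window& win; bool clearSlot; int clicks = 0;
    Peer(Window& w, bool clear) : win(w), clearSlot(clear) {
        win.userData = reinterpret_cast<std::uintptr_t>(this);
        g_live.insert(win.userData);
    }
    ~Peer() {
        g_live.erase(reinterpret_cast<std::uintptr_t>(this));
        if (clearSlot) win.userData = 0;          // effect of the suggested SetWindowLongPtr call
    }
};
enum Outcome { HANDLED, DEFAULT_PROC, STALE_POINTER };

// Window procedure: route a message to whatever peer the slot names.
Outcome wndProc(Window& w) {
    if (w.userData == 0) return DEFAULT_PROC;             // no peer attached
    if (!g_live.count(w.userData)) return STALE_POINTER;  // real code would touch freed memory
    reinterpret_cast<Peer*>(w.userData)->clicks++;
    return HANDLED;
}
// Problem 1: a click (message 513) is still queued when the peer is deleted.
Outcome lateClick(bool clearSlot) {
    Window w;
    Peer* p = new Peer(w, clearSlot);
    delete p;                                     // dispose wins the race
    return wndProc(w);                            // toolkit then dispatches the queued click
}
// Problem 2: dispose is requested while another handler on the peer is still running.
bool aliveInsideHandler(bool sendSynchronously) {
    Window w;
    Peer* p = new Peer(w, true);
    std::uintptr_t addr = reinterpret_cast<std::uintptr_t>(p);
    std::deque<Peer*> posted;                     // models the toolkit message queue
    if (sendSynchronously) delete p; else posted.push_back(p);  // Send vs. Post
    bool alive = g_live.count(addr) != 0;         // what the interrupted handler sees
    for (Peer* q : posted) delete q;              // message loop runs dispose later
    return alive;
}
int main() {
    std::printf("late click: unfixed=%d fixed=%d\n", lateClick(false), lateClick(true));
    std::printf("alive in handler: send=%d post=%d\n", aliveInsideHandler(true), aliveInsideHandler(false));
}
```
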

SUGGESTED FIX Name: ssR10077 Date: 03/03/2003 ------- awt_Component.cpp ------- *** /tmp/dEJaq2U Thu Feb 27 19:55:24 2003 --- awt_Component.cpp Thu Feb 27 19:59:26 2003 *************** *** 254,259 **** --- 254,260 ---- m_brushBackground->Release(); m_brushBackground = NULL; } + ::SetWindowLongPtr(GetHWnd(), GWLP_USERDATA, (LONG_PTR)NULL); } /* store component pointer in window extra bytes */ *************** *** 6484,6490 **** PDATA pData; JNI_CHECK_PEER_RETURN(self); AwtComponent* p = (AwtComponent*)pData; ! AwtToolkit::GetInstance().SendMessage(WM_AWT_DISPOSE, (WPARAM)p, 0); CATCH_BAD_ALLOC; } --- 6485,6491 ---- PDATA pData; JNI_CHECK_PEER_RETURN(self); AwtComponent* p = (AwtComponent*)pData; ! AwtToolkit::GetInstance().PostMessage(WM_AWT_DISPOSE, (WPARAM)p, 0); CATCH_BAD_ALLOC; } ======================================================================
11-06-2004
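
Review bot: In the first hunk of awt_Component.cpp (254-260), the new `::SetWindowLongPtr(GetHWnd(), GWLP_USERDATA, (LONG_PTR)NULL);` carries no comment, and the diff does not show the code that reads the slot back. Clearing the slot only closes the race if the window procedure treats a NULL user-data value as "no component" and falls back to default handling instead of dereferencing it, so that lookup should be checked or included in this change. Please also add a one-line comment above the call saying that it stops messages still dispatched to the HWND from reaching the deleted object, and consider skipping the call when GetHWnd() is NULL.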
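
Review bot: In the second hunk (6484-6490), `AwtToolkit::GetInstance().PostMessage(WM_AWT_DISPOSE, (WPARAM)p, 0);` leaves the raw `AwtComponent* p` in the queue after this function has returned, and the hunk neither checks that the post succeeded nor documents the invariant that makes the deferred delete safe. If the message is never delivered the native object is not freed, and if dispose can be requested twice for the same peer the pointer is queued twice. A comment at the call site stating that removeNotify clears Component.peer first (as the evaluation says), plus handling for a failed post, would make the asynchronous path reviewable.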