JDK-6545864 : JCK: test DrawImageTests triggers silent memory corruption
  • Type: Bug
  • Component: client-libs
  • Sub-Component: 2d
  • Affected Version: 2.0
  • Priority: P3
  • Status: Closed
  • Resolution: Duplicate
  • OS: solaris_10
  • CPU: x86
  • Submitted: 2007-04-13
  • Updated: 2010-04-02
  • Resolved: 2007-04-18
Related Reports
Duplicate :  
JDK-6301771 - REGRESSION: VM crashed when a image of particular size is drawn on a Canvas
Description
to reproduce
1. ssh vmsqe-xeon-01.russia.sun.com
2. cd /set/vmsqe/execution/results/realtime/weekly/b39/jck_runtime/SOLARIS-I586/client/mixed/jck_runtime-jck_runtime_realtime_client_mixed_SOLARIS-I5862007-04-07-23-56-38/api/java_awt/Graphics
3. sh run
It is important to have a correct DISPLAY variable while you reproduce the problem otherwise test logic is changed.
Bug reproduce only with Serial GC

test output:
#
# An unexpected error has been detected by HotSpot Virtual Machine:
#
#  SIGSEGV (0xb) at pc=0xf8d458aa, pid=12000, tid=1
#
# Java VM: Java Real-Time System HotSpot(TM) Client VM (1.5.0_04-b39 mixed mode)
# Problematic frame:
# C  [libawt.so+0x358aa]
#
# An error report file with more information is saved as hs_err_pid12000.log
 ImmortalSpace ImmortalSpace 32768K,   1% used [ 0xf4a62600, 0xf4a62540 0x00000000 0xf4a62540 0xf6a00000, 0x08104070]
  ScopedFree list
   33554432 bytes 0xf6c00000-0xf8c00000 in chunk 0x80f5e78 (p=0x0 n=0x0 cs=2048)
#
# If you would like to submit a bug report, please visit:
#   http://java.sun.com/webapps/bugreport/crash.jsp
#
Abort

hs error:
Current thread (0x08074a98):  JavaThread "main" [_thread_in_native, id=1]

siginfo:si_signo=11, si_errno=0, si_code=1, si_addr=0xec9fdd8c

Registers:
EAX=0x00000032, EBX=0x0000000b, ECX=0xec9fdcc4, EDX=0x08282b0c
ESP=0x08046038, EBP=0x08046050, ESI=0x32000000, EDI=0xeca08264
EIP=0xf8d458aa, EFLAGS=0x00010202

Top of Stack: (sp=0x08046038)
0x08046038:   00000018 f8d70ecc f8d6c870 00000000
0x08046048:   ec9fdcc4 00000190 08046238 f8d20a59
0x08046058:   eca08264 08282ae0 0000000b 0000000a
0x08046068:   32000000 96000000 64000000 64000000
0x08046078:   00000018 08046120 080460a8 f8d70ecc
0x08046088:   08046208 08074a98 f0f4b5d0 f0f4b5d0
0x08046098:   00000000 00000000 0000000b 0000000b
0x080460a8:   00000000 00000000 0000000b 0000000b

Instructions: (pc=0xf8d458aa)
0xf8d4589a:   fc 03 c7 89 45 f8 8b 4d 28 8b c6 d3 f8 8b 4d f8
0xf8d458aa:   8b 04 81 8b c8 c1 e1 10 bf 00 ff 00 00 23 f8 0b

Stack: [0x08007000,0x08048000),  sp=0x08046038,  free space=252k
Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
C  [libawt.so+0x358aa]
C  [libawt.so+0x10a59]  Java_sun_java2d_loops_ScaledBlit_Scale+0x659
j  sun.java2d.loops.ScaledBlit.Scale(Lsun/java2d/SurfaceData;Lsun/java2d/SurfaceData;Ljava/awt/Composite;Lsun/java2d/pipe/Region;IIIIDDDD)V+0
j  sun.java2d.pipe.DrawImage.scaleSurfaceData(Lsun/java2d/SunGraphics2D;Lsun/java2d/pipe/Region;Lsun/java2d/SurfaceData;Lsun/java2d/SurfaceData;Lsun/java2d/loops/SurfaceType;Lsun/java2d/loops/SurfaceType;IIIIDDDD)Z+72
j  sun.java2d.pipe.DrawImage.renderImageScale(Lsun/java2d/SunGraphics2D;Ljava/awt/Image;Ljava/awt/Color;IIIIIDDDD)Z+95
j  sun.java2d.pipe.DrawImage.scaleImage(Lsun/java2d/SunGraphics2D;Ljava/awt/Image;IIIILjava/awt/Color;)Z+89
j  sun.java2d.pipe.DrawImage.scaleImage(Lsun/java2d/SunGraphics2D;Ljava/awt/Image;IIIILjava/awt/Color;Ljava/awt/image/ImageObserver;)Z+19
j  sun.java2d.SunGraphics2D.drawImage(Ljava/awt/Image;IIIILjava/awt/Color;Ljava/awt/image/ImageObserver;)Z+72
j  sun.awt.image.ImageRepresentation.drawToBufImage(Ljava/awt/Graphics;Lsun/awt/image/ToolkitImage;IIIILjava/awt/Color;Ljava/awt/image/ImageObserver;)Z+156
j  sun.java2d.pipe.DrawImage.scaleImage(Lsun/java2d/SunGraphics2D;Ljava/awt/Image;IIIILjava/awt/Color;Ljava/awt/image/ImageObserver;)Z+64
j  sun.java2d.SunGraphics2D.drawImage(Ljava/awt/Image;IIIILjava/awt/Color;Ljava/awt/image/ImageObserver;)Z+72
j  sun.java2d.SunGraphics2D.drawImage(Ljava/awt/Image;IIIILjava/awt/image/ImageObserver;)Z+11
j  javasoft.sqe.tests.api.java.awt.Graphics.DrawImageTests.Graphics2027_14()Ljavasoft/sqe/javatest/Status;+325
v  ~StubRoutines::call_stub
V  [libjvm.so+0xb5ad1]
V  [libjvm.so+0xb5924]
V  [libjvm.so+0xb5908]
V  [libjvm.so+0xd5982]
V  [libjvm.so+0x1624b7]
V  [libjvm.so+0x162006]
C  [libjava.so+0xcb41]  Java_sun_reflect_NativeMethodAccessorImpl_invoke0+0x21
j  sun.reflect.NativeMethodAccessorImpl.invoke0(Ljava/lang/reflect/Method;Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;+0
j  sun.reflect.NativeMethodAccessorImpl.invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;+87
j  sun.reflect.DelegatingMethodAccessorImpl.invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;+6
j  java.lang.reflect.Method.invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;+111
j  javasoft.sqe.javatest.lib.MultiTest.invokeTestCase(Ljava/lang/reflect/Method;)Ljavasoft/sqe/javatest/Status;+8
j  javasoft.sqe.javatest.lib.MultiTest.run([Ljava/lang/String;Ljava/io/PrintWriter;Ljava/io/PrintWriter;)Ljavasoft/sqe/javatest/Status;+152
j  javasoft.sqe.javatest.lib.MultiTest.run([Ljava/lang/String;Ljava/io/PrintStream;Ljava/io/PrintStream;)Ljavasoft/sqe/javatest/Status;+40
j  javasoft.sqe.tests.api.java.awt.Graphics.DrawImageTests.main([Ljava/lang/String;)V+16
v  ~StubRoutines::call_stub
V  [libjvm.so+0xb5ad1]
V  [libjvm.so+0xb5924]
V  [libjvm.so+0xb5908]
V  [libjvm.so+0xc72d6]
V  [libjvm.so+0x12fdc7]
C  [java+0x1dae]  main+0xa4c
C  [java+0x12ca]

Java frames: (J=compiled Java code, j=interpreted, Vv=VM code)
j  sun.java2d.loops.ScaledBlit.Scale(Lsun/java2d/SurfaceData;Lsun/java2d/SurfaceData;Ljava/awt/Composite;Lsun/java2d/pipe/Region;IIIIDDDD)V+0
j  sun.java2d.pipe.DrawImage.scaleSurfaceData(Lsun/java2d/SunGraphics2D;Lsun/java2d/pipe/Region;Lsun/java2d/SurfaceData;Lsun/java2d/SurfaceData;Lsun/java2d/loops/SurfaceType;Lsun/java2d/loops/SurfaceType;IIIIDDDD)Z+72
j  sun.java2d.pipe.DrawImage.renderImageScale(Lsun/java2d/SunGraphics2D;Ljava/awt/Image;Ljava/awt/Color;IIIIIDDDD)Z+95
j  sun.java2d.pipe.DrawImage.scaleImage(Lsun/java2d/SunGraphics2D;Ljava/awt/Image;IIIILjava/awt/Color;)Z+89
j  sun.java2d.pipe.DrawImage.scaleImage(Lsun/java2d/SunGraphics2D;Ljava/awt/Image;IIIILjava/awt/Color;Ljava/awt/image/ImageObserver;)Z+19
j  sun.java2d.SunGraphics2D.drawImage(Ljava/awt/Image;IIIILjava/awt/Color;Ljava/awt/image/ImageObserver;)Z+72
j  sun.awt.image.ImageRepresentation.drawToBufImage(Ljava/awt/Graphics;Lsun/awt/image/ToolkitImage;IIIILjava/awt/Color;Ljava/awt/image/ImageObserver;)Z+156
j  sun.java2d.pipe.DrawImage.scaleImage(Lsun/java2d/SunGraphics2D;Ljava/awt/Image;IIIILjava/awt/Color;Ljava/awt/image/ImageObserver;)Z+64
j  sun.java2d.SunGraphics2D.drawImage(Ljava/awt/Image;IIIILjava/awt/Color;Ljava/awt/image/ImageObserver;)Z+72
j  sun.java2d.SunGraphics2D.drawImage(Ljava/awt/Image;IIIILjava/awt/image/ImageObserver;)Z+11
j  javasoft.sqe.tests.api.java.awt.Graphics.DrawImageTests.Graphics2027_14()Ljavasoft/sqe/javatest/Status;+325
v  ~StubRoutines::call_stub
j  sun.reflect.NativeMethodAccessorImpl.invoke0(Ljava/lang/reflect/Method;Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;+0
j  sun.reflect.NativeMethodAccessorImpl.invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;+87
j  sun.reflect.DelegatingMethodAccessorImpl.invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;+6
j  java.lang.reflect.Method.invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;+111
j  javasoft.sqe.javatest.lib.MultiTest.invokeTestCase(Ljava/lang/reflect/Method;)Ljavasoft/sqe/javatest/Status;+8
j  javasoft.sqe.javatest.lib.MultiTest.run([Ljava/lang/String;Ljava/io/PrintWriter;Ljava/io/PrintWriter;)Ljavasoft/sqe/javatest/Status;+152
j  javasoft.sqe.javatest.lib.MultiTest.run([Ljava/lang/String;Ljava/io/PrintStream;Ljava/io/PrintStream;)Ljavasoft/sqe/javatest/Status;+40
j  javasoft.sqe.tests.api.java.awt.Graphics.DrawImageTests.main([Ljava/lang/String;)V+16
v  ~StubRoutines::call_stub

---------------  P R O C E S S  ---------------

Java Threads: ( => current thread )
  0x08275ff0 JavaThread "AWT-EventQueue-0" [_thread_blocked, id=12]
  0x0824d308 JavaThread "AWT-Motif" daemon [_thread_in_native, id=11]
  0x0824ce70 JavaThread "AWT-Shutdown" [_thread_blocked, id=10]
  0x08226a18 JavaThread "Java2D Disposer" daemon [_thread_blocked, id=9]
  0x08153618 JavaThread "Low Memory Detector" daemon [_thread_blocked, id=7]
  0x08157ef8 JavaThread "CompilerThread0" daemon [_thread_blocked, id=6]
  0x0815c468 JavaThread "Signal Dispatcher" daemon [_thread_blocked, id=5]
  0x0814fe18 JavaThread "Finalizer" daemon [_thread_blocked, id=4]
  0x0814f760 JavaThread "Reference Handler" daemon [_thread_blocked, id=3]
=>0x08074a98 JavaThread "main" [_thread_in_native, id=1]
  0x08278e88 JavaThread "Image Fetcher 2" daemon [_thread_blocked, id=15]
  0x0827bf08 JavaThread "Image Fetcher 1" daemon [_thread_blocked, id=14]
  0x0827dd00 JavaThread "Image Fetcher 0" daemon [_thread_blocked, id=13]

Other Threads:
  0x08151e38 VMThread [id=2]
  0x08164800 WatcherThread [id=8]

VM state:not at safepoint (normal execution)

VM Mutex/Monitor currently owned by a thread: None

Heap
 def new generation   total 576K, used 131K [0xeca00000, 0xecaa0000, 0xecee0000)
  eden EdenSpace 512K,  16% used [0xeca00000, 0xeca14840, 0xeca80000)
  from ContiguousSpace 64K,  77% used [0xeca80000, 0xeca8c760, 0xeca90000)
  to   ContiguousSpace 64K,   0% used [0xeca90000, 0xeca90000, 0xecaa0000)
 tenured generation   total 1408K, used 137K [0xecee0000, 0xed040000, 0xf0a00000)
   the TenuredSpace 1408K,   9% used [0xecee0000, 0xecf027d8, 0xecf02800, 0xed040000)
 rtsj-mark-sweep perm gen total 65536K, used 6341K [0xf0a00000, 0xf4a00000, 0xf4a00000)
   the RTSJPermSpace 65536K,   9% used [0xf0a00000, 0xf1031430, 0xf4a00000)
 RTSJ gen             total 67584K, used 393K [0xf4a00000, 0xf8c00000, 0xf8c00000)
  ImmortalPhysicalReserved 0xf6a00000-0xf6b00000
  ScopedPhysicalReserved 0xf6b00000-0xf6c00000

Dynamic libraries:
0x08050000      /opt/SUNWrtjv/bin/java
0xfefb0000      /lib/libthread.so.1
0xfefc0000      /lib/libdl.so.1
0xfeeb0000      /lib/libc.so.1
0xfe800000      /opt/SUNWrtjv/jre/lib/i386/client/libjvm.so
0xfee70000      /lib/libsocket.so.1
0xfeea0000      /usr/lib/libsched.so.1
0xfee30000      /usr/lib/libCrun.so.1
0xfedd0000      /lib/libm.so.2
0xfeda0000      /lib/librt.so.1
0xfe770000      /lib/libnsl.so.1
0xfed80000      /lib/libaio.so.1
0xfed50000      /lib/libmd5.so.1
0xfed20000      /lib/libscf.so.1
0xfe750000      /lib/libdoor.so.1
0xfe720000      /lib/libuutil.so.1
0xfe700000      /lib/libmp.so.2
0xfe6d0000      /opt/SUNWrtjv/jre/lib/i386/native_threads/libhpi.so
0xfe6a0000      /lib/libm.so.1
0xfe660000      /opt/SUNWrtjv/jre/lib/i386/libverify.so
0xfe600000      /opt/SUNWrtjv/jre/lib/i386/libjava.so
0xfe5d0000      /opt/SUNWrtjv/jre/lib/i386/libzip.so
0xfb9a0000      /opt/SUNWrtjv/jre/lib/i386/librtsj.so
0xf8d10000      /opt/SUNWrtjv/jre/lib/i386/libawt.so
0xf8c50000      /opt/SUNWrtjv/jre/lib/i386/libmlib_image.so
0xec980000      /opt/SUNWrtjv/jre/lib/i386/motif21/libmawt.so
0xec430000      /usr/dt/lib/libXm.so.4
0xfae50000      /usr/openwin/lib/libXp.so.1
0xec920000      /usr/openwin/lib/libXt.so.4
0xfae10000      /usr/openwin/lib/libXext.so.0
0xf8c30000      /usr/openwin/lib/libXtst.so.1
0xec890000      /usr/openwin/lib/libX11.so.4
0xec870000      /usr/openwin/lib/libXtsol.so.1
0xec850000      /lib/libtsol.so.2
0xec830000      /lib/libsecdb.so.1
0xec810000      /lib/libcmd.so.1
0xec410000      /usr/openwin/lib/libSM.so.6
0xec3e0000      /usr/openwin/lib/libICE.so.6
0xec370000      /opt/SUNWrtjv/jre/lib/i386/libfontmanager.so
0xec2f0000      /usr/lib//liblayout.so

VM Arguments:
jvm_args: -Xmixed -XX:-UseRTGC -Xverify:all -Djava.security.policy=/net/vmsqe-amd-01.russia/export2/rtj/QA/test_suites/JCK-runtime-15a/lib/jck.policy
java_command: javasoft.sqe.tests.api.java.awt.Graphics.DrawImageTests -TestCaseID ALL

Environment Variables:
PATH=/set/vmsqe/dist/ant/apache-ant-1.6.5/bin/:/usr/sge/sge6/bin/sol-amd64:/set/vmsqe/gee/bin:/set/vmsqe/gtee/bin:/bin:/usr/bin:/usr/sbin:/sbin:/usr/ccs/bin:/usr/sge/sge6/bin/sol-amd64:/set/vmsqe/gee/bin:/set/vmsqe/gtee/bin:/bin:/usr/bin:/usr/sbin:/sbin:/usr/ccs/bin:/usr/bin:/usr/sfw/bin:/set/vmsqe/devtools/i386/SUNWspro/SS11_EA/prod/bin/:/set/vmsqe/devtools/solaris-i586/teamware/7.7/bin/:/usr/local/bin:/usr/sfw/bin:/set/vmsqe/devtools/i386/SUNWspro/SS11_EA/prod/bin/:/set/vmsqe/devtools/solaris-i586/teamware/7.7/bin/:/usr/local/bin:/bin:/bin
LD_LIBRARY_PATH=/opt/SUNWrtjv/jre/lib/i386/client:/opt/SUNWrtjv/jre/lib/i386:/opt/SUNWrtjv/jre/../lib/i386:/usr/sge/sge6/lib/sol-amd64:/usr/sge/sge6/lib/sol-amd64
SHELL=/bin/bash
DISPLAY=129.159.123.152:29.0

Signal Handlers:
SIGSEGV: [libjvm.so+0x40ef30], sa_mask[0]=0xffbffeff, sa_flags=0x00000004
SIGBUS: [libjvm.so+0x40ef30], sa_mask[0]=0xffbffeff, sa_flags=0x00000004
SIGFPE: [libjvm.so+0x185480], sa_mask[0]=0xffbffeff, sa_flags=0x0000000c
SIGPIPE: [libjvm.so+0x185480], sa_mask[0]=0xffbffeff, sa_flags=0x0000000c
SIGILL: [libjvm.so+0x185480], sa_mask[0]=0xffbffeff, sa_flags=0x0000000c
SIGUSR1: SIG_DFL, sa_mask[0]=0x00000000, sa_flags=0x00000000
SIGUSR2: SIG_DFL, sa_mask[0]=0x00000000, sa_flags=0x00000000
SIGHUP: [libjvm.so+0x356c60], sa_mask[0]=0xffbffeff, sa_flags=0x00000004
SIGINT: [libjvm.so+0x356c60], sa_mask[0]=0xffbffeff, sa_flags=0x00000004
SIGQUIT: [libjvm.so+0x356c60], sa_mask[0]=0xffbffeff, sa_flags=0x00000004
SIGTERM: [libjvm.so+0x356c60], sa_mask[0]=0xffbffeff, sa_flags=0x00000004


---------------  S Y S T E M  ---------------

OS:                        Solaris 10 11/06 s10x_u3wos_10 X86
           Copyright 2006 Sun Microsystems, Inc.  All Rights Reserved.
                        Use is subject to license terms.
                           Assembled 14 November 2006

uname:SunOS 5.10 Generic_118855-33 i86pc  (T2 libthread)
rlimit: STACK 10240k, CORE infinity, NOFILE 65536, AS infinity
load average:0.02 0.02 0.28

CPU:total 4 family 15, cmov, cx8, fxsr, mmx, sse, sse2, ht

Memory: 4k page, physical 2096624k(1111840k free)

vm_info: Java Real-Time System HotSpot(TM) Client VM (1.5.0_04-b39) for solaris-x86, built on Apr  6 2007 19:34:49 by unknown with unknown Workshop:0x550
Running this JCK test crashes java RTS 2.0 but I believe the probleme exists also with the jdk 5.0u4 (on which java RTS is based). When run with the jdk 5.0u4, the JVM is not crashed but I think there is a silent memory corruption. Follows a description of what I believe is wrong with jdk 5.0u4. I don't have a jdk6 at hand so I don't if this was fixed since jdk5.0u4.

The problem is run with the DISPLAY variable set and a command line similar to:

/net/amos/mackinac/jdk5.0u4/binaries/solaris-i486/bin/java_g -client -Xint -verify -classpath /net/amos.france/mackinac/jck/1.5a/binaries/JCK-runtime-15a/classes -Djava.security.policy=/net/amos.france/mackinac/jck/1.5a/binaries/JCK-runtime-15a/lib/jck.policy javasoft.sqe.tests.api.java.awt.Graphics.DrawImageTests -exclude Graphics2025_14 -TestCaseID ALL

The problem occurs in function AnyIntIsomorphicScaleCopy of libawt_g.so
I stop the JVM at the 25th call to AnyIntIsomorphicScaleCopy with dbx.
A the 25th call to AnyIntIsomorphicScaleCopy the value of the input parameters are:
width=11
height=11
sxloc=838860800=0x32000000
syloc=838860800=0x32000000
sxinc=1677721600=0x64000000
syinc=1677721600=0x64000000
shift=24

At the second iteration of the outer loop,
syloc=0x96000000=-1778384896
and the offset that is applied to srcBase is -42400. Because of an overflow we write outside of the buffer that is passed in parameter.
Comments
EVALUATION This looks as if it is a duplicate of 6301771. Same stack trace etc. Also this bug is reported against 1.5.0_04 (with the realtime vm but this is a libraries bug) and 6301771 is known to affect that release but is fixed in 1.5.0_06 and later.
18-04-2007