JDK-8280468 : Crashes in getConfigColormap, getConfigVisualId, XVisualIDFromVisual on Linux
  • Type: Bug
  • Component: client-libs
  • Sub-Component: java.awt
  • Affected Version: 17
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • OS: linux
  • Submitted: 2022-01-21
  • Updated: 2022-05-05
  • Resolved: 2022-04-27
JDK 19: 19 b21, Fixed
Description
Starting around summer of 2021, we've started to receive crash reports (SIGBUS, SIGSEGV) on Linux originating from libawt_xawt.so with stack frames falling into the following three categories. None of those were reproduced on site.
The crashes seem to be related to the backport of JDK-8076313 to JetBrains Runtime.

Current thread (0x00007f97ec0f3800):  JavaThread "AWT-EventQueue-0" [_thread_in_native, id=110867, stack(0x00007f97d2e1a000,0x00007f97d301b000)]

Stack: [0x00007f97d2e1a000,0x00007f97d301b000],  sp=0x00007f97d3015f10,  free space=2031k
Native frames: (J=compiled Java code, A=aot compiled Java code, j=interpreted, Vv=VM code, C=native code)
C  [libawt_xawt.so+0x366c3]  Java_sun_awt_X11GraphicsDevice_getConfigColormap+0x73
j  sun.awt.X11GraphicsDevice.getConfigColormap(II)I+0 java.desktop@11.0.11
j  sun.awt.X11GraphicsDevice.makeDefaultConfiguration()V+172 java.desktop@11.0.11
J 105853 c2 sun.awt.X11GraphicsDevice.getDefaultConfiguration()Ljava/awt/GraphicsConfiguration; java.desktop@11.0.11 (33 bytes) @ 0x00007f986e1bb770 [0x00007f986e1bb6c0+0x00000000000000b0]
J 106313 c2 javax.swing.BufferStrategyPaintManager.paint(Ljavax/swing/JComponent;Ljavax/swing/JComponent;Ljava/awt/Graphics;IIII)Z java.desktop@11.0.11 (235 bytes) @ 0x00007f986e2eaf68 [0x00007f986e2e8e00+0x0000000000002168]
J 98318 c2 javax.swing.JComponent.paint(Ljava/awt/Graphics;)V java.desktop@11.0.11 (409 bytes) @ 0x00007f986d73d38c [0x00007f986d73cc60+0x000000000000072c]
J 73257 c1 java.awt.GraphicsCallback$PaintCallback.run(Ljava/awt/Component;Ljava/awt/Graphics;)V java.desktop@11.0.11 (6 bytes) @ 0x00007f985b59d0c4 [0x00007f985b59cfc0+0x0000000000000104]
J 73254 c1 sun.awt.SunGraphicsCallback.runOneComponent(Ljava/awt/Component;Ljava/awt/Rectangle;Ljava/awt/Graphics;Ljava/awt/Shape;I)V java.desktop@11.0.11 (177 bytes) @ 0x00007f986012cbac [0x00007f986012b5e0+0x00000000000015cc]
J 73253 c1 sun.awt.SunGraphicsCallback.runComponents([Ljava/awt/Component;Ljava/awt/Graphics;I)V java.desktop@11.0.11 (167 bytes) @ 0x00007f985ebfee14 [0x00007f985ebfe6a0+0x0000000000000774]
j  java.awt.Container.paint(Ljava/awt/Graphics;)V+58 java.desktop@11.0.11
J 62857 c1 java.awt.Window.paint(Ljava/awt/Graphics;)V java.desktop@11.0.11 (72 bytes) @ 0x00007f985f4a520c [0x00007f985f4a4540+0x0000000000000ccc]
...


C  [libawt_xawt.so+0x36403]  Java_sun_awt_X11GraphicsDevice_getConfigVisualId+0x73
j  sun.awt.X11GraphicsDevice.getConfigVisualId(II)I+0 java.desktop@11.0.11
j  sun.awt.X11GraphicsDevice.makeDefaultConfiguration()V+13 java.desktop@11.0.11
j  sun.awt.X11GraphicsDevice.getDefaultConfiguration()Ljava/awt/GraphicsConfiguration;+15 java.desktop@11.0.11
j  javax.swing.RepaintManager.getDoubleBufferMaximumSize()Ljava/awt/Dimension;+46 java.desktop@11.0.11
j  javax.swing.RepaintManager.getVolatileOffscreenBuffer(Ljava/awt/Component;II)Ljava/awt/Image;+98 java.desktop@11.0.11
j  javax.swing.RepaintManager$PaintManager.paint(Ljavax/swing/JComponent;Ljavax/swing/JComponent;Ljava/awt/Graphics;IIII)Z+35 java.desktop@11.0.11
J 26358 c1 javax.swing.BufferStrategyPaintManager.paint(Ljavax/swing/JComponent;Ljavax/swing/JComponent;Ljava/awt/Graphics;IIII)Z java.desktop@11.0.11 (235 bytes) @ 0x00007f9623e63874 [0x00007f9623e63380+0x00000000000004f4]
J 25815 c1 javax.swing.RepaintManager.paint(Ljavax/swing/JComponent;Ljavax/swing/JComponent;Ljava/awt/Graphics;IIII)V java.desktop@11.0.11 (93 bytes) @ 0x00007f9623c30974 [0x00007f9623c30680+0x00000000000002f4]
J 36174 c2 javax.swing.JComponent.paint(Ljava/awt/Graphics;)V java.desktop@11.0.11 (409 bytes) @ 0x00007f9631a49448 [0x00007f9631a48c60+0x00000000000007e8]
...


C  [libX11.so.6+0x31154]  XVisualIDFromVisual+0x4
C  [libawt_xawt.so+0x3514f]  getAllConfigs+0x90f
C  [libawt_xawt.so+0x363e6]  Java_sun_awt_X11GraphicsDevice_getConfigVisualId+0x56
j  sun.awt.X11GraphicsDevice.getConfigVisualId(II)I+0 java.desktop@11.0.11
j  sun.awt.X11GraphicsDevice.makeDefaultConfiguration()V+13 java.desktop@11.0.11
J 50467 c1 sun.awt.X11GraphicsDevice.getDefaultConfiguration()Ljava/awt/GraphicsConfiguration; java.desktop@11.0.11 (33 bytes) @ 0x00007f429ee79a14 [0x00007f429ee79860+0x00000000000001b4]
J 41966 c1 javax.swing.RepaintManager.getDoubleBufferMaximumSize()Ljava/awt/Dimension; java.desktop@11.0.11 (134 bytes) @ 0x00007f429cf0be1c [0x00007f429cf0b640+0x00000000000007dc]
J 34245 c1 javax.swing.RepaintManager.getVolatileOffscreenBuffer(Ljava/awt/Component;II)Ljava/awt/Image; java.desktop@11.0.11 (243 bytes) @ 0x00007f429cb67744 [0x00007f429cb67020+0x0000000000000724]
J 42055 c1 javax.swing.RepaintManager$PaintManager.paint(Ljavax/swing/JComponent;Ljavax/swing/JComponent;Ljava/awt/Graphics;IIII)Z java.desktop@11.0.11 (201 bytes) @ 0x00007f429d0225b4 [0x00007f429d022320+0x0000000000000294]
J 21887 c1 javax.swing.BufferStrategyPaintManager.paint(Ljavax/swing/JComponent;Ljavax/swing/JComponent;Ljava/awt/Graphics;IIII)Z java.desktop@11.0.11 (235 bytes) @ 0x00007f429f195874 [0x00007f429f195380+0x00000000000004f4]
J 38591 c1 javax.swing.RepaintManager.paint(Ljavax/swing/JComponent;Ljavax/swing/JComponent;Ljava/awt/Graphics;IIII)V java.desktop@11.0.11 (93 bytes) @ 0x00007f429f2f18fc [0x00007f429f2f13c0+0x000000000000053c]
J 36546 c2 javax.swing.JComponent.paint(Ljava/awt/Graphics;)V java.desktop@11.0.11 (409 bytes) @ 0x00007f42ada94594 [0x00007f42ada93e00+0x0000000000000794]

...
(stacks trimmed for clarity).

Comments
Changeset: 05dac5a2
Author: Maxim Kartashev <maxim.kartashev@jetbrains.com>
Committer: Phil Race <prr@openjdk.org>
Date: 2022-04-27 18:19:55 +0000
URL: https://git.openjdk.java.net/jdk/commit/05dac5a23ed2813b2f4f2e4f007ebb93b4ae23ef
27-04-2022

This issue can be artificially reproduced with a patched JDK from here: https://github.com/mkartashev/jdk/commit/202afe06763ed3ebda6d042239e578af299bb7a0

The idea of the reproducer is to introduce artificial synchronization and then delay between the time `X11GraphicsEnvironment.initDevices()` invalidates the device and the time `X11GraphicsDevice.makeConfigurations()` is made aware of that. In the scenario the reproducer helps to create, `makeConfigurations()` starts working on the second monitor (`screen == 1`) and in the middle of that the screen disappears, but the screen number is changed 500+ms later, allowing `getConfigVisualId()` to be called with screen number 1 that is no longer valid. To facilitate a crash rather than random memory corruption, I pad the array of screens (`x11Screens` from `awt_GraphicsEnv.c`) with a couple of zeroed-out elements at the end. This way, when accessing past the effective end, you're de-referencing a zero (or near-zero) pointer.

Steps to reproduce are described in the `Test.java` file in the repository root of the mentioned commit; there's also a sample of the crash there.

To repeat: On a Linux box with exactly two monitors running X11 (no Wayland or XWayland),
- build branch https://github.com/mkartashev/jdk/tree/JDK-8280468-reproducer or apply the above mentioned commit as a patch,
- compile `Test.java` from the repository root,
- execute it using the freshly built `java` (both release and fastdebug builds will work),
- when this gets printed to stdout `makeConfigurations(): waiting for the signal to continue...` unplug or disable the second monitor on the system,
- observe the crash.

The reproducer is quite fragile in the sense that it is built on a number of implicit assumptions about the order and quantity of several things, which may or may not differ between systems. If it doesn't crash on your system, some tweaks may be in order.
16-02-2022
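
The stale screen number described in the comment above, reduced to a small C model. This is an added example, not code from the JDK or from the fix in changeset 05dac5a2. All names (`screens`, `set_screens`, `configs_unchecked`, `get_visual_id_checked`) are hypothetical, and the zeroed spare slots mirror the padding the reproducer applies to `x11Screens`.

```c
#include <pthread.h>
#include <string.h>

#define MAX_SCREENS 4   /* constructed capacity; unused slots stay zeroed */
typedef struct { unsigned long visual_id; } config_t;          /* hypothetical */
typedef struct { int num_configs; config_t *configs; } screen_t;

static screen_t screens[MAX_SCREENS];
static int num_screens;
static pthread_mutex_t screens_lock = PTHREAD_MUTEX_INITIALIZER;

/* Hotplug path: rebuild the table when monitors come or go. */
int set_screens(const screen_t *src, int n) {
    if (n < 0 || n > MAX_SCREENS) return -1;
    pthread_mutex_lock(&screens_lock);
    memset(screens, 0, sizeof screens);
    if (n > 0) memcpy(screens, src, (size_t)n * sizeof *src);
    num_screens = n;
    pthread_mutex_unlock(&screens_lock);
    return 0;
}

/* Unchecked: trusts a screen number obtained before the rebuild. For a stale
 * screen it hands back the zeroed slot's NULL pointer for the caller to use. */
config_t *configs_unchecked(int screen) {
    return screens[screen].configs;
}

/* Checked: validates both indices against the current table under the lock.
 * Returns 0 and stores the visual id, or -1 if the screen or config is gone. */
int get_visual_id_checked(int screen, int index, unsigned long *out) {
    int rc = -1;
    pthread_mutex_lock(&screens_lock);
    if (screen >= 0 && screen < num_screens &&
        index >= 0 && index < screens[screen].num_configs) {
        *out = screens[screen].configs[index].visual_id;
        rc = 0;
    }
    pthread_mutex_unlock(&screens_lock);
    return rc;
}

int main(void) {
    config_t c0 = {0x21}, c1 = {0x42};        /* constructed sample visual ids */
    screen_t two[2] = {{1, &c0}, {1, &c1}};
    unsigned long id = 0;
    set_screens(two, 2);
    set_screens(two, 1);                      /* second monitor removed */
    return get_visual_id_checked(1, 0, &id) == -1 ? 0 : 1;
}
```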

A pull request was submitted for review.
URL: https://git.openjdk.java.net/jdk/pull/7182
Date: 2022-01-21 17:02:38 +0000
21-01-2022