In AwtTextComponent::AddCR(WCHAR*, int), the function calls `delete[]` on a buffer that its caller obtained from TO_WSTRING, i.e. memory allocated with alloca() on the stack rather than with new[]. Freeing a stack address through operator delete corrupts the heap, and, depending on the elided caller code, the heap buffer that AddCR returns may additionally be leaked.
The call stack at the crash is below (apologies for the length). Note that the pointer handed to operator delete (0x0559f040) lies next to other stack-frame addresses in the same trace (0x0559fed4, 0x0559ff5c), which is consistent with a stack buffer rather than a heap block.
operator delete(void * 0x0559f040) line 47 + 81 bytes
AwtTextComponent::AddCR(unsigned short * 0x0559f040, int 21) line 95 + 15 bytes
Java_sun_awt_windows_WTextAreaPeer_replaceText(JNIEnv_ * 0x00477280, _jobject * 0x04f1a0f0, _jstring * 0x04f1a0f4, long 50, long 50) line 207 + 13 bytes
Java_sun_awt_windows_WTextAreaPeer_insertText(JNIEnv_ * 0x00477280, _jobject * 0x04f1a0f0, _jstring * 0x04f1a0f4, long 49) line 262
_sysInvokeNative() line 163
invokeJNINativeMethod(Hjava_lang_Object * 0x01a28370, methodblock * 0x0579ff78, int 3, execenv * 0x00477280) line 475 + 41 bytes
invokeLazyNativeMethod(Hjava_lang_Object * 0x01a28370, methodblock * 0x0579ff78, int 3, execenv * 0x00477280) line 644 + 22 bytes
ExecuteJava_C(unsigned char * 0x0559fed4, execenv * 0x00477280) line 1453 + 22 bytes
do_execute_java_method_vararg(execenv * 0x00477280, void * 0x01a02a58, char * 0x00428e78, char * 0x00412e98, methodblock * 0x00000000, int 0, char * 0x0559ff5c, long * 0x00000000, int 0) line 581 + 14 bytes
execute_java_dynamic_method(execenv * 0x00477280, Hjava_lang_Object * 0x01a02a58, char * 0x1008d1ec, char * 0x1008d1e8) line 297 + 33 bytes
ThreadRT0(Hjava_lang_Thread * 0x01a02a58) line 2082 + 23 bytes
saveStackBase(void * 0x00477250) line 86 + 7 bytes
_start(sys_thread * 0x00477300) line 253 + 13 bytes
_threadstartex(void * 0x00477380) line 212 + 13 bytes
BaseThreadStart@8 + 81 bytes
The allocating code (caller side) looks like:
// awt_Unicode.h
// Converts a jstring to a NUL-terminated WCHAR buffer that is allocated with alloca()
// in the CALLER's stack frame (the macro expands at the use site, so `env` must be in scope).
// Consequences for callers:
//  - the buffer lives only until the enclosing function returns; it must never be
//    handed to delete[]/free, and must not be retained past that point;
//  - the size is (string length + 1) * 2, i.e. it hard-codes sizeof(WCHAR) == 2;
//  - the length comes straight from the Java string with no upper bound, so a very
//    long string grows the stack frame by that amount and alloca cannot fail
//    gracefully -- NOTE(review): consider a length cap or a heap path for large strings.
// Evaluates to NULL when jstr is NULL; otherwise to the value returned by
// JNI_J2WHelper1 (presumably the filled buffer -- its body is not shown here).
#define TO_WSTRING(jstr) ((jstr == NULL) ? NULL : (JNI_J2WHelper1(env, (LPWSTR) alloca((env->GetStringLength(jstr)+1)*2), jstr) ))
// awt_TextArea.cpp
/*
 * JNI entry point for WTextAreaPeer.replaceText(text, start, end).
 * Only the lines relevant to the crash are shown; "..." marks elided code.
 *
 * Defect: `buffer` comes from TO_WSTRING, i.e. it is alloca()'d in this frame,
 * yet it is passed to AwtTextComponent::AddCR, which delete[]s its input whenever
 * it produces a new buffer (see awt_TextComponent.cpp). Freeing a stack address
 * through operator delete is what the call stack above shows.
 *
 * NOTE(review): env->GetStringLength(text) runs here before TO_WSTRING's own
 * NULL guard, so the guard does not actually protect a NULL `text` -- confirm
 * whether callers can pass NULL.
 */
JNIEXPORT void JNICALL
Java_sun_awt_windows_WTextAreaPeer_replaceText(JNIEnv *env, jobject self,
jstring text,
jint start, jint end)
{
...
/* +1 for the terminating NUL; matches the size TO_WSTRING allocates. */
int length = env->GetStringLength(text) + 1;
WCHAR* buffer = TO_WSTRING(text); /* stack (alloca) memory -- not a heap block */
/* BUG: AddCR may delete[] `buffer` (see header comment). */
buffer = AwtTextComponent::AddCR(buffer, length);
...
}
The freeing code (callee side) looks like:
// awt_TextComponent.cpp
/*
 * Presumably returns pStr with carriage returns inserted (the body is elided
 * here, "..."); `result` is either pStr itself or a newly allocated buffer.
 *
 * Ownership contract implied by the code below: pStr must have been allocated
 * with new[], because it is delete[]d whenever a new buffer was produced.
 * A caller that passes stack or otherwise non-new[] memory -- e.g. replaceText,
 * which passes a TO_WSTRING/alloca buffer -- corrupts the heap. JDK-4153338
 * proposes moving the memory management to the caller instead. Note also that
 * the caller can only learn whether it now owns a heap buffer by comparing the
 * return value with the pointer it passed in.
 */
WCHAR *AwtTextComponent::AddCR(WCHAR *pStr, int nStrLen)
{
...
if (pStr != result) {
/* We realloc'd, so delete old buffer. */
/* Only valid if pStr came from new[]; see header comment. */
delete[] pStr;
}
return result;
}
The call stack at the crash is below (apologies for the length). Note that the pointer handed to operator delete (0x0559f040) lies next to other stack-frame addresses in the same trace (0x0559fed4, 0x0559ff5c), which is consistent with a stack buffer rather than a heap block.
operator delete(void * 0x0559f040) line 47 + 81 bytes
AwtTextComponent::AddCR(unsigned short * 0x0559f040, int 21) line 95 + 15 bytes
Java_sun_awt_windows_WTextAreaPeer_replaceText(JNIEnv_ * 0x00477280, _jobject * 0x04f1a0f0, _jstring * 0x04f1a0f4, long 50, long 50) line 207 + 13 bytes
Java_sun_awt_windows_WTextAreaPeer_insertText(JNIEnv_ * 0x00477280, _jobject * 0x04f1a0f0, _jstring * 0x04f1a0f4, long 49) line 262
_sysInvokeNative() line 163
invokeJNINativeMethod(Hjava_lang_Object * 0x01a28370, methodblock * 0x0579ff78, int 3, execenv * 0x00477280) line 475 + 41 bytes
invokeLazyNativeMethod(Hjava_lang_Object * 0x01a28370, methodblock * 0x0579ff78, int 3, execenv * 0x00477280) line 644 + 22 bytes
ExecuteJava_C(unsigned char * 0x0559fed4, execenv * 0x00477280) line 1453 + 22 bytes
do_execute_java_method_vararg(execenv * 0x00477280, void * 0x01a02a58, char * 0x00428e78, char * 0x00412e98, methodblock * 0x00000000, int 0, char * 0x0559ff5c, long * 0x00000000, int 0) line 581 + 14 bytes
execute_java_dynamic_method(execenv * 0x00477280, Hjava_lang_Object * 0x01a02a58, char * 0x1008d1ec, char * 0x1008d1e8) line 297 + 33 bytes
ThreadRT0(Hjava_lang_Thread * 0x01a02a58) line 2082 + 23 bytes
saveStackBase(void * 0x00477250) line 86 + 7 bytes
_start(sys_thread * 0x00477300) line 253 + 13 bytes
_threadstartex(void * 0x00477380) line 212 + 13 bytes
BaseThreadStart@8 + 81 bytes
The allocating code (caller side) looks like:
// awt_Unicode.h
// Converts a jstring to a NUL-terminated WCHAR buffer that is allocated with alloca()
// in the CALLER's stack frame (the macro expands at the use site, so `env` must be in scope).
// Consequences for callers:
//  - the buffer lives only until the enclosing function returns; it must never be
//    handed to delete[]/free, and must not be retained past that point;
//  - the size is (string length + 1) * 2, i.e. it hard-codes sizeof(WCHAR) == 2;
//  - the length comes straight from the Java string with no upper bound, so a very
//    long string grows the stack frame by that amount and alloca cannot fail
//    gracefully -- NOTE(review): consider a length cap or a heap path for large strings.
// Evaluates to NULL when jstr is NULL; otherwise to the value returned by
// JNI_J2WHelper1 (presumably the filled buffer -- its body is not shown here).
#define TO_WSTRING(jstr) ((jstr == NULL) ? NULL : (JNI_J2WHelper1(env, (LPWSTR) alloca((env->GetStringLength(jstr)+1)*2), jstr) ))
// awt_TextArea.cpp
/*
 * JNI entry point for WTextAreaPeer.replaceText(text, start, end).
 * Only the lines relevant to the crash are shown; "..." marks elided code.
 *
 * Defect: `buffer` comes from TO_WSTRING, i.e. it is alloca()'d in this frame,
 * yet it is passed to AwtTextComponent::AddCR, which delete[]s its input whenever
 * it produces a new buffer (see awt_TextComponent.cpp). Freeing a stack address
 * through operator delete is what the call stack above shows.
 *
 * NOTE(review): env->GetStringLength(text) runs here before TO_WSTRING's own
 * NULL guard, so the guard does not actually protect a NULL `text` -- confirm
 * whether callers can pass NULL.
 */
JNIEXPORT void JNICALL
Java_sun_awt_windows_WTextAreaPeer_replaceText(JNIEnv *env, jobject self,
jstring text,
jint start, jint end)
{
...
/* +1 for the terminating NUL; matches the size TO_WSTRING allocates. */
int length = env->GetStringLength(text) + 1;
WCHAR* buffer = TO_WSTRING(text); /* stack (alloca) memory -- not a heap block */
/* BUG: AddCR may delete[] `buffer` (see header comment). */
buffer = AwtTextComponent::AddCR(buffer, length);
...
}
The freeing code (callee side) looks like:
// awt_TextComponent.cpp
/*
 * Presumably returns pStr with carriage returns inserted (the body is elided
 * here, "..."); `result` is either pStr itself or a newly allocated buffer.
 *
 * Ownership contract implied by the code below: pStr must have been allocated
 * with new[], because it is delete[]d whenever a new buffer was produced.
 * A caller that passes stack or otherwise non-new[] memory -- e.g. replaceText,
 * which passes a TO_WSTRING/alloca buffer -- corrupts the heap. JDK-4153338
 * proposes moving the memory management to the caller instead. Note also that
 * the caller can only learn whether it now owns a heap buffer by comparing the
 * return value with the pointer it passed in.
 */
WCHAR *AwtTextComponent::AddCR(WCHAR *pStr, int nStrLen)
{
...
if (pStr != result) {
/* We realloc'd, so delete old buffer. */
/* Only valid if pStr came from new[]; see header comment. */
delete[] pStr;
}
return result;
}
Duplicates: JDK-4149908 crash in jvm_g.dll (Closed)
Relates to: JDK-4153338 Change AddCR to allow the client code to do its own memory management (Closed)