Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-4904136

[1.3.1_09]JVM crashes when big number is specified in fillRect()

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: P4 P4
    • 1.3.1_12
    • 1.3.1_09
    • client-libs
    • 2d
    • 12
    • x86
    • windows_xp

      JVM crashed when a big number is specified as one of arg. of fillRect()
      in 1.3.1_09.

      The error messages is,

      === hs_err_pid1952.log =======>

      An unexpected exception has been detected in native code outside the VM.
      Unexpected Signal : EXCEPTION_ACCESS_VIOLATION occurred at PC=0x6d022cba
      Function name=Java_sun_java2d_loops_IntDiscreteRenderer_devSetRect
      Library=J:\java\jdk1.3.1_09\win32\jre\bin\awt.dll

      Current Java thread:
              at sun.java2d.loops.IntDiscreteRenderer.devSetRect(Native Method)
              at sun.java2d.loops.ICRFillRectRasterContext.invoke(IntDiscreteRenderer.
      java:256)
              at sun.awt.image.BufferedImageGraphics2D.fillRect(BufferedImageGraphics2
      D.java:648)
              at sun.java2d.pipe.ValidatePipe.fillRect(ValidatePipe.java:37)
              at sun.java2d.SunGraphics2D.fillRect(SunGraphics2D.java:1555)
              at Test.paint(Test.java:27)
              at sun.awt.RepaintArea.paint(RepaintArea.java:293)
              at sun.awt.windows.WComponentPeer.handleEvent(WComponentPeer.java:191)
              at java.awt.Component.dispatchEventImpl(Component.java:2658)
              at java.awt.Container.dispatchEventImpl(Container.java:1208)
              at java.awt.Window.dispatchEventImpl(Window.java:923)
              at java.awt.Component.dispatchEvent(Component.java:2492)
              at java.awt.EventQueue.dispatchEvent(EventQueue.java:334)
              at java.awt.EventDispatchThread.pumpOneEventForHierarchy(EventDispatchTh
      read.java:126)
              at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThre
      ad.java:93)
              at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:88)
              at java.awt.EventDispatchThread.run(EventDispatchThread.java:80)

      Dynamic libraries:
      0x00400000 - 0x00405000 J:\java\jdk1.3.1_09\win32\bin\java.exe
      0x77F50000 - 0x77FE4000 F:\WINDOWS\System32\ntdll.dll
      0x77E20000 - 0x77F43000 F:\WINDOWS\system32\kernel32.dll
      0x77D80000 - 0x77E1B000 F:\WINDOWS\system32\ADVAPI32.dll
      0x78000000 - 0x78086000 F:\WINDOWS\system32\RPCRT4.dll
      0x77BC0000 - 0x77C13000 F:\WINDOWS\system32\MSVCRT.dll
      0x6D420000 - 0x6D4F9000 J:\java\jdk1.3.1_09\win32\jre\bin\hotspot\jvm.dl
      l
      0x77CF0000 - 0x77D7B000 F:\WINDOWS\system32\USER32.dll
      0x77C20000 - 0x77C60000 F:\WINDOWS\system32\GDI32.dll
      0x76AF0000 - 0x76B1A000 F:\WINDOWS\System32\WINMM.dll
      0x762E0000 - 0x762FC000 F:\WINDOWS\System32\IMM32.DLL
      0x60740000 - 0x60748000 F:\WINDOWS\System32\LPK.DLL
      0x72EF0000 - 0x72F4A000 F:\WINDOWS\System32\USP10.dll
      0x6D220000 - 0x6D227000 J:\java\jdk1.3.1_09\win32\jre\bin\hpi.dll
      0x6D3B0000 - 0x6D3BD000 J:\java\jdk1.3.1_09\win32\jre\bin\verify.dll
      0x6D250000 - 0x6D268000 J:\java\jdk1.3.1_09\win32\jre\bin\java.dll
      0x6D3C0000 - 0x6D3CD000 J:\java\jdk1.3.1_09\win32\jre\bin\zip.dll
      0x6D020000 - 0x6D12B000 J:\java\jdk1.3.1_09\win32\jre\bin\awt.dll
      0x72F50000 - 0x72F73000 F:\WINDOWS\System32\WINSPOOL.DRV
      0x77160000 - 0x77281000 F:\WINDOWS\system32\ole32.dll
      0x58730000 - 0x58764000 F:\WINDOWS\System32\uxtheme.dll
      0x6D1E0000 - 0x6D21B000 J:\java\jdk1.3.1_09\win32\jre\bin\fontmanager.dl
      l

              at java.awt.Component.dispatchEvent(Component.java:2492)
              at java.awt.EventQueue.dispatchEvent(EventQueue.java:334)
              at java.awt.EventDispatchThread.pumpOneEventForHierarchy(EventDispatchTh
      read.java:126)
              at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThre
      ad.java:93)
              at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:88)
              at java.awt.EventDispatchThread.run(EventDispatchThread.java:80)

      Dynamic libraries:
      0x00400000 - 0x00405000 J:\java\jdk1.3.1_09\win32\bin\java.exe
      0x77F50000 - 0x77FE4000 F:\WINDOWS\System32\ntdll.dll
      0x77E20000 - 0x77F43000 F:\WINDOWS\system32\kernel32.dll
      0x77D80000 - 0x77E1B000 F:\WINDOWS\system32\ADVAPI32.dll
      0x78000000 - 0x78086000 F:\WINDOWS\system32\RPCRT4.dll
      0x77BC0000 - 0x77C13000 F:\WINDOWS\system32\MSVCRT.dll
      0x6D420000 - 0x6D4F9000 J:\java\jdk1.3.1_09\win32\jre\bin\hotspot\jvm.dl
      l
      0x77CF0000 - 0x77D7B000 F:\WINDOWS\system32\USER32.dll
      0x77C20000 - 0x77C60000 F:\WINDOWS\system32\GDI32.dll
      0x76AF0000 - 0x76B1A000 F:\WINDOWS\System32\WINMM.dll
      0x762E0000 - 0x762FC000 F:\WINDOWS\System32\IMM32.DLL
      0x60740000 - 0x60748000 F:\WINDOWS\System32\LPK.DLL
      0x72EF0000 - 0x72F4A000 F:\WINDOWS\System32\USP10.dll
      0x6D220000 - 0x6D227000 J:\java\jdk1.3.1_09\win32\jre\bin\hpi.dll
      0x6D3B0000 - 0x6D3BD000 J:\java\jdk1.3.1_09\win32\jre\bin\verify.dll
      0x6D250000 - 0x6D268000 J:\java\jdk1.3.1_09\win32\jre\bin\java.dll
      0x6D3C0000 - 0x6D3CD000 J:\java\jdk1.3.1_09\win32\jre\bin\zip.dll
      0x6D020000 - 0x6D12B000 J:\java\jdk1.3.1_09\win32\jre\bin\awt.dll
      0x72F50000 - 0x72F73000 F:\WINDOWS\System32\WINSPOOL.DRV
      0x77160000 - 0x77281000 F:\WINDOWS\system32\ole32.dll
      0x58730000 - 0x58764000 F:\WINDOWS\System32\uxtheme.dll
      0x6D1E0000 - 0x6D21B000 J:\java\jdk1.3.1_09\win32\jre\bin\fontmanager.dl
      l
      0x74660000 - 0x746A4000 F:\WINDOWS\System32\MSCTF.dll
      0x08FB0000 - 0x08FDB000 F:\WINDOWS\System32\msctfime.ime
      0x3A700000 - 0x3A754000 F:\WINDOWS\System32\imjp81.ime
      0x648F0000 - 0x649BC000 F:\WINDOWS\System32\IMJP81K.DLL
      0x772F0000 - 0x7737B000 F:\WINDOWS\system32\COMCTL32.DLL
      0x77380000 - 0x77B60000 F:\WINDOWS\system32\SHELL32.DLL
      0x08FF0000 - 0x09054000 F:\WINDOWS\system32\SHLWAPI.dll
      0x78090000 - 0x78174000 F:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-C
      ontrols_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll
      0x76C40000 - 0x76C62000 F:\WINDOWS\system32\imagehlp.dll
      0x6D6B0000 - 0x6D72D000 F:\WINDOWS\system32\DBGHELP.dll
      0x77BB0000 - 0x77BB7000 F:\WINDOWS\system32\VERSION.dll
      0x76BA0000 - 0x76BAB000 F:\WINDOWS\System32\PSAPI.DLL

      Local Time = Mon Aug 11 15:42:09 2003
      Elapsed Time = 6
      #
      # The exception above was detected in native code outside the VM
      #
      # Java VM: Java HotSpot(TM) Client VM (1.3.1_09-b03 mixed mode)
      #


      <===============================


      According to users investigation, this issues occurs when we set the
      invalid number data of REctangle in java.awt.Graphics.Graphics.fillRect().

       1) x + width is greater than the maximun of 32 bits integer
       2) y + height is greater than the maxmun number of 32 bits integer

      Further investigation, Java_sun_java2d_loops_IntDiscreteRenderer_devSetRect
      does not check if the above numbers.
      At the entrance of the function, it checks the range of Rectangle.
      but it doesn't seem to check when the following number becomes greater than
      the maximun of jint.
        1') jint x + jint w
        2') jint y + jint h

      If the above value is greater than jint max, dataPtr[x] is invalid address
      and access violation occurs.


      TO REPRODUCE:
        Compile the attached file, "Test.java", and invoke "java Test" in 1.3.1_09.

      NOTE:
        This issue does not occur in 1.4.2fcs.

      ===========================================================================

            avu Alexey Ushakov
            tbaba Tadayuki Baba (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:
              Resolved:
              Imported:
              Indexed: