-
Bug
-
Resolution: Future Project
-
P5
-
None
-
7
-
x86
-
windows
SYNOPSIS
--------
Crash in ntdll.dll RtlEnterCriticalSection due to race condition in JdbcOdbcConnection
OPERATING SYSTEM
----------------
Windows on x86
NOTE
----
Not reproduced with Oracle JDK, but problem code is present in Oracle codebase.
PROBLEM DESCRIPTION
-------------------
A crash is observed in C:\WINDOWS\system32\ntdll.dll, with a Licensee's Windows JDK implementation (see Comments for Licensee identity). Below is the stack:
Java Stack Frames:
at sun/jdbc/odbc/JdbcOdbc.allocConnect(Native Method)
at sun/jdbc/odbc/JdbcOdbc.SQLAllocConnect(JdbcOdbc.java:125)
at sun/jdbc/odbc/JdbcOdbcDriver.allocConnection(JdbcOdbcDriver.java:938)
at sun/jdbc/odbc/JdbcOdbcConnection.initialize(JdbcOdbcConnection.java:138)
at sun/jdbc/odbc/JdbcOdbcDriver.connect(JdbcOdbcDriver.java:174)
<frames removed to protect customer/licensee privacy>
at javax/servlet/http/HttpServlet.service(HttpServlet.java:718)
at javax/servlet/http/HttpServlet.service(HttpServlet.java:831)
<frames removed to protect customer/licensee privacy>
Native callstack:
RtlEnterCriticalSection+0x19 (0x7C96A379 [ntdll+0x1a379])
SQLConnectA+0x2ef8 (0x4B904C36 [ODBC32+0x34c36])
SQLAllocConnect+0x7d (0x4B8D8751 [ODBC32+0x8751])
SQLAllocConnect+0x1f (0x4B8D86F3 [ODBC32+0x86f3])
Java_sun_jdbc_odbc_JdbcOdbc_allocConnect+0x28 (jdbcodbc.c:243, 0x7F3B11CB [JdbcOdbc+0x11cb])
<frames removed to protect customer/licensee privacy>
SUGGESTED FIX
-------------
See Suggested Fix section for diffs relative to code in 6u22-b01.
Licensee's iinvestigation revealed that the problem is caused by code in the JdbcOdbcDriver class. This is the sequence of events that leads up to the crash:
1. Thread T1 finishes its work on JdbcOdbcConnection and calls close()
upon it.
2. This results in a call to JdbcOdbcDriver.closeConnection().
3. Since no other connections are currently active, SQLFreeEnv() will be
called, and a global variable hEnv will be set to NULL, which
releases the OpenRDA ODBC driver DLL.
4. However, before step 4 is complete, another thread, T2, needs a new
connection and calls JdbcOdbcDriver.connect(). T2 checks for the
global hEnv variable and finds that it is not NULL, thus indicating
that a valid hEnv will exist.
5. T2 then goes on to call the SQLAllocConnect() call, passing in the
hEnv variable which has already been freed by T1. This causes the
ODBC driver manager to crash.
Licensee fix suggestion is to add the synchronized modifier to some of the JdbcOdbcDriver Class's methods to prevent concurrent execution, thus avoiding the race condition that causes the crash. These methods are:
JdbcOdbcDriver.allocConnection()
JdbcOdbcDriver.initialize()
JdbcOdbcDriver.closeConnection()
--------
Crash in ntdll.dll RtlEnterCriticalSection due to race condition in JdbcOdbcConnection
OPERATING SYSTEM
----------------
Windows on x86
NOTE
----
Not reproduced with Oracle JDK, but problem code is present in Oracle codebase.
PROBLEM DESCRIPTION
-------------------
A crash is observed in C:\WINDOWS\system32\ntdll.dll, with a Licensee's Windows JDK implementation (see Comments for Licensee identity). Below is the stack:
Java Stack Frames:
at sun/jdbc/odbc/JdbcOdbc.allocConnect(Native Method)
at sun/jdbc/odbc/JdbcOdbc.SQLAllocConnect(JdbcOdbc.java:125)
at sun/jdbc/odbc/JdbcOdbcDriver.allocConnection(JdbcOdbcDriver.java:938)
at sun/jdbc/odbc/JdbcOdbcConnection.initialize(JdbcOdbcConnection.java:138)
at sun/jdbc/odbc/JdbcOdbcDriver.connect(JdbcOdbcDriver.java:174)
<frames removed to protect customer/licensee privacy>
at javax/servlet/http/HttpServlet.service(HttpServlet.java:718)
at javax/servlet/http/HttpServlet.service(HttpServlet.java:831)
<frames removed to protect customer/licensee privacy>
Native callstack:
RtlEnterCriticalSection+0x19 (0x7C96A379 [ntdll+0x1a379])
SQLConnectA+0x2ef8 (0x4B904C36 [ODBC32+0x34c36])
SQLAllocConnect+0x7d (0x4B8D8751 [ODBC32+0x8751])
SQLAllocConnect+0x1f (0x4B8D86F3 [ODBC32+0x86f3])
Java_sun_jdbc_odbc_JdbcOdbc_allocConnect+0x28 (jdbcodbc.c:243, 0x7F3B11CB [JdbcOdbc+0x11cb])
<frames removed to protect customer/licensee privacy>
SUGGESTED FIX
-------------
See Suggested Fix section for diffs relative to code in 6u22-b01.
Licensee's iinvestigation revealed that the problem is caused by code in the JdbcOdbcDriver class. This is the sequence of events that leads up to the crash:
1. Thread T1 finishes its work on JdbcOdbcConnection and calls close()
upon it.
2. This results in a call to JdbcOdbcDriver.closeConnection().
3. Since no other connections are currently active, SQLFreeEnv() will be
called, and a global variable hEnv will be set to NULL, which
releases the OpenRDA ODBC driver DLL.
4. However, before step 4 is complete, another thread, T2, needs a new
connection and calls JdbcOdbcDriver.connect(). T2 checks for the
global hEnv variable and finds that it is not NULL, thus indicating
that a valid hEnv will exist.
5. T2 then goes on to call the SQLAllocConnect() call, passing in the
hEnv variable which has already been freed by T1. This causes the
ODBC driver manager to crash.
Licensee fix suggestion is to add the synchronized modifier to some of the JdbcOdbcDriver Class's methods to prevent concurrent execution, thus avoiding the race condition that causes the crash. These methods are:
JdbcOdbcDriver.allocConnection()
JdbcOdbcDriver.initialize()
JdbcOdbcDriver.closeConnection()