Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8149338

JVM Crash caused by Marlin renderer not handling NaN coordinates

XMLWordPrintable

    • 2d
    • b110

        Marlin's Renderer does not handle properly NaN coordinates and it can lead to a SEGV (corrupted edgeBuckets pointers):


        #
        # A fatal error has been detected by the Java Runtime Environment:
        #
        # SIGSEGV (0xb) at pc=0x00007f33add22bdc, pid=4640, tid=4666
        #
        # JRE version: OpenJDK Runtime Environment (9.0) (build 9-internal+0-2016-02-03-151308.bourgesl.client)
        # Java VM: OpenJDK 64-Bit Server VM (9-internal+0-2016-02-03-151308.bourgesl.client, mixed mode, tiered, compressed oops, g1 gc, linux-amd64)
        # Problematic frame:
        # J 488 C1 sun.java2d.marlin.Renderer._endRendering(II)V (2400 bytes) @ 0x00007f33add22bdc [0x00007f33add21ee0+0x0000000000000cfc]
        #
        # Core dump will be written. Default location: Core dumps may be processed with "/usr/share/apport/apport %p %s %c %P" (or dumping to /home/graphics-rasterizer/JTwork/sun/java2d/marlin/CrashNaN/core.4640)
        #
        # If you would like to submit a bug report, please visit:
        # http://bugreport.java.com/bugreport/crash.jsp
        #

        --------------- S U M M A R Y ------------

        Command Line: -Dtest.src=/home/graphics-rasterizer/client/jdk/test/sun/java2d/marlin -Dtest.src.path=/home/graphics-rasterizer/client/jdk/test/sun/java2d/marlin -Dtest.classes=/home/graphics-rasterizer/JTwork/classes/sun/java2d/marlin -Dtest.class.path=/home/graphics-rasterizer/JTwork/classes/sun/java2d/marlin -Dtest.vm.opts= -Dtest.tool.vm.opts= -Dtest.compiler.opts= -Dtest.java.opts= -Dtest.jdk=/home/bourgesl/libs/graphics-rasterizer/client/build/linux-x86_64-normal-server-release/images/jdk -Dcompile.jdk=/home/bourgesl/libs/graphics-rasterizer/client/build/linux-x86_64-normal-server-release/images/jdk -Dtest.timeout.factor=1.0 -Dtest.modules=java.desktop com.sun.javatest.regtest.agent.MainWrapper /home/graphics-rasterizer/JTwork/sun/java2d/marlin/CrashNaN.d/main.0.jta

        Host: Intel(R) Core(TM) i7-4800MQ CPU @ 2.70GHz, 4 cores, 15G, Ubuntu 14.04.3 LTS
        Time: Mon Feb 8 21:10:53 2016 CET elapsed time: 0 seconds (0d 0h 0m 0s)

        --------------- T H R E A D ---------------

        Current thread (0x00007f33c02e4000): JavaThread "MainThread" [_thread_in_Java, id=4666, stack(0x00007f33425b7000,0x00007f33426b8000)]

        Stack: [0x00007f33425b7000,0x00007f33426b8000], sp=0x00007f33426b5d20, free space=1019k
        Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
        J 488 C1 sun.java2d.marlin.Renderer._endRendering(II)V (2400 bytes) @ 0x00007f33add22bdc [0x00007f33add21ee0+0x0000000000000cfc]
        j sun.java2d.marlin.Renderer.endRendering(I)V+49
        j sun.java2d.marlin.Renderer.endRendering()Z+459
        j sun.java2d.marlin.MarlinRenderingEngine.getAATileGenerator(Ljava/awt/Shape;Ljava/awt/geom/AffineTransform;Lsun/java2d/pipe/Region;Ljava/awt/BasicStroke;ZZ[I)Lsun/java2d/pipe/AATileGenerator;+160
        j sun.java2d.pipe.AAShapePipe.renderPath(Lsun/java2d/SunGraphics2D;Ljava/awt/Shape;Ljava/awt/BasicStroke;)V+71
        j sun.java2d.pipe.AAShapePipe.fill(Lsun/java2d/SunGraphics2D;Ljava/awt/Shape;)V+4
        j sun.java2d.pipe.PixelToParallelogramConverter.fill(Lsun/java2d/SunGraphics2D;Ljava/awt/Shape;)V+70
        j sun.java2d.SunGraphics2D.fill(Ljava/awt/Shape;)V+6
        j CrashNaNTest.main([Ljava/lang/String;)V+346
        v ~StubRoutines::call_stub
        V [libjvm.so+0x75ac08] JavaCalls::call_helper(JavaValue*, methodHandle const&, JavaCallArguments*, Thread*)+0x3f8
        V [libjvm.so+0xa60b40] invoke(instanceKlassHandle, methodHandle, Handle, bool, objArrayHandle, BasicType, objArrayHandle, bool, Thread*) [clone .isra.151]+0x610
        V [libjvm.so+0xa62bb3] Reflection::invoke_method(oopDesc*, Handle, objArrayHandle, Thread*)+0x133
        V [libjvm.so+0x7a6dd6] JVM_InvokeMethod+0x186
        j sun.reflect.NativeMethodAccessorImpl.invoke0(Ljava/lang/reflect/Method;Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;+0
        j sun.reflect.NativeMethodAccessorImpl.invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;+100
        j sun.reflect.DelegatingMethodAccessorImpl.invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;+6
        j java.lang.reflect.Method.invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;+56
        j com.sun.javatest.regtest.agent.MainWrapper$MainThread.run()V+162
        j java.lang.Thread.run()V+11
        v ~StubRoutines::call_stub
        V [libjvm.so+0x75ac08] JavaCalls::call_helper(JavaValue*, methodHandle const&, JavaCallArguments*, Thread*)+0x3f8
        V [libjvm.so+0x759655] JavaCalls::call_virtual(JavaValue*, Handle, KlassHandle, Symbol*, Symbol*, Thread*)+0x1a5
        V [libjvm.so+0x79c98e] thread_entry(JavaThread*, Thread*)+0x8e
        V [libjvm.so+0xb32ae8] JavaThread::thread_main_inner()+0xd8
        V [libjvm.so+0x9d33a2] java_start(Thread*)+0xc2
        C [libpthread.so.0+0x8182] start_thread+0xc2


        I reproduced that issue with this simple test class:
        public class CrashNaNTest {

            public static void main(String argv[]) {
                Locale.setDefault(Locale.US);

                final int width = 400;
                final int height = 400;

                final BufferedImage image = new BufferedImage(width, height,
                        BufferedImage.TYPE_INT_ARGB);

                final Graphics2D g2d = (Graphics2D) image.getGraphics();
                try {
                    g2d.setRenderingHint(RenderingHints.KEY_ANTIALIASING,
                            RenderingHints.VALUE_ANTIALIAS_ON);

                    g2d.setBackground(Color.WHITE);
                    g2d.clearRect(0, 0, width, height);

                    final Path2D.Double path = new Path2D.Double();
                    path.moveTo(30, 30);
                    path.lineTo(100, 100);
                    
                    for (int i = 0; i < 20000; i++) {
                        path.lineTo(110 + 0.01 * i, 110);
                        path.lineTo(111 + 0.01 * i, 100);
                    }
                    
                    path.lineTo(NaN, 200);
                    path.lineTo(200, 200);
                    path.lineTo(200, NaN);
                    path.lineTo(300, 300);
                    path.lineTo(NaN, NaN);
                    path.lineTo(100, 100);
                    path.closePath();

                    final Path2D.Double path2 = new Path2D.Double();
                    path2.moveTo(0,0);
                    path2.lineTo(width,height);
                    path2.lineTo(10, 10);
                    path2.closePath();
                    
                    // Paint:
                    final long start = System.nanoTime();
                    g2d.setColor(Color.BLUE);
                    g2d.fill(path);

                    g2d.fill(path2);

                    final long time = System.nanoTime() - start;
                    System.out.println("paint: duration= " + (1e-6 * time) + " ms.");

                } finally {
                    g2d.dispose();
                }
            }
        }

              lbourges Laurent Bourgès
              lbourges Laurent Bourgès
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: