Bug ID: 5108694 XAWT: crash when displaying hw combobox popup on secondary screen (sol/lin)

5108694 : XAWT: crash when displaying hw combobox popup on secondary screen (sol/lin)

Details

Type:	Bug	Submit Date:	2004-09-29
Status:	Resolved	Updated Date:	2004-11-02
Project Name:	JDK	Resolved Date:	2004-10-25
Component:	client-libs	OS:	generic
Sub-Component:	java.awt	CPU:	generic
Priority:	P3
Resolution:	Fixed
Affected Versions:	6
Fixed Versions:	6

Related Reports

Backport:	JDK-2120517 - XAWT: crash when displaying hw combobox popup on secondary screen (sol/lin)
Backport:	JDK-2121072 - XAWT: crash when displaying hw combobox popup on secondary screen (sol/lin)
Relates:	JDK-6195711 - JCK15:api/java_awt/interactive/ComponentTests.html#ComponentTests componentTest0010 , rhas3, mustang
Relates:	JDK-5107634 - XAWT: crash when displaying hw combobox popup on secondary screen (sol/lin)
Relates:	JDK-5093198 - XAWT: Java crashes on window dispose/getLocationOnScreen

Sub Tasks

Description

Since it is impossible to reopen the bug(5107634), I filed this one as an absolute copy, see evaluation for reasons.

This is reproducible only on mulriscreen system 
(no xinerama), on linux and solaris, with XAWT toolkit only.
It's a regression since 1.4.2, reproducible in both tiger-b64 and mustang-b04.

Run SwingSet2. Create a SS frame on the secondary screen via Multiscreen 
menu, go to the Table Demo on the newly created SS frame.

Click the 'Color' cell on the last visible row on the bottom.
Note that the combobox doesn't appear. Click several more 
times and java crashes with the following stack trace
(full hs log is attached):
#
# An unexpected error has been detected by HotSpot Virtual Machine:
#
#  SIGSEGV (0xb) at pc=0x4dea3b09, pid=1793, tid=98317
#
# Java VM: Java HotSpot(TM) Client VM (1.6.0-ea-b05 mixed mode)
# Problematic frame:
# C  [libX11.so.6+0x25b09]  XScreenNumberOfScreen+0x9
#
# An error report file with more information is saved as hs_err_pid1793.log
#
# If you would like to submit a bug report, please visit:
#   http://java.sun.com/webapps/bugreport/crash.jsp
#
Aborted
Stack: [0x4e225000,0x4e2a5000),  sp=0x4e2a4024,  free space=508k
Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
C  [libX11.so.6+0x25b09]  XScreenNumberOfScreen+0x9
C  [libmawt.so+0xd7e7]  Java_sun_awt_X11_XlibWrapper_XScreenNumberOfScreen+0x77
j  sun.awt.X11.XlibWrapper.XScreenNumberOfScreen(J)J+0
j  sun.awt.X11.XBaseWindow.getScreenNumber()J+10
j  sun.awt.X11.XBaseWindow.toGlobal(II)Ljava/awt/Point;+11
j  sun.awt.X11.XWindow.getLocationOnScreen()Ljava/awt/Point;+93
j  java.awt.Component.getLocationOnScreen_NoTreeLock()Ljava/awt/Point;+86
j  java.awt.Component.getLocationOnScreen()Ljava/awt/Point;+8
J  javax.swing.SwingUtilities.convertPointFromScreen(Ljava/awt/Point;Ljava/awt/Component;)V
v  ~RuntimeStub::alignment_frame_return Runtime1 stub
j  javax.swing.SwingUtilities.convertPoint(Ljava/awt/Component;Ljava/awt/Point;Ljava/awt/Component;)Ljava/awt/Point;+72
j  javax.swing.plaf.basic.BasicComboPopup.convertMouseEvent(Ljava/awt/event/MouseEvent;)Ljava/awt/event/MouseEvent;+15
j  javax.swing.plaf.basic.BasicComboPopup$Handler.mouseDragged(Ljava/awt/event/MouseEvent;)V+30
j  java.awt.Component.processMouseMotionEvent(Ljava/awt/event/MouseEvent;)V+52
j  javax.swing.JComponent.processMouseMotionEvent(Ljava/awt/event/MouseEvent;)V+42
j  java.awt.Component.processEvent(Ljava/awt/AWTEvent;)V+92
j  java.awt.Container.processEvent(Ljava/awt/AWTEvent;)V+18
j  java.awt.Component.dispatchEventImpl(Ljava/awt/AWTEvent;)V+477
j  java.awt.Container.dispatchEventImpl(Ljava/awt/AWTEvent;)V+42
J  java.awt.LightweightDispatcher.retargetMouseEvent(Ljava/awt/Component;ILjava/awt/event/MouseEvent;)V
j  java.awt.LightweightDispatcher.processMouseEvent(Ljava/awt/event/MouseEvent;)Z+191
j  java.awt.LightweightDispatcher.dispatchEvent(Ljava/awt/AWTEvent;)Z+50
j  java.awt.Container.dispatchEventImpl(Ljava/awt/AWTEvent;)V+12
j  java.awt.Window.dispatchEventImpl(Ljava/awt/AWTEvent;)V+19
J  java.awt.EventQueue.dispatchEvent(Ljava/awt/AWTEvent;)V
J  java.awt.EventDispatchThread.pumpOneEventForHierarchy(ILjava/awt/Component;)Z

###@###.### 2004-09-27

###@###.### 2004-09-29
###@###.### 2004-09-29

Comments

SUGGESTED FIX

First change has no immediate relation to the fix: it is just should make code more robust.

in src/solaris/native/sun/xawt/XlibWrapper.c
*** 962,971 ****
--- 962,974 ----
   */
  JNIEXPORT jlong JNICALL Java_sun_awt_X11_XlibWrapper_XScreenNumberOfScreen
  (JNIEnv *env, jclass clazz, jlong screen) 
  {
      AWT_CHECK_HAVE_LOCK();   
+     if((Screen*)screen == NULL) {
+         return -1;
+     }    
      return XScreenNumberOfScreen((Screen*)screen);
  }
  
And this is the fix itself: just remove a clause 
src/solaris/classes/sun/awt/X11/XBaseWindow.java

*** 176,190 ****
          params.putIfNull(VALUE_MASK, new Long(XlibWrapper.CWEventMask));
          Rectangle bounds = (Rectangle)params.get(BOUNDS);
          bounds.width = Math.max(MIN_SIZE, bounds.width);
          bounds.height = Math.max(MIN_SIZE, bounds.height);
  
-         Boolean overrideRedirect = (Boolean)params.get(OVERRIDE_REDIRECT);
-         if (Boolean.TRUE.equals(overrideRedirect)) {
-             params.put(PARENT_WINDOW, new Long(XToolkit.getDefaultRootWindow()));
-         }
-         
          Long eventMaskObj = (Long)params.get(EVENT_MASK);
          long eventMask = eventMaskObj != null ? eventMaskObj.longValue() : 0;
          // We use our own synthetic grab see XAwtState.getGrabWindow()
          // (see X vol. 1, 8.3.3.2)
          eventMask |= PropertyChangeMask | OwnerGrabButtonMask;
--- 176,185 ----
###@###.### 10/15/04 10:54 GMT

2004-10-15

CONVERTED DATA

BugTraq+ Release Management Values

COMMIT TO FIX:
dragon
mustang

2004-09-30

EVALUATION

Per ###@###.### 's investigation, the bug is still reproducible even with the fix proposed in 5093198. The crash happen in XScreenNumberOfScreen, when screen parameter is 0. Documentation for XScreenNumberOfScreen doesn't deny 0 value, however, implementation of Xlib has this limitation - it uses the value passed as a pointer without NULL check. 
We must make sure that we don't pass NULL value to XScreenNumberOfScreen, as well as that we don't pass use this function with screen number instead of Screen*.
###@###.### 2004-09-29
###@###.### 2004-09-29

It crashes processing mouse motion, so the simplest way to reproduce it is to
find whichever cell doesn't show heavyweight popup, click there and move mouse a bit as if dragging. Crash is immediate even with Xnest on my Linux.

The reason of the crash is the setting as a parent window for popup (which is override-redirect) a default root window, not a second one.
###@###.### 10/13/04 13:25 GMT
###@###.### 10/15/04 13:57 GMT

4-10-13 00:00:00

SELECT A COUNTRY/REGION
Africa Operation Argentina Australia Austria Bahrain Bangladesh Belgium & Luxembourg Belize Bhutan Bolivia Bosnia & Herzegovina Brasil Brunei Bulgaria Cambodia Canada - English Canada - French Chile China Colombia	Costa Rica Croatia Cyprus Czech Republic Denmark Ecuador Egypt Estonia Finland France Germany Greece Guatemala Honduras Hong Kong Hungary India Indonesia Iraq Ireland	Israel Italy Japan Jordan Kazakhstan Korea Kuwait Laos Latvia Lebanon Lithuania Malaysia Maldives Malta Mexico Moldova Nepal Netherlands New Zealand Nicaragua	Norway Oman Pakistan Panama Paraguay Peru Philippines Poland Portugal Puerto Rico Qatar Romania Russia Saudi Arabia Serbia & Montenegro Singapore Slovakia Slovenia South Africa Spain	Sri Lanka Sweden Switzerland -- French Switzerland -- German Taiwan Thailand Turkey Ukraine United Arab Emirates United Kingdom United States Uruguay Venezuela Vietnam Yemen

Hardware and Software, Engineered to Work Together