United StatesChange Country, Oracle Worldwide Web Sites Communities I am a... I want to...
Bug ID: 6604900 D3D: incorrect error handling in CreateInstance() code
6604900 : D3D: incorrect error handling in CreateInstance() code

Details
Type:
Bug
Submit Date:
2007-09-14
Status:
Closed
Updated Date:
2010-10-14
Project Name:
JDK
Resolved Date:
2007-09-24
Component:
client-libs
OS:
windows_xp
Sub-Component:
2d
CPU:
x86
Priority:
P2
Resolution:
Fixed
Affected Versions:
6u5
Fixed Versions:
6u10

Related Reports

Sub Tasks

Description
Crashes possible because of incorrect handling of errors
in the pipeline initialization code.

Comments
SUGGESTED FIX

http://sa.sfbay.sun.com/projects/java2d_data/6u5/6604900.0
2007-09-19 
SUGGESTED FIX

In all these places change 'ppRet = NULL' to '*ppRet = NULL'
2007-09-14 
EVALUATION

There are several places where the following template
is used to create an instance of an object:
HRESULT Class::CreateInstance(Class **ppRet) {
    HRESULT res;
    *ppRet = new Class();
    if (FAILED(res = (*ppRet)->Init())) {
        delete *ppRet;
        ppRet = NULL;
    }
    return res;    
}
There's a bug here: in case of Init() failure the intention
was to set *ppRet to NULL. The current code doesn't clear
the *ppRet in case of failure, which could lead to a later
attempt to delete the return result of CreateInstance().

This could happen for example with D3DContext::CreateInstance():
if the creation of the device fails, we set pAdapters[i].pContext
to the return value of D3DContext::CreateInstance(), expecting
it to be NULL if CreateInstance() failed.
When the pipeline is shut down, we check if we need to
delete the context by checking pContext against NULL, and will
attempt to delete a garbage reference, leading to a crash.
2007-09-14


Hardware and Software, Engineered to Work Together