2 Replies Latest reply on Apr 21, 2010 7:13 PM by Nick Belaevski

    DisabledCalendarIcon uses dangerous ColorConvertOp (JVM crash)

    arjan tijms Novice

      DisabledCalendarIcon.java in at least RichFaces 3.3.1, 3.3.2 and the latest 3.3.3 uses the dangerous ColorConvertOp class, which is known for its ability to crash a JVM. It concerns this code fragment:

       

       

      protected BufferedImage paintImage(Object[] colors) {
          BufferedImage image = super.paintImage(colors);
          // Grayscale conversion: filter() ends up in the native sun.awt.color.CMM code seen in the crash log below
          image = new ColorConvertOp(ColorSpace.getInstance(ColorSpace.CS_GRAY), null).filter(image, null);
          return image;
      }
      

       

      On some machines, but not all, a call to e.g. http://localhost:8080/a4j/g/3_3_1.GAorg.richfaces.renderkit.html.iconimages.DisabledCalendarIcon/DATB/eAF79eoVw6znAA!XBEA_.jsf immediately and 100% reproducibly crashes the JVM:

       

       

      #
      # A fatal error has been detected by the Java Runtime Environment:
      #
      #  SIGSEGV (0xb) at pc=0x00007ff73ad5f628, pid=3035, tid=1194969424
      #
      # JRE version: 6.0_18-b07
      # Java VM: Java HotSpot(TM) 64-Bit Server VM (16.0-b13 mixed mode linux-amd64 compressed oops)
      # Problematic frame:
      # C  [libpthread.so.0+0x7628]  pthread_join+0x28
      #
      # If you would like to submit a bug report, please visit:
      #   http://java.sun.com/webapps/bugreport/crash.jsp
      # The crash happened outside the Java Virtual Machine in native code.
      # See problematic frame for where to report the bug.
      #
       
      ---------------  T H R E A D  ---------------
       
      Current thread (0x00007ff70ef30800):  JavaThread "ajp-0.0.0.0-8009-6" daemon [_thread_in_native, id=3183, stack(0x000000004729c000,0x000000004739d000)]
       
      siginfo:si_signo=SIGSEGV: si_errno=0, si_code=1 (SEGV_MAPERR), si_addr=0x000000004b59f9e0
       
      Stack: [0x000000004729c000,0x000000004739d000],  sp=0x0000000047398640,  free space=3f10000000000000018k
      Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
      C  [libpthread.so.0+0x7628]  pthread_join+0x28
       
      Java frames: (J=compiled Java code, j=interpreted, Vv=VM code)
      j  sun.awt.color.CMM.cmmColorConvert(JLsun/awt/color/CMMImageLayout;Lsun/awt/color/CMMImageLayout;)I+0
      j  sun.awt.color.ICC_Transform.colorConvert(Ljava/awt/image/BufferedImage;Ljava/awt/image/BufferedImage;)V+34
      j  java.awt.image.ColorConvertOp.ICCBIFilter(Ljava/awt/image/BufferedImage;Ljava/awt/color/ColorSpace;Ljava/awt/image/BufferedImage;Ljava/awt/color/ColorSpace;)Ljava/awt/image/BufferedImage;+228
      j  java.awt.image.ColorConvertOp.filter(Ljava/awt/image/BufferedImage;Ljava/awt/image/BufferedImage;)Ljava/awt/image/BufferedImage;+126
      j  org.richfaces.renderkit.html.iconimages.DisabledCalendarIcon.paintImage([Ljava/lang/Object;)Ljava/awt/image/BufferedImage;+22
      j  org.richfaces.renderkit.html.iconimages.CalendarIcon.paint(Lorg/ajax4jsf/resource/ResourceContext;Ljava/awt/Graphics2D;)V+25
      j  org.ajax4jsf.resource.Java2Dresource.getImage(Lorg/ajax4jsf/resource/ResourceContext;)Ljava/awt/image/RenderedImage;+61
      j  org.ajax4jsf.resource.Java2Dresource.send(Lorg/ajax4jsf/resource/ResourceContext;)V+11
      j  org.ajax4jsf.resource.ResourceLifecycle.sendResource(Lorg/ajax4jsf/resource/ResourceContext;Lorg/ajax4jsf/resource/InternetResource;)V+9
      j  org.ajax4jsf.resource.ResourceLifecycle.send(Lorg/ajax4jsf/resource/ResourceContext;Lorg/ajax4jsf/resource/InternetResource;)V+234
      j  org.ajax4jsf.resource.InternetResourceService.load(Ljava/lang/Object;Ljava/lang/Object;)Ljava/lang/Object;+21
      j  org.ajax4jsf.cache.LRUMapCache.load(Ljava/lang/Object;Ljava/lang/Object;)V+8
      j  org.ajax4jsf.cache.LRUMapCache.get(Ljava/lang/Object;Ljava/lang/Object;)Ljava/lang/Object;+111
      j  org.ajax4jsf.resource.InternetResourceService.serviceResource(Ljava/lang/String;Ljavax/servlet/http/HttpServletRequest;Ljavax/servlet/http/HttpServletResponse;)V+184
      j  org.ajax4jsf.resource.InternetResourceService.serviceResource(Ljavax/servlet/http/HttpServletRequest;Ljavax/servlet/http/HttpServletResponse;)Z+18
      j  org.ajax4jsf.webapp.BaseFilter.doFilter(Ljavax/servlet/ServletRequest;Ljavax/servlet/ServletResponse;Ljavax/servlet/FilterChain;)V+281
      j  org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Ljavax/servlet/ServletRequest;Ljavax/servlet/ServletResponse;)V+119
      j  org.apache.catalina.core.ApplicationFilterChain.doFilter(Ljavax/servlet/ServletRequest;Ljavax/servlet/ServletResponse;)V+101
      
      

       

      See Oracle bugs: http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6511593 and http://forums.sun.com/thread.jspa?threadID=5308704

       

      And this discussion on the Oracle forum: http://forums.sun.com/thread.jspa?threadID=5308704

       

      Maybe it's better not to use this method?
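
An added example, not part of the original post or the RichFaces code base: one way to produce a gray icon without `ColorConvertOp`, so the request never reaches the native `sun.awt.color.CMM` frame shown in the crash log. It assumes the source image uses the default sRGB color model; the class and method names are hypothetical, and the Rec. 601 luma weights give slightly different gray levels than the `CS_GRAY` conversion.

```java
import java.awt.image.BufferedImage;

/** Added example: grayscale conversion in plain Java, no ColorConvertOp. */
public final class PureJavaGray {

    private PureJavaGray() {}

    /**
     * Returns a grayscale copy of src and keeps per-pixel alpha.
     * Assumption: src uses the default sRGB color model
     * (e.g. TYPE_INT_ARGB or TYPE_INT_RGB), so getRGB() is simple arithmetic.
     */
    public static BufferedImage toGray(BufferedImage src) {
        int w = src.getWidth();
        int h = src.getHeight();
        BufferedImage dst = new BufferedImage(w, h, BufferedImage.TYPE_INT_ARGB);
        int[] row = new int[w];
        for (int y = 0; y < h; y++) {
            // Read one scanline as non-premultiplied ARGB.
            src.getRGB(0, y, w, 1, row, 0, w);
            for (int x = 0; x < w; x++) {
                int argb = row[x];
                int a = argb >>> 24;
                int r = (argb >> 16) & 0xFF;
                int g = (argb >> 8) & 0xFF;
                int b = argb & 0xFF;
                // Rec. 601 luma in integer arithmetic (weights sum to 1000), rounded.
                int luma = (299 * r + 587 * g + 114 * b + 500) / 1000;
                row[x] = (a << 24) | (luma << 16) | (luma << 8) | luma;
            }
            dst.setRGB(0, y, w, 1, row, 0, w);
        }
        return dst;
    }

    public static void main(String[] args) {
        // Constructed 2x1 sample: opaque red and half-transparent white.
        BufferedImage img = new BufferedImage(2, 1, BufferedImage.TYPE_INT_ARGB);
        img.setRGB(0, 0, 0xFFFF0000);
        img.setRGB(1, 0, 0x80FFFFFF);
        BufferedImage gray = toGray(img);
        System.out.printf("%08X %08X%n", gray.getRGB(0, 0), gray.getRGB(1, 0));
    }
}
```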