You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@wicket.apache.org by "Roland Groen (JIRA)" <ji...@apache.org> on 2010/10/28 01:30:22 UTC
[jira] Created: (WICKET-3136) JVM 1.6 crash caused by
WicketObjectOutputStream, ClassStreamHandler, and Page.writePageObject
JVM 1.6 crash caused by WicketObjectOutputStream, ClassStreamHandler, and Page.writePageObject
-----------------------------------------------------------------------------------------------
Key: WICKET-3136
URL: https://issues.apache.org/jira/browse/WICKET-3136
Project: Wicket
Issue Type: Bug
Components: wicket
Affects Versions: 1.4.12
Environment: JVM 1.6.0_22, CentOS release 5.3 (Final) and Mac OS 10.6.4
Reporter: Roland Groen
The JVM 6u22 (1.6.0_22) crashes while clicking on a page in the wicket application. This is always the same page, but there are pages that function. When serializing a Page object with the pageMapName field set, a JVM 1.6 crashes on a segmentation fault. The error message is:
#
# A fatal error has been detected by the Java Runtime Environment:
#
# SIGSEGV (0xb) at pc=0xf44a859e, pid=3145, tid=2969234320
#
# JRE version: 6.0_22-b04
# Java VM: Java HotSpot(TM) Server VM (17.1-b03 mixed mode linux-x86 )
# Problematic frame:
# J org.apache.wicket.util.io.WicketObjectOutputStream$HandleTable.hash(Ljava/lang/Object;)I
#
# If you would like to submit a bug report, please visit:
# http://java.sun.com/webapps/bugreport/crash.jsp
#
What goes on (and it took some time to find it):
The WicketObjectOutputStream has a field wich is called classHandler. This classHandler is suppose to match the class of the curObject.
When Page.writePageObject is called AND the field Page.pageMapName is set, the method Page.writePageObject will call writeObject(pageMapName). This call will change the value of WicketObjectOutputStream.classHandler into the classHandler of java.lang.String somewhere in WicketObjectOutputStream.writeObjectOverride. What happens next is a true disaster. Though some abstractions (PageSerializer), the method WicketObjectOutputStream.defaultWriteObject will is called. This method states:
classHandler.writeFields(this, curObject);
and due to fact that classHandler is a class handler of java.lang.String and not the one of the curObject, an instance of FieldAndIndex belonging to String.value will be called with another object. This ends up at calling unsafe.getObject(object, index) (a native method) with the wrong object reference, something which is not a good idea with sun.misc.Unsafe. Every operation on the returned object will crash the JVM. Unfortunately the next in line to operate on the object is WicketObjectOutputStream.HandleTable.hash which also calls a native method called System.identityHashCode. This method is known for some JVM crashes, and has been attributed for the JVM crash for a while during the investigation into this JVM crash.
The solutions:
1) Do not use the WicketObjectOutputStream/WicketObjectStreamFactory. Works.
2) The method org.apache.wicket.Page.writePageObject(ObjectOutputStream) should not do a s.writeObject(pageMapName), but a s.writeUTF(pageMapName) instead. This way, the WicketObjectOutputStream.classHandler will not get the wrong value. org.apache.wicket.Page.readPageObject(ObjectInputStream) should be matched, of course.
3) WicketObjectOutputStream.defaultWriteObject() should update/get the right classHandler reference, just as WicketObjectOutputStream.writeObjectOverride(Object) does. You might even consider dropping the field entirely.
The last option seems the best to me, because calling a writeObject from writePageObject is not semantically incorrect, furthermore, there might be other instances of this.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (WICKET-3136) JVM 1.6 crash caused by
WicketObjectOutputStream, ClassStreamHandler, and Page.writePageObject
Posted by "Hudson (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WICKET-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12964473#action_12964473 ]
Hudson commented on WICKET-3136:
--------------------------------
Integrated in Apache Wicket 1.4.x #295 (See [https://hudson.apache.org/hudson/job/Apache%20Wicket%201.4.x/295/])
> JVM 1.6 crash caused by WicketObjectOutputStream, ClassStreamHandler, and Page.writePageObject
> -----------------------------------------------------------------------------------------------
>
> Key: WICKET-3136
> URL: https://issues.apache.org/jira/browse/WICKET-3136
> Project: Wicket
> Issue Type: Bug
> Components: wicket
> Affects Versions: 1.4.12
> Environment: JVM 1.6.0_22, CentOS release 5.3 (Final) and Mac OS 10.6.4
> Reporter: Roland Groen
> Assignee: Johan Compagner
> Fix For: 1.4.14
>
> Attachments: fix-test-WICKET-3136.patch, hs_err_pid3145.log, test-WICKET-3136.patch
>
>
> The JVM 6u22 (1.6.0_22) crashes while clicking on a page in the wicket application. This is always the same page, but there are pages that function. When serializing a Page object with the pageMapName field set, a JVM 1.6 crashes on a segmentation fault. The error message is:
> #
> # A fatal error has been detected by the Java Runtime Environment:
> #
> # SIGSEGV (0xb) at pc=0xf44a859e, pid=3145, tid=2969234320
> #
> # JRE version: 6.0_22-b04
> # Java VM: Java HotSpot(TM) Server VM (17.1-b03 mixed mode linux-x86 )
> # Problematic frame:
> # J org.apache.wicket.util.io.WicketObjectOutputStream$HandleTable.hash(Ljava/lang/Object;)I
> #
> # If you would like to submit a bug report, please visit:
> # http://java.sun.com/webapps/bugreport/crash.jsp
> #
> What goes on (and it took some time to find it):
> The WicketObjectOutputStream has a field wich is called classHandler. This classHandler is suppose to match the class of the curObject.
> When Page.writePageObject is called AND the field Page.pageMapName is set, the method Page.writePageObject will call writeObject(pageMapName). This call will change the value of WicketObjectOutputStream.classHandler into the classHandler of java.lang.String somewhere in WicketObjectOutputStream.writeObjectOverride. What happens next is a true disaster. Though some abstractions (PageSerializer), the method WicketObjectOutputStream.defaultWriteObject will is called. This method states:
> classHandler.writeFields(this, curObject);
> and due to fact that classHandler is a class handler of java.lang.String and not the one of the curObject, an instance of FieldAndIndex belonging to String.value will be called with another object. This ends up at calling unsafe.getObject(object, index) (a native method) with the wrong object reference, something which is not a good idea with sun.misc.Unsafe. Every operation on the returned object will crash the JVM. Unfortunately the next in line to operate on the object is WicketObjectOutputStream.HandleTable.hash which also calls a native method called System.identityHashCode. This method is known for some JVM crashes, and has been attributed for the JVM crash for a while during the investigation into this JVM crash.
> The solutions:
> 1) Do not use the WicketObjectOutputStream/WicketObjectStreamFactory. Works.
> 2) The method org.apache.wicket.Page.writePageObject(ObjectOutputStream) should not do a s.writeObject(pageMapName), but a s.writeUTF(pageMapName) instead. This way, the WicketObjectOutputStream.classHandler will not get the wrong value. org.apache.wicket.Page.readPageObject(ObjectInputStream) should be matched, of course.
> 3) WicketObjectOutputStream.defaultWriteObject() should update/get the right classHandler reference, just as WicketObjectOutputStream.writeObjectOverride(Object) does. You might even consider dropping the field entirely.
> The last option seems the best to me, because calling a writeObject from writePageObject is not semantically incorrect, furthermore, there might be other instances of this.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (WICKET-3136) JVM 1.6 crash caused by
WicketObjectOutputStream, ClassStreamHandler, and Page.writePageObject
Posted by "Pedro Santos (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WICKET-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Pedro Santos updated WICKET-3136:
---------------------------------
Attachment: fix-test-WICKET-3136.patch
Using an stack to make sure that the WicketObjectOutputStream has the correct ClassStreamHandler on each defaultWriteObject call at the method invocations stack, and asserting the class equlity at the test case.
I still want to write some javadoc about, but I'm sending what I got now to share was is going on here.
> JVM 1.6 crash caused by WicketObjectOutputStream, ClassStreamHandler, and Page.writePageObject
> -----------------------------------------------------------------------------------------------
>
> Key: WICKET-3136
> URL: https://issues.apache.org/jira/browse/WICKET-3136
> Project: Wicket
> Issue Type: Bug
> Components: wicket
> Affects Versions: 1.4.12
> Environment: JVM 1.6.0_22, CentOS release 5.3 (Final) and Mac OS 10.6.4
> Reporter: Roland Groen
> Assignee: Johan Compagner
> Fix For: 1.4.14, 1.5-M4
>
> Attachments: fix-test-WICKET-3136.patch, hs_err_pid3145.log, test-WICKET-3136.patch
>
>
> The JVM 6u22 (1.6.0_22) crashes while clicking on a page in the wicket application. This is always the same page, but there are pages that function. When serializing a Page object with the pageMapName field set, a JVM 1.6 crashes on a segmentation fault. The error message is:
> #
> # A fatal error has been detected by the Java Runtime Environment:
> #
> # SIGSEGV (0xb) at pc=0xf44a859e, pid=3145, tid=2969234320
> #
> # JRE version: 6.0_22-b04
> # Java VM: Java HotSpot(TM) Server VM (17.1-b03 mixed mode linux-x86 )
> # Problematic frame:
> # J org.apache.wicket.util.io.WicketObjectOutputStream$HandleTable.hash(Ljava/lang/Object;)I
> #
> # If you would like to submit a bug report, please visit:
> # http://java.sun.com/webapps/bugreport/crash.jsp
> #
> What goes on (and it took some time to find it):
> The WicketObjectOutputStream has a field wich is called classHandler. This classHandler is suppose to match the class of the curObject.
> When Page.writePageObject is called AND the field Page.pageMapName is set, the method Page.writePageObject will call writeObject(pageMapName). This call will change the value of WicketObjectOutputStream.classHandler into the classHandler of java.lang.String somewhere in WicketObjectOutputStream.writeObjectOverride. What happens next is a true disaster. Though some abstractions (PageSerializer), the method WicketObjectOutputStream.defaultWriteObject will is called. This method states:
> classHandler.writeFields(this, curObject);
> and due to fact that classHandler is a class handler of java.lang.String and not the one of the curObject, an instance of FieldAndIndex belonging to String.value will be called with another object. This ends up at calling unsafe.getObject(object, index) (a native method) with the wrong object reference, something which is not a good idea with sun.misc.Unsafe. Every operation on the returned object will crash the JVM. Unfortunately the next in line to operate on the object is WicketObjectOutputStream.HandleTable.hash which also calls a native method called System.identityHashCode. This method is known for some JVM crashes, and has been attributed for the JVM crash for a while during the investigation into this JVM crash.
> The solutions:
> 1) Do not use the WicketObjectOutputStream/WicketObjectStreamFactory. Works.
> 2) The method org.apache.wicket.Page.writePageObject(ObjectOutputStream) should not do a s.writeObject(pageMapName), but a s.writeUTF(pageMapName) instead. This way, the WicketObjectOutputStream.classHandler will not get the wrong value. org.apache.wicket.Page.readPageObject(ObjectInputStream) should be matched, of course.
> 3) WicketObjectOutputStream.defaultWriteObject() should update/get the right classHandler reference, just as WicketObjectOutputStream.writeObjectOverride(Object) does. You might even consider dropping the field entirely.
> The last option seems the best to me, because calling a writeObject from writePageObject is not semantically incorrect, furthermore, there might be other instances of this.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (WICKET-3136) JVM 1.6 crash caused by
WicketObjectOutputStream, ClassStreamHandler, and Page.writePageObject
Posted by "Jeremy Thomerson (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WICKET-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jeremy Thomerson updated WICKET-3136:
-------------------------------------
Fix Version/s: (was: 1.4.14)
1.4.15
changing fix version to 1.4.15 since this was committed in 1.4.x branch after 1.4.14 was cut. it was also ported to the 1.4.14 branch, but should not have been since that was a release branch that was already cut. it was overwritten to preserve the accuracy of 1.4.14 svn history
> JVM 1.6 crash caused by WicketObjectOutputStream, ClassStreamHandler, and Page.writePageObject
> -----------------------------------------------------------------------------------------------
>
> Key: WICKET-3136
> URL: https://issues.apache.org/jira/browse/WICKET-3136
> Project: Wicket
> Issue Type: Bug
> Components: wicket
> Affects Versions: 1.4.12
> Environment: JVM 1.6.0_22, CentOS release 5.3 (Final) and Mac OS 10.6.4
> Reporter: Roland Groen
> Assignee: Johan Compagner
> Fix For: 1.4.15
>
> Attachments: fix-test-WICKET-3136.patch, hs_err_pid3145.log, test-WICKET-3136.patch
>
>
> The JVM 6u22 (1.6.0_22) crashes while clicking on a page in the wicket application. This is always the same page, but there are pages that function. When serializing a Page object with the pageMapName field set, a JVM 1.6 crashes on a segmentation fault. The error message is:
> #
> # A fatal error has been detected by the Java Runtime Environment:
> #
> # SIGSEGV (0xb) at pc=0xf44a859e, pid=3145, tid=2969234320
> #
> # JRE version: 6.0_22-b04
> # Java VM: Java HotSpot(TM) Server VM (17.1-b03 mixed mode linux-x86 )
> # Problematic frame:
> # J org.apache.wicket.util.io.WicketObjectOutputStream$HandleTable.hash(Ljava/lang/Object;)I
> #
> # If you would like to submit a bug report, please visit:
> # http://java.sun.com/webapps/bugreport/crash.jsp
> #
> What goes on (and it took some time to find it):
> The WicketObjectOutputStream has a field wich is called classHandler. This classHandler is suppose to match the class of the curObject.
> When Page.writePageObject is called AND the field Page.pageMapName is set, the method Page.writePageObject will call writeObject(pageMapName). This call will change the value of WicketObjectOutputStream.classHandler into the classHandler of java.lang.String somewhere in WicketObjectOutputStream.writeObjectOverride. What happens next is a true disaster. Though some abstractions (PageSerializer), the method WicketObjectOutputStream.defaultWriteObject will is called. This method states:
> classHandler.writeFields(this, curObject);
> and due to fact that classHandler is a class handler of java.lang.String and not the one of the curObject, an instance of FieldAndIndex belonging to String.value will be called with another object. This ends up at calling unsafe.getObject(object, index) (a native method) with the wrong object reference, something which is not a good idea with sun.misc.Unsafe. Every operation on the returned object will crash the JVM. Unfortunately the next in line to operate on the object is WicketObjectOutputStream.HandleTable.hash which also calls a native method called System.identityHashCode. This method is known for some JVM crashes, and has been attributed for the JVM crash for a while during the investigation into this JVM crash.
> The solutions:
> 1) Do not use the WicketObjectOutputStream/WicketObjectStreamFactory. Works.
> 2) The method org.apache.wicket.Page.writePageObject(ObjectOutputStream) should not do a s.writeObject(pageMapName), but a s.writeUTF(pageMapName) instead. This way, the WicketObjectOutputStream.classHandler will not get the wrong value. org.apache.wicket.Page.readPageObject(ObjectInputStream) should be matched, of course.
> 3) WicketObjectOutputStream.defaultWriteObject() should update/get the right classHandler reference, just as WicketObjectOutputStream.writeObjectOverride(Object) does. You might even consider dropping the field entirely.
> The last option seems the best to me, because calling a writeObject from writePageObject is not semantically incorrect, furthermore, there might be other instances of this.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Closed: (WICKET-3136) JVM 1.6 crash caused by
WicketObjectOutputStream, ClassStreamHandler, and Page.writePageObject
Posted by "Pedro Santos (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WICKET-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Pedro Santos closed WICKET-3136.
--------------------------------
Resolution: Fixed
Fix Version/s: (was: 1.5-M4)
> JVM 1.6 crash caused by WicketObjectOutputStream, ClassStreamHandler, and Page.writePageObject
> -----------------------------------------------------------------------------------------------
>
> Key: WICKET-3136
> URL: https://issues.apache.org/jira/browse/WICKET-3136
> Project: Wicket
> Issue Type: Bug
> Components: wicket
> Affects Versions: 1.4.12
> Environment: JVM 1.6.0_22, CentOS release 5.3 (Final) and Mac OS 10.6.4
> Reporter: Roland Groen
> Assignee: Johan Compagner
> Fix For: 1.4.14
>
> Attachments: fix-test-WICKET-3136.patch, hs_err_pid3145.log, test-WICKET-3136.patch
>
>
> The JVM 6u22 (1.6.0_22) crashes while clicking on a page in the wicket application. This is always the same page, but there are pages that function. When serializing a Page object with the pageMapName field set, a JVM 1.6 crashes on a segmentation fault. The error message is:
> #
> # A fatal error has been detected by the Java Runtime Environment:
> #
> # SIGSEGV (0xb) at pc=0xf44a859e, pid=3145, tid=2969234320
> #
> # JRE version: 6.0_22-b04
> # Java VM: Java HotSpot(TM) Server VM (17.1-b03 mixed mode linux-x86 )
> # Problematic frame:
> # J org.apache.wicket.util.io.WicketObjectOutputStream$HandleTable.hash(Ljava/lang/Object;)I
> #
> # If you would like to submit a bug report, please visit:
> # http://java.sun.com/webapps/bugreport/crash.jsp
> #
> What goes on (and it took some time to find it):
> The WicketObjectOutputStream has a field wich is called classHandler. This classHandler is suppose to match the class of the curObject.
> When Page.writePageObject is called AND the field Page.pageMapName is set, the method Page.writePageObject will call writeObject(pageMapName). This call will change the value of WicketObjectOutputStream.classHandler into the classHandler of java.lang.String somewhere in WicketObjectOutputStream.writeObjectOverride. What happens next is a true disaster. Though some abstractions (PageSerializer), the method WicketObjectOutputStream.defaultWriteObject will is called. This method states:
> classHandler.writeFields(this, curObject);
> and due to fact that classHandler is a class handler of java.lang.String and not the one of the curObject, an instance of FieldAndIndex belonging to String.value will be called with another object. This ends up at calling unsafe.getObject(object, index) (a native method) with the wrong object reference, something which is not a good idea with sun.misc.Unsafe. Every operation on the returned object will crash the JVM. Unfortunately the next in line to operate on the object is WicketObjectOutputStream.HandleTable.hash which also calls a native method called System.identityHashCode. This method is known for some JVM crashes, and has been attributed for the JVM crash for a while during the investigation into this JVM crash.
> The solutions:
> 1) Do not use the WicketObjectOutputStream/WicketObjectStreamFactory. Works.
> 2) The method org.apache.wicket.Page.writePageObject(ObjectOutputStream) should not do a s.writeObject(pageMapName), but a s.writeUTF(pageMapName) instead. This way, the WicketObjectOutputStream.classHandler will not get the wrong value. org.apache.wicket.Page.readPageObject(ObjectInputStream) should be matched, of course.
> 3) WicketObjectOutputStream.defaultWriteObject() should update/get the right classHandler reference, just as WicketObjectOutputStream.writeObjectOverride(Object) does. You might even consider dropping the field entirely.
> The last option seems the best to me, because calling a writeObject from writePageObject is not semantically incorrect, furthermore, there might be other instances of this.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (WICKET-3136) JVM 1.6 crash caused by
WicketObjectOutputStream, ClassStreamHandler, and Page.writePageObject
Posted by "Johan Compagner (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WICKET-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12935322#action_12935322 ]
Johan Compagner commented on WICKET-3136:
-----------------------------------------
that would mean api break
i would say @deprecate
and remove in 1.5
> JVM 1.6 crash caused by WicketObjectOutputStream, ClassStreamHandler, and Page.writePageObject
> -----------------------------------------------------------------------------------------------
>
> Key: WICKET-3136
> URL: https://issues.apache.org/jira/browse/WICKET-3136
> Project: Wicket
> Issue Type: Bug
> Components: wicket
> Affects Versions: 1.4.12
> Environment: JVM 1.6.0_22, CentOS release 5.3 (Final) and Mac OS 10.6.4
> Reporter: Roland Groen
> Assignee: Johan Compagner
> Fix For: 1.4.14, 1.5-M4
>
> Attachments: fix-test-WICKET-3136.patch, hs_err_pid3145.log, test-WICKET-3136.patch
>
>
> The JVM 6u22 (1.6.0_22) crashes while clicking on a page in the wicket application. This is always the same page, but there are pages that function. When serializing a Page object with the pageMapName field set, a JVM 1.6 crashes on a segmentation fault. The error message is:
> #
> # A fatal error has been detected by the Java Runtime Environment:
> #
> # SIGSEGV (0xb) at pc=0xf44a859e, pid=3145, tid=2969234320
> #
> # JRE version: 6.0_22-b04
> # Java VM: Java HotSpot(TM) Server VM (17.1-b03 mixed mode linux-x86 )
> # Problematic frame:
> # J org.apache.wicket.util.io.WicketObjectOutputStream$HandleTable.hash(Ljava/lang/Object;)I
> #
> # If you would like to submit a bug report, please visit:
> # http://java.sun.com/webapps/bugreport/crash.jsp
> #
> What goes on (and it took some time to find it):
> The WicketObjectOutputStream has a field wich is called classHandler. This classHandler is suppose to match the class of the curObject.
> When Page.writePageObject is called AND the field Page.pageMapName is set, the method Page.writePageObject will call writeObject(pageMapName). This call will change the value of WicketObjectOutputStream.classHandler into the classHandler of java.lang.String somewhere in WicketObjectOutputStream.writeObjectOverride. What happens next is a true disaster. Though some abstractions (PageSerializer), the method WicketObjectOutputStream.defaultWriteObject will is called. This method states:
> classHandler.writeFields(this, curObject);
> and due to fact that classHandler is a class handler of java.lang.String and not the one of the curObject, an instance of FieldAndIndex belonging to String.value will be called with another object. This ends up at calling unsafe.getObject(object, index) (a native method) with the wrong object reference, something which is not a good idea with sun.misc.Unsafe. Every operation on the returned object will crash the JVM. Unfortunately the next in line to operate on the object is WicketObjectOutputStream.HandleTable.hash which also calls a native method called System.identityHashCode. This method is known for some JVM crashes, and has been attributed for the JVM crash for a while during the investigation into this JVM crash.
> The solutions:
> 1) Do not use the WicketObjectOutputStream/WicketObjectStreamFactory. Works.
> 2) The method org.apache.wicket.Page.writePageObject(ObjectOutputStream) should not do a s.writeObject(pageMapName), but a s.writeUTF(pageMapName) instead. This way, the WicketObjectOutputStream.classHandler will not get the wrong value. org.apache.wicket.Page.readPageObject(ObjectInputStream) should be matched, of course.
> 3) WicketObjectOutputStream.defaultWriteObject() should update/get the right classHandler reference, just as WicketObjectOutputStream.writeObjectOverride(Object) does. You might even consider dropping the field entirely.
> The last option seems the best to me, because calling a writeObject from writePageObject is not semantically incorrect, furthermore, there might be other instances of this.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (WICKET-3136) JVM 1.6 crash caused by
WicketObjectOutputStream, ClassStreamHandler, and Page.writePageObject
Posted by "Igor Vaynberg (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WICKET-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Igor Vaynberg updated WICKET-3136:
----------------------------------
Fix Version/s: 1.5-M4
1.4.14
> JVM 1.6 crash caused by WicketObjectOutputStream, ClassStreamHandler, and Page.writePageObject
> -----------------------------------------------------------------------------------------------
>
> Key: WICKET-3136
> URL: https://issues.apache.org/jira/browse/WICKET-3136
> Project: Wicket
> Issue Type: Bug
> Components: wicket
> Affects Versions: 1.4.12
> Environment: JVM 1.6.0_22, CentOS release 5.3 (Final) and Mac OS 10.6.4
> Reporter: Roland Groen
> Fix For: 1.4.14, 1.5-M4
>
> Attachments: hs_err_pid3145.log
>
>
> The JVM 6u22 (1.6.0_22) crashes while clicking on a page in the wicket application. This is always the same page, but there are pages that function. When serializing a Page object with the pageMapName field set, a JVM 1.6 crashes on a segmentation fault. The error message is:
> #
> # A fatal error has been detected by the Java Runtime Environment:
> #
> # SIGSEGV (0xb) at pc=0xf44a859e, pid=3145, tid=2969234320
> #
> # JRE version: 6.0_22-b04
> # Java VM: Java HotSpot(TM) Server VM (17.1-b03 mixed mode linux-x86 )
> # Problematic frame:
> # J org.apache.wicket.util.io.WicketObjectOutputStream$HandleTable.hash(Ljava/lang/Object;)I
> #
> # If you would like to submit a bug report, please visit:
> # http://java.sun.com/webapps/bugreport/crash.jsp
> #
> What goes on (and it took some time to find it):
> The WicketObjectOutputStream has a field wich is called classHandler. This classHandler is suppose to match the class of the curObject.
> When Page.writePageObject is called AND the field Page.pageMapName is set, the method Page.writePageObject will call writeObject(pageMapName). This call will change the value of WicketObjectOutputStream.classHandler into the classHandler of java.lang.String somewhere in WicketObjectOutputStream.writeObjectOverride. What happens next is a true disaster. Though some abstractions (PageSerializer), the method WicketObjectOutputStream.defaultWriteObject will is called. This method states:
> classHandler.writeFields(this, curObject);
> and due to fact that classHandler is a class handler of java.lang.String and not the one of the curObject, an instance of FieldAndIndex belonging to String.value will be called with another object. This ends up at calling unsafe.getObject(object, index) (a native method) with the wrong object reference, something which is not a good idea with sun.misc.Unsafe. Every operation on the returned object will crash the JVM. Unfortunately the next in line to operate on the object is WicketObjectOutputStream.HandleTable.hash which also calls a native method called System.identityHashCode. This method is known for some JVM crashes, and has been attributed for the JVM crash for a while during the investigation into this JVM crash.
> The solutions:
> 1) Do not use the WicketObjectOutputStream/WicketObjectStreamFactory. Works.
> 2) The method org.apache.wicket.Page.writePageObject(ObjectOutputStream) should not do a s.writeObject(pageMapName), but a s.writeUTF(pageMapName) instead. This way, the WicketObjectOutputStream.classHandler will not get the wrong value. org.apache.wicket.Page.readPageObject(ObjectInputStream) should be matched, of course.
> 3) WicketObjectOutputStream.defaultWriteObject() should update/get the right classHandler reference, just as WicketObjectOutputStream.writeObjectOverride(Object) does. You might even consider dropping the field entirely.
> The last option seems the best to me, because calling a writeObject from writePageObject is not semantically incorrect, furthermore, there might be other instances of this.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (WICKET-3136) JVM 1.6 crash caused by
WicketObjectOutputStream, ClassStreamHandler, and Page.writePageObject
Posted by "Johan Compagner (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WICKET-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12934250#action_12934250 ]
Johan Compagner commented on WICKET-3136:
-----------------------------------------
my vote is more to remove WicketObject in and output streams
We tried it to optimize it. But the problem is that all kinds of hacks and hooks and special threat meant are in the core of java for this
So that we will be constantly updating and fixing problems for specific releases (and that is some times hard because of compile dependencies...)
I think if we need some kind of special wicket serialization we should not use object output stream but have our own completely stand alone implementation (how does terracotta do it?)
> JVM 1.6 crash caused by WicketObjectOutputStream, ClassStreamHandler, and Page.writePageObject
> -----------------------------------------------------------------------------------------------
>
> Key: WICKET-3136
> URL: https://issues.apache.org/jira/browse/WICKET-3136
> Project: Wicket
> Issue Type: Bug
> Components: wicket
> Affects Versions: 1.4.12
> Environment: JVM 1.6.0_22, CentOS release 5.3 (Final) and Mac OS 10.6.4
> Reporter: Roland Groen
> Assignee: Johan Compagner
> Fix For: 1.4.14, 1.5-M4
>
> Attachments: fix-test-WICKET-3136.patch, hs_err_pid3145.log, test-WICKET-3136.patch
>
>
> The JVM 6u22 (1.6.0_22) crashes while clicking on a page in the wicket application. This is always the same page, but there are pages that function. When serializing a Page object with the pageMapName field set, a JVM 1.6 crashes on a segmentation fault. The error message is:
> #
> # A fatal error has been detected by the Java Runtime Environment:
> #
> # SIGSEGV (0xb) at pc=0xf44a859e, pid=3145, tid=2969234320
> #
> # JRE version: 6.0_22-b04
> # Java VM: Java HotSpot(TM) Server VM (17.1-b03 mixed mode linux-x86 )
> # Problematic frame:
> # J org.apache.wicket.util.io.WicketObjectOutputStream$HandleTable.hash(Ljava/lang/Object;)I
> #
> # If you would like to submit a bug report, please visit:
> # http://java.sun.com/webapps/bugreport/crash.jsp
> #
> What goes on (and it took some time to find it):
> The WicketObjectOutputStream has a field wich is called classHandler. This classHandler is suppose to match the class of the curObject.
> When Page.writePageObject is called AND the field Page.pageMapName is set, the method Page.writePageObject will call writeObject(pageMapName). This call will change the value of WicketObjectOutputStream.classHandler into the classHandler of java.lang.String somewhere in WicketObjectOutputStream.writeObjectOverride. What happens next is a true disaster. Though some abstractions (PageSerializer), the method WicketObjectOutputStream.defaultWriteObject will is called. This method states:
> classHandler.writeFields(this, curObject);
> and due to fact that classHandler is a class handler of java.lang.String and not the one of the curObject, an instance of FieldAndIndex belonging to String.value will be called with another object. This ends up at calling unsafe.getObject(object, index) (a native method) with the wrong object reference, something which is not a good idea with sun.misc.Unsafe. Every operation on the returned object will crash the JVM. Unfortunately the next in line to operate on the object is WicketObjectOutputStream.HandleTable.hash which also calls a native method called System.identityHashCode. This method is known for some JVM crashes, and has been attributed for the JVM crash for a while during the investigation into this JVM crash.
> The solutions:
> 1) Do not use the WicketObjectOutputStream/WicketObjectStreamFactory. Works.
> 2) The method org.apache.wicket.Page.writePageObject(ObjectOutputStream) should not do a s.writeObject(pageMapName), but a s.writeUTF(pageMapName) instead. This way, the WicketObjectOutputStream.classHandler will not get the wrong value. org.apache.wicket.Page.readPageObject(ObjectInputStream) should be matched, of course.
> 3) WicketObjectOutputStream.defaultWriteObject() should update/get the right classHandler reference, just as WicketObjectOutputStream.writeObjectOverride(Object) does. You might even consider dropping the field entirely.
> The last option seems the best to me, because calling a writeObject from writePageObject is not semantically incorrect, furthermore, there might be other instances of this.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Assigned: (WICKET-3136) JVM 1.6 crash caused by
WicketObjectOutputStream, ClassStreamHandler, and Page.writePageObject
Posted by "Martin Grigorov (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WICKET-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Martin Grigorov reassigned WICKET-3136:
---------------------------------------
Assignee: Johan Compagner
Johan, can you take a look at the suggested solutions and comment on them.
I believe you are the expert in the area.
> JVM 1.6 crash caused by WicketObjectOutputStream, ClassStreamHandler, and Page.writePageObject
> -----------------------------------------------------------------------------------------------
>
> Key: WICKET-3136
> URL: https://issues.apache.org/jira/browse/WICKET-3136
> Project: Wicket
> Issue Type: Bug
> Components: wicket
> Affects Versions: 1.4.12
> Environment: JVM 1.6.0_22, CentOS release 5.3 (Final) and Mac OS 10.6.4
> Reporter: Roland Groen
> Assignee: Johan Compagner
> Fix For: 1.4.14, 1.5-M4
>
> Attachments: hs_err_pid3145.log
>
>
> The JVM 6u22 (1.6.0_22) crashes while clicking on a page in the wicket application. This is always the same page, but there are pages that function. When serializing a Page object with the pageMapName field set, a JVM 1.6 crashes on a segmentation fault. The error message is:
> #
> # A fatal error has been detected by the Java Runtime Environment:
> #
> # SIGSEGV (0xb) at pc=0xf44a859e, pid=3145, tid=2969234320
> #
> # JRE version: 6.0_22-b04
> # Java VM: Java HotSpot(TM) Server VM (17.1-b03 mixed mode linux-x86 )
> # Problematic frame:
> # J org.apache.wicket.util.io.WicketObjectOutputStream$HandleTable.hash(Ljava/lang/Object;)I
> #
> # If you would like to submit a bug report, please visit:
> # http://java.sun.com/webapps/bugreport/crash.jsp
> #
> What goes on (and it took some time to find it):
> The WicketObjectOutputStream has a field wich is called classHandler. This classHandler is suppose to match the class of the curObject.
> When Page.writePageObject is called AND the field Page.pageMapName is set, the method Page.writePageObject will call writeObject(pageMapName). This call will change the value of WicketObjectOutputStream.classHandler into the classHandler of java.lang.String somewhere in WicketObjectOutputStream.writeObjectOverride. What happens next is a true disaster. Though some abstractions (PageSerializer), the method WicketObjectOutputStream.defaultWriteObject will is called. This method states:
> classHandler.writeFields(this, curObject);
> and due to fact that classHandler is a class handler of java.lang.String and not the one of the curObject, an instance of FieldAndIndex belonging to String.value will be called with another object. This ends up at calling unsafe.getObject(object, index) (a native method) with the wrong object reference, something which is not a good idea with sun.misc.Unsafe. Every operation on the returned object will crash the JVM. Unfortunately the next in line to operate on the object is WicketObjectOutputStream.HandleTable.hash which also calls a native method called System.identityHashCode. This method is known for some JVM crashes, and has been attributed for the JVM crash for a while during the investigation into this JVM crash.
> The solutions:
> 1) Do not use the WicketObjectOutputStream/WicketObjectStreamFactory. Works.
> 2) The method org.apache.wicket.Page.writePageObject(ObjectOutputStream) should not do a s.writeObject(pageMapName), but a s.writeUTF(pageMapName) instead. This way, the WicketObjectOutputStream.classHandler will not get the wrong value. org.apache.wicket.Page.readPageObject(ObjectInputStream) should be matched, of course.
> 3) WicketObjectOutputStream.defaultWriteObject() should update/get the right classHandler reference, just as WicketObjectOutputStream.writeObjectOverride(Object) does. You might even consider dropping the field entirely.
> The last option seems the best to me, because calling a writeObject from writePageObject is not semantically incorrect, furthermore, there might be other instances of this.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (WICKET-3136) JVM 1.6 crash caused by
WicketObjectOutputStream, ClassStreamHandler, and Page.writePageObject
Posted by "Roland Groen (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WICKET-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Roland Groen updated WICKET-3136:
---------------------------------
Attachment: hs_err_pid3145.log
Attaching the JVM crash log.
> JVM 1.6 crash caused by WicketObjectOutputStream, ClassStreamHandler, and Page.writePageObject
> -----------------------------------------------------------------------------------------------
>
> Key: WICKET-3136
> URL: https://issues.apache.org/jira/browse/WICKET-3136
> Project: Wicket
> Issue Type: Bug
> Components: wicket
> Affects Versions: 1.4.12
> Environment: JVM 1.6.0_22, CentOS release 5.3 (Final) and Mac OS 10.6.4
> Reporter: Roland Groen
> Attachments: hs_err_pid3145.log
>
>
> The JVM 6u22 (1.6.0_22) crashes while clicking on a page in the wicket application. This is always the same page, but there are pages that function. When serializing a Page object with the pageMapName field set, a JVM 1.6 crashes on a segmentation fault. The error message is:
> #
> # A fatal error has been detected by the Java Runtime Environment:
> #
> # SIGSEGV (0xb) at pc=0xf44a859e, pid=3145, tid=2969234320
> #
> # JRE version: 6.0_22-b04
> # Java VM: Java HotSpot(TM) Server VM (17.1-b03 mixed mode linux-x86 )
> # Problematic frame:
> # J org.apache.wicket.util.io.WicketObjectOutputStream$HandleTable.hash(Ljava/lang/Object;)I
> #
> # If you would like to submit a bug report, please visit:
> # http://java.sun.com/webapps/bugreport/crash.jsp
> #
> What goes on (and it took some time to find it):
> The WicketObjectOutputStream has a field wich is called classHandler. This classHandler is suppose to match the class of the curObject.
> When Page.writePageObject is called AND the field Page.pageMapName is set, the method Page.writePageObject will call writeObject(pageMapName). This call will change the value of WicketObjectOutputStream.classHandler into the classHandler of java.lang.String somewhere in WicketObjectOutputStream.writeObjectOverride. What happens next is a true disaster. Though some abstractions (PageSerializer), the method WicketObjectOutputStream.defaultWriteObject will is called. This method states:
> classHandler.writeFields(this, curObject);
> and due to fact that classHandler is a class handler of java.lang.String and not the one of the curObject, an instance of FieldAndIndex belonging to String.value will be called with another object. This ends up at calling unsafe.getObject(object, index) (a native method) with the wrong object reference, something which is not a good idea with sun.misc.Unsafe. Every operation on the returned object will crash the JVM. Unfortunately the next in line to operate on the object is WicketObjectOutputStream.HandleTable.hash which also calls a native method called System.identityHashCode. This method is known for some JVM crashes, and has been attributed for the JVM crash for a while during the investigation into this JVM crash.
> The solutions:
> 1) Do not use the WicketObjectOutputStream/WicketObjectStreamFactory. Works.
> 2) The method org.apache.wicket.Page.writePageObject(ObjectOutputStream) should not do a s.writeObject(pageMapName), but a s.writeUTF(pageMapName) instead. This way, the WicketObjectOutputStream.classHandler will not get the wrong value. org.apache.wicket.Page.readPageObject(ObjectInputStream) should be matched, of course.
> 3) WicketObjectOutputStream.defaultWriteObject() should update/get the right classHandler reference, just as WicketObjectOutputStream.writeObjectOverride(Object) does. You might even consider dropping the field entirely.
> The last option seems the best to me, because calling a writeObject from writePageObject is not semantically incorrect, furthermore, there might be other instances of this.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (WICKET-3136) JVM 1.6 crash caused by
WicketObjectOutputStream, ClassStreamHandler, and Page.writePageObject
Posted by "Pedro Santos (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WICKET-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12935272#action_12935272 ]
Pedro Santos commented on WICKET-3136:
--------------------------------------
Hi Johan, do you mean remove it from the Wicket 1.4.x?
> JVM 1.6 crash caused by WicketObjectOutputStream, ClassStreamHandler, and Page.writePageObject
> -----------------------------------------------------------------------------------------------
>
> Key: WICKET-3136
> URL: https://issues.apache.org/jira/browse/WICKET-3136
> Project: Wicket
> Issue Type: Bug
> Components: wicket
> Affects Versions: 1.4.12
> Environment: JVM 1.6.0_22, CentOS release 5.3 (Final) and Mac OS 10.6.4
> Reporter: Roland Groen
> Assignee: Johan Compagner
> Fix For: 1.4.14, 1.5-M4
>
> Attachments: fix-test-WICKET-3136.patch, hs_err_pid3145.log, test-WICKET-3136.patch
>
>
> The JVM 6u22 (1.6.0_22) crashes while clicking on a page in the wicket application. This is always the same page, but there are pages that function. When serializing a Page object with the pageMapName field set, a JVM 1.6 crashes on a segmentation fault. The error message is:
> #
> # A fatal error has been detected by the Java Runtime Environment:
> #
> # SIGSEGV (0xb) at pc=0xf44a859e, pid=3145, tid=2969234320
> #
> # JRE version: 6.0_22-b04
> # Java VM: Java HotSpot(TM) Server VM (17.1-b03 mixed mode linux-x86 )
> # Problematic frame:
> # J org.apache.wicket.util.io.WicketObjectOutputStream$HandleTable.hash(Ljava/lang/Object;)I
> #
> # If you would like to submit a bug report, please visit:
> # http://java.sun.com/webapps/bugreport/crash.jsp
> #
> What goes on (and it took some time to find it):
> The WicketObjectOutputStream has a field wich is called classHandler. This classHandler is suppose to match the class of the curObject.
> When Page.writePageObject is called AND the field Page.pageMapName is set, the method Page.writePageObject will call writeObject(pageMapName). This call will change the value of WicketObjectOutputStream.classHandler into the classHandler of java.lang.String somewhere in WicketObjectOutputStream.writeObjectOverride. What happens next is a true disaster. Though some abstractions (PageSerializer), the method WicketObjectOutputStream.defaultWriteObject will is called. This method states:
> classHandler.writeFields(this, curObject);
> and due to fact that classHandler is a class handler of java.lang.String and not the one of the curObject, an instance of FieldAndIndex belonging to String.value will be called with another object. This ends up at calling unsafe.getObject(object, index) (a native method) with the wrong object reference, something which is not a good idea with sun.misc.Unsafe. Every operation on the returned object will crash the JVM. Unfortunately the next in line to operate on the object is WicketObjectOutputStream.HandleTable.hash which also calls a native method called System.identityHashCode. This method is known for some JVM crashes, and has been attributed for the JVM crash for a while during the investigation into this JVM crash.
> The solutions:
> 1) Do not use the WicketObjectOutputStream/WicketObjectStreamFactory. Works.
> 2) The method org.apache.wicket.Page.writePageObject(ObjectOutputStream) should not do a s.writeObject(pageMapName), but a s.writeUTF(pageMapName) instead. This way, the WicketObjectOutputStream.classHandler will not get the wrong value. org.apache.wicket.Page.readPageObject(ObjectInputStream) should be matched, of course.
> 3) WicketObjectOutputStream.defaultWriteObject() should update/get the right classHandler reference, just as WicketObjectOutputStream.writeObjectOverride(Object) does. You might even consider dropping the field entirely.
> The last option seems the best to me, because calling a writeObject from writePageObject is not semantically incorrect, furthermore, there might be other instances of this.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (WICKET-3136) JVM 1.6 crash caused by
WicketObjectOutputStream, ClassStreamHandler, and Page.writePageObject
Posted by "Pedro Santos (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WICKET-3136?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Pedro Santos updated WICKET-3136:
---------------------------------
Attachment: test-WICKET-3136.patch
test case trying to serialize/deserialize an page with pagemap
> JVM 1.6 crash caused by WicketObjectOutputStream, ClassStreamHandler, and Page.writePageObject
> -----------------------------------------------------------------------------------------------
>
> Key: WICKET-3136
> URL: https://issues.apache.org/jira/browse/WICKET-3136
> Project: Wicket
> Issue Type: Bug
> Components: wicket
> Affects Versions: 1.4.12
> Environment: JVM 1.6.0_22, CentOS release 5.3 (Final) and Mac OS 10.6.4
> Reporter: Roland Groen
> Assignee: Johan Compagner
> Fix For: 1.4.14, 1.5-M4
>
> Attachments: hs_err_pid3145.log, test-WICKET-3136.patch
>
>
> The JVM 6u22 (1.6.0_22) crashes while clicking on a page in the wicket application. This is always the same page, but there are pages that function. When serializing a Page object with the pageMapName field set, a JVM 1.6 crashes on a segmentation fault. The error message is:
> #
> # A fatal error has been detected by the Java Runtime Environment:
> #
> # SIGSEGV (0xb) at pc=0xf44a859e, pid=3145, tid=2969234320
> #
> # JRE version: 6.0_22-b04
> # Java VM: Java HotSpot(TM) Server VM (17.1-b03 mixed mode linux-x86 )
> # Problematic frame:
> # J org.apache.wicket.util.io.WicketObjectOutputStream$HandleTable.hash(Ljava/lang/Object;)I
> #
> # If you would like to submit a bug report, please visit:
> # http://java.sun.com/webapps/bugreport/crash.jsp
> #
> What goes on (and it took some time to find it):
> The WicketObjectOutputStream has a field wich is called classHandler. This classHandler is suppose to match the class of the curObject.
> When Page.writePageObject is called AND the field Page.pageMapName is set, the method Page.writePageObject will call writeObject(pageMapName). This call will change the value of WicketObjectOutputStream.classHandler into the classHandler of java.lang.String somewhere in WicketObjectOutputStream.writeObjectOverride. What happens next is a true disaster. Though some abstractions (PageSerializer), the method WicketObjectOutputStream.defaultWriteObject will is called. This method states:
> classHandler.writeFields(this, curObject);
> and due to fact that classHandler is a class handler of java.lang.String and not the one of the curObject, an instance of FieldAndIndex belonging to String.value will be called with another object. This ends up at calling unsafe.getObject(object, index) (a native method) with the wrong object reference, something which is not a good idea with sun.misc.Unsafe. Every operation on the returned object will crash the JVM. Unfortunately the next in line to operate on the object is WicketObjectOutputStream.HandleTable.hash which also calls a native method called System.identityHashCode. This method is known for some JVM crashes, and has been attributed for the JVM crash for a while during the investigation into this JVM crash.
> The solutions:
> 1) Do not use the WicketObjectOutputStream/WicketObjectStreamFactory. Works.
> 2) The method org.apache.wicket.Page.writePageObject(ObjectOutputStream) should not do a s.writeObject(pageMapName), but a s.writeUTF(pageMapName) instead. This way, the WicketObjectOutputStream.classHandler will not get the wrong value. org.apache.wicket.Page.readPageObject(ObjectInputStream) should be matched, of course.
> 3) WicketObjectOutputStream.defaultWriteObject() should update/get the right classHandler reference, just as WicketObjectOutputStream.writeObjectOverride(Object) does. You might even consider dropping the field entirely.
> The last option seems the best to me, because calling a writeObject from writePageObject is not semantically incorrect, furthermore, there might be other instances of this.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.