Java Security

Basic constraints check fails

867597, Jun 8 2011 — edited Jun 30 2011

My code is using the Sun PKIX provider to check a CertPath object which contains a client certificate and an intermediate CA. The intermediate CA has basic constraints of "critical,CA:true,pathlen:0".
The check passes on JRE 1.6.17, but on 1.6.21 I got the following error:

java.security.cert.CertPathValidatorException: basic constraints check failed: this is not a CA certificate
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:139)
at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:328)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:178)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:250)

I don't understand why the check failed, because the intermediate CA directly signs the client certificate, so the constraint has been met. Additional information: the intermediate CA is signed by a self-signed root CA and it is not in the CertPath object, but it's passed as a trusted CA in PKIXParameters. The root doesn't have basic constraints. Have more checks been added since 1.6.17? I searched the bug database and didn't find anything related. I need someone to help figure out what went wrong.
Post Details
Locked on Jul 28 2011
Added on Jun 8 2011
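A diagnostic sketch for the setup described in the post (a CertPath of client certificate plus intermediate CA, with the root supplied as a trust anchor in PKIXParameters), added here as an example and not the poster's code. It prints what the JRE reports as each certificate's basic constraints, checks that each certificate is issued by the next one in the path, and shows the index at which validation fails. The class name `PathDiag` and the file names are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.*;
import java.util.*;

// Added diagnostic example, not the poster's code. Hypothetical usage:
//   java PathDiag root.pem client.pem intermediate.pem
// args[0] is the trust anchor; the remaining files form the CertPath, target first.
public class PathDiag {
    static X509Certificate load(CertificateFactory cf, String file) throws Exception {
        InputStream in = new FileInputStream(file);
        try { return (X509Certificate) cf.generateCertificate(in); } finally { in.close(); }
    }

    // getBasicConstraints(): -1 = not a CA, Integer.MAX_VALUE = CA with no pathlen,
    // any other value = the pathLenConstraint.
    static String describe(int bc) {
        if (bc == -1) return "not a CA";
        return bc == Integer.MAX_VALUE ? "CA, no pathlen" : "CA, pathlen " + bc;
    }

    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate root = load(cf, args[0]);
        List<X509Certificate> chain = new ArrayList<X509Certificate>();
        for (int i = 1; i < args.length; i++) chain.add(load(cf, args[i]));

        for (int i = 0; i < chain.size(); i++) {
            X509Certificate c = chain.get(i);
            X509Certificate next = i + 1 < chain.size() ? chain.get(i + 1) : root;
            System.out.println("[" + i + "] " + c.getSubjectX500Principal()
                    + " : " + describe(c.getBasicConstraints()));
            // Each certificate must be issued by the next one (or by the anchor).
            if (!c.getIssuerX500Principal().equals(next.getSubjectX500Principal()))
                System.out.println("    issuer does not match the next certificate: "
                        + c.getIssuerX500Principal());
        }

        PKIXParameters params = new PKIXParameters(
                Collections.singleton(new TrustAnchor(root, null)));
        params.setRevocationEnabled(false); // diagnostic only: isolates constraint checks
        try {
            CertPathValidator.getInstance("PKIX").validate(cf.generateCertPath(chain), params);
            System.out.println("path validated");
        } catch (CertPathValidatorException e) {
            // getIndex() is the position in the CertPath of the failing certificate, or -1.
            System.out.println("failed at index " + e.getIndex() + ": " + e.getMessage());
        }
    }
}
```

Running the same files under both JRE versions shows whether the reported basic constraints, the path order, or the failing index differs between them.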