[Bug 27393] New: mmdevapi uninitialised memory access and crash past rendering

wine-bugs at winehq.org
Sat Jun 4 17:30:29 CDT 2011


http://bugs.winehq.org/show_bug.cgi?id=27393

           Summary: mmdevapi uninitialised memory access and crash past
                    rendering
           Product: Wine
           Version: 1.3.21
          Platform: x86
        OS/Version: Linux
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: mmdevapi
        AssignedTo: wine-bugs at winehq.org
        ReportedBy: hoehle at users.sourceforge.net


Created an attachment (id=35024)
 --> (http://bugs.winehq.org/attachment.cgi?id=35024)
patch to mmdevapi/tests/render.c to play silence

Hi,

I've attached one version of the patch to mmdevapi/tests/render.c that works
well with testbot and seems to work well with Ubuntu Intrepid with PulseAudio,
but produces random crashes within a critical section when used with dmix.

mmdevdrv.d:837 NULL pointer access when looking for a GUID, called from
test_session i.e. after my changes in test_clock!

I found that very suspicious and thus ran the test in Ubuntu Lucid with
Valgrind (and PulseAudio), and it shows:

wine: Unhandled page fault on read access to 0xdededef6 at address 0x7bc34880
(thread 0020), starting debugger...

DEDEDE comes from a read after free() provoked by running

VALGRIND_OPTS="--trace-children=yes --log-file=/dev/shm/v%p.log
--leak-check=full --malloc-fill=A5 --free-fill=DE --track-origins=yes
--vex-iropt-precise-memory-exns=yes" WINETEST_WRAPPER=valgrind make render.ok

Thread 2:
Invalid read of size 4
   at 0x7BC34876: RtlpWaitForCriticalSection (critsection.c:434)
   by 0x7BC34F64: RtlEnterCriticalSection (critsection.c:546)
   by 0x541672A: alsa_push_buffer_data (mmdevdrv.c:1429)
   by 0x7BC7C53A: timer_callback_wrapper (threadpool.c:601)
   by 0x7BC7DA59: timer_queue_thread_proc (threadpool.c:670)
   by 0x7BC71737: ??? (in /wine-lucid/dlls/ntdll/ntdll.dll.so)
   by 0x7BC7190D: call_thread_entry_point (signal_i386.c:2499)
   by 0x7BC7B524: start_thread (thread.c:404)
   by 0x418296D: start_thread (pthread_create.c:300)
   by 0x4263A4D: clone (clone.S:130)
 Address 0x7f037dcc is not stack'd, malloc'd or (recently) free'd

Invalid read of size 4
   at 0x7BC34880: RtlpWaitForCriticalSection (critsection.c:434)
   by 0x7BC34F64: RtlEnterCriticalSection (critsection.c:546)
   by 0x541672A: alsa_push_buffer_data (mmdevdrv.c:1429)
   by 0x7BC7C53A: timer_callback_wrapper (threadpool.c:601)
   by 0x7BC7DA59: timer_queue_thread_proc (threadpool.c:670)
   by 0x7BC71737: ??? (in /wine-lucid/dlls/ntdll/ntdll.dll.so)
   by 0x7BC7190D: call_thread_entry_point (signal_i386.c:2499)
   by 0x7BC7B524: start_thread (thread.c:404)
   by 0x418296D: start_thread (pthread_create.c:300)
   by 0x4263A4D: clone (clone.S:130)
 Address 0xdededef6 is not stack'd, malloc'd or (recently) free'd

My render loop may not be bug-free - please check - but I believe the illegal
access to be in mmdevapi.
I recommend adding a player loop to the tests.

There really is a timing issue.  Sometimes, even with Valgrind, there's no
illegal access during the test run.  In that case I typically see:
err:ntdll:RtlpWaitForCriticalSection section 0x7f41a704 "?" wait timed out in
thread 0022, blocked by 0023, retrying (60 sec)
Perhaps the critical section was destroyed, somewhat too early?

BTW, the CoTaskMemFree calls within the patch are part of a bug fix that I'll
submit this Monday.
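
Added example (editor's illustration, not part of the original report or of Wine's code): a small C triage helper that checks whether a faulting address is one of the Valgrind fill words from the command line above (--malloc-fill=A5, --free-fill=DE) plus a small displacement. The function names and the 0x1000 displacement window are assumptions made for this example; the two addresses in main() are the ones from the Valgrind log.

```c
#include <stdint.h>
#include <stdio.h>

enum fill_kind { FILL_NONE = 0, FILL_UNINIT, FILL_FREED };

struct fill_hit {
    enum fill_kind kind;   /* which fill pattern the bad pointer came from */
    uint32_t offset;       /* displacement added to the poisoned pointer */
};

/* Replicate one fill byte across a 32-bit word, e.g. 0xDE -> 0xDEDEDEDE. */
static uint32_t fill_word(uint8_t b) { return b * 0x01010101u; }

/* Classify a 32-bit fault address against the two Valgrind fill bytes.
 * max_off (assumed window) bounds the struct-field offset we accept. */
static struct fill_hit classify_fault(uint32_t addr, uint8_t malloc_fill,
                                      uint8_t free_fill, uint32_t max_off)
{
    struct fill_hit hit = { FILL_NONE, 0 };
    /* Unsigned subtraction wraps, so an address below the pattern gives a
     * huge difference and is rejected by the window check. */
    uint32_t d = addr - fill_word(free_fill);
    if (d <= max_off) { hit.kind = FILL_FREED; hit.offset = d; return hit; }
    d = addr - fill_word(malloc_fill);
    if (d <= max_off) { hit.kind = FILL_UNINIT; hit.offset = d; }
    return hit;
}

int main(void)
{
    /* Fault addresses copied from the two "Invalid read" records above. */
    const uint32_t addrs[] = { 0x7f037dccu, 0xdededef6u };
    static const char *names[] = { "no fill pattern", "uninitialised heap",
                                   "freed heap" };
    for (unsigned i = 0; i < sizeof addrs / sizeof addrs[0]; i++) {
        struct fill_hit h = classify_fault(addrs[i], 0xA5, 0xDE, 0x1000);
        printf("0x%08x: %s", (unsigned)addrs[i], names[h.kind]);
        if (h.kind != FILL_NONE)
            printf(", pointer value 0x%08x + 0x%x",
                   (unsigned)(addrs[i] - h.offset), (unsigned)h.offset);
        printf("\n");
    }
    return 0;
}
```

For 0xdededef6 this reports the free-fill word 0xdededede plus 0x18: the faulting read went through a pointer that was itself loaded from already-freed memory.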
