wild pointers in current named pipe implementation?

Gregory M. Turner gmturner007 at ameritech.net
Mon Apr 14 15:26:29 CDT 2003 

On Monday 14 April 2003 12:25 pm, Dan Kegel wrote:
> I know Mike is planning to rewrite the named pipe
> implementation, but the current implementation could
> use a little love while we're waiting for the new one.
> So I'm looking into the recent user complaint
> about FlushFileBuffers and named pipes, in hopes I can find
> a very simple patch that will tide us over until the
> new named pipes code is ready (whenever that might be;
> Mike's busy on other things at the moment).
>
> So I added an early call to FlushFileBuffers in the
> named pipe regression test (see attached patch).
> While poking around in wineserver, I found a few places where pointers
> were not set to NULL after being invalidated, and
> after I added the missing statements to set them to NULL,
> wineserver started behaving badly on the regression
> test.  A run of wineserver under valgrind showed a null pointer access,
> so I added a couple null pointer check asserts (see attached patch).
> And sure enough, they fire.
>
> So the question is -- did I screw up, or did I uncover a real
> issue?  The answer will help me as I continue digging
> into the FlushFileBuffers named pipe bug report
> (and testing possible simple enhancements to the current
> named pipe implementation).
>
> Thanks,
> Dan

I'm looking at the same stuff, since it's hard for me to proceed without 
working pipes.  Bill's recent post to patches looks promising, I'll give it a 
try and get back to the list.

You can see the error by running wineserver -f -p under gdb or ddd and running 
the attached replacement for dlls/kernel/tests/pipe.c (which comes from your 
website Dan).

Here is a "+relay" dump on the client side:

greg at bad-penguin tests $ wine --debugmsg +relay kernel32_test.exe.so pipe
0009:Call PE DLL (proc=0x40620a00,module=0x40600000 
(kernel32.dll),type=1,res=0x1)
0009:Ret  PE DLL (proc=0x40620a00,module=0x40600000 
(kernel32.dll),type=1,res=0x1) retval=1
0009:Starting process 
F:\src\wine\wine.test\dlls\kernel\tests\kernel32_test.exe 
(entryproc=0x40355000)
0009:Call kernel32.TlsAlloc() ret=403830e6
0009:Ret  kernel32.TlsAlloc() retval=00000000 ret=403830e6
0009:Call kernel32.TlsGetValue(00000000) ret=40382b6f
0009:Ret  kernel32.TlsGetValue() retval=00000000 ret=40382b6f
0009:Call ntdll.RtlAllocateHeap(40230000,00000008,00000010) ret=40382bad
0009:Ret  ntdll.RtlAllocateHeap() retval=40231a70 ret=40382bad
0009:Call kernel32.TlsSetValue(00000000,40231a70) ret=40382bc4
0009:Ret  kernel32.TlsSetValue() retval=00000001 ret=40382bc4
(null):0:test 1 of 4:
0009:Call kernel32.CreateNamedPipeA(40394434 
"\\\\.\\PiPe\\tests_pipe.c",00000003,00000000,00000001,00000400,00000400,00000000,00000000) 
ret=4037993a
0009:Ret  kernel32.CreateNamedPipeA() retval=00000018 ret=4037993a
0009:Call kernel32.TlsGetValue(00000000) ret=40382b6f
0009:Ret  kernel32.TlsGetValue() retval=40231a70 ret=40382b6f
0009:Call kernel32.TlsGetValue(00000000) ret=40382b6f
0009:Ret  kernel32.TlsGetValue() retval=40231a70 ret=40382b6f
0009:Call kernel32.TlsGetValue(00000000) ret=40382b6f
0009:Ret  kernel32.TlsGetValue() retval=40231a70 ret=40382b6f
0009:Call kernel32.WriteFile(00000018,405c2e0c,0000000b,405c2de8,00000000) 
ret=403799ac

The call to WriteFile pretty much goes as expected on the server side, up to 
and including the call to grab_object; but when grab_object returns, the IP 
ends up somewhere surprising, and quickly jumps back into grab_object, this 
time, apparently with the NULL argument... although I start seeing some 
inconsistient results from the ddd now, which bizarrely claims that obj is 
/not/ NULL!

I wonder if there is some stack corruption, or a compiler optimization bug?  
There is a function pointer call in the stack, using the get_obj_fd inline 
function... but the inline is fine, spelling out it's meaning in 
get_handle_fd_obj has the same result.  Wierd.  Oh well... maybe Bill has 
already cracked this nut... will try his patch.

-- 
gmt

"Democracy is the theory that holds that the common people know
what they want, and deserve to get it good and hard." HL Mencken
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pipe.c
Type: text/x-csrc
Size: 22367 bytes
Desc: not available
Url : http://www.winehq.org/pipermail/wine-devel/attachments/20030414/a1ae15e0/pipe.c

More information about the wine-devel mailing list