Intercept relay_call causes seh:raise_exception code=c0000005

Jui-Hao Chiang windtracekimo at gmail.com
Wed Apr 21 08:37:53 CDT 2010


Hi all, I am currently using the WINEDEBUG=relay feature to intercept
function calls as follows:

1. In dlls/ntdll/relay.c, insert a code snippet in
static LONGLONG WINAPI relay_call( struct relay_descr *descr, unsigned int idx, const INT_PTR *stack )
{
.....
    my_own_function(entry_point->name, nb_args, stack); /* added by myself */
    ret = call_entry_point( entry_point->orig_func, nb_args, stack + 1 ); /* original Wine code */
....
}

LONGLONG
my_own_function(const char *funcname, int nb_args, const INT_PTR *stack)
{
    /* CreateBitmap has 5 parameters; the 5th one points to an array
       while the others are native types, as follows:
           HBITMAP WINAPI CreateBitmap( INT width, INT height, UINT planes,
                                        UINT bpp, LPCVOID bits )
    */
    if (strcmp(funcname, "CreateBitmap") == 0)
        Rpc_CreateBitmap(*(stack+1), *(stack+2), *(stack+3),
                         *(stack+4), *(stack+5)); /* this function just tries to forward all
                                                     parameters to the remote RPC server for recording */
    return 0; /* declared LONGLONG, so return a value */
}

2. Run the program with WINEDEBUG=trace+all,relay wine notepad > dump 2>&1
3. If I only pass parameters 1 to 4 to Rpc_CreateBitmap, then there
is no problem, but if I add the 5th one (which points to some array),
then notepad aborts with the following debug message:

0009:Call gdi32.CreateBitmap(00000008,00000008,00000001,00000001,7e95d822) ret=7e8da083
0009:trace:seh:raise_exception code=c0000005 flags=0 addr=0xb754a21d ip=b754a21d tid=0009
0009:trace:seh:raise_exception  info[0]=00000001
0009:trace:seh:raise_exception  info[1]=7e95d822
0009:trace:seh:raise_exception  eax=00000055 ebx=b7593ff4 ecx=0033fa4c edx=00000001 esi=7e95d822 edi=00000001
0009:trace:seh:raise_exception  ebp=0033fa54 esp=0033fa44 cs=0073 ds=007b es=007b fs=0033 gs=003b flags=00010202
0009:trace:seh:call_vectored_handlers calling handler at 0x7b83fd50 code=c0000005 flags=0
0009:trace:seh:call_vectored_handlers handler at 0x7b83fd50 returned 0
0009:trace:seh:call_stack_handlers calling handler at 0x7bc4a480 code=c0000005 flags=0
0009:trace:seh:__regs_RtlUnwind code=c0000005 flags=2
0009:trace:seh:__regs_RtlUnwind calling handler at 0x7bc6bc50 code=c0000005 flags=2
0009:trace:seh:__regs_RtlUnwind handler at 0x7bc6bc50 returned 1
0009:exception in PE entry point (proc=0x7e95a890,module=0x7e8c0000,reason=PROCESS_ATTACH,res=0x1)

4. But if I use malloc to copy the content of the array pointed to by the 5th
parameter, then there is no problem:
LONGLONG
my_own_function(const char *funcname, int nb_args, const INT_PTR *stack)
{
    char *buffer = NULL;
    if (strcmp(funcname, "CreateBitmap") == 0) {
        buffer = (char*)malloc(.....);
        memcpy(buffer, (const void *)*(stack+5), ....);
        Rpc_CreateBitmap(*(stack+1), *(stack+2), *(stack+3),
                         *(stack+4), buffer); /* No exception if I do this */
    }
    return 0;
}

Can anyone give me a hint as to what's happening here? Or am I doing
some illegal operation?
I appreciate any comments,
Jui-Hao
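Added here as an illustration (not code from the post or from Wine): a small Python decoder for the seh:raise_exception records in a WINEDEBUG=relay dump. For code c0000005 (EXCEPTION_ACCESS_VIOLATION), info[0] is ExceptionInformation[0], the access type (0 read, 1 write, 8 execute), and info[1] is the faulting address; the script reports the access kind and checks whether that address equals one of the arguments of the last relay Call on the same thread. The sample trace is constructed from the lines quoted above with the mail client's wrapping undone.

```python
import re

# Constructed sample: the relay/seh lines quoted in the post, with the mail
# client's line wrapping undone so each record sits on one line.
SAMPLE_TRACE = """\
0009:Call gdi32.CreateBitmap(00000008,00000008,00000001,00000001,7e95d822) ret=7e8da083
0009:trace:seh:raise_exception code=c0000005 flags=0 addr=0xb754a21d ip=b754a21d tid=0009
0009:trace:seh:raise_exception  info[0]=00000001
0009:trace:seh:raise_exception  info[1]=7e95d822
"""

CALL_RE = re.compile(r"^(?P<tid>[0-9a-f]+):Call (?P<func>[\w.]+)\((?P<args>[0-9a-f,]*)\)")
EXC_RE = re.compile(r"^(?P<tid>[0-9a-f]+):trace:seh:raise_exception code=(?P<code>[0-9a-f]+) .*addr=0x(?P<ip>[0-9a-f]+)")
INFO_RE = re.compile(r"^(?P<tid>[0-9a-f]+):trace:seh:raise_exception\s+info\[(?P<idx>\d)\]=(?P<val>[0-9a-f]+)")

# ExceptionInformation[0] of EXCEPTION_ACCESS_VIOLATION (0xC0000005): 0 read, 1 write, 8 execute
ACCESS_KIND = {0: "read", 1: "write", 8: "execute"}

def describe(tid, exc, call):
    """Build a finding for one completed access-violation record."""
    fault = exc["info"][1]
    d = {"tid": tid, "kind": ACCESS_KIND.get(exc["info"][0], "unknown"),
         "fault_addr": fault, "ip": exc["ip"], "func": None, "matches_arg": None}
    if call:
        func, args = call
        d["func"] = func
        # 1-based index of the last call's argument whose value equals the faulting address
        d["matches_arg"] = next((i for i, a in enumerate(args, 1) if a == fault), None)
    return d

def analyze(trace):
    """Correlate seh:raise_exception records with the last relay 'Call' on the same thread."""
    last_call, pending, findings = {}, {}, []
    for line in trace.splitlines():
        if m := CALL_RE.match(line):
            args = [int(a, 16) for a in m["args"].split(",") if a]
            last_call[m["tid"]] = (m["func"], args)
        elif m := EXC_RE.match(line):
            pending[m["tid"]] = {"code": int(m["code"], 16), "ip": int(m["ip"], 16), "info": {}}
        elif (m := INFO_RE.match(line)) and m["tid"] in pending:
            exc = pending[m["tid"]]
            exc["info"][int(m["idx"])] = int(m["val"], 16)
            if exc["code"] == 0xC0000005 and 0 in exc["info"] and 1 in exc["info"]:
                findings.append(describe(m["tid"], pending.pop(m["tid"]), last_call.get(m["tid"])))
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_TRACE):
        hit = f", same value as argument {f['matches_arg']} of {f['func']}" if f["matches_arg"] else ""
        print(f"tid {f['tid']}: {f['kind']} fault at {f['fault_addr']:08x} (ip {f['ip']:08x}){hit}")
```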


