[Bug 18601] Google Sketchup 7 crashes early in wine's imm.dll
wine-bugs at winehq.org
wine-bugs at winehq.org
Sun May 24 06:30:35 CDT 2009
http://bugs.winehq.org/show_bug.cgi?id=18601
Anastasius Focht <focht at gmx.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |focht at gmx.net
--- Comment #2 from Anastasius Focht <focht at gmx.net> 2009-05-24 06:30:34 ---
Hello,
it's not that easy as you think... and it affects many apps that use browser
control.
In short: wrong handling of TLS slots in urlmon leads to "reuse" of TLS slots
with undefined behaviour in other Wine components (crash at best).
Another app suffering from this: "BinTube" (http://www.bintube.com/player/)
Trace log:
--- snip ---
...
0035:Call user32.PeekMessageW(0032c860,00000000,00000100,0000010f,00000000)
ret=08c3b480
0035:Call imm32.ImmProcessKey(00030144,04090409,00000020,00390001,00000000)
ret=603cc93f
0035:Call KERNEL32.TlsGetValue(00000000) ret=791ae8cf
0035:Ret KERNEL32.TlsGetValue() retval=001f3348 ret=791ae8cf
0035:Call user32.GetPropW(00030144,791b76c0 L"WineImmHIMCProperty")
ret=791b2bb4
0035:Ret user32.GetPropW() retval=00000000 ret=791b2bb4
0035:Call KERNEL32.TlsGetValue(00000000) ret=791ae8cf
0035:Ret KERNEL32.TlsGetValue() retval=001f3348 ret=791ae8cf
0035:trace:seh:raise_exception code=c0000005 flags=0 addr=0x791b2beb
ip=791b2beb tid=0035
0035:trace:seh:raise_exception info[0]=00000001
0035:trace:seh:raise_exception info[1]=00000006
0035:trace:seh:raise_exception eax=00030144 ebx=791b94dc ecx=00000000
edx=00000002 esi=0032c384 edi=0032c2f4
0035:trace:seh:raise_exception ebp=0032c188 esp=0032c140 cs=0023 ds=002b
es=002b fs=0063 gs=006b flags=00010202
...
--- snip ---
TLS slot 0 is the interesting one. It's allocated early by IMM.
Different run in winedbg, hence different TID:
--- snip ---
Wine-dbg>bt
Backtrace:
=>0 0x7b882040 TlsSetValue(index=0, value=0x1d28d8)
[/opt/wine/wine-git/dlls/kernel32/process.c:2421] in kernel32 (0x0033a958)
1 0x60a3c055 ImmGetContext+0x6f(hWnd=(nil))
[/opt/wine/wine-git/dlls/imm32/imm.c:1380] in imm32 (0x0033a9a8)
2 0x6087fe5f IME_UpdateAssociation+0x1d(focus=(nil))
[/opt/wine/wine-git/dlls/winex11.drv/ime.c:1036] in winex11 (0x0033a9c8)
3 0x608b94c7 open_xim+0x977(display=0x7c7952a8)
[/opt/wine/wine-git/dlls/winex11.drv/xim.c:502] in winex11 (0x0033aac8)
4 0x608b956b X11DRV_SetupXIM+0x2a()
[/opt/wine/wine-git/dlls/winex11.drv/xim.c:517] in winex11 (0x0033ab08)
5 0x608adeed x11drv_init_thread_data+0x1ea()
[/opt/wine/wine-git/dlls/winex11.drv/x11drv_main.c:660] in winex11 (0x0033ab38)
...
--- snip ---
TID to be sure:
--- snip ---
Wine-dbg>info thread
process tid prio (all id:s are in hex)
...
0000001e (D) C:\Program Files\BinTube\BinTube Usenet Reader Pro\BinPlayer.exe
00000025 0
00000024 0
00000023 2
00000022 0
0000001f 0 <==
...
--- snip ---
"Reuse" of TLS slot 0 by Gecko:
--- snip ---
Wine-dbg>bt
Backtrace:
=>0 0x7b882040 TlsSetValue(index=0, value=0x20d218)
[/opt/wine/wine-git/dlls/kernel32/process.c:2421] in kernel32 (0x0033b698)
1 0x04c8071e in nspr4 (+0x1071e) (0x0033b6b8)
2 0x04c80765 in nspr4 (+0x10765) (0x0033b6c8)
3 0x04c7568b in nspr4 (+0x568b) (0x0033b6d8)
4 0x0817b148 in xul (+0xbcb148) (0x0033b6f8)
5 0x0817b167 in xul (+0xbcb167) (0x0033b718)
6 0x0826d137 in xul (+0xcbd137) (0x0033b728)
7 0x075b10e1 in xul (+0x10e1) (0x0033b748)
8 0x7bc47ffd call_dll_entry_point+0x15() in ntdll (0x0033b768)
9 0x7bc4a3c9 MODULE_InitDLL+0x211(wm=0x208c70, reason=1, lpReserved=(nil))
[/opt/wine/wine-git/dlls/ntdll/loader.c:969] in ntdll (0x0033b8c8)
10 0x7bc4a757 process_attach+0x197(wm=0x208c70, lpReserved=(nil))
[/opt/wine/wine-git/dlls/ntdll/loader.c:1058] in ntdll (0x0033b928)
11 0x7bc4a703 process_attach+0x143(wm=0x1fde50, lpReserved=(nil))
[/opt/wine/wine-git/dlls/ntdll/loader.c:1050] in ntdll (0x0033b988)
12 0x7bc4d3df LdrLoadDll+0x88(path_name=0x208ab0, flags=0, libname=0x33ba28,
hModule=0x33b9f0) [/opt/wine/wine-git/dlls/ntdll/loader.c:2015] in ntdll
(0x0033b9b8)
13 0x7b86c9a3 load_library+0x118(libname=0x33ba28, flags=0)
[/opt/wine/wine-git/dlls/kernel32/module.c:875] in kernel32 (0x0033ba08)
...
--- snip ---
TID to be sure it's the same thread:
--- snip ---
Wine-dbg>info thread
process tid prio (all id:s are in hex)
...
0000001e (D) C:\Program Files\BinTube\BinTube Usenet Reader Pro\BinPlayer.exe
00000025 0
00000024 0
00000023 2
00000022 0
0000001f 0 <==
...
--- snip ---
My first thought was: "oops, someone corrupted TLS bitmap?" but it wasn't the
case. There was indeed a TLS free on slot 0 in between!
--- snip ---
TlsFree () at /opt/wine/wine-git/dlls/kernel32/process.c:2353
2353 {
Wine-dbg>bt
Backtrace:
=>0 0x7b881f22 TlsFree(index=0)
[/opt/wine/wine-git/dlls/kernel32/process.c:2353] in kernel32 (0x0033c228)
1 0x71f06bcb get_notif_hwnd+0x17()
[/opt/wine/wine-git/dlls/urlmon/bindprot.c:138] in urlmon (0x0033c278)
2 0x71f05fe5 Binding_Create+0xa6(mon=0x1fe018, binding_ctx=(nil),
url=0x206b68, pbc=0x20bc18, to_obj=1, riid=0x60e05c34, binding=0x33c334)
[/opt/wine/wine-git/dlls/urlmon/binding.c:1371] in urlmon (0x0033c2d8)
3 0x71f0657f start_binding+0x50(mon=0x1fe018, binding_ctx=(nil),
url=0x206b68, pbc=0x20bc18, to_obj=1, riid=0x60e05c34, ret=0x33c390)
[/opt/wine/wine-git/dlls/urlmon/binding.c:1463] in urlmon (0x0033c358)
4 0x71f069bf bind_to_object+0x46(mon=0x1fe018, url=0x206b68, pbc=0x20bc18,
riid=0x60e05c34, ppv=0x33c434) [/opt/wine/wine-git/dlls/urlmon/binding.c:1539]
in urlmon (0x0033c398)
5 0x71f1cac0 URLMoniker_BindToObject+0x137(iface=0x1fe018, pbc=0x20bc18,
pmkToLeft=(nil), riid=0x60e05c34, ppv=0x33c434)
[/opt/wine/wine-git/dlls/urlmon/umon.c:212] in urlmon (0x0033c3e8)
6 0x60df38d0 bind_to_object+0x286(This=0x1d2120, mon=0x1fe018, url=0x1c6ed8,
bindctx=0x20bc18, callback=0x1c7928)
[/opt/wine/wine-git/dlls/shdocvw/navigate.c:620] in shdocvw (0x0033c4e8)
7 0x60df3ae9 navigate_bsc+0x147(This=0x1d2120, bsc=0x1c7928, mon=(nil))
[/opt/wine/wine-git/dlls/shdocvw/navigate.c:656] in shdocvw (0x0033c538)
8 0x60df3b85 navigate_bsc_proc+0x4a(This=0x1d2120, t=0x1c6ec0)
[/opt/wine/wine-git/dlls/shdocvw/navigate.c:680] in shdocvw (0x0033c568)
9 0x60de89fc process_dochost_task+0x20(This=0x1d2120, lparam=1863360)
[/opt/wine/wine-git/dlls/shdocvw/dochost.c:45] in shdocvw (0x0033c588)
10 0x60df4836 shell_embedding_proc+0xb2(hwnd=0xd00c6, msg=1792, wParam=0,
lParam=1863360) [/opt/wine/wine-git/dlls/shdocvw/oleobject.c:65] in shdocvw
(0x0033c5c8)
--- snip ---
This free leads to reuse of TLS slot 0 by different component, assigning other
data structures.
When IMM later queries TLS slot 0 because it still thinks it owns it bogus
values are retrieved leading to crash.
The offending code :
--- snip dlls/urlmon/urlmon_main.c ---
tls_data_t *get_tls_data(void)
{
tls_data_t *data;
if(!urlmon_tls) {
DWORD tls = TlsAlloc();
tls = InterlockedCompareExchange((LONG*)&urlmon_tls, tls, 0);
if(tls != urlmon_tls)
TlsFree(tls);
}
data = TlsGetValue(urlmon_tls);
if(!data) {
data = heap_alloc_zero(sizeof(tls_data_t));
if(!data)
return NULL;
EnterCriticalSection(&tls_cs);
list_add_tail(&tls_list, &data->entry);
LeaveCriticalSection(&tls_cs);
TlsSetValue(urlmon_tls, data);
}
return data;
}
--- snip dlls/urlmon/urlmon_main.c --
TLS slot 0 is a valid value hence you can't use "zero" value as "TLS slot not
allocated yet" (use TLS_OUT_OF_INDEXES or a flag).
Applies to InterlockedCompareExchange() and urlmon_tls comparisons scattered
throughout the code. Also trying to free the slot doesn't make sense here.
You might want to check other Wine components for incorrect "!tls_slot" idioms.
Regards
--
Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email
Do not reply to this email, post in Bugzilla using the
above URL to reply.
------- You are receiving this mail because: -------
You are watching all bug changes.
More information about the wine-bugs
mailing list