[Bug 10062] Bellybutton Groove demo runs out of stack space (broken by design)

wine-bugs at winehq.org wine-bugs at winehq.org
Sun Jul 27 09:05:56 CDT 2014


http://bugs.winehq.org/show_bug.cgi?id=10062

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |obfuscation
             Status|NEW                         |RESOLVED
                 CC|                            |focht at gmx.net
          Component|kernel32                    |-unknown
           Hardware|Other                       |x86
         Resolution|---                         |WONTFIX
            Summary|Segmentation Fault with     |Bellybutton Groove demo
                   |Bellybutton Groove demo     |runs out of stack space
                   |                            |(broken by design)

--- Comment #16 from Anastasius Focht <focht at gmx.net> ---
Hello folks,

confirming, actually a WONTFIX.

Some "genius" tried to be clever and reserved a stupid amount of stack space on
the main thread stack (hard coded).

The guy most likely calculated the typical thread stack usage by Windows API
and subtracted that from default 1MB limit.

--- snip ---
004010E0  55                      PUSH EBP
004010E1  8BEC                    MOV EBP,ESP
004010E3  6A FF                   PUSH -1
004010E5  68 0AEF4000             PUSH dotdot_T.0040EF0A ; install SE handler
004010EA  64:A1 00000000          MOV EAX,DWORD PTR FS:[0]
004010F0  50                      PUSH EAX
004010F1  64:8925 00000000        MOV DWORD PTR FS:[0],ESP
004010F8  51                      PUSH ECX
004010F9  B8 FC370F00             MOV EAX,0F37FC         ; alloc stack (~974KB)
004010FE  E8 CD650000             CALL dotdot_T.004076D0
00401103  53                      PUSH EBX
00401104  56                      PUSH ESI
00401105  57                      PUSH EDI
00401106  C745 FC 00000000        MOV DWORD PTR SS:[EBP-4],0
0040110D  8965 F0                 MOV DWORD PTR SS:[EBP-10],ESP
00401110  E8 FF590000             CALL <JMP.&ptc.#167__ptc_use_exceptions at 0>
...
--- snip ---

Stack allocator:

--- snip ---
004076D0  51                      PUSH ECX
004076D1  3D 00100000             CMP EAX,1000             ; stack alloc size
004076D6  8D4C24 08               LEA ECX,DWORD PTR SS:[ESP+8]
004076DA  72 14                   JB SHORT dotdot_T.004076F0
004076DC  81E9 00100000           SUB ECX,1000
004076E2  2D 00100000             SUB EAX,1000
004076E7  8501                    TEST DWORD PTR DS:[ECX],EAX
004076E9  3D 00100000             CMP EAX,1000
004076EE  73 EC                   JNB SHORT dotdot_T.004076DC
004076F0  2BC8                    SUB ECX,EAX
004076F2  8BC4                    MOV EAX,ESP
004076F4  8501                    TEST DWORD PTR DS:[ECX],EAX
004076F6  8BE1                    MOV ESP,ECX              ; new bottom
004076F8  8B08                    MOV ECX,DWORD PTR DS:[EAX]
004076FA  8B40 04                 MOV EAX,DWORD PTR DS:[EAX+4]
004076FD  50                      PUSH EAX
004076FE  C3                      RETN
--- snip ---

After that operation there is ~50 KB of stack space left for the main thread.

NVIDIA's driver and possibly others sometimes need 40-64 KB stack space on
certain API calls.

Debugger session:

--- snip ---
Wine-dbg>
2970        wined3d_adapter_init_limits(gl_info);

Wine-dbg>s
2972        if (gl_info->supported[ARB_VERTEX_PROGRAM] &&
test_arb_vs_offset_limit(gl_info))

Wine-dbg>

0x7e40a859 test_arb_vs_offset_limit+0xd5
[/home/focht/projects/wine/wine.repo/src/dlls/wined3d/directx.c:457] in
wined3d: call    *%eax
457        GL_EXTCALL(glProgramStringARB(GL_VERTEX_PROGRAM_ARB,
GL_PROGRAM_FORMAT_ASCII_ARB,

...

Wine-dbg>n
453        if(!prog) {
Wine-dbg>n
456        GL_EXTCALL(glBindProgramARB(GL_VERTEX_PROGRAM_ARB, prog));
Wine-dbg>n
457        GL_EXTCALL(glProgramStringARB(GL_VERTEX_PROGRAM_ARB,
GL_PROGRAM_FORMAT_ASCII_ARB,

Wine-dbg>bt

Backtrace:
=>0 0x437b8d41 in libnvidia-glcore.so.331.67 (+0x1476d41) (0x0024bb78)
  1 0x7e40285b test_arb_vs_offset_limit+0xd6(gl_info=0x12d71c)
[/home/focht/projects/wine/wine.repo/src/dlls/wined3d/directx.c:457] in wined3d
(0x0024bb78)
  2 0x7e40ca1b wined3d_adapter_init_gl_caps+0xcc7(adapter=0x12d70c)
[/home/focht/projects/wine/wine.repo/src/dlls/wined3d/directx.c:2972] in
wined3d (0x0024bd58)
  3 0x7e412877 wined3d_adapter_init+0x372(adapter=0x12d70c, ordinal=0)
[/home/focht/projects/wine/wine.repo/src/dlls/wined3d/directx.c:5141] in
wined3d (0x0024c168)
  4 0x7e412dd0 wined3d_init+0xb3(wined3d=0x12d700, flags=0x5)
[/home/focht/projects/wine/wine.repo/src/dlls/wined3d/directx.c:5233] in
wined3d (0x0024c198)
  5 0x7e4ba564 wined3d_create+0xc3(flags=<couldn't compute location>)
[/home/focht/projects/wine/wine.repo/src/dlls/wined3d/wined3d_main.c:105] in
wined3d (0x0024c208)
  6 0x7e534f85 ddraw_init+0xa5(ddraw=0x11fb28, device_type=0)
[/home/focht/projects/wine/wine.repo/src/dlls/ddraw/ddraw.c:4870] in ddraw
(0x0024c3e8)
  7 0x7e549038 DDRAW_Create+0x15f(guid=(nil), DD=0x855f74, UnkOuter=(nil),
iid=0x7e576374) [/home/focht/projects/wine/wine.repo/src/dlls/ddraw/main.c:274]
in ddraw (0x0024c458)
  8 0x7e549249 DirectDrawCreate+0xac(driver_guid=<couldn't compute location>,
ddraw=<couldn't compute location>, outer=<couldn't compute location>)
[/home/focht/projects/wine/wine.repo/src/dlls/ddraw/main.c:309] in ddraw
(0x0024c4a8)
  9 0x00356cec in ptc (+0x16ceb) (0x0024c50c)
  10 0x003514ed in ptc (+0x114ec) (0x00855f70)
  11 0x00000000 (0x7e520000)
  12 0x00000003 (0x00905a4d)
...

Wine-dbg>info reg
Register dump:
 CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b
 EIP:437b7e8b ESP:0024bab0 EBP:0024bb78 EFLAGS:00000202(   - --  I   - - - )
 EAX:00000001 EBX:7e50e000 ECX:00008620 EDX:00000000
 ESI:7e4d0e40 EDI:0012df04

Wine-dbg>bt
Backtrace:
=>0 0x43725bc0 in libnvidia-glcore.so.331.67 (+0x13e3bc0) (0x00000001)
Wine-dbg>si
0x43725bc1: pushl    %edi
Wine-dbg>
0x43725bc2: pushl    %esi
Wine-dbg>
0x43725bc3: pushl    %ebx
Wine-dbg>
0x43725bc4: subl    $0xb06c,%esp
Wine-dbg>
err:seh:setup_exception_record stack overflow 2304 bytes in thread 0039 eip
43725bca esp 00240a30 stack 0x240000-0x242000-0x340000
Process of pid=0038 has terminated
--- snip ---

That "calculation" of course doesn't work with Wine due to the architectural
differences to Windows (kernel/user components/gfx driver split).

There is a way to work around this stupid code though, making the demo still
work.

Dump of PE optional header:

--- snip ---
->Optional Header
   Magic:                        0x010B  (HDR32_MAGIC)
   MajorLinkerVersion:           0x05
   MinorLinkerVersion:           0x00  -> 5.00
   SizeOfCode:                   0x0000E000
   SizeOfInitializedData:        0x00005E00
   SizeOfUninitializedData:      0x00000000
   AddressOfEntryPoint:          0x00007820
   BaseOfCode:                   0x00001000
   BaseOfData:                   0x0000F000
   ImageBase:                    0x00400000
   SectionAlignment:             0x00001000
   FileAlignment:                0x00000200
   MajorOperatingSystemVersion:  0x0004
   MinorOperatingSystemVersion:  0x0000  -> 4.00
   MajorImageVersion:            0x0000
   MinorImageVersion:            0x0000  -> 0.00
   MajorSubsystemVersion:        0x0004
   MinorSubsystemVersion:        0x0000  -> 4.00
   Win32VersionValue:            0x00000000
   SizeOfImage:                  0x00016000
   SizeOfHeaders:                0x00000400
   CheckSum:                     0x00000000
   Subsystem:                    0x0002  (WINDOWS_GUI)
   DllCharacteristics:           0x0000
   SizeOfStackReserve:           0x00100000
   SizeOfStackCommit:            0x00001000
   SizeOfHeapReserve:            0x00100000
   SizeOfHeapCommit:             0x00001000
   LoaderFlags:                  0x00000000
   NumberOfRvaAndSizes:          0x00000010
--- snip ---

'SizeOfStackReserve' -> 0x100000 = 1MB thread stack (Windows default)

Use the following command to patch the executable PE optional header, changing
'SizeOfStackReserve' value to 2MB:

--- snip ---
$ printf '\x20' | dd of=dotdot_TG1900Demo.exe bs=1 seek=226 count=1
conv=notrunc
--- snip ---

$ sha1sum dotdot_non3d.zip
165674571849be7050208b622359821e36358ef0  dotdot_non3d.zip

$ du -sh dotdot_non3d.zip
3.8M    dotdot_non3d.zip

$ wine --version
wine-1.7.23

Regards

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.



More information about the wine-bugs mailing list