[Bug 36733] CodeBlocks 13.12 crashes on exit (broken app plugin)

wine-bugs at winehq.org wine-bugs at winehq.org
Sat Jun 14 16:51:46 CDT 2014


https://bugs.winehq.org/show_bug.cgi?id=36733

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |download, source
             Status|UNCONFIRMED                 |NEW
                URL|                            |http://sourceforge.net/proj
                   |                            |ects/codeblocks/files/Binar
                   |                            |ies/13.12/Windows/codeblock
                   |                            |s-13.12-setup.exe
                 CC|                            |focht at gmx.net
            Summary|CodeBlocks fails on exit    |CodeBlocks 13.12 crashes on
                   |                            |exit (broken app plugin)
     Ever confirmed|0                           |1

--- Comment #2 from Anastasius Focht <focht at gmx.net> ---
Hello folks,

confirming.

The crash is in the 'FileManager' plugin, on directory watcher thread teardown.

--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files/CodeBlocks

$ WINEDEBUG=+tid,+seh,+relay,+msvcrt wine ./codeblocks.exe >>log.txt 2>&1
...
0023:Call msvcrt._beginthreadex(00000000,00000000,6ccba6a4,05563b10,00000004,05563b90) ret=6ccb89b6
0023:trace:msvcrt:_beginthreadex ((nil), 0, 0x6ccba6a4, 0x5563b10, 4, 0x5563b90)
0023:Call KERNEL32.CreateThread(00000000,00000000,6ccba6a4,05563b10,00000004,05563b90) ret=7e9742af
0023:Ret  KERNEL32.CreateThread() retval=00000434 ret=7e9742af
0023:Ret  msvcrt._beginthreadex() retval=00000434 ret=6ccb89b6 
...
002a:Call KERNEL32.CreateFileW(0559ad04 L"C:\\",00000001,00000007,00000000,00000003,42000000,00000000) ret=63081cb2
...
002a:Ret  KERNEL32.CreateFileW() retval=00000460 ret=63081cb2 
...
002a:Call KERNEL32.ReadDirectoryChangesW(00000460,05a54220,00001000,00000000,0000017f,00000000,05584b40,630bf50c) ret=63081afd
...
002a:Ret  KERNEL32.ReadDirectoryChangesW() retval=00000001 ret=63081afd 
...
0023:Call KERNEL32.SetEvent(000003ac) ret=630c03ed
0023:Ret  KERNEL32.SetEvent() retval=00000001 ret=630c03ed
...
002a:Call KERNEL32.WaitForMultipleObjectsEx(00000002,05563b34,00000000,ffffffff,00000001) ret=630bfc0a
002a:Ret  KERNEL32.WaitForMultipleObjectsEx() retval=00000001 ret=630bfc0a
002a:Call KERNEL32.GetLastError() ret=630b45e0
002a:Ret  KERNEL32.GetLastError() retval=00000000 ret=630b45e0
002a:Call KERNEL32.CancelIo(00000460) ret=63081941
002a:Call KERNEL32.GetLastError() ret=630b45e0
002a:Ret  KERNEL32.GetLastError() retval=00000000 ret=630b45e0
002a:Call KERNEL32.GetLastError() ret=630b45e0
002a:Ret  KERNEL32.GetLastError() retval=00000000 ret=630b45e0
002a:Call KERNEL32.CloseHandle(00000460) ret=63081b63
002a:Ret  KERNEL32.CloseHandle() retval=00000001 ret=63081b63
002a:Call msvcrt.free(05a54220) ret=63081b77
002a:Call ntdll.RtlFreeHeap(00240000,00000000,05a54220) ret=7e94553d
002a:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7e94553d
002a:Ret  msvcrt.free() retval=00000001 ret=63081b77
002a:Call msvcrt.free(05a53c88) ret=63081b99
002a:Call ntdll.RtlFreeHeap(00240000,00000000,05a53c88) ret=7e94553d
002a:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7e94553d
002a:Ret  msvcrt.free() retval=00000001 ret=63081b99
002a:Call msvcrt.free(05584b40) ret=630bf76b
002a:Call ntdll.RtlFreeHeap(00240000,00000000,05584b40) ret=7e94553d
002a:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7e94553d
002a:Ret  msvcrt.free() retval=00000001 ret=630bf76b
002a:Call msvcrt.free(0559acf8) ret=631064ff
002a:Call ntdll.RtlFreeHeap(00240000,00000000,0559acf8) ret=7e94553d
002a:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7e94553d
002a:Ret  msvcrt.free() retval=00000001 ret=631064ff
002a:Call msvcrt.free(05a53cf0) ret=6310650b
002a:Call ntdll.RtlFreeHeap(00240000,00000000,05a53cf0) ret=7e94553d
002a:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7e94553d
002a:Ret  msvcrt.free() retval=00000001 ret=6310650b
002a:Ret  KERNEL32.CancelIo() retval=00000001 ret=63081941
002a:Call KERNEL32.GetLastError() ret=630b45e0
002a:Ret  KERNEL32.GetLastError() retval=00000000 ret=630b45e0
002a:Call KERNEL32.CloseHandle(0559ad04) ret=63081b63
002a:Ret  KERNEL32.CloseHandle() retval=00000000 ret=63081b63
002a:Call msvcrt.free(05a53ce8) ret=63081b77
002a:Call ntdll.RtlFreeHeap(00240000,00000000,05a53ce8) ret=7e94553d
002a:Ret  ntdll.RtlFreeHeap() retval=00000000 ret=7e94553d
002a:Ret  msvcrt.free() retval=00000000 ret=63081b77
002a:trace:seh:raise_exception code=c0000005 flags=0 addr=0x63081b7e ip=63081b7e tid=002a
002a:trace:seh:raise_exception  info[0]=00000000
002a:trace:seh:raise_exception  info[1]=fffffff4
002a:trace:seh:raise_exception  eax=00000000 ebx=05563b10 ecx=0832e860 edx=05a53ce8 esi=0832fb40 edi=003d0f00
002a:trace:seh:raise_exception  ebp=0832ea68 esp=0832e880 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00210206
002a:trace:seh:call_stack_handlers calling handler at 0x7bc9ecf7 code=c0000005 flags=0
...
wine: Unhandled page fault on read access to 0xfffffff4 at address 0x63081b7e (thread 002a), starting debugger...
002a:trace:seh:start_debugger Starting debugger "winedbg --auto 34 16"
002a:Ret  KERNEL32.UnhandledExceptionFilter() retval=00000000 ret=7bc9ed31
002a:trace:seh:call_stack_handlers handler at 0x7bc9ecf7 returned 1
Unhandled exception: page fault on read access to 0xfffffff4 in 32-bit code (0x63081b7e).
Register dump:
 CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b
 EIP:63081b7e ESP:0832e880 EBP:0832ea68 EFLAGS:00210206(  R- --  I   - -P- )
 EAX:00000000 EBX:05563b10 ECX:0832e860 EDX:05a53ce8
 ESI:0832fb40 EDI:003d0f00
...
Backtrace:
=>0 0x63081b7e in filemanager (+0x1b7e) (0x0832ea68)
  1 0x7bc86851 call_thread_func+0x3e(entry=0x6ccba6a4, arg=0x5563b10, frame=0x832eb68) [/home/focht/projects/wine/wine.repo/src/dlls/ntdll/signal_i386.c:2630] in ntdll (0x0832eb48)
  2 0x7bc867e6 call_thread_entry_point+0x11() in ntdll (0x0832eb68)
  3 0x7bc8dc31 start_thread+0x11a(info=0x7ffbcfb8) [/home/focht/projects/wine/wine.repo/src/dlls/ntdll/thread.c:428] in ntdll (0x0832f3a8)
  4 0xf754c9da start_thread+0xc9() in libpthread.so.0 (0x0832f468)
  5 0xf747ebfe __clone+0x5d() in libc.so.6 (0x00000000)
...
0x63081b7e: movl    0xfffffff4(%eax),%edx
Modules:
Module    Address            Debug info    Name (175 modules)
PE      400000-  5a2000    Deferred        codeblocks
PE     15f0000- 160e000    Deferred        cccc
PE     1620000- 1647000    Deferred        editorconfig
PE     27f0000- 286c000    Deferred        headerfixup
PE     2870000- 28fd000    Deferred        lib_finder
PE     2900000- 29fb000    Deferred        wxflatnotebook
PE     2a00000- 2a2a000    Deferred        occurrenceshighlighting
PE     2a30000- 2a7b000    Deferred        toolsplus
PE     2a80000- 2aa8000    Deferred        reopeneditor
PE     2ab0000- 2b61000    Deferred        spellchecker
PE     37e0000- 38fe000    Deferred        wxsmithcontribitems
PE     3900000- 39e8000    Deferred        wxkwic
PE     39f0000- 3a92000    Deferred        wxtreelist
ELF    4eb20000-4eb3d000    Deferred        libgcc_s.so.1
PE    61500000-6151d000    Deferred        smartindentlua
PE    617c0000-61d19000    Deferred        codeblocks
PE    61d40000-61d5e000    Deferred        smartindentxml
PE    62300000-6231d000    Deferred        xpmanifest
PE    62840000-6285d000    Deferred        copystrings
PE    62980000-629cd000    Deferred        keybinder
PE    62e00000-62edb000    Deferred        hexeditor
PE    63080000-63139000    Export          filemanager 
...
Threads:
process  tid      prio (all id:s are in hex)
...
00000022 (D) C:\Program Files\CodeBlocks\codeblocks.exe
    0000002b    0
    0000002a    0 <==
    00000028    0
    00000027    0
    00000026    0
    00000025    0
    00000024    0
    00000023    0 
--- snip ---

The source code is available:
http://sourceforge.net/projects/codeblocks/files/Sources/13.12/codeblocks_13.12-1.tar.gz

The code quality is so-so (very politely spoken). 

The directory watcher issues read request(s) and puts the thread in alertable
state by calling 'WaitForMultipleObjectsEx'.
This is needed to allow completion routines to be delivered via APC.

On teardown, the outstanding read request is cancelled through 'CancelIo'.
The completion routine gets called, which frees up instance data and removes the
watcher path/mon object from the std::map.

--- snip ---
Wine-dbg>bt

Backtrace:
=>0 0x630bf50c in filemanager (+0x3f50c) (0x0832e498)
  1 0x7bc41fef read_changes_user_apc+0x4d(arg=<couldn't compute location>, io=<couldn't compute location>, reserved=<couldn't compute location>) [/home/focht/projects/wine/wine.repo/src/dlls/ntdll/directory.c:3314] in ntdll (0x0832e4e8)
  2 0x7bc7faa7 invoke_apc+0xda(call=0x832e674, result=0x832e64c) [/home/focht/projects/wine/wine.repo/src/dlls/ntdll/server.c:378] in ntdll (0x0832e5b8)
  3 0x7bc806e7 server_select+0x1ac(select_op=(nil), size=0, flags=0x3, timeout=0x832e7d8) [/home/focht/projects/wine/wine.repo/src/dlls/ntdll/server.c:599] in ntdll (0x0832e6c8)
  4 0x7bc89f20 NtDelayExecution+0x4e(alertable=1, timeout=<couldn't compute location>) [/home/focht/projects/wine/wine.repo/src/dlls/ntdll/sync.c:916] in ntdll (0x0832e728)
  5 0x7bc4b855 NtCancelIoFile+0x127(hFile=<couldn't compute location>, io_status=<couldn't compute location>) [/home/focht/projects/wine/wine.repo/src/dlls/ntdll/file.c:3120] in ntdll (0x0832e808)
  6 0x7b83e2c5 CancelIo+0x23(handle=<couldn't compute location>) [/home/focht/projects/wine/wine.repo/src/dlls/kernel32/file.c:672] in kernel32 (0x0832e848)
  7 0x63081941 in filemanager (+0x1940) (0x0832ea68)
  8 0x7bc86851 call_thread_func+0x3e(entry=0x6ccba6a4, arg=0x5563af8, frame=0x832eb68) [/home/focht/projects/wine/wine.repo/src/dlls/ntdll/signal_i386.c:2630] in ntdll (0x0832eb48)
  9 0x7bc867e6 call_thread_entry_point+0x11() in ntdll (0x0832eb68)
  10 0x7bc8dc31 start_thread+0x11a(info=0x7ffbcfb8) [/home/focht/projects/wine/wine.repo/src/dlls/ntdll/thread.c:428] in ntdll (0x0832f3a8)
  11 0xf755c9da start_thread+0xc9() in libpthread.so.0 (0x0832f468)
...
--- snip ---

Upon return, a check for cancellation failure is done which removes/destroys
the monitor data object.

--- snip ---
  for(MonMap::iterator it=m_monmap.begin();it!=m_monmap.end();++it)
  {
       it->second->ReadCancel();
       if(it->second->m_fail)
       {
           delete it->second;
           m_monmap.erase(it);
       }
  }
--- snip ---

Problem: the instance is no longer valid because the object destructor was
called and the item was removed from std::map within the completion routine
(APC).

Why does this broken code work in Windows?
Well, could be a couple of reasons...

Maybe the completion routine (APC) wasn't called during 'CancelIo', hence the
object is still alive in the std::map after return. It will get called during the
next WaitForMultipleObjectsEx/SleepEx() call (while loop).

Another reason could be differences in the NT heap manager/msvcrt runtime, which
tend to hide use-after-free bugs (block management/metadata).

My personal preference would be 'INVALID'.

$ sha1sum codeblocks-13.12-setup.exe 
2d908cbcea04408fe5869584e49097c288936b27  codeblocks-13.12-setup.exe

$ du -sh codeblocks-13.12-setup.exe 
30M    codeblocks-13.12-setup.exe

$ wine --version
wine-1.7.20

Regards
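As an added illustration (not CodeBlocks' code and not taken from the trace above): a teardown loop that stays correct under both APC delivery timings the comment discusses, because the completion routine only records state and the loop that owns the map does all erasing, using the iterator that erase() returns. DirMonitor, OnReadComplete, CancelRead, MakeWatchers and ShutdownWatchers are assumed names standing in for the plugin's classes; CancelIo and the APC queue are simulated in-process.

```cpp
#include <cstddef>
#include <initializer_list>
#include <map>
#include <memory>
#include <string>
#include <vector>

// Hypothetical stand-in for the plugin's per-directory monitor object.
struct DirMonitor {
    bool completed = false;  // set by the completion routine, nothing else
    bool m_fail = false;     // true if the read ended with an error, not a cancel
};

// The map owns the monitors (keyed by watched path); the APC never touches it.
using MonMap = std::map<std::string, std::unique_ptr<DirMonitor>>;

// Completion routine (APC): records state only. Deleting the monitor or erasing
// it from the map here is what left the teardown loop reading freed memory.
void OnReadComplete(DirMonitor& m, bool cancelled) {
    m.completed = true;
    m.m_fail = !cancelled;
}

// Simulated CancelIo: with 'synchronous' the APC runs before the call returns
// (what the Wine trace shows); otherwise it stays queued until the next alertable wait.
void CancelRead(DirMonitor& m, bool synchronous, std::vector<DirMonitor*>& queued) {
    if (synchronous) OnReadComplete(m, /*cancelled=*/true);
    else queued.push_back(&m);
}

MonMap MakeWatchers(std::initializer_list<const char*> paths) {
    MonMap monmap;
    for (const char* p : paths) monmap[p] = std::unique_ptr<DirMonitor>(new DirMonitor{});
    return monmap;
}

// Teardown: cancel all reads, drain queued APCs (the alertable wait), and only then
// erase entries. Returns the number of monitors destroyed.
std::size_t ShutdownWatchers(MonMap& monmap, bool synchronous) {
    std::vector<DirMonitor*> queued;
    for (auto& kv : monmap) CancelRead(*kv.second, synchronous, queued);
    for (DirMonitor* m : queued) OnReadComplete(*m, /*cancelled=*/true);
    std::size_t removed = 0;
    for (auto it = monmap.begin(); it != monmap.end();) {
        if (it->second->completed) { it = monmap.erase(it); ++removed; }
        else ++it;  // still pending: leave it for the caller to retry
    }
    return removed;
}
```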
