[Bug 35432] Wine builtin 'services.exe' crashes during prefix startup (service timeout, APC corrupts stack)

wine-bugs at winehq.org wine-bugs at winehq.org
Sun Nov 9 16:26:18 CST 2014 

https://bugs.winehq.org/show_bug.cgi?id=35432

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
                 CC|                            |focht at gmx.net
            Version|1.4-rc3                     |1.4.1
            Summary|config wine                 |Wine builtin 'services.exe'
                   |                            |crashes during prefix
                   |                            |startup (service timeout,
                   |                            |APC corrupts stack)
     Ever confirmed|0                           |1

--- Comment #3 from Anastasius Focht <focht at gmx.net> ---
Hello folks,

crashes in Wine builtins should be taken seriously - even with old Wine
versions :)

With little information given in the bug, following deduction...

Faulting thread 0xf -> service program main thread (#1)

'service_start+0x29f()' is probably inlined 'service_start_process()' and leafs
code (function is static).

http://source.winehq.org/git/wine.git/blob/154aef98d88f16acbcc029d298cc21227b87d305:/programs/services/services.c#l800

The value 0x8000000a in EAX translates to 'STATUS_HANDLES_CLOSED'.
Wineserver 'free_async_queue' for example sets this code.

Speculation: a service/control pipe timeout causes I/O cancellation/teardown
which queues APC.
It's likely that the queued APC is executed on the main thread (in alertable
wait).
The APC is somehow messing up the stack, causing the crash.

--- snip ---
Unhandled exception: page fault on execute access to 0x8000000a in 32-bit code
(0x8000000a).
Register dump:
 CS:0073 SS:007b DS:007b ES:007b FS:0033 GS:003b
 EIP:8000000a ESP:0033fce4 EBP:0033fcf8 EFLAGS:00010246(  R- --  I  Z- -P- )
 EAX:00000001 EBX:7ed66000 ECX:00000000 EDX:00000000
 ESI:bfd99e24 EDI:00000000
Stack dump:
0x0033fce4:  00000000 00000000 000000b4 7ed66000
0x0033fcf4:  7ed66000 0033fd58 7ed53f70 00110dc8
0x0033fd04:  000000c4 0033fdb8 00000001 00000100
0x0033fd14:  00000100 00002710 00000000 00110944
0x0033fd24:  00000080 000000c4 0000041d 00113330
0x0033fd34:  7ed66000 0033fd58 7ed530e3 00110cac
Backtrace:
=>0 0x8000000a (0x0033fcf8)
  1 0x7ed53f70 service_start+0x29f() in services (0x0033fd58)
  2 0x7ed524e0 in services (+0x124df) (0x0033fdc8)
  3 0x7ed542af main+0xb0() in services (0x0033fe08)
...
  17 0x7bf011c6 main+0x13d() in <wine-loader> (0xbfd9b228)
  18 0xb7462905 __libc_start_main+0xf4(main=0x7bf01088, argc=0x2,
ubp_av=0xbfd9b2c4, init=0x7bf011f0, fini=0x7bf01260, rtld_fini=0xb77895f0,
stack_end=0xbfd9b2bc) [/build/buildd/eglibc-2.17/csu/libc-start.c:260] in
libc.so.6 (0x00000000)
0x8000000a: addb    %al,0x0(%eax)
Modules:
Module    Address            Debug info    Name (25 modules)
ELF    7b800000-7ba43000    Dwarf           kernel32<elf>
  \-PE    7b810000-7ba43000    \               kernel32
...
ELF    7ed3a000-7ed67000    Dwarf           services<elf>
  \-PE    7ed40000-7ed67000    \               services
...
Threads:
process  tid      prio (all id:s are in hex)
...
0000000e (D) C:\windows\system32\services.exe
    0000001e    0
    0000001d    0
    00000010    0
    0000000f    0 <==
--- snip ---

I found a similar case here: https://forum.winehq.org/viewtopic.php?f=8&t=19255

--- snip ---
err:service:service_send_start_message service L"DigiRefresh" failed to start
wine: Unhandled page fault on execute access to 0x8000000a at address
0x8000000a (thread 000f), starting debugger...
--- snip ---

Regards

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.

More information about the wine-bugs mailing list