[Bug 38162] New: Winemenubuilder occasionally crashes during WINEPREFIX update (race between placeholder icon extraction and placeholder update)

wine-bugs at winehq.org
Sat Feb 28 10:58:25 CST 2015


https://bugs.winehq.org/show_bug.cgi?id=38162

            Bug ID: 38162
           Summary: Winemenubuilder occasionally crashes during WINEPREFIX
                    update (race between placeholder icon extraction and
                    placeholder update)
           Product: Wine
           Version: 1.7.37
          Hardware: x86
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: programs
          Assignee: wine-bugs at winehq.org
          Reporter: focht at gmx.net
      Distribution: ---

Hello folks,

split off from bug 19241

André unfortunately reopened that bug with this different issue.

I've seen this rarely on my machines too but didn't find it interesting enough
to investigate - until now.

--- snip ---
Unhandled exception: page fault on read access to 0x00480244 in 32-bit code
(0x7ed7c950).
Register dump:
 CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b
 EIP:7ed7c950 ESP:0033f8e0 EBP:0033f9d8 EFLAGS:00010216(  R- --  I   -A-P- )
 EAX:00480240 EBX:7ed92000 ECX:0033f9e0 EDX:0033f99c
 ESI:0033fd80 EDI:00000000
Stack dump:
0x0033f8e0:  00000000 7b8c1000 0012d4f0 00110000
0x0033f8f0:  7bcd3000 0033f9e0 0033f938 0033f920
0x0033f900:  7b8c1000 0033f9e0 0033f938 0001fcd4
0x0033f910:  7bcdbf44 00460000 00000000 00000000
0x0033f920:  00110000 00000002 0033f950 00000000
0x0033f930:  0033f9e0 00000000 0033f968 7bc70efa
000c: sel=0067 base=00000000 limit=00000000 16-bit r-x
Backtrace:

=>0 0x7ed7c950 add_module_icons_to_stream+0x6c(iconData16=(nil),
hModule=0x460001, grpIconDir=0x480240)
[/home/focht/projects/wine/wine.repo/src/programs/winemenubuilder/winemenubuilder.c:651]
in winemenubuilder (0x0033f9d8)

  1 0x7ed7da2d
open_module_icon+0x29b(szFileName="C:\windows\system32\winhlp32.exe", nIndex=0,
ppStream=0x33fad8)
[/home/focht/projects/wine/wine.repo/src/programs/winemenubuilder/winemenubuilder.c:914]
in winemenubuilder (0x0033fa68)

  2 0x7ed7e12c open_icon+0x2a(filename="C:\windows\system32\winhlp32.exe",
index=0, bWait=0, ppStream=0x33fad8)
[/home/focht/projects/wine/wine.repo/src/programs/winemenubuilder/winemenubuilder.c:1056]
in winemenubuilder (0x0033faa8)

  3 0x7ed7e962 extract_icon+0xb0(icoPathW="C:\windows\system32\winhlp32.exe",
index=0, destFilename=0x0(nil), bWait=0)
[/home/focht/projects/wine/wine.repo/src/programs/winemenubuilder/winemenubuilder.c:1370]
in winemenubuilder (0x0033fb08)

  4 0x7ed82d00
generate_associations+0x6a5(xdg_data_home="/home/focht/.local/share",
packages_dir="/home/focht/.local/share/mime/packages",
applications_dir="/home/focht/.local/share/applications")
[/home/focht/projects/wine/wine.repo/src/programs/winemenubuilder/winemenubuilder.c:2677]
in winemenubuilder (0x0033fc68)

  5 0x7ed85d72 RefreshFileTypeAssociations+0x284()
[/home/focht/projects/wine/wine.repo/src/programs/winemenubuilder/winemenubuilder.c:3367]
in winemenubuilder (0x0033fce8)

  6 0x7ed86dcf wWinMain+0x102(hInstance=<couldn't compute location>,

  22 0xf7406963 __libc_start_main+0xf2() in libc.so.6 (0x00000000)
0x7ed7c950 add_module_icons_to_stream+0x6c
[/home/focht/projects/wine/wine.repo/src/programs/winemenubuilder/winemenubuilder.c:651]
in winemenubuilder: movzwl    0x4(%eax),%eax
651        for (i = 0; i < grpIconDir->idCount; i++)
Modules:
Module    Address            Debug info    Name (53 modules)
PE    53000000-530b4000    Deferred        windowscodecs
ELF    7b800000-7ba67000    Dwarf           kernel32<elf>
  \-PE    7b810000-7ba67000    \               kernel32
ELF    7bc00000-7bcf0000    Dwarf           ntdll<elf>
  \-PE    7bc10000-7bcf0000    \               ntdll
ELF    7bf00000-7bf04000    Dwarf           <wine-loader>
...
Threads:
process  tid      prio (all id:s are in hex)
...
0000000c (D) C:\windows\system32\winemenubuilder.exe
    0000000d    0 <== 
--- snip ---

'winemenubuilder' is started asynchronously before the prefix update via the
'RunServices' registry key.

The prefix update rewrites Wine's builtin placeholders in the prefix.
Since 'winemenubuilder' was started asynchronously, it might still populate
placeholders at this time, mapping them into memory and extracting icon
resources.

Source:
http://source.winehq.org/git/wine.git/blob/cbc8f3c81148079a17f4062fb9bad6569107fb34:/programs/winemenubuilder/winemenubuilder.c#l876

--- snip ---
 876 hModule = LoadLibraryExW(szFileName, 0, LOAD_LIBRARY_AS_DATAFILE);
--- snip ---

-> FILE_SHARE_READ

This doesn't prevent concurrently running processes from writing to the
placeholder files, which indeed happens during rundll32's processing of 'wine.inf'.

In rare situations, Winemenubuilder hits the jackpot - being affected by the
concurrent rewrite of the placeholder while peeking at the in-memory image
(PE/resource directory entries).

Source:
http://source.winehq.org/git/wine.git/blob/57c54bc9ad1e13ee7cd730b2ffb4df834bf02a17:/programs/wineboot/wineboot.c#l1236

--- snip ---
1236     ProcessRunKeys( HKEY_LOCAL_MACHINE, RunServicesOnceW, TRUE, FALSE );
1237
1238     if (init || (kill && !restart))
1239     {
1240         ProcessRunKeys( HKEY_LOCAL_MACHINE, RunServicesW, FALSE, FALSE );
1241         start_services_process();
1242     }
1243     if (init || update) update_wineprefix( update );
...
--- snip ---

A solution to prevent this race is to move the asynchronous execution of
'winemenubuilder' after the prefix update (which runs synchronously).

This also avoids the situation where 'winemenubuilder' manages to extract
potentially outdated icon resources before the placeholders are overwritten by
newer versions with different icons.

Regards
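
A model of the hazard described in this report, as an added example that is not part of the original report and not Wine code: a POSIX `MAP_SHARED` read-only view stands in for the `LOAD_LIBRARY_AS_DATAFILE` mapping, and an in-place `pwrite` stands in for the prefix update. The file layout, `DIR_OFF` and all function names are constructed for illustration; only the `idCount` field at offset 4 of the group icon directory (the read at line 651) is taken from the report.

```c
#define _XOPEN_SOURCE 700
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
#define IMG_SIZE   4096   /* constructed placeholder size */
#define DIR_OFF    0x240  /* constructed offset of the group icon directory */
#define ENTRY_SIZE 14     /* packed GRPICONDIRENTRY */

/* Read GRPICONDIR.idCount (offset 4) only if header and entries fit in the view. */
static int checked_icon_count(const uint8_t *view, size_t size, size_t off) {
    uint16_t count;
    if (off > size || size - off < 6) return -1;
    memcpy(&count, view + off + 4, sizeof count);
    return (size - off - 6) / ENTRY_SIZE < count ? -1 : count;
}

/* Write a constructed image whose directory claims `count` icons. */
static int write_image(int fd, uint16_t count) {
    uint8_t img[IMG_SIZE] = {0};
    memcpy(img + DIR_OFF + 4, &count, sizeof count);
    return pwrite(fd, img, sizeof img, 0) == (ssize_t)sizeof img ? 0 : -1;
}

/* before/after: counts seen through the shared view; snap: count from a private copy. */
int run_race_model(int *before, int *after, int *snap) {
    static uint8_t copy[IMG_SIZE];
    char path[] = "/tmp/placeholderXXXXXX";
    int fd = mkstemp(path), rc = -1;
    uint8_t *view = (fd < 0 || write_image(fd, 3)) ? MAP_FAILED
                  : mmap(NULL, IMG_SIZE, PROT_READ, MAP_SHARED, fd, 0);
    if (view != MAP_FAILED) {
        *before = checked_icon_count(view, IMG_SIZE, DIR_OFF);
        memcpy(copy, view, IMG_SIZE);   /* private snapshot taken before the rewrite */
        rc = write_image(fd, 0xffff);   /* stand-in for the concurrent prefix update */
        *after = checked_icon_count(view, IMG_SIZE, DIR_OFF);
        *snap = checked_icon_count(copy, IMG_SIZE, DIR_OFF);
        munmap(view, IMG_SIZE);
    }
    if (fd >= 0) { close(fd); unlink(path); }
    return rc;
}

int main(void) {
    int b = 0, a = 0, s = 0;
    if (run_race_model(&b, &a, &s)) return 1;
    printf("before=%d after=%d snapshot=%d\n", b, a, s);
    return 0;
}
```

The shared view changes underneath the reader after the rewrite, so the count has to be validated at the point of use; the private snapshot keeps the value it had when it was taken.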
