[Bug 38596] Photo Ninja 1.2.5 (32 bit) crashes on startup
wine-bugs at winehq.org
Sun May 17 11:51:47 CDT 2015
https://bugs.winehq.org/show_bug.cgi?id=38596
Anastasius Focht <focht at gmx.net> changed:
What              |Removed     |Added
----------------------------------------------------------------------------
Status            |UNCONFIRMED |NEW
URL               |            |http://picturecode.cachefly.net/photoninja/downloads/Install_PhotoNinja32_1.2.5.exe
CC                |            |focht at gmx.net
Ever confirmed    |0           |1
--- Comment #2 from Anastasius Focht <focht at gmx.net> ---
Hello folks,
confirming.
I've spent some hours on this and came to the conclusion that the crash is the
manifestation of at least one application bug.
It probably just works by chance on Windows due to differences in heap
management and win32 API impl (= affects heap usage).
The first (non-critical) problem is a missing sRGB color profile.
--- snip ---
...
0026:Call msvcr90.fopen(4bb84700
"C:\\windows\\system32\\spool\\drivers\\color\\sRGB Color Space
Profile.icm",00afeb10 "rb") ret=007fa8be
...
0026:trace:msvcrt:MSVCRT__wfsopen
(L"C:\\windows\\system32\\spool\\drivers\\color\\sRGB Color Space
Profile.icm",L"rb")
0026:trace:msvcrt:msvcrt_get_flags L"rb"
0026:trace:msvcrt:MSVCRT__wsopen_s fd*: 0x33f988 :file
(L"C:\\windows\\system32\\spool\\drivers\\color\\sRGB Color Space Profile.icm")
oflags: 0x8000 shflags: 0x0040 pmode: 0x0000
0026:Call KERNEL32.CreateFileW(4bb85418
L"C:\\windows\\system32\\spool\\drivers\\color\\sRGB Color Space
Profile.icm",80000000,00000003,0033f8b4,00000003,00000001,00000000)
ret=7ddeb2c2
0026:Ret KERNEL32.CreateFileW() retval=ffffffff ret=7ddeb2c2
0026:warn:msvcrt:MSVCRT__wsopen_s :failed-last error (2)
0026:trace:msvcrt:MSVCRT__wfsopen :got ((nil))
...
0026:Call msvcr90._vsnprintf(0033f69c,000003ff,00b64048 "File '%s' not
found",0033fab0) ret=007f9e3b
0026:trace:msvcrt:pf_printf_a Format is: "File '%s' not found"
...
0026:Call msvcr90._CxxThrowException(0033fb78,00be335c) ret=0049d8d1
0026:Call KERNEL32.RaiseException(e06d7363,00000001,00000003,0033faa4)
ret=7ddd8881
0026:trace:seh:raise_exception code=e06d7363 flags=1 addr=0x7b83b8ab
ip=7b83b8ab tid=0026
0026:trace:seh:raise_exception info[0]=19930520
0026:trace:seh:raise_exception info[1]=0033fb78
0026:trace:seh:raise_exception info[2]=00be335c
0026:trace:seh:raise_exception eax=7b827485 ebx=7b8c1000 ecx=0000000c
edx=0033f9f4 esi=0033faa0 edi=0033fa60
0026:trace:seh:raise_exception ebp=0033fa38 esp=0033f9d4 cs=0023 ds=002b
es=002b fs=0063 gs=006b flags=00200202
0026:trace:seh:call_stack_handlers calling handler at 0xa57edf code=e06d7363
flags=1
0026:trace:seh:cxx_frame_handler handling C++ exception rec 0x33f9e0 frame
0x33fb6c trylevel 0 descr 0xbeff28 nested_frame (nil)
0026:trace:seh:dump_exception_type flags 0 destr 0x424cb0 handler (nil) type
info 0xbe336c
0026:trace:seh:dump_exception_type 0: flags 0 type 0xc99004
{vtable=0xbbf4ec name=.?AVPcEx@@ ()} offsets 0,-1,0 size 44 copy ctor 0x424c20
0026:trace:seh:dump_exception_type 1: flags 0 type 0xc9934c
{vtable=0xbbf4ec name=.?AVruntime_error@std@@ ()} offsets 0,-1,0 size 40 copy
ctor 0x4092b0
0026:trace:seh:dump_exception_type 2: flags 0 type 0xc99080
{vtable=0xbbf4ec name=.?AVexception@std@@ ()} offsets 0,-1,0 size 12 copy ctor
0xa4698
--- snip ---
Not a problem for the 32-bit version but a deal breaker for 64-bit Photo Ninja
as the resulting C++ exception isn't propagated (bug 35092).
Can be worked around by putting 'sRGB Color Space Profile.icm' into
'$WINEPREFIX/drive_c/windows/system32/spool/drivers/color'.
The actual problem is not visible through tracing, one has to debug the app.
--- snip ---
...
0026:Call ntdll.RtlAllocateHeap(00ee0000,00000000,00000018) ret=7dd47f4b
0026:Ret ntdll.RtlAllocateHeap() retval=4ff43170 ret=7dd47f4b
0026:trace:msvcrt:MSVCRT_operator_new (24) returning 0x4ff43170
0026:Ret msvcr90.??2@YAPAXI@Z() retval=4ff43170 ret=00a14b3e
0026:Call msvcr90.??2@YAPAXI@Z(00001b6e) ret=008ff629
0026:Call ntdll.RtlAllocateHeap(00ee0000,00000000,00001b6e) ret=7dd47f4b
0026:Ret ntdll.RtlAllocateHeap() retval=50098b00 ret=7dd47f4b
0026:trace:msvcrt:MSVCRT_operator_new (7022) returning 0x50098b00
0026:Ret msvcr90.??2@YAPAXI@Z() retval=50098b00 ret=008ff629
0026:Call msvcr90.memmove_s(50098b00,00000002,00000000,00000002) ret=00a14579
0026:trace:msvcrt:MSVCRT_memmove_s (0x50098b00 2 (nil) 2)
0026:err:msvcrt:MSVCRT__invalid_parameter (null):0 (null): (null) 0
0026:Call KERNEL32.RaiseException(c0000417,00000001,00000000,00000000)
ret=7dd366ba
0026:trace:seh:raise_exception code=c0000417 flags=1 addr=0x7b83b8ab
ip=7b83b8ab tid=0026
0026:trace:seh:raise_exception eax=7b827485 ebx=7b8c1000 ecx=0033d090
edx=7b83b81c esi=0033d0e0 edi=0033d0a0
0026:trace:seh:raise_exception ebp=0033d078 esp=0033d014 cs=0023 ds=002b
es=002b fs=0063 gs=006b flags=00200246
0026:trace:seh:call_stack_handlers calling handler at 0xabebe3 code=c0000417
flags=1
0026:trace:seh:call_stack_handlers handler at 0xabebe3 returned 1
0026:trace:seh:call_stack_handlers calling handler at 0xabec61 code=c0000417
flags=1
0026:trace:seh:call_stack_handlers handler at 0xabec61 returned 1
0026:trace:seh:call_stack_handlers calling handler at 0xab56c8 code=c0000417
flags=1
...
--- snip ---
The culprit is an internal structure - allocated on heap - only getting
partially initialized.
Some uninitialized members get accessed and, depending on prior heap usage,
different code paths are taken or, worse, it ends with a crash (Wine).
Internal structure layout on heap:
--- snip ---
$-8 00000018 ; length
$-4 00455355 ; Wine heap magic 'USE'
$+0 ==> 4FF2B3D0 ; .m1 = uninit
$+4 00000000 ; .m2 = zero-init (app)
$+8 00000000 ; .m3 = zero-init (app)
$+C 00000000 ; .m4 = zero-init (app)
$+10 00000002 ; .m5 = uninit
$+14 4FD66500 ; .m6 = uninit
--- snip ---
Relevant app code:
--- snip ---
...
00A14B10 6A FF PUSH -1
00A14B12 68 E3EBAB00 PUSH PhotoNin.00ABEBE3
00A14B17 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
00A14B1D 50 PUSH EAX
00A14B1E 83EC 10 SUB ESP,10
00A14B21 53 PUSH EBX
00A14B22 55 PUSH EBP
00A14B23 56 PUSH ESI
00A14B24 57 PUSH EDI
00A14B25 A1 80FBCC00 MOV EAX,DWORD PTR DS:[CCFB80]
00A14B2A 33C4 XOR EAX,ESP
00A14B2C 50 PUSH EAX
00A14B2D 8D4424 24 LEA EAX,DWORD PTR SS:[ESP+24]
00A14B31 64:A3 00000000 MOV DWORD PTR FS:[0],EAX
00A14B37 6A 18 PUSH 18 ; len = 0x18
00A14B39 E8 E01C0300 CALL <JMP.&MSVCR90.??2@YAPAXI@Z> ; struc alloc
00A14B3E 83C4 04 ADD ESP,4
00A14B41 894424 14 MOV DWORD PTR SS:[ESP+14],EAX
00A14B45 33F6 XOR ESI,ESI
00A14B47 897424 2C MOV DWORD PTR SS:[ESP+2C],ESI
00A14B4B 3BC6 CMP EAX,ESI
00A14B4D 74 09 JE SHORT PhotoNin.00A14B58
00A14B4F 8BC8 MOV ECX,EAX
00A14B51 E8 1373F1FF CALL PhotoNin.0092BE69 ; (partial) struc init
...
0092BE69 56 PUSH ESI
0092BE6A 6A 00 PUSH 0
0092BE6C 8BF1 MOV ESI,ECX
0092BE6E E8 FF38FDFF CALL PhotoNin.008FF772
0092BE73 8BC6 MOV EAX,ESI
0092BE75 5E POP ESI
0092BE76 C3 RETN
...
008FF772 55 PUSH EBP
008FF773 8BEC MOV EBP,ESP
008FF775 56 PUSH ESI
008FF776 33C0 XOR EAX,EAX
008FF778 57 PUSH EDI
008FF779 8B7D 08 MOV EDI,DWORD PTR SS:[EBP+8]
008FF77C 8BF1 MOV ESI,ECX
008FF77E 8946 04 MOV DWORD PTR DS:[ESI+4],EAX ; .m2 = 0
008FF781 8946 08 MOV DWORD PTR DS:[ESI+8],EAX ; .m3 = 0
008FF784 8946 0C MOV DWORD PTR DS:[ESI+C],EAX ; .m4 = 0
008FF787 3BF8 CMP EDI,EAX
...
--- snip ---
--- snip ---
00A14B56 8BF0 MOV ESI,EAX
00A14B58 897424 18 MOV DWORD PTR SS:[ESP+18],ESI
00A14B5C BB 01000000 MOV EBX,1
00A14B61 68 B70D0000 PUSH 0DB7
00A14B66 8BCE MOV ECX,ESI
00A14B68 895C24 30 MOV DWORD PTR SS:[ESP+30],EBX
00A14B6C E8 9FF9FFFF CALL PhotoNin.00A14510 ; fill/copy members (crash)
...
00A14510 8B5424 04 MOV EDX,DWORD PTR SS:[ESP+4] ; arg0 = 0xdb7 (len)
00A14514 56 PUSH ESI
00A14515 8BF1 MOV ESI,ECX ; struc
00A14517 81FA FFFFFF7F CMP EDX,7FFFFFFF
00A1451D 76 05 JBE SHORT PhotoNin.00A14524
00A1451F E8 AEB0EEFF CALL PhotoNin.008FF5D2
00A14524 8B4E 0C MOV ECX,DWORD PTR DS:[ESI+C] ; .m4 (zero-init)
00A14527 85C9 TEST ECX,ECX
00A14529 75 04 JNZ SHORT PhotoNin.00A1452F ; no jump
00A1452B 33C0 XOR EAX,EAX
00A1452D EB 07 JMP SHORT PhotoNin.00A14536
00A1452F 8B46 14 MOV EAX,DWORD PTR DS:[ESI+14]
00A14532 2BC1 SUB EAX,ECX
00A14534 D1F8 SAR EAX,1
00A14536 3BC2 CMP EAX,EDX ; arg0 != 0
00A14538 73 6F JNB SHORT PhotoNin.00A145A9 ; no jump
00A1453A 53 PUSH EBX
00A1453B 57 PUSH EDI
00A1453C 6A 00 PUSH 0
00A1453E 52 PUSH EDX
00A1453F E8 CDB0EEFF CALL PhotoNin.008FF611 ; alloc block2
00A14544 8B7E 10 MOV EDI,DWORD PTR DS:[ESI+10] ; .m5 (uninit)
00A14547 83C4 08 ADD ESP,8
00A1454A 8BD8 MOV EBX,EAX ; EBX = block2
00A1454C 397E 0C CMP DWORD PTR DS:[ESI+C],EDI ; .m4 != .m5
00A1454F 76 06 JBE SHORT PhotoNin.00A14557
00A14551 FF15 C434AD00 CALL DWORD PTR DS:[<&MSVCR90._invalid_parameter>]
00A14557 55 PUSH EBP
00A14558 8B6E 0C MOV EBP,DWORD PTR DS:[ESI+C] ; .m4 (zero-init)
00A1455B 3B6E 10 CMP EBP,DWORD PTR DS:[ESI+10] ; .m4 != .m5 (uninit)
00A1455E 76 06 JBE SHORT PhotoNin.00A14566
00A14560 FF15 C434AD00 CALL DWORD PTR DS:[<&MSVCR90._invalid_parameter>]
00A14566 2BFD SUB EDI,EBP ; .m5 -= .m4
00A14568 D1FF SAR EDI,1 ; /2 still non-zero
00A1456A 74 10 JE SHORT PhotoNin.00A1457C ; skip copy on zero
00A1456C 8D043F LEA EAX,DWORD PTR DS:[EDI+EDI]
00A1456F 50 PUSH EAX ; count
00A14570 55 PUSH EBP ; src
00A14571 50 PUSH EAX ; num elems
00A14572 53 PUSH EBX ; dest = block2
00A14573 FF15 C034AD00 CALL DWORD PTR DS:[<&MSVCR90.memmove_s>]
skip_copy:
...
--- snip ---
There is no code path which initializes .m5 prior to its access.
The alloc/init and the actual member accesses are not that far away and in
synchronous code paths (unlike other cases when the block is allocated and
later accessed through async callbacks/message handlers).
The 64-bit version of Photo Ninja works fine after working around the color
profile problem or overriding the 64-bit msvcr90.dll (the app already ships a
bundled version).
The 64-bit code initializes the same structure differently (size is also
doubled to 0x30 due to 64-bit).
I don't want to post all the 64-bit disassembly for comparison here.
If you want to look/debug on your own, 0x1406f3a70 is the 64-bit app code
equivalent to the 32-bit app code at 0xa14510 (with 0x1406f5cdc being the struc
init).
The 32-bit app should crash/exit the same way on Windows if heap
debugging/poisoning is activated, for example when running the app under a
debugger.
This prevents .m5 from ever having a zero value after allocation (.m5 == NULL
skips the initial copy).
For 32-bit it's IMHO a WONTFIX unless the publisher/developer of the app fixes
their code.
$ sha1sum Install_PhotoNinja32_1.2.5.exe
51ef332f33941c99208fde57444bcac9be79f3cc Install_PhotoNinja32_1.2.5.exe
$ du -sh Install_PhotoNinja32_1.2.5.exe
12M Install_PhotoNinja32_1.2.5.exe
$ wine --version
wine-1.7.43
Regards
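Added example, not code from the bug report or from Photo Ninja: a C model of the partially initialized heap structure and the grow/copy routine the disassembly above describes, showing why the outcome depends on whatever the allocator hands back. The member names m1..m6, the result codes, the constructed fill-byte allocator and the 0xCD poison value are assumptions made for illustration; the real heaps and the exact memmove_s arguments differ. Built as 64-bit the struct is 0x30 bytes, as noted in the comment.

```c
/* Added example: model of the ".m5 uninitialised" pattern from bug 38596.
 * Member names, result codes and the poison byte are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 0x18 bytes on 32-bit, 0x30 on 64-bit. Only m2..m4 are written by the ctor. */
struct buf {
    uintptr_t m1;   /* +0x00: never written by the ctor */
    uintptr_t m2;   /* +0x04: zeroed at 008FF77E */
    uintptr_t m3;   /* +0x08: zeroed at 008FF781 */
    uintptr_t m4;   /* +0x0C: zeroed at 008FF784, used as "begin" */
    uintptr_t m5;   /* +0x10: never written, used as "end" */
    uintptr_t m6;   /* +0x14: never written */
};

/* Constructed allocator (assumption): every fresh block is filled with one
 * byte, so a "clean" heap (0x00) and a poisoning debug heap (e.g. 0xCD) can
 * both be reproduced deterministically. Real heaps return stale contents. */
static void *alloc_filled(size_t n, int fill)
{
    void *p = malloc(n);
    if (p) memset(p, fill, n);
    return p;
}

static void partial_ctor(struct buf *s)   /* mirrors 0092BE69 -> 008FF772 */
{
    s->m2 = 0; s->m3 = 0; s->m4 = 0;      /* .m5 is left as-is */
}

static void full_ctor(struct buf *s)      /* the fix the app would need */
{
    memset(s, 0, sizeof *s);
}

enum { COPY_SKIPPED = 0, COPY_NULL_SRC = 1, BEGIN_AFTER_END = -1 };

/* Mirrors the start of 00A14510. Returns COPY_SKIPPED when (.m5-.m4)/2 == 0
 * (the "works by chance" path), COPY_NULL_SRC when the copy would be
 * memmove_s(block2, n, NULL, n) -> _invalid_parameter / 0xC0000417,
 * BEGIN_AFTER_END when the .m4 > .m5 check trips. */
static int grow_and_copy(struct buf *s, uintptr_t want)
{
    uintptr_t cap = s->m4 ? (s->m5 - s->m4) >> 1 : 0;   /* 00A14524..00A14534 */
    if (cap >= want) return COPY_SKIPPED;                /* 00A14536: JNB */
    uint16_t *block2 = malloc(want * sizeof *block2);    /* 008FF611: block2 */
    if (!block2) abort();
    uintptr_t end = s->m5, begin = s->m4;                /* EDI = .m5, EBP = .m4 */
    if (begin > end) { free(block2); return BEGIN_AFTER_END; }
    uintptr_t count = (end - begin) >> 1;                /* SUB EDI,EBP ; SAR EDI,1 */
    int rc = COPY_SKIPPED;
    if (count != 0) {                                    /* JE skip_copy */
        if (begin == 0)
            rc = COPY_NULL_SRC;                          /* memmove_s with src == NULL */
        else
            memmove(block2, (const void *)begin, count * 2);
    }
    free(block2);
    return rc;
}

/* One run: allocate the struct from a heap that fills with `fill`, run the
 * partial (or fixed) ctor, then grow to 0xDB7 elements as at 00A14B61. */
int run_scenario(int fill, int fixed)
{
    struct buf *s = alloc_filled(sizeof *s, fill);      /* ??2@YAPAXI@Z(0x18) */
    if (!s) abort();
    if (fixed) full_ctor(s); else partial_ctor(s);
    int rc = grow_and_copy(s, 0xDB7);
    free(s);
    return rc;
}

int main(void)
{
    printf("clean heap, partial ctor  : %d\n", run_scenario(0x00, 0));
    printf("poisoned heap, partial    : %d\n", run_scenario(0xCD, 0));
    printf("poisoned heap, full ctor  : %d\n", run_scenario(0xCD, 1));
    return 0;
}
```

With a zero-filled block the stale .m5 happens to be 0, the halved difference is 0 and the copy is skipped, which is the path the app survives on. With any non-zero stale value the copy is attempted with a NULL source, which is what the trace shows as memmove_s(…,(nil),…) followed by _invalid_parameter. Zeroing the whole struct in the constructor makes the result independent of heap history.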