[Bug 43774] New: Chromium-based browser engine (CEFv3) used by several games crashes on shutdown (World of Warships 0.6.x)

wine-bugs at winehq.org wine-bugs at winehq.org
Sun Sep 24 07:49:25 CDT 2017


https://bugs.winehq.org/show_bug.cgi?id=43774

            Bug ID: 43774
           Summary: Chromium-based browser engine (CEFv3) used by several
                    games crashes on shutdown (World of Warships 0.6.x)
           Product: Wine
           Version: 2.17
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ntdll
          Assignee: wine-bugs at winehq.org
          Reporter: focht at gmx.net
      Distribution: ---

Hello folks,

To track https://source.winehq.org/patches/data/137313:

--- quote ---
ntdll: Do not queue a completion status if pipe ops fail synchronously.

This fixes random crashes when exiting Chromium or shutting down CEF.
It is similar to 7a1142035d7ee04839417176ff93fd0953e2a4e1, just for pipes.
--- quote ---

Can be reproduced with games that use Chromium/CEFv3 as an in-game browser, for
example World of Warships 0.6.x.
In World of Warships 0.6.x, switch multiple times between the "[Port]" and "[CLAN]"
tabs (the CLAN page uses the in-game browser) to force a crash.
With the patch applied the crash disappears.

NOTE: Currently Wine-Staging must be used to reproduce this, because there are still
some patches missing from vanilla Wine
(https://github.com/wine-compholio/wine-staging/tree/master/patches/kernel32-Named_Pipe
etc.)

--- snip ---
0x11fc9c62: int    $3
Modules:
Module    Address            Debug info    Name (186 modules)
PE      400000-  514000    Deferred        cef_browser_process
PE     1c20000- 1c94000    Deferred        chrome_elf
PE    10000000-14113000    Export          libcef
ELF    7a800000-7a942000    Deferred        opengl32<elf>
  \-PE    7a840000-7a942000    \               opengl32
ELF    7b400000-7b7f5000    Deferred        kernel32<elf>
  \-PE    7b420000-7b7f5000    \               kernel32
ELF    7bc00000-7bd15000    Dwarf           ntdll<elf>
  \-PE    7bc30000-7bd15000    \               ntdll
ELF    7c000000-7c004000    Deferred        <wine-loader> 
...
0000015f (D) C:\Games\World_of_Warships\cef\cef_browser_process.exe
    [C:/Games/World_of_Warships/cef/cef_browser_process.exe
--user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/39.0.2171.95 Safari/537.36 WOWS/1.0"
--cache-path="C:/Games/World_of_Warships/profile/cef_cache" --disable-gpu
--disable-gpu-compositing --enable-begin-frame-scheduling --max-frame-rate=30
--log-severity="info" --accept-language-list="en" --id=138]
    000001cb    0
...
    00000172    0 <== 
...
--- snip ---

Disassembly:

--- snip ---
...
11FC9C0D   50               PUSH EAX
11FC9C0E   6A 60            PUSH 60
; ASCII "y:\work\cef3_git\chromium\src\mojo\edk\system\channel_win.cc"
11FC9C10   68 E86E6913      PUSH libcef.13696EE8  
11FC9C15   68 286F6913      PUSH libcef.13696F28  ; ASCII "ShutDownImpl"
11FC9C1A   8D4D E0          LEA ECX,DWORD PTR SS:[EBP-20]
11FC9C1D   E8 1E1576FE      CALL libcef.1072B140
11FC9C22   50               PUSH EAX
11FC9C23   8BCE             MOV ECX,ESI
11FC9C25   E8 668176FE      CALL libcef.10731D90
11FC9C2A   8D4D FC          LEA ECX,DWORD PTR SS:[EBP-4]
11FC9C2D   E8 CE290DFE      CALL libcef.1009C600
11FC9C32   5E               POP ESI
11FC9C33   8BE5             MOV ESP,EBP
11FC9C35   5D               POP EBP
11FC9C36   C3               RETN
11FC9C37   55               PUSH EBP
11FC9C38   8BEC             MOV EBP,ESP
11FC9C3A   83EC 0C          SUB ESP,0C
11FC9C3D   53               PUSH EBX
11FC9C3E   8BD9             MOV EBX,ECX
11FC9C40   8BD3             MOV EDX,EBX
11FC9C42   F7DA             NEG EDX
11FC9C44   56               PUSH ESI
11FC9C45   8D43 10          LEA EAX,DWORD PTR DS:[EBX+10]
11FC9C48   1BD2             SBB EDX,EDX
11FC9C4A   23D0             AND EDX,EAX
11FC9C4C   57               PUSH EDI
11FC9C4D   52               PUSH EDX
11FC9C4E   E8 1D7A79FE      CALL libcef.10761670
11FC9C53   8BC8             MOV ECX,EAX
11FC9C55   E8 367B79FE      CALL libcef.10761790
11FC9C5A   8D7B 1C          LEA EDI,DWORD PTR DS:[EBX+1C]
11FC9C5D   833F FF          CMP DWORD PTR DS:[EDI],-1
11FC9C60   75 01            JNZ SHORT libcef.11FC9C63
11FC9C62   CC               INT3  ; triggers CHECK(handle_.is_valid());
11FC9C63   FF37             PUSH DWORD PTR DS:[EDI]
11FC9C65   FF15 E8043513    CALL DWORD PTR DS:[<&KERNEL32.CancelIo>]
11FC9C6B   80BB 85000000 00 CMP BYTE PTR DS:[EBX+85],0
11FC9C72   74 0B            JE SHORT libcef.11FC9C7F
...
--- snip ---

https://chromium.googlesource.com/chromium/src/+/refs/heads/master/mojo/edk/system/channel_win.cc

--- snip ---
void ShutDownOnIOThread() {
  base::MessageLoop::current()->RemoveDestructionObserver(this);
  // BUG(crbug.com/583525): This function is expected to be called once, and
  // |handle_| should be valid at this point.
  CHECK(handle_.is_valid());
  CancelIo(handle_.get().handle);
  if (leak_handle_)
    ignore_result(handle_.release());
  handle_.reset();
  // May destroy the |this| if it was the last reference.
  self_ = nullptr;
}
--- snip ---

Regards

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.
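An added example (not Wine's or Chromium's code, and not part of the bug report above) that models why a completion packet queued for a pipe read that already failed synchronously ends up at the CHECK(handle_.is_valid()) shown in the disassembly. The model assumes the following chain, which is inferred from the report rather than stated in it: ChannelWin's read path already takes its error route when ReadFile fails synchronously, so a later spurious completion packet for that same failed read drives the error route a second time and calls ShutDownOnIOThread on a channel whose handle_ was already reset. The class and function names (Provider, Channel, RunShutdownScenario) are invented for the model, the delegate indirection Chromium has between OnError and shutdown is collapsed into a direct call, and 109 is the ERROR_BROKEN_PIPE value a closed peer produces on Windows.

```cpp
// Model only: a "Provider" plays the role of the Wine pipe implementation plus
// the I/O completion port, a "Channel" plays the role of Chromium's ChannelWin.
// The two providers differ in exactly one thing: whether a completion packet is
// queued for a read that already failed synchronously (pre-patch Wine behaviour).
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <deque>
#include <stdexcept>

namespace model {

// Outcome of an overlapped ReadFile on a pipe handle as seen by the caller.
enum class IoResult { Pending, FailedSynchronously };

struct Completion {
  uint32_t error;  // 0 == success, non-zero == Win32 error (109 == ERROR_BROKEN_PIPE)
  size_t bytes;
};

// Stand-in for the completion port plus the pipe driver's queuing policy.
class Provider {
 public:
  explicit Provider(bool queue_on_sync_failure)
      : queue_on_sync_failure_(queue_on_sync_failure) {}

  // Model of ReadFile on a pipe whose other end is already closed: the call
  // fails synchronously instead of returning ERROR_IO_PENDING.
  IoResult ReadFile(bool peer_closed) {
    if (!peer_closed) return IoResult::Pending;
    if (queue_on_sync_failure_)  // the behaviour the Wine patch removes
      queue_.push_back({109u, 0});
    return IoResult::FailedSynchronously;
  }

  // Returns false when nothing is queued (WAIT_TIMEOUT in the real API).
  bool GetQueuedCompletionStatus(Completion* out) {
    if (queue_.empty()) return false;
    *out = queue_.front();
    queue_.pop_front();
    return true;
  }

 private:
  bool queue_on_sync_failure_;
  std::deque<Completion> queue_;
};

// Minimal stand-in for ChannelWin: a handle, a read path, a completion
// callback and a one-shot shutdown guarded like Chromium's CHECK.
class Channel {
 public:
  explicit Channel(Provider* p) : provider_(p) {}

  void ReadMore(bool peer_closed) {
    // Same shape as ChannelWin: a synchronous failure goes straight to the
    // error path, no completion callback is expected for it.
    if (provider_->ReadFile(peer_closed) == IoResult::FailedSynchronously)
      OnError();
  }

  void OnIOCompleted(const Completion& c) {
    if (c.error != 0) OnError();
  }

  int shutdown_calls() const { return shutdown_calls_; }

 private:
  void OnError() { ShutDownOnIOThread(); }  // delegate hop collapsed in the model

  void ShutDownOnIOThread() {
    ++shutdown_calls_;
    // Mirrors CHECK(handle_.is_valid()) in channel_win.cc: a second call finds
    // the handle already reset and aborts the process (modelled as a throw).
    if (!handle_valid_) throw std::logic_error("CHECK(handle_.is_valid()) failed");
    handle_valid_ = false;  // CancelIo(handle) + handle_.reset() in the real code
  }

  Provider* provider_;
  bool handle_valid_ = true;
  int shutdown_calls_ = 0;
};

// Issue one read against a closed peer, then pump the completion port the way
// an IO thread would. Returns the number of ShutDownOnIOThread calls, or -1 if
// the CHECK fired.
int RunShutdownScenario(bool provider_queues_on_sync_failure) {
  Provider provider(provider_queues_on_sync_failure);
  Channel channel(&provider);
  try {
    channel.ReadMore(/*peer_closed=*/true);
    Completion c{};
    while (provider.GetQueuedCompletionStatus(&c)) channel.OnIOCompleted(c);
  } catch (const std::logic_error&) {
    return -1;
  }
  return channel.shutdown_calls();
}

}  // namespace model

int main() {
  std::printf("pre-patch provider: %d\n", model::RunShutdownScenario(true));
  std::printf("patched provider:   %d\n", model::RunShutdownScenario(false));
  return 0;
}
```

On a real Windows or Wine build the same property is checked without a model: create a pipe pair, associate the server end with a completion port, close the client end, issue an overlapped ReadFile on the server end and then call GetQueuedCompletionStatus with a zero timeout. The read must fail immediately with ERROR_BROKEN_PIPE, and the port call must return FALSE with GetLastError() == WAIT_TIMEOUT, i.e. no packet was queued for the synchronously failed operation.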
