[Bug 44656] Multiple applications need ntdll.NtSuspendProcess and ntdll.NtResumeProcess implementation (Crashpad/Chromium/CEF, Oracle Data Visualization Desktop, cbwin)

wine-bugs at winehq.org
Mon Apr 2 13:16:12 CDT 2018


https://bugs.winehq.org/show_bug.cgi?id=44656

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Multiple applications need  |Multiple applications need
                   |ntdll.NtSuspendProcess and  |ntdll.NtSuspendProcess and
                   |ntdll.NtResumeProcess       |ntdll.NtResumeProcess
                   |implementation (Oracle Data |implementation
                   |Visualization Desktop,      |(Crashpad/Chromium/CEF,
                   |cbwin)                      |Oracle Data Visualization
                   |                            |Desktop, cbwin)
           Keywords|                            |source

--- Comment #1 from Anastasius Focht <focht at gmx.net> ---
Hello folks,

found another important usage of this native API:

Crashpad used in Chromium/CEF projects which in turn is used by many popular
apps (Steam, ...)

https://bitbucket.org/chromiumembedded/cef/issues/1995/migrate-from-breakpad-to-crashpad

Example with 'steamwebhelper.exe' process crashing:

--- snip ---
...
00c9:trace:seh:raise_exception code=c0000005 flags=0 addr=0x18208dc ip=018208dc tid=00c9
00c9:trace:seh:raise_exception  info[0]=00000000
00c9:trace:seh:raise_exception  info[1]=0000002c
00c9:trace:seh:raise_exception  eax=00000000 ebx=0000000c ecx=00000008 edx=00000000 esi=00000008 edi=00000008
00c9:trace:seh:raise_exception  ebp=0033b7fc esp=0033b7f8 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00210246
00c9:trace:seh:call_stack_handlers calling handler at 0x650a58 code=c0000005 flags=0
00c9:trace:seh:call_stack_handlers handler at 0x650a58 returned 1
00c9:trace:seh:call_stack_handlers calling handler at 0x650c98 code=c0000005 flags=0
...
0091:fixme:ntdll:NtSuspendProcess stub: 0xf0
[0402/195414.122:ERROR:scoped_process_suspend.cc(31)] NtSuspendProcess: <failed to retrieve error message (0x13d)> (0xc0000002)
...
--- snip ---

Code:

--- snip ---
...
036C42E9  PUSH ESI
036C42EA  MOV ESI,libcef.04B71114
036C42EF  PUSH ESI
036C42F0  CALL libcef.033EF85F
036C42F5  CMP DWORD PTR DS:[4B71114],-1
036C42FC  POP ECX
036C42FD  JNZ SHORT libcef.036C42DD
036C42FF  PUSH 1
036C4301  PUSH libcef.0461197C          ; ASCII "::NtResumeProcess"
036C4306  PUSH libcef.048759CC          ; UNICODE "ntdll.dll"
036C430B  CALL libcef.02B21EEF
036C4310  PUSH ESI
036C4311  MOV DWORD PTR DS:[4B71110],EAX
036C4316  CALL libcef.033EF820
036C431B  ADD ESP,10
036C431E  JMP SHORT libcef.036C42DD
036C4320  PUSH EBP
036C4321  MOV EBP,ESP
036C4323  MOV EAX,DWORD PTR FS:[2C]
036C4329  MOV ECX,DWORD PTR DS:[4B6E5A4]
036C432F  MOV ECX,DWORD PTR DS:[EAX+ECX*4]
036C4332  MOV EAX,DWORD PTR DS:[4B7110C]
036C4337  CMP EAX,DWORD PTR DS:[ECX+18]
036C433D  JLE SHORT libcef.036C4342
036C433F  JMP SHORT libcef.036C434D
036C4341  POP ESI
036C4342  PUSH DWORD PTR SS:[EBP+8]
036C4345  CALL DWORD PTR DS:[4B71108]   ; ntdll.NtSuspendProcess
036C434B  POP EBP
036C434C  RETN
...
036C434D  PUSH ESI
036C434E  MOV ESI,libcef.04B7110C
036C4353  PUSH ESI
036C4354  CALL libcef.033EF85F
036C4359  CMP DWORD PTR DS:[4B7110C],-1
036C4360  POP ECX
036C4361  JNZ SHORT libcef.036C4341
036C4363  PUSH 1
036C4365  PUSH libcef.04611968          ; ASCII "::NtSuspendProcess"
036C436A  PUSH libcef.048759CC          ; UNICODE "ntdll.dll"
036C436F  CALL libcef.02B21EEF
036C4374  PUSH ESI
036C4375  MOV DWORD PTR DS:[4B71108],EAX
036C437A  CALL libcef.033EF820
036C437F  ADD ESP,10
036C4382  JMP SHORT libcef.036C4341
036C4384  PUSH EBP
036C4385  MOV EBP,ESP
036C4387  MOV EAX,DWORD PTR FS:[2C]
036C438D  MOV ECX,DWORD PTR DS:[4B6E5A4]
036C4393  MOV ECX,DWORD PTR DS:[EAX+ECX*4]
036C4396  MOV EAX,DWORD PTR DS:[4B7111C]
036C439B  CMP EAX,DWORD PTR DS:[ECX+18]
036C43A1  JLE SHORT libcef.036C43A6
036C43A3  JMP SHORT libcef.036C43B7
036C43A5  POP ESI
036C43A6  PUSH DWORD PTR SS:[EBP+10]
036C43A9  PUSH DWORD PTR SS:[EBP+C]
036C43AC  PUSH DWORD PTR SS:[EBP+8]
036C43AF  CALL DWORD PTR DS:[4B71118]
036C43B5  POP EBP
036C43B6  RETN
036C43B7  PUSH ESI
036C43B8  MOV ESI,libcef.04B7111C
036C43BD  PUSH ESI
036C43BE  CALL libcef.033EF85F
036C43C3  CMP DWORD PTR DS:[4B7111C],-1
036C43CA  POP ECX
036C43CB  JNZ SHORT libcef.036C43A5
036C43CD  PUSH 1
036C43CF  PUSH libcef.04611990      ; ASCII "::RtlGetUnloadEventTraceEx"
036C43D4  PUSH libcef.048759CC      ; UNICODE "ntdll.dll"
036C43D9  CALL libcef.02B21EEF
036C43DE  PUSH ESI
036C43DF  MOV DWORD PTR DS:[4B71118],EAX
...
--- snip ---

The disassembly highlights another problem/crash reason, which I will create a
separate bug report for.

Source:

https://github.com/electron/crashpad/blob/HEAD/util/win/scoped_process_suspend.cc

$ wine --version
wine-3.5

Regards
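
A triage script for logs like the one in this comment, added here as an illustration; it is not part of the original bug comment, Wine or Crashpad. It pairs each Wine `fixme ... stub` line with the application error line that names the same function and decodes the NTSTATUS values; the function names (`triage`, `failing_stubs`, `status_name`) and the regexes are assumptions based on the log layout shown above.

```python
import re

# NTSTATUS values that appear in the log above (names as in the Windows SDK's ntstatus.h).
NTSTATUS_NAMES = {0xC0000002: "STATUS_NOT_IMPLEMENTED", 0xC0000005: "STATUS_ACCESS_VIOLATION"}

# Wine debug line: "<tid>:<class>:<channel>:<function> <message>"
WINE_LINE = re.compile(r"^(?P<tid>[0-9a-f]{4}):(?P<cls>\w+):(?P<chan>\w+):(?P<func>\w+) (?P<msg>.*)$")
EXC_CODE = re.compile(r"\bcode=(?P<code>[0-9a-f]{8})\b")
# Chromium-style line written by the application itself, ending in "(0x<ntstatus>)".
APP_ERROR = re.compile(r"^\[[^\]]*:ERROR:(?P<src>[^\]]+)\] (?P<api>\w+): .*\(0x(?P<status>[0-9a-f]{8})\)$")

def status_name(hex_text):
    """Map a hex NTSTATUS string to its symbolic name, or back to hex if unknown."""
    value = int(hex_text, 16)
    return NTSTATUS_NAMES.get(value, hex(value))

def triage(log_text):
    """Return (stubs, exceptions, app_errors) found in a Wine debug log."""
    stubs, exceptions, app_errors = [], [], []
    for line in log_text.splitlines():
        m = WINE_LINE.match(line)
        if m:
            if m["cls"] == "fixme" and m["msg"].startswith("stub"):
                stubs.append((m["tid"], m["func"]))
            elif m["func"] == "raise_exception":
                c = EXC_CODE.search(m["msg"])
                if c:
                    exceptions.append((m["tid"], status_name(c["code"])))
            continue
        a = APP_ERROR.match(line)
        if a:
            app_errors.append((a["src"], a["api"], status_name(a["status"])))
    return stubs, exceptions, app_errors

def failing_stubs(log_text):
    """Stubbed functions that the application also reported as failing, with the status."""
    stubs, _, app_errors = triage(log_text)
    failed = {api: status for _, api, status in app_errors}
    return [(func, failed[func]) for _, func in stubs if func in failed]

# Sample input: lines from the log above, with the mail's line wraps joined.
SAMPLE = """\
00c9:trace:seh:raise_exception code=c0000005 flags=0 addr=0x18208dc ip=018208dc tid=00c9
00c9:trace:seh:call_stack_handlers calling handler at 0x650a58 code=c0000005 flags=0
0091:fixme:ntdll:NtSuspendProcess stub: 0xf0
[0402/195414.122:ERROR:scoped_process_suspend.cc(31)] NtSuspendProcess: <failed to retrieve error message (0x13d)> (0xc0000002)
"""

if __name__ == "__main__":
    print(failing_stubs(SAMPLE))
```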
