[Bug 44897] New: Multiple applications using Crashpad/Chromium/CEF in Win7+ mode crash on unimplemented function ntdll.RtlGetUnloadEventTraceEx (Steam client)

wine-bugs at winehq.org wine-bugs at winehq.org
Mon Apr 2 13:25:58 CDT 2018


https://bugs.winehq.org/show_bug.cgi?id=44897

            Bug ID: 44897
           Summary: Multiple applications using Crashpad/Chromium/CEF in
                    Win7+ mode crash on unimplemented function
                    ntdll.RtlGetUnloadEventTraceEx (Steam client)
           Product: Wine
           Version: 3.5
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ntdll
          Assignee: wine-bugs at winehq.org
          Reporter: focht at gmx.net
      Distribution: ---

Hello folks,

related a bit to bug 44656 ("Multiple applications need ntdll.NtSuspendProcess
and ntdll.NtResumeProcess implementation (Crashpad/Chromium/CEF, Oracle Data
Visualization Desktop, cbwin)")

The 'steamwebhelper.exe' process crashes, which triggers the crash reporting via
'Crashpad' (part of Chromium/CEF):

--- snip ---
00c9:trace:seh:raise_exception code=c0000005 flags=0 addr=0x18208dc ip=018208dc tid=00c9
00c9:trace:seh:raise_exception  info[0]=00000000
00c9:trace:seh:raise_exception  info[1]=0000002c
00c9:trace:seh:raise_exception  eax=00000000 ebx=0000000c ecx=00000008 edx=00000000 esi=00000008 edi=00000008
00c9:trace:seh:raise_exception  ebp=0033b7fc esp=0033b7f8 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00210246
00c9:trace:seh:call_stack_handlers calling handler at 0x650a58 code=c0000005 flags=0
00c9:trace:seh:call_stack_handlers handler at 0x650a58 returned 1
00c9:trace:seh:call_stack_handlers calling handler at 0x650c98 code=c0000005 flags=0
00c9:trace:seh:call_stack_handlers handler at 0x650c98 returned 1
00c9:trace:seh:call_stack_handlers calling handler at 0x5953d0 code=c0000005 flags=0
00c9:trace:seh:call_stack_handlers handler at 0x5953d0 returned 1
00c9:trace:seh:call_stack_handlers calling handler at 0x7b48f4cc code=c0000005 flags=0
--- snip ---

This causes another crash in the crash reporting itself:

--- snip ---
...
0091:fixme:ntdll:NtSuspendProcess stub: 0xf0
[0402/195414.122:ERROR:scoped_process_suspend.cc(31)] NtSuspendProcess: <failed to retrieve error message (0x13d)> (0xc0000002)
...
0091:trace:seh:raise_exception code=c0000005 flags=0 addr=(nil) ip=00000000 tid=0091
0091:trace:seh:raise_exception  info[0]=00000008
0091:trace:seh:raise_exception  info[1]=00000000
0091:trace:seh:raise_exception  eax=00000000 ebx=00000000 ecx=05acf7bc edx=ffffffff esi=05acfb08 edi=05acfb98
0091:trace:seh:raise_exception  ebp=05acf7dc esp=05acf7cc cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010206
0091:trace:seh:call_stack_handlers calling handler at 0x7bcb17b2 code=c0000005 flags=0
wine: Unhandled page fault on execute access to 0x00000000 at address (nil) (thread 0091), starting debugger...
--- snip ---

Disassembly of crash location:

--- snip ---
...
036C434D  PUSH ESI
036C434E  MOV ESI,libcef.04B7110C
036C4353  PUSH ESI
036C4354  CALL libcef.033EF85F
036C4359  CMP DWORD PTR DS:[4B7110C],-1
036C4360  POP ECX
036C4361  JNZ SHORT libcef.036C4341
036C4363  PUSH 1
036C4365  PUSH libcef.04611968          ; ASCII "::NtSuspendProcess"
036C436A  PUSH libcef.048759CC          ; UNICODE "ntdll.dll"
036C436F  CALL libcef.02B21EEF
036C4374  PUSH ESI
036C4375  MOV DWORD PTR DS:[4B71108],EAX
036C437A  CALL libcef.033EF820
036C437F  ADD ESP,10
036C4382  JMP SHORT libcef.036C4341
036C4384  PUSH EBP
036C4385  MOV EBP,ESP
036C4387  MOV EAX,DWORD PTR FS:[2C]
036C438D  MOV ECX,DWORD PTR DS:[4B6E5A4]
036C4393  MOV ECX,DWORD PTR DS:[EAX+ECX*4]
036C4396  MOV EAX,DWORD PTR DS:[4B7111C]
036C439B  CMP EAX,DWORD PTR DS:[ECX+18]
036C43A1  JLE SHORT libcef.036C43A6
036C43A3  JMP SHORT libcef.036C43B7
036C43A5  POP ESI
036C43A6  PUSH DWORD PTR SS:[EBP+10]
036C43A9  PUSH DWORD PTR SS:[EBP+C]
036C43AC  PUSH DWORD PTR SS:[EBP+8]
036C43AF  CALL DWORD PTR DS:[4B71118]
036C43B5  POP EBP
036C43B6  RETN
036C43B7  PUSH ESI
036C43B8  MOV ESI,libcef.04B7111C
036C43BD  PUSH ESI
036C43BE  CALL libcef.033EF85F
036C43C3  CMP DWORD PTR DS:[4B7111C],-1
036C43CA  POP ECX
036C43CB  JNZ SHORT libcef.036C43A5
036C43CD  PUSH 1
036C43CF  PUSH libcef.04611990      ; ASCII "::RtlGetUnloadEventTraceEx"
036C43D4  PUSH libcef.048759CC      ; UNICODE "ntdll.dll"
036C43D9  CALL libcef.02B21EEF
036C43DE  PUSH ESI
036C43DF  MOV DWORD PTR DS:[4B71118],EAX
...
--- snip ---

Source code:

https://github.com/electron/crashpad/blob/HEAD/snapshot/win/process_snapshot_win.cc

--- snip ---
void ProcessSnapshotWin::InitializeUnloadedModules() {
  // As documented by https://msdn.microsoft.com/en-us/library/cc678403.aspx
  // we can retrieve the location for our unload events, and use that address in
  // the target process. Unfortunately, this of course only works for
  // 64-reading-64 and 32-reading-32, so at the moment, we simply do not
  // retrieve unloaded modules for 64-reading-32. See
  // https://crashpad.chromium.org/bug/89.

#if defined(ARCH_CPU_X86_64)
  if (!process_reader_.Is64Bit()) {
    LOG(ERROR)
        << "reading unloaded modules across bitness not currently supported";
    return;
  }
  using Traits = process_types::internal::Traits64;
#elif defined(ARCH_CPU_X86)
  using Traits = process_types::internal::Traits32;
#else
#error port
#endif

  ULONG* element_size;
  ULONG* element_count;
  void* event_trace_address;
  RtlGetUnloadEventTraceEx(&element_size, &element_count,
                           &event_trace_address);

  if (*element_size < sizeof(RTL_UNLOAD_EVENT_TRACE<Traits>)) {
    LOG(ERROR) << "unexpected unloaded module list element size";
    return;
  }
...
--- snip ---

Surprise surprise .. some Wine-Staging patchset exists:

https://github.com/wine-staging/wine-staging/tree/master/patches/ntdll-RtlGetUnloadEventTraceEx

There is a bit of traceability here:

https://dev.wine-staging.com/patches/88/

--- quote ---
Adding a stub is a bit difficult as this function can not fail and chromium
tries to access the address unless it encounters a suspicious element size.
Setting the size to zero causes chromium to print a warning without accessing
the memory address.
--- quote ---

$ wine --version
wine-3.5

Regards
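An added example, not Wine's, wine-staging's or Crashpad's own code: a minimal C model of both sides discussed above, the ntdll provider (the zero-element-size stub from the quoted wine-staging comment next to a populated variant) and a Crashpad-style reader that applies the element-size check and strides by the size the provider reports. The struct layout, the ring size, the _stub/_impl suffixes and the record_unload helper are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t ULONG;                   /* assumption: Win32 ULONG is 32 bits */
#define RTL_UNLOAD_EVENT_TRACE_NUMBER 64  /* assumed ring size of the trace */

typedef struct {  /* simplified entry; the real structure carries more fields */
    void *BaseAddress; size_t SizeOfImage; ULONG Sequence; char ImageName[32];
} RTL_UNLOAD_EVENT_TRACE;

static RTL_UNLOAD_EVENT_TRACE unload_traces[RTL_UNLOAD_EVENT_TRACE_NUMBER];
static ULONG unload_count;                /* cell that *element_count points at */

/* Stub in the spirit of the quoted wine-staging comment: it cannot fail, and a
 * zero element size makes the Crashpad-style reader log and return early. */
void RtlGetUnloadEventTraceEx_stub(ULONG **size, ULONG **count, void **trace) {
    static ULONG zero;                    /* zero-initialised static storage */
    *size = &zero; *count = &zero; *trace = unload_traces;  /* empty ring */
}

/* Populated variant: real pointers into the process-wide ring. */
void RtlGetUnloadEventTraceEx_impl(ULONG **size, ULONG **count, void **trace) {
    static ULONG size_cell = sizeof(RTL_UNLOAD_EVENT_TRACE);
    *size = &size_cell; *count = &unload_count; *trace = unload_traces;
}

/* What a loader would do on DLL unload: append an entry to the ring. */
void record_unload(const char *name, void *base, size_t image_size) {
    RTL_UNLOAD_EVENT_TRACE *e = &unload_traces[unload_count % RTL_UNLOAD_EVENT_TRACE_NUMBER];
    e->BaseAddress = base; e->SizeOfImage = image_size; e->Sequence = unload_count++;
    snprintf(e->ImageName, sizeof e->ImageName, "%s", name);
}

/* Crashpad-style reader: copies image names out and returns how many, or -1 when the element size is smaller than its own layout. */
int read_unloaded_modules(void (*get_trace)(ULONG **, ULONG **, void **), char names[][32], int max) {
    ULONG *element_size, *element_count; void *event_trace;
    get_trace(&element_size, &element_count, &event_trace);
    if (*element_size < sizeof(RTL_UNLOAD_EVENT_TRACE)) {
        fprintf(stderr, "unexpected unloaded module list element size\n"); return -1;
    }
    ULONG n = *element_count < RTL_UNLOAD_EVENT_TRACE_NUMBER ? *element_count : RTL_UNLOAD_EVENT_TRACE_NUMBER;
    int out = 0;
    for (ULONG i = 0; i < n && out < max; i++) {
        /* stride by the reported size, not sizeof: a newer ntdll may append fields */
        const char *p = (const char *)event_trace + (size_t)i * *element_size;
        memcpy(names[out++], ((const RTL_UNLOAD_EVENT_TRACE *)p)->ImageName, 32);
    }
    return out;
}
```

With the stub the reader bails out at the size check and never touches the trace memory; with the populated variant it walks the ring using the provider's element size rather than its own sizeof.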
