[Bug 50290] New: Thunderbird 78.5.1 device_notify_proc() thread crashes with a stack overflow inside RtlCaptureStackBackTrace()

WineHQ Bugzilla wine-bugs at winehq.org
Tue Dec 8 18:22:21 CST 2020


https://bugs.winehq.org/show_bug.cgi?id=50290

            Bug ID: 50290
           Summary: Thunderbird 78.5.1 device_notify_proc() thread crashes
                    with a stack overflow inside
                    RtlCaptureStackBackTrace()
           Product: Wine
           Version: 6.0-rc1
          Hardware: x86-64
               URL: https://download.mozilla.org/?product=thunderbird-78.5.1-SSL&os=win64&lang=en-US
                OS: Linux
            Status: NEW
          Keywords: download, source
          Severity: normal
          Priority: P2
         Component: -unknown
          Assignee: wine-bugs at winehq.org
          Reporter: z.figura12 at gmail.com
      Distribution: ---

This doesn't actually result in any visible problems with the application
(though I didn't try very hard to use it), but looks like a bug worth fixing
nonetheless. In theory the crash actually breaks device notification, but I'm
not sure what devices Thunderbird is trying to be notified of, or if Wine
actually supports hotplugging them.

The only visible symptom is:

01a0:err:virtual:virtual_setup_exception stack overflow 560 bytes in thread
01a0 addr 0x7f87f3cd7c73 stack 0x19a70dd0 (0x19a70000-0x19a71000-0x1a270000)

This thread is then terminated. It seems that it doesn't affect the rest of the
process. But the exception bothered me, and upon examination it happens inside
of RtlCaptureStackBackTrace().

What the application actually does is to hook LdrLoadDll and then later trigger
delay-loading for some rpcrt4 function from sechost. Inside of the hook it
calls RtlCaptureStackBackTrace(). The problem is that one of the functions is
missing unwinding information. The function in question is
__tailMerge_dlls_rpcrt4_librpcrt4_delay_a, generated by dlltool. It's missing
SEH annotations (and is not in a form compatible with SEH).

The full call stack is something like this:

- RtlCaptureStackBackTrace
- application hook of LdrLoadDll
- LdrResolveDelayLoadedAPI [dlls/ntdll/loader.c]
- __delayLoadHelper2 [sechost.dll, from libs/winecrt0/delay_load.c]
- __tailMerge_dlls_rpcrt4_librpcrt4_delay_a [sechost.dll, from libs/rpcrt4/librpcrt4.delay.a]
- RpcStringBindingComposeW [delay thunk in sechost.dll, tail caller]
- device_notify_proc [sechost.dll, dlls/sechost/service.c]

RtlCaptureStackBackTrace() tries to unwind past the tailMerge function, but
can't, and ends up recursing until the stack overflows. [I didn't actually
investigate why, but I'm assuming that RtlCaptureStackBackTrace() is not what's
broken here.]

Patching dlltool to generate SEH directives allows everything to work nicely;
the crash is avoided and a valid stack backtrace is returned.

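An added illustration, not part of the report above and not code from binutils or Wine: the shape of an x86-64 delay-load tail-merge thunk, first without any unwind metadata and then wrapped in the GNU as `.seh_*` directives that give the unwinder a RUNTIME_FUNCTION/UNWIND_INFO record, which is the kind of change the last paragraph describes. The thunk names, the symbol `__DELAY_IMPORT_DESCRIPTOR_rpcrt4`, and the exact register-save sequence are assumptions modelled on what dlltool emits for a delay-import library; only `__delayLoadHelper2` and the tail-merge concept come from the page.

```asm
# Added example (assumed shape, not dlltool's actual output).
# Contract assumed for the delay thunk that jumps here: %rax holds the
# address of the IAT slot to patch, and %rcx/%rdx/%r8/%r9 still carry the
# original caller's arguments, so they must survive the helper call.

        .text

# --- Before: no unwind information. RtlVirtualUnwind finds no .pdata entry
# covering this code, so a stack walker that reaches a frame inside it
# (e.g. RtlCaptureStackBackTrace called from an LdrLoadDll hook while
# __delayLoadHelper2 is resolving the import) cannot recover the return
# address and cannot continue to device_notify_proc's frame.
        .globl  __tailMerge_unannotated
__tailMerge_unannotated:
        pushq   %rcx
        pushq   %rdx
        pushq   %r8
        pushq   %r9
        subq    $40, %rsp                 # 32-byte shadow space + 8 to realign to 16
        movq    %rax, %rdx                # arg 2: IAT slot to fill in
        leaq    __DELAY_IMPORT_DESCRIPTOR_rpcrt4(%rip), %rcx   # arg 1 (assumed symbol)
        call    __delayLoadHelper2
        addq    $40, %rsp
        popq    %r9
        popq    %r8
        popq    %rdx
        popq    %rcx
        jmp     *%rax                     # tail-jump to the now-resolved import

# --- After: identical instructions, annotated. Each .seh_pushreg and the
# .seh_stackalloc follow the instruction they describe; the assembler encodes
# them as UNWIND_CODEs in .xdata and a RUNTIME_FUNCTION in .pdata, so the
# unwinder can undo the 4 pushes and the 40-byte allocation from any PC in
# the body. The epilogue (add/pop/jmp) matches the x64 epilog pattern the
# unwinder recognises, so the indirect tail jump needs no extra directive.
        .globl  __tailMerge_annotated
        .seh_proc __tailMerge_annotated
__tailMerge_annotated:
        pushq   %rcx
        .seh_pushreg %rcx
        pushq   %rdx
        .seh_pushreg %rdx
        pushq   %r8
        .seh_pushreg %r8
        pushq   %r9
        .seh_pushreg %r9
        subq    $40, %rsp
        .seh_stackalloc 40
        .seh_endprologue
        movq    %rax, %rdx
        leaq    __DELAY_IMPORT_DESCRIPTOR_rpcrt4(%rip), %rcx
        call    __delayLoadHelper2
        addq    $40, %rsp
        popq    %r9
        popq    %r8
        popq    %rdx
        popq    %rcx
        jmp     *%rax
        .seh_endproc
```

To see the difference, assemble the file with a mingw-w64 toolchain (`x86_64-w64-mingw32-as`) and dump the object's `.pdata` and `.xdata` sections with `objdump -s -j .pdata -j .xdata`: only the annotated function contributes a RUNTIME_FUNCTION entry, and only it can be walked past by RtlVirtualUnwind or RtlCaptureStackBackTrace.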