[Bug 21456] Mathematica 4.0 crash (app MONITORENUMPROC with incorrect calling convention, gcc 4.6.x frame pointer omission in Wine code)
WineHQ Bugzilla
wine-bugs at winehq.org
Sun Jan 26 05:02:03 CST 2020
https://bugs.winehq.org/show_bug.cgi?id=21456
Anastasius Focht <focht at gmx.net> changed:
What          |Removed              |Added
----------------------------------------------------------------------------
Component     |-unknown             |build-env
CC            |                     |focht at gmx.net
Summary       |Mathematica 4.0 crash|Mathematica 4.0 crash (app MONITORENUMPROC with incorrect calling convention, gcc 4.6.x frame pointer omission in Wine code)
Fixed by SHA1 |                     |5cfe7db1854ff1142d598eaf49f6050676c8d547
--- Comment #12 from Anastasius Focht <focht at gmx.net> ---
Hello folks,
by coincidence I stumbled across this ticket while looking for bugs to test my
builds of very old Wine versions with modern distros/gcc. Curious as I am -
looking for the root cause and explanations ;-)
It was fixed by commit
https://source.winehq.org/git/wine.git/commitdiff/5cfe7db1854ff1142d598eaf49f6050676c8d547
("configure: Use -fno-omit-frame-pointer when available."), part of Wine 1.3.31
release.
Using Mathematica 4.1 Student edition to reproduce.
--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files (x86)/Wolfram
Research/Mathematica/4.1/SystemFiles/FrontEnd/Binaries/Windows
$ WINEDEBUG=+tid,+seh,+relay wine ./Mathematica.exe >>log.txt 2>&1
...
0023:Call KERNEL32.GetProcAddress(7e6f0000,005cceb8 "EnumDisplayMonitors") ret=0054f14b
0023:Ret KERNEL32.GetProcAddress() retval=7e6fdd7c ret=0054f14b
0023:Call user32.EnumDisplayMonitors(00000000,00000000,0046cba7,005d29b0) ret=0054f173
0023:Call user32.GetMonitorInfoA(00000001,0033e210) ret=0054f08d
0023:Ret user32.GetMonitorInfoA() retval=00000001 ret=0054f08d
0023:Call gdi32.CreateDCA(00000000,0033e238 "\\\\.\\DISPLAY1",00000000,00000000) ret=0046cbe5
0023:Ret gdi32.CreateDCA() retval=000051d8 ret=0046cbe5
0023:Call gdi32.GetDeviceCaps(000051d8,0000000e) ret=0046cbf2
0023:Ret gdi32.GetDeviceCaps() retval=00000001 ret=0046cbf2
0023:Call gdi32.GetDeviceCaps(000051d8,0000000c) ret=0046cbf9
0023:Ret gdi32.GetDeviceCaps() retval=00000020 ret=0046cbf9
0023:Call gdi32.DeleteDC(000051d8) ret=0046cc03
0023:Ret gdi32.DeleteDC() retval=00000001 ret=0046cc03
0023:trace:seh:raise_exception code=c000001d flags=0 addr=0x33e30c ip=0033e30c tid=0023
0023:trace:seh:raise_exception eax=00147834 ebx=7dce4000 ecx=005d29b0 edx=00110060 esi=00000000 edi=00000002
0023:trace:seh:raise_exception ebp=00000068 esp=0033e24c cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00210246
0023:trace:seh:call_vectored_handlers calling handler at 0x7dc588d0 code=c000001d flags=0
0023:trace:seh:call_vectored_handlers handler at 0x7dc588d0 returned 0
...
0023:Call KERNEL32.UnhandledExceptionFilter(0033de10) ret=0058b1ac
wine: Unhandled illegal instruction at address 0x33e30c (thread 0023), starting debugger...
0023:trace:seh:start_debugger Starting debugger "winedbg --auto 34 144"
0023:Ret KERNEL32.UnhandledExceptionFilter() retval=00000000 ret=0058b1ac
0023:trace:seh:call_stack_handlers handler at 0x582910 returned 1
0023:trace:seh:call_stack_handlers calling handler at 0x7efa2c20 code=c000001d flags=0
0023:Call KERNEL32.UnhandledExceptionFilter(0033de08) ret=7efa2c58
0023:Ret KERNEL32.UnhandledExceptionFilter() retval=00000000 ret=7efa2c58
0023:trace:seh:call_stack_handlers handler at 0x7efa2c20 returned 1
Unhandled exception: illegal instruction in 32-bit code (0x0033e30c).
Register dump:
CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b
EIP:0033e30c ESP:0033e24c EBP:00000068 EFLAGS:00210246( R- -- I Z- -P- )
EAX:00147834 EBX:7dce4000 ECX:005d29b0 EDX:00110060
ESI:00000000 EDI:00000002
...
Backtrace:
0x0033e30c: lock jle 0x0033e320
Modules:
Module Address Debug info Name (135 modules)
PE 350000- 360000 Deferred mltcp32.mlp
PE 3d0000- 3e4000 Deferred mlmap32.mlp
PE 400000- 60b000 Deferred mathematica
ELF 7be74000-7bf00000 Deferred libvorbisenc.so.2
...
--- snip ---
Wine 'X11DRV_EnumDisplayMonitors' function:
https://source.winehq.org/git/wine.git/blob/13643f59be7a1ce4b9d7486069b4a4a2ff57d4ed:/dlls/winex11.drv/xinerama.c#l227
Disassembly:
--- snip ---
7DC98837 89F6 MOV ESI,ESI
7DC98839 8DBC27 00000000 LEA EDI,DWORD PTR DS:[EDI]
7DC98840 8D4424 30 LEA EAX,DWORD PTR SS:[ESP+30]
7DC98844 31ED XOR EBP,EBP
7DC98846 894424 0C MOV DWORD PTR SS:[ESP+C],EAX
7DC9884A 8B83 0C760000 MOV EAX,DWORD PTR DS:[EBX+760C]
7DC98850 89EF MOV EDI,EBP
7DC98852 85C0 TEST EAX,EAX
7DC98854 7E D4 JLE SHORT winex11.7DC9882A
7DC98856 8D76 00 LEA ESI,DWORD PTR DS:[ESI]
7DC98859 8DBC27 00000000 LEA EDI,DWORD PTR DS:[EDI]
7DC98860 6BEF 68 IMUL EBP,EDI,68
7DC98863 8B83 10760000 MOV EAX,DWORD PTR DS:[EBX+7610]
7DC98869 83C7 01 ADD EDI,1
7DC9886C 01E8 ADD EAX,EBP
7DC9886E 83C0 04 ADD EAX,4
7DC98871 85F6 TEST ESI,ESI
7DC98873 74 1E JE SHORT winex11.7DC98893
7DC98875 83EC 04 SUB ESP,4
7DC98878 56 PUSH ESI
7DC98879 50 PUSH EAX
7DC9887A FF7424 18 PUSH DWORD PTR SS:[ESP+18]
7DC9887E E8 55DAFAFF CALL winex11.7DC462D8
7DC98883 5A POP EDX
7DC98884 85C0 TEST EAX,EAX
7DC98886 74 1F JE SHORT winex11.7DC988A7
7DC98888 8B8B 10760000 MOV ECX,DWORD PTR DS:[EBX+7610]
7DC9888E 01E9 ADD ECX,EBP
7DC98890 8D41 04 LEA EAX,DWORD PTR DS:[ECX+4]
7DC98893 FF7424 6C PUSH DWORD PTR SS:[ESP+6C]
7DC98897 50 PUSH EAX
7DC98898 6A 00 PUSH 0
7DC9889A 57 PUSH EDI
7DC9889B FF5424 78 CALL DWORD PTR SS:[ESP+78] ; MONITORENUMPROC()
7DC9889F 85C0 TEST EAX,EAX
7DC988A1 0F84 C4FEFFFF JE winex11.7DC9876B
7DC988A7 39BB 0C760000 CMP DWORD PTR DS:[EBX+760C],EDI
7DC988AD 7F B1 JG SHORT winex11.7DC98860
7DC988AF B8 01000000 MOV EAX,1
7DC988B4 E9 76FFFFFF JMP winex11.7DC9882F
7DC988B9 66:90 NOP
7DC988BB 66:90 NOP
7DC988BD 66:90 NOP
7DC988BF 90 NOP
7DC988C0 B8 01000000 MOV EAX,1
7DC988C5 C3 RETN
--- snip ---
Mathematica 'MONITORENUMPROC':
--- snip ---
0046CBA7 PUSH EBP
0046CBA8 MOV EBP,ESP
0046CBAA SUB ESP,48
0046CBAD PUSH EBX
0046CBAE PUSH ESI
0046CBAF PUSH EDI
0046CBB0 LEA EAX,DWORD PTR SS:[EBP-48]
0046CBB3 PUSH EAX
0046CBB4 PUSH DWORD PTR SS:[EBP+8]
0046CBB7 MOV DWORD PTR SS:[EBP-48],48
0046CBBE CALL Mathemat.0054F046
0046CBC3 MOV ECX,EAX
0046CBC5 NEG ECX
0046CBC7 SBB ECX,ECX
0046CBC9 LEA EDX,DWORD PTR SS:[EBP-20]
0046CBCC AND ECX,EDX
0046CBCE NEG EAX
0046CBD0 PUSH 0 ; pInitData = NULL
0046CBD2 SBB EAX,EAX
0046CBD4 PUSH 0 ; Output = NULL
0046CBD6 NOT EAX
0046CBD8 PUSH ECX ; Device
0046CBD9 AND EAX,5B3B10
0046CBDE PUSH EAX ; Driver
0046CBDF CALL DWORD PTR DS:[<&GDI32.CreateDCA>]
0046CBE5 MOV EDI,DWORD PTR DS:[<&GDI32.GetDeviceC>
0046CBEB MOV EBX,EAX
0046CBED PUSH 0E ; Index = PLANES
0046CBEF PUSH EBX ; hDC
0046CBF0 CALL EDI ; GetDeviceCaps
0046CBF2 PUSH 0C ; Index = BITSPIXEL
0046CBF4 PUSH EBX ; hDC
0046CBF5 MOV ESI,EAX
0046CBF7 CALL EDI ; GetDeviceCaps
0046CBF9 IMUL ESI,EAX
0046CBFC PUSH EBX ; hDC
0046CBFD CALL DWORD PTR DS:[<&GDI32.DeleteDC>] ; DeleteDC
0046CC03 MOV ECX,DWORD PTR SS:[EBP+14]
0046CC06 MOV EAX,DWORD PTR DS:[ECX]
0046CC08 CMP EAX,ESI
0046CC0A JG SHORT Mathemat.0046CC0E
0046CC0C MOV EAX,ESI
0046CC0E PUSH 1
0046CC10 MOV DWORD PTR DS:[ECX],EAX
0046CC12 POP EAX
0046CC13 POP EDI
0046CC14 POP ESI
0046CC15 POP EBX
0046CC16 LEAVE
0046CC17 RETN
--- snip ---
App braindamage. That MONITORENUMPROC doesn't look like CALLBACK.
--- snip ---
#define CALLBACK __stdcall
--- snip ---
--- snip ---
typedef BOOL (CALLBACK *MONITORENUMPROC)(HMONITOR,HDC,LPRECT,LPARAM);
--- snip ---
The stack gets imbalanced upon return from MONITORENUMPROC(). Since Wine uses
ESP relative addressing for parameter setup (due to gcc default), the callback
address for the next iteration is just random garbage from stack, causing a
crash.
Starting with commit
https://source.winehq.org/git/wine.git/commitdiff/5cfe7db1854ff1142d598eaf49f6050676c8d547
the Wine code looks like this (relevant part):
--- snip ---
...
7DDBEA52 MOV ECX,DWORD PTR SS:[EBP-4C]
7DDBEA55 ADD ECX,DWORD PTR DS:[EBX+7610]
7DDBEA5B LEA EAX,DWORD PTR DS:[ECX+4]
7DDBEA5E PUSH DWORD PTR SS:[EBP+14]
7DDBEA61 PUSH EAX
7DDBEA62 PUSH 0
7DDBEA64 PUSH EDI
7DDBEA65 CALL DWORD PTR SS:[EBP+10] ; MONITORENUMPROC()
7DDBEA68 TEST EAX,EAX
7DDBEA6A JE winex11.7DDBE949
7DDBEA70 CMP DWORD PTR DS:[EBX+760C],EDI
7DDBEA76 JG SHORT winex11.7DDBEA28
7DDBEA78 MOV EAX,1
7DDBEA7D JMP SHORT winex11.7DDBEA08
7DDBEA7F NOP
7DDBEA80 MOV EAX,1
7DDBEA85 RETN
...
7DDBEA03 MOV EAX,1
7DDBEA08 LEA ESP,DWORD PTR SS:[EBP-C] ; recover/restore stack (!)
7DDBEA0B POP EBX
7DDBEA0C POP ESI
7DDBEA0D POP EDI
7DDBEA0E POP EBP
7DDBEA0F RETN
--- snip ---
Due to EBP-relative addressing, an imbalanced stack caused by MONITORENUMPROC
having the wrong calling convention doesn't matter here. The imbalanced stack is
restored in the epilog code of 'X11DRV_EnumDisplayMonitors'.
Tidbit: related bugs, fixed by the same commit
https://source.winehq.org/git/wine.git/commitdiff/5cfe7db1854ff1142d598eaf49f6050676c8d547
https://bugs.winehq.org/buglist.cgi?bug_status=CLOSED&f1=cf_fixedby_sha1sum&list_id=686171&o1=equals&product=Wine&query_format=advanced&v1=5cfe7db1854ff1142d598eaf49f6050676c8d547
ProtectionID scan for documentation:
--- snip ---
-=[ ProtectionID v0.6.9.0 DECEMBER]=-
(c) 2003-2017 CDKiLLER & TippeX
Build 24/12/17-21:05:42
Ready...
Scanning -> C:\Program Files (x86)\Wolfram Research\Mathematica\4.1\SystemFiles\FrontEnd\Binaries\Windows\Mathematica.exe
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 2002944 (01E9000h) Byte(s) | Machine: 0x14C (I386)
Compilation TimeStamp : 0x3A015C02 -> Thu 02nd Nov 2000 12:20:18 (GMT)
[TimeStamp] 0x3A015C02 -> Thu 02nd Nov 2000 12:20:18 (GMT) | PE Header | - | Offset: 0x00000100 | VA: 0x00400100 | -
[LoadConfig] CodeIntegrity -> Flags 0xA3F0 | Catalog 0x46 (70) | Catalog Offset 0x2000001 | Reserved 0x46A4A0
[LoadConfig] GuardAddressTakenIatEntryTable 0x8000011 | Count 0x46A558 (4629848)
[LoadConfig] GuardLongJumpTargetTable 0x8000001 | Count 0x46A5F8 (4630008)
[LoadConfig] HybridMetadataPointer 0x8000011 | DynamicValueRelocTable 0x46A66C
[LoadConfig] FailFastIndirectProc 0x8000011 | FailFastPointer 0x46C360
[LoadConfig] UnknownZero1 0x8000011
[File Heuristics] -> Flag #1 : 00000000000000000000000000000000 (0x00000000)
[Entrypoint Section Entropy] : 6.71 (section #0) ".text " | Size : 0x18D5BC (1627580) byte(s)
[DllCharacteristics] -> Flag : (0x0000) -> NONE
[SectionCount] 4 (0x4) | ImageSize 0x20B000 (2142208) byte(s)
[VersionInfo] Company Name : Wolfram Research. Inc.
[VersionInfo] Product Name : Mathematica
[VersionInfo] Product Version : 4. 1. 0. 0
[VersionInfo] File Description : Mathematica for Windows Version 4.1
[VersionInfo] File Version : 4. 1. 0. 0
[VersionInfo] Original FileName : MATHEMATICA.EXE
[VersionInfo] Internal Name : MATHEMATICA
[VersionInfo] Version Comments : Mathematica for Windows Version 4.1
[VersionInfo] Legal Copyrights : Copyright © 1988-2000 Wolfram Research. Inc.
[ModuleReport] [IAT] Modules -> KERNEL32.dll | USER32.dll | GDI32.dll | comdlg32.dll | ADVAPI32.dll | SHELL32.dll | ole32.dll | COMCTL32.dll | WINMM.dll | oledlg.dll | WSOCK32.dll | ML32I2.dll
[CompilerDetect] -> Visual C++ 6.0
[!] File appears to have no protection or is using an unknown protection
- Scan Took : 0.618 Second(s) [00000026Ah (618) tick(s)] [506 of 580 scan(s) done]
--- snip ---
Regards
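Added illustration (not code from the bug report, from Mathematica or from Wine): a small C model of the stack traffic the comment above describes. It replays two iterations of an EnumDisplayMonitors-style loop that calls a MONITORENUMPROC assuming __stdcall, once with a callback that cleans up its own arguments (RETN 10) and once with one that ends in LEAVE/RETN as in the Mathematica listing, and compares a caller compiled with ESP-relative addressing (gcc -fomit-frame-pointer) against one that keeps EBP and resynchronises with LEA ESP,[EBP-C]. The frame layout is simplified: three filler slots stand in for the caller's saved registers, and the argument values and saved-EBP value are constructed; the callback address and the return address after the CALL are the ones in the listings.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy model of a 32-bit stack that grows downwards. Addresses are byte
   offsets into mem[]; only 4-byte aligned accesses are modelled. */
#define STACK_BYTES 256
typedef struct {
    uint32_t mem[STACK_BYTES / 4];
    uint32_t esp;
    uint32_t ebp;
} Cpu;

/* How the callback cleans up, and how the caller addresses its own frame. */
enum callee_kind { CALLEE_STDCALL, CALLEE_CDECL };
enum caller_kind { CALLER_ESP_RELATIVE, CALLER_EBP_RELATIVE };

#define CALLBACK_PTR 0x0046CBA7u  /* MONITORENUMPROC address from the relay log */
#define LOCAL_FILLER 0xDEADBEEFu  /* constructed value standing in for caller locals */
#define NUM_ARGS 4                /* HMONITOR, HDC, LPRECT, LPARAM */

typedef struct {
    uint32_t second_callback;     /* pointer the caller would CALL on iteration 2 */
    int32_t  esp_error;           /* ESP after the caller's epilogue minus ESP at entry */
} Result;

static void push(Cpu *c, uint32_t v) { c->esp -= 4; c->mem[c->esp / 4] = v; }
static uint32_t load(const Cpu *c, uint32_t addr) { return c->mem[addr / 4]; }

/* The callback pops its return address; only a __stdcall callee also pops
   its arguments ("RETN 10"). A LEAVE/RETN callee leaves them on the stack. */
static void call_callback(Cpu *c, enum callee_kind k) {
    push(c, 0x7DC9889Fu);          /* CALL pushes the return address (from the listing) */
    c->esp += 4;                   /* RETN pops it again */
    if (k == CALLEE_STDCALL)
        c->esp += NUM_ARGS * 4;    /* RETN 10: callee removes its own arguments */
}

/* Runs two iterations of an EnumDisplayMonitors-like loop that assumes a
   __stdcall callback, then executes the caller's epilogue. */
Result simulate(enum callee_kind callee, enum caller_kind caller) {
    Cpu c = { {0}, STACK_BYTES, 0 };
    push(&c, CALLBACK_PTR);        /* incoming argument: the callback pointer */
    uint32_t proc_slot = c.esp;    /* address of that argument slot */
    uint32_t entry_esp = c.esp;
    push(&c, 0x0033E340u);         /* PUSH EBP (saved frame pointer, constructed) */
    c.ebp = c.esp;                 /* MOV EBP,ESP */
    for (int i = 0; i < 3; i++)    /* three saved registers / locals */
        push(&c, LOCAL_FILLER);
    uint32_t disp = proc_slot - c.esp;  /* constant displacement gcc emits for [ESP+disp] */

    Result r = { 0, 0 };
    for (int iter = 0; iter < 2; iter++) {
        /* fetch the callback pointer the way the caller was compiled */
        r.second_callback = (caller == CALLER_ESP_RELATIVE) ? load(&c, c.esp + disp)
                                                            : load(&c, c.ebp + 4);
        push(&c, 0x0033E310u);     /* LPARAM (constructed) */
        push(&c, 0x0033E2F0u);     /* LPRECT (constructed) */
        push(&c, 0);               /* HDC: PUSH 0 as in the listing */
        push(&c, (uint32_t)iter + 1); /* HMONITOR: monitor index */
        call_callback(&c, callee);
        /* caller assumes __stdcall: no ADD ESP,10 after the call */
    }
    if (caller == CALLER_ESP_RELATIVE) {
        c.esp += 3 * 4;            /* ADD ESP,0C: drop the three slots */
        c.esp += 4;                /* POP EBP */
    } else {
        c.esp = c.ebp - 3 * 4;     /* LEA ESP,[EBP-C]: resynchronise from EBP */
        c.esp += 3 * 4;            /* POP EBX / POP ESI / POP EDI */
        c.esp += 4;                /* POP EBP */
    }
    r.esp_error = (int32_t)c.esp - (int32_t)entry_esp;
    return r;
}

int main(void) {
    static const char *cn[] = { "stdcall", "cdecl" };
    static const char *kn[] = { "ESP-relative", "EBP-relative" };
    for (int k = 0; k < 2; k++)
        for (int j = 0; j < 2; j++) {
            Result r = simulate((enum callee_kind)k, (enum caller_kind)j);
            printf("callee %-7s caller %-12s -> 2nd callback %08x, ESP error %d\n",
                   cn[k], kn[j], (unsigned)r.second_callback, (int)r.esp_error);
        }
    return 0;
}
```

With the LEAVE/RETN callee and the ESP-relative caller, the second fetch lands 16 bytes below the real argument slot and returns the filler value instead of the callback address, which is the "random garbage from stack" the comment describes; the EBP-relative caller fetches the right pointer every time and its LEA ESP,[EBP-C] epilogue also leaves ESP balanced at return. A stdcall callee is correct under both caller variants.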