[Bug 48641] skse64 is broken with the ntdll-ForceBottomUpAlloc patchset

Mon Oct 12 20:12:14 CDT 2020

https://bugs.winehq.org/show_bug.cgi?id=48641

--- Comment #7 from qsniyg <qsniyg at mail.com> ---
Sorry for the late response (never got around to compiling staging again...).
The bug now happens with wine vanilla as well, I haven't yet bisected the
cause.

After applying a rebased version of your test hack, it still doesn't work.
However, after doing further research, it's not the cause of the issue.

Before the patch (with a err trace added to display the output):

0398:trace:virtual:NtQueryVirtualMemory (0xffffffffffffffff, 0x13fffffff,
info_class=0, 0x21f760, 48, 0x21f728)
0398:err:virtual:get_basic_memory_info .State=4096, .RegionSize=0x1000
...
06dc:trace:virtual:NtQueryVirtualMemory (0xffffffffffffffff, 0x13fff0fff,
info_class=0, 0x21f760, 48, 0x21f728)
06dc:err:virtual:get_basic_memory_info .State=65536, .RegionSize=0x10000
, .BaseAddress=0x13fff0000
06dc:trace:virtual:NtAllocateVirtualMemory 0xffffffffffffffff 0x13fff0000
00010000 3000 00000040

After the patch:

...
0398:trace:virtual:NtQueryVirtualMemory (0xffffffffffffffff, 0x13ffb0fff,
info_class=0, 0x21f760, 48, 0x21f728)
0398:err:virtual:get_basic_memory_info .State=65536, .RegionSize=0x10000
, .BaseAddress=0x13ffb0000
0398:trace:virtual:NtAllocateVirtualMemory 0xffffffffffffffff 0x13ffb0000
00010000 3000 00000040

This works fine, and corresponds to the following in
src/skse64/skse64/skse64.cpp
(https://github.com/JimBeamBeagle/SimplyKnock/blob/e0e64412201c9eac1881377e3573f923aa1eb016/simplyknock_skse_plugin/skse64/skse64/skse64.cpp#L68
):

        if(!g_branchTrampoline.Create(1024 * 64))
        {
            _ERROR("couldn't create branch trampoline. this is fatal. skipping
remainder of init process.");
            return;
        }

However, what fails is the line right after in the log:

0398:trace:virtual:NtQueryVirtualMemory (0xffffffffffffffff, 0x2236ffff,
info_class=0, 0x21f760, 48, 0x21f728)
0398:err:virtual:get_basic_memory_info .State=65536, .RegionSize=0x1000
, .BaseAddress=0x2236f000

Source code (the difference here is g_moduleHandle, which is the handle of
skse_1_5_97.dll, which loads at 0x22370000):

        if(!g_localTrampoline.Create(1024 * 64, g_moduleHandle))
        {
            _ERROR("couldn't create codegen buffer. this is fatal. skipping
remainder of init process.");
            return;
        }

The reason this fails is because of the following in BranchTrampoline::Create
(src/skse64/skse64_common/BranchTrampoline.cpp, link:
https://github.com/JimBeamBeagle/SimplyKnock/blob/e0e64412201c9eac1881377e3573f923aa1eb016/simplyknock_skse_plugin/skse64/skse64_common/BranchTrampoline.cpp#L22
):

    uintptr_t lowestOKAddress = moduleBase - 0x80000000 + (1024 * 1024 * 128); 
  // largest 32-bit displacement with 128MB scratch space
    ...
        if (addr < lowestOKAddress)
        {
            _ERROR("couldn't allocate trampoline, no free space before image");
            break;
        }

lowestOKAddress = 0x22370000 - 0x80000000 + (1024 * 1024 * 128), which is a
negative value (and therefore overflows).

Applying an updated version of the SKSE hack (sending MEM_TOP_DOWN to
NtMapViewOfSection in open_dll_file) allows it to work fine (loads it at
7FFFFED40000), but this is probably not a proper solution.

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.