Need help debugging a memory corruption bug in shfldr_unixfs.c

Michael Jung mjung at iss.tu-darmstadt.de
Fri Aug 26 15:10:16 CDT 2005


Hi,

Sometimes while browsing the unixfs namespace in the file dialog wine crashes 
with the following console output:

=============================================================================
wine: Unhandled exception (thread 0009), starting debugger...
WineDbg starting on pid 0x8
Unhandled exception: page fault on read access to 0x00004005 in 32-bit code 
(0x7b24fbf2).
In 32 bit mode.
Register dump:
 CS:0073 SS:007b DS:007b ES:007b FS:003b GS:0033
 EIP:7b24fbf2 ESP:7b8af188 EBP:7b8af1ac EFLAGS:00210202(   - 00      - -RI1)
 EAX:00000000 EBX:7b2e8b70 ECX:78560110 EDX:7b8af258
 ESI:7b2e88f6 EDI:00004001
Stack dump:
0x7b8af188:  00000000 000007d0 7b8af298 00000000
0x7b8af198:  00000008 00000001 7b2e8b70 00000000
0x7b8af1a8:  7b8af1f8 7b8af244 7b2696a2 00004001
0x7b8af1b8:  00000015 00000040 00000000 78561a78
0x7b8af1c8:  78561a78 7b4e8448 7b8af298 00000000
0x7b8af1d8:  7b8af204 7b47bfd1 0036003e 0000004e
Backtrace:
=>1 0x7b24fbf2 DPA_GetPtr+0x32(hdpa=0x4001, nIndex=0x15) [dpa.c:479] in 
comctl32 (0x7b8af1ac)
  2 0x7b2696a2 LISTVIEW_GetItemT(infoPtr=0x78560110, lpLVItem=0x7b8af258, 
isW=0x1) [/home/mjung/compile/wine/dlls/comctl32/listview.c:5225] in comctl32 
(0x7b8af244)
  3 0x7b273e7a notify_itemactivate+0x6a(infoPtr=0x78560110, htInfo=0x7b8af308) 
[/home/mjung/compile/wine/dlls/comctl32/listview.c:791] in comctl32 
(0x7b8af2d4)
  4 0x7b26fd5f LISTVIEW_LButtonDblClk+0x8f(infoPtr=0x78560110, wKey=0x1, 
x=0xad, y=0x39) [/home/mjung/compile/wine/dlls/comctl32/listview.c:8103] in 
comctl32 (0x7b8af334)

...

===============================================================================

As you see, the hdpa parameter to DPA_GetPtr is invalid. The relevant code in 
LISTVIEW_GetItemT is (dlls/comctl32/listview.c, line 5126):

    /* find the item and subitem structures before we proceed */
    hdpaSubItems = (HDPA)DPA_GetPtr(infoPtr->hdpaItems, lpLVItem->iItem);
    lpItem = (ITEM_INFO *)DPA_GetPtr(hdpaSubItems, 0);
    assert (lpItem);

It's the first call to DPA_GetPtr that crashes. So the structure pointed to by 
infoPtr seems to be corrupted (infoPtr is a LISTVIEW_INFO *, which represents 
the listview item and which is given as the first parameter to 
LISTVIEW_GetItemT).

As I never saw this with the original shfldr_fs.c code, I assume that 
shfldr_unixfs.c has a memory corruption bug somewhere. I've tried to figure 
out the problem for some time now, but to no avail.

So my questions are:

1) Can someone give me some advice on how to debug such a problem? 
2) Did other people see this bug already? 
3) Would valgrind be of help to debug this?

Thanks,
-- 
Michael Jung
mjung at iss.tu-darmstadt.de
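The following is an added illustration, not part of the mail above and not Wine's DPA or listview code: a toy pointer-array handle (TOY_DPA) with a header tag, a checked getter that refuses the bad handle/index pair from the backtrace (0x4001, 0x15) by alignment alone, before any read through it, and a constructed caller-side struct in which an unbounded copy into a text field overwrites the embedded handle's header, which the tag check then catches on the next lookup. All type and function names are assumptions. On question 3 it also shows the caveat: Valgrind's memcheck reports overruns of heap blocks and use-after-free, but a write that stays inside one allocated object (as in this example) is invisible to it and to AddressSanitizer, so a bug of that shape in shfldr_unixfs.c needs a header tag or watchpoint rather than a leak checker.

```c
/* Added example (not Wine code): a toy pointer-array handle with a header
 * tag, a checked getter that refuses bogus handles, and a constructed
 * caller-side overflow that clobbers the handle header. TOY_DPA, TOY_OWNER
 * and toy_dpa_* are assumed names for illustration only. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TOY_DPA_MAGIC 0x0DFA0001u   /* arbitrary constructed tag value */

enum { DPA_OK = 0, DPA_ERR_NULL, DPA_ERR_MISALIGNED, DPA_ERR_BAD_MAGIC, DPA_ERR_RANGE };

typedef struct {
    uint32_t magic;   /* checked before any other field is trusted */
    int      count;
    void   **ptrs;
} TOY_DPA;

static void toy_dpa_init(TOY_DPA *h, void **storage, int n)
{
    h->magic = TOY_DPA_MAGIC;
    h->count = n;
    h->ptrs  = storage;
}

/* Validate a handle, doing the checks that need no read through it first. */
static int toy_dpa_validate(const TOY_DPA *h)
{
    if (h == NULL)
        return DPA_ERR_NULL;
    /* 0x4001 from the crash dump is odd: no header with a 4-byte first field
     * can live there, so reject it before touching memory. */
    if (((uintptr_t)h % sizeof(uint32_t)) != 0)
        return DPA_ERR_MISALIGNED;
    if (h->magic != TOY_DPA_MAGIC)    /* a stray write over the header shows up here */
        return DPA_ERR_BAD_MAGIC;
    return DPA_OK;
}

static int toy_dpa_getptr(const TOY_DPA *h, int idx, void **out)
{
    int rc = toy_dpa_validate(h);
    if (rc != DPA_OK)
        return rc;
    if (idx < 0 || idx >= h->count)
        return DPA_ERR_RANGE;
    *out = h->ptrs[idx];
    return DPA_OK;
}

/* Caller-side state in the spirit of LISTVIEW_INFO: a small text field sits
 * directly in front of the embedded handle, so an overlong copy into the
 * text field lands on the handle's header. */
typedef struct {
    char    label[8];
    TOY_DPA items;
} TOY_OWNER;

/* The constructed bug: an unbounded copy. The write stays inside the enclosing
 * struct, which is why Valgrind memcheck and ASan do not flag it. */
static void set_label_unchecked(TOY_OWNER *o, const char *s)
{
    char *dst = o->label;
    size_t i;
    for (i = 0; s[i] != '\0'; i++)
        dst[i] = s[i];
    dst[i] = '\0';
}

/* The fix: refuse input that does not fit instead of clobbering a neighbour. */
static int set_label_checked(TOY_OWNER *o, const char *s)
{
    size_t n = strlen(s);
    if (n >= sizeof o->label)
        return -1;
    memcpy(o->label, s, n + 1);
    return 0;
}

/* Scenario 1: the exact handle/index pair from the backtrace. */
static int demo_bogus_handle(void)
{
    void *p = NULL;
    return toy_dpa_getptr((const TOY_DPA *)(uintptr_t)0x4001, 0x15, &p);
}

/* Scenario 2: a 13-byte label overruns label[8] and overwrites items.magic;
 * the next lookup is refused instead of faulting later in the array. */
static int demo_overflow_detected(void)
{
    static void *slots[2] = { "item0", "item1" };   /* constructed payload */
    TOY_OWNER o;
    void *p = NULL;
    toy_dpa_init(&o.items, slots, 2);
    set_label_unchecked(&o, "much too long");
    return toy_dpa_getptr(&o.items, 0, &p);
}

/* Scenario 3: bounded copy plus intact handle behaves normally. */
static int demo_checked_label(void)
{
    static void *slots[2] = { "item0", "item1" };
    TOY_OWNER o;
    void *p = NULL;
    toy_dpa_init(&o.items, slots, 2);
    if (set_label_checked(&o, "much too long") != -1)
        return -2;                       /* overlong input must be refused */
    if (set_label_checked(&o, "ok") != 0)
        return -3;
    if (toy_dpa_getptr(&o.items, 1, &p) != DPA_OK || p != slots[1])
        return -4;
    return DPA_OK;
}

int main(void)
{
    printf("bogus handle  -> %d (expect %d)\n", demo_bogus_handle(), DPA_ERR_MISALIGNED);
    printf("overflowed    -> %d (expect %d)\n", demo_overflow_detected(), DPA_ERR_BAD_MAGIC);
    printf("checked label -> %d (expect %d)\n", demo_checked_label(), DPA_OK);
    return 0;
}
```

The tag check only catches corruption that reaches the header; a stray write that lands in the pointer table itself still needs a hardware watchpoint (winedbg or gdb `watch` on the address that later holds the bad value) to find the writer.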