http://bugs.winehq.org/show_bug.cgi?id=59333 --- Comment #2 from Hoshino Lina <lina@lina.yt> --- I tracked down the real stack trace (after restoring %rsp): #0 0x00007ffff7d0dffd in ?? () #1 0x00006fffffc1bee6 in RtlWaitOnAddress (addr=0x7fffe65582bc, addr@entry=0x180750db8, cmp=0x7ffff7d22ea0, cmp@entry=0x7a8bf4ac, size=size@entry=4, timeout=0x12938ead8, timeout@entry=0x7a8bf508) at dlls/ntdll/sync.c:910 #2 0x00006fffffc177bb in RtlSleepConditionVariableSRW (variable=0x180750db8, lock=0x180750d80, timeout=0x7a8bf508, flags=<optimized out>) at dlls/ntdll/sync.c:806 #3 0x00006fffff40576c in SleepConditionVariableSRW (variable=<optimized out>, lock=<optimized out>, timeout=<optimized out>, flags=<optimized out>) at dlls/kernelbase/sync.c:1202 #4 0x0000000180084261 in sleep_interruptable () from Z:\mnt\nas\home\lina\vt\app\VNyan\MonoBleedingEdge\EmbedRuntime\mono-2.0-bdwgc.dll #5 0x000000018014153f in FUN_180141480 () from Z:\mnt\nas\home\lina\vt\app\VNyan\MonoBleedingEdge\EmbedRuntime\mono-2.0-bdwgc.dll So it's just a thread sleeping. I believe this can probably affect a huge number of Unity apps/games with different probability of happening, but for VNyan one that stands out is this thread poll loop in uOSC: https://github.com/hecomi/uOSC/blob/3c80df7ee3ce7c58cb33f5820921a3b192e22c04... Not sure if that's the one but it's definitely one candidate. -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=59333 Zeb Figura <z.figura12@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |z.figura12@gmail.com --- Comment #3 from Zeb Figura <z.figura12@gmail.com> --- Fundamentally we shouldn't be reporting the "real" context if we're anywhere inside __wine_syscall_dispatcher(). This is probably tricky to do, because the shuffling around we do to actually save the context means that the correct context values to report depend on *exactly* where we are in the function. This is another case that makes me think we really just need to be "masking" usr1 until we're ready to deal with it. -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=59333 --- Comment #5 from Zeb Figura <z.figura12@gmail.com> --- I don't think a partial solution like that is particularly likely to be accepted. I could be wrong, though. -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=59333 --- Comment #7 from easyaspi314 <easy-as-pi314.ttv@proton.me> --- I mean I may be overlooking things, but uh... Is Wine actually checking whether it is in a syscall when calling NtGetContextThread and returning nonzero? I don't see it in any of the instances of where it sets the return value. -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=59333 --- Comment #9 from Hoshino Lina <lina@lina.yt> --- I was thinking about the "masking" USR1 and... I guess I was confused about the meaning. Since USR1 is just a normally handled signal, I guess it would be sufficient to just check if %rip is inside the syscall dispatcher and just set a flag and return? Then the syscall handler itself can check the flag, and if set, jump to the rest of the USR1 handling code. You'd need some subtlety around "carving out" the check itself so it would go something like: - Between start of __wine_syscall_dispatcher and loading the flag, do the above - After the flag is loaded, and before jumping into the syscall, just handle it normally in the signal handler (considered "in syscall"). - If it's after syscall return and back in __wine_syscall_dispatcher, perhaps the easiest thing to do is just have the USR1 handler alter the signal return context to restart the syscall return path (you'd have to ensure the syscall return code is idempotent with respect to user state). This only really matters if the context is allowed to be modified by another thread "during" a syscall. -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=59333 Esme Povirk <madewokherd@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |madewokherd@gmail.com --- Comment #11 from Esme Povirk <madewokherd@gmail.com> --- I think Unity is the only common user of bdwgc anymore. So I would guess it affects all Unity titles but not Mono in general. -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=59333 --- Comment #13 from Adalyn <adibtw@tuta.io> --- I personally haven't noticed a memory leak like this in VRChat, which is an IL2CPP game. With how inconsistent the bug is, it's hard to say for sure that it doesn't happen, but I've played thousands of hours on Linux without this type of memory leak happening, and it also shares many similarities with VTubing software, including OSC usage and poorly optimized user-made models -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=59333 --- Comment #15 from Adalyn <adibtw@tuta.io> --- Based on the github archives from mods prior to EAC, it looks like they used IL2cpp before adding EAC. emmVRC has a blog post that mentions IL2cpp was added some time in April 2020, which was long before the commit that theoretically introduced this bug (0a5f7a71036 was made in 2023) -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=59333 --- Comment #17 from Hoshino Lina <lina@lina.yt> --- Also VNyan does OSC and 4x VMC receivers, so that's another factor of 5, for a total of 5000 chances to hit the race per second. -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=59333 Madalee <madalee@ohlmeyers.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |madalee@ohlmeyers.com --- Comment #18 from Madalee <madalee@ohlmeyers.com> --- We wanted to report that we've seen this same behavior in Warudo (also Unity based vtuber software) in all version after Proton-8. This leak usually doesn't happen quickly, though we've seen apps leak in as little as an hour, we've seen it not manifest until around 30 hours. We believe we've seen this in other unity games as well. Basically, anything unity that we run on Linux through Proton newer than 8 seems to leak... eventually. As Hoshino Lina pointed out, the common thread among vtubers is that we often stream for many hours. We think this extended time with Unity is why it tends to affect us more than most users and why this very serious bug often goes unnoticed. Not sure how this is for other users, but for us when a Unity app does this, our whole system hangs, sometimes for several minutes while we wait for the memory goblin to rescue us by killing apps. We're happy to provide any additional details that can help, or run testing/debug versions of Wine and provide logs. Thanks, -Madalee -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=59333 --- Comment #20 from Hoshino Lina <lina@lina.yt> --- I didn't bisect the commit with testing, but I did identify 0a5f7a71036 as the likely culprit based on git blame (mentioned in my original report). This was introduced in wine-9, so that tracks with all the user reports that this starts happening in proton-9. I want to try writing an intentional reproducer for this that's faster than the test cases we have, though since it's a race I don't know if it will be fast enough to be incorporated into an actual test suite. @Madalee Yeah, Linux doesn't handle progressive memory leaks well. Here's one time it happened on stream: https://www.youtube.com/live/X3EfEZGe_Og?t=33280s You can't really see much because my whole stream system (separate from the one I was working on) froze pretty badly, but you can see the 4-minute jump in the clock when I came back (watched live, the stream was down for that time period, YouTube just cuts that out in the VOD). I don't remember if I had to restart the whole machine, but it definitely took down VTube Studio, OBS, and my audio system at least. -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=59333 --- Comment #22 from Zeb Figura <z.figura12@gmail.com> --- I don't think bisecting is going to be all that useful at this point; the problem is pretty well understood. -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=59333 --- Comment #24 from Adalyn <adibtw@tuta.io> --- The GE-Proton build started leaking memory after running my test program for about 5 minutes, with the exact same behaviour (all leaked memory is Managed Reserved memory according to Unity's Memory Profiler) I'll give the wine build a try as well once it's ready -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=59333 --- Comment #26 from Madalee <madalee@ohlmeyers.com> --- We can't even get the right file, and yet we're gunna say. What do you mean it's not that easy? Easy game for babies! https://github.com/madalee-com/Wine-Builds-fix-unity-leak/blob/master/signal... Heh, we simply overwrote the whole __wine_syscall_dispatcher with the one from Proton 8. Then put the right file in the right place. And now we wait for them to compile again. To be clear, we don't understand what is happening in the code here. And this is a bit of a shot in the dark hoping that reverting the function will "resolve" the issue, with the intent of proving out the actual problem. We suppose if it works, this can be an okay workaround until a proper fix is made? But this is not, in any way, a thoughtful resolution of the issue at hand. Adalyn, any chance you can share your testing app? -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=59333 --- Comment #28 from Madalee <madalee@ohlmeyers.com> --- FYI, after a few more changes to get the revert right, and applying it directly to a localish build of Proton 10.0-4, we might be on to something? Have a Proton 10.0-4 with the revert that's been running Warudo for around 5 hours now, no leak. Again, on rare occasion we've seen the leak hit after a whole day, so it could be a coincidence. At the same time we are testing a Proton-GE 10-32(on another machine) with the script as Adalyn suggested. We're working on putting up a github repo to repeat the Proton build with the revert for Proton-10.0-4 and Proton Experimental Will post links once those are all ready. The GE build is already available, though we have less confidence in it, since it has a ton of other patches: https://github.com/madalee-com/proton-ge-custom-unity-leak-fix/releases -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=59333 --- Comment #30 from Madalee <madalee@ohlmeyers.com> --- Warudo has been running under this modified Proton 10 for 18 hours now and has not experienced "THE" memory leak. We say "THE" because it does seem like it's experiencing "A" memory leak. It's been, very slowly, increasing in memory use since around hour 2 or so. It's gone from 1.5G to 5.8G after 18 hours. Along with the increase in memory usage, the CPU usage has also climbed, with a setup that's basically just idling(not receiving VRM data or anything) the model stands and moves around in an idle pose. CPU was idling around 12% initially and it's up to an average of 17% now. The slowness of this leak and CPU increase could be on the Warudo side at this point. On a side nite, we tried running the Unity script for several hours, with normal Proton 10, and haven't seen the leak. We likely haven't setup the script properly. We don't develop in Unity, just use it enough to work with our VRM model so maybe we set it up wrong? -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=59333 --- Comment #32 from Madalee <madalee@ohlmeyers.com> --- It is, indeed, hammering the CPU and running around 886 threads. The memory usage, however, didn't go up after leaving it running all night on GE-Proton10-10 (original, no leak patch) We know Unity has several different engine modes and stuff, maybe our project is in the wrong one? If you're willing, feel free to reach out to us on discord at "madalee" (In reply to Adalyn from comment #31)

if the script is applied correctly, it should be using at least 800 threads, and basically every available CPU cycle the kernel will provide all that should be necessary to use it is adding the script as a component to any object in the scene

-- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=59333 --- Comment #34 from Hoshino Lina <lina@lina.yt> --- Created attachment 80435 --> http://bugs.winehq.org/attachment.cgi?id=80435 Bug repro Attached is a non-Unity repro that catches the bug within a few seconds. It also shows that very often contexts within __wine_syscall_dispatcher_return are returned (which is still wrong, but won't break Unity by itself), and only a fraction of those have the bad sp (which breaks Unity). I still don't understand the point of the `leaq 0x70(%rcx),%rsp`. Why is rsp being set to anything arbitrary at all? Just replacing that line with `movq 0x88(%rcx),%rsp` might go a long way towards fixing this, at least for Unity. -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=59333 --- Comment #36 from easyaspi314 <easy-as-pi314.ttv@proton.me> --- Did a quick scan over the patch. Is the local label supposed to be 11? I don't understand this code so I might be wrong but the jz 1f followed by 11: seems a bit due to me. -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=59333 --- Comment #38 from Madalee <madalee@ohlmeyers.com> --- Doing a build with Hoshino Lina's patch. Will post link once ready. We applied this to Proton 10.0-4 @Hoshino Lina: what version did you base the patch on? -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=59333 --- Comment #40 from easyaspi314 <easy-as-pi314.ttv@proton.me> --- Lina's patched version doesn't report a bogus %rsp and assert, but I can confirm that it does report %rip in the 0x7xxxxxxxxxxx Wine range very often. -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=59333 --- Comment #42 from easyaspi314 <easy-as-pi314.ttv@proton.me> --- Madalee's results check out. So far my own test results: - wine-8.0 (Debian 8.0~repack-4) on Bookworm: seems to pass - wine-10.0 (Ubuntu 10.0~repack-6ubuntu1) on Ubuntu 25.10: fail - wine-11.3 from source: fail - wine-11.3 from source with Lina's patch: seems to pass - GE-Proton 10-28/29: fail I'm putting "seems to pass" here since being a race condition it's hard to say with 100% certainty. Again, all of these (including Wine 8) regularly report %rip in Wine code though, meaning that this part of the behavior is not a regression and may be a different bug. -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.