[Bug 52073] New: The builtin libxml2/libxslt libraries break msxml3:domdoc in wow64 mode
https://bugs.winehq.org/show_bug.cgi?id=52073

            Bug ID: 52073
           Summary: The builtin libxml2/libxslt libraries break msxml3:domdoc in wow64 mode
           Product: Wine
           Version: unspecified
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: msxml3
          Assignee: wine-bugs(a)winehq.org
          Reporter: fgouget(a)codeweavers.com
      Distribution: ---

The builtin libxml2 / libxslt libraries break msxml3:domdoc in wow64 mode. More specifically msxml3:domdoc started crashing on 2021-10-20:

domdoc.c:7004: Test marked todo: expected refcount 2, got 1
Unhandled exception: page fault on read access to 0x00000000ffffffff in 64-bit code (0x00000000013682a8).
[...]
Backtrace:
=>0 0x00000000013682a8 xmlXPathNodeCollectAndTest+0x28(ctxt=<is not available>, op=<is not available>, first=<is not available>, last=<is not available>, toBool=<is not available>) [Z:\home\winetest\winetest\src\libs\xml2\xpath.c:12028] in msxml3 (0x0000000001388348)
  1 0x0000000001369d51 xmlXPathNodeCollectAndTest+0x1ad0(ctxt=<is not available>, op=<is not available>, first=<is not available>, last=<is not available>, toBool=<is not available>) [Z:\home\winetest\winetest\src\libs\xml2\xpath.c:13113] in msxml3 (0x0000000001388348)
  2 0x000000000136a024 xmlXPathNodeCollectAndTest+0x1da3(ctxt=<is not available>, op=<is not available>, first=<is not available>, last=<is not available>, toBool=<is not available>) [Z:\home\winetest\winetest\src\libs\xml2\xpath.c:13361] in msxml3 (0x0000000001388348)
  3 0x000000000136b559 xmlXPathRunEval+0xc8(ctxt=<is not available>, toBool=<is not available>) [Z:\home\winetest\winetest\src\libs\xml2\xpath.c:13954] in msxml3 (0x0000000001388348)
  4 0x000000000136b775 xmlXPathCompiledEvalInternal+0xc4(comp=<is not available>, ctxt=<is not available>, resObjPtr=<is not available>, toBool=<is not available>) [Z:\home\winetest\winetest\src\libs\xml2\xpath.c:14337] in msxml3 (0x0000000001388348)
  5 0x000000000136bb3a xmlXPathCompiledEval+0x19(comp=<is not available>, ctx=<is not available>) [Z:\home\winetest\winetest\src\libs\xml2\xpath.c:14383] in msxml3 (0x0000000000fae760)
  6 0x0000000001298edc xsltProcessOneNode+0x18b(ctxt=<is not available>, contextNode=<is not available>, withParams=<is not available>) [Z:\home\winetest\winetest\src\libs\xslt\libxslt\transform.c:385] in msxml3 (0x0000000000fae760)
  7 0x0000000001296517 xsltCopyText+0x706(ctxt=<is not available>, target=<is not available>, cur=<is not available>, interned=<is not available>) [Z:\home\winetest\winetest\src\libs\xslt\libxslt\transform.c:2798] in msxml3 (0x0000000000fadc90)
  8 0x0000000001298638 xsltLocalVariablePush+0x267(ctxt=<is not available>, variable=<is not available>, level=<is not available>) [Z:\home\winetest\winetest\src\libs\xslt\libxslt\transform.c:2388] in msxml3 (0x0000000000fa3c70)
  9 0x0000000001298da2 xsltProcessOneNode+0x51(ctxt=0000000000FC2DC0, contextNode=0000000000FAE760, withParams=0000000000000000) [Z:\home\winetest\winetest\src\libs\xslt\libxslt\transform.c:3145] in msxml3 (0x0000000000000000)
  10 0x000000000129b28f xsltApplyStylesheetInternal+0x3ce(style=0000000000FA2030, doc=0000000000FAE760, params=<is not available>, output=<is not available>, profile=<is not available>, userCtxt=<is not available>) [Z:\home\winetest\winetest\src\libs\xslt\libxslt\transform.c:6089] in msxml3 (0x0000000000000000)
  11 0x000000000129b95e xsltApplyStylesheet+0x1d(style=<is not available>, doc=<is not available>, params=<is not available>) [Z:\home\winetest\winetest\src\libs\xslt\libxslt\transform.c:6285] in msxml3 (0x00000000006bf978)
  12 0x000000000125c2a7 node_transform_node_params+0xb6(This=0000000000043960, stylesheet=<is not available>, p=<is not available>, stream=0000000000000000, params=0000000000000000) [Z:\home\winetest\winetest\src\dlls\msxml3\node.c:1518] in msxml3 (0x00000000006bf978)
  13 0x000000000125c845 unknode_transformNode+0x34(iface=<is not available>, domNode=<is not available>, p=<is not available>) [Z:\home\winetest\winetest\src\dlls\msxml3\node.c:1541] in msxml3 (0x00000000000384a8)
  14 0x000000000123085a domdoc_transformNode+0x29(iface=<is not available>, node=0000000000045540, p=00000000006BF978) [Z:\home\winetest\winetest\src\dlls\msxml3\domdoc.c:1479] in msxml3 (0x00000000000384a8)
  15 0x000000000040c180 in msxml3_test (+0xc17f) (0x00000000000384a8)
[...]

https://test.winehq.org/data/patterns.html#msxml3:domdoc

A bisect shows that the crash started happening with the commit below:

commit bca1b7f2faeb0798f4af420c15ff5a1b1f7b40af
Author: Alexandre Julliard <julliard(a)winehq.org>
Date:   Wed Oct 20 11:39:06 2021 +0200

    mxsml3: Use the bundled libxml2 and libxslt and build with msvcrt.

    Signed-off-by: Alexandre Julliard <julliard(a)winehq.org>

The previous two commits are imports of the libxslt and libxml2 code respectively and don't compile. And msxml3:domdoc does not crash with the previous commit (9a335d89d0cc).

-- 
Do not reply to this email, post in Bugzilla using the above URL to reply.
You are receiving this mail because:
You are watching all bug changes.
https://bugs.winehq.org/show_bug.cgi?id=52073

François Gouget <fgouget(a)codeweavers.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |regression, source, testcase
    Regression SHA1|                            |bca1b7f2faeb0798f4af420c15ff5a1b1f7b40af
https://bugs.winehq.org/show_bug.cgi?id=52073

Bernhard Übelacker <bernhardu(a)mailbox.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bernhardu(a)mailbox.org

--- Comment #1 from Bernhard Übelacker <bernhardu(a)mailbox.org> ---
Created attachment 71336
  --> https://bugs.winehq.org/attachment.cgi?id=71336
Backtraces from rr of pointer invalidation and the crash.

I tried to find out the reason for the crash and guess this is what happens:

In function xslt_doc_default_loader a pointer of the stack based variable "xmlParserInputPtr input" is given to bind_url.

Later in function import_loader_onDataAvailable this pointer appears as parameter "void *ctxt" which correctly gets cast to "xmlParserInputPtr *input", but in my opinion incorrectly given to xmlNewIOInputStream as parameter "xmlParserCtxtPtr ctxt".

In the next call to xmlNewInputStream this xmlParserCtxtPtr is used to increment the input_id member. By accident this input_id member contains the pointer which causes in xmlXPathNodeCollectAndTest the segfault.

Attached file contains the backtrace of the pointer invalidation and the crash.

This patch just gives a NULL to xmlNewInputStream, because ctxt is really a pointer to xmlParserInputPtr:
https://source.winehq.org/patches/data/222347
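The type confusion described in comment #1, reduced to a stand-alone C model. This is an added example, not code from Wine, libxml2 or the patch: the struct layouts and the names mock_parser_ctxt, mock_frame, mock_new_input_stream and neighbour_corrupted are hypothetical, and skipping the increment for a NULL context is an assumption implied by the fix.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Mock layouts for illustration, NOT libxml2's real structures. */
struct mock_parser_ctxt {          /* what the callee believes it received */
    void *unrelated[3];
    int   input_id;                /* bumped for every new input stream */
};

struct mock_frame {                /* stand-in for the caller's stack frame */
    void *input;                   /* the "xmlParserInputPtr input" local */
    void *neighbours[4];           /* whatever else lives next to it */
};

/* Models the increment described in comment #1. Byte copies keep the demo
 * well defined while touching the same bytes a ctxt->input_id++ would.
 * Assumption: a NULL context means there is nothing to increment. */
static void mock_new_input_stream(void *ctxt)
{
    unsigned char *field;
    unsigned int id;
    if (!ctxt)
        return;
    field = (unsigned char *)ctxt + offsetof(struct mock_parser_ctxt, input_id);
    memcpy(&id, field, sizeof id);
    id++;
    memcpy(field, &id, sizeof id);
}

/* Returns 1 if a neighbouring slot changed behind the caller's back. */
int neighbour_corrupted(int pass_null)
{
    static int target;
    struct mock_frame frame = { NULL, { &target, &target, &target, &target } };
    struct mock_frame before = frame;

    /* &frame is the address of frame.input: a pointer to a pointer slot,
     * handed over as an untyped context and misread as a parser context. */
    mock_new_input_stream(pass_null ? NULL : (void *)&frame);
    return memcmp(&frame, &before, sizeof frame) != 0;
}

int main(void)
{
    printf("confused ctxt: corrupted=%d\n", neighbour_corrupted(0));
    printf("NULL ctxt:     corrupted=%d\n", neighbour_corrupted(1));
    return 0;
}
```

The write lands in a neighbouring slot rather than in `input` itself, which is why the damage only surfaces later, in unrelated code that dereferences the altered pointer.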
https://bugs.winehq.org/show_bug.cgi?id=52073

Alexandre Julliard <julliard(a)winehq.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
      Fixed by SHA1|                            |2ef4cde8ef65800db480588edc0ea3da8f527b61
         Resolution|---                         |FIXED

--- Comment #2 from Alexandre Julliard <julliard(a)winehq.org> ---
Fixed by 2ef4cde8ef65800db480588edc0ea3da8f527b61, thanks Bernhard!
https://bugs.winehq.org/show_bug.cgi?id=52073

Alexandre Julliard <julliard(a)winehq.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #3 from Alexandre Julliard <julliard(a)winehq.org> ---
Closing bugs fixed in 7.0-rc3.