[Bug 50801] New: Wine Mono crashes on macOS
https://bugs.winehq.org/show_bug.cgi?id=50801

            Bug ID: 50801
           Summary: Wine Mono crashes on macOS
           Product: Wine
           Version: 6.4
          Hardware: x86-64
                OS: Mac OS X
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mscoree
          Assignee: wine-bugs(a)winehq.org
          Reporter: madewokherd(a)gmail.com

Running the csc.exe shipped with Wine Mono on macOS 11.2.1 crashes with:

0024:err:virtual:virtual_setup_exception stack overflow 1456 bytes in thread 0024 addr 0x7bc2bd61 stack 0x130a50 (0x130000-0x131000-0x230000)
From a +relay,+seh log, trimmed by thread:
0024:Call msvcrt.memcpy(0022dec0,02950f35,00000010) ret=1801013e1
0024:Ret msvcrt.memcpy() retval=0022dec0 ret=1801013e1
0024:trace:seh:dispatch_exception code=c0000005 flags=0 addr=0000000002951170 ip=0000000002951170 tid=0024
0024:trace:seh:dispatch_exception info[0]=0000000000000001
0034:Call KERNEL32.HeapFree(00020000,00000000,000b96f0) ret=68765c83
0024:trace:seh:dispatch_exception info[1]=0000000000000498
0024:warn:seh:dispatch_exception EXCEPTION_ACCESS_VIOLATION exception (code=c0000005) raised
0024:trace:seh:dispatch_exception rax=0000000000000498 rbx=0000000000000000 rcx=0000000000000001 rdx=0000000000000010
0024:trace:seh:dispatch_exception rsi=0000000000000010 rdi=0000000000a24dd0 rbp=000000000022e2c0 rsp=000000000022e270
0024:trace:seh:dispatch_exception r8=000000000022e5f0 r9=0000000002950f00 r10=000000000000000a r11=0000000002950f64
0024:trace:seh:dispatch_exception r12=0000000000a32e88 r13=000000000022e928 r14=000000000022e5f0 r15=0000000000000000
0024:trace:seh:call_vectored_handlers calling handler at 00000001801038F0 code=c0000005 flags=0

I haven't been able to get winedbg working well enough to give me any real information, but that memcpy call is from the end of mono_breakpoint_clean_code.

I also got this from WINE_MONO_VERBOSE=1:

Method (wrapper alloc) object object:AllocSmall (intptr,intptr) emitted at 0000000002951110 to 000000000295123b (code length 299) [csc.exe]

So we're crashing on access to JIT-compiled code. There's probably a way to tell from the +seh log whether that's on execute access, but I'm just going to assume it is.

--
Do not reply to this email, post in Bugzilla using the above URL to reply.
You are receiving this mail because:
You are watching all bug changes.
Esme Povirk <madewokherd(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |download, source, testcase
Esme Povirk <madewokherd(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |madewokherd(a)gmail.com
Zebediah Figura <z.figura12(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |z.figura12(a)gmail.com

--- Comment #1 from Zebediah Figura <z.figura12(a)gmail.com> ---
(In reply to Esme Povirk from comment #0)
> So we're crashing on access to JIT-compiled code. There's probably a way to
> tell from the +seh log whether that's on execute access, but I'm just going
> to assume it is.

You can tell from info[0]—0 is read, 1 is write, 8 is execute. It looks like it's trying to write into (%rax).
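An added helper for reading this kind of Wine +seh trace; it is not code from the bug thread, Wine or Wine Mono. It parses the dispatch_exception lines for one thread, decodes info[0] with the read/write/execute mapping given in this comment, and checks whether the faulting ip falls inside the method range that WINE_MONO_VERBOSE reported. The log lines are copied from the report and embedded as constructed sample input.

```python
import re

# Constructed sample input: the dispatch_exception lines quoted in this bug (thread 0024,
# with the interleaved thread 0034 line kept) and the WINE_MONO_VERBOSE method line.
SEH_LOG = """\
0024:trace:seh:dispatch_exception code=c0000005 flags=0 addr=0000000002951170 ip=0000000002951170 tid=0024
0024:trace:seh:dispatch_exception info[0]=0000000000000001
0034:Call KERNEL32.HeapFree(00020000,00000000,000b96f0) ret=68765c83
0024:trace:seh:dispatch_exception info[1]=0000000000000498
0024:trace:seh:dispatch_exception rax=0000000000000498 rbx=0000000000000000 rcx=0000000000000001 rdx=0000000000000010
"""
MONO_VERBOSE = ("Method (wrapper alloc) object object:AllocSmall (intptr,intptr) "
                "emitted at 0000000002951110 to 000000000295123b (code length 299) [csc.exe]")

# EXCEPTION_ACCESS_VIOLATION: ExceptionInformation[0] is the access kind,
# ExceptionInformation[1] is the address that was accessed.
ACCESS_KIND = {0: "read", 1: "write", 8: "execute"}

EXC_RE = re.compile(r"^(?P<tid>[0-9a-f]{4}):trace:seh:dispatch_exception (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+(?:\[\d+\])?)=([0-9a-f]+)")
JIT_RE = re.compile(r"^Method (?P<name>.+?) emitted at (?P<start>[0-9a-f]+) to (?P<end>[0-9a-f]+)")

def parse_exception(log, tid):
    """Merge the key=value fields of one thread's dispatch_exception lines (hex -> int)."""
    fields = {}
    for line in log.splitlines():
        m = EXC_RE.match(line)
        if not m or m.group("tid") != tid:
            continue  # a +relay log interleaves other threads; skip their lines
        for key, val in KV_RE.findall(m.group("rest")):
            fields[key] = int(val, 16)
    return fields

def parse_jit_method(line):
    """Return (name, start, end) for a WINE_MONO_VERBOSE 'emitted at' line, or None."""
    m = JIT_RE.match(line)
    return (m.group("name"), int(m.group("start"), 16), int(m.group("end"), 16)) if m else None

def classify(fields, jit=None):
    """Describe an access violation: access kind, target address, and whether ip is JIT code."""
    if fields.get("code") != 0xC0000005:
        return None
    ip = fields.get("ip")
    in_jit = jit is not None and ip is not None and jit[1] <= ip < jit[2]
    return {"access": ACCESS_KIND.get(fields.get("info[0]"), "unknown"),
            "target": fields.get("info[1]"), "ip": ip,
            "in_jit": in_jit, "method": jit[0] if in_jit else None}
```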
--- Comment #2 from Esme Povirk <madewokherd(a)gmail.com> ---
Yep, looks like the crashing instruction is a movl %ecx,(%rax).

From disassembling the function:

0x000000000295115b: movq %gs:0x00000000000014e8,%r15
0x0000000002951164: leaq 0x0000000000000498(%r15),%rax
0x000000000295116b: movl $0x200000001,%rcx
0x0000000002951170: movl %ecx,(%rax)

So it has to do with our inability to set %gs maybe?
--- Comment #3 from Esme Povirk <madewokherd(a)gmail.com> ---
Setting MONO_DEBUG=use-fallback-tls works around this, probably at a performance penalty. Is there some way we could detect this situation and apply the work-around on macOS only?
--- Comment #4 from Esme Povirk <madewokherd(a)gmail.com> ---
I guess another possibility would be to tweak the generated code to go through TIB.Self which should work per https://stackoverflow.com/questions/53244454/how-did-wine64-manage-to-handle...
--- Comment #5 from Esme Povirk <madewokherd(a)gmail.com> ---
Fix pushed using the approach of going through TIB.Self, bug can be resolved once this is in a release: https://github.com/madewokherd/mono/commit/4882fc51621b60f26809db20b73a6c5dd...
Esme Povirk <madewokherd(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
      Fixed by SHA1|                            |2c94b7a609fe40a79ea30096bdb2dcac4198069e
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #6 from Esme Povirk <madewokherd(a)gmail.com> ---
Fixed in Wine Mono 6.1.1.
Alexandre Julliard <julliard(a)winehq.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #7 from Alexandre Julliard <julliard(a)winehq.org> ---
Closing bugs fixed in 6.7.