[Bug 43328] New: dotnet 4.5 applications crash in factory_get_cached_fontface
https://bugs.winehq.org/show_bug.cgi?id=43328

            Bug ID: 43328
           Summary: dotnet 4.5 applications crash in factory_get_cached_fontface
           Product: Wine
           Version: 2.12
          Hardware: x86
               URL: http://ashita.atom0s.com/
                OS: Linux
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: dwrite
          Assignee: wine-bugs(a)winehq.org
          Reporter: farmboy0+winehq(a)googlemail.com
      Distribution: ---

Created attachment 58670
  --> https://bugs.winehq.org/attachment.cgi?id=58670
wine backtrace

One sample application which exhibits this problem can be downloaded from the referenced url.

Steps to reproduce:
1. winetricks dotnet45 to a new prefix
2. Reset windows version to Windows 7 with winecfg
3. Run the application (Ashita.exe) with wine
4. The error will occur during auto-update

Wine backtrace is added as attachment.

Stacktrace from dotnet:

Unhandled Exception: System.AccessViolationException: Attempted to read or write protected memory. This is often an indication that other memory is corrupt.
   at MS.Internal.Text.TextInterface.Font.CreateFontFace()
   at MS.Internal.Text.TextInterface.Font.AddFontFaceToCache()
   at MS.Internal.Text.TextInterface.Font.GetFontFace()
   at MS.Internal.FontCache.FontFaceLayoutInfo.IntMap.TryGetValues(UInt32* pKeys, UInt32 characterCount, UInt16* pIndices)
   at System.Windows.Media.GlyphTypeface.GetGlyphMetricsAndIndicesOptimized(UInt32* pCodepoints, Int32 characterCount, Double emSize, UInt16[] glyphIndices, GlyphMetrics[] glyphMetrics, TextFormattingMode textFormattingMode, Boolean isSideways)
   at System.Windows.Media.GlyphTypeface.GetGlyphMetricsOptimized(CharacterBufferRange characters, Double emSize, UInt16[] glyphIndices, GlyphMetrics[] glyphMetrics, TextFormattingMode textFormattingMode, Boolean isSideways)
   at System.Windows.Media.TextFormatting.TextShapeableCharacters.GetAdvanceWidthsUnshaped(Char* characterString, Int32 characterLength, Double scalingFactor, Int32* advanceWidthsUnshaped)
   at MS.Internal.TextFormatting.LineServicesCallbacks.GetRunCharWidths(IntPtr pols, Plsrun plsrun, LsDevice device, Char* charString, Int32 stringLength, Int32 maxWidth, LsTFlow textFlow, Int32* charWidths, Int32& totalWidth, Int32& stringLengthFitted)
   at MS.Internal.TextFormatting.UnsafeNativeMethods.LoCreateLine(IntPtr ploc, Int32 cp, Int32 ccpLim, Int32 durColumn, UInt32 dwLineFlags, IntPtr pInputBreakRec, LsLInfo& plslinfo, IntPtr& pploline, Int32& maxDepth, LsLineWidths& lineWidths)
   at System.Windows.Media.TextFormatting.TextFormatterContext.CreateLine(Int32 cpFirst, Int32 lineLength, Int32 maxWidth, LineFlags lineFlags, IntPtr previousLineBreakRecord, IntPtr& ploline, LsLInfo& plslineInfo, Int32& maxDepth, LsLineWidths& lineWidths)
   at MS.Internal.TextFormatting.TextMetrics.FullTextLine.FormatLine(FullTextState fullText, Int32 cpFirst, Int32 lineLength, Int32 formatWidth, Int32 finiteFormatWidth, Int32 paragraphWidth, LineFlags lineFlags, FormattedTextSymbols collapsingSymbol)
   at MS.Internal.TextFormatting.TextFormatterImp.FormatLineInternal(TextSource textSource, Int32 firstCharIndex, Int32 lineLength, Double paragraphWidth, TextParagraphProperties paragraphProperties, TextLineBreak previousLineBreak, TextRunCache textRunCache)
   at MS.Internal.TextFormatting.TextFormatterImp.FormatLine(TextSource textSource, Int32 firstCharIndex, Double paragraphWidth, TextParagraphProperties paragraphProperties, TextLineBreak previousLineBreak, TextRunCache textRunCache)
   at MS.Internal.Text.Line.Format(Int32 dcp, Double width, TextParagraphProperties lineProperties, TextLineBreak textLineBreak, TextRunCache textRunCache, Boolean showParagraphEllipsis)
   at System.Windows.Controls.TextBlock.MeasureOverride(Size constraint)
   at System.Windows.FrameworkElement.MeasureCore(Size availableSize)
   at System.Windows.UIElement.Measure(Size availableSize)
   at System.Windows.ContextLayoutManager.UpdateLayout()
   at System.Windows.ContextLayoutManager.UpdateLayoutCallback(Object arg)
   at System.Windows.Media.MediaContext.InvokeOnRenderCallback.DoWork()
   at System.Windows.Media.MediaContext.FireInvokeOnRenderCallbacks()
   at System.Windows.Media.MediaContext.RenderMessageHandlerCore(Object resizedCompositionTarget)
   at System.Windows.Media.MediaContext.RenderMessageHandler(Object resizedCompositionTarget)
   at System.Windows.Threading.ExceptionWrapper.InternalRealCall(Delegate callback, Object args, Int32 numArgs)
   at MS.Internal.Threading.ExceptionFilterHelper.TryCatchWhen(Object source, Delegate method, Object args, Int32 numArgs, Delegate catchHandler)
   at System.Windows.Threading.DispatcherOperation.InvokeImpl()
   at System.Windows.Threading.DispatcherOperation.InvokeInSecurityContext(Object state)
   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Windows.Threading.DispatcherOperation.Invoke()
   at System.Windows.Threading.Dispatcher.ProcessQueue()
   at System.Windows.Threading.Dispatcher.WndProcHook(IntPtr hwnd, Int32 msg, IntPtr wParam, IntPtr lParam, Boolean& handled)
   at MS.Win32.HwndWrapper.WndProc(IntPtr hwnd, Int32 msg, IntPtr wParam, IntPtr lParam, Boolean& handled)
   at MS.Win32.HwndSubclass.DispatcherCallbackOperation(Object o)
   at System.Windows.Threading.ExceptionWrapper.InternalRealCall(Delegate callback, Object args, Int32 numArgs)
   at MS.Internal.Threading.ExceptionFilterHelper.TryCatchWhen(Object source, Delegate method, Object args, Int32 numArgs, Delegate catchHandler)
   at System.Windows.Threading.Dispatcher.LegacyInvokeImpl(DispatcherPriority priority, TimeSpan timeout, Delegate method, Object args, Int32 numArgs)
   at MS.Win32.HwndSubclass.SubclassWndProc(IntPtr hwnd, Int32 msg, IntPtr wParam, IntPtr lParam)
   at MS.Win32.UnsafeNativeMethods.DispatchMessage(MSG& msg)
   at System.Windows.Threading.Dispatcher.PushFrameImpl(DispatcherFrame frame)
   at System.Windows.Threading.Dispatcher.PushFrame(DispatcherFrame frame)
   at System.Windows.Application.RunDispatcher(Object ignore)
   at System.Windows.Application.RunInternal(Window window)
   at System.Windows.Application.Run(Window window)
   at System.Windows.Application.Run()
   at Ashita.App.Main()

--
Do not reply to this email, post in Bugzilla using the above URL to reply.
You are receiving this mail because:
You are watching all bug changes.

https://bugs.winehq.org/show_bug.cgi?id=43328

Nikolay Sivov <bunglehead(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Depends on|                            |42701

--- Comment #1 from Nikolay Sivov <bunglehead(a)gmail.com> ---
I don't know if 4.5 is a valid test case at this point, because it crashes constantly, see bug 42701. With Win7 version it goes further but still crashes a lot in the background. I think this crash should be addressed first.

https://bugs.winehq.org/show_bug.cgi?id=43328

--- Comment #2 from Nikolay Sivov <bunglehead(a)gmail.com> ---
Assuming CLR crash is not critical, this looks like a case of use-after-free:

---
0097:trace:dwrite:dwritefontface_GetDesignGlyphMetrics (0x6cad4a0)->(0x1a0dace 1 0x33e454 0)
009a:trace:dwrite:glyphrunanalysis_Release (0x6c3dd90)->(0)
009a:trace:dwrite:dwritefont_Release (0x6c6aab0)->(7)
009a:trace:dwrite:dwritefont_Release (0x6c6aab0)->(6)
009a:trace:dwrite:dwritefontface_Release (0x6cad4a0)->(1)
0097:trace:dwrite:dwritefontface_Release (0x6cad4a0)->(0)
009a:trace:dwrite:dwritefont_CreateFontFace (0x6c6aab0)->(0x5c4e59c)
009a:trace:dwrite:dwritefont3_CreateFontFace (0x6c6aab0)->(0x5c4e59c)
009a:trace:dwrite:dwritefontfile_GetReferenceKey (0x3b08e78)->(0x5c4e43c, 0x5c4e438)
009a:trace:dwrite:dwritefontfile_GetLoader (0x3b08e78)->(0x5c4e434)
009a:trace:dwrite:localfontfileloader_AddRef (0x3ae8708)->(580)
009a:trace:dwrite:localfontfileloader_Release (0x3ae8708)->(579)
009a:trace:dwrite:dwritefontface_GetIndex (0x6cad4a0)
009a:trace:dwrite:dwritefontface_GetSimulations (0x6cad4a0)
009a:trace:dwrite:dwritefontface_GetFiles (0x6cad4a0)->(0x5c4e444 0x5c4e44c)
009a:trace:dwrite:dwritefontface_GetFiles file 0x3b08e78
009a:trace:dwrite:dwritefontfile_AddRef (0x3b08e78)->(6)
009a:trace:dwrite:dwritefontfile_GetReferenceKey (0x3b08e78)->(0x5c4e448, 0x5c4e440)
009a:trace:dwrite:dwritefontfile_Release (0x3b08e78/0x3b08e78)->(5)
009a:trace:dwrite:factory_get_cached_fontface returning cached fontface 0x6cad4a0
009a:trace:dwrite:dwritefontface_AddRef (0x6cad4a0)->(1)
009a:trace:dwrite:dwritefont_AddRef (0x6c6aab0)->(7)
009a:trace:dwrite:dwritefontface_AddRef (0x6cad4a0)->(2)
---

https://bugs.winehq.org/show_bug.cgi?id=43328

--- Comment #3 from farmboy0+winehq(a)googlemail.com ---
I think the problem is unsynchronized access to the cached fontfaces:

0037:trace:dwrite:dwritefontface_AddRef (0x14458b68)->(2)
0037:trace:dwrite:dwritefontface_GetRecommendedRenderingMode (0x14458b68)->(12.00 1.00 1 0x1b88c0 0x5b5e558)
0037:trace:dwrite:dwritefontface_TryGetFontTable (0x14458b68)->("gasp" 0x14458bf0 0x14458bf8 0x14458bf4 0x14458bfc)
0037:trace:dwrite:dwritefontface_Release (0x14458b68)->(1)
0037:trace:dwrite:dwritefontface_Release (0x14458b68)->(0)
0009:trace:dwrite:dwritefontface_GetIndex (0x14458b68)
0009:trace:dwrite:dwritefontface_GetSimulations (0x14458b68)
0009:trace:dwrite:dwritefontface_GetFiles (0x14458b68)->(0x33a960 0x33a968)
0037:trace:dwrite:dwritefontface_GetFiles (0x14458b68)->(0x5b5e288 0x5b5e280)
0037:trace:dwrite:dwritefontface_GetIndex (0x14458b68)
0037:trace:dwrite:dwritefontface_TryGetFontTable (0x14458b68)->("GSUB" 0x5b5e380 0x5b5e388 0x5b5e384 0x5b5e37c)
0037:trace:dwrite:dwritefontface_ReleaseFontTable (0x14458b68)->((nil))
0037:trace:dwrite:dwritefontface_TryGetFontTable (0x14458b68)->("glyf" 0x5b5e320 0x5b5e328 0x5b5e324 0x5b5e31c)
0037:trace:dwrite:dwritefontface_ReleaseFontTable (0x14458b68)->((nil))
0037:trace:dwrite:dwritefontface_TryGetFontTable (0x14458b68)->("CFF " 0x5b5e320 0x5b5e328 0x5b5e324 0x5b5e31c)
0037:trace:dwrite:dwritefontface_TryGetFontTable (0x14458b68)->("COLR" 0x5b5e320 0x5b5e328 0x5b5e324 0x5b5e31c)
0037:trace:dwrite:dwritefontface_TryGetFontTable (0x14458b68)->("SVG " 0x5b5e320 0x5b5e328 0x5b5e324 0x5b5e31c)
0037:trace:dwrite:dwritefontface_TryGetFontTable (0x14458b68)->("sbix" 0x5b5e320 0x5b5e328 0x5b5e324 0x5b5e31c)

0009 is the thread calling factory_get_cached_fontface while 0037 is in the process of releasing the font face for good.
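
The check that comments #2 and #3 make by eye, as an added example that is not part of the bug thread or of Wine: scan a dwrite trace for any call on an object after a Release on it returned 0. The function name is this example's own, the sample lines are excerpted from the trace in comment #2, and a new allocation that reuses the same address would also be flagged (an assumption of this simple check).

```python
import re

# "tid:trace:dwrite:function rest", the line format of the traces in this thread
LINE_RE = re.compile(r"^([0-9a-f]{4}):trace:dwrite:(\w+) (.*)$")
THIS_RE = re.compile(r"^\((0x[0-9a-f]+)")          # "(this" on method calls
CACHED_RE = re.compile(r"returning cached fontface (0x[0-9a-f]+)")
COUNT_RE = re.compile(r"->\((\d+)\)$")             # refcount printed by Release

# Excerpt of the trace posted in comment #2 (not constructed data).
SAMPLE = [
    "0097:trace:dwrite:dwritefontface_GetDesignGlyphMetrics (0x6cad4a0)->(0x1a0dace 1 0x33e454 0)",
    "009a:trace:dwrite:dwritefontface_Release (0x6cad4a0)->(1)",
    "0097:trace:dwrite:dwritefontface_Release (0x6cad4a0)->(0)",
    "009a:trace:dwrite:dwritefontface_GetIndex (0x6cad4a0)",
    "009a:trace:dwrite:factory_get_cached_fontface returning cached fontface 0x6cad4a0",
    "009a:trace:dwrite:dwritefontface_AddRef (0x6cad4a0)->(1)",
]

def find_use_after_release(lines):
    """Return (line_no, tid, func, ptr, releasing_tid) for every call that
    touches an object whose reference count already dropped to 0."""
    dead = {}        # ptr -> thread id that released the last reference
    findings = []
    for no, raw in enumerate(lines, 1):
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        tid, func, rest = m.groups()
        obj = THIS_RE.match(rest) or CACHED_RE.search(rest)
        if not obj:
            continue
        ptr = obj.group(1)
        if ptr in dead:
            findings.append((no, tid, func, ptr, dead[ptr]))
            # An AddRef on a dead object "resurrects" it; stop tracking so
            # later calls on it are not reported again.
            if func.endswith("_AddRef"):
                del dead[ptr]
            continue
        count = COUNT_RE.search(rest)
        if func.endswith("_Release") and count and count.group(1) == "0":
            dead[ptr] = tid
    return findings

if __name__ == "__main__":
    for no, tid, func, ptr, by in find_use_after_release(SAMPLE):
        print(f"line {no}: thread {tid} calls {func} on {ptr}, "
              f"released to 0 by thread {by}")
```

A finding whose calling thread differs from the releasing thread, as in both traces above, points at the cache lookup racing with the final Release.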

https://bugs.winehq.org/show_bug.cgi?id=43328

Nikolay Sivov <bunglehead(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
     Ever confirmed|0                           |1
           Assignee|wine-bugs(a)winehq.org      |bunglehead(a)gmail.com

--- Comment #4 from Nikolay Sivov <bunglehead(a)gmail.com> ---
I was hoping addd8e69ff09e8620aa3c9c2120d2161df478ac2 would help, but it didn't. So yes, now it looks like a concurrency issue. I'll take a closer look.

https://bugs.winehq.org/show_bug.cgi?id=43328

Anton Romanov <theli.ua(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |theli.ua(a)gmail.com

https://bugs.winehq.org/show_bug.cgi?id=43328

--- Comment #5 from Anton Romanov <theli.ua(a)gmail.com> ---
Just protecting get/release cached fontface fixes this for me
EG: https://github.com/theli-ua/wine/commit/178104b59b0415fd24f48a14f921a30d03fc...

Not sure if this solution is acceptable, if yes I can just send this to wine-patches I guess

I was testing this with "Magic The Gathering: Online" that is a .net 4.5.2 app that was constantly crashing for me in get_cached_fontface before the patch

https://bugs.winehq.org/show_bug.cgi?id=43328

--- Comment #6 from Anton Romanov <theli.ua(a)gmail.com> ---
*** Bug 43487 has been marked as a duplicate of this bug. ***

https://bugs.winehq.org/show_bug.cgi?id=43328

Alistair Leslie-Hughes <leslie_alistair(a)hotmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |leslie_alistair(a)hotmail.com

--- Comment #7 from Alistair Leslie-Hughes <leslie_alistair(a)hotmail.com> ---
(In reply to Anton Romanov from comment #5)
> Just protecting get/release cached fontface fixes this for me
> EG: https://github.com/theli-ua/wine/commit/178104b59b0415fd24f48a14f921a30d03fcef3e

Can you please attach the patch? (just so it's not lost)

https://bugs.winehq.org/show_bug.cgi?id=43328

--- Comment #8 from Anton Romanov <theli.ua(a)gmail.com> ---
(In reply to Alistair Leslie-Hughes from comment #7)
> Can you please attach the patch? (just so it's not lost)

That one is more of a duct tape fix. I haven't yet looked closely at that cache implementation and this was just to verify if race condition is indeed what's causing this. For example this one does not protect insertion to the cache I think. Once I have time to work on the proper patch I'll give it a shot and submit it to wine-patches. That is unless nsivov or someone else beats me to it.

https://bugs.winehq.org/show_bug.cgi?id=43328

Omar Pakker <wine(a)opakker.nl> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |wine(a)opakker.nl

https://bugs.winehq.org/show_bug.cgi?id=43328

--- Comment #9 from Nikolay Sivov <bunglehead(a)gmail.com> ---
Please retest with 2.15, it seems to work for me now.

https://bugs.winehq.org/show_bug.cgi?id=43328

--- Comment #10 from farmboy0+winehq(a)googlemail.com ---
LGTM

https://bugs.winehq.org/show_bug.cgi?id=43328

--- Comment #11 from Omar Pakker <wine(a)opakker.nl> ---
Testing an application that had this issue as well and it is also solved for me with 2.15.

https://bugs.winehq.org/show_bug.cgi?id=43328

Nikolay Sivov <bunglehead(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED
      Fixed by SHA1|                            |fb5079d887036ea35c8aa8dabdbd126c4df52dab
           Assignee|bunglehead(a)gmail.com      |wine-bugs(a)winehq.org

--- Comment #12 from Nikolay Sivov <bunglehead(a)gmail.com> ---
Marking fixed, fb5079d887036ea35c8aa8dabdbd126c4df52dab.

https://bugs.winehq.org/show_bug.cgi?id=43328

Alexandre Julliard <julliard(a)winehq.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #13 from Alexandre Julliard <julliard(a)winehq.org> ---
Closing bugs fixed in 2.16.

https://bugs.winehq.org/show_bug.cgi?id=43328

Bug 43328 depends on bug 42701, which changed state.

Bug 42701 Summary: Multiple apps and games using MS .NET Framework 4.x need api-ms-win-core-winrt-roparameterizediid-l1-1-0.dll.RoGetParameterizedTypeInstanceIID (Mafia III, Daylight)
https://bugs.winehq.org/show_bug.cgi?id=42701

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED