https://bugs.winehq.org/show_bug.cgi?id=38810
Anastasius Focht focht@gmx.net changed:
What        |Removed                          |Added
----------------------------------------------------------------------------
Keywords    |                                 |download, win64
Status      |UNCONFIRMED                      |RESOLVED
URL         |                                 |http://netstorage.unity3d.com/unity/2046fc06d4d8/Windows64EditorInstaller/UnitySetup64-5.1.1f1.exe
CC          |                                 |focht@gmx.net
Resolution  |---                              |DUPLICATE
Summary     |Unable to run Unity3D v5.1.1f1   |64-bit Unity3D v5.1.1f1 chromium helper process crashes on startup (stack pointer (RSP) must be 16-byte aligned when making a call to Win64 API)
--- Comment #1 from Anastasius Focht focht@gmx.net ---
Hello folks,
confirming.
The 64-bit libcef (Chromium Embedded Framework) is broken, dupe of bug 27680
CEF release: cef_2062_1930 x64
--- snip ---
Unhandled exception: page fault in 64-bit code (0x00007ff53330fe80).
Register dump:
 rip:00007ff53330fe80 rsp:000000000023db08 rbp:000000000023dd88 eflags:00010202 (  R- --  I   - - - )
 rax:000000007b86f2a8 rbx:000000000000f000 rcx:ffffffffffffffff rdx:000000000023ddc8
 rsi:000002fdb0601080 rdi:0000000000000000 r8:0000000000000000 r9:000000000023ddf8 r10:0000000182e06ab0
 r11:000000000023df30 r12:000000000023f300 r13:0000000000000000 r14:0000000000000000 r15:0000000182e082d0
Stack dump:
0x000000000023db08:  0000000180137955 0000000000000000
0x000000000023db18:  0000000000000000 0000000000000000
0x000000000023db28:  ff00ffff00000000 0000000000620180
0x000000000023db38:  0000000180134923 0000000000620180
0x000000000023db48:  0000000182de9cb0 000000000023dd30
0x000000000023db58:  000000018012dca9 000000000023dd30
0x000000000023db68:  0000000180b45614 000000000023dd30
0x000000000023db78:  0000000000000004 0000000000000030
0x000000000023db88:  000000018012ce27 000000000001462f
0x000000000023db98:  00000000005c1300 00000000005c1000
0x000000000023dba8:  00000000005c1000 000000000295c000
0x000000000023dbb8:  000000018012ff04 00000000005c1000
Backtrace:
=>0 0x00007ff53330fe80 NtAllocateVirtualMemory+0xd(process=0x180b9e3ac, ret=0x182654288, zero_bits=0x6ae000, size_ptr=0x18263ff00, type=0x1000, protect=0x4) [/home/focht/projects/wine/wine.repo/src/dlls/ntdll/virtual.c:1905] in ntdll (0x000000000023dd88)
  1 0x000000007b8ef06a VirtualAllocEx+0x51(hProcess=0xffffffffffffffff, addr=0x2fdb0610000, size=0xf000, type=0x1000, protect=0x4) [/home/focht/projects/wine/wine.repo/src/dlls/kernel32/virtual.c:95] in kernel32 (0x000000000023ddd8)
  2 0x000000007b8ef016 VirtualAlloc+0x42(addr=0x2fdb0610000, size=0xf000, type=0x1000, protect=0x4) [/home/focht/projects/wine/wine.repo/src/dlls/kernel32/virtual.c:68] in kernel32 (0x000000000023de18)
  3 0x00000001809fd7a6 in libcef (+0x9fd7a5) (0x0000000182e06ab0)
  4 0x00000001809f89fe in libcef (+0x9f89fd) (0x0000000182e06ab0)
  5 0x00000001809ebb52 in libcef (+0x9ebb51) (0x0000000000000000)
  6 0x0000000180ec3fcd in libcef (+0xec3fcc) (0x0000000000000000)
  7 0x0000000181685904 in libcef (+0x1685903) (0x0000000000000000)
  8 0x00000001821de276 in libcef (+0x21de275) (0x0000000000000000)
  9 0x00000001821de7b5 in libcef (+0x21de7b4) (0x000000000023e140)
  10 0x0000000180039805 in libcef (+0x39804) (0x000000000023e140)
0x00007ff53330fe80 NtAllocateVirtualMemory+0xd [/home/focht/projects/wine/wine.repo/src/dlls/ntdll/virtual.c:1905] in ntdll: 1905 {
Modules:
Module    Address               Debug info  Name (129 modules)
PE          1a00000-   2469000  Deferred    pdf
PE          2770000-   2915000  Deferred    ffmpegsumo
ELF        7b800000-  7bcda000  Dwarf       kernel32<elf>
  \-PE     7b860000-  7bcda000  \           kernel32
ELF        7be00000-  7c103000  Deferred    <wine-loader>
PE        140000000- 14004d000  Deferred    unityhelper
PE        180000000- 1831c3000  Export      libcef
...
Threads:
process  tid      prio (all id:s are in hex)
...
00000045 (D) C:\Program Files\Unity\Editor\UnityHelper.exe
  0000004d    0
  0000004c    0
  0000004b    0
  0000004a    0
  00000049    0
  00000048    0
  00000009    0
  0000000b    0
  00000046    0 <==
--- snip ---
Unaligned memory access with SSE instruction from code at 00007F7ADCD6FE80
Source: dlls/ntdll/virtual.c:1905
NtAllocateVirtualMemory:
--- snip ---
00007F7ADCD6FE73  55                         push rbp
00007F7ADCD6FE74  48 89 E5                   mov rbp,rsp
00007F7ADCD6FE77  57                         push rdi
00007F7ADCD6FE78  56                         push rsi
00007F7ADCD6FE79  48 81 EC 70 02 00 00       sub rsp,270
00007F7ADCD6FE80  0F 29 B5 50 FF FF FF       movaps dqword ptr ss:[rbp-B0],xmm6
00007F7ADCD6FE87  0F 29 BD 60 FF FF FF       movaps dqword ptr ss:[rbp-A0],xmm7
00007F7ADCD6FE8E  44 0F 29 85 70 FF FF FF    movaps dqword ptr ss:[rbp-90],xmm8
00007F7ADCD6FE96  44 0F 29 4D 80             movaps dqword ptr ss:[rbp-80],xmm9
00007F7ADCD6FE9B  44 0F 29 55 90             movaps dqword ptr ss:[rbp-70],xmm10
00007F7ADCD6FEA0  44 0F 29 5D A0             movaps dqword ptr ss:[rbp-60],xmm11
00007F7ADCD6FEA5  44 0F 29 65 B0             movaps dqword ptr ss:[rbp-50],xmm12
00007F7ADCD6FEAA  44 0F 29 6D C0             movaps dqword ptr ss:[rbp-40],xmm13
00007F7ADCD6FEAF  44 0F 29 75 D0             movaps dqword ptr ss:[rbp-30],xmm14
00007F7ADCD6FEB4  44 0F 29 7D E0             movaps dqword ptr ss:[rbp-20],xmm15
00007F7ADCD6FEB9  48 89 4D 10                mov qword ptr ss:[rbp+10],rcx
00007F7ADCD6FEBD  48 89 55 18                mov qword ptr ss:[rbp+18],rdx
00007F7ADCD6FEC1  44 89 45 20                mov dword ptr ss:[rbp+20],r8d
00007F7ADCD6FEC5  4C 89 4D 28                mov qword ptr ss:[rbp+28],r9
00007F7ADCD6FEC9  48 8B 45 28                mov rax,qword ptr ss:[rbp+28]
00007F7ADCD6FECD  48 8B 00                   mov rax,qword ptr ds:[rax]
00007F7ADCD6FED0  48 89 85 40 FF FF FF       mov qword ptr ss:[rbp-C0],rax
00007F7ADCD6FED7  8B 45 20                   mov eax,dword ptr ss:[rbp+20]
00007F7ADCD6FEDA  89 C7                      mov edi,eax
00007F7ADCD6FEDC  48 B8 7D A8 D6 DC 7A 7F .  mov rax,<get_mask>
00007F7ADCD6FEE6  FF D0                      call rax
...
--- snip ---
To check that Wine isn't at fault here, we traverse the caller chain backwards.
Just in case someone notices the prolog code (unrelated to this bug): I've been running '-fno-PIC' Wine builds for some time now with good results.
Source: dlls/kernel32/virtual.c:91
VirtualAllocEx:
--- snip ---
000000007B8EF018  55                         push rbp
000000007B8EF019  48 89 E5                   mov rbp,rsp
000000007B8EF01C  48 83 EC 40                sub rsp,40
000000007B8EF020  48 89 4D 10                mov qword ptr ss:[rbp+10],rcx
000000007B8EF024  48 89 55 18                mov qword ptr ss:[rbp+18],rdx
000000007B8EF028  4C 89 45 20                mov qword ptr ss:[rbp+20],r8
000000007B8EF02C  44 89 4D 28                mov dword ptr ss:[rbp+28],r9d
000000007B8EF030  48 8B 45 18                mov rax,qword ptr ss:[rbp+18]
000000007B8EF034  48 89 45 F0                mov qword ptr ss:[rbp-10],rax
000000007B8EF038  48 8D 4D 20                lea rcx,qword ptr ss:[rbp+20]
000000007B8EF03C  48 8D 45 F0                lea rax,qword ptr ss:[rbp-10]
000000007B8EF040  8B 55 30                   mov edx,dword ptr ss:[rbp+30]
000000007B8EF043  89 54 24 28                mov dword ptr ss:[rsp+28],edx
000000007B8EF047  8B 55 28                   mov edx,dword ptr ss:[rbp+28]
000000007B8EF04A  89 54 24 20                mov dword ptr ss:[rsp+20],edx
000000007B8EF04E  49 89 C9                   mov r9,rcx
000000007B8EF051  41 B8 00 00 00 00          mov r8d,0
000000007B8EF057  48 89 C2                   mov rdx,rax
000000007B8EF05A  48 8B 4D 10                mov rcx,qword ptr ss:[rbp+10]
000000007B8EF05E  48 B8 A8 F2 86 7B 00 00 .  mov rax,<NtAllocateVirtualMemory>
000000007B8EF068  FF D0                      call rax
...
--- snip ---
Source: dlls/kernel32/virtual.c:67
VirtualAlloc:
--- snip ---
000000007B8EEFD3  55                         push rbp
000000007B8EEFD4  48 89 E5                   mov rbp,rsp
000000007B8EEFD7  48 83 EC 30                sub rsp,30
000000007B8EEFDB  48 89 4D 10                mov qword ptr ss:[rbp+10],rcx
000000007B8EEFDF  48 89 55 18                mov qword ptr ss:[rbp+18],rdx
000000007B8EEFE3  44 89 45 20                mov dword ptr ss:[rbp+20],r8d
000000007B8EEFE7  44 89 4D 28                mov dword ptr ss:[rbp+28],r9d
000000007B8EEFEB  8B 4D 20                   mov ecx,dword ptr ss:[rbp+20]
000000007B8EEFEE  48 8B 55 18                mov rdx,qword ptr ss:[rbp+18]
000000007B8EEFF2  8B 45 28                   mov eax,dword ptr ss:[rbp+28]
000000007B8EEFF5  89 44 24 20                mov dword ptr ss:[rsp+20],eax
000000007B8EEFF9  41 89 C9                   mov r9d,ecx
000000007B8EEFFC  49 89 D0                   mov r8,rdx
000000007B8EEFFF  48 8B 55 10                mov rdx,qword ptr ss:[rbp+10]
000000007B8EF003  48 C7 C1 FF FF FF FF       mov rcx,FFFFFFFFFFFFFFFF
000000007B8EF00A  48 B8 18 F0 8E 7B 00 00 .  mov rax,<VirtualAllocEx>
000000007B8EF014  FF D0                      call rax
000000007B8EF016  C9                         leave
000000007B8EF017  C3                         ret
--- snip ---
The caller (libcef):
--- snip ---
00000001809FD790  48 83 EC 28          sub rsp,28
00000001809FD794  41 B9 04 00 00 00    mov r9d,4
00000001809FD79A  41 B8 00 10 00 00    mov r8d,1000
00000001809FD7A0  FF 15 9A B6 AD 01    call qword ptr ds:[<&VirtualAlloc>]
00000001809FD7A6  48 85 C0             test rax,rax
00000001809FD7A9  75 07                jnz 1809FD7B2
00000001809FD7AB  48 83 C4 28          add rsp,28
00000001809FD7AF  48 FF E0             jmp rax
00000001809FD7B2  48 83 C4 28          add rsp,28
00000001809FD7B6  C3                   ret
--- snip ---
rbp from the backtrace fault context = 0x23dd88
rbp-0xb0 = 0x23dcd8 -> memory address not 16-byte aligned for SSE instructions
Using the disassembly of the prolog code we can calculate the original stack pointer values backwards up to the caller:

frame 0: 0x23dd88 + 8 (rbp) + 8 (rip, ret_addr) = 0x23dd98
frame 1: 0x23dd98 + 0x40 (stack vars) + 8 (rbp) + 8 (rip, ret_addr) = 0x23dde8
frame 2: 0x23dde8 + 0x30 (stack vars) + 8 (rbp) + 8 (rip, ret_addr) = 0x23de28

At the time the call instruction is executed, the stack has to be 16-byte aligned.
$ sha1sum UnitySetup64-5.1.1f1.exe
0cec27b0aa84bea4f8bb100051a6205f06abb638  UnitySetup64-5.1.1f1.exe

$ du -sh UnitySetup64-5.1.1f1.exe
1.3G    UnitySetup64-5.1.1f1.exe

$ wine --version
wine-1.7.45-213-g4f3acf3
Regards
*** This bug has been marked as a duplicate of bug 27680 ***
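The frame-by-frame arithmetic in the comment above can be made repeatable for other Wine crash dumps. The following is an added example, not Wine's or CEF's code and not part of the bug report: it pulls the `sub rsp,N` size out of each prolog listing, walks the frame-pointer chain back from the faulting RBP exactly as the comment does, and flags every call site whose RSP breaks the Win64 16-byte rule. The RBP, movaps displacement and prolog sizes in the usage block are the values quoted in the comment; the function names are this example's own.

```python
"""Walk a Win64 frame-pointer chain back from a Wine crash context and
check the 16-byte RSP alignment the ABI requires at every `call`.
Constructed example for this bug report, not Wine's or CEF's code; the
RBP, movaps displacement and `sub rsp,N` sizes in the usage block are
the values quoted in the comment above."""
import re

SLOT = 8     # one x86-64 stack slot (saved RBP, return address)
ALIGN = 16   # Win64 ABI: RSP % 16 == 0 at the moment `call` executes


def prolog_frame_size(disasm):
    """Return N from the first `sub rsp,N` (hex, debugger-listing style)
    in a prolog of the form `push rbp; mov rbp,rsp; sub rsp,N`."""
    m = re.search(r"\bsub\s+rsp\s*,\s*([0-9A-Fa-f]+)", disasm)
    if not m:
        raise ValueError("no `sub rsp,N` in prolog listing")
    return int(m.group(1), 16)


def is_aligned(addr, align=ALIGN):
    return addr % align == 0


def walk_frames(rbp0, caller_frame_sizes):
    """RSP each caller had when it executed `call`, innermost first.
    rbp0: faulting frame's RBP. caller_frame_sizes[i]: `sub rsp,N` of
    the i-th caller up the chain. Above a callee's RBP sit its saved RBP
    and return address (2 slots), then the caller's N bytes of locals."""
    rsps = [rbp0 + 2 * SLOT]
    for size in caller_frame_sizes:
        caller_rbp = rsps[-1] + size
        rsps.append(caller_rbp + 2 * SLOT)
    return rsps


def diagnose(rbp0, movaps_disp, caller_frame_sizes):
    """Where the faulting movaps wrote and which call sites were off.
    Here every site is off by 8: the bad RSP came in from libcef."""
    target = rbp0 + movaps_disp
    rsps = walk_frames(rbp0, caller_frame_sizes)
    return {"movaps_target": target, "movaps_aligned": is_aligned(target),
            "call_site_rsp": rsps,
            "misaligned_call_sites": [r for r in rsps if not is_aligned(r)]}


if __name__ == "__main__":
    sizes = [prolog_frame_size("000000007B8EF01C 48 83 EC 40 sub rsp,40"),  # VirtualAllocEx
             prolog_frame_size("000000007B8EEFD7 48 83 EC 30 sub rsp,30")]  # VirtualAlloc
    info = diagnose(0x23DD88, -0xB0, sizes)
    print("movaps target 0x%x aligned=%s" % (info["movaps_target"], info["movaps_aligned"]))
    for i, rsp in enumerate(info["call_site_rsp"]):
        print("frame %d: RSP at call = 0x%x aligned=%s" % (i, rsp, is_aligned(rsp)))
```

Because all three frame sizes here are multiples of 16, the misalignment is identical at every call site, which is why the first frame to touch the stack with `movaps` (NtAllocateVirtualMemory) is the one that faults.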