https://bugs.winehq.org/show_bug.cgi?id=38162
Bug ID: 38162
Summary: Winemenubuilder occasionally crashes during WINEPREFIX update (race between placeholder icon extraction and placeholder update)
Product: Wine
Version: 1.7.37
Hardware: x86
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: programs
Assignee: wine-bugs@winehq.org
Reporter: focht@gmx.net
Distribution: ---
Hello folks,
split off from bug 19241
André unfortunately reopened that bug with this different issue.
I've seen this rarely on my machines too but didn't find it interesting enough to investigate - until now.
--- snip ---
Unhandled exception: page fault on read access to 0x00480244 in 32-bit code (0x7ed7c950).
Register dump:
 CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b
 EIP:7ed7c950 ESP:0033f8e0 EBP:0033f9d8 EFLAGS:00010216( R- -- I -A-P- )
 EAX:00480240 EBX:7ed92000 ECX:0033f9e0 EDX:0033f99c
 ESI:0033fd80 EDI:00000000
Stack dump:
0x0033f8e0: 00000000 7b8c1000 0012d4f0 00110000
0x0033f8f0: 7bcd3000 0033f9e0 0033f938 0033f920
0x0033f900: 7b8c1000 0033f9e0 0033f938 0001fcd4
0x0033f910: 7bcdbf44 00460000 00000000 00000000
0x0033f920: 00110000 00000002 0033f950 00000000
0x0033f930: 0033f9e0 00000000 0033f968 7bc70efa
000c: sel=0067 base=00000000 limit=00000000 16-bit r-x
Backtrace:
=>0 0x7ed7c950 add_module_icons_to_stream+0x6c(iconData16=(nil), hModule=0x460001, grpIconDir=0x480240) [/home/focht/projects/wine/wine.repo/src/programs/winemenubuilder/winemenubuilder.c:651] in winemenubuilder (0x0033f9d8)
1 0x7ed7da2d open_module_icon+0x29b(szFileName="C:\windows\system32\winhlp32.exe", nIndex=0, ppStream=0x33fad8) [/home/focht/projects/wine/wine.repo/src/programs/winemenubuilder/winemenubuilder.c:914] in winemenubuilder (0x0033fa68)
2 0x7ed7e12c open_icon+0x2a(filename="C:\windows\system32\winhlp32.exe", index=0, bWait=0, ppStream=0x33fad8) [/home/focht/projects/wine/wine.repo/src/programs/winemenubuilder/winemenubuilder.c:1056] in winemenubuilder (0x0033faa8)
3 0x7ed7e962 extract_icon+0xb0(icoPathW="C:\windows\system32\winhlp32.exe", index=0, destFilename=0x0(nil), bWait=0) [/home/focht/projects/wine/wine.repo/src/programs/winemenubuilder/winemenubuilder.c:1370] in winemenubuilder (0x0033fb08)
4 0x7ed82d00 generate_associations+0x6a5(xdg_data_home="/home/focht/.local/share", packages_dir="/home/focht/.local/share/mime/packages", applications_dir="/home/focht/.local/share/applications") [/home/focht/projects/wine/wine.repo/src/programs/winemenubuilder/winemenubuilder.c:2677] in winemenubuilder (0x0033fc68)
5 0x7ed85d72 RefreshFileTypeAssociations+0x284() [/home/focht/projects/wine/wine.repo/src/programs/winemenubuilder/winemenubuilder.c:3367] in winemenubuilder (0x0033fce8)
6 0x7ed86dcf wWinMain+0x102(hInstance=<couldn't compute location>,
22 0xf7406963 __libc_start_main+0xf2() in libc.so.6 (0x00000000)
0x7ed7c950 add_module_icons_to_stream+0x6c [/home/focht/projects/wine/wine.repo/src/programs/winemenubuilder/winemenubuilder.c:651] in winemenubuilder: movzwl 0x4(%eax),%eax
651 for (i = 0; i < grpIconDir->idCount; i++)
Modules:
Module Address Debug info Name (53 modules)
PE 53000000-530b4000 Deferred windowscodecs
ELF 7b800000-7ba67000 Dwarf kernel32<elf>
-PE 7b810000-7ba67000 \ kernel32
ELF 7bc00000-7bcf0000 Dwarf ntdll<elf>
-PE 7bc10000-7bcf0000 \ ntdll
ELF 7bf00000-7bf04000 Dwarf <wine-loader>
...
Threads:
process tid prio (all id:s are in hex)
...
0000000c (D) C:\windows\system32\winemenubuilder.exe
0000000d 0 <==
--- snip ---
'winemenubuilder' is started asynchronously before the prefix update via the 'RunServices' registry key.
The prefix update rewrites Wine's builtin placeholders in the prefix. Since 'winemenubuilder' was started asynchronously, it might still populate placeholders at this time, mapping them into memory and extracting icon resources.
Source: http://source.winehq.org/git/wine.git/blob/cbc8f3c81148079a17f4062fb9bad6569...
--- snip ---
hModule = LoadLibraryExW(szFileName, 0, LOAD_LIBRARY_AS_DATAFILE);
--- snip ---
-> FILE_SHARE_READ
This doesn't prevent concurrently running processes from writing to the placeholder files, which indeed happens by rundll32's processing of 'wine.inf'.
In rare situations, Winemenubuilder hits the jackpot - being affected by the concurrent rewrite of the placeholder while peeking at the in-memory image (PE/resource directory entries).
Source: http://source.winehq.org/git/wine.git/blob/57c54bc9ad1e13ee7cd730b2ffb4df834...
--- snip ---
ProcessRunKeys( HKEY_LOCAL_MACHINE, RunServicesOnceW, TRUE, FALSE );

if (init || (kill && !restart))
{
    ProcessRunKeys( HKEY_LOCAL_MACHINE, RunServicesW, FALSE, FALSE );
    start_services_process();
}
if (init || update) update_wineprefix( update );
...
--- snip ---
A solution to prevent this race is to move the asynchronous execution of 'winemenubuilder' after the prefix update (which runs synchronously).
This also avoids the situation where 'winemenubuilder' manages to extract potentially outdated icon resources before the placeholders are overwritten by newer versions with different icons.
Regards
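
Added example (not part of the original report and not Wine's code): a bounds-checked walk of a group icon directory over a private copy of the file, so that an offset taken from a half-rewritten placeholder is rejected instead of dereferenced. The names count_group_icons and put_dir, the sample buffer and the little-endian host are assumptions of this sketch.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* RT_GROUP_ICON header and entry (little-endian host assumed). idCount is at
 * offset 4, the field the faulting `movzwl 0x4(%eax)` in the report reads. */
#pragma pack(push, 1)
typedef struct { uint16_t idReserved, idType, idCount; } grp_icon_dir;
typedef struct { uint8_t bWidth, bHeight, bColorCount, bReserved;
                 uint16_t wPlanes, wBitCount; uint32_t dwBytesInRes;
                 uint16_t nID; } grp_icon_entry;
#pragma pack(pop)

/* Number of icon entries at dir_off, or -1 when the header or its entries
 * do not lie inside the private snapshot [image, image + size). */
int count_group_icons(const uint8_t *image, size_t size, size_t dir_off)
{
    grp_icon_dir dir;

    if (dir_off > size || size - dir_off < sizeof(dir)) return -1;
    memcpy(&dir, image + dir_off, sizeof(dir));      /* no unaligned access */
    if (dir.idReserved != 0 || dir.idType != 1) return -1;
    if ((size - dir_off - sizeof(dir)) / sizeof(grp_icon_entry) < (size_t)dir.idCount)
        return -1;
    return dir.idCount;
}

/* Constructed sample data: writes a header announcing `count` entries at
 * dir_off. The caller guarantees that the 6 header bytes fit. */
void put_dir(uint8_t *image, size_t dir_off, uint16_t count)
{
    grp_icon_dir dir = { 0, 1, count };
    memcpy(image + dir_off, &dir, sizeof(dir));
}

int main(void)
{
    uint8_t image[0x100] = { 0 };                    /* constructed snapshot */

    put_dir(image, 0x40, 3);
    printf("consistent image:      %d\n", count_group_icons(image, sizeof(image), 0x40));
    /* 0x20240 is grpIconDir (0x480240) minus the module base (0x460000) from
     * the backtrace; in this small snapshot it lies outside the buffer. */
    printf("stale offset:          %d\n", count_group_icons(image, sizeof(image), 0x20240));
    put_dir(image, 0xf0, 200);                       /* entries overrun image */
    printf("truncated entry table: %d\n", count_group_icons(image, sizeof(image), 0xf0));
    return 0;
}
```

The check only holds if the buffer cannot change underneath the parser, which is why it takes a private copy rather than a live shared mapping of the placeholder file.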