https://bugs.winehq.org/show_bug.cgi?id=21456
Anastasius Focht focht@gmx.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Component |-unknown                    |build-env
                CC |                            |focht@gmx.net
           Summary |Mathematica 4.0 crash       |Mathematica 4.0 crash (app MONITORENUMPROC with incorrect calling convention, gcc 4.6.x frame pointer omission in Wine code)
     Fixed by SHA1 |                            |5cfe7db1854ff1142d598eaf49f6050676c8d547
--- Comment #12 from Anastasius Focht focht@gmx.net ---

Hello folks,
by coincidence I stumbled across this ticket while looking for bugs to test my builds of very old Wine versions with modern distros/gcc. Curious as I am - looking for the root cause and explanations ;-)
It was fixed by commit https://source.winehq.org/git/wine.git/commitdiff/5cfe7db1854ff1142d598eaf49... ("configure: Use -fno-omit-frame-pointer when available."), part of Wine 1.3.31 release.
Using Mathematica 4.1 Student edition to reproduce.
--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files (x86)/Wolfram Research/Mathematica/4.1/SystemFiles/FrontEnd/Binaries/Windows

$ WINEDEBUG=+tid,+seh,+relay wine ./Mathematica.exe >>log.txt 2>&1
...
0023:Call KERNEL32.GetProcAddress(7e6f0000,005cceb8 "EnumDisplayMonitors") ret=0054f14b
0023:Ret KERNEL32.GetProcAddress() retval=7e6fdd7c ret=0054f14b
0023:Call user32.EnumDisplayMonitors(00000000,00000000,0046cba7,005d29b0) ret=0054f173
0023:Call user32.GetMonitorInfoA(00000001,0033e210) ret=0054f08d
0023:Ret user32.GetMonitorInfoA() retval=00000001 ret=0054f08d
0023:Call gdi32.CreateDCA(00000000,0033e238 "\\.\DISPLAY1",00000000,00000000) ret=0046cbe5
0023:Ret gdi32.CreateDCA() retval=000051d8 ret=0046cbe5
0023:Call gdi32.GetDeviceCaps(000051d8,0000000e) ret=0046cbf2
0023:Ret gdi32.GetDeviceCaps() retval=00000001 ret=0046cbf2
0023:Call gdi32.GetDeviceCaps(000051d8,0000000c) ret=0046cbf9
0023:Ret gdi32.GetDeviceCaps() retval=00000020 ret=0046cbf9
0023:Call gdi32.DeleteDC(000051d8) ret=0046cc03
0023:Ret gdi32.DeleteDC() retval=00000001 ret=0046cc03
0023:trace:seh:raise_exception code=c000001d flags=0 addr=0x33e30c ip=0033e30c tid=0023
0023:trace:seh:raise_exception eax=00147834 ebx=7dce4000 ecx=005d29b0 edx=00110060 esi=00000000 edi=00000002
0023:trace:seh:raise_exception ebp=00000068 esp=0033e24c cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00210246
0023:trace:seh:call_vectored_handlers calling handler at 0x7dc588d0 code=c000001d flags=0
0023:trace:seh:call_vectored_handlers handler at 0x7dc588d0 returned 0
...
0023:Call KERNEL32.UnhandledExceptionFilter(0033de10) ret=0058b1ac
wine: Unhandled illegal instruction at address 0x33e30c (thread 0023), starting debugger...
0023:trace:seh:start_debugger Starting debugger "winedbg --auto 34 144"
0023:Ret KERNEL32.UnhandledExceptionFilter() retval=00000000 ret=0058b1ac
0023:trace:seh:call_stack_handlers handler at 0x582910 returned 1
0023:trace:seh:call_stack_handlers calling handler at 0x7efa2c20 code=c000001d flags=0
0023:Call KERNEL32.UnhandledExceptionFilter(0033de08) ret=7efa2c58
0023:Ret KERNEL32.UnhandledExceptionFilter() retval=00000000 ret=7efa2c58
0023:trace:seh:call_stack_handlers handler at 0x7efa2c20 returned 1
Unhandled exception: illegal instruction in 32-bit code (0x0033e30c).
Register dump:
 CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b
 EIP:0033e30c ESP:0033e24c EBP:00000068 EFLAGS:00210246( R- -- I Z- -P- )
 EAX:00147834 EBX:7dce4000 ECX:005d29b0 EDX:00110060
 ESI:00000000 EDI:00000002
...
Backtrace:
0x0033e30c: lock jle 0x0033e320
Modules:
Module   Address            Debug info  Name (135 modules)
PE         350000-  360000  Deferred    mltcp32.mlp
PE         3d0000-  3e4000  Deferred    mlmap32.mlp
PE         400000-  60b000  Deferred    mathematica
ELF      7be74000-7bf00000  Deferred    libvorbisenc.so.2
...
--- snip ---
Wine 'X11DRV_EnumDisplayMonitors' function:
https://source.winehq.org/git/wine.git/blob/13643f59be7a1ce4b9d7486069b4a4a2...
Disassembly:
--- snip ---
7DC98837 89F6             MOV ESI,ESI
7DC98839 8DBC27 00000000  LEA EDI,DWORD PTR DS:[EDI]
7DC98840 8D4424 30        LEA EAX,DWORD PTR SS:[ESP+30]
7DC98844 31ED             XOR EBP,EBP
7DC98846 894424 0C        MOV DWORD PTR SS:[ESP+C],EAX
7DC9884A 8B83 0C760000    MOV EAX,DWORD PTR DS:[EBX+760C]
7DC98850 89EF             MOV EDI,EBP
7DC98852 85C0             TEST EAX,EAX
7DC98854 7E D4            JLE SHORT winex11.7DC9882A
7DC98856 8D76 00          LEA ESI,DWORD PTR DS:[ESI]
7DC98859 8DBC27 00000000  LEA EDI,DWORD PTR DS:[EDI]
7DC98860 6BEF 68          IMUL EBP,EDI,68
7DC98863 8B83 10760000    MOV EAX,DWORD PTR DS:[EBX+7610]
7DC98869 83C7 01          ADD EDI,1
7DC9886C 01E8             ADD EAX,EBP
7DC9886E 83C0 04          ADD EAX,4
7DC98871 85F6             TEST ESI,ESI
7DC98873 74 1E            JE SHORT winex11.7DC98893
7DC98875 83EC 04          SUB ESP,4
7DC98878 56               PUSH ESI
7DC98879 50               PUSH EAX
7DC9887A FF7424 18        PUSH DWORD PTR SS:[ESP+18]
7DC9887E E8 55DAFAFF      CALL winex11.7DC462D8
7DC98883 5A               POP EDX
7DC98884 85C0             TEST EAX,EAX
7DC98886 74 1F            JE SHORT winex11.7DC988A7
7DC98888 8B8B 10760000    MOV ECX,DWORD PTR DS:[EBX+7610]
7DC9888E 01E9             ADD ECX,EBP
7DC98890 8D41 04          LEA EAX,DWORD PTR DS:[ECX+4]
7DC98893 FF7424 6C        PUSH DWORD PTR SS:[ESP+6C]
7DC98897 50               PUSH EAX
7DC98898 6A 00            PUSH 0
7DC9889A 57               PUSH EDI
7DC9889B FF5424 78        CALL DWORD PTR SS:[ESP+78]        ; MONITORENUMPROC()
7DC9889F 85C0             TEST EAX,EAX
7DC988A1 0F84 C4FEFFFF    JE winex11.7DC9876B
7DC988A7 39BB 0C760000    CMP DWORD PTR DS:[EBX+760C],EDI
7DC988AD 7F B1            JG SHORT winex11.7DC98860
7DC988AF B8 01000000      MOV EAX,1
7DC988B4 E9 76FFFFFF      JMP winex11.7DC9882F
7DC988B9 66:90            NOP
7DC988BB 66:90            NOP
7DC988BD 66:90            NOP
7DC988BF 90               NOP
7DC988C0 B8 01000000      MOV EAX,1
7DC988C5 C3               RETN
--- snip ---
Mathematica 'MONITORENUMPROC':
--- snip ---
0046CBA7 PUSH EBP
0046CBA8 MOV EBP,ESP
0046CBAA SUB ESP,48
0046CBAD PUSH EBX
0046CBAE PUSH ESI
0046CBAF PUSH EDI
0046CBB0 LEA EAX,DWORD PTR SS:[EBP-48]
0046CBB3 PUSH EAX
0046CBB4 PUSH DWORD PTR SS:[EBP+8]
0046CBB7 MOV DWORD PTR SS:[EBP-48],48
0046CBBE CALL Mathemat.0054F046
0046CBC3 MOV ECX,EAX
0046CBC5 NEG ECX
0046CBC7 SBB ECX,ECX
0046CBC9 LEA EDX,DWORD PTR SS:[EBP-20]
0046CBCC AND ECX,EDX
0046CBCE NEG EAX
0046CBD0 PUSH 0                                   ; pInitData = NULL
0046CBD2 SBB EAX,EAX
0046CBD4 PUSH 0                                   ; Output = NULL
0046CBD6 NOT EAX
0046CBD8 PUSH ECX                                 ; Device
0046CBD9 AND EAX,5B3B10
0046CBDE PUSH EAX                                 ; Driver
0046CBDF CALL DWORD PTR DS:[<&GDI32.CreateDCA>]
0046CBE5 MOV EDI,DWORD PTR DS:[<&GDI32.GetDeviceC>
0046CBEB MOV EBX,EAX
0046CBED PUSH 0E                                  ; Index = PLANES
0046CBEF PUSH EBX                                 ; hDC
0046CBF0 CALL EDI                                 ; GetDeviceCaps
0046CBF2 PUSH 0C                                  ; Index = BITSPIXEL
0046CBF4 PUSH EBX                                 ; hDC
0046CBF5 MOV ESI,EAX
0046CBF7 CALL EDI                                 ; GetDeviceCaps
0046CBF9 IMUL ESI,EAX
0046CBFC PUSH EBX                                 ; hDC
0046CBFD CALL DWORD PTR DS:[<&GDI32.DeleteDC>]    ; DeleteDC
0046CC03 MOV ECX,DWORD PTR SS:[EBP+14]
0046CC06 MOV EAX,DWORD PTR DS:[ECX]
0046CC08 CMP EAX,ESI
0046CC0A JG SHORT Mathemat.0046CC0E
0046CC0C MOV EAX,ESI
0046CC0E PUSH 1
0046CC10 MOV DWORD PTR DS:[ECX],EAX
0046CC12 POP EAX
0046CC13 POP EDI
0046CC14 POP ESI
0046CC15 POP EBX
0046CC16 LEAVE
0046CC17 RETN
--- snip ---
App braindamage. That MONITORENUMPROC doesn't look like CALLBACK.
--- snip ---
#define CALLBACK __stdcall
--- snip ---

--- snip ---
typedef BOOL (CALLBACK *MONITORENUMPROC)(HMONITOR,HDC,LPRECT,LPARAM);
--- snip ---
The stack gets imbalanced upon return from MONITORENUMPROC(). Since Wine uses ESP-relative addressing for parameter setup (due to the gcc default), the callback address for the next iteration is just random garbage from the stack, causing a crash.
Starting with commit https://source.winehq.org/git/wine.git/commitdiff/5cfe7db1854ff1142d598eaf49..., the Wine code looks like this:
Relevant part:
--- snip ---
...
7DDBEA52 MOV ECX,DWORD PTR SS:[EBP-4C]
7DDBEA55 ADD ECX,DWORD PTR DS:[EBX+7610]
7DDBEA5B LEA EAX,DWORD PTR DS:[ECX+4]
7DDBEA5E PUSH DWORD PTR SS:[EBP+14]
7DDBEA61 PUSH EAX
7DDBEA62 PUSH 0
7DDBEA64 PUSH EDI
7DDBEA65 CALL DWORD PTR SS:[EBP+10]       ; MONITORENUMPROC()
7DDBEA68 TEST EAX,EAX
7DDBEA6A JE winex11.7DDBE949
7DDBEA70 CMP DWORD PTR DS:[EBX+760C],EDI
7DDBEA76 JG SHORT winex11.7DDBEA28
7DDBEA78 MOV EAX,1
7DDBEA7D JMP SHORT winex11.7DDBEA08
7DDBEA7F NOP
7DDBEA80 MOV EAX,1
7DDBEA85 RETN
...
7DDBEA03 MOV EAX,1
7DDBEA08 LEA ESP,DWORD PTR SS:[EBP-C]     ; recover/restore stack (!)
7DDBEA0B POP EBX
7DDBEA0C POP ESI
7DDBEA0D POP EDI
7DDBEA0E POP EBP
7DDBEA0F RETN
--- snip ---
Due to EBP-relative addressing, an imbalanced stack caused by MONITORENUMPROC having the wrong calling convention doesn't matter here. The imbalanced stack is restored in the epilog code of 'X11DRV_EnumDisplayMonitors'.
Tidbit: related bugs, fixed by the same commit https://source.winehq.org/git/wine.git/commitdiff/5cfe7db1854ff1142d598eaf49...
https://bugs.winehq.org/buglist.cgi?bug_status=CLOSED&f1=cf_fixedby_sha1...
ProtectionID scan for documentation:
--- snip ---
-=[ ProtectionID v0.6.9.0 DECEMBER]=-
(c) 2003-2017 CDKiLLER & TippeX
Build 24/12/17-21:05:42
Ready...
Scanning -> C:\Program Files (x86)\Wolfram Research\Mathematica\4.1\SystemFiles\FrontEnd\Binaries\Windows\Mathematica.exe
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 2002944 (01E9000h) Byte(s) | Machine: 0x14C (I386)
Compilation TimeStamp : 0x3A015C02 -> Thu 02nd Nov 2000 12:20:18 (GMT)
[TimeStamp] 0x3A015C02 -> Thu 02nd Nov 2000 12:20:18 (GMT) | PE Header | - | Offset: 0x00000100 | VA: 0x00400100 | -
[LoadConfig] CodeIntegrity -> Flags 0xA3F0 | Catalog 0x46 (70) | Catalog Offset 0x2000001 | Reserved 0x46A4A0
[LoadConfig] GuardAddressTakenIatEntryTable 0x8000011 | Count 0x46A558 (4629848)
[LoadConfig] GuardLongJumpTargetTable 0x8000001 | Count 0x46A5F8 (4630008)
[LoadConfig] HybridMetadataPointer 0x8000011 | DynamicValueRelocTable 0x46A66C
[LoadConfig] FailFastIndirectProc 0x8000011 | FailFastPointer 0x46C360
[LoadConfig] UnknownZero1 0x8000011
[File Heuristics] -> Flag #1 : 00000000000000000000000000000000 (0x00000000)
[Entrypoint Section Entropy] : 6.71 (section #0) ".text " | Size : 0x18D5BC (1627580) byte(s)
[DllCharacteristics] -> Flag : (0x0000) -> NONE
[SectionCount] 4 (0x4) | ImageSize 0x20B000 (2142208) byte(s)
[VersionInfo] Company Name : Wolfram Research. Inc.
[VersionInfo] Product Name : Mathematica
[VersionInfo] Product Version : 4. 1. 0. 0
[VersionInfo] File Description : Mathematica for Windows Version 4.1
[VersionInfo] File Version : 4. 1. 0. 0
[VersionInfo] Original FileName : MATHEMATICA.EXE
[VersionInfo] Internal Name : MATHEMATICA
[VersionInfo] Version Comments : Mathematica for Windows Version 4.1
[VersionInfo] Legal Copyrights : Copyright © 1988-2000 Wolfram Research. Inc.
[ModuleReport] [IAT] Modules -> KERNEL32.dll | USER32.dll | GDI32.dll | comdlg32.dll | ADVAPI32.dll | SHELL32.dll | ole32.dll | COMCTL32.dll | WINMM.dll | oledlg.dll | WSOCK32.dll | ML32I2.dll
[CompilerDetect] -> Visual C++ 6.0
[!] File appears to have no protection or is using an unknown protection
- Scan Took : 0.618 Second(s) [00000026Ah (618) tick(s)] [506 of 580 scan(s) done]
--- snip ---
Regards
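Added illustration, not part of the bug report or of Wine's code: a small Python model of the x86-32 stack around the MONITORENUMPROC call in the comment above. It reproduces both behaviours described there: the ESP-relative caller (CALL [ESP+78]) reading a stale slot once a __cdecl callback leaves its four arguments behind, so the next CALL lands in the stack, and the EBP-relative caller (CALL [EBP+10], LEA ESP,[EBP-C] epilogue) that never notices the imbalance. The lpfnEnum and dwData values come from the relay log; the stack top, the saved-EBP value and the frame's local slot are constructed.

```python
# Stack model of the X11DRV_EnumDisplayMonitors loop around the MONITORENUMPROC call.
# Argument values are from the relay log above; stack top and saved-EBP value are constructed.
LPFN_ENUM = 0x0046CBA7    # lpfnEnum as logged: Mathematica's MONITORENUMPROC
DW_DATA = 0x005D29B0      # dwData as logged
SAVED_EBP = 0x0033E2A0    # constructed: the caller's saved EBP, i.e. a stack address
NARGS = 4                 # MONITORENUMPROC(HMONITOR, HDC, LPRECT, LPARAM)

class Stack:
    """Downward-growing dword stack; unwritten slots read back as 0."""
    def __init__(self, top):
        self.mem, self.esp = {}, top
    def push(self, value):
        self.esp -= 4
        self.mem[self.esp] = value
    def pop(self):
        self.esp += 4                       # RETN / RETN n only need to move ESP here
    def load(self, addr):
        return self.mem.get(addr, 0)

def enum_loop(frame_pointer, callee_stdcall, monitors=2):
    """Return (address CALLed per iteration, whether ESP is sane at the epilogue)."""
    st = Stack(0x0033E400)                  # constructed stack top
    for arg in (DW_DATA, LPFN_ENUM, 0, 0):  # dwData, lpfnEnum, lprcClip, hdc (both 0 as logged)
        st.push(arg)
    st.push(0)                              # return address into the caller (value irrelevant)
    st.push(SAVED_EBP)                      # saved EBP; from here on lpfnEnum is [EBP+10]
    ebp = st.esp
    for _ in range(4): st.push(0)           # saved EDI, ESI, EBX (EBX at [EBP-C]), one local
    frame_base = st.esp                     # ESP the compiler assumes at loop entry
    off = (ebp + 0x10) - (frame_base - 4 * NARGS)  # the constant behind CALL [ESP+78]
    targets = []
    for hmon in range(1, monitors + 1):
        for arg in (DW_DATA, 0, 0, hmon):   # push dwData, lprcMonitor, hdc, hMonitor
            st.push(arg)
        # CALL [EBP+10] is immune to ESP drift; CALL [ESP+off] assumes a balanced stack.
        target = st.load(ebp + 0x10) if frame_pointer else st.load(st.esp + off)
        targets.append(target)
        st.push(0xDEAD)                     # CALL pushes the return address
        st.pop()                            # RETN pops it ...
        if callee_stdcall:                  # ... and RETN 10 also pops the four arguments;
            for _ in range(NARGS):          # a __cdecl callee leaves them behind and
                st.pop()                    # nothing in the caller ever removes them
    if frame_pointer:
        epilogue_esp = ebp - 0xC            # LEA ESP,[EBP-C]: resync from EBP, drift or not
    else:
        epilogue_esp = st.esp + (ebp - 0xC - frame_base)  # ADD ESP,const: inherits the drift
    return targets, epilogue_esp == ebp - 0xC
```

With a __cdecl callback and no frame pointer the second iteration CALLs the saved-EBP value, a stack address, which is the same shape of failure as the illegal instruction at 0x33e30c in the log; with the frame pointer the targets stay correct and the epilogue reports a sane ESP even though the callee never cleaned up.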