https://bugs.winehq.org/show_bug.cgi?id=43774
Bug ID: 43774
Summary: Chromium-based browser engine (CEFv3) used by several games crashes on shutdown (World of Warships 0.6.x)
Product: Wine
Version: 2.17
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: ntdll
Assignee: wine-bugs@winehq.org
Reporter: focht@gmx.net
Distribution: ---
Hello folks
to track https://source.winehq.org/patches/data/137313
--- quote ---
ntdll: Do not queue a completion status if pipe ops fail synchronously.

This fixes random crashes when exiting Chromium or shutting down CEF.
It is similar to 7a1142035d7ee04839417176ff93fd0953e2a4e1, just for pipes.
--- quote ---
Can be reproduced with games that use Chromium/CEFv3 as in-game browser, for example World of Warships 0.6.x. In World of Warships 0.6.x switch multiple times between "[Port]" and "[CLAN]" tabs (CLAN page uses in-game browser) to force a crash. With the patch applied the crash disappears.
NOTE: Currently Wine-Staging must be used to reproduce this, because there are still some patches missing from vanilla Wine (https://github.com/wine-compholio/wine-staging/tree/master/patches/kernel32-... etc.)
--- snip ---
0x11fc9c62: int $3
Modules:
Module   Address               Debug info   Name (186 modules)
PE         400000-  514000   Deferred     cef_browser_process
PE        1c20000- 1c94000   Deferred     chrome_elf
PE       10000000-14113000   Export       libcef
ELF      7a800000-7a942000   Deferred     opengl32<elf>
  \-PE   7a840000-7a942000   \            opengl32
ELF      7b400000-7b7f5000   Deferred     kernel32<elf>
  \-PE   7b420000-7b7f5000   \            kernel32
ELF      7bc00000-7bd15000   Dwarf        ntdll<elf>
  \-PE   7bc30000-7bd15000   \            ntdll
ELF      7c000000-7c004000   Deferred     <wine-loader>
...
0000015f (D) C:\Games\World_of_Warships\cef\cef_browser_process.exe
    [C:/Games/World_of_Warships/cef/cef_browser_process.exe --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 WOWS/1.0" --cache-path="C:/Games/World_of_Warships/profile/cef_cache" --disable-gpu --disable-gpu-compositing --enable-begin-frame-scheduling --max-frame-rate=30 --log-severity="info" --accept-language-list="en" --id=138]
    000001cb    0
    ...
    00000172    0 <==
    ...
--- snip ---
Disassembly:
--- snip ---
...
11FC9C0D  50                 PUSH EAX
11FC9C0E  6A 60              PUSH 60                                  ; ASCII "y:\work\cef3_git\chromium\src\mojo\edk\system\channel_win.cc"
11FC9C10  68 E86E6913        PUSH libcef.13696EE8
11FC9C15  68 286F6913        PUSH libcef.13696F28                     ; ASCII "ShutDownImpl"
11FC9C1A  8D4D E0            LEA ECX,DWORD PTR SS:[EBP-20]
11FC9C1D  E8 1E1576FE        CALL libcef.1072B140
11FC9C22  50                 PUSH EAX
11FC9C23  8BCE               MOV ECX,ESI
11FC9C25  E8 668176FE        CALL libcef.10731D90
11FC9C2A  8D4D FC            LEA ECX,DWORD PTR SS:[EBP-4]
11FC9C2D  E8 CE290DFE        CALL libcef.1009C600
11FC9C32  5E                 POP ESI
11FC9C33  8BE5               MOV ESP,EBP
11FC9C35  5D                 POP EBP
11FC9C36  C3                 RETN
11FC9C37  55                 PUSH EBP
11FC9C38  8BEC               MOV EBP,ESP
11FC9C3A  83EC 0C            SUB ESP,0C
11FC9C3D  53                 PUSH EBX
11FC9C3E  8BD9               MOV EBX,ECX
11FC9C40  8BD3               MOV EDX,EBX
11FC9C42  F7DA               NEG EDX
11FC9C44  56                 PUSH ESI
11FC9C45  8D43 10            LEA EAX,DWORD PTR DS:[EBX+10]
11FC9C48  1BD2               SBB EDX,EDX
11FC9C4A  23D0               AND EDX,EAX
11FC9C4C  57                 PUSH EDI
11FC9C4D  52                 PUSH EDX
11FC9C4E  E8 1D7A79FE        CALL libcef.10761670
11FC9C53  8BC8               MOV ECX,EAX
11FC9C55  E8 367B79FE        CALL libcef.10761790
11FC9C5A  8D7B 1C            LEA EDI,DWORD PTR DS:[EBX+1C]
11FC9C5D  833F FF            CMP DWORD PTR DS:[EDI],-1
11FC9C60  75 01              JNZ SHORT libcef.11FC9C63
11FC9C62  CC                 INT3                                     ; triggers CHECK(handle_.is_valid());
11FC9C63  FF37               PUSH DWORD PTR DS:[EDI]
11FC9C65  FF15 E8043513      CALL DWORD PTR DS:[<&KERNEL32.CancelIo>]
11FC9C6B  80BB 85000000 00   CMP BYTE PTR DS:[EBX+85],0
11FC9C72  74 0B              JE SHORT libcef.11FC9C7F
...
--- snip ---
https://chromium.googlesource.com/chromium/src/+/refs/heads/master/mojo/edk/...
--- snip ---
void ShutDownOnIOThread() {
  base::MessageLoop::current()->RemoveDestructionObserver(this);

  // BUG(crbug.com/583525): This function is expected to be called once, and
  // |handle_| should be valid at this point.
  CHECK(handle_.is_valid());

  CancelIo(handle_.get().handle);
  if (leak_handle_)
    ignore_result(handle_.release());
  handle_.reset();

  // May destroy the |this| if it was the last reference.
  self_ = nullptr;
}
--- snip ---
Regards
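The quoted commit message states the rule (no completion packet for a pipe operation that fails synchronously) but not how breaking it ends in the CHECK shown in the disassembly. The following is an added model written for this page; it is neither Wine's ntdll/server code nor Chromium's channel_win.cc. It reduces the completion port to a FIFO, the Wine-side decision to a hypothetical complete_op() with a buggy_wine switch for the pre-patch behaviour, and the channel to the shutdown path quoted from ShutDownOnIOThread(). All names (complete_op, read_more, pump, run_scenario, struct channel) and the use of ERROR_BROKEN_PIPE as the sample error are the example's own choices; the only Chromium facts it relies on are the ones in the quoted source: ShutDownOnIOThread() is expected to run once and CHECKs that the handle is still valid.

```c
#include <stdbool.h>
#include <stdio.h>

/* --- "kernel" side: one overlapped pipe operation and its completion port --- */

/* How a ReadFile/WriteFile-style call on an overlapped pipe handle returned. */
enum op_result {
    OP_PENDING,       /* FALSE + ERROR_IO_PENDING: completes later, via the port */
    OP_SUCCESS,       /* TRUE: completed synchronously                          */
    OP_FAILED_SYNC    /* FALSE + a real error: nothing is in flight             */
};

#define ERROR_BROKEN_PIPE 109   /* real Win32 value, used here as the sample error */
#define MAX_PACKETS 8

/* A completion port reduced to a FIFO of packets; each carries an error code. */
struct completion_port {
    int packets[MAX_PACKETS];
    int head, tail;
};

/* Hypothetical model of the decision the quoted patch changes. A pending op
 * posts a packet when it completes; a synchronous success posts one too (no
 * FILE_SKIP_COMPLETION_PORT_ON_SUCCESS here). A synchronous failure posts
 * nothing: the caller already holds the error. buggy_wine=true reproduces
 * the pre-patch behaviour the commit message describes: queue it anyway. */
static void complete_op(struct completion_port *port, enum op_result r,
                        int error, bool buggy_wine)
{
    bool queue = false;
    switch (r) {
    case OP_PENDING:     queue = true;       break;
    case OP_SUCCESS:     queue = true;       break;
    case OP_FAILED_SYNC: queue = buggy_wine; break;
    }
    if (queue)
        port->packets[port->tail++ % MAX_PACKETS] = error;
}

/* --- "user" side: a channel patterned on the quoted ShutDownOnIOThread() --- */

struct channel {
    int  handle;          /* -1 models !handle_.is_valid()             */
    int  shutdown_calls;  /* how often the shutdown path ran            */
    bool check_failed;    /* CHECK(handle_.is_valid()) would have fired */
};

static void shut_down_on_io_thread(struct channel *c)
{
    c->shutdown_calls++;
    if (c->handle == -1) {      /* second call: the CHECK in the quote trips */
        c->check_failed = true;
        return;
    }
    c->handle = -1;             /* CancelIo(handle), then release the handle */
}

/* Issue one read. A synchronous failure is handled on the spot, as a caller
 * that never saw ERROR_IO_PENDING would do; nothing further is awaited. */
static void read_more(struct channel *c, struct completion_port *port,
                      enum op_result r, int error, bool buggy_wine)
{
    complete_op(port, r, error, buggy_wine);
    if (r == OP_FAILED_SYNC)
        shut_down_on_io_thread(c);
}

/* The I/O thread's message pump: deliver every queued packet; an error packet
 * takes the same teardown path. Returns the number of packets delivered. */
static int pump(struct channel *c, struct completion_port *port)
{
    int delivered = 0;
    while (port->head != port->tail) {
        int error = port->packets[port->head++ % MAX_PACKETS];
        delivered++;
        if (error != 0)
            shut_down_on_io_thread(c);
    }
    return delivered;
}

struct outcome { int packets; int shutdown_calls; bool check_failed; };

/* One read that ends in ERROR_BROKEN_PIPE (or succeeds, for OP_SUCCESS),
 * either synchronously (the case the patch fixes) or after being pending,
 * where a packet is the only way the error can reach the channel. */
struct outcome run_scenario(enum op_result r, bool buggy_wine)
{
    struct completion_port port = {0};
    struct channel c = { .handle = 42, .shutdown_calls = 0, .check_failed = false };
    int error = (r == OP_SUCCESS) ? 0 : ERROR_BROKEN_PIPE;
    struct outcome o;
    read_more(&c, &port, r, error, buggy_wine);
    o.packets = pump(&c, &port);
    o.shutdown_calls = c.shutdown_calls;
    o.check_failed = c.check_failed;
    return o;
}

int main(void)
{
    const char *name[] = { "pending", "success", "sync failure" };
    for (int r = OP_PENDING; r <= OP_FAILED_SYNC; r++)
        for (int buggy = 0; buggy <= 1; buggy++) {
            struct outcome o = run_scenario((enum op_result)r, buggy);
            printf("%-13s %-12s packets=%d shutdown_calls=%d CHECK_failed=%d\n",
                   name[r], buggy ? "old wine" : "patched wine",
                   o.packets, o.shutdown_calls, (int)o.check_failed);
        }
    return 0;
}
```

The sync-failure row is the one that differs between the two variants: with the spurious packet, the channel tears down once from the error return and a second time from the pump, and the second run finds the handle already released, which is the state the quoted CHECK guards against. The pending and success rows come out the same in both variants, which is why the rule has to be "no packet on synchronous failure" rather than "no packet on failure". On a real Windows system the rule the patch implements can be checked directly: after an overlapped ReadFile on a pipe returns FALSE with an error other than ERROR_IO_PENDING, GetQueuedCompletionStatus() with a zero timeout on the associated port returns FALSE with GetLastError() == WAIT_TIMEOUT; that test only builds against the Win32 API, so it is not reproduced here.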