https://bugs.winehq.org/show_bug.cgi?id=38596
Anastasius Focht focht@gmx.net changed:
What           |Removed     |Added
----------------------------------------------------------------------------
Status         |UNCONFIRMED |NEW
URL            |            |http://picturecode.cachefly.net/photoninja/downloads/Install_PhotoNinja32_1.2.5.exe
CC             |            |focht@gmx.net
Ever confirmed |0           |1
--- Comment #2 from Anastasius Focht focht@gmx.net ---
Hello folks,
confirming.
I've spent some hours on this and came to the conclusion that the crash is the manifestation of at least one application bug. It probably just works by chance on Windows due to differences in heap management and win32 API impl (= affects heap usage).
The first (non-critical) problem is a missing sRGB color profile.
--- snip ---
...
0026:Call msvcr90.fopen(4bb84700 "C:\windows\system32\spool\drivers\color\sRGB Color Space Profile.icm",00afeb10 "rb") ret=007fa8be
...
0026:trace:msvcrt:MSVCRT__wfsopen (L"C:\windows\system32\spool\drivers\color\sRGB Color Space Profile.icm",L"rb")
0026:trace:msvcrt:msvcrt_get_flags L"rb"
0026:trace:msvcrt:MSVCRT__wsopen_s fd*: 0x33f988 :file (L"C:\windows\system32\spool\drivers\color\sRGB Color Space Profile.icm") oflags: 0x8000 shflags: 0x0040 pmode: 0x0000
0026:Call KERNEL32.CreateFileW(4bb85418 L"C:\windows\system32\spool\drivers\color\sRGB Color Space Profile.icm",80000000,00000003,0033f8b4,00000003,00000001,00000000) ret=7ddeb2c2
0026:Ret KERNEL32.CreateFileW() retval=ffffffff ret=7ddeb2c2
0026:warn:msvcrt:MSVCRT__wsopen_s :failed-last error (2)
0026:trace:msvcrt:MSVCRT__wfsopen :got ((nil))
...
0026:Call msvcr90._vsnprintf(0033f69c,000003ff,00b64048 "File '%s' not found",0033fab0) ret=007f9e3b
0026:trace:msvcrt:pf_printf_a Format is: "File '%s' not found"
...
0026:Call msvcr90._CxxThrowException(0033fb78,00be335c) ret=0049d8d1
0026:Call KERNEL32.RaiseException(e06d7363,00000001,00000003,0033faa4) ret=7ddd8881
0026:trace:seh:raise_exception code=e06d7363 flags=1 addr=0x7b83b8ab ip=7b83b8ab tid=0026
0026:trace:seh:raise_exception info[0]=19930520
0026:trace:seh:raise_exception info[1]=0033fb78
0026:trace:seh:raise_exception info[2]=00be335c
0026:trace:seh:raise_exception eax=7b827485 ebx=7b8c1000 ecx=0000000c edx=0033f9f4 esi=0033faa0 edi=0033fa60
0026:trace:seh:raise_exception ebp=0033fa38 esp=0033f9d4 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00200202
0026:trace:seh:call_stack_handlers calling handler at 0xa57edf code=e06d7363 flags=1
0026:trace:seh:cxx_frame_handler handling C++ exception rec 0x33f9e0 frame 0x33fb6c trylevel 0 descr 0xbeff28 nested_frame (nil)
0026:trace:seh:dump_exception_type flags 0 destr 0x424cb0 handler (nil) type info 0xbe336c
0026:trace:seh:dump_exception_type 0: flags 0 type 0xc99004 {vtable=0xbbf4ec name=.?AVPcEx@@ ()} offsets 0,-1,0 size 44 copy ctor 0x424c20
0026:trace:seh:dump_exception_type 1: flags 0 type 0xc9934c {vtable=0xbbf4ec name=.?AVruntime_error@std@@ ()} offsets 0,-1,0 size 40 copy ctor 0x4092b0
0026:trace:seh:dump_exception_type 2: flags 0 type 0xc99080 {vtable=0xbbf4ec name=.?AVexception@std@@ ()} offsets 0,-1,0 size 12 copy ctor 0xa4698
--- snip ---
Not a problem for the 32-bit version but a deal breaker for 64-bit Photo Ninja as the resulting C++ exception isn't propagated (bug 35092).
Can be worked around by putting 'sRGB Color Space Profile.icm' into '$WINEPREFIX/drive_c/windows/system32/spool/drivers/color'.
The actual problem is not visible through tracing, one has to debug the app.
--- snip ---
...
0026:Call ntdll.RtlAllocateHeap(00ee0000,00000000,00000018) ret=7dd47f4b
0026:Ret ntdll.RtlAllocateHeap() retval=4ff43170 ret=7dd47f4b
0026:trace:msvcrt:MSVCRT_operator_new (24) returning 0x4ff43170
0026:Ret msvcr90.??2@YAPAXI@Z() retval=4ff43170 ret=00a14b3e
0026:Call msvcr90.??2@YAPAXI@Z(00001b6e) ret=008ff629
0026:Call ntdll.RtlAllocateHeap(00ee0000,00000000,00001b6e) ret=7dd47f4b
0026:Ret ntdll.RtlAllocateHeap() retval=50098b00 ret=7dd47f4b
0026:trace:msvcrt:MSVCRT_operator_new (7022) returning 0x50098b00
0026:Ret msvcr90.??2@YAPAXI@Z() retval=50098b00 ret=008ff629
0026:Call msvcr90.memmove_s(50098b00,00000002,00000000,00000002) ret=00a14579
0026:trace:msvcrt:MSVCRT_memmove_s (0x50098b00 2 (nil) 2)
0026:err:msvcrt:MSVCRT__invalid_parameter (null):0 (null): (null) 0
0026:Call KERNEL32.RaiseException(c0000417,00000001,00000000,00000000) ret=7dd366ba
0026:trace:seh:raise_exception code=c0000417 flags=1 addr=0x7b83b8ab ip=7b83b8ab tid=0026
0026:trace:seh:raise_exception eax=7b827485 ebx=7b8c1000 ecx=0033d090 edx=7b83b81c esi=0033d0e0 edi=0033d0a0
0026:trace:seh:raise_exception ebp=0033d078 esp=0033d014 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00200246
0026:trace:seh:call_stack_handlers calling handler at 0xabebe3 code=c0000417 flags=1
0026:trace:seh:call_stack_handlers handler at 0xabebe3 returned 1
0026:trace:seh:call_stack_handlers calling handler at 0xabec61 code=c0000417 flags=1
0026:trace:seh:call_stack_handlers handler at 0xabec61 returned 1
0026:trace:seh:call_stack_handlers calling handler at 0xab56c8 code=c0000417 flags=1
...
--- snip ---
The culprit is an internal structure - allocated on the heap - only getting partially initialized. Some uninitialized members are getting accessed and, depending on prior heap usage, different code paths are taken or, worse, it ends with a crash (Wine).
Internal structure layout on heap:
--- snip ---
$-8       00000018  ; length
$-4       00455355  ; Wine heap magic 'USE'
$+0  ==>  4FF2B3D0  ; .m1 = uninit
$+4       00000000  ; .m2 = zero-init (app)
$+8       00000000  ; .m3 = zero-init (app)
$+C       00000000  ; .m4 = zero-init (app)
$+10      00000002  ; .m5 = uninit
$+14      4FD66500  ; .m6 = uninit
--- snip ---
Relevant app code:
--- snip ---
...
00A14B10 6A FF            PUSH -1
00A14B12 68 E3EBAB00      PUSH PhotoNin.00ABEBE3
00A14B17 64:A1 00000000   MOV EAX,DWORD PTR FS:[0]
00A14B1D 50               PUSH EAX
00A14B1E 83EC 10          SUB ESP,10
00A14B21 53               PUSH EBX
00A14B22 55               PUSH EBP
00A14B23 56               PUSH ESI
00A14B24 57               PUSH EDI
00A14B25 A1 80FBCC00      MOV EAX,DWORD PTR DS:[CCFB80]
00A14B2A 33C4             XOR EAX,ESP
00A14B2C 50               PUSH EAX
00A14B2D 8D4424 24        LEA EAX,DWORD PTR SS:[ESP+24]
00A14B31 64:A3 00000000   MOV DWORD PTR FS:[0],EAX
00A14B37 6A 18            PUSH 18                                  ; len = 0x18
00A14B39 E8 E01C0300      CALL <JMP.&MSVCR90.??2@YAPAXI@Z>         ; struc alloc
00A14B3E 83C4 04          ADD ESP,4
00A14B41 894424 14        MOV DWORD PTR SS:[ESP+14],EAX
00A14B45 33F6             XOR ESI,ESI
00A14B47 897424 2C        MOV DWORD PTR SS:[ESP+2C],ESI
00A14B4B 3BC6             CMP EAX,ESI
00A14B4D 74 09            JE SHORT PhotoNin.00A14B58
00A14B4F 8BC8             MOV ECX,EAX
00A14B51 E8 1373F1FF      CALL PhotoNin.0092BE69                   ; (partial) struc init
...
0092BE69 56               PUSH ESI
0092BE6A 6A 00            PUSH 0
0092BE6C 8BF1             MOV ESI,ECX
0092BE6E E8 FF38FDFF      CALL PhotoNin.008FF772
0092BE73 8BC6             MOV EAX,ESI
0092BE75 5E               POP ESI
0092BE76 C3               RETN
...
008FF772 55               PUSH EBP
008FF773 8BEC             MOV EBP,ESP
008FF775 56               PUSH ESI
008FF776 33C0             XOR EAX,EAX
008FF778 57               PUSH EDI
008FF779 8B7D 08          MOV EDI,DWORD PTR SS:[EBP+8]
008FF77C 8BF1             MOV ESI,ECX
008FF77E 8946 04          MOV DWORD PTR DS:[ESI+4],EAX             ; .m2 = 0
008FF781 8946 08          MOV DWORD PTR DS:[ESI+8],EAX             ; .m3 = 0
008FF784 8946 0C          MOV DWORD PTR DS:[ESI+C],EAX             ; .m4 = 0
008FF787 3BF8             CMP EDI,EAX
...
--- snip ---
--- snip ---
00A14B56 8BF0             MOV ESI,EAX
00A14B58 897424 18        MOV DWORD PTR SS:[ESP+18],ESI
00A14B5C BB 01000000      MOV EBX,1
00A14B61 68 B70D0000      PUSH 0DB7
00A14B66 8BCE             MOV ECX,ESI
00A14B68 895C24 30        MOV DWORD PTR SS:[ESP+30],EBX
00A14B6C E8 9FF9FFFF      CALL PhotoNin.00A14510                   ; fill/copy members (crash)
...
00A14510 8B5424 04        MOV EDX,DWORD PTR SS:[ESP+4]             ; arg0 = 0xdb7 (len)
00A14514 56               PUSH ESI
00A14515 8BF1             MOV ESI,ECX                              ; struc
00A14517 81FA FFFFFF7F    CMP EDX,7FFFFFFF
00A1451D 76 05            JBE SHORT PhotoNin.00A14524
00A1451F E8 AEB0EEFF      CALL PhotoNin.008FF5D2
00A14524 8B4E 0C          MOV ECX,DWORD PTR DS:[ESI+C]             ; .m4 (zero-init)
00A14527 85C9             TEST ECX,ECX
00A14529 75 04            JNZ SHORT PhotoNin.00A1452F              ; no jump
00A1452B 33C0             XOR EAX,EAX
00A1452D EB 07            JMP SHORT PhotoNin.00A14536
00A1452F 8B46 14          MOV EAX,DWORD PTR DS:[ESI+14]
00A14532 2BC1             SUB EAX,ECX
00A14534 D1F8             SAR EAX,1
00A14536 3BC2             CMP EAX,EDX                              ; arg0 != 0
00A14538 73 6F            JNB SHORT PhotoNin.00A145A9              ; no jump
00A1453A 53               PUSH EBX
00A1453B 57               PUSH EDI
00A1453C 6A 00            PUSH 0
00A1453E 52               PUSH EDX
00A1453F E8 CDB0EEFF      CALL PhotoNin.008FF611                   ; alloc block2
00A14544 8B7E 10          MOV EDI,DWORD PTR DS:[ESI+10]            ; .m5 (uninit)
00A14547 83C4 08          ADD ESP,8
00A1454A 8BD8             MOV EBX,EAX                              ; EBX = block2
00A1454C 397E 0C          CMP DWORD PTR DS:[ESI+C],EDI             ; .m4 != .m5
00A1454F 76 06            JBE SHORT PhotoNin.00A14557
00A14551 FF15 C434AD00    CALL DWORD PTR DS:[<&MSVCR90._invalid_parameter>]
00A14557 55               PUSH EBP
00A14558 8B6E 0C          MOV EBP,DWORD PTR DS:[ESI+C]             ; .m4 (zero-init)
00A1455B 3B6E 10          CMP EBP,DWORD PTR DS:[ESI+10]            ; .m4 != .m5 (uninit)
00A1455E 76 06            JBE SHORT PhotoNin.00A14566
00A14560 FF15 C434AD00    CALL DWORD PTR DS:[<&MSVCR90._invalid_parameter>]
00A14566 2BFD             SUB EDI,EBP                              ; .m5 -= .m4
00A14568 D1FF             SAR EDI,1                                ; /2 still non-zero
00A1456A 74 10            JE SHORT PhotoNin.00A1457C               ; skip copy on zero
00A1456C 8D043F           LEA EAX,DWORD PTR DS:[EDI+EDI]
00A1456F 50               PUSH EAX                                 ; count
00A14570 55               PUSH EBP                                 ; src
00A14571 50               PUSH EAX                                 ; num elems
00A14572 53               PUSH EBX                                 ; dest = block2
00A14573 FF15 C034AD00    CALL DWORD PTR DS:[<&MSVCR90.memmove_s>]
skip_copy:
...
--- snip ---
There is no code path which initializes .m5 prior to its access. The alloc/init and the actual member accesses are not that far away and in synchronous code paths (unlike other cases when the block is allocated and later accessed through async callbacks/message handlers).
The 64-bit version of Photo Ninja works fine after working around the color profile problem or overriding 64-bit msvcr90.dll (the app already ships a bundled version).
The 64-bit code initializes the same structure differently (size is also doubled to 0x30 due to 64-bit). I don't want to post all the 64-bit disassembly for comparison here. If you want to look/debug on your own, 0x1406f3a70 is the 64-bit app code equivalent to 32-bit app code 0xa14510 (with 0x1406f5cdc being struc init).
The 32-bit app should crash/exit the same way on Windows if heap debugging/poisoning is activated, for example running the app with a debugger. This prevents .m5 ever having zero value after allocation (.m5 == NULL skips the initial copy).
For 32-bit it's IMHO a WONTFIX unless the publisher/developer of the app fixes their code.
$ sha1sum Install_PhotoNinja32_1.2.5.exe
51ef332f33941c99208fde57444bcac9be79f3cc  Install_PhotoNinja32_1.2.5.exe

$ du -sh Install_PhotoNinja32_1.2.5.exe
12M     Install_PhotoNinja32_1.2.5.exe

$ wine --version
wine-1.7.43
Regards
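Added illustration (editor's example, not code from the bug report, from Wine, or from Photo Ninja): the C program below models the partial-initialisation bug the comment's disassembly shows, so the "works by chance" behaviour can be reproduced and checked on any platform. The struct layout follows the .m1..m6 labels from the heap dump; treating .m4/.m5 as a begin/end pair is an assumption read off the (m5 - m4) >> 1 arithmetic at 00A14566. The `fill` byte stands in for whatever the allocator leaves in a fresh chunk: 0x00 models a recycled zeroed block (the lucky case where .m5 == 0 skips the copy), 0xCD models a poisoning debug heap of the kind the comment says would make the 32-bit build fail on Windows too. The `poisoned_members` helper is a constructed check that reports which members a constructor left untouched; it is not part of the application or of msvcr90.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical C rendering of the 0x18-byte heap object dumped in the comment.
 * Member names follow the comment's .m1..m6 labels; the role of .m4/.m5 as a
 * [begin, end) pair is an assumption read off the (m5 - m4) >> 1 arithmetic. */
typedef struct {
    uint32_t m1;   /* left uninitialised by the constructor */
    uint32_t m2;   /* zeroed by the partial constructor */
    uint32_t m3;   /* zeroed by the partial constructor */
    uint32_t m4;   /* zeroed by the partial constructor; used as copy source */
    uint32_t m5;   /* left uninitialised; used as copy end */
    uint32_t m6;   /* left uninitialised */
} obj_t;

enum outcome {
    OUTCOME_BAD_RANGE   = -1,  /* .m4 > .m5: _invalid_parameter before any copy */
    OUTCOME_SKIP_COPY   =  0,  /* (m5 - m4)/2 == 0: the lucky path the comment describes */
    OUTCOME_NULL_SOURCE =  1,  /* memmove_s(dst, n, NULL, n): the call seen in the trace */
    OUTCOME_COPY        =  2   /* a genuine copy from a non-NULL source */
};

/* Mirrors 008FF772: only .m2, .m3 and .m4 are written. */
static void partial_init(obj_t *o) { o->m2 = 0; o->m3 = 0; o->m4 = 0; }

/* The fix a developer would make: every member gets a defined value. */
static void full_init(obj_t *o) { memset(o, 0, sizeof *o); }

/* Mirrors the decision logic at 00A14524..00A14572 without performing the copy. */
static enum outcome plan_copy(const obj_t *o)
{
    if (o->m4 > o->m5)                       /* CMP [ESI+C],EDI / JBE */
        return OUTCOME_BAD_RANGE;
    uint32_t elems = (o->m5 - o->m4) >> 1;   /* SUB EDI,EBP / SAR EDI,1; only zero vs non-zero matters */
    if (elems == 0)                          /* JE skip_copy */
        return OUTCOME_SKIP_COPY;
    return o->m4 == 0 ? OUTCOME_NULL_SOURCE : OUTCOME_COPY;
}

/* One allocation with a chosen residue: 'fill' is the byte pattern left in the
 * fresh chunk (0x00 stands in for a recycled zeroed block, 0xCD for a poisoning
 * debug heap such as the MSVC debug CRT uses for fresh allocations). */
static enum outcome run_scenario(unsigned char fill, int use_full_init)
{
    obj_t *o = malloc(sizeof *o);
    if (!o) abort();
    memset(o, fill, sizeof *o);              /* simulated allocator residue */
    if (use_full_init) full_init(o); else partial_init(o);
    enum outcome r = plan_copy(o);
    free(o);
    return r;
}

/* Detection helper (constructed here, not from the page): after construction,
 * count the 32-bit members that still hold the poison word. Meaningful only for
 * a non-zero fill, since a zero fill is indistinguishable from a zeroed member. */
static int poisoned_members(unsigned char fill, int use_full_init)
{
    uint32_t poison = 0x01010101u * fill;
    obj_t o;
    memset(&o, fill, sizeof o);
    if (use_full_init) full_init(&o); else partial_init(&o);
    int n = 0;
    for (size_t i = 0; i < sizeof o; i += sizeof(uint32_t)) {
        uint32_t w;
        memcpy(&w, (const unsigned char *)&o + i, sizeof w);
        if (w == poison) n++;
    }
    return n;
}

int main(void)
{
    printf("zeroed chunk,   partial init: outcome %d\n", run_scenario(0x00, 0));
    printf("poisoned chunk, partial init: outcome %d, %d members still poisoned\n",
           run_scenario(0xCD, 0), poisoned_members(0xCD, 0));
    printf("poisoned chunk, full init:    outcome %d, %d members still poisoned\n",
           run_scenario(0xCD, 1), poisoned_members(0xCD, 1));
    return 0;
}
```

With a zeroed chunk the partial constructor gets away with it (outcome 0, copy skipped); with a poisoned chunk the same code reaches the memmove_s-with-NULL-source path (outcome 1), which is the c0000417 invalid-parameter exception in the trace, and the poison scan names the three members (.m1, .m5, .m6) the constructor never wrote. Fully initialising the object makes the outcome independent of allocator residue, which is the only fix that does not depend on heap luck.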