http://bugs.winehq.org/show_bug.cgi?id=35877
--- Comment #3 from Khang sitinh@gmail.com ---
Hi Master
Can you tell me how to fix this bug step by step? I don't understand the code. Can you help me, please?
(In reply to Anastasius Focht from comment #2)
Hello folks,
confirming.
Looks like another broken app with TLS slot index 0 access.
Windows implements a workaround for all broken apps, making TLS slot index 0 unavailable for allocation through TLS API hence the crash is prevented.
--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files/Photodex/ProShow Gold
...
$ WINEDEBUG=+tid,+seh,+relay wine ./pxplay.exe >>log.txt 2>&1
...
0029:Starting process L"C:\Program Files\Photodex\ProShow Gold\pxplay.exe" (entryproc=0x9c1d60)
...
0029:Call KERNEL32.TlsAlloc() ret=009c3441
0029:Ret KERNEL32.TlsAlloc() retval=00000000 ret=009c3441
0029:Call ntdll.RtlAllocateHeap(01460000,00000008,00000080) ret=009c33f4
0029:Ret ntdll.RtlAllocateHeap() retval=01460138 ret=009c33f4
0029:Call ntdll.RtlAllocateHeap(01460000,00000000,00000480) ret=009c0b3d
0029:Ret ntdll.RtlAllocateHeap() retval=014601c0 ret=009c0b3d
...
0029:Call KERNEL32.GetStartupInfoA(0033fdc4) ret=009c1e17
0029:Ret KERNEL32.GetStartupInfoA() retval=00000011 ret=009c1e17
0029:Call KERNEL32.GetModuleHandleA(00000000) ret=009c1e3a
0029:Ret KERNEL32.GetModuleHandleA() retval=00400000 ret=009c1e3a
0029:trace:seh:raise_exception code=c0000005 flags=0 addr=0x49680a ip=0049680a tid=0029
0029:trace:seh:raise_exception  info[0]=00000000
0029:trace:seh:raise_exception  info[1]=01470258
0029:trace:seh:raise_exception  eax=0129b6c0 ebx=01460138 ecx=00bb9538 edx=00bb9538 esi=00000000 edi=00000000
0029:trace:seh:raise_exception  ebp=00000000 esp=0033790c cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010202
0029:trace:seh:call_stack_handlers calling handler at 0x9c3724 code=c0000005 flags=0
0029:Call KERNEL32.GetLastError() ret=009c34a4
0029:Ret KERNEL32.GetLastError() retval=00000000 ret=009c34a4
0029:Call KERNEL32.UnhandledExceptionFilter(003373e0) ret=009c36dd
wine: Unhandled page fault on read access to 0x01470258 at address 0x49680a (thread 0029), starting debugger...
0029:trace:seh:start_debugger Starting debugger "winedbg --auto 40 92"
0029:Ret KERNEL32.UnhandledExceptionFilter() retval=00000000 ret=009c36dd
0029:trace:seh:call_stack_handlers handler at 0x9c3724 returned 1
0029:trace:seh:call_stack_handlers calling handler at 0x7bc9eb03 code=c0000005 flags=0
0029:Call KERNEL32.UnhandledExceptionFilter(003373d4) ret=7bc9eb3d
0029:Ret KERNEL32.UnhandledExceptionFilter() retval=00000000 ret=7bc9eb3d
0029:trace:seh:call_stack_handlers handler at 0x7bc9eb03 returned 1
Unhandled exception: page fault on read access to 0x01470258 in 32-bit code (0x0049680a).
...
Backtrace:
=>0 0x0049680a in pxplay (+0x9680a) (0x00000000)
0x0049680a: movl 0x10120(%ebx),%esi
--- snip ---
The app code that allocates and sets the first slot:
--- snip ---
009C3435 PUSH ESI
009C3436 CALL 009C4D94
009C343B CALL DWORD PTR DS:[<&KERNEL32.TlsAlloc>]
009C3441 CMP EAX,-1
009C3444 MOV DWORD PTR DS:[11A4EC4],EAX      ; index
009C3449 JE SHORT 009C3485
009C344B PUSH 74
009C344D PUSH 1
009C344F CALL 009C32F8
009C3454 MOV ESI,EAX
009C3456 POP ECX
009C3457 TEST ESI,ESI
009C3459 POP ECX
009C345A JZ SHORT 009C3485
009C345C PUSH ESI                            ; value, buffer ptr
009C345D PUSH DWORD PTR DS:[11A4EC4]         ; index
009C3463 CALL DWORD PTR DS:[<&KERNEL32.TlsSetValue>]
009C3469 TEST EAX,EAX
009C346B JZ SHORT 009C3485
...
--- snip ---
Unlike Windows, Wine happily gives slot index 0 to the app which writes a buffer pointer using TlsSetValue(). The buffer (0x80 bytes) was allocated here:
--- snip ---
0029:Call ntdll.RtlAllocateHeap(01460000,00000008,00000080) ret=009c33f4
0029:Ret ntdll.RtlAllocateHeap() retval=01460138 ret=009c33f4
--- snip ---
Offending app code:
--- snip ---
004967B0 MOV EAX,8150
004967B5 CALL 009BF760
004967BA MOV EAX,DWORD PTR DS:[1249A30]
004967BF PUSH EBX
004967C0 PUSH EBP
004967C1 PUSH ESI
004967C2 PUSH EDI
004967C3 PUSH EAX                            ; index => [0x1249A30] = 0
004967C4 CALL DWORD PTR DS:[<&KERNEL32.TlsGetValue>]
004967CA MOV EBX,EAX
004967CC XOR EBP,EBP
004967CE CMP EBX,EBP
004967D0 JE SHORT 004967EB
...
0049680A MOV ESI,DWORD PTR DS:[EBX+10120]    ; *boom*
00496810 JMP SHORT pxplay.00496817
--- snip ---
The buggy app calls TlsGetValue(0), which returns the buffer pointer set by the earlier code, as shown in the snippet before. That code path at 0x49680A should never be reached if the app gets NULL for slot index 0, which would be the case if the first slot is reserved by the system. The app code accesses offset 0x10120, which causes the fault (the buffer was allocated with size 0x80).
$ sha1sum psgold_50_3310.exe
10aaacabded20869391db41e296fd97cb833ffa1  psgold_50_3310.exe

$ du -sh psgold_50_3310.exe
32M     psgold_50_3310.exe

$ wine --version
wine-1.7.15-87-g5b55563
Regards
*** This bug has been marked as a duplicate of bug 20466 ***
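The following is a small model of the slot-0 reservation that Anastasius Focht's comment attributes to Windows. It is added here as an illustration and is not code from the bug report, from Wine or from Windows; the 64-slot bitmap, the function names and the single-thread simplification are assumptions. It replays the pxplay sequence (allocate a slot, store a 0x80-byte buffer in it, later read hard-coded index 0 and dereference offset 0x10120) once with an unreserved table and once with slot 0 reserved.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Illustrative model of the bitmap behind TlsAlloc/TlsSetValue/TlsGetValue.
 * Not Wine's or Windows' implementation: slot count, names and the
 * single-thread view are assumptions made for this example.
 */

#define TLS_SLOTS 64
#define TLS_OUT_OF_INDEXES 0xFFFFFFFFu

typedef struct {
    uint64_t bitmap;            /* bit i set => slot i handed out (or reserved) */
    void *values[TLS_SLOTS];    /* one thread's slot values */
} tls_state;

/* reserve_slot0 != 0 marks index 0 as used before any app code runs. */
static void tls_init(tls_state *t, int reserve_slot0)
{
    t->bitmap = reserve_slot0 ? 1u : 0u;
    for (int i = 0; i < TLS_SLOTS; i++)
        t->values[i] = NULL;
}

/* Lowest free bit wins, which is why an unreserved table hands out 0 first. */
static uint32_t tls_alloc(tls_state *t)
{
    for (int i = 0; i < TLS_SLOTS; i++) {
        uint64_t bit = (uint64_t)1 << i;
        if (!(t->bitmap & bit)) {
            t->bitmap |= bit;
            t->values[i] = NULL;    /* a fresh slot reads back as NULL */
            return (uint32_t)i;
        }
    }
    return TLS_OUT_OF_INDEXES;
}

static int tls_set_value(tls_state *t, uint32_t idx, void *v)
{
    if (idx >= TLS_SLOTS || !(t->bitmap & ((uint64_t)1 << idx)))
        return 0;
    t->values[idx] = v;
    return 1;
}

/* Like the real API, a get does not check whether the slot was allocated. */
static void *tls_get_value(const tls_state *t, uint32_t idx)
{
    return idx < TLS_SLOTS ? t->values[idx] : NULL;
}

/* Index handed to the first TlsAlloc() caller: 0 on an unreserved table
 * (what the relay log shows under Wine), 1 when slot 0 is reserved. */
static uint32_t first_allocated_index(int reserve_slot0)
{
    tls_state t;
    tls_init(&t, reserve_slot0);
    return tls_alloc(&t);
}

/*
 * Replays the pxplay sequence: startup code allocates a slot and stores a
 * small buffer in it; a later function reads its index from a different,
 * zero-valued global, calls TlsGetValue(0) and dereferences offset 0x10120
 * into whatever came back.
 * Returns 1 if that dereference would happen (out-of-bounds read),
 * 0 if the app's own NULL check short-circuits it, -1 on allocator failure.
 */
static int broken_app_would_fault(int reserve_slot0)
{
    static unsigned char small_buf[0x80];   /* constructed stand-in for the 0x80-byte heap block */
    const size_t bad_offset = 0x10120;      /* far beyond sizeof small_buf */
    tls_state t;
    tls_init(&t, reserve_slot0);

    uint32_t idx = tls_alloc(&t);           /* the app stores this in one global */
    if (idx == TLS_OUT_OF_INDEXES || !tls_set_value(&t, idx, small_buf))
        return -1;

    uint32_t stale_index = 0;               /* the other, never-initialized global */
    unsigned char *p = tls_get_value(&t, stale_index);
    if (p == NULL)
        return 0;                           /* JE SHORT branch: safe path */
    return bad_offset >= sizeof small_buf;  /* 1: would read past the allocation */
}

int main(void)
{
    printf("first TlsAlloc index: unreserved=%u reserved=%u\n",
           first_allocated_index(0), first_allocated_index(1));
    printf("would fault: unreserved=%d reserved=%d\n",
           broken_app_would_fault(0), broken_app_would_fault(1));
    return 0;
}
```

With the table unreserved the app's first TlsAlloc() returns 0, so its stale index-0 read hands back its own 0x80-byte buffer and the read at +0x10120 lands far outside it; in the relay log above that is exactly ebx=01460138 plus 0x10120 giving the faulting address 0x01470258. With slot 0 reserved, TlsGetValue(0) returns NULL and the app's JE SHORT branch is taken, which is the behaviour the comment describes for Windows.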