http://bugs.winehq.org/show_bug.cgi?id=35877
Bug ID: 35877
Summary: Problems with Proshowgold 5.
Product: Wine
Version: 1.7.1
Hardware: x86-64
OS: Mac OS X
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: -unknown
Assignee: wine-bugs@winehq.org
Reporter: sitinh@gmail.com

Created attachment 47903 --> http://bugs.winehq.org/attachment.cgi?id=47903
page fault on read access to 0x01469258 in 32-bit code (0x004961ca). "pxplay.exe"
Problems with Proshowgold 5. page fault on read access to 0x01469258 in 32-bit code (0x004961ca). "pxplay.exe"
--- Comment #1 from Khang sitinh@gmail.com ---
Hardware Overview:
  Model Name: Mac Pro
  Model Identifier: MacPro3,1
  Processor Name: Quad-Core Intel Xeon
  Processor Speed: 2.83 GHz
  Number of Processors: 1
  Total Number of Cores: 4
  L2 Cache: 12 MB
  Memory: 8 GB
  Bus Speed: 1.33 GHz
  Boot ROM Version: MultiBeast.tonymacx86.com
  SMC Version (system): 1.30f3
Graphics/Displays:
Elitegroup GeForce 9600 GT:
    Chipset Model: Elitegroup GeForce 9600 GT
    Type: GPU
    Bus: PCIe
    Slot: Slot-1
    PCIe Lane Width: x16
    VRAM (Total): 1024 MB
    Vendor: NVIDIA (0x10de)
    Device ID: 0x0622
    Revision ID: 0x00a1
    ROM Revision: 62.94.62.00.A0
    Displays:
      DELL 2001FP:
        Resolution: 1600 x 1200 @ 60 Hz
        Pixel Depth: 32-Bit Color (ARGB8888)
        Display Serial Number: C064957A13UL
        Main Display: Yes
        Mirror: Off
        Online: Yes
        Rotation: Supported

Anastasius Focht focht@gmx.net changed:

What        |Removed                      |Added
----------------------------------------------------------------------------
Keywords    |                             |download
Status      |UNCONFIRMED                  |RESOLVED
URL         |                             |http://download.cnet.com/ProShow-Gold/3000-12511_4-10280465.html
CC          |                             |focht@gmx.net
Component   |-unknown                     |ntdll
Resolution  |---                          |DUPLICATE
Summary     |Problems with Proshowgold 5. |ProShow Gold 5.0.3310 crashes on startup (TLS slot index allocation must start at non-zero indexes)

--- Comment #2 from Anastasius Focht focht@gmx.net ---
Hello folks,
confirming.
Looks like another broken app with TLS slot index 0 access.
Windows implements a workaround for all broken apps, making TLS slot index 0 unavailable for allocation through TLS API hence the crash is prevented.
--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files/Photodex/ProShow Gold
...
$ WINEDEBUG=+tid,+seh,+relay wine ./pxplay.exe >>log.txt 2>&1
...
0029:Starting process L"C:\Program Files\Photodex\ProShow Gold\pxplay.exe" (entryproc=0x9c1d60)
...
0029:Call KERNEL32.TlsAlloc() ret=009c3441
0029:Ret KERNEL32.TlsAlloc() retval=00000000 ret=009c3441
0029:Call ntdll.RtlAllocateHeap(01460000,00000008,00000080) ret=009c33f4
0029:Ret ntdll.RtlAllocateHeap() retval=01460138 ret=009c33f4
0029:Call ntdll.RtlAllocateHeap(01460000,00000000,00000480) ret=009c0b3d
0029:Ret ntdll.RtlAllocateHeap() retval=014601c0 ret=009c0b3d
...
0029:Call KERNEL32.GetStartupInfoA(0033fdc4) ret=009c1e17
0029:Ret KERNEL32.GetStartupInfoA() retval=00000011 ret=009c1e17
0029:Call KERNEL32.GetModuleHandleA(00000000) ret=009c1e3a
0029:Ret KERNEL32.GetModuleHandleA() retval=00400000 ret=009c1e3a
0029:trace:seh:raise_exception code=c0000005 flags=0 addr=0x49680a ip=0049680a tid=0029
0029:trace:seh:raise_exception info[0]=00000000
0029:trace:seh:raise_exception info[1]=01470258
0029:trace:seh:raise_exception eax=0129b6c0 ebx=01460138 ecx=00bb9538 edx=00bb9538 esi=00000000 edi=00000000
0029:trace:seh:raise_exception ebp=00000000 esp=0033790c cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010202
0029:trace:seh:call_stack_handlers calling handler at 0x9c3724 code=c0000005 flags=0
0029:Call KERNEL32.GetLastError() ret=009c34a4
0029:Ret KERNEL32.GetLastError() retval=00000000 ret=009c34a4
0029:Call KERNEL32.UnhandledExceptionFilter(003373e0) ret=009c36dd
wine: Unhandled page fault on read access to 0x01470258 at address 0x49680a (thread 0029), starting debugger...
0029:trace:seh:start_debugger Starting debugger "winedbg --auto 40 92"
0029:Ret KERNEL32.UnhandledExceptionFilter() retval=00000000 ret=009c36dd
0029:trace:seh:call_stack_handlers handler at 0x9c3724 returned 1
0029:trace:seh:call_stack_handlers calling handler at 0x7bc9eb03 code=c0000005 flags=0
0029:Call KERNEL32.UnhandledExceptionFilter(003373d4) ret=7bc9eb3d
0029:Ret KERNEL32.UnhandledExceptionFilter() retval=00000000 ret=7bc9eb3d
0029:trace:seh:call_stack_handlers handler at 0x7bc9eb03 returned 1
Unhandled exception: page fault on read access to 0x01470258 in 32-bit code (0x0049680a).
...
Backtrace:
=>0 0x0049680a in pxplay (+0x9680a) (0x00000000)
0x0049680a: movl 0x10120(%ebx),%esi
--- snip ---
The app code that allocates and sets the first slot:
--- snip ---
009C3435 PUSH ESI
009C3436 CALL 009C4D94
009C343B CALL DWORD PTR DS:[<&KERNEL32.TlsAlloc>]
009C3441 CMP EAX,-1
009C3444 MOV DWORD PTR DS:[11A4EC4],EAX ; index
009C3449 JE SHORT 009C3485
009C344B PUSH 74
009C344D PUSH 1
009C344F CALL 009C32F8
009C3454 MOV ESI,EAX
009C3456 POP ECX
009C3457 TEST ESI,ESI
009C3459 POP ECX
009C345A JZ SHORT 009C3485
009C345C PUSH ESI ; value, buffer ptr
009C345D PUSH DWORD PTR DS:[11A4EC4] ; index
009C3463 CALL DWORD PTR DS:[<&KERNEL32.TlsSetValue>]
009C3469 TEST EAX,EAX
009C346B JZ SHORT 009C3485
...
--- snip ---
Unlike Windows, Wine happily gives slot index 0 to the app which writes a buffer pointer using TlsSetValue(). The buffer (0x80 bytes) was allocated here:
--- snip ---
0029:Call ntdll.RtlAllocateHeap(01460000,00000008,00000080) ret=009c33f4
0029:Ret ntdll.RtlAllocateHeap() retval=01460138 ret=009c33f4
--- snip ---
Offending app code:
--- snip ---
004967B0 MOV EAX,8150
004967B5 CALL 009BF760
004967BA MOV EAX,DWORD PTR DS:[1249A30]
004967BF PUSH EBX
004967C0 PUSH EBP
004967C1 PUSH ESI
004967C2 PUSH EDI
004967C3 PUSH EAX ; index => [0x1249A30] = 0
004967C4 CALL DWORD PTR DS:[<&KERNEL32.TlsGetValue>]
004967CA MOV EBX,EAX
004967CC XOR EBP,EBP
004967CE CMP EBX,EBP
004967D0 JE SHORT 004967EB
...
0049680A MOV ESI,DWORD PTR DS:[EBX+10120] ; *boom*
00496810 JMP SHORT pxplay.00496817
--- snip ---

The buggy app calls TlsGetValue(0), which returns the buffer pointer set by the earlier code shown in the snippet before. That code path at 0x49680A should never be reached if the app gets NULL for slot index 0, which would be the case if the first slot is reserved by the system. The app code accesses offset 0x10120, which causes the fault (the buffer was allocated with size 0x80).

$ sha1sum psgold_50_3310.exe
10aaacabded20869391db41e296fd97cb833ffa1 psgold_50_3310.exe

$ du -sh psgold_50_3310.exe
32M psgold_50_3310.exe

$ wine --version
wine-1.7.15-87-g5b55563
Regards
*** This bug has been marked as a duplicate of bug 20466 ***
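As an added illustration (not code from the bug report or from Wine), a small C simulation of the TLS slot API discussed above: tls_alloc, tls_set_value, tls_get_value and run_app are hypothetical stand-ins for TlsAlloc/TlsSetValue/TlsGetValue and the app's two code paths, showing that reserving slot index 0 turns the out-of-bounds read into a skipped branch.

```c
/* Added example (not from the bug report): a simulation of the Win32 TLS slot
 * API showing why Windows never hands out slot index 0. tls_alloc, tls_set_value,
 * tls_get_value and run_app are hypothetical stand-ins for KERNEL32.TlsAlloc/
 * TlsSetValue/TlsGetValue and the app's code; nothing here calls Win32. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define TLS_SLOTS 64
#define TLS_OUT_OF_INDEXES 0xFFFFFFFFu
static void *tls_slots[TLS_SLOTS];          /* slot values for our single thread */
static unsigned char tls_used[TLS_SLOTS];   /* allocation bitmap */

/* First free slot. With reserve_zero, index 0 is skipped (Windows behaviour);
 * without it the first TlsAlloc() returns 0, as Wine did in this report. */
static uint32_t tls_alloc(int reserve_zero)
{
    for (uint32_t i = reserve_zero ? 1 : 0; i < TLS_SLOTS; i++)
        if (!tls_used[i]) { tls_used[i] = 1; return i; }
    return TLS_OUT_OF_INDEXES;
}

static int tls_set_value(uint32_t idx, void *v)
{
    if (idx >= TLS_SLOTS) return 0;
    tls_slots[idx] = v;
    return 1;
}

static void *tls_get_value(uint32_t idx) { return idx < TLS_SLOTS ? tls_slots[idx] : NULL; }

/* The app: one module allocates a slot and stores an 0x80-byte buffer; another
 * reads the slot through a global index still holding 0 (DS:[1249A30]) and, if
 * the value is non-NULL, reads a field at offset 0x10120 (the MOV at 0049680A).
 * Returns 1 if that read would leave the 0x80-byte buffer (the crash), 0 if the
 * path is skipped because TlsGetValue(0) gave NULL, -1 on allocation failure. */
static int run_app(int reserve_zero)
{
    uint32_t stale_index = 0;               /* never assigned by the app */
    memset(tls_slots, 0, sizeof tls_slots); /* fresh process: all slots NULL */
    memset(tls_used, 0, sizeof tls_used);   /* and all slots free */
    unsigned char *buf = calloc(0x80, 1);
    if (!buf) return -1;
    tls_set_value(tls_alloc(reserve_zero), buf);
    unsigned char *p = tls_get_value(stale_index);
    int crash = (p != NULL) && (0x10120 + sizeof(uint32_t) > 0x80);
    free(buf);
    return crash;
}
```

run_app(0) reproduces the Wine behaviour (slot 0 handed out, stale index 0 yields the small buffer, the 0x10120 read falls outside it), while run_app(1) models the Windows workaround, where TlsGetValue(0) returns NULL and the branch at 004967D0 is taken.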
--- Comment #3 from Khang sitinh@gmail.com ---
Hi Master

Can you tell me how to fix this bug step by step? I don't understand the code. Can you help me, please?
(In reply to Anastasius Focht from comment #2)
--- Comment #4 from Anastasius Focht focht@gmx.net ---
Hello Khang

--- quote ---
Can you tell me how to fix this bug step by step? I don't understand the code. Can you help me, please?
--- quote ---

You have to build Wine from source and apply the patch from bug 20466.
A short HOWTO can be found here: http://wiki.winehq.org/Patching
For further questions, please visit WineHQ user forums and get help here: http://forum.winehq.org/
Regards
Bruno Jesus 00cpxxx@gmail.com changed:

What        |Removed     |Added
----------------------------------------------------------------------------
Status      |RESOLVED    |CLOSED

--- Comment #5 from Bruno Jesus 00cpxxx@gmail.com ---
Closing duplicate bugs.