https://bugs.winehq.org/show_bug.cgi?id=52073
Bug ID: 52073
Summary: The builtin libxml2/libxslt libraries break msxml3:domdoc in wow64 mode
Product: Wine
Version: unspecified
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: msxml3
Assignee: wine-bugs@winehq.org
Reporter: fgouget@codeweavers.com
Distribution: ---
The builtin libxml2 / libxslt libraries break msxml3:domdoc in wow64 mode. More specifically, msxml3:domdoc started crashing on 2021-10-20:
domdoc.c:7004: Test marked todo: expected refcount 2, got 1
Unhandled exception: page fault on read access to 0x00000000ffffffff in 64-bit code (0x00000000013682a8).
[...]
Backtrace:
=>0 0x00000000013682a8 xmlXPathNodeCollectAndTest+0x28(ctxt=<is not available>, op=<is not available>, first=<is not available>, last=<is not available>, toBool=<is not available>) [Z:\home\winetest\winetest\src\libs\xml2\xpath.c:12028] in msxml3 (0x0000000001388348)
  1 0x0000000001369d51 xmlXPathNodeCollectAndTest+0x1ad0(ctxt=<is not available>, op=<is not available>, first=<is not available>, last=<is not available>, toBool=<is not available>) [Z:\home\winetest\winetest\src\libs\xml2\xpath.c:13113] in msxml3 (0x0000000001388348)
  2 0x000000000136a024 xmlXPathNodeCollectAndTest+0x1da3(ctxt=<is not available>, op=<is not available>, first=<is not available>, last=<is not available>, toBool=<is not available>) [Z:\home\winetest\winetest\src\libs\xml2\xpath.c:13361] in msxml3 (0x0000000001388348)
  3 0x000000000136b559 xmlXPathRunEval+0xc8(ctxt=<is not available>, toBool=<is not available>) [Z:\home\winetest\winetest\src\libs\xml2\xpath.c:13954] in msxml3 (0x0000000001388348)
  4 0x000000000136b775 xmlXPathCompiledEvalInternal+0xc4(comp=<is not available>, ctxt=<is not available>, resObjPtr=<is not available>, toBool=<is not available>) [Z:\home\winetest\winetest\src\libs\xml2\xpath.c:14337] in msxml3 (0x0000000001388348)
  5 0x000000000136bb3a xmlXPathCompiledEval+0x19(comp=<is not available>, ctx=<is not available>) [Z:\home\winetest\winetest\src\libs\xml2\xpath.c:14383] in msxml3 (0x0000000000fae760)
  6 0x0000000001298edc xsltProcessOneNode+0x18b(ctxt=<is not available>, contextNode=<is not available>, withParams=<is not available>) [Z:\home\winetest\winetest\src\libs\xslt\libxslt\transform.c:385] in msxml3 (0x0000000000fae760)
  7 0x0000000001296517 xsltCopyText+0x706(ctxt=<is not available>, target=<is not available>, cur=<is not available>, interned=<is not available>) [Z:\home\winetest\winetest\src\libs\xslt\libxslt\transform.c:2798] in msxml3 (0x0000000000fadc90)
  8 0x0000000001298638 xsltLocalVariablePush+0x267(ctxt=<is not available>, variable=<is not available>, level=<is not available>) [Z:\home\winetest\winetest\src\libs\xslt\libxslt\transform.c:2388] in msxml3 (0x0000000000fa3c70)
  9 0x0000000001298da2 xsltProcessOneNode+0x51(ctxt=0000000000FC2DC0, contextNode=0000000000FAE760, withParams=0000000000000000) [Z:\home\winetest\winetest\src\libs\xslt\libxslt\transform.c:3145] in msxml3 (0x0000000000000000)
  10 0x000000000129b28f xsltApplyStylesheetInternal+0x3ce(style=0000000000FA2030, doc=0000000000FAE760, params=<is not available>, output=<is not available>, profile=<is not available>, userCtxt=<is not available>) [Z:\home\winetest\winetest\src\libs\xslt\libxslt\transform.c:6089] in msxml3 (0x0000000000000000)
  11 0x000000000129b95e xsltApplyStylesheet+0x1d(style=<is not available>, doc=<is not available>, params=<is not available>) [Z:\home\winetest\winetest\src\libs\xslt\libxslt\transform.c:6285] in msxml3 (0x00000000006bf978)
  12 0x000000000125c2a7 node_transform_node_params+0xb6(This=0000000000043960, stylesheet=<is not available>, p=<is not available>, stream=0000000000000000, params=0000000000000000) [Z:\home\winetest\winetest\src\dlls\msxml3\node.c:1518] in msxml3 (0x00000000006bf978)
  13 0x000000000125c845 unknode_transformNode+0x34(iface=<is not available>, domNode=<is not available>, p=<is not available>) [Z:\home\winetest\winetest\src\dlls\msxml3\node.c:1541] in msxml3 (0x00000000000384a8)
  14 0x000000000123085a domdoc_transformNode+0x29(iface=<is not available>, node=0000000000045540, p=00000000006BF978) [Z:\home\winetest\winetest\src\dlls\msxml3\domdoc.c:1479] in msxml3 (0x00000000000384a8)
  15 0x000000000040c180 in msxml3_test (+0xc17f) (0x00000000000384a8)
[...]
https://test.winehq.org/data/patterns.html#msxml3:domdoc
A bisect shows that the crash started happening with the commit below:
commit bca1b7f2faeb0798f4af420c15ff5a1b1f7b40af Author: Alexandre Julliard julliard@winehq.org Date: Wed Oct 20 11:39:06 2021 +0200
mxsml3: Use the bundled libxml2 and libxslt and build with msvcrt.
Signed-off-by: Alexandre Julliard julliard@winehq.org
The previous two commits are imports of the libxslt and libxml2 code respectively and don't compile. And msxml3:domdoc does not crash with the previous commit (9a335d89d0cc).
François Gouget fgouget@codeweavers.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |regression, source, testcase
    Regression SHA1|                            |bca1b7f2faeb0798f4af420c15ff5a1b1f7b40af
Bernhard Übelacker bernhardu@mailbox.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bernhardu@mailbox.org
--- Comment #1 from Bernhard Übelacker bernhardu@mailbox.org ---
Created attachment 71336
  --> https://bugs.winehq.org/attachment.cgi?id=71336
Backtraces from rr of pointer invalidation and the crash.
I tried to find out the reason for the crash, and I guess this is what happens:
In the function xslt_doc_default_loader, a pointer to the stack-based variable "xmlParserInputPtr input" is given to bind_url.
Later, in the function import_loader_onDataAvailable, this pointer appears as the parameter "void *ctxt", which is correctly cast to "xmlParserInputPtr *input" but, in my opinion, incorrectly passed to xmlNewIOInputStream as the parameter "xmlParserCtxtPtr ctxt".
In the next call, to xmlNewInputStream, this xmlParserCtxtPtr is used to increment the input_id member.
By accident, this input_id member contains the pointer that causes the segfault in xmlXPathNodeCollectAndTest.
The attached file contains the backtraces of the pointer invalidation and the crash.
This patch just passes NULL to xmlNewInputStream, because ctxt is really a pointer to an xmlParserInputPtr: https://source.winehq.org/patches/data/222347
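The mechanism described in comment #1, a "void *" cookie that is really a pointer to a stack variable being handed to a function that expects a parser context, as an added example in C. This is not Wine's or libxml2's code: the types (mock_ctxt, mock_input, loader_frame), the callbacks (on_data_available_buggy, on_data_available_fixed) and the field layouts are constructed for the demonstration, and the stray "input_id" increment is arranged to land on a neighbouring pointer field this program owns, so the corruption can be observed without dereferencing anything. In the real crash the write landed on whatever happened to live at that offset of the stack.

```c
#include <stddef.h>
#include <stdlib.h>

/* Simplified stand-ins, constructed for this example; layouts are NOT libxml2's. */
typedef struct mock_node  { const char *name; } mock_node;
typedef struct mock_input { int id; const char *source; } mock_input;

/* Stand-in for xmlParserCtxt: the only member that matters here is input_id. */
typedef struct mock_ctxt {
    void *sax;
    void *user_data;
    int   input_id;          /* offset 16 on LP64 targets */
} mock_ctxt;

/* Stand-in for the loader's stack frame: "input" is the cookie handed to the
 * asynchronous callback; "live_node" is some other pointer a later step still uses. */
typedef struct loader_frame {
    mock_input *input;
    void       *reserved;
    mock_node  *live_node;   /* also at offset 16: the overlap that bites */
} loader_frame;

_Static_assert(offsetof(mock_ctxt, input_id) == offsetof(loader_frame, live_node),
               "this example relies on the stray write landing on live_node");

/* Stand-in for xmlNewInputStream(ctxt): touches ctxt->input_id when ctxt != NULL.
 * (The -1 for a NULL ctxt is this example's choice, not libxml2's.) */
static mock_input *new_input_stream(mock_ctxt *ctxt)
{
    mock_input *in = calloc(1, sizeof *in);
    if (!in) return NULL;
    in->id = ctxt ? ctxt->input_id++ : -1;   /* the write that corrupts the caller */
    return in;
}

/* Keep the callbacks out of line so the caller must reload its frame afterwards. */
#if defined(__GNUC__)
#define NOINLINE __attribute__((noinline))
#else
#define NOINLINE
#endif

/* Stand-in for import_loader_onDataAvailable. The cookie really is a
 * "mock_input **"; the bug is passing that same cookie as the parser context. */
static NOINLINE void on_data_available_buggy(void *cookie, const char *data)
{
    mock_input **input = cookie;                      /* correct interpretation */
    *input = new_input_stream((mock_ctxt *)cookie);   /* wrong: cookie is not a ctxt */
    if (*input) (*input)->source = data;
}

/* The fix from comment #1: no parser context exists here, so pass NULL. */
static NOINLINE void on_data_available_fixed(void *cookie, const char *data)
{
    mock_input **input = cookie;
    *input = new_input_stream(NULL);
    if (*input) (*input)->source = data;
}

/* Runs one load through the given callback and reports whether the frame's
 * unrelated pointer survived: 1 if live_node was corrupted, 0 if intact. */
static int load_and_check(void (*cb)(void *, const char *))
{
    static mock_node node = { "root" };
    loader_frame frame = { NULL, NULL, &node };
    cb(&frame.input, "<doc/>");          /* the cookie, as the loader hands it to bind_url */
    int corrupted = (frame.live_node != &node);
    free(frame.input);
    return corrupted;
}

int buggy_loader_corrupts_frame(void) { return load_and_check(on_data_available_buggy); }
int fixed_loader_keeps_frame(void)    { return !load_and_check(on_data_available_fixed); }

int main(void)
{
    return (buggy_loader_corrupts_frame() && fixed_loader_keeps_frame()) ? 0 : 1;
}
```

The buggy path bumps the low 32 bits of live_node by one, which is exactly the kind of off-by-a-little pointer that later faults in an unrelated function such as xmlXPathNodeCollectAndTest; the fixed path leaves the frame untouched. The general lesson is that a "void *" callback cookie carries no type information, so every consumer must agree on one interpretation and nothing else.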
Alexandre Julliard julliard@winehq.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
      Fixed by SHA1|                            |2ef4cde8ef65800db480588edc0ea3da8f527b61
         Resolution|---                         |FIXED
--- Comment #2 from Alexandre Julliard julliard@winehq.org --- Fixed by 2ef4cde8ef65800db480588edc0ea3da8f527b61, thanks Bernhard!
Alexandre Julliard julliard@winehq.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED
--- Comment #3 from Alexandre Julliard julliard@winehq.org --- Closing bugs fixed in 7.0-rc3.