http://bugs.winehq.org/show_bug.cgi?id=31684
Bug #: 31684
Summary: Crash in winealsa driver when exiting World of Warcraft
Product: Wine
Version: 1.5.12
Platform: x86
OS/Version: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: directx-dsound
AssignedTo: wine-bugs@winehq.org
ReportedBy: rankincj@yahoo.com
Classification: Unclassified
Created attachment 41655
  --> http://bugs.winehq.org/attachment.cgi?id=41655
Backtrace of the crash
Playing WoW 5.0.4, 32 bit ("Mists of Pandaria"), but it crashed on exit. The backtrace suggests memory corruption.
Bruno Jesus 00cpxxx@gmail.com changed:
What      |Removed      |Added
----------------------------------------------
CC        |             |00cpxxx@gmail.com
--- Comment #1 from Bruno Jesus 00cpxxx@gmail.com 2012-09-11 19:07:56 CDT ---
I guess in this case you could try a WINEDEBUG=warn+heap. It will possibly show a HEAP_ValidateInUseArena line; then do WINEDEBUG=warn+heap,+relay and find the call tree that leads to the aggressor.
See http://bugs.winehq.org/show_bug.cgi?id=10111#c0 for an example.
--- Comment #2 from rankincj@yahoo.com 2012-09-12 18:30:13 CDT ---
Definitely heap corruption:

0009:Call KERNEL32.MulDiv(01312d00,00001f40,00989680) ret=7f66cf035bdc
0009:Ret  KERNEL32.MulDiv() retval=00003e80 ret=7f66cf035bdc
0009:Call KERNEL32.MulDiv(00001f40,00009c40,00989680) ret=7f66cf035c06
0009:Ret  KERNEL32.MulDiv() retval=00000020 ret=7f66cf035c06
0009:Call ntdll.RtlAllocateHeap(00010000,00000000,00007d00) ret=7f66cf035ca7
0009:Ret  ntdll.RtlAllocateHeap() retval=039b4cc0 ret=7f66cf035ca7
...
0009:Call ntdll.RtlFreeHeap(00010000,00000000,039b4cc0) ret=7f66cf031e2c
err:heap:HEAP_ValidateInUseArena Heap 0x10000: block 0x39b4cc0 tail overwritten at 0x39bc9c0 (byte 0/24 == 0x00)
I generated this from the WoW login screen without even logging in.
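The procedure from comment #1 (warn+heap to catch the HEAP_ValidateInUseArena line, then +relay to find the call tree that leads to the aggressor) can be automated over a saved log. The script below is an added example, not part of this bug report or of Wine: it parses the relay and heap-check line formats quoted in comment #2, ties the block named in the error back to the RtlAllocateHeap call that created it (requested size and caller return address), computes how far past the end of that block the first clobbered tail byte lies, and lists the last calls made by the thread that was running when the check fired. The sample log is constructed: its MulDiv, RtlAllocateHeap, RtlFreeHeap and err:heap lines reuse the values from comment #2, while the Sleep and lstrlenA calls and thread 000a are filler invented for the example. The error-line pattern also accepts the "in-use arena ... has PREV_FREE flag" form that appears later in this thread (comment #14), for which no tail address is available.

```python
import re
import sys
from collections import defaultdict, deque

# Constructed sample of a WINEDEBUG=warn+heap,+relay log. The MulDiv,
# RtlAllocateHeap, RtlFreeHeap and err:heap lines reuse the values quoted in
# comment #2; the Sleep/lstrlenA calls and thread 000a are invented filler.
SAMPLE_LOG = """\
0009:Call KERNEL32.MulDiv(01312d00,00001f40,00989680) ret=7f66cf035bdc
0009:Ret  KERNEL32.MulDiv() retval=00003e80 ret=7f66cf035bdc
0009:Call KERNEL32.MulDiv(00001f40,00009c40,00989680) ret=7f66cf035c06
0009:Ret  KERNEL32.MulDiv() retval=00000020 ret=7f66cf035c06
0009:Call ntdll.RtlAllocateHeap(00010000,00000000,00007d00) ret=7f66cf035ca7
0009:Ret  ntdll.RtlAllocateHeap() retval=039b4cc0 ret=7f66cf035ca7
000a:Call KERNEL32.Sleep(00000001) ret=7f66cf040000
000a:Ret  KERNEL32.Sleep() retval=00000000 ret=7f66cf040000
0009:Call KERNEL32.lstrlenA(039b4cc0) ret=7f66cf036000
0009:Ret  KERNEL32.lstrlenA() retval=00000000 ret=7f66cf036000
0009:Call ntdll.RtlFreeHeap(00010000,00000000,039b4cc0) ret=7f66cf031e2c
err:heap:HEAP_ValidateInUseArena Heap 0x10000: block 0x39b4cc0 tail overwritten at 0x39bc9c0 (byte 0/24 == 0x00)
0009:Ret  ntdll.RtlFreeHeap() retval=00000000 ret=7f66cf031e2c
"""

# "tttt:Call mod.func(args) ret=addr" / "tttt:Ret  mod.func() retval=v ret=addr"
RELAY_RE = re.compile(
    r"^(?P<tid>[0-9a-f]{4}):(?P<kind>Call|Ret)\s+(?P<func>[^(\s]+)\((?P<args>[^)]*)\)"
    r"(?:\s+retval=(?P<retval>[0-9a-f]+))?\s+ret=(?P<ret>[0-9a-f]+)")
# Both heap-check forms seen in this thread: "block 0x... tail overwritten at 0x..."
# and "in-use arena 0x... next block 0x... has PREV_FREE flag".
HEAP_ERR_RE = re.compile(
    r"err:heap:HEAP_ValidateInUseArena Heap 0x(?P<heap>[0-9a-f]+): "
    r"(?:block|in-use arena) 0x(?P<block>[0-9a-f]+)"
    r"(?:.*?tail overwritten at 0x(?P<tail>[0-9a-f]+))?")


def parse_relay_line(line):
    """Split one relay line into its fields; returns None for non-relay lines."""
    m = RELAY_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["args"] = [a for a in d["args"].split(",") if a]
    return d


def analyze(log_text, context=6):
    """Return one finding per HEAP_ValidateInUseArena line in the log."""
    allocs = {}        # block address -> {"size", "alloc_ret"}
    pending_alloc = {} # tid -> (requested size, caller) of an in-flight RtlAllocateHeap
    pending_free = {}  # tid -> (pointer, caller) of an in-flight RtlFreeHeap
    recent = defaultdict(lambda: deque(maxlen=context))  # tid -> last Call lines
    last_tid = None
    findings = []
    for line in log_text.splitlines():
        rel = parse_relay_line(line)
        if rel:
            tid, func = rel["tid"], rel["func"]
            last_tid = tid
            if rel["kind"] == "Call":
                recent[tid].append("%s(%s) ret=%s" % (func, ",".join(rel["args"]), rel["ret"]))
                if func == "ntdll.RtlAllocateHeap":
                    pending_alloc[tid] = (int(rel["args"][2], 16), rel["ret"])
                elif func == "ntdll.RtlFreeHeap":
                    pending_free[tid] = (int(rel["args"][2], 16), rel["ret"])
            elif func == "ntdll.RtlAllocateHeap" and tid in pending_alloc:
                size, ret = pending_alloc.pop(tid)
                allocs[int(rel["retval"], 16)] = {"size": size, "alloc_ret": ret}
            continue
        m = HEAP_ERR_RE.search(line)
        if not m:
            continue
        block = int(m.group("block"), 16)
        tail = int(m.group("tail"), 16) if m.group("tail") else None
        alloc = allocs.get(block)
        findings.append({
            "heap": int(m.group("heap"), 16),
            "block": block,
            "tail_at": tail,
            "alloc_size": alloc["size"] if alloc else None,
            "alloc_ret": alloc["alloc_ret"] if alloc else None,
            # Bytes between the end of the user data and the first clobbered
            # tail byte; 0 means the write ran straight off the end of the block.
            "overrun_offset": (tail - (block + alloc["size"])) if (alloc and tail is not None) else None,
            "free_ret": pending_free.get(last_tid, (None, None))[1],
            "tid": last_tid,
            "calls": list(recent[last_tid]) if last_tid else [],
        })
    return findings


def format_finding(f):
    """Render one finding as a short human-readable report."""
    out = ["Heap 0x%x: block 0x%x corrupted (thread %s)" % (f["heap"], f["block"], f["tid"])]
    if f["alloc_size"] is not None:
        out.append("  allocated: %d bytes by code at %s" % (f["alloc_size"], f["alloc_ret"]))
    if f["overrun_offset"] is not None:
        out.append("  tail clobbered %d byte(s) past end of block" % f["overrun_offset"])
    if f["free_ret"]:
        out.append("  detected while freeing from %s" % f["free_ret"])
    out.append("  last calls on this thread:")
    out.extend("    " + c for c in f["calls"])
    return "\n".join(out)


if __name__ == "__main__":
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for finding in analyze(text):
        print(format_finding(finding))
```

Run with a saved log as the first argument, or with no argument to use the constructed sample. On the values from comment #2 the overrun offset comes out as 0: 0x39b4cc0 + 0x7d00 is exactly 0x39bc9c0, so the first clobbered tail byte sits immediately after the 32000-byte block, which points at a sequential overrun of that buffer rather than a stray write landing elsewhere in the heap.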
--- Comment #3 from Bruno Jesus 00cpxxx@gmail.com 2012-09-12 18:42:39 CDT ---
Please, attach the compressed warn+heap,+relay so other developers can take a look.
--- Comment #4 from rankincj@yahoo.com 2012-09-12 18:48:27 CDT ---
(In reply to comment #3)
> Please, attach the compressed warn+heap,+relay so other developers can take a look.
I've tried, but the compressed output is too big to be attached. Is there an email address I can send it to instead, please?
--- Comment #5 from rankincj@yahoo.com 2012-09-12 19:06:37 CDT ---
Created attachment 41660
  --> http://bugs.winehq.org/attachment.cgi?id=41660
WINEDEBUG=warn+heap,+relay Wow-64.exe
This is a different WINEDEBUG output that I generated directly from Wow-64.exe instead of via the Launcher.
Jerome Leclanche adys.wh@gmail.com changed:
What      |Removed      |Added
----------------------------------------------
CC        |             |adys.wh@gmail.com
--- Comment #6 from Jerome Leclanche adys.wh@gmail.com 2012-09-12 19:58:09 CDT ---
Does it happen with the 32-bit client?
--- Comment #7 from rankincj@yahoo.com 2012-09-13 02:45:53 CDT ---
(In reply to comment #6)
> Does it happen with the 32-bit client?
I haven't created any WINEDEBUG output for it yet, but the original crash happened with the 32 bit WoW client, yes.
--- Comment #8 from rankincj@yahoo.com 2012-09-13 17:15:34 CDT ---
Created attachment 41666
  --> http://bugs.winehq.org/attachment.cgi?id=41666
WINEDEBUG=warn+heap,+relay Wow.exe
Confirmed, the exact same problem happens with the 32 bit Wow.exe client as well. I've had to chop the top and bottom off this log output to get it below 1 MB, but hopefully the "interesting bit" is still all there.
--- Comment #9 from rankincj@yahoo.com 2012-09-16 17:53:42 CDT ---
The "bad free" is happening in wine/dlls/winealsa.drv/mmdevdrv.c:

    static ULONG WINAPI AudioClient_Release(IAudioClient *iface)
    {
        ACImpl *This = impl_from_IAudioClient(iface);
        ULONG ref;
        ref = InterlockedDecrement(&This->ref);
        TRACE("(%p) Refcount now %u\n", This, ref);
        if(!ref){
            ...
            // BAD FREE HERE!!
            HeapFree(GetProcessHeap(), 0, This->local_buffer);
            ...
        }
        return ref;
    }

0009:Call ntdll.RtlFreeHeap(00110000,00000000,001cb4a8) ret=b4906fd9
err:heap:HEAP_ValidateInUseArena Heap 0x110000: block 0x1cb4a8 tail overwritten at 0x1d31a8 (byte 0/8 == 0x00)
0009:Ret  ntdll.RtlFreeHeap() retval=00000000 ret=b4906fd9
Bruno Jesus 00cpxxx@gmail.com changed:
What      |Removed      |Added
----------------------------------------------
CC        |             |aeikum@codeweavers.com
--- Comment #10 from Bruno Jesus 00cpxxx@gmail.com 2012-09-17 16:58:15 CDT ---
Andrew, can you please take a look at the previous comment?
--- Comment #11 from Andrew Eikum aeikum@codeweavers.com 2012-09-18 07:38:44 CDT ---
I checked through how local_buffer is used and didn't find any obvious problems with it. So it's probably a memory corruption bug, as comment 2 suggests. Could you attach another log with the channels from http://wiki.winehq.org/Sound?
--- Comment #12 from rankincj@yahoo.com 2012-09-18 07:58:29 CDT ---
(In reply to comment #11)
> I checked through how local_buffer is used and didn't find any obvious problems with it. So it's probably a memory corruption bug, as comment 2 suggests. Could you attach another log with the channels from http://wiki.winehq.org/Sound?
OK, I'll do that tonight (although I'll have to trim the compressed log down to < 1 MB). For what it's worth, I've already tried hacking a few calls to RtlValidateHeap(This->local_buffer, ...) into the code. The first hint of heap corruption appeared when snd_pcm_readi() seemed to overflow This->local_buffer, except that then I checked the offsets and sizes and they all seemed to be within range.
Is it possible that the original This->local_buffer is somehow freed and a smaller chunk of memory reallocated at the same address? And then snd_pcm_readi() continues to write to it via a stale pointer?
--- Comment #13 from Andrew Eikum aeikum@codeweavers.com 2012-09-18 08:04:39 CDT ---
I don't think so... local_buffer is only assigned once. I think the more likely scenario is that some part of the code is overwriting the value of local_buffer itself, causing snd_pcm_readi() to read into some invalid chunk of memory, and eventually free that invalid chunk. You could try adding TRACEs near where local_buffer is used to see if/when its value changes.
--- Comment #14 from rankincj@yahoo.com 2012-09-18 15:15:12 CDT ---
(In reply to comment #13)
> You could try adding TRACEs near where local_buffer is used to see if/when its value changes.
The value of This->local_buffer looks the same both before and after. But on at least one occasion, the first Heap warning looked like this:
err:heap:HEAP_ValidateInUseArena Heap 0x110000: in-use arena 0x1ed328 next block 0x1f5038 has PREV_FREE flag 5e
--- Comment #15 from rankincj@yahoo.com 2012-09-18 18:31:13 CDT ---
Created attachment 41728
  --> http://bugs.winehq.org/attachment.cgi?id=41728
WINEDEBUG=warn+heap,+tid,+mmdevapi,+winmm,+driver,+midi,+dsound,+dsound3d,+dmusic,+mci,+oss,+alsa,+coreaudio Wow.exe
Michael Stefaniuc mstefani@redhat.com changed:
What      |Removed      |Added
----------------------------------------------
CC        |             |mstefani@redhat.com
--- Comment #16 from Michael Stefaniuc mstefani@redhat.com 2012-09-26 16:31:49 CDT ---
Can you please try with today's Wine wine-1.5.13-402-gcd9451c or later? I have fixed (4e06eead8f446f0167e6c92f0cc09f943122a7cd) a memory issue in DirectSoundDevice_RemoveBuffer() which is called prior to AudioClient_Release(). The code was doing a HeapReAlloc() with size 0 when removing the last secondary buffer. Valgrind didn't like it at all.
--- Comment #17 from rankincj@yahoo.com 2012-09-27 15:49:26 CDT ---
(In reply to comment #16)
> Can you please try with today's Wine wine-1.5.13-402-gcd9451c or later?
I have just compiled Wine locally, git HEAD at:
commit cd9451c4993ae852df69cac4fe22e2838ae9fbe1
Author: Jason Edmeades <jason@edmeades.me.uk>
Date:   Tue Sep 25 23:16:54 2012 +0100

    cmd: Display 'set' sort ordering correctly.
But running Wow.exe with WINEDEBUG=warn+heap,+relay enabled is still generating the same "Heap Validation" error when AudioClient_Release() tries to free This->local_buffer.
--- Comment #18 from rankincj@yahoo.com 2012-10-25 15:13:55 CDT ---
Created attachment 42254
  --> http://bugs.winehq.org/attachment.cgi?id=42254
Valgrind output of WoW
Fedora 17 upgraded Valgrind to 3.8.1 today, so here's the output for WoW.
--- Comment #19 from Jörg Höhle hoehle@users.sourceforge.net 2012-10-30 07:40:50 CDT ---
Created attachment 42326
  --> http://bugs.winehq.org/attachment.cgi?id=42326
mmdevapi fix capture overrun

Please investigate the effects of the attached patch and separately of:
ntdll: Do not execute callbacks past DeleteTimer(INVALID_HANDLE_VALUE)
http://www.winehq.org/pipermail/wine-patches/2012-October/119350.html
--- Comment #20 from rankincj@yahoo.com 2012-10-31 07:36:26 CDT ---
Created attachment 42349
  --> http://bugs.winehq.org/attachment.cgi?id=42349
Valgrind output from WoW with ALSA mmdevdrv.c patch
The patch to Wine's ALSA driver does not fix the memory corruption. Valgrind output attached. (This is against Wine 1.5.16).
--- Comment #21 from rankincj@yahoo.com 2012-10-31 07:39:54 CDT ---
Created attachment 42350
  --> http://bugs.winehq.org/attachment.cgi?id=42350
Valgrind output from WoW with NTDLL patch
The timer callback patch for NTDLL does not fix the heap corruption. Valgrind output against Wine 1.5.16 is attached.
Jörg Höhle hoehle@users.sourceforge.net changed:
What      |Removed      |Added
----------------------------------------------
CC        |             |hoehle@users.sourceforge.net
--- Comment #22 from Jörg Höhle hoehle@users.sourceforge.net 2012-11-09 10:25:24 CST ---
> The timer callback patch for NTDLL does not fix the heap corruption.
Not really surprising, I'm sorry. It fixes intermittent misbehaviour, whereas what you observe is systematic.
> The first hint of heap corruption appeared when snd_pcm_readi() seemed to overflow This->local_buffer
The capture overrun is what attracted me to this bug report. Could you please give a stab at my lockless ALSA driver attached to bug #29531, comment #10? It changes overrun behaviour, which is currently buggy, see bug #30147, comment #5. Be aware that my patch likely applies to wine-1.4.
--- Comment #23 from Andrew Eikum aeikum@codeweavers.com 2013-05-16 14:02:59 CDT ---
There's a patch in today's Wine that fixes a memory corruption bug. I don't know if it will help this crash, but it's worth a test.

commit 508b0c9c44349a5d980e0f1ee0ba4fca871bd2cb
Author: Andrew Eikum <aeikum@codeweavers.com>
Date:   Thu May 16 09:24:31 2013 -0500

    dsound: Don't overrun capture buffer.
--- Comment #24 from rankincj@yahoo.com 2013-05-26 07:55:33 CDT ---
(In reply to comment #23)
> There's a patch in today's Wine that fixes a memory corruption bug. I don't know if it will help this crash, but it's worth a test.
>
> commit 508b0c9c44349a5d980e0f1ee0ba4fca871bd2cb
> Author: Andrew Eikum <aeikum@codeweavers.com>
> Date:   Thu May 16 09:24:31 2013 -0500
>
>     dsound: Don't overrun capture buffer.
Interesting - I think it might have helped, but it's too early to be sure just yet. But even more interesting is that this bug seems to be fixed now too:
http://bugs.winehq.org/show_bug.cgi?id=32620
Although I'm baffled why no-one else seemed to experience the "Voice Capture" bug, if that's the case.
--- Comment #25 from rankincj@yahoo.com 2013-05-27 16:32:14 CDT ---
(In reply to comment #23)
> There's a patch in today's Wine that fixes a memory corruption bug. I don't know if it will help this crash, but it's worth a test.
>
> commit 508b0c9c44349a5d980e0f1ee0ba4fca871bd2cb
> Author: Andrew Eikum <aeikum@codeweavers.com>
> Date:   Thu May 16 09:24:31 2013 -0500
>
>     dsound: Don't overrun capture buffer.
I've backported this patch to 1.5.29, and it alone does not stop WoW crashing on exit. (This is on my x86_64 box with Intel HDA graphics, and the PulseAudio microphone enabled).
--- Comment #26 from rankincj@yahoo.com 2013-05-28 17:56:17 CDT ---
Is the Sound Capture code "32 bit vs 64 bit" clean? I'm seeing a crash with Wow-64.exe when the microphone is enabled, but Wow.exe seems OK.
--- Comment #27 from Bruno Jesus 00cpxxx@gmail.com ---
May be fixed by http://source.winehq.org/git/wine.git/commitdiff/8fe52db332352946484e438581b...
Please test again in wine-git.
Ken Sharp imwellcushtymelike@gmail.com changed:
What      |Removed      |Added
----------------------------------------------
Keywords  |             |Abandoned?
--- Comment #28 from Chris Rankin rankincj@yahoo.com ---
This bug does appear to be fixed now, although I cannot pinpoint the specific commit that fixed it. Warcraft's "Voice Chat" is working now too - which may or may not be related.
Bruno Jesus 00cpxxx@gmail.com changed:
What      |Removed      |Added
----------------------------------------------
Status    |UNCONFIRMED  |RESOLVED
Resolution|---          |FIXED
--- Comment #29 from Bruno Jesus 00cpxxx@gmail.com ---
(In reply to Chris Rankin from comment #28)
> This bug does appear to be fixed now, although I cannot pinpoint the specific commit that fixed it. Warcraft's "Voice Chat" is working now too - which may or may not be related.
Resolving fixed, thanks for testing.
Alexandre Julliard julliard@winehq.org changed:
What      |Removed      |Added
----------------------------------------------
Status    |RESOLVED     |CLOSED
--- Comment #30 from Alexandre Julliard julliard@winehq.org ---
Closing bugs fixed in 1.7.52.
Anastasius Focht focht@gmx.net changed:
What      |Removed      |Added
----------------------------------------------
Keywords  |Abandoned?   |
CC        |             |focht@gmx.net