https://bugs.winehq.org/show_bug.cgi?id=36012
Bug ID: 36012 Summary: OllyDbg 2.x debugger crashes with Wine builtin dbghelp Product: Wine Version: 1.7.16 Hardware: x86 OS: Linux Status: NEW Severity: normal Priority: P2 Component: dbghelp Assignee: wine-bugs@winehq.org Reporter: focht@gmx.net
Hello folks,
noticed this a while ago ... reporting now :)
Ollydbg v2.x crashes for me with Wine builtin dbghelp. Interestingly the old Ollydbg v1.x doesn't crash with builtin.
So I ended up with:
Ollydbg 1.x debugging Ollydbg 2.x debugging Wine builtin 'notepad' :)
Relevant part of tracelog (with some helper traces added by me):
--- snip --- $ WINEDEBUG=+tid,+seh,+dbghelp,+dbghelp_symt wine ./ollydbg.exe >>log2.txt 2>&1 ... 0023:trace:dbghelp_symt:symt_new_function Adding global function L"kernel32<elf>":WCEL_InsertChar @7b83839a-7b8383c8 0023:trace:dbghelp_symt:symt_add_func_local Adding local symbol (L"kernel32<elf>":WCEL_InsertChar): ctx 0x20acd44 0023:trace:dbghelp_symt:symt_add_func_local Adding local symbol (L"kernel32<elf>":WCEL_InsertChar): c 0x20aaba0 0023:trace:dbghelp_symt:symt_add_func_local Adding local symbol (L"kernel32<elf>":WCEL_InsertChar): buffer 0x20ad7f0 ... 0023:trace:dbghelp_symt:symt_add_func_line (0x20ae608)WCEL_InsertChar:0 /home/focht/projects/wine/wine.repo/src/dlls/kernel32/editline.c:328 0023:trace:dbghelp_symt:symt_add_func_line (0x20ae608)WCEL_InsertChar:d /home/focht/projects/wine/wine.repo/src/dlls/kernel32/editline.c:331 0023:trace:dbghelp_symt:symt_add_func_line (0x20ae608)WCEL_InsertChar:15 /home/focht/projects/wine/wine.repo/src/dlls/kernel32/editline.c:332 0023:trace:dbghelp_symt:symt_add_func_line (0x20ae608)WCEL_InsertChar:1b /home/focht/projects/wine/wine.repo/src/dlls/kernel32/editline.c:333 0023:trace:dbghelp_symt:symt_add_func_line (0x20ae608)WCEL_InsertChar:2d /home/focht/projects/wine/wine.repo/src/dlls/kernel32/editline.c:334 ... 0023:trace:dbghelp_symt:symt_new_public Adding public symbol L"kernel32<elf>":WCEL_InsertChar @7b83839a ... 0023:trace:dbghelp:SymMatchStringW L"WCEL_InsertChar" L"*" N 0023:trace:dbghelp_symt:symt_fill_sym_info 0x20ae608 => WCEL_InsertChar 47 7b83839a 0023:trace:dbghelp:send_symbol se->cb=0x7d7f4fd1 se->sym_info=0x335fd8, se->sym_info->Size=47 se->user=0x33683c 0023:trace:dbghelp:sym_enumW sew->cb=0x4c90bc sew->sym_info=0x336848 size=47 sew->ctx=0x337098 0023:trace:dbghelp:SymSetContext Setting same frame {rtn=0 frm=0 stk=0} 0023:trace:dbghelp:symt_enum_locals_helper pair=0x3312fc match=0x7d800bd2 se=0x331398 func=0x20ae608 v=0x20ae63c vlen=4 0023:trace:dbghelp:symt_enum_locals_helper i=0 lsym=0x20ae66c, lsym->tag=0x7 0023:trace:dbghelp:SymMatchStringW L"ctx" L"*" Y 0023:trace:dbghelp_symt:symt_fill_sym_info 0x20ae66c => ctx 4 4 0023:trace:dbghelp:send_symbol se->cb=0x7d7f4fd1 se->sym_info=0x3313b8, se->sym_info->Size=4 se->user=0x331c1c 0023:trace:dbghelp:sym_enumW sew->cb=0x4c8f54 sew->sym_info=0x331c28 size=4 sew->ctx=0x33250c 0023:trace:dbghelp:symt_enum_locals_helper i=1 lsym=0x20ae6e4, lsym->tag=0x7 0023:trace:dbghelp:SymMatchStringW L"c" L"*" Y 0023:trace:dbghelp_symt:symt_fill_sym_info 0x20ae6e4 => c 2 ffffffe0 0023:trace:dbghelp:send_symbol se->cb=0x7d7f4fd1 se->sym_info=0x3313b8, se->sym_info->Size=2 se->user=0x331c1c 0023:trace:dbghelp:sym_enumW sew->cb=0x4c8f54 sew->sym_info=0x331c28 size=2 sew->ctx=0x33250c 0023:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7d7f1208 ip=7d7f1208 tid=0023 0023:trace:seh:raise_exception info[0]=00000000 0023:trace:seh:raise_exception info[1]=00000064 0023:trace:seh:raise_exception eax=00000058 ebx=7d80d000 ecx=003311f0 edx=fffffd6f esi=00000040 edi=0033689c 0023:trace:seh:raise_exception ebp=00331248 esp=00331248 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010202 0023:trace:seh:call_stack_handlers calling handler at 0x4e87c0 code=c0000005 flags=0 --- snip ---
'WCEL_InsertChar' seems to be the offender. Populating the symbol info for that function causes the crash in the debugger callback.
http://source.winehq.org/git/wine.git/blob/fc38254fed5dbc07a2a61a2411bfaadcc...
--- snip --- 327 static void WCEL_InsertChar(WCEL_Context* ctx, WCHAR c) 328 { 329 WCHAR buffer[2]; 330 331 buffer[0] = c; 332 buffer[1] = 0; 333 WCEL_InsertString(ctx, buffer); 334 } --- snip ---
During symbol evaluation of second function parameter 'c', the debugger syminfo callback corrupts parts of the caller stack hence the next for-loop iteration 'vector_length(v)' which ought to prepare 'buffer' local symbol info crashes.
Source: http://source.winehq.org/git/wine.git/blob/d0665616255ae8b720e14e02072996b7a...
--- snip --- 909 static BOOL symt_enum_locals_helper(struct module_pair* pair, 910 const WCHAR* match, const struct sym_enum* se, 911 struct symt_function* func, const struct vector* v) 912 { 913 struct symt* lsym = NULL; 914 DWORD pc = pair->pcs->ctx_frame.InstructionOffset; 915 unsigned int i; 916 WCHAR* nameW; 917 BOOL ret; 918 919 for (i=0; i<vector_length(v); i++) 920 { 921 lsym = *(struct symt**)vector_at(v, i); 922 switch (lsym->tag) 923 { ... 933 case SymTagData: 934 nameW = symt_get_nameW(lsym); 935 ret = SymMatchStringW(nameW, match, 936 !(dbghelp_options & SYMOPT_CASE_INSENSITIVE)); 937 HeapFree(GetProcessHeap(), 0, nameW); 938 if (ret) 939 { 940 if (send_symbol(se, pair, func, lsym)) return FALSE; 941 } 942 break; ... 951 } 952 } 953 return TRUE; 954 } --- snip ---
Dump of symbol info for second parameter 'c':
--- snip --- Wine-dbg>p *se.sym_info {SizeOfStruct=0x58, TypeIndex=0x20a2b90, Reserved={0, 0}, info=0x20a66d4, Size=0x2, ModBase=0x7b810000, Flags=0xd0, Value=0, Address=0xffffffe0, Register=0x15, Scope=0, Tag=0x7, NameLen=0x1, MaxNameLen=0x7d0, Name=""} --- snip ---
Flags: 0xD0 = SYMFLAG_LOCAL | SYMFLAG_PARAMETER | SYMFLAG_REGREL Register: 0x15 = CV_REG_ESP
Disassembly of 'WCEL_InsertChar':
--- snip --- $ objdump -d editline.o
00000cba <WCEL_InsertChar>: cba: 55 push %ebp cbb: 89 e5 mov %esp,%ebp cbd: 83 ec 28 sub $0x28,%esp cc0: 8b 45 0c mov 0xc(%ebp),%eax ; parameter 'c' cc3: 66 89 45 e4 mov %ax,-0x1c(%ebp) ; 'c' as stack variable cc7: 0f b7 45 e4 movzwl -0x1c(%ebp),%eax ccb: 66 89 45 f4 mov %ax,-0xc(%ebp) ; buffer[0] = c ccf: 66 c7 45 f6 00 00 movw $0x0,-0xa(%ebp) ; buffer[1] = 0 cd5: 8d 45 f4 lea -0xc(%ebp),%eax cd8: 89 44 24 04 mov %eax,0x4(%esp) cdc: 8b 45 08 mov 0x8(%ebp),%eax ; 'ctx' parameter passthru cdf: 89 04 24 mov %eax,(%esp) ce2: e8 30 fe ff ff call b17 <WCEL_InsertString> ce7: c9 leave ce8: c3 ret --- snip ---
DWARF(2) symbol info:
--- snip --- $ objdump -W editline.o
<1><cf7>: Abbrev Number: 43 (DW_TAG_subprogram) <cf8> DW_AT_name : (indirect string, offset: 0x25b): WCEL_InsertChar <cfc> DW_AT_decl_file : 3 <cfd> DW_AT_decl_line : 327 <cff> DW_AT_prototyped : 1 <d00> DW_AT_low_pc : 0xcba <d04> DW_AT_high_pc : 0xce9 <d08> DW_AT_frame_base : 0x3b8 (location list) <d0c> DW_AT_sibling : <0xd3c> <2><d10>: Abbrev Number: 27 (DW_TAG_formal_parameter) <d11> DW_AT_name : ctx <d15> DW_AT_decl_file : 3 <d16> DW_AT_decl_line : 327 <d18> DW_AT_type : <0x847> <d1c> DW_AT_location : 2 byte block: 91 0 (DW_OP_fbreg: 0) <2><d1f>: Abbrev Number: 27 (DW_TAG_formal_parameter) <d20> DW_AT_name : c <d22> DW_AT_decl_file : 3 <d23> DW_AT_decl_line : 327 <d25> DW_AT_type : <0xf7> <d29> DW_AT_location : 2 byte block: 91 5c (DW_OP_fbreg: -36) <2><d2c>: Abbrev Number: 44 (DW_TAG_variable) <d2d> DW_AT_name : (indirect string, offset: 0x67a): buffer <d31> DW_AT_decl_file : 3 <d32> DW_AT_decl_line : 329 <d34> DW_AT_type : <0xa2a> <d38> DW_AT_location : 2 byte block: 91 6c (DW_OP_fbreg: -20) --- snip ---
DW_AT_frame_base = 0x3b8 -> Location list for 0x3b8
--- snip --- $ objdump --dwarf=loc editline.o
editline.o: file format elf32-i386
Contents of the .debug_loc section:
... 000003b8 00000cba 00000cbb (DW_OP_breg4 (esp): 4) 000003c4 00000cbb 00000cbd (DW_OP_breg4 (esp): 8) 000003d0 00000cbd 00000ce8 (DW_OP_breg5 (ebp): 8) 000003dc 00000ce8 00000ce9 (DW_OP_breg4 (esp): 4) 000003e8 <End of list> ... --- snip ---
What might be the culprit here (see disassembly) is that 'c' is actually both: a function parameter ('DW_TAG_formal_parameter' -> 'cc0:') and a local variable ('cc3:'). The DWARF symbol info contains only one entry.
Maybe that's something that confuses the debugger (function parameter handler combined with negative addressing mode which ought to apply for local variable).
$ sha1sum odbg201.zip d41fe77a2801d38476f20468ab61ddce14c3abb8 odbg201.zip
$ du -sh odbg201.zip 6.7M odbg201.zip
$ wine --version wine-1.7.16-178-g7e874ae
Regards
https://bugs.winehq.org/show_bug.cgi?id=36012
Anastasius Focht focht@gmx.net changed:
What |Removed |Added ---------------------------------------------------------------------------- Keywords| |download URL| |http://www.ollydbg.de/versi | |on2.html
https://bugs.winehq.org/show_bug.cgi?id=36012
Austin English austinenglish@gmail.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |austinenglish@gmail.com
https://bugs.winehq.org/show_bug.cgi?id=36012
Ruslan Kabatsayev b7.10110111@gmail.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |b7.10110111@gmail.com
https://bugs.winehq.org/show_bug.cgi?id=36012
--- Comment #1 from Ruslan Kabatsayev b7.10110111@gmail.com --- Strangely, I can't reproduce this neither in Ubuntu 12.04, nor in 14.04, but still can easily reproduce on LFS — all with the same compiler versions.
https://bugs.winehq.org/show_bug.cgi?id=36012
Qian Hong fracting@gmail.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |fracting@gmail.com
https://bugs.winehq.org/show_bug.cgi?id=36012
--- Comment #2 from Ruslan Kabatsayev b7.10110111@gmail.com --- This also reproduces with x32dbg, which is open-source (GPLv3, see https://github.com/x64dbg/x64dbg ). I.e. when I do `winetricks vcrun2013` to make it run, it crashes after an attempt to load x32dbg.exe as inferior. Then `winetricks dbghelp` makes it work, similarly to OllyDbg-2.01.
https://bugs.winehq.org/show_bug.cgi?id=36012
Anastasius Focht focht@gmx.net changed:
What |Removed |Added ---------------------------------------------------------------------------- URL|http://www.ollydbg.de/versi |https://web.archive.org/web |on2.html |/20140822033457/http://www. | |ollydbg.de/odbg201.zip
--- Comment #3 from Anastasius Focht focht@gmx.net --- Hello folks,
revisiting, still present.
--- snip --- $ winedbg --gdb ./ollydbg.exe
Wine-gdb> set output-radix 16
Wine-gdb> c
Program received signal SIGSEGV, Segmentation fault. symt_fill_sym_info (pair=0x32138c, func=0x1f8cf10, sym=0x1f8d098, sym_info=0x321458) at /home/focht/projects/wine/mainline-src/dlls/dbghelp/symbol.c:577 577 sym_info->ModBase = pair->requested->module.BaseOfImage;
Wine-gdb> bt #0 symt_fill_sym_info (pair=0x32138c, func=0x1f8cf10, sym=0x1f8d098, sym_info=0x321458) at /home/focht/projects/wine/mainline-src/dlls/dbghelp/symbol.c:577 #1 0x7bf5ac92 in send_symbol (se=0x321438, pair=0x32138c, func=0x1f8cf10, sym=0x1f8d098) at /home/focht/projects/wine/mainline-src/dlls/dbghelp/symbol.c:732 #2 0x7bf5b63d in symt_enum_locals_helper (pair=0x32138c, match=0x7bf68484 <starW>, se=0x321438, func=0x1f8cf10, v=0x1f8cf44) at /home/focht/projects/wine/mainline-src/dlls/dbghelp/symbol.c:962 #3 0x7bf5b796 in symt_enum_locals (pcs=0x1d3f88, mask=0x0, se=0x321438) at /home/focht/projects/wine/mainline-src/dlls/dbghelp/symbol.c:995 #4 0x7bf5b926 in sym_enum (hProcess=0x80, BaseOfDll=0x4000000000, Mask=0x0, se=0x321438) at /home/focht/projects/wine/mainline-src/dlls/dbghelp/symbol.c:1045 #5 0x00000074 in ?? () #6 0x00000080 in ?? () #7 0x00000000 in ?? ()
Wine-gdb> p *func $2 = {symt = {tag = SymTagFunction}, hash_elt = {name = 0x1f8cf5c "RtlSetControlSecurityDescriptor", next = 0x2188890}, address = 0x7bc92a07, container = 0x1ef2808, type = 0x1f8ceec, size = 0xd4, vlines = {buckets = 0x1f9a2a0, elt_size = 0xc, shift = 0x6, num_elts = 0xf, num_buckets = 0x1, buckets_allocated = 0x1}, vchildren = {buckets = 0x1f8d020, elt_size = 0x4, shift = 0x3, num_elts = 0x6, num_buckets = 0x1, buckets_allocated = 0x1}}
Wine-gdb> p *sym_info $1 = {SizeOfStruct = 0x58, TypeIndex = 0x1ef49a8, Reserved = {0x0, 0x0}, Index = 0x1f8d098, Size = 0x2, ModBase = 0x7bc30000, Flags = 0xd0, Value = 0x0, Address = 0xffffffe0, Register = 0x16, Scope = 0x0, Tag = 0x7, NameLen = 0x10, MaxNameLen = 0x7d0, Name = "C"}
Wine-gdb> x/s sym_info.Name 0x3214ac: "ControlBitsToSet"
Wine-gdb> p *pair $3 = {pcs = 0x450048, requested = 0x58, effective = 0x1921018} --- snip ---
https://source.winehq.org/git/wine.git/blob/fdc51fc27835b411b3af976e6011fa72...
Flags: 0xD0 = SYMFLAG_LOCAL | SYMFLAG_PARAMETER | SYMFLAG_REGREL Register: 0x16 = CV_REG_EBP
--- snip --- $ objdump -W mainline-build-i686/dlls/ntdll/sec.o | grep -B2 -A44 RtlSetControlSecurityDescriptor <1><11246>: Abbrev Number: 47 (DW_TAG_subprogram) <11247> DW_AT_external : 1 <11248> DW_AT_name : (indirect string, offset: 0x1b25): RtlSetControlSecurityDescriptor <1124c> DW_AT_decl_file : 3 <1124d> DW_AT_decl_line : 1067 <1124f> DW_AT_decl_column : 17 <11250> DW_AT_prototyped : 1 <11251> DW_AT_type : <0x1119> <11255> DW_AT_low_pc : 0x1acb <11259> DW_AT_high_pc : 0x1b9f <1125d> DW_AT_frame_base : 0x710 (location list) <11261> DW_AT_sibling : <0x112f0> <2><11265>: Abbrev Number: 48 (DW_TAG_formal_parameter) <11266> DW_AT_name : (indirect string, offset: 0x86fc): SecurityDescriptor <1126a> DW_AT_decl_file : 3 <1126b> DW_AT_decl_line : 1068 <1126d> DW_AT_decl_column : 26 <1126e> DW_AT_type : <0x8de> <11272> DW_AT_location : 2 byte block: 91 0 (DW_OP_fbreg: 0) <2><11275>: Abbrev Number: 48 (DW_TAG_formal_parameter) <11276> DW_AT_name : (indirect string, offset: 0x5e79): ControlBitsOfInterest <1127a> DW_AT_decl_file : 3 <1127b> DW_AT_decl_line : 1069 <1127d> DW_AT_decl_column : 33 <1127e> DW_AT_type : <0xb3e> <11282> DW_AT_location : 2 byte block: 75 64 (DW_OP_breg5 (ebp): -28) <2><11285>: Abbrev Number: 48 (DW_TAG_formal_parameter) <11286> DW_AT_name : (indirect string, offset: 0x69a3): ControlBitsToSet <1128a> DW_AT_decl_file : 3 <1128b> DW_AT_decl_line : 1070 <1128d> DW_AT_decl_column : 33 <1128e> DW_AT_type : <0xb3e> <11292> DW_AT_location : 2 byte block: 75 60 (DW_OP_breg5 (ebp): -32) <2><11295>: Abbrev Number: 51 (DW_TAG_variable) <11296> DW_AT_name : (indirect string, offset: 0x79d2): immutable <1129a> DW_AT_decl_file : 3 <1129b> DW_AT_decl_line : 1072 <1129d> DW_AT_decl_column : 39 <1129e> DW_AT_type : <0xb4b> <112a2> DW_AT_location : 2 byte block: 75 76 (DW_OP_breg5 (ebp): -10) <2><112a5>: Abbrev Number: 51 (DW_TAG_variable) <112a6> DW_AT_name : (indirect string, offset: 0x8369): lpsd <112aa> DW_AT_decl_file : 3 <112ab> DW_AT_decl_line : 1079 <112ad> DW_AT_decl_column : 26 <112ae> DW_AT_type : <0x11240> <112b2> DW_AT_location : 2 byte block: 75 70 (DW_OP_breg5 (ebp): -16) ... --- snip ---
--- snip --- $ objdump --dwarf=loc mainline-build-i686/dlls/ntdll/sec.o | grep -m1 -A5 00000710 00000710 00001acb 00001acf (DW_OP_breg4 (esp): 4) 0000071c 00001acf 00001ad9 (DW_OP_breg1 (ecx): 0) 00000728 00001ad9 00001b98 (DW_OP_breg5 (ebp): -4; DW_OP_deref) 00000735 00001b98 00001b9c (DW_OP_breg1 (ecx): -4; DW_OP_deref) 00000742 00001b9c 00001b9f (DW_OP_breg4 (esp): -4; DW_OP_deref; DW_OP_plus_uconst: 4) 00000751 <End of list> --- snip ---
$ sha1sum odbg201.zip d41fe77a2801d38476f20468ab61ddce14c3abb8 odbg201.zip
$ du -sh odbg201.zip 6.7M odbg201.zip
$ wine --version wine-4.3-229-g6d82b2f1ad
Regards
https://bugs.winehq.org/show_bug.cgi?id=36012
Zebediah Figura z.figura12@gmail.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |z.figura12@gmail.com
https://bugs.winehq.org/show_bug.cgi?id=36012
Anastasius Focht focht@gmx.net changed:
What |Removed |Added ---------------------------------------------------------------------------- Summary|OllyDbg 2.x debugger |OllyDbg 2.x debugger |crashes with Wine builtin |crashes with Wine builtin |dbghelp |dbghelp when built with GCC | |4.8 (DWARF2 symbol name is | |both, a function parameter | |and a local variable but | |only one entry exists) Resolution|--- |NOTOURBUG Status|NEW |RESOLVED
--- Comment #4 from Anastasius Focht focht@gmx.net --- Hello folks,
I've revisited this one a while ago but couldn't reproduce it anymore with an old-style build (no LLVM/MinGW) on modern Fedora 32 distro with GCC 9.x. Maybe there were improvements/fixes in area of DWARF symbol generation -> upstream toolchain issue.
Resolving as 'NOTOURBUG' for now.
Regards
-
wine-bugs@winehq.org -
WineHQ Bugzilla