https://bugs.winehq.org/show_bug.cgi?id=55244
Bug ID: 55244
Summary: mshtml:misc - The 32-bit test_HTMLStorage() crashes in Wine
Product: Wine
Version: unspecified
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mshtml
Assignee: wine-bugs@winehq.org
Reporter: fgouget@codeweavers.com
Distribution: ---
mshtml:misc - The 32-bit test_HTMLStorage() crashes in Wine:
Unhandled exception: page fault on write access to 0x00000000 in 32-bit code (0x10045300).
Backtrace:
=>0 0x10045300 in xul (+0x45300) (0x000000d2)
0x10045300 xul+0x45300: movl $0x25c, 0x00000000
See https://test.winehq.org/data/patterns.html#mshtml:misc
A bisect shows that the failures started with the commit below:
commit 24a2b625545f1875b5c3177f2b9da1b7299b864f
Author: Victor Chiletto vchiletto@codeweavers.com
Date: Thu Jun 8 15:14:57 2023 -0300
msvcrt: Use snames instead of LCIDs in create_locinfo.
And adding traces shows that the crash happens when releasing doc2:
535: IHTMLDocument2_Release(doc2);
Sometimes the backtrace is more useful:
Backtrace:
=>0 0x6ab1c9b5 in ucrtbase (+0x5c9b5) (0x0a26e4a0)
  1 0x033d6536 Cert_clone+0xb6(context=<is not available>, store=<is not available>, use_link=<is not available>) [/home/fgouget/wine/wt23/src/dlls/crypt32/cert.c:148] in crypt32 (0x0a26e4a0)
  2 0x034280a4 MemStore_addContext+0x24(store=083F6948, list=<internal error>, orig_context=<internal error>, existing=<is not available>, ret_context=<is not available>, use_link=<is not available>) [/home/fgouget/wine/wt23/src/dlls/crypt32/store.c:149] in crypt32 (0x0a26e4f0)
  3 0x033d9406 add_cert_to_store+0xf6(store=083F6948, cert=00000001, add_disposition=<internal error>, use_link=<is not available>, ret_context=<is not available>) [/home/fgouget/wine/wt23/src/dlls/crypt32/cert.c:267] in crypt32 (0x0a26e570)
  4 0x033d99e3 CertAddCertificateContextToStore+0x1b(ppStoreContext=<internal error>, dwAddDisposition=<internal error>, pCertContext=<internal error>, hCertStore=<internal error>) [/home/fgouget/wine/wt23/src/dlls/crypt32/cert.c:289] in crypt32 (0x0a26e5c0)
  5 0x033d99e3 CertAddEncodedCertificateToStore+0x53(hCertStore=<is not available>, dwCertEncodingType=<is not available>, pbCertEncoded=<is not available>, cbCertEncoded=<is not available>, dwAddDisposition=<is not available>, ppCertContext=<is not available>) [/home/fgouget/wine/wt23/src/dlls/crypt32/cert.c:64] in crypt32 (0x0a26e5c0)
  6 0x0fcf6aa0 ensure_remote_cert+0x190(ctx=<internal error>) [/home/fgouget/wine/wt23/src/dlls/secur32/schannel.c:1131] in secur32 (0x0a26e640)
  7 0x0fcfa74d schan_QueryContextAttributesW+0xcd(context_handle=<is not available>, attribute=<is not available>, buffer=<is not available>) [/home/fgouget/wine/wt23/src/dlls/secur32/schannel.c:1207] in secur32 (0x0a26eab0)
  8 0x6c1320a9 netcon_secure_connect_setup+0x509(connection=<internal error>, compat_mode=<internal error>) [/home/fgouget/wine/wt23/src/dlls/wininet/netconnection.c:545] in wininet (0x0a26ed00)
  9 0x6c133438 NETCON_secure_connect+0x38(connection=<is not available>, server=<is not available>) [/home/fgouget/wine/wt23/src/dlls/wininet/netconnection.c:615] in wininet (0x0a26ed20)
  10 0x6c11fc03 HTTP_HttpSendRequestW+0x1293(request=<internal error>, lpszHeaders=<internal error>, dwHeaderLength=<internal error>, lpOptional=<is not available>, dwOptionalLength=<is not available>, dwContentLength=<is not available>, bEndRequest=<is not available>) [/home/fgouget/wine/wt23/src/dlls/wininet/http.c:5093] in wininet (0x0a26fdb0)
  11 0x6c120adf AsyncHttpSendRequestProc+0x3f(hdr=<is not available>) [/home/fgouget/wine/wt23/src/dlls/wininet/http.c:5356] in wininet (0x0a26fde0)
  12 0x6c124e78 INTERNET_WorkerThreadFunc+0x18(lpvParam=<is not available>) [/home/fgouget/wine/wt23/src/dlls/wininet/internet.c:4029] in wininet (0x0a26fe00)
  13 0x7bc5b6fb process_rtl_work_item+0x1b(instance=<is not available>, userdata=<is not available>) [/home/fgouget/wine/wt23/src/dlls/ntdll/threadpool.c:410] in ntdll (0x0a26fe30)
  14 0x7bc5c7b2 tp_object_execute+0x3a2(object=<register EBX not accessible in this frame>, wait_thread=<internal error>) [/home/fgouget/wine/wt23/src/dlls/ntdll/threadpool.c:2221] in ntdll (0x0a26fed0)
  15 0x7bc5cb88 threadpool_worker_proc+0x198(param=<is not available>) [/home/fgouget/wine/wt23/src/dlls/ntdll/threadpool.c:2356] in ntdll (0x0a26ff30)
François Gouget fgouget@codeweavers.com changed:
What | Removed | Added
Regression SHA1 | | 24a2b625545f1875b5c3177f2b9da1b7299b864f
Keywords | | regression, source, testcase
François Gouget fgouget@codeweavers.com changed:
What | Removed | Added
Summary | mshtml:misc - The 32-bit test_HTMLStorage() crashes in Wine | mshtml:misc - test_HTMLStorage() crashes in Wine
--- Comment #1 from François Gouget fgouget@codeweavers.com ---
The 64-bit test_HTMLStorage() crashes in Wine too:
Unhandled exception: page fault on write access to 0x00007efad9160158 in 64-bit code (0x000001de168190).
Backtrace:
=>0 0x000001de168190 Binding_Abort+0x30(iface=00007EFAD9160040) [/home/fgouget/wine/wt23/src/dlls/urlmon/binding.c:894] in urlmon (0x000002643b39a0)
  1 0x0000026435d47c list_remove(This=<internal error>) [/home/fgouget/wine/wt23/src/include/wine/list.h:100] in mshtml (0x000002643b39a0)
  2 0x0000026435d47c abort_window_bindings+0x6c(window=<register RDI not accessible in this frame>) [/home/fgouget/wine/wt23/src/dlls/mshtml/navigate.c:1998] in mshtml (0x000002643b39a0)
  3 0x00000264348b0a release_outer_window+0x42(This=<internal error>) [/home/fgouget/wine/wt23/src/dlls/mshtml/htmlwindow.c:227] in mshtml (0x000002643b34e0)
  4 0x00000264348b0a HTMLWindow2_Release+0x271(iface=<internal error>) [/home/fgouget/wine/wt23/src/dlls/mshtml/htmlwindow.c:329] in mshtml (0x000002643b34e0)
  5 0x00000264348b0a HTMLWindow2_Release+0x2aa(iface=<register RBX not accessible in this frame>) [/home/fgouget/wine/wt23/src/dlls/mshtml/htmlwindow.c:320] in mshtml (0x000002643b34e0)
  6 0x00000264366565 detach_gecko_browser+0x55(This=<register RBX not accessible in this frame>) [/home/fgouget/wine/wt23/src/dlls/mshtml/nsembed.c:2346] in mshtml (0x000001400be1b8)
  7 0x0000026437c7fa HTMLDocumentObj_Release+0x14b(iface=<internal error>) [/home/fgouget/wine/wt23/src/dlls/mshtml/oleobj.c:3477] in mshtml (0x000001400be1b8)
  8 0x0000026437c7fa HTMLDocumentObj_Release+0x17a(iface=<register RBX not accessible in this frame>) [/home/fgouget/wine/wt23/src/dlls/mshtml/oleobj.c:3439] in mshtml (0x000001400be1b8)
  9 0x00000140068301 in mshtml_test (+0x68301) (0x000001400be1b8)
  10 0x00000140098a9b in mshtml_test (+0x98a9b) (0x0000000024a082)
  11 0x00000140098467 in mshtml_test (+0x98467) (0000000000000000)
  12 0x00000178028a39 BaseThreadInitThunk+0x9(unknown=<internal error>, entry=<internal error>, arg=<internal error>) [/home/fgouget/wine/wt23/src/dlls/kernel32/thread.c:61] in kernel32 (0000000000000000)
  13 0x0000017005cd85 __wine_pop_frame(entry=[<register RSP not accessible in this frame>, arg=[<register RSP not accessible in this frame>) [/home/fgouget/wine/wt23/src/include/wine/exception.h:277] in ntdll (0000000000000000)
  14 0x0000017005cd85 RtlUserThreadStart+0x85(entry=[<register RSP not accessible in this frame>, arg=[<register RSP not accessible in this frame>) [/home/fgouget/wine/wt23/src/dlls/ntdll/thread.c:294] in ntdll (0000000000000000)
0x000001de168190 Binding_Abort+0x30 [/home/fgouget/wine/wt23/src/dlls/urlmon/binding.c:894] in urlmon: orl $0x08, 0x118(%rbx)
This one is not a NULL dereference, but the crash also happens in an IHTMLDocument2_Release(doc) call (the last one), a bisect points to the same commit, and one more readily gets a meaningful backtrace.
alasky@codeweavers.com changed:
What | Removed | Added
CC | | alasky@codeweavers.com
Victor Chiletto victor.vasconceloschiletto@gmail.com changed:
What | Removed | Added
CC | | victor.vasconceloschiletto@gmail.com
--- Comment #2 from Victor Chiletto victor.vasconceloschiletto@gmail.com ---
This was introduced by a heap overflow which is being fixed by MR !3358. It ended up uncovering a use-after-free in mshtml which was fixed by MR !3354.
Hans Leidekker hans@meelstraat.net changed:
What | Removed | Added
Fixed by SHA1 | | 8713e2ad6497e6eba63a4dd7136d47a80a430815
Status | NEW | RESOLVED
Resolution | --- | FIXED
--- Comment #3 from Hans Leidekker hans@meelstraat.net ---
Fixed by 8713e2ad6497e6eba63a4dd7136d47a80a430815.
Alexandre Julliard julliard@winehq.org changed:
What | Removed | Added
Status | RESOLVED | CLOSED
--- Comment #4 from Alexandre Julliard julliard@winehq.org ---
Closing bugs fixed in 8.16.