https://bugs.winehq.org/show_bug.cgi?id=50297
Bug ID: 50297 Summary: Blindwrite 7 crashes with a stack overflow (followup to #49092) Product: Wine Version: 5.7 Hardware: x86-64 OS: Linux Status: UNCONFIRMED Severity: normal Priority: P2 Component: -unknown Assignee: wine-bugs@winehq.org Reporter: bernhardu@mailbox.org Distribution: ---
Created attachment 68867 --> https://bugs.winehq.org/attachment.cgi?id=68867 Do wineserver calls on a different stack by using fibers.
I still can reproduce this issue with wine-6.0-rc1.
00f0:err:virtual:virtual_setup_exception stack overflow 4548 bytes in thread 00f0 addr 0x40e68e stack 0x21fe3c (0x220000-0x221000-0x320000)
(rr) bt 30 #0 0xb7db9b5e in __libc_disable_asynccancel (oldtype=0) at ../nptl/cancellation.c:72 #1 0xb7e35705 in __GI___writev (iovcnt=2, iov=0x222058, fd=3) at ../sysdeps/unix/sysv/linux/writev.c:26 #2 __GI___writev (fd=3, iov=0x222058, iovcnt=2) at ../sysdeps/unix/sysv/linux/writev.c:24 #3 0xb7bd68ae in send_request (req=0x2221ac) at .../wine-git/dlls/ntdll/unix/server.c:213 #4 0xb7bd69f0 in server_call_unlocked (req_ptr=0x2221ac) at .../wine-git/dlls/ntdll/unix/server.c:273 #5 0xb7bd6a4b in wine_server_call (req_ptr=0x2221ac) at .../wine-git/dlls/ntdll/unix/server.c:289 #6 0xb7bcf1cd in NtOpenKeyEx (key=0x222340, access=131097, attr=0x2222b8, options=0) at .../wine-git/dlls/ntdll/unix/registry.c:112 #7 0xb7bb11be in __wine_syscall_dispatcher () from /home/benutzer/.local/share/rr/wine-1/mmap_pack_2_ntdll.so #8 0x7bc0bdcc in NtOpenKeyEx@16 () from /home/benutzer/.local/share/rr/wine-1/mmap_pack_343_ntdll.dll #9 0x7b0561af in RegOpenKeyExW@20 (hkey=<optimized out>, name=0x46c06dc, options=0, access=131097, retkey=0x222340) at .../wine-git/dlls/kernelbase/registry.c:208 #10 0x006996a6 in ?? () #11 0x0069ab41 in ?? () #12 0x00699e14 in ?? () #13 0x0069a89b in ?? () #14 0x0069a84f in ?? () #15 0x0073bb4b in ?? () #16 0x007354d2 in ?? () #17 0x00736cc5 in ?? () #18 0x00736f53 in ?? () #19 0x00737f77 in ?? () #20 0x007384a9 in ?? () #21 0x00a9a1a7 in ?? () #22 0x00a99388 in ?? () #23 0x00a99394 in ?? () #24 0x00a99394 in ?? () #25 0x00a99394 in ?? () #26 0x00a99394 in ?? () #27 0x00a99394 in ?? () #28 0x00a99394 in ?? () ...
I tried to have another look and got to the impression that blindwrite expects RegOpenKeyExW and RegSetValueExW too use less stack. I experimented a bit and one way to achive this was to do the work in these functions on a different stack. Attached proof of concept uses fibers for this. With this patch blindwrite can finish its stack exhaustion without visible error and shows the trial option dialog. After one successful start that patch is no longer necessarry.
Another option to might be to use some more guard pages and switch them to regular pages when we are inside wine code?
https://bugs.winehq.org/show_bug.cgi?id=50297
Zebediah Figura z.figura12@gmail.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |z.figura12@gmail.com
--- Comment #1 from Zebediah Figura z.figura12@gmail.com --- There's still a repeating frame there, and it's the same as in bug 49092. Are we sure that's supposed to be there?
https://bugs.winehq.org/show_bug.cgi?id=50297
--- Comment #2 from Bernhard Übelacker bernhardu@mailbox.org --- Created attachment 68869 --> https://bugs.winehq.org/attachment.cgi?id=68869 One iteration of registry accesses with WINEDEBUG=+relay
I am not sure. I have just looked into a relay log and found just the same sequence of registry accesses of QueryInfoKey, EnumValue, OpenKeyEx, SetValueEx and CloseKey. I could not see an obvious issue with them, except a GetFileAttributesW with an empty filename... (See attached file for one iteration.) Might this be a kind of anti tamper protection?
If this cannot be reproduced, it might show up when adding a local variable in wine_server_call which occupies some more bytes on the stack.
https://bugs.winehq.org/show_bug.cgi?id=50297
--- Comment #3 from Bernhard Übelacker bernhardu@mailbox.org --- Just an idea, an alternative workaround to the usage of the "fiber" hack might be using some memory allocated from heap stored via TLS for the server call.
https://bugs.winehq.org/show_bug.cgi?id=50297
Anastasius Focht focht@gmx.net changed:
What |Removed |Added ---------------------------------------------------------------------------- Ever confirmed|0 |1 CC| |focht@gmx.net Status|UNCONFIRMED |NEW Keywords| |download URL| |https://web.archive.org/web | |/20131210151026/http://down | |load2.vso-software.fr/Blind | |write7_setup.exe
--- Comment #4 from Anastasius Focht focht@gmx.net --- Hello folks,
adding stable download link:
https://web.archive.org/web/20131210151026/http://download2.vso-software.fr/...
Wine 5.7 from bug 49092 worked for me. From my testing it worked up to Wine 5.14. Starting with Wine 5.15 it fails with stack overflow, including Wine 6.0-rc1/HEAD.
Regression testing revealed commit https://source.winehq.org/git/wine.git/commitdiff/7a71f98640bf8fa402d6b0c3ec... ("ntdll: Use KiUserApcDispatcher() to call user APCs.").
From that commit it's not unreasonable to relate to the changed stack
behaviour.
Before that commit the app would show the splash / registration screen on first start after churning for several seconds due to registry queries recursion.
The repeating registry queries with same key/value patterns are looking suspicious. I wonder if the app shows the same behaviour on Windows. There is a recursive function call for these registry queries which causes very deep nesting level. About ~16k call frames until the stack is exhausted. I didn't look too far what the "give up" condition is.
--- snip --- Thread 1 "00d0" received signal SIGSEGV, Segmentation fault. 0xf7d1720f in ?? () (gdb @ 1:None) bt #0 0xf7d1720f in ?? () #1 0xf7aeaa0a in ?? () #2 0xf7acf1b1 in ?? () #3 0x7bc0bacc in ntdll!ZwOpenKeyEx () from /home/focht/.wine/dosdevices/c:/windows/syswow64/ntdll.dll #4 0x7b037505 in kernelbase!RegOpenKeyExW () from /home/focht/.wine/dosdevices/c:/windows/syswow64/kernelbase.dll #5 0x006996a6 in ?? () from /home/focht/.wine/dosdevices/c:/Program Files (x86)/VSO/BlindWrite/7/BW.exe #6 0x0069ab41 in ?? () from /home/focht/.wine/dosdevices/c:/Program Files (x86)/VSO/BlindWrite/7/BW.exe ... #16241 0x00a99394 in ?? () from /home/focht/.wine/dosdevices/c:/Program Files (x86)/VSO/BlindWrite/7/BW.exe #16242 0x00a99394 in ?? () from /home/focht/.wine/dosdevices/c:/Program Files (x86)/VSO/BlindWrite/7/BW.exe #16243 0x00b0417a in ?? () from /home/focht/.wine/dosdevices/c:/Program Files (x86)/VSO/BlindWrite/7/BW.exe #16244 0x005f9edb in ?? () from /home/focht/.wine/dosdevices/c:/Program Files (x86)/VSO/BlindWrite/7/BW.exe #16245 0x005f9b1f in ?? () from /home/focht/.wine/dosdevices/c:/Program Files (x86)/VSO/BlindWrite/7/BW.exe #16246 0x005f9ad0 in ?? () from /home/focht/.wine/dosdevices/c:/Program Files (x86)/VSO/BlindWrite/7/BW.exe #16247 0x0060452d in ?? () from /home/focht/.wine/dosdevices/c:/Program Files (x86)/VSO/BlindWrite/7/BW.exe #16248 0x00b3881a in ?? () from /home/focht/.wine/dosdevices/c:/Program Files (x86)/VSO/BlindWrite/7/BW.exe #16249 0x7b645241 in ?? () from /home/focht/.wine/dosdevices/c:/windows/syswow64/kernel32.dll #16250 0x7b6458a8 in ?? () from /home/focht/.wine/dosdevices/c:/windows/syswow64/kernel32.dll #16251 0x7b645252 in ?? () from /home/focht/.wine/dosdevices/c:/windows/syswow64/kernel32.dll #16252 0x00000000 in ?? () --- snip ---
$ sha1sum Blindwrite7_setup.exe 8b357a5613b5f348e0105d9dbb84ef42550016ee Blindwrite7_setup.exe
$ du -sh Blindwrite7_setup.exe 14M Blindwrite7_setup.exe
$ wine --version wine-5.14-105-g2a08e0e2902
$ wine --version wine-6.0-rc1-39-g76c9dbd4fb9
Regards
https://bugs.winehq.org/show_bug.cgi?id=50297
--- Comment #5 from Bernhard Übelacker bernhardu@mailbox.org --- I did a short re-test, and could no longer reproduce the issue with plain wine-6.15-329-g4a18232e455. (But still receive it if using WINEDEBUG=+seh.)
https://bugs.winehq.org/show_bug.cgi?id=50297
--- Comment #6 from Zebediah Figura z.figura12@gmail.com --- (In reply to Bernhard Übelacker from comment #5)
I did a short re-test, and could no longer reproduce the issue with plain wine-6.15-329-g4a18232e455. (But still receive it if using WINEDEBUG=+seh.)
Yeah, it sounds like it's very sensitive to stack usage...
https://bugs.winehq.org/show_bug.cgi?id=50297
--- Comment #7 from Bernhard Übelacker bernhardu@mailbox.org --- With wine-8.9-92-g6b0836e3f15 issue is still just visible if running with WINEDEBUG=+seh, without program starts up successfully.
https://bugs.winehq.org/show_bug.cgi?id=50297
Bernhard Übelacker bernhardu@mailbox.org changed:
What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |FIXED Status|NEW |RESOLVED Fixed by SHA1| |4b458775bb8c9492ac859cfd167 | |c5f54f245dec1 Summary|Blindwrite 7 crashes with a |Blindwrite 7 crashes with a |stack overflow (followup to |stack overflow |#49092) |
--- Comment #8 from Bernhard Übelacker bernhardu@mailbox.org --- This issue I could no longer see with current git.
It looks like it got fixed by wine-9.0-rc1:
commit 4b458775bb8c9492ac859cfd167c5f54f245dec1 Author: Zebediah Figura zfigura@codeweavers.com Date: Thu Sep 21 15:38:15 2023 -0500
configure: Use -mpreferred-stack-boundary=2 on i386. .. Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=55007 Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=55899
https://bugs.winehq.org/show_bug.cgi?id=50297
Alexandre Julliard julliard@winehq.org changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |CLOSED
--- Comment #9 from Alexandre Julliard julliard@winehq.org --- Closing bugs fixed in 9.1.
https://bugs.winehq.org/show_bug.cgi?id=50297
Zeb Figura z.figura12@gmail.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|CLOSED |REOPENED Resolution|FIXED |---
--- Comment #10 from Zeb Figura z.figura12@gmail.com --- I'm still seeing this unfortunately.
We should probably not close this until we fully debug and fix the issue.
-
WineHQ Bugzilla