http://bugs.winehq.org/show_bug.cgi?id=25249
Summary: Wine crash running Leonardo.exe - Process /usr/bin/wine-preloader was killed by signal 11 (SIGSEGV)
Product: Wine
Version: 1.3.7
Platform: x86
OS/Version: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: -unknown
AssignedTo: wine-bugs@winehq.org
ReportedBy: mothlight@fastmail.fm

Steps to Reproduce:
1. Install http://www.envi-met.com/download30.htm (password is 49152cwRt)
2. Start Leonardo component
[nice@politemadness ENVImet31]$ wine Leonardo.exe
wine: Unhandled exception 0x0eedfade at address 0x0000:0x7b837a03 (thread 0009), starting debugger...
err:seh:setup_exception_record stack overflow 992 bytes in thread 0009 eip 7bc712e1 esp 00230f50 stack 0x230000-0x231000-0x330000
Process of pid=0008 has terminated
No process loaded, cannot execute 'echo Modules:'
Cannot get info on module while no process is loaded
No process loaded, cannot execute 'echo Threads:'
Segmentation fault (core dumped)
process  tid      prio (all id:s are in hex)
0000000e services.exe
	00000014    0
	00000010    0
	0000000f    0
00000011 winedevice.exe
	00000017    0
	00000016    0
	00000013    0
	00000012    0
[nice@politemadness ENVImet31]$ 00000019 explorer.exe
	0000001a    0
You must be attached to a process to run this command.
No process loaded, cannot execute 'detach'

[nice@politemadness ENVImet31]$ rpm -q wine-core
wine-core-1.3.7-2.fc14.i686
[nice@politemadness ENVImet31]$ pwd
/home/nice/.wine/drive_c/ENVImet31
Output from abrt
warning: core file may not match specified executable file.
[New Thread 14488]
[New Thread 14509]
[New Thread 14510]
Failed to read a valid object file image from memory.
Core was generated by `Leonardo.exe '.
Program terminated with signal 11, Segmentation fault.
#0  0x687c853e in ?? ()

Thread 3 (Thread 14510):
#0  0x68000852 in ?? ()
No symbol table info available.
#1  0x681709eb in ?? ()
No symbol table info available.
#2  0x7bcac868 in ?? ()
No symbol table info available.
#3  0x7bc713f1 in ?? ()
No symbol table info available.
#4  0x00000013 in ?? ()
No symbol table info available.
#5  0x7ffd31d0 in ?? ()
No symbol table info available.
#6  0x7bc3e6a4 in ?? ()
No symbol table info available.
#7  0x7ffd381c in ?? ()
No symbol table info available.
#8  0x7bc732e5 in ?? ()
No symbol table info available.
#9  0x7ffd38e0 in ?? ()
No symbol table info available.
#10 0x68171e00 in ?? ()
No symbol table info available.
#11 0x0000000a in ?? ()
No symbol table info available.
#12 0x7ffd3c4c in ?? ()
No symbol table info available.
Backtrace stopped: previous frame inner to this frame (corrupt stack?)

Thread 2 (Thread 14509):
#0  0x68000852 in ?? ()
No symbol table info available.
#1  0x681709eb in ?? ()
No symbol table info available.
#2  0x7bcac868 in ?? ()
No symbol table info available.
#3  0x7bc79463 in ?? ()
No symbol table info available.
#4  0x7ffd718c in ?? ()
No symbol table info available.
#5  0x7bc3e6e6 in ?? ()
No symbol table info available.
#6  0x00000000 in ?? ()
No symbol table info available.

Thread 1 (Thread 14488):
#0  0x687c853e in ?? ()
No symbol table info available.
#1  0x00000000 in ?? ()
No symbol table info available.
No shared libraries loaded at this time.
No symbol "__abort_msg" in current context.
No symbol "__glib_assert_msg" in current context.
eax            0x1	1
ecx            0x231d88	2301320
edx            0x680214dc	1744966876
ebx            0x687cf220	1753018912
esp            0x7ffdb834	0x7ffdb834
ebp            0x7ffdb88c	0x7ffdb88c
esi            0x7ffdb9d0	2147334608
edi            0x7ffdb994	2147334548
eip            0x687c853e	0x687c853e
eflags         0x10246	[ PF ZF IF RF ]
cs             0x73	115
ss             0x7b	123
ds             0x7b	123
es             0x7b	123
fs             0x33	51
gs             0x3b	59
No function contains program counter for selected frame.
Dmitry Timoshkov dmitry@codeweavers.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Wine crash running          |Leonardo.exe crashes:
                   |Leonardo.exe - Process      |Process
                   |/usr/bin/wine-preloader was |/usr/bin/wine-preloader was
                   |killed by signal 11         |killed by signal 11
                   |(SIGSEGV)                   |(SIGSEGV)
--- Comment #1 from Dmitry Timoshkov dmitry@codeweavers.com 2010-11-23 01:37:12 CST ---
Next time please pay more attention to requests like
*** Please do not PASTE logs and back traces (attach them instead). ***
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
           Keywords|                            |download
                URL|                            |http://www.envi-met.com/download30.htm
          Component|-unknown                    |comctl32
                 CC|                            |focht@gmx.net
     Ever Confirmed|0                           |1
            Summary|Leonardo.exe crashes:       |Leonardo.exe from ENVI-met
                   |Process                     |(microclimate model
                   |/usr/bin/wine-preloader was |simulation software)
                   |killed by signal 11         |crashes due to strict
                   |(SIGSEGV)                   |comctl32.151
                   |                            |(CreateMRUListLazyA) input
                   |                            |parameter validation
--- Comment #2 from Anastasius Focht focht@gmx.net 2011-12-16 17:11:26 CST ---
Hello,
confirming. Looks like comctl32.151 -> CreateMRUListLazyA (MRU list) is the culprit here.
--- snip ---
...
0023:Call KERNEL32.CompareStringA(00000800,00000001,1a7bf178 "TJvMruList",0000000a,1a7bee18 "TJvMruList",0000000a) ret=00404c23
0023:Ret  KERNEL32.CompareStringA() retval=00000002 ret=00404c23
0023:Call KERNEL32.SetErrorMode(00008000) ret=00410b1f
0023:Ret  KERNEL32.SetErrorMode() retval=00000000 ret=00410b1f
0023:Call KERNEL32.LoadLibraryA(005180c8 "COMCTL32.DLL") ret=00410b4e
0023:Ret  KERNEL32.LoadLibraryA() retval=68660000 ret=00410b4e
...
0023:Call comctl32.151(0032f858) ret=00517e28
0023:Ret  comctl32.151() retval=00000000 ret=00517e28
0023:Call user32.LoadStringA(00400000,0000fe92,0032e818,00001000) ret=00407fbb
0023:Ret  user32.LoadStringA() retval=00000014 ret=00407fbb
0023:Call KERNEL32.RaiseException(0eedfade,00000001,00000007,0032f828) ret=00517e48
0023:trace:seh:raise_exception code=eedfade flags=1 addr=0x7b838b5b ip=7b838b5b tid=0023
0023:trace:seh:raise_exception  info[0]=00517e48
0023:trace:seh:raise_exception  info[1]=1a7b5620
0023:trace:seh:raise_exception  info[2]=1a77d1d8
0023:trace:seh:raise_exception  info[3]=00156654
0023:trace:seh:raise_exception  info[4]=00156654
0023:trace:seh:raise_exception  info[5]=0032f870
0023:trace:seh:raise_exception  info[6]=0032f844
0023:trace:seh:raise_exception  eax=7b826171 ebx=7b8a97a8 ecx=00517e48 edx=0032f744 esi=0032f828 edi=0032f7a0
0023:trace:seh:raise_exception  ebp=0032f788 esp=0032f724 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00200203
--- snip ---
Debugging session:
--- snip ---
Wine-dbg>bt
Backtrace:
=>0 0x69524ed7 CreateMRUListLazyA+0x12c(lpcml=0x33f858, dwParam2=0, dwParam3=0, dwParam4=0) [/home/focht/projects/wine/wine-git/dlls/comctl32/comctl32undoc.c:792] in comctl32 (0x0033f838)
  1 0x69524f4e CreateMRUListA+0x34(lpcml=0x33f858) [/home/focht/projects/wine/wine-git/dlls/comctl32/comctl32undoc.c:817] in comctl32 (0x0033f838)
  2 0x00517e28 in leonardo (+0x117e27) (0x0033f870)
  3 0x00517c0d in leonardo (+0x117c0c) (0x0033f8b0)
  4 0x004259c6 in leonardo (+0x259c5) (0x0033f8f4)
  5 0x0042558b in leonardo (+0x2558a) (0x0033f944)
...
Wine-dbg>info locals
0x69524ed7 CreateMRUListLazyA+0x12c: (0033f838)
MRUINFOA* lpcml=0x33f858 (parameterESP)
DWORD dwParam2=0 (parameterESP)
DWORD dwParam3=0 (parameterESP)
DWORD dwParam4=0 (parameterESP)
LPWINEMRULIST mp=0x23 (localESP)
DWORD len=0x69524daf (localESP)
...
Wine-dbg>p *lpcml
{cbSize=0x4, uMax=0xa, fFlags=0, hKey=0x80000001, lpszSubKey="Leonardo", u={string_cmpfn=(nil), binary_cmpfn=(nil)}}
--- snip ---
cbSize = 4 doesn't survive Wine's input check:
http://source.winehq.org/git/wine.git/blob/cefcadcc38fac636061bb70a64f367a97...
--- snip ---
HANDLE WINAPI CreateMRUListLazyA (const MRUINFOA *lpcml, DWORD dwParam2,
                                  DWORD dwParam3, DWORD dwParam4)
{
    LPWINEMRULIST mp;
    DWORD len;

    /* Native does not check for a NULL lpcml */

    if (lpcml->cbSize != sizeof(MRUINFOA) || !lpcml->hKey ||
        IsBadStringPtrA(lpcml->lpszSubKey, -1))
        return 0;
--- snip ---
The app checks the returned handle and, if it is zero, throws an external (Delphi) exception (0xeedfade), which results in recursion, eating up the stack.
Pulling one of my JEDI mind tricks ... I found the JEDI source ;-)
http://www.koders.com/delphi/fidB7C89A98ECAD854275C6F0FE68AD6B80E2A3763B.asp...
Specifically "procedure TJvMruList.Open":
http://www.koders.com/delphi/fidB7C89A98ECAD854275C6F0FE68AD6B80E2A3763B.asp...
--- snip ---
...
    FList: THandle;
...

procedure TJvMruList.Open;
var
  FLst: TMruRec;
begin
  if csDesigning in ComponentState then
    Exit;

  if FSubKey <> '' then
  begin
    FLst.cbSize := SizeOf(FList);
    FLst.nMaxItems := FMax;
    ...
    if UseUnicode then // Arioch changed this
      FLst.lpszSubKeyW := PWideChar(FSubKey)
    else
      FLst.lpszSubKey := PChar(GetSubKey);

    if UseUnicode then // Arioch changed this
      FList := CreateMruListW(@FLst)
    else
      FList := CreateMruList(@FLst);

    if FList = 0 then
      raise EMruException.Create(RC_ErrorMRU_Creating);
--- snip ---
"FLst.cbSize := SizeOf(FList);" will always evaluate to 4 bytes (sizeof handle).
Looks like a bug in JEDI library component that Windows tolerates?
$ sha1sum ENVImet_V31BETA5setup.exe
03d362af9e9222c70c4b4db2741ede43a917dced  ENVImet_V31BETA5setup.exe

$ wine --version
wine-1.3.35
Regards
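The strict-versus-tolerant input check that this comment describes, as an added example that is not part of the bug report, of Wine's code or of the JEDI library. It uses a constructed stand-in struct for MRUINFOA (field order taken from the "p *lpcml" dump above), a bounded terminator scan in place of IsBadStringPtrA, and an assumed "tolerant" policy that accepts only the one known-bad cbSize a 32-bit THandle yields; that policy is illustrative and is not the text of Wine's actual fix. The sample request is reconstructed from the debugger dump in this comment.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for comctl32's MRUINFOA, constructed for this example (it is not
 * Wine's header). Field order follows the "p *lpcml" dump in the comment. */
typedef struct {
    uint32_t    cbSize;      /* size the caller claims for this struct */
    uint32_t    uMax;        /* maximum number of MRU entries */
    uint32_t    fFlags;
    void       *hKey;        /* registry root; the pseudo-handle is never dereferenced */
    const char *lpszSubKey;  /* subkey under hKey; must be a readable C string */
    void       *cmpfn;       /* optional comparison callback */
} mru_info_a;

enum mru_verdict { MRU_OK = 0, MRU_BAD_SIZE, MRU_BAD_KEY, MRU_BAD_SUBKEY };

/* The value the JEDI bug produces: SizeOf(FList) with FList a THandle, i.e. 4
 * on 32-bit Windows. Assumed constant for this example. */
#define JEDI_HANDLE_CBSIZE 4u

/* How far we scan for the subkey's terminator; a bounded stand-in for the
 * probing IsBadStringPtrA does. Limit chosen for this example. */
#define MAX_SUBKEY_BYTES 256u

/* Nonzero if s is non-NULL and NUL-terminated within limit bytes. */
static int subkey_is_sane(const char *s, size_t limit)
{
    if (!s)
        return 0;
    for (size_t i = 0; i < limit; i++)
        if (s[i] == '\0')
            return 1;
    return 0;
}

/* Strict policy, as in the Wine source quoted above: cbSize must match exactly. */
enum mru_verdict validate_strict(const mru_info_a *info)
{
    if (info->cbSize != sizeof(*info))
        return MRU_BAD_SIZE;
    if (!info->hKey)
        return MRU_BAD_KEY;
    if (!subkey_is_sane(info->lpszSubKey, MAX_SUBKEY_BYTES))
        return MRU_BAD_SUBKEY;
    return MRU_OK;
}

/* Tolerant policy (assumed, not the text of Wine's fix): also accept the one
 * known-bad size JEDI sends, but keep every check that protects the
 * implementation from dereferencing garbage. */
enum mru_verdict validate_tolerant(const mru_info_a *info)
{
    if (info->cbSize != sizeof(*info) && info->cbSize != JEDI_HANDLE_CBSIZE)
        return MRU_BAD_SIZE;
    if (!info->hKey)
        return MRU_BAD_KEY;
    if (!subkey_is_sane(info->lpszSubKey, MAX_SUBKEY_BYTES))
        return MRU_BAD_SUBKEY;
    return MRU_OK;
}

/* Leonardo.exe's request, reconstructed from the "p *lpcml" dump. */
const mru_info_a *leonardo_request(void)
{
    static const mru_info_a req = {
        .cbSize = JEDI_HANDLE_CBSIZE,
        .uMax = 0xa,
        .fFlags = 0,
        .hKey = (void *)(uintptr_t)0x80000001u, /* HKEY_CURRENT_USER pseudo-handle */
        .lpszSubKey = "Leonardo",
        .cmpfn = NULL,
    };
    return &req;
}

/* Try variations: start from Leonardo's request and override the fields the
 * checks care about. tolerant selects the policy. */
enum mru_verdict check_with(int tolerant, uint32_t cbSize, int have_key,
                            const char *subkey)
{
    mru_info_a req = *leonardo_request();
    req.cbSize = cbSize;
    if (!have_key)
        req.hKey = NULL;
    req.lpszSubKey = subkey;
    return tolerant ? validate_tolerant(&req) : validate_strict(&req);
}

static const char *verdict_name(enum mru_verdict v)
{
    switch (v) {
    case MRU_OK:         return "accepted";
    case MRU_BAD_SIZE:   return "rejected: cbSize";
    case MRU_BAD_KEY:    return "rejected: hKey";
    case MRU_BAD_SUBKEY: return "rejected: lpszSubKey";
    }
    return "?";
}

int main(void)
{
    const mru_info_a *req = leonardo_request();
    printf("cbSize=%u (struct is %zu bytes)\n", req->cbSize, sizeof(*req));
    printf("strict   -> %s\n", verdict_name(validate_strict(req)));
    printf("tolerant -> %s\n", verdict_name(validate_tolerant(req)));
    return 0;
}
```

The design point is that a compatibility relaxation should be narrow: the tolerant policy whitelists the single size value the buggy caller is known to send rather than dropping the size check, and it leaves the hKey and subkey checks in place, since those are what stop the implementation from reading through a bad pointer when a caller hands it an under-filled structure.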
Nikolay Sivov bunglehead@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|wine-bugs@winehq.org        |bunglehead@gmail.com

--- Comment #3 from Nikolay Sivov bunglehead@gmail.com 2011-12-16 17:21:18 CST ---
Yeah, I used JCL/JVCL some years ago, so I'll do tests.
--- Comment #4 from Nikolay Sivov bunglehead@gmail.com 2011-12-20 14:01:57 CST ---
Should be fixed with 73354ef9d2480e5fd47967c2e0e74cfb75484ba9. Please retest.
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
      Fixed by SHA1|                            |73354ef9d2480e5fd47967c2e0e74cfb75484ba9
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #5 from Anastasius Focht focht@gmx.net 2011-12-20 14:22:37 CST ---
Hello,

--- quote ---
Should be fixed with 73354ef9d2480e5fd47967c2e0e74cfb75484ba9. Please retest.
--- quote ---
yep, the app starts fine now. Thanks Nikolay.
Regards
Alexandre Julliard julliard@winehq.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #6 from Alexandre Julliard julliard@winehq.org 2011-12-30 12:57:14 CST ---
Closing bugs fixed in 1.3.36.
Nikolay Sivov bunglehead@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|bunglehead@gmail.com        |wine-bugs@winehq.org