https://bugs.winehq.org/show_bug.cgi?id=50801
Bug ID: 50801
Summary: Wine Mono crashes on macOS
Product: Wine
Version: 6.4
Hardware: x86-64
OS: Mac OS X
Status: NEW
Severity: normal
Priority: P2
Component: mscoree
Assignee: wine-bugs@winehq.org
Reporter: madewokherd@gmail.com
Running the csc.exe shipped with Wine Mono on macOS 11.2.1 crashes with:
0024:err:virtual:virtual_setup_exception stack overflow 1456 bytes in thread 0024 addr 0x7bc2bd61 stack 0x130a50 (0x130000-0x131000-0x230000)
From a +relay,+seh log, trimmed by thread:
0024:Call msvcrt.memcpy(0022dec0,02950f35,00000010) ret=1801013e1
0024:Ret  msvcrt.memcpy() retval=0022dec0 ret=1801013e1
0024:trace:seh:dispatch_exception code=c0000005 flags=0 addr=0000000002951170 ip=0000000002951170 tid=0024
0024:trace:seh:dispatch_exception info[0]=0000000000000001
0034:Call KERNEL32.HeapFree(00020000,00000000,000b96f0) ret=68765c83
0024:trace:seh:dispatch_exception info[1]=0000000000000498
0024:warn:seh:dispatch_exception EXCEPTION_ACCESS_VIOLATION exception (code=c0000005) raised
0024:trace:seh:dispatch_exception rax=0000000000000498 rbx=0000000000000000 rcx=0000000000000001 rdx=0000000000000010
0024:trace:seh:dispatch_exception rsi=0000000000000010 rdi=0000000000a24dd0 rbp=000000000022e2c0 rsp=000000000022e270
0024:trace:seh:dispatch_exception r8=000000000022e5f0 r9=0000000002950f00 r10=000000000000000a r11=0000000002950f64
0024:trace:seh:dispatch_exception r12=0000000000a32e88 r13=000000000022e928 r14=000000000022e5f0 r15=0000000000000000
0024:trace:seh:call_vectored_handlers calling handler at 00000001801038F0 code=c0000005 flags=0
I haven't been able to get winedbg working well enough to give me any real information, but that memcpy call is from the end of mono_breakpoint_clean_code.
I also got this from WINE_MONO_VERBOSE=1:
Method (wrapper alloc) object object:AllocSmall (intptr,intptr) emitted at 0000000002951110 to 000000000295123b (code length 299) [csc.exe]
So we're crashing on access to JIT-compiled code. There's probably a way to tell from the +seh log whether that's on execute access, but I'm just going to assume it is.
Esme Povirk madewokherd@gmail.com changed:
What      |Removed |Added
----------------------------------------------------------------------------
Keywords  |        |download, source, testcase
Esme Povirk madewokherd@gmail.com changed:
What      |Removed |Added
----------------------------------------------------------------------------
CC        |        |madewokherd@gmail.com
Zebediah Figura z.figura12@gmail.com changed:
What      |Removed |Added
----------------------------------------------------------------------------
CC        |        |z.figura12@gmail.com
--- Comment #1 from Zebediah Figura z.figura12@gmail.com ---
(In reply to Esme Povirk from comment #0)
> So we're crashing on access to JIT-compiled code. There's probably a way to tell from the +seh log whether that's on execute access, but I'm just going to assume it is.

You can tell from info[0]—0 is read, 1 is write, 8 is execute. It looks like it's trying to write into (%rax).
--- Comment #2 from Esme Povirk madewokherd@gmail.com ---
Yep, looks like the crashing instruction is a movl %ecx,(%rax).
From disassembling the function:
0x000000000295115b: movq %gs:0x00000000000014e8,%r15
0x0000000002951164: leaq 0x0000000000000498(%r15),%rax
0x000000000295116b: movl $0x200000001,%rcx
0x0000000002951170: movl %ecx,(%rax)
So it has to do with our inability to set %gs maybe?
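The triage rule from comment #1 (info[0] = 0/1/8 for read/write/execute) and the conclusion of comment #2 (the fault is a write through %rax) can be mechanised over a +seh log. The decoder below is an added example, not part of the bug report or of Wine; the sample log is the trace from comment #0 reduced to the dispatch_exception lines of thread 0024.

```python
import re

# Constructed sample: the +seh lines from comment #0 for thread 0024, with one
# interleaved line from thread 0034 kept to show the thread filter at work.
SAMPLE_LOG = """\
0024:trace:seh:dispatch_exception code=c0000005 flags=0 addr=0000000002951170 ip=0000000002951170 tid=0024
0024:trace:seh:dispatch_exception info[0]=0000000000000001
0034:Call KERNEL32.HeapFree(00020000,00000000,000b96f0) ret=68765c83
0024:trace:seh:dispatch_exception info[1]=0000000000000498
0024:trace:seh:dispatch_exception rax=0000000000000498 rbx=0000000000000000 rcx=0000000000000001 rdx=0000000000000010
0024:trace:seh:dispatch_exception rsi=0000000000000010 rdi=0000000000a24dd0 rbp=000000000022e2c0 rsp=000000000022e270
0024:trace:seh:dispatch_exception r8=000000000022e5f0 r9=0000000002950f00 r10=000000000000000a r11=0000000002950f64
0024:trace:seh:dispatch_exception r12=0000000000a32e88 r13=000000000022e928 r14=000000000022e5f0 r15=0000000000000000
"""

ACCESS_VIOLATION = 0xC0000005
# ExceptionInformation[0] for EXCEPTION_ACCESS_VIOLATION, as given in comment #1.
ACCESS_KIND = {0: "read", 1: "write", 8: "execute"}
GPRS = ("rax", "rbx", "rcx", "rdx", "rsi", "rdi", "rbp", "rsp",
        "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15")

# Matches "name=hex" tokens, including the indexed "info[0]=..." form.
KV_RE = re.compile(r"(\w+(?:\[\d\])?)=([0-9a-fA-F]+)")


def decode_access_violation(log: str, tid: str) -> dict:
    """Gather the dispatch_exception fields of one thread and classify the fault."""
    fields = {}
    for line in log.splitlines():
        # Other threads interleave in a +seh log; keep only the thread of interest.
        if not line.startswith(f"{tid}:trace:seh:dispatch_exception "):
            continue
        for key, val in KV_RE.findall(line):
            fields[key] = int(val, 16)
    if fields.get("code") != ACCESS_VIOLATION:
        raise ValueError("not an EXCEPTION_ACCESS_VIOLATION trace")
    target = fields["info[1]"]
    return {
        "ip": fields["ip"],
        "access": ACCESS_KIND.get(fields["info[0]"], "unknown"),
        "target": target,
        # Registers holding the faulting address, i.e. candidates for the
        # register the instruction dereferenced (comment #2: (%rax)).
        "registers": [r for r in GPRS if fields.get(r) == target],
        # A target within the first page is typically a small offset added to a
        # base register that was zero, as with %r15 after the %gs: load here.
        "near_null": target < 0x1000,
    }
```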
--- Comment #3 from Esme Povirk madewokherd@gmail.com ---
Setting MONO_DEBUG=use-fallback-tls works around this, probably at a performance penalty.
Is there some way we could detect this situation and apply the work-around on macOS only?
--- Comment #4 from Esme Povirk madewokherd@gmail.com ---
I guess another possibility would be to tweak the generated code to go through TIB.Self which should work per https://stackoverflow.com/questions/53244454/how-did-wine64-manage-to-handle...
--- Comment #5 from Esme Povirk madewokherd@gmail.com ---
Fix pushed using the approach of going through TIB.Self, bug can be resolved once this is in a release: https://github.com/madewokherd/mono/commit/4882fc51621b60f26809db20b73a6c5dd...
Esme Povirk madewokherd@gmail.com changed:
What          |Removed  |Added
----------------------------------------------------------------------------
Fixed by SHA1 |         |2c94b7a609fe40a79ea30096bdb2dcac4198069e
Status        |NEW      |RESOLVED
Resolution    |---      |FIXED

--- Comment #6 from Esme Povirk madewokherd@gmail.com ---
Fixed in Wine Mono 6.1.1.
Alexandre Julliard julliard@winehq.org changed:
What      |Removed  |Added
----------------------------------------------------------------------------
Status    |RESOLVED |CLOSED

--- Comment #7 from Alexandre Julliard julliard@winehq.org ---
Closing bugs fixed in 6.7.