https://bugs.winehq.org/show_bug.cgi?id=54267
Bug ID: 54267
Summary: regression: free() invalid pointer error then crash in WoW
Product: Wine
Version: 8.0-rc2
Hardware: x86-64
OS: Linux
Status: UNCONFIRMED
Severity: blocker
Priority: P2
Component: -unknown
Assignee: wine-bugs@winehq.org
Reporter: kdt3rd@gmail.com
Distribution: ---

Created attachment 73831 --> https://bugs.winehq.org/attachment.cgi?id=73831
tail snippet of +seh,+unwind surrounding the free(): invalid pointer error
This worked fine in 7.22, but with 8.0-rc2 I am seeing a behavior where World of Warcraft will run fine for a while (as short as 5 minutes, up to 30 minutes), then eventually hard abort with
0454:err:seh:dispatch_exception unknown exception (code=c0000420) raised
0454:err:seh:dispatch_exception unknown exception (code=c0000420) raised
0454:fixme:sync:NtQueryDirectoryObject multiple entries not implemented
0454:fixme:sync:NtQueryDirectoryObject multiple entries not implemented
free(): invalid pointer
0560:err:seh:call_stack_handlers invalid frame 000000000418E330 (0000000003F92000-0000000004090000)
0560:err:seh:NtRaiseException Exception frame is not in stack limits => unable to dispatch exception.
0588:fixme:wtsapi:WTSUnRegisterSessionNotification Stub 0000000000020082
0588:fixme:kernelbase:AppPolicyGetProcessTerminationMethod FFFFFFFFFFFFFFFA, 000000000011FD70
There may be two issues here, I am not sure. I do not know how to find where that free() invalid pointer is happening (I tried setting the normal environment variable MALLOC_CHECK_=3 to see if I could get a unix-side stack trace, to no avail), so I am not sure how to pursue that.
Seeing the invalid stack frame and some recent patches to convert to a new assembly-based implementation of the call handlers, I have also run (and attached) the tail of a log with +seh,+unwind surrounding the crash (stackfail.log). Although I see that the "usual" stream of exceptions (WoW has always had this c0000420 unknown error / assertion failure stream) is in a separate thread (0454 vs 0560 above), I suspect that the free() invalid pointer issue is the real problem.
This is against a wine compiled with mingw gcc 12.2 in a wow64 dual build.
If it helps, Wow.exe is a 64-bit (PE32+) executable.
Unfortunately, I am unable to test this with only vanilla wine to bisect, as the game does not run with vanilla as far as I know.
Please let me know any suggestions on how to find out where something is free'd but not malloc'ed, how to bisect with staging patches still applied, or how I can help debug further.
--- Comment #1 from Kimball kdt3rd@gmail.com ---
I did check out 8.0-rc1 and that seems to be fine, so this is only a regression between -rc1 and -rc2; I will attempt to manually bisect.
Kimball kdt3rd@gmail.com changed:
What        |Removed      |Added
----------------------------------------------------------------------------
Component   |-unknown     |ntdll
Resolution  |---          |NOTOURBUG
CC          |             |gofmanp@gmail.com
Status      |UNCONFIRMED  |RESOLVED

--- Comment #2 from Kimball kdt3rd@gmail.com ---
The issue is in the ntdll-NtDevicePath patch, which was re-enabled in staging between 8.0-rc1 and 8.0-rc2, and not within wine proper.
Adding Paul Gofman for visibility. I do not immediately see what is wrong with the patch, but it causes this slow failure; if I disable that patch, everything runs fine with 8.0-rc2. I presume there is a buffer overrun or uninitialized value that has been missed.
Gijs Vermeulen gijsvrm@gmail.com changed:
What        |Removed      |Added
----------------------------------------------------------------------------
Resolution  |NOTOURBUG    |---
Product     |Wine         |Wine-staging
Component   |ntdll        |-unknown
Severity    |blocker      |normal
CC          |             |leslie_alistair@hotmail.com, z.figura12@gmail.com
Status      |RESOLVED     |UNCONFIRMED

--- Comment #3 from Gijs Vermeulen gijsvrm@gmail.com ---
I'll reopen this as a staging bug instead.
--- Comment #4 from Kimball kdt3rd@gmail.com ---
*** Bug 54272 has been marked as a duplicate of this bug. ***
--- Comment #5 from Kimball kdt3rd@gmail.com ---
I was doing some more research, and typed up additional information in https://bugs.winehq.org/show_bug.cgi?id=54272 but didn't know bugs could be moved between components...
Paul Gofman pgofman@codeweavers.com changed:
What        |Removed      |Added
----------------------------------------------------------------------------
CC          |             |pgofman@codeweavers.com

--- Comment #6 from Paul Gofman pgofman@codeweavers.com ---
I think I see an off-by-one buffer size error for 'name' in the latest version of ntdll-NtDevicePath which in principle can lead to such consequences. I've just updated the patchset in Staging, could you please check if that fixes the issue?
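The failure mode described in this comment (a buffer sized one character too small, so the terminating NUL of a wide-char name lands one past the allocation and corrupts the heap until some later free() trips over it) is shown below in a standalone C example. This is an added illustration, not the ntdll-NtDevicePath patch or any Wine code: the names `name_bytes_buggy`, `name_bytes_fixed`, `copy_name_bounded`, `try_copy` and the sample string are hypothetical, and `WCHAR` is typed locally so it builds outside Wine. The buggy sizing is kept to the size computation only; the copy routine checks capacity and refuses rather than actually overrunning, which is the check a defender wants at the point where a computed size meets a fixed-size copy.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Local stand-in for the Windows 2-byte wide character (assumption, not Wine's header). */
typedef uint16_t WCHAR;

/* Length in characters of a NUL-terminated wide string, terminator excluded. */
static size_t wlen(const WCHAR *s)
{
    size_t n = 0;
    while (s[n]) n++;
    return n;
}

/* Hypothetical buggy sizing: counts the characters but forgets the terminating NUL.
 * A buffer allocated with this size is exactly one WCHAR too small for a
 * NUL-terminated copy, so the terminator would be written past the allocation. */
size_t name_bytes_buggy(const WCHAR *src)
{
    return wlen(src) * sizeof(WCHAR);
}

/* Fixed sizing: one extra WCHAR reserved for the terminator. */
size_t name_bytes_fixed(const WCHAR *src)
{
    return (wlen(src) + 1) * sizeof(WCHAR);
}

/* Bounded copy: computes the bytes a NUL-terminated copy needs and refuses
 * (returns -1) when the destination capacity is too small, instead of overrunning. */
int copy_name_bounded(WCHAR *dst, size_t dst_bytes, const WCHAR *src)
{
    size_t need = (wlen(src) + 1) * sizeof(WCHAR);
    if (need > dst_bytes) return -1;
    memcpy(dst, src, need);
    return 0;
}

/* Allocates with the given sizing function, then copies through the checked routine.
 * Returns 0 on success, -1 if the sizing would have caused an overrun, -2 on OOM. */
int try_copy(size_t (*sizer)(const WCHAR *), const WCHAR *src)
{
    size_t bytes = sizer(src);
    WCHAR *buf = malloc(bytes ? bytes : 1);
    if (!buf) return -2;
    int rc = copy_name_bounded(buf, bytes, src);
    free(buf); /* safe: the bounded copy never wrote past the allocation */
    return rc;
}

/* Constructed sample name: six characters plus terminator. */
static const WCHAR sample_name[] = { 'D', 'e', 'v', 'i', 'c', 'e', 0 };

int main(void)
{
    printf("buggy sizing (%zu bytes): rc=%d\n", name_bytes_buggy(sample_name),
           try_copy(name_bytes_buggy, sample_name)); /* rc=-1: would have overrun */
    printf("fixed sizing (%zu bytes): rc=%d\n", name_bytes_fixed(sample_name),
           try_copy(name_bytes_fixed, sample_name)); /* rc=0 */
    return 0;
}
```

With the buggy sizing the six-character name gets a 12-byte buffer while a terminated copy needs 14, and the checked copy reports it; with the fixed sizing the copy succeeds. In real code the unchecked version silently writes two bytes past the block, which is exactly the kind of corruption glibc later reports as "free(): invalid pointer" at an unrelated free() call.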
Kimball kdt3rd@gmail.com changed:
What        |Removed      |Added
----------------------------------------------------------------------------
Resolution  |---          |FIXED
Status      |UNCONFIRMED  |RESOLVED

--- Comment #7 from Kimball kdt3rd@gmail.com ---
That patch does fix it. I should have noticed that, I was looking for something like that. Thanks!
Zeb Figura z.figura12@gmail.com changed:
What            |Removed                                                   |Added
----------------------------------------------------------------------------
Summary         |regression: free() invalid pointer error then crash in WoW|World of Warcraft crashes with "free(): invalid pointer"
Keywords        |                                                          |regression
Fixed by SHA1   |                                                          |d1bde95011f48593b56b27abbb77f0960e16ea5a
Regression SHA1 |                                                          |ffc4a7a5a04a71745e67232dcecee6ece5abd69a
Alistair Leslie-Hughes leslie_alistair@hotmail.com changed:
What        |Removed      |Added
----------------------------------------------------------------------------
Status      |RESOLVED     |CLOSED

--- Comment #8 from Alistair Leslie-Hughes leslie_alistair@hotmail.com ---
Closing Fixed wine-staging bug.