https://bugs.winehq.org/show_bug.cgi?id=56406
Bug ID: 56406
Summary: wineserver crashes in set_input_desktop()
Product: Wine
Version: unspecified
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: wineserver
Assignee: wine-bugs@winehq.org
Reporter: fgouget@codeweavers.com
Distribution: ---
The wineserver crashes when running the Wine test suite on my Debian 12 PC. The crash happens during the dxgi:dxgi test.
Here is some information collected by attaching gdb to wineserver while running the tests:
Program received signal SIGSEGV, Segmentation fault.
0x56683005 in set_input_desktop (winstation=0x576aea90, new_desktop=0x576af890) at /home/fgouget/wine/wt23/src/server/winstation.c:246
246         set_rawinput_process( thread->process, 0 );

(gdb) p thread
$1 = (struct thread *) 0x52fff4
(gdb) p thread->process
Cannot access memory at address 0x530034
(gdb) bt
#0  0x56683005 in set_input_desktop (winstation=0x576aea90, new_desktop=0x576af890) at /home/fgouget/wine/wt23/src/server/winstation.c:246
#1  0x5664afac in req_send_hardware_message (req=0x577995c0, reply=0xff829300) at /home/fgouget/wine/wt23/src/server/queue.c:2808
#2  0x566561c9 in call_req_handler (thread=thread@entry=0x577994d0) at /home/fgouget/wine/wt23/src/server/request.c:305
#3  0x5665720c in read_request (thread=0x577994d0) at /home/fgouget/wine/wt23/src/server/request.c:339
#4  0x566627a1 in thread_poll_event (fd=0x5778c070, event=1) at /home/fgouget/wine/wt23/src/server/thread.c:388
#5  0x5662faf6 in fd_poll_event (event=<optimized out>, fd=<optimized out>) at /home/fgouget/wine/wt23/src/server/fd.c:505
#6  main_loop_epoll () at /home/fgouget/wine/wt23/src/server/fd.c:599
#7  0x5662fd9f in main_loop () at /home/fgouget/wine/wt23/src/server/fd.c:955
#8  0x5661fa80 in main (argc=1, argv=0xff829b04) at /home/fgouget/wine/wt23/src/server/main.c:238
(gdb) info registers
eax            0x5fae9a2c          1605278252
ecx            0x576aea90          1466624656
edx            0x53002c            5439532
ebx            0x566c0ff4          1449922548
esp            0xff8291e4          0xff8291e4
ebp            0x52fff4            0x52fff4
esi            0x576eedb0          1466887600
edi            0x576af890          1466628240
eip            0x56683005          0x56683005 <set_input_desktop+101>
eflags         0x10296             [ PF AF SF IF RF ]
cs             0x23                35
ss             0x2b                43
ds             0x2b                43
es             0x2b                43
fs             0x0                 0
gs             0x63                99
(gdb) p *winstation->input_desktop
$23 = {obj = {refcount = 1466843598, handle_count = 2691322373, ops = 0x73006f,
    wait_queue = {next = 0x66006f, prev = 0x200074}, name = 0x68004a, sd = 0x6e0065,
    is_permanent = 1, obj_list = {next = 0x690065, prev = 0x550020}},
  flags = 5439561, winstation = 0x470045, input_time = 20548038376620111,
  entry = {next = 0x54002e, prev = 0x460054}, threads = {next = 0x53002c, prev = 0x670065},
  top_window = 0x65006f, msg_window = 0x550020, global_hooks = 0x49,
  hotkeys = {next = 0x49004d, prev = 0x47004e}, close_timeout = 0x49004c,
  foreground_input = 0x2e0055, users = 5505108,
  cursor = {x = 2883651, y = 6881357, clip = {left = 6750318, top = 6881356, right = 85, bottom = 5439565},
    last_change = 4718681, win = 5505070},
  keystate = "T\000C\000,\000M\000i\000c\000r\000o\000s\000o\000f\000t\000 \000Y\000a\000H\000e\000i\000 \000U\000I\000\000\000M\000E\000I\000R\000Y\000O\000.\000T\000T\000C\000,\000M\000e\000i\000r\000y\000o\000 \000U\000I\000\000\000M\000A\000L\000G\000U\000N\000.\000T\000T\000F\000,\000M\000a\000l\000g\000u\000n\000 \000G\000o\000t\000h\000i\000c\000\000\000Y\000U\000G\000O\000T\000H\000M\000.\000T\000T\000C\000,\000Y\000u\000 \000G\000o\000t\000h\000i\000c\000 \000U\000I\000\000\000S\000E\000G\000U\000I\000S\000Y\000"...}
So it looks like it is the first input_desktop->threads entry which is wrong.
The crashes started on 2024-02-28 and they happen most clearly when running the tests in a pure 32-bit environment[1]. Furthermore a bisect shows that the crashes started with the commit below:
commit c43b1ecbc3e8509b1f4778d799f9759eb64dda40 (HEAD)
Author: Rémi Bernon rbernon@codeweavers.com
Date:   Sun Feb 25 09:53:09 2024 +0100

    server: Keep a list of processes that can receive rawinput messages.
[1] When run in a 64-bit environment the tests succeed, and the 64-bit tests get stuck but there is no 'wineserver crashed' message in the logs.
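An added triage sketch, not part of the original report or of Wine's code: it reads the pointer-sized fields printed by `p *winstation->input_desktop` as UTF-16LE code units, showing that they hold text fragments like the font names visible in keystate rather than heap addresses, and relates the bad `thread` pointer to `threads.next`. All values are copied from the gdb output above; the function names are hypothetical.

```python
import struct

# Field values copied from the `p *winstation->input_desktop` output in the report.
DUMPED_FIELDS = {
    "obj.ops": 0x73006F,
    "obj.wait_queue.next": 0x66006F,
    "obj.wait_queue.prev": 0x200074,
    "obj.name": 0x68004A,
    "obj.sd": 0x6E0065,
    "winstation": 0x470045,
    "threads.next": 0x53002C,
    "threads.prev": 0x670065,
    "top_window": 0x65006F,
    "foreground_input": 0x2E0055,
}
# Arguments from frame #0 of the same backtrace, for comparison.
FRAME_POINTERS = {"winstation (arg)": 0x576AEA90, "new_desktop (arg)": 0x576AF890}
THREAD_PTR = 0x52FFF4   # from `p thread`
FAULT_ADDR = 0x530034   # from "Cannot access memory at address ..."


def as_utf16_text(value, width=4):
    """Return the text if every 16-bit unit of a little-endian word is
    printable ASCII (i.e. the word looks like UTF-16LE text), else None."""
    raw = value.to_bytes(width, "little")
    units = struct.unpack("<%dH" % (width // 2), raw)
    if all(0x20 <= u < 0x7F for u in units):
        return "".join(chr(u) for u in units)
    return None


def classify(fields):
    """Map each field name to its decoded text, or None if it is not text-like."""
    return {name: as_utf16_text(value) for name, value in fields.items()}


def offsets():
    """Distance from the bad thread pointer to threads.next and to the fault
    address: small fixed offsets, so `thread` was derived from threads.next."""
    return DUMPED_FIELDS["threads.next"] - THREAD_PTR, FAULT_ADDR - THREAD_PTR


if __name__ == "__main__":
    for name, text in {**classify(DUMPED_FIELDS), **classify(FRAME_POINTERS)}.items():
        verdict = "UTF-16 text %r" % text if text else "not text-like"
        print("%-22s %s" % (name, verdict))
    print("threads.next - thread = 0x%x, fault - thread = 0x%x" % offsets())
```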
François Gouget fgouget@codeweavers.com changed:
What            |Removed |Added
----------------------------------------------------------------------------
Regression SHA1 |        |c43b1ecbc3e8509b1f4778d799f9759eb64dda40
Keywords        |        |regression, source, testcase
Rémi Bernon rbernon@codeweavers.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC   |        |rbernon@codeweavers.com
--- Comment #1 from Rémi Bernon rbernon@codeweavers.com ---
Looks like the desktop entry is fishy already...

refcount = 1466843598
users = 5505108
--- Comment #2 from Rémi Bernon rbernon@codeweavers.com ---
https://gitlab.winehq.org/wine/wine/-/merge_requests/5265 might fix it, at least it should fix one reason for the input_desktop pointer to be invalid.
Rémi Bernon rbernon@codeweavers.com changed:
What          |Removed |Added
----------------------------------------------------------------------------
Fixed by SHA1 |        |28c52d4ac3678e7074b9b8233d027baeb825cdc7
Status        |NEW     |RESOLVED
Resolution    |---     |FIXED

--- Comment #3 from Rémi Bernon rbernon@codeweavers.com ---
Looking at the pattern page I see win32 runs on debian12 since two days ago, so I'm assuming this has been fixed with 28c52d4ac3678e7074b9b8233d027baeb825cdc7
--- Comment #4 from François Gouget fgouget@codeweavers.com ---
Yep. This is fixed. Thanks.
Alexandre Julliard julliard@winehq.org changed:
What   |Removed  |Added
----------------------------------------------------------------------------
Status |RESOLVED |CLOSED

--- Comment #5 from Alexandre Julliard julliard@winehq.org ---
Closing bugs fixed in 9.5.