https://bugs.winehq.org/show_bug.cgi?id=43328
Bug ID: 43328
Summary: dotnet 4.5 applications crash in factory_get_cached_fontface
Product: Wine
Version: 2.12
Hardware: x86
URL: http://ashita.atom0s.com/
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: dwrite
Assignee: wine-bugs@winehq.org
Reporter: farmboy0+winehq@googlemail.com
Distribution: ---

Created attachment 58670
  --> https://bugs.winehq.org/attachment.cgi?id=58670
wine backtrace
One sample application which exhibits this problem can be downloaded from the referenced url.
Steps to reproduce:
1. winetricks dotnet45 to a new prefix
2. Reset windows version to Windows 7 with winecfg
3. Run the application (Ashita.exe) with wine
4. The error will occur during auto-update
Wine backtrace is added as attachment.
Stack trace from dotnet:
Unhandled Exception: System.AccessViolationException: Attempted to read or write protected memory. This is often an indication that other memory is corrupt.
   at MS.Internal.Text.TextInterface.Font.CreateFontFace()
   at MS.Internal.Text.TextInterface.Font.AddFontFaceToCache()
   at MS.Internal.Text.TextInterface.Font.GetFontFace()
   at MS.Internal.FontCache.FontFaceLayoutInfo.IntMap.TryGetValues(UInt32* pKeys, UInt32 characterCount, UInt16* pIndices)
   at System.Windows.Media.GlyphTypeface.GetGlyphMetricsAndIndicesOptimized(UInt32* pCodepoints, Int32 characterCount, Double emSize, UInt16[] glyphIndices, GlyphMetrics[] glyphMetrics, TextFormattingMode textFormattingMode, Boolean isSideways)
   at System.Windows.Media.GlyphTypeface.GetGlyphMetricsOptimized(CharacterBufferRange characters, Double emSize, UInt16[] glyphIndices, GlyphMetrics[] glyphMetrics, TextFormattingMode textFormattingMode, Boolean isSideways)
   at System.Windows.Media.TextFormatting.TextShapeableCharacters.GetAdvanceWidthsUnshaped(Char* characterString, Int32 characterLength, Double scalingFactor, Int32* advanceWidthsUnshaped)
   at MS.Internal.TextFormatting.LineServicesCallbacks.GetRunCharWidths(IntPtr pols, Plsrun plsrun, LsDevice device, Char* charString, Int32 stringLength, Int32 maxWidth, LsTFlow textFlow, Int32* charWidths, Int32& totalWidth, Int32& stringLengthFitted)
   at MS.Internal.TextFormatting.UnsafeNativeMethods.LoCreateLine(IntPtr ploc, Int32 cp, Int32 ccpLim, Int32 durColumn, UInt32 dwLineFlags, IntPtr pInputBreakRec, LsLInfo& plslinfo, IntPtr& pploline, Int32& maxDepth, LsLineWidths& lineWidths)
   at System.Windows.Media.TextFormatting.TextFormatterContext.CreateLine(Int32 cpFirst, Int32 lineLength, Int32 maxWidth, LineFlags lineFlags, IntPtr previousLineBreakRecord, IntPtr& ploline, LsLInfo& plslineInfo, Int32& maxDepth, LsLineWidths& lineWidths)
   at MS.Internal.TextFormatting.TextMetrics.FullTextLine.FormatLine(FullTextState fullText, Int32 cpFirst, Int32 lineLength, Int32 formatWidth, Int32 finiteFormatWidth, Int32 paragraphWidth, LineFlags lineFlags, FormattedTextSymbols collapsingSymbol)
   at MS.Internal.TextFormatting.TextFormatterImp.FormatLineInternal(TextSource textSource, Int32 firstCharIndex, Int32 lineLength, Double paragraphWidth, TextParagraphProperties paragraphProperties, TextLineBreak previousLineBreak, TextRunCache textRunCache)
   at MS.Internal.TextFormatting.TextFormatterImp.FormatLine(TextSource textSource, Int32 firstCharIndex, Double paragraphWidth, TextParagraphProperties paragraphProperties, TextLineBreak previousLineBreak, TextRunCache textRunCache)
   at MS.Internal.Text.Line.Format(Int32 dcp, Double width, TextParagraphProperties lineProperties, TextLineBreak textLineBreak, TextRunCache textRunCache, Boolean showParagraphEllipsis)
   at System.Windows.Controls.TextBlock.MeasureOverride(Size constraint)
   at System.Windows.FrameworkElement.MeasureCore(Size availableSize)
   at System.Windows.UIElement.Measure(Size availableSize)
   at System.Windows.ContextLayoutManager.UpdateLayout()
   at System.Windows.ContextLayoutManager.UpdateLayoutCallback(Object arg)
   at System.Windows.Media.MediaContext.InvokeOnRenderCallback.DoWork()
   at System.Windows.Media.MediaContext.FireInvokeOnRenderCallbacks()
   at System.Windows.Media.MediaContext.RenderMessageHandlerCore(Object resizedCompositionTarget)
   at System.Windows.Media.MediaContext.RenderMessageHandler(Object resizedCompositionTarget)
   at System.Windows.Threading.ExceptionWrapper.InternalRealCall(Delegate callback, Object args, Int32 numArgs)
   at MS.Internal.Threading.ExceptionFilterHelper.TryCatchWhen(Object source, Delegate method, Object args, Int32 numArgs, Delegate catchHandler)
   at System.Windows.Threading.DispatcherOperation.InvokeImpl()
   at System.Windows.Threading.DispatcherOperation.InvokeInSecurityContext(Object state)
   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Windows.Threading.DispatcherOperation.Invoke()
   at System.Windows.Threading.Dispatcher.ProcessQueue()
   at System.Windows.Threading.Dispatcher.WndProcHook(IntPtr hwnd, Int32 msg, IntPtr wParam, IntPtr lParam, Boolean& handled)
   at MS.Win32.HwndWrapper.WndProc(IntPtr hwnd, Int32 msg, IntPtr wParam, IntPtr lParam, Boolean& handled)
   at MS.Win32.HwndSubclass.DispatcherCallbackOperation(Object o)
   at System.Windows.Threading.ExceptionWrapper.InternalRealCall(Delegate callback, Object args, Int32 numArgs)
   at MS.Internal.Threading.ExceptionFilterHelper.TryCatchWhen(Object source, Delegate method, Object args, Int32 numArgs, Delegate catchHandler)
   at System.Windows.Threading.Dispatcher.LegacyInvokeImpl(DispatcherPriority priority, TimeSpan timeout, Delegate method, Object args, Int32 numArgs)
   at MS.Win32.HwndSubclass.SubclassWndProc(IntPtr hwnd, Int32 msg, IntPtr wParam, IntPtr lParam)
   at MS.Win32.UnsafeNativeMethods.DispatchMessage(MSG& msg)
   at System.Windows.Threading.Dispatcher.PushFrameImpl(DispatcherFrame frame)
   at System.Windows.Threading.Dispatcher.PushFrame(DispatcherFrame frame)
   at System.Windows.Application.RunDispatcher(Object ignore)
   at System.Windows.Application.RunInternal(Window window)
   at System.Windows.Application.Run(Window window)
   at System.Windows.Application.Run()
   at Ashita.App.Main()
Nikolay Sivov bunglehead@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Depends on|                            |42701

--- Comment #1 from Nikolay Sivov bunglehead@gmail.com ---
I don't know if 4.5 is a valid test case at this point, because it crashes constantly, see bug 42701. With Win7 version it goes further but still crashes a lot in the background. I think this crash should be addressed first.
--- Comment #2 from Nikolay Sivov bunglehead@gmail.com ---
Assuming CLR crash is not critical, this looks like a case of use-after-free:

---
0097:trace:dwrite:dwritefontface_GetDesignGlyphMetrics (0x6cad4a0)->(0x1a0dace 1 0x33e454 0)
009a:trace:dwrite:glyphrunanalysis_Release (0x6c3dd90)->(0)
009a:trace:dwrite:dwritefont_Release (0x6c6aab0)->(7)
009a:trace:dwrite:dwritefont_Release (0x6c6aab0)->(6)
009a:trace:dwrite:dwritefontface_Release (0x6cad4a0)->(1)
0097:trace:dwrite:dwritefontface_Release (0x6cad4a0)->(0)
009a:trace:dwrite:dwritefont_CreateFontFace (0x6c6aab0)->(0x5c4e59c)
009a:trace:dwrite:dwritefont3_CreateFontFace (0x6c6aab0)->(0x5c4e59c)
009a:trace:dwrite:dwritefontfile_GetReferenceKey (0x3b08e78)->(0x5c4e43c, 0x5c4e438)
009a:trace:dwrite:dwritefontfile_GetLoader (0x3b08e78)->(0x5c4e434)
009a:trace:dwrite:localfontfileloader_AddRef (0x3ae8708)->(580)
009a:trace:dwrite:localfontfileloader_Release (0x3ae8708)->(579)
009a:trace:dwrite:dwritefontface_GetIndex (0x6cad4a0)
009a:trace:dwrite:dwritefontface_GetSimulations (0x6cad4a0)
009a:trace:dwrite:dwritefontface_GetFiles (0x6cad4a0)->(0x5c4e444 0x5c4e44c)
009a:trace:dwrite:dwritefontface_GetFiles file 0x3b08e78
009a:trace:dwrite:dwritefontfile_AddRef (0x3b08e78)->(6)
009a:trace:dwrite:dwritefontfile_GetReferenceKey (0x3b08e78)->(0x5c4e448, 0x5c4e440)
009a:trace:dwrite:dwritefontfile_Release (0x3b08e78/0x3b08e78)->(5)
009a:trace:dwrite:factory_get_cached_fontface returning cached fontface 0x6cad4a0
009a:trace:dwrite:dwritefontface_AddRef (0x6cad4a0)->(1)
009a:trace:dwrite:dwritefont_AddRef (0x6c6aab0)->(7)
009a:trace:dwrite:dwritefontface_AddRef (0x6cad4a0)->(2)
---
--- Comment #3 from farmboy0+winehq@googlemail.com ---
I think the problem is unsynchronized access to the cached fontfaces:

0037:trace:dwrite:dwritefontface_AddRef (0x14458b68)->(2)
0037:trace:dwrite:dwritefontface_GetRecommendedRenderingMode (0x14458b68)->(12.00 1.00 1 0x1b88c0 0x5b5e558)
0037:trace:dwrite:dwritefontface_TryGetFontTable (0x14458b68)->("gasp" 0x14458bf0 0x14458bf8 0x14458bf4 0x14458bfc)
0037:trace:dwrite:dwritefontface_Release (0x14458b68)->(1)
0037:trace:dwrite:dwritefontface_Release (0x14458b68)->(0)
0009:trace:dwrite:dwritefontface_GetIndex (0x14458b68)
0009:trace:dwrite:dwritefontface_GetSimulations (0x14458b68)
0009:trace:dwrite:dwritefontface_GetFiles (0x14458b68)->(0x33a960 0x33a968)
0037:trace:dwrite:dwritefontface_GetFiles (0x14458b68)->(0x5b5e288 0x5b5e280)
0037:trace:dwrite:dwritefontface_GetIndex (0x14458b68)
0037:trace:dwrite:dwritefontface_TryGetFontTable (0x14458b68)->("GSUB" 0x5b5e380 0x5b5e388 0x5b5e384 0x5b5e37c)
0037:trace:dwrite:dwritefontface_ReleaseFontTable (0x14458b68)->((nil))
0037:trace:dwrite:dwritefontface_TryGetFontTable (0x14458b68)->("glyf" 0x5b5e320 0x5b5e328 0x5b5e324 0x5b5e31c)
0037:trace:dwrite:dwritefontface_ReleaseFontTable (0x14458b68)->((nil))
0037:trace:dwrite:dwritefontface_TryGetFontTable (0x14458b68)->("CFF " 0x5b5e320 0x5b5e328 0x5b5e324 0x5b5e31c)
0037:trace:dwrite:dwritefontface_TryGetFontTable (0x14458b68)->("COLR" 0x5b5e320 0x5b5e328 0x5b5e324 0x5b5e31c)
0037:trace:dwrite:dwritefontface_TryGetFontTable (0x14458b68)->("SVG " 0x5b5e320 0x5b5e328 0x5b5e324 0x5b5e31c)
0037:trace:dwrite:dwritefontface_TryGetFontTable (0x14458b68)->("sbix" 0x5b5e320 0x5b5e328 0x5b5e324 0x5b5e31c)
0009 is the thread calling factory_get_cached_fontface while 0037 is in the process of releasing the font face for good.
Nikolay Sivov bunglehead@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
     Ever confirmed|0                           |1
           Assignee|wine-bugs@winehq.org        |bunglehead@gmail.com

--- Comment #4 from Nikolay Sivov bunglehead@gmail.com ---
I was hoping addd8e69ff09e8620aa3c9c2120d2161df478ac2 would help, but it didn't. So yes, now it looks like a concurrency issue. I'll take a closer look.
Anton Romanov theli.ua@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |theli.ua@gmail.com
--- Comment #5 from Anton Romanov theli.ua@gmail.com ---
Just protecting get/release cached fontface fixes this for me EG: https://github.com/theli-ua/wine/commit/178104b59b0415fd24f48a14f921a30d03fc...
Not sure if this solution is acceptable, if yes I can just send this to wine-patches I guess
I was testing this with "Magic The Gathering: Online" that is a .net 4.5.2 app that was constantly crashing for me in get_cached_fontface before the patch
--- Comment #6 from Anton Romanov theli.ua@gmail.com ---
*** Bug 43487 has been marked as a duplicate of this bug. ***
Alistair Leslie-Hughes leslie_alistair@hotmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |leslie_alistair@hotmail.com

--- Comment #7 from Alistair Leslie-Hughes leslie_alistair@hotmail.com ---
(In reply to Anton Romanov from comment #5)
> Just protecting get/release cached fontface fixes this for me EG:
> https://github.com/theli-ua/wine/commit/178104b59b0415fd24f48a14f921a30d03fcef3e

Can you please attach the patch? (just so it's not lost)
--- Comment #8 from Anton Romanov theli.ua@gmail.com ---
(In reply to Alistair Leslie-Hughes from comment #7)
> Can you please attach the patch? (just so it's not lost)

That one is more of a duct tape fix. I haven't yet looked closely at that cache implementation and this was just to verify if a race condition is indeed what's causing this. For example this one does not protect insertion to the cache I think. Once I have time to work on the proper patch I'll give it a shot and submit it to wine-patches. That is unless nsivov or someone else beats me to it.
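
Added illustration, not part of the bug thread and not Wine's code: the race from comment #3 (a lookup returning a face whose last reference another thread is dropping) and the insertion gap mentioned in comment #8 are both closed when lookup, insertion and final release share one lock. The names `struct face`, `cache_get`, `cache_release` and the integer key are assumptions made for this example.

```c
#include <pthread.h>
#include <stdlib.h>

/* Hypothetical stand-in for a cached font face; not Wine's structure. */
struct face {
    long refs;            /* guarded by cache_lock */
    int key;              /* constructed lookup key */
    struct face *next;
};

static pthread_mutex_t cache_lock = PTHREAD_MUTEX_INITIALIZER;
static struct face *cache_head;
static int frees;         /* destroyed faces, kept only for checking */

/* Lookup and AddRef happen under one lock, so a face found in the list
 * cannot drop to zero references before the caller owns one. A miss
 * inserts under the same lock, so insertion is covered as well. */
struct face *cache_get(int key)
{
    struct face *f;

    pthread_mutex_lock(&cache_lock);
    for (f = cache_head; f; f = f->next)
        if (f->key == key) break;
    if (!f && (f = calloc(1, sizeof(*f)))) {
        f->key = key;
        f->next = cache_head;
        cache_head = f;
    }
    if (f) f->refs++;
    pthread_mutex_unlock(&cache_lock);
    return f;
}

/* The last release unlinks the face while still holding the lock and
 * frees it only afterwards: no lookup can hand out a dying pointer. */
long cache_release(struct face *f)
{
    struct face **p;
    long refs;

    pthread_mutex_lock(&cache_lock);
    refs = --f->refs;
    for (p = &cache_head; !refs && *p; p = &(*p)->next)
        if (*p == f) { *p = f->next; break; }
    pthread_mutex_unlock(&cache_lock);
    if (!refs) { free(f); frees++; }
    return refs;
}
```

The failing order in the traces is Release reaching 0 on one thread while another thread is still between finding the cached pointer and its AddRef; with the shared lock those two steps cannot interleave.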
Omar Pakker wine@opakker.nl changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |wine@opakker.nl
--- Comment #9 from Nikolay Sivov bunglehead@gmail.com ---
Please retest with 2.15, it seems to work for me now.
--- Comment #10 from farmboy0+winehq@googlemail.com ---
LGTM
--- Comment #11 from Omar Pakker wine@opakker.nl ---
Testing an application that had this issue as well and it is also solved for me with 2.15.
Nikolay Sivov bunglehead@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED
      Fixed by SHA1|                            |fb5079d887036ea35c8aa8dabdbd126c4df52dab
           Assignee|bunglehead@gmail.com        |wine-bugs@winehq.org

--- Comment #12 from Nikolay Sivov bunglehead@gmail.com ---
Marking fixed, fb5079d887036ea35c8aa8dabdbd126c4df52dab.
Alexandre Julliard julliard@winehq.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #13 from Alexandre Julliard julliard@winehq.org ---
Closing bugs fixed in 2.16.
Bug 43328 depends on bug 42701, which changed state.

Bug 42701 Summary: Multiple apps and games using MS .NET Framework 4.x need api-ms-win-core-winrt-roparameterizediid-l1-1-0.dll.RoGetParameterizedTypeInstanceIID (Mafia III, Daylight)
https://bugs.winehq.org/show_bug.cgi?id=42701

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED