http://bugs.winehq.org/show_bug.cgi?id=10521
Summary: make test crashes msvcrt/tests/heap.c...
Product: Wine
Version: CVS/GIT
Platform: PC
OS/Version: Linux
Status: UNCONFIRMED
Severity: major
Priority: P2
Component: wine-msvcrt
AssignedTo: wine-bugs@winehq.org
ReportedBy: lionel_debroux@yahoo.fr
The msvcrt heap test has been consistently crashing on my computer since the following commit:

commit a1e4758f076190dbef7d06f9e10241d0aabe3788
Author: Dan Kegel dank@kegel.com
Date: Tue Nov 6 16:52:19 2007 -0800

It crashes with WINEDEBUG="" (access to 0x04030205) and WINEDEBUG="warn+heap" (access to 0x55555559), and an assertion aborts the program with WINEDEBUG="+heap". It crashes when compiling (GCC 4.1.1 from Debian stable) the whole Wine DLLs, programs and executables with -O0, -O2 and -O3, so that is probably not due to a compiler optimization screwup.
I've been discussing the issue for a while with Dan, and he is able to reproduce the problem. However, all commit a1e4758f... does is fixing two memory leaks. Therefore, neither of us feels that the change in this commit should cause a crash. There may be a problem somewhere else. Since it touches the heap subsystem, I'm putting severity to major.
While commenting tests in order to reduce the testcase, by looking at the traces, I found that a crash can be triggered (but not reproducibly...) with the single: test_aligned_realloc(256, 512, 16); (everything before and after this line being commented). Strange.
Attached is a tarball I sent to Dan, which contains:
* a script to run the test in various situations. Compilation is not part of the script; if you want to run Valgrind, you have to edit the location of valgrind to match the location of Wine-improved Valgrind ( http://wiki.winehq.org/Wine_and_Valgrind );
* traces created by the script;
* I noticed that an 'invalid arena magic' warning is triggered by warn+heap before the crash occurs, so I made a trivial patch that adds printing of the invalid arena magic values. I think it helps debugging the issue, by showing the exact kind of overwrite that occurred: 1-byte, 2-byte, 4-byte; which bytes of the arena are affected; etc. With warn+heap (crash), the arena magic is 0x00555555. With +heap (assert failed), the arena magic is 0x55555555.
--- Comment #1 from Lionel Debroux lionel_debroux@yahoo.fr 2007-11-21 04:48:24 --- Created an attachment (id=9264) --> (http://bugs.winehq.org/attachment.cgi?id=9264) script, traces, patch to help debugging the issue.
Bugzilla has returned a message saying that the bug was correctly submitted, but the attachment creation failed... So I'm trying again to attach the file...
--- Comment #2 from Alexandre Julliard julliard@winehq.org 2007-11-21 07:58:39 --- _aligned_realloc is buggy, depending on combinations of alignments and offsets it will copy data beyond the end of the block.
Dan Kegel dank@kegel.com changed:
What | Removed | Added
CC | | dank@kegel.com
--- Comment #3 from Dan Kegel dank@kegel.com 2007-11-21 08:58:06 --- So Lionel, are you going to write a fix and/or better test?
BTW thanks for persisting on this. I saw this back when I made the change you mention, but couldn't pin it down, so I just sort of let it fall through the cracks.
Dan Kegel dank@kegel.com changed:
What | Removed | Added
Status | UNCONFIRMED | NEW
Ever Confirmed | 0 | 1
Target Milestone | --- | 1.0.0
--- Comment #4 from Dan Kegel dank@kegel.com 2007-11-21 08:58:55 --- Nominating for 1.0, just in case.
--- Comment #5 from Lionel Debroux lionel_debroux@yahoo.fr 2007-11-21 10:40:21 ---
> So Lionel, are you going to write a fix and/or better test?
I can try to write a fix and/or better test, but I'm not sure I'll have enough free time for that in the next few days.
--- Comment #6 from Lionel Debroux lionel_debroux@yahoo.fr 2007-11-24 09:26:52 --- Created an attachment (id=9310) --> (http://bugs.winehq.org/attachment.cgi?id=9310) Two patches for _aligned_realloc_offset & tests + one helper patch.
I think I've tracked down and fixed the problem with _aligned_realloc_offset (and therefore _aligned_realloc, which calls _aligned_realloc_offset with offset = 0).
Patch #1 contains a fix for _aligned_realloc_offset, along with an explanation of why things should go that way (based on my own understanding of the heap management). Maybe it isn't the best place to put such an explanation?
Patch #2 adds more tests for _aligned_realloc_offset, especially tests where offset > alignment (which is a priori legal, but was mostly untested).
Patch #3 is an extended version of the arena magic printing patch I previously attached to this bug.
With patches #1 and #2 applied, the msvcrt heap test is valgrind-clean.
Please review and test :)
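The copy-length bug that comment #2 describes and that the patches above address, as an added C illustration that is neither the attached patches nor Wine's msvcrt code: a minimal aligned-with-offset allocator records the requested size beside each block and bounds the realloc copy by the smaller of the old and new sizes, then exercises the page's (256, 512, 16) case and an offset > alignment case. The function names, the header layout, and the meaning of test_aligned_realloc's parameters are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Bookkeeping kept just below the user pointer (a constructed layout, not
   Wine's): the raw malloc() pointer and the requested size, so a later realloc
   knows how many user bytes exist. The slot may be unaligned, hence memcpy. */
typedef struct { void *raw; size_t size; } hdr_t;
static void hdr_get(const void *p, hdr_t *h) { memcpy(h, (const char *)p - sizeof *h, sizeof *h); }
static void hdr_put(void *p, const hdr_t *h) { memcpy((char *)p - sizeof *h, h, sizeof *h); }
/* Return p such that p + offset is a multiple of alignment (a power of two). */
static void *aligned_offset_malloc(size_t size, size_t alignment, size_t offset)
{
    char *raw; uintptr_t p; hdr_t h;
    if (alignment == 0 || (alignment & (alignment - 1))) return NULL;
    if (!(raw = malloc(size + sizeof(hdr_t) + alignment - 1))) return NULL;
    /* Skip the header, align the p + offset point, then back off by offset. */
    p = ((uintptr_t)raw + sizeof(hdr_t) + offset + alignment - 1) & ~(uintptr_t)(alignment - 1);
    p -= offset;
    h.raw = raw; h.size = size;
    hdr_put((void *)p, &h);
    return (void *)p;
}
static void aligned_offset_free(void *p) { hdr_t h; if (p) { hdr_get(p, &h); free(h.raw); } }
/* Simplified: always moves to a fresh block. The copy is bounded by the smaller
   of the old and new requested sizes; copying the new size would read past the end. */
static void *aligned_offset_realloc(void *old, size_t size, size_t alignment, size_t offset)
{
    hdr_t h; void *p;
    if (!old) return aligned_offset_malloc(size, alignment, offset);
    hdr_get(old, &h);
    if (!(p = aligned_offset_malloc(size, alignment, offset))) return NULL;
    memcpy(p, old, h.size < size ? h.size : size);
    aligned_offset_free(old);
    return p;
}
/* Same shape as the page's test_aligned_realloc(size1, size2, alignment)
   (parameter meaning assumed), plus an offset argument; returns 1 on pass. */
static int check_aligned_realloc(size_t size1, size_t size2, size_t alignment, size_t offset)
{
    unsigned char *p = aligned_offset_malloc(size1, alignment, offset);
    size_t i, keep = size1 < size2 ? size1 : size2;
    if (!p || ((uintptr_t)p + offset) % alignment) return 0;
    for (i = 0; i < size1; i++) p[i] = (unsigned char)i;   /* recognisable fill */
    p = aligned_offset_realloc(p, size2, alignment, offset);
    if (!p || ((uintptr_t)p + offset) % alignment) return 0;
    for (i = 0; i < keep; i++) if (p[i] != (unsigned char)i) return 0;
    aligned_offset_free(p);
    return 1;
}
```

Running the grow, shrink and offset > alignment cases under Valgrind is the quickest way to confirm the copy never leaves the old block.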
Lionel Debroux lionel_debroux@yahoo.fr changed:
What | Removed | Added
Attachment #9310 is obsolete | 0 | 1
--- Comment #7 from Lionel Debroux lionel_debroux@yahoo.fr 2007-11-25 03:28:24 --- Created an attachment (id=9335) --> (http://bugs.winehq.org/attachment.cgi?id=9335) Patches: proposed fix and augmented tests for _aligned_realloc_offset.
Following Dan's feedback:
* fixed the _aligned_realloc_offset patch, while slightly improving the explanation. I didn't even notice the '/* within comment' warning because make -j3 is fast on my computer.
* removed the semi-unrelated arena printing patch from the tarball.
--- Comment #8 from Dan Kegel dank@kegel.com 2007-11-25 23:56:09 --- Go ahead and send to wine-patches...
Lionel Debroux lionel_debroux@yahoo.fr changed:
What | Removed | Added
Status | NEW | RESOLVED
Resolution | | FIXED
--- Comment #9 from Lionel Debroux lionel_debroux@yahoo.fr 2007-11-29 05:42:31 --- The fix and augmented tests for _aligned_realloc_offset (and the arena magic printing patch) were committed. I'm therefore closing this bug.
Dan Kegel dank@kegel.com changed:
What | Removed | Added
Status | RESOLVED | CLOSED
--- Comment #10 from Dan Kegel dank@kegel.com 2008-01-28 05:40:45 --- Closing all RESOLVED FIXED bugs older than four weeks.
Austin English austinenglish@gmail.com changed:
What | Removed | Added
Version | CVS/GIT | unspecified