http://bugs.winehq.org/show_bug.cgi?id=15338
Summary: setup_exception_record stack overflow when running wineboot
Product: Wine
Version: 1.1.5
Platform: Other
OS/Version: other
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: -unknown
AssignedTo: wine-bugs@winehq.org
ReportedBy: aelschuring@hotmail.com

Created an attachment (id=16164) --> (http://bugs.winehq.org/attachment.cgi?id=16164)
wineboot output with WINEDEBUG=+seh
After upgrading to 1.1.5 (using budgetdedicated repo on Ubuntu 8.04), wineboot crashes when updating wineprefix:
aschuring@neminis:~$ wineboot -u
fixme:iphlpapi:NotifyAddrChange (Handle 0x7dc30a08, overlapped 0x7dc309ec): stub
fixme:shell:DllCanUnloadNow stub
wine: configuration in '/home/aschuring/.wine' has been updated.
err:seh:setup_exception_record stack overflow 828 bytes in thread 0009 eip 7bc65bc5 esp 00240ff4 stack 0x240000-0x241000-0x340000
aschuring@neminis:~$ wineboot
aschuring@neminis:~$ wine --version
wine-1.1.5

This happens on a newly created prefix as well. The attached log is created using the following commands:
aschuring@neminis:~$ rm -fr /tmp/test
aschuring@neminis:~$ mkdir /tmp/test
aschuring@neminis:~$ WINEDEBUG=+seh WINEPREFIX=/tmp/test wineboot -u 2> wineboot.log
aschuring@neminis:~$ gzip wineboot.log

I have found several references to setup_exception_record in other bugs, but none referred to wineboot specifically. They might be duplicates, but I'm not in a good position to judge that:
bug #15259
bug #13411
Vitaliy Margolen vitaliy@kievinfo.com changed:
What            |Removed      |Added
----------------------------------------------------------------------------
OS/Version      |other        |Linux

--- Comment #1 from Vitaliy Margolen vitaliy@kievinfo.com 2008-09-20 11:15:46 ---
Please compile Wine yourself and check that the problem still exists. Refer to this page for more details: http://wiki.winehq.org/Recommended_Packages

If the problem still persists, run this and attach output to this bug:
rm -rf /tmp/test
WINEDEBUG=+tid,+seh,+relay wineboot &> /tmp/winelog.txt
--- Comment #2 from Austin English austinenglish@gmail.com 2008-09-20 12:14:40 ---
Is this a regression?
--- Comment #3 from Arno Schuring aelschuring@hotmail.com 2008-09-21 09:46:19 ---
@Austin: yes, this is a regression. Unfortunately I haven't used Wine a lot lately, and can only tell you that the issue did not appear in the 1.0 release. I don't think I have used Wine since.

@Vitaliy: yes, I can reproduce the problem with a native build. After installing several -dev packages, here is my history:

  507  ./configure
  509  make
  511  rm -fr /tmp/test
  512  mkdir /tmp/test
  513  WINEDEBUG=+tid,+seh,+relay WINEPREFIX=/tmp/test programs/wineboot/wineboot &> /tmp/winelog.txt
  514  WINEDEBUG=+tid,+seh,+relay WINEPREFIX=/tmp/test programs/wineboot/wineboot -u &> /tmp/wineboot.txt
I will attach only the second run, which should have been a no-op. The first log (which created the wineprefix) is about 3MB even when compressed with gzip -9, do you want me to attach it or get it to you via some other means? I also saved the config.log, if it is of any interest I can attach it as well.
--- Comment #4 from Arno Schuring aelschuring@hotmail.com 2008-09-21 09:48:38 ---
Created an attachment (id=16196) --> (http://bugs.winehq.org/attachment.cgi?id=16196)
wineboot output with WINEDEBUG=+tid,+seh,+relay
Austin English austinenglish@gmail.com changed:
What            |Removed      |Added
----------------------------------------------------------------------------
Keywords        |             |regression

--- Comment #5 from Austin English austinenglish@gmail.com 2008-09-21 18:19:28 ---
(In reply to comment #3)
> @Austin: yes this is a regression. Unfortunately I haven't used Wine a lot lately, and can only tell you that the issue did not appear in the 1.0 release. I don't think I have used Wine since.
Please run a regression test: http://wiki.winehq.org/RegressionTesting
--- Comment #6 from Arno Schuring aelschuring@hotmail.com 2008-09-23 11:12:42 ---
Bisection in progress. It will take a few days for the results to be available, as I'm short on time and have a lot of ground to cover (over 1800 commits). Also, the PC I'm running this on is not the fastest I have: 50 minutes for a full recompile, and ccache isn't helping (90% cache misses on the first four runs).
--- Comment #7 from Arno Schuring aelschuring@hotmail.com 2008-09-25 15:33:07 ---
Now this is getting interesting. Performing a full bisection did not yield any results because I could not reproduce the error, not even in a rebuild of 1.1.5; but now I can reproduce it even in 1.0... that's what you get when you mix two desktop environments.
I'm now testing a build of 0.9.50. I'm not sure this is worth pursuing, because it seems to me the cause is outside of Wine. Problem is, there are too many factors between the two environments to find out what causes it: ati vs fglrx, e17 vs xfce, pulseaudio vs alsa, gnome-settings-daemon vs xfce-mcs-manager.
Right now, I'm not even sure this is a regression in Wine. Could be a regression in one of its dependencies. I'll keep testing and post my results if I find something useful.
Arno Schuring aelschuring@hotmail.com changed:
What            |Removed      |Added
----------------------------------------------------------------------------
Keywords        |regression   |

--- Comment #8 from Arno Schuring aelschuring@hotmail.com 2008-09-26 12:27:10 ---
OK, I've gotten further and I do not believe this is a regression in Wine. Arguably, it's still a bug because the exception handler seems to be tripping over itself, until it runs out of stack space.
I've built several old versions from git, with both gcc-4.1 and gcc-4.2. The results are consistent between different versions of gcc, and between all wine versions tested. I have found that this only appears when I'm using the ati X.org driver, and does not appear when I switch to fglrx. Other factors (WM, sound system) do not appear to have an effect.
My results: 0.9.50 and 0.9.52 have no wineboot executable, so I have used wineprefix to populate a new prefix. Both give several backtraces but I'm having a hard time taking them seriously. The last function call in Wine listed is NtSetInformationKey, in ntdll/reg.c. But this is a stub that only logs a message and returns, and yet it still triggers a page fault. I'll attach a wpc log, as I think it's still the same error, but the stack trace seems tainted.
0.9.60 does have a wineboot executable, and it faults in the same way as 1.1.5 (but only when I'm using the ati driver). The following is a snippet from a gdb backtrace on wineboot (args /usr/lib/wine/wineboot.exe.so -u). Note that the end of the stack trace looks a lot like the one from 0.9.52 (but it lists NtTerminateProcess instead of NtSetInformationKey):
What I think is happening is that libGL does a function call to the X.org driver. The ati driver gives an unexpected response, and libGL causes a segfault. This segfault is then sent to the signal handler of wine, and that causes another segfault, ad nauseam.

Program received signal SIGSEGV, Segmentation fault.
0xb7f09b9d in ?? () from /lib/ld-linux.so.2
(gdb) bt
#0  0xb7f09b9d in ?? () from /lib/ld-linux.so.2
#1  0xb7c35cb4 in ?? () from /lib/tls/i686/cmov/libdl.so.2
#2  0xb7f045c6 in ?? () from /lib/ld-linux.so.2
#3  0xb7c362bc in ?? () from /lib/tls/i686/cmov/libdl.so.2
#4  0xb7c35cea in dlclose () from /lib/tls/i686/cmov/libdl.so.2
#5  0x7e68d7bd in ?? () from /usr/lib/libGL.so.1
#6  0x7e66d84a in ?? () from /usr/lib/libGL.so.1
#7  0x7e66f924 in ?? () from /usr/lib/libGL.so.1
#8  0x7e668ba4 in ?? () from /usr/lib/libGL.so.1
#9  0x7e6ab9bc in ?? () from /usr/lib/libGL.so.1
#10 0xb7f04fcf in ?? () from /lib/ld-linux.so.2
#11 0xb7c67084 in exit () from /lib/tls/i686/cmov/libc.so.6
#12 0x7bc51e50 in NtTerminateProcess () from /usr/bin/../lib/wine/ntdll.dll.so
#13 0x7b87462f in ExitProcess () from /usr/bin/../lib/wine/kernel32.dll.so
#14 0x7fd195aa in ?? () from /tmp/test/dosdevices/z:/usr/lib/wine/wineboot.exe.so
#15 0x7b877b37 in ?? () from /usr/bin/../lib/wine/kernel32.dll.so
#16 0xb7dc59d7 in wine_switch_to_stack () from /usr/bin/../lib/libwine.so.1
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x7eab66d0 in ?? ()
(gdb) bt
#0  0x7eab66d0 in ?? ()
#1  0x7bc3b929 in __regs_RtlRaiseException () from /usr/bin/../lib/wine/ntdll.dll.so
#2  0x7bc65bec in ?? () from /usr/bin/../lib/wine/ntdll.dll.so
#3  0xdeadbabe in ?? ()
#4  0xb7c35cb4 in ?? () from /lib/tls/i686/cmov/libdl.so.2
#5  0xb7f045c6 in ?? () from /lib/ld-linux.so.2
#6  0xb7c362bc in ?? () from /lib/tls/i686/cmov/libdl.so.2
#7  0xb7c35cea in dlclose () from /lib/tls/i686/cmov/libdl.so.2
[...]
--- Comment #9 from Arno Schuring aelschuring@hotmail.com 2008-09-26 12:36:07 ---
Created an attachment (id=16281) --> (http://bugs.winehq.org/attachment.cgi?id=16281)
log from wineprefixcreate 0.9.52

Created using:
$ git reset --hard wine-0.9.52
$ make clean && ./configure
$ make depend && make
$ WINEPREFIX=/tmp/test programs/wineboot/wineboot &> /tmp/wpc.log
--- Comment #10 from Arno Schuring aelschuring@hotmail.com 2008-09-26 12:37:00 ---
(In reply to comment #9)
> $ WINEPREFIX=/tmp/test programs/wineboot/wineboot &> /tmp/wpc.log

duh.
$ WINEPREFIX=/tmp/test tools/wineprefixcreate &> /tmp/wpc.log
--- Comment #11 from Arno Schuring aelschuring@hotmail.com 2008-09-26 12:46:25 ---
Created an attachment (id=16282) --> (http://bugs.winehq.org/attachment.cgi?id=16282)
gdb debug session of wineboot with backtraces

gdb backtrace of the installed wine-1.1.5
I'm sorry about the missing symbols, but I don't think there's much I can do about it - I'm not about to recompile all packages on this Ubuntu box. I'm currently recompiling 1.1.5 again, I'll see if I can get a more meaningful backtrace from that.
Arno Schuring aelschuring@hotmail.com changed:
What              |Removed      |Added
----------------------------------------------------------------------------
Attachment #16282 |0            |1
    is obsolete   |             |

--- Comment #12 from Arno Schuring aelschuring@hotmail.com 2008-09-26 14:45:11 ---
Created an attachment (id=16289) --> (http://bugs.winehq.org/attachment.cgi?id=16289)
gdb debug log of wine-1.1.5 in source tree
This is going to be my last action for this; I have no idea what to do next, so I'll leave it up to the experts. Attached is a gdb debug log of a newly-built wine-1.1.5. It shows the same as the previous gdb log, but is now annotated with source code.
It seems to indicate that the second segv (which causes the loop) occurs from within the signal handler. But, as can be seen in the log, gdb bites me with an io error on that memory region. I'm not sure why.
Note that there is a different segv lurking there: RtlImageNtHeader does not check its argument before dereferencing it. This is actually handled correctly by Wine itself, so it may be by design, I wouldn't know.
--- Comment #13 from Arno Schuring aelschuring@hotmail.com 2008-12-07 11:37:12 ---
This appears to be fixed (either via a fix in Wine, or a fix in the OpenGL/Xorg/ati driver stack). I cannot reproduce it anymore. I'm not sure if I should mark it as FIXED or INVALID, since it's not clear where the fix came from, or even if the recursive loop in Wine's error handler is fixed.
Vitaliy Margolen vitaliy@kievinfo.com changed:
What            |Removed      |Added
----------------------------------------------------------------------------
Status          |UNCONFIRMED  |RESOLVED
Resolution      |             |FIXED

--- Comment #14 from Vitaliy Margolen vitaliy@kievinfo.com 2008-12-07 12:05:27 ---
Reported fixed.
Alexandre Julliard julliard@winehq.org changed:
What            |Removed      |Added
----------------------------------------------------------------------------
Status          |RESOLVED     |CLOSED

--- Comment #15 from Alexandre Julliard julliard@winehq.org 2008-12-20 09:05:37 ---
Closing bugs fixed in 1.1.11.