https://bugs.winehq.org/show_bug.cgi?id=39570
Bug ID: 39570
Summary: Multiple application crash handlers fail to load symbol information using 'dbghelp.SymLoadModule64', reporting 'dbghelp:validate_addr64 Unsupported address 0xfffffffffxxxxxxx'
Product: Wine
Version: 1.7.54
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: dbghelp
Assignee: wine-bugs@winehq.org
Reporter: focht@gmx.net
Distribution: ---
Hello folks,
the issue/question was raised in https://bugs.winehq.org/show_bug.cgi?id=32237#c15
--- quote ---
I did try 2012 this time and I end up crashing

fixme:dbghelp:validate_addr64 Unsupported address fffffffff33a0000
err:seh:raise_exception Unhandled exception code c0000005 flags 0 addr 0x7bc3db51

What's wrong with the address?
--- quote ---
Searching the Internet reveals this pattern/message many times - also in Wine Bugzilla - but with no (or even an incorrect) explanation - until now ;-)
On 64-bit Linux machines, the Wine loader allows 32-bit dlls to be mapped at high (>2GB, >3GB) address ranges in 32-bit processes, as it does not have certain (design) restrictions of the 32-bit process address space layout on 64-bit Windows machines (even with /LARGEADDRESSAWARE).
Good case, 32-bit Wine builtin dll mapped < 2 GiB virtual address space range:
--- snip ---
...
0009:Call PE DLL (proc=0x7e1b6838,module=0x7e1b0000 L"wsock32.dll",reason=PROCESS_ATTACH,res=0x1)
...
0027:Call dbghelp.SymLoadModule64(ffffffff,00000000,0b36a960 "C:\windows\system32\wsock32.dll",0b36a988 "wsock32.dll",7e1b0000,00000000,0000e000) ret=005eff32
0027:trace:dbghelp:SymLoadModuleEx (0xffffffff (nil) "C:\windows\system32\wsock32.dll" "wsock32.dll" 7e1b0000 0000e000 (nil) 00000000)
...
0027:trace:dbghelp:SymLoadModuleExW (0xffffffff (nil) L"C:\windows\system32\wsock32.dll" L"wsock32.dll" 7e1b0000 0000e000 (nil) 00000000)
...
0027:trace:dbghelp:elf_load_file Processing elf file 'L"/home/focht/projects/wine/wine.repo/install/bin/../lib/wine/wsock32.dll.so"' at 7e1a2000
...
0027:Ret dbghelp.SymLoadModule64() retval=7e1b0000 ret=005eff32
--- snip ---
Bad case, 32-bit Wine builtin dll mapped near end of 4 GiB virtual address space range:
--- snip ---
...
0009:Call PE DLL (proc=0xf734e3fc,module=0xf72f0000 L"winex11.drv",reason=PROCESS_ATTACH,res=(nil))
...
0027:Call dbghelp.SymLoadModule64(ffffffff,00000000,0b36a960 "C:\windows\system32\winex11.drv",0b36a988 "winex11.drv",f72f0000,ffffffff,00090000) ret=005eff32
0027:trace:dbghelp:SymLoadModuleEx (0xffffffff (nil) "C:\windows\system32\winex11.drv" "winex11.drv" fffffffff72f0000 00090000 (nil) 00000000)
"winex11.drv",ffffffff,2d053b40,0000000c) ret=edbc2fa6
...
0027:trace:dbghelp:SymLoadModuleExW (0xffffffff (nil) L"C:\windows\system32\winex11.drv" L"winex11.drv" fffffffff72f0000 00090000 (nil) 00000000)
0027:fixme:dbghelp:validate_addr64 Unsupported address fffffffff72f0000
...
0027:Ret dbghelp.SymLoadModule64() retval=00000000 ret=005eff32
--- snip ---
In this specific case, the game registered its own crash handler which dumps various debugging information in case of a crash.
'dbghelp.SymLoadModule64' is called by the custom crash handler.
Source: https://source.winehq.org/git/wine.git/blob/1fa7710ff92dd9555b2b4753e22ce5fc...
--- snip ---
DWORD64 WINAPI SymLoadModule64(HANDLE hProcess, HANDLE hFile, PCSTR ImageName,
                               PCSTR ModuleName, DWORD64 BaseOfDll, DWORD SizeOfDll)
{
    return SymLoadModuleEx(hProcess, hFile, ImageName, ModuleName, BaseOfDll, SizeOfDll,
                           NULL, 0);
}
--- snip ---
So how does the high DWORD of the 'BaseOfDll' parameter get the 0xffffffff value?
A few caller frames up in the app crash handler:
--- snip ---
...
005F06D6  8B55 D0        MOV EDX,DWORD PTR SS:[EBP-30]
005F06D9  8B45 CC        MOV EAX,DWORD PTR SS:[EBP-34]
005F06DC  8B4D F8        MOV ECX,DWORD PTR SS:[EBP-8]
005F06DF  52             PUSH EDX
005F06E0  99             CDQ
005F06E1  52             PUSH EDX                       ; high DWORD BaseOfDll
005F06E2  50             PUSH EAX                       ; low DWORD BaseOfDll
005F06E3  8B45 FC        MOV EAX,DWORD PTR SS:[EBP-4]
005F06E6  50             PUSH EAX
005F06E7  51             PUSH ECX
005F06E8  8B4D E8        MOV ECX,DWORD PTR SS:[EBP-18]
005F06EB  56             PUSH ESI
005F06EC  E8 EFF7FFFF    CALL A_Slower.005EFEE0
...
--- snip ---
'winex11.drv' -> 0xf72f0000
Since the highest bit in the low 32-bit 'BaseOfDll' DWORD is set, the 'CDQ' instruction copies the sign (bit 31) of the value in the EAX register into every bit position in the EDX register.
Voila - you get the 0xffffffff EDX value, which is then propagated through the caller chain as the high 32-bit 'BaseOfDll' DWORD to 'dbghelp.SymLoadModule64', leading to symbol load failure and fixme/warning messages.
This should be fixed, allowing symbol information even for dlls mapped in high address range to be loaded.
$ wine --version
wine-1.7.54-261-g61c49bd
Regards
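As an added illustration (not part of the original report or of Wine's code), the following C snippet reproduces the widening shown in the disassembly above: a 32-bit module base pushed as a 64-bit 'BaseOfDll' with CDQ semantics versus a plain zero-extension, plus a check in the spirit of dbghelp's validate_addr64 for a 32-bit target. The helper names and the simplified check are my assumptions, not Wine's implementation.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint32_t DWORD;
typedef uint64_t DWORD64;

/* Mirrors the compiled crash handler: MOV EAX,<base> ; CDQ ; PUSH EDX ; PUSH EAX.
 * CDQ sign-extends EAX into EDX, so any base >= 0x80000000 gets 0xffffffff
 * as its high DWORD. (Added example; helper names are not Wine's.) */
DWORD64 widen_base_cdq(DWORD base)
{
    DWORD edx = (base & 0x80000000u) ? 0xffffffffu : 0u;   /* CDQ */
    return ((DWORD64)edx << 32) | base;                    /* PUSH EDX ; PUSH EAX */
}

/* Correct widening for an unsigned 32-bit base: zero-extend it. */
DWORD64 widen_base_zero_extend(DWORD base)
{
    return (DWORD64)base;
}

/* Check in the spirit of dbghelp's validate_addr64 for a 32-bit target process:
 * nothing can be mapped above 4 GiB, so a non-zero high DWORD is invalid.
 * (Assumed simplification, not Wine's implementation.) */
int base_is_valid_for_32bit_target(DWORD64 base)
{
    return (base >> 32) == 0;
}

int main(void)
{
    /* Module bases taken from the report: one below, one above the 2 GiB boundary. */
    const DWORD bases[] = { 0x7e1b0000u, 0xf72f0000u };
    for (size_t i = 0; i < sizeof bases / sizeof bases[0]; i++) {
        DWORD64 bad  = widen_base_cdq(bases[i]);
        DWORD64 good = widen_base_zero_extend(bases[i]);
        printf("base %08x: cdq -> %016llx (%s), zero-extend -> %016llx (%s)\n",
               bases[i],
               (unsigned long long)bad,  base_is_valid_for_32bit_target(bad)  ? "ok" : "rejected",
               (unsigned long long)good, base_is_valid_for_32bit_target(good) ? "ok" : "rejected");
    }
    return 0;
}
```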
Austin English austinenglish@gmail.com changed:
What      |Removed    |Added
----------------------------------------------------------------------------
CC        |           |austinenglish@gmail.com
Vlad Blanton vblanton@gmail.com changed:
What      |Removed    |Added
----------------------------------------------------------------------------
CC        |           |vblanton@gmail.com
--- Comment #1 from Vlad Blanton vblanton@gmail.com ---
It is possible that this bug is present with Borderlands. I see a similar message when attempting to run the game in explicit directx9 mode, a publicized method for achieving higher frame-rates. See:
https://bugs.winehq.org/show_bug.cgi?id=40291
Anastasius Focht focht@gmx.net changed:
What      |Removed    |Added
----------------------------------------------------------------------------
URL       |           |https://web.archive.org/web/20141116142554/http://web.mit.edu/gambit/summer12/speedoflight/A_Slower_Speed_of_Light.zip
Keywords  |           |download
--- Comment #2 from Anastasius Focht focht@gmx.net ---
Hello folks,
revisiting, still present. Lots of time has passed since the initial report and many bugs have been fixed which triggered app crash handlers. There is always some way - by using a fault injection technique.
Taking the game from bug 32237 as example.
https://web.archive.org/web/20141116142554/http://web.mit.edu/gambit/summer1...
Requirements to fulfil:
* app crash handler is registered
* at least one (builtin) module loaded into > 2GB range
--- snip ---
Base      Module
...
00400000  a slower speed of light.exe
00D50000  rpcrt4.dll
00EA0000  shcore.dll
00ED0000  ole32.dll
01230000  winmm.dll
01350000  msacm32.dll
01390000  oleaut32.dll
015F0000  imm32.dll
01620000  hid.dll
01640000  wsock32.dll
05E20000  mono.dll
06040000  psapi.dll
06050000  mswsock.dll
09130000  d3d9.dll
10000000  setupapi.dll
7A840000  opengl32.dll
7B000000  kernelbase.dll
7B420000  kernel32.dll
7BC30000  ntdll.dll
7DA60000  iphlpapi.dll
7DAB0000  netapi32.dll
7DAF0000  dnsapi.dll
7DB40000  shell32.dll
7E540000  gdi32.dll
7E680000  advapi32.dll
7E720000  ucrtbase.dll
7E830000  user32.dll
7EFD0000  ws2_32.dll
F75A0000  wined3d.dll      <--- suitable
F7B20000  winex11.drv      <--- suitable
--- snip ---
Find suitable place for fault injection:
--- snip ---
006A4780 | 55            | push ebp                              |
006A4781 | 8BEC          | mov ebp,esp                           |
006A4783 | 8B45 08       | mov eax,dword ptr ss:[ebp+8]          |
006A4786 | 83EC 10       | sub esp,10                            |
006A4789 | 56            | push esi                              |
006A478A | 68 C816B800   | push a slower speed of light.B816C8   |
006A478F | A3 C06DC600   | mov dword ptr ds:[C66DC0],eax         |
006A4794 | FF15 6453B200 | call dword ptr ds:[B25364]            | load D3D9.dll
006A479A | 33F6          | xor esi,esi                           |
006A479C | A3 186EC600   | mov dword ptr ds:[C66E18],eax         | lets die here
006A47A1 | 3BC6          | cmp eax,esi                           |
006A47A3 | 75 14         | jne a slower speed of light.6A47B9    |
006A47A5 | 68 B016B800   | push a slower speed of light.B816B0   |
006A47AA | E8 E127F6FF   | call a slower speed of light.606F90   |
006A47AF | 83C4 04       | add esp,4                             |
006A47B2 | 32C0          | xor al,al                             |
006A47B4 | 5E            | pop esi                               |
006A47B5 | 8BE5          | mov esp,ebp                           |
006A47B7 | 5D            | pop ebp                               |
006A47B8 | C3            | ret                                   |
--- snip ---
D3D9.dll -> wined3d = target
Trigger NULL pointer access by patching the game binary:
--- snip ---
006A479C | A3 00000000   | mov dword ptr ds:[0],eax
--- snip ---
--- snip ---
$ pwd
/home/focht/Downloads/A Slower Speed of Light

# backup (copy, so the original stays intact and the copy gets patched)
$ cp 'A Slower Speed of Light.exe' 'A Slower Speed of Light.exe.bak'

$ printf '\x00\x00\x00' | \
  dd of='A Slower Speed of Light.exe' bs=1 seek=2767774 count=3 conv=notrunc
--- snip ---
Run the game:
--- snip ---
$ WINEDEBUG=+seh,+loaddll,+dbghelp wine ./A\ Slower\ Speed\ of\ Light.exe
...
00b0:trace:loaddll:load_so_dll Loaded L"C:\windows\system32\wined3d.dll" at 0xf75a0000: builtin
00b0:trace:loaddll:load_native_dll Loaded L"C:\windows\system32\d3d9.dll" at 0x9130000: PE builtin
00b0:trace:seh:raise_exception code=c0000005 flags=0 addr=0x6a479c ip=006a479c tid=00b0
00b0:trace:seh:raise_exception  info[0]=00000001
00b0:trace:seh:raise_exception  info[1]=00000018
00b0:trace:seh:raise_exception  eax=09130000 ebx=01e073e8 ecx=0911fc90 edx=7bc7f9b9 esi=00000000 edi=00000000
00b0:trace:seh:raise_exception  ebp=0911ff0c esp=0911fef8 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010246
00b0:trace:seh:call_stack_handlers calling handler at 0x7bcd7650 code=c0000005 flags=0
00b0:trace:loaddll:load_native_dll Loaded L"C:\windows\system32\dbghelp.dll" at 0x9260000: PE builtin
00b0:trace:dbghelp:SymInitializeW (FFFFFFFF L".;Z:\home\focht\Downloads\A Slower Speed of Light;Z:\home\focht\Downloads\A Slower Speed of Light;C:\windows;C:\windows\system32;SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols;" 0)
00b0:trace:dbghelp:check_live_target got debug info address 0x7c000000 from PEB 7FFDF000
00b0:trace:dbghelp:get_wine_loader_name returning L"wine"
00b0:trace:dbghelp:elf_load_file Processing elf file 'L"wine"' at 7c000000
00b0:trace:dbghelp:get_wine_loader_name returning L"wine"
00b0:trace:dbghelp:pcs_callback 01B82C10 8 0911D7F8
00b0:trace:dbghelp:SymLoadModuleEx (FFFFFFFF 00000000 "Z:\home\focht\Downloads\A Slower Speed of Light\A Slower Speed of Light.exe" "A Slower Speed of Light.exe" 400000 00945000 00000000 00000000)
00b0:trace:dbghelp:SymLoadModuleExW (FFFFFFFF 00000000 L"Z:\home\focht\Downloads\A Slower Speed of Light\A Slower Speed of Light.exe" L"A Slower Speed of Light.exe" 400000 00945000 00000000 00000000)
00b0:warn:dbghelp:module_is_container_loaded Couldn't find container for L"Z:\home\focht\Downloads\A Slower Speed of Light\A Slower Speed of Light.exe"
00b0:trace:dbghelp:module_new => PE 400000-d45000 L"Z:\home\focht\Downloads\A Slower Speed of Light\A Slower Speed of Light.exe"
00b0:trace:dbghelp:pe_load_stabs failed to load the STABS debug info
00b0:trace:dbghelp:pe_load_dwarf failed to load the DWARF debug info
...
00b0:trace:dbghelp:SymGetModuleInfoW64 FFFFFFFF 1640000 0911D228
00b0:trace:dbghelp:SymLoadModuleEx (FFFFFFFF 00000000 "C:\windows\system32\winex11.drv" "winex11.drv" fffffffff7b30000 00090000 00000000 00000000)
00b0:trace:dbghelp:SymLoadModuleExW (FFFFFFFF 00000000 L"C:\windows\system32\winex11.drv" L"winex11.drv" fffffffff7b30000 00090000 00000000 00000000)
...
00b0:fixme:dbghelp:validate_addr64 Unsupported address fffffffff7b30000
...
00b0:trace:dbghelp:SymGetModuleInfoW64 FFFFFFFF fffffffff7b30000 0911D228
...
00b0:trace:dbghelp:SymGetModuleInfoW64 FFFFFFFF 6050000 0911D228
00b0:trace:dbghelp:SymLoadModuleEx (FFFFFFFF 00000000 "C:\windows\system32\d3d9.dll" "d3d9.dll" 9130000 0010b000 00000000 00000000)
00b0:trace:dbghelp:SymLoadModuleExW (FFFFFFFF 00000000 L"C:\windows\system32\d3d9.dll" L"d3d9.dll" 9130000 0010b000 00000000 00000000)
00b0:warn:dbghelp:module_is_container_loaded Couldn't find container for L"C:\windows\system32\d3d9.dll"
00b0:trace:dbghelp:module_new => PE 9130000-923b000 L"C:\windows\system32\d3d9.dll"
00b0:trace:dbghelp:pe_load_stabs failed to load the STABS debug info
00b0:trace:dbghelp:pe_load_dwarf failed to load the DWARF debug info
00b0:trace:dbghelp:path_find_symbol_file (pcs = 01B82C10, full_path = "/home/focht/projects/wine/mainline-build-i686/dlls/d3d9/d3d9.pdb", guid = {9642e7fd-fb42-11c6-4c4c-44205044422e}, dw1 = 0x00000000, dw2 = 0x00000001, buffer = 0911E3C8)
...
00b0:trace:dbghelp:SymGetModuleInfoW64 FFFFFFFF 9130000 0911D228
00b0:trace:dbghelp:SymLoadModuleEx (FFFFFFFF 00000000 "C:\windows\system32\wined3d.dll" "wined3d.dll" fffffffff75a0000 00160000 00000000 00000000)
00b0:trace:dbghelp:SymLoadModuleExW (FFFFFFFF 00000000 L"C:\windows\system32\wined3d.dll" L"wined3d.dll" fffffffff75a0000 00160000 00000000 00000000)
...
00b0:fixme:dbghelp:validate_addr64 Unsupported address fffffffff75a0000
...
00b0:trace:dbghelp:SymGetLineFromAddr64 FFFFFFFF 0 0911DD98 0911F808
00b0:trace:dbghelp:SymGetModuleInfoW64 FFFFFFFF 0 0911A598
00b0:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7bc56ae5 ip=7bc56ae5 tid=00b0
00b0:trace:seh:raise_exception  info[0]=00000000
00b0:trace:seh:raise_exception  info[1]=00000014
00b0:trace:seh:raise_exception  eax=00000000 ebx=00000000 ecx=0911c244 edx=00000003 esi=00000000 edi=00000000
00b0:trace:seh:raise_exception  ebp=0911c238 esp=0911c220 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010202
00b0:trace:seh:call_stack_handlers calling handler at 0x7bcb25d0 code=c0000005 flags=0
00b0:trace:seh:call_stack_handlers handler at 0x7bcb25d0 returned 2
00b0:trace:seh:call_stack_handlers calling handler at 0x7bcd7650 code=c0000005 flags=10
00b0:trace:seh:call_stack_handlers handler at 0x7bcd7650 returned 1
00b0:err:seh:raise_exception Unhandled exception code c0000005 flags 0 addr 0x7bc56ae5
--- snip ---
There is actually another fault in Wine code itself during the walk, but that's a different issue.
$ sha1sum A_Slower_Speed_of_Light.zip
f722493dd3afc6475500cc296d36f38d824a0d7d  A_Slower_Speed_of_Light.zip

$ du -sh A_Slower_Speed_of_Light.zip
99M     A_Slower_Speed_of_Light.zip

$ wine --version
wine-5.7-97-g7ccc45f754
Regards