http://bugs.winehq.org/show_bug.cgi?id=18601
Summary: Google Sketchup 7 crashes early in wine's imm.dll
Product: Wine
Version: 1.1.21
Platform: Other
URL: http://sketchup.google.com
OS/Version: other
Status: NEW
Keywords: download, patch, regression
Severity: normal
Priority: P2
Component: -unknown
AssignedTo: wine-bugs@winehq.org
ReportedBy: dank@kegel.com
Not sure when this started; I first noticed it about a month ago.
Sketchup 7 installs, but when you start it up, it crashes with
trace:imm:DllMain 0x7ca20000, 2, (nil)
trace:imm:DllMain 0x7ca20000, 3, (nil)
wine: Unhandled page fault on read access to 0x00000006 at address 0x7ca28f69 (thread 0009), starting debugger...
Backtrace:
=>0 0x7ca28f69 ImmAssociateContext+0x229(hWnd=0x100b6, hIMC=(nil)) [imm32/imm.c:476] in imm32 (0x0032f2d4)
  1 0x02ca9a9e in xul (+0xaa9a9e) (0x0032f304)

or

wine: Unhandled page fault on write access to 0x00000006 at address 0x7cc626d1 (thread 0009), starting debugger...
Backtrace:
=>0 0x7cc626d1 ImmGetContext+0x61(hWnd=0x10038) [imm32/imm.c:1381] in imm32 (0x0032f938)
  1 0x7cc627dd ImmProcessKey+0x3d(hwnd=0x10038, hKL=0x4090409, vKey=39, lKeyData=21823489, unknown=0) [imm32/imm.c:2775] in imm32 (0x0032fa88)
  2 0x7eb28dec peek_message+0x238c(msg=0x142a40, hwnd=(nil), first=0, last=4294967295, flags=83820545, changed_mask=1279) [dlls/user32/message.c:1768] in user32 (0x0032fdb8)

1381 data->IMC.hWnd = hWnd;
In both cases it looks like a bogus small value is in IMM_GetThreadData()->defaultContext. Ignoring that and replacing it with NULL seems to work around the problem; see attached patch.
--- Comment #1 from Dan Kegel dank@kegel.com 2009-05-23 23:31:49 ---
Created an attachment (id=21278)
 --> (http://bugs.winehq.org/attachment.cgi?id=21278)
Superficial patch to avoid the crashes.
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |focht@gmx.net

--- Comment #2 from Anastasius Focht focht@gmx.net 2009-05-24 06:30:34 ---
Hello,
it's not as easy as you think... and it affects many apps that use the browser control. In short: wrong handling of TLS slots in urlmon leads to "reuse" of TLS slots with undefined behaviour in other Wine components (crash at best).
Another app suffering from this: "BinTube" (http://www.bintube.com/player/)
Trace log:
--- snip ---
...
0035:Call user32.PeekMessageW(0032c860,00000000,00000100,0000010f,00000000) ret=08c3b480
0035:Call imm32.ImmProcessKey(00030144,04090409,00000020,00390001,00000000) ret=603cc93f
0035:Call KERNEL32.TlsGetValue(00000000) ret=791ae8cf
0035:Ret KERNEL32.TlsGetValue() retval=001f3348 ret=791ae8cf
0035:Call user32.GetPropW(00030144,791b76c0 L"WineImmHIMCProperty") ret=791b2bb4
0035:Ret user32.GetPropW() retval=00000000 ret=791b2bb4
0035:Call KERNEL32.TlsGetValue(00000000) ret=791ae8cf
0035:Ret KERNEL32.TlsGetValue() retval=001f3348 ret=791ae8cf
0035:trace:seh:raise_exception code=c0000005 flags=0 addr=0x791b2beb ip=791b2beb tid=0035
0035:trace:seh:raise_exception info[0]=00000001
0035:trace:seh:raise_exception info[1]=00000006
0035:trace:seh:raise_exception eax=00030144 ebx=791b94dc ecx=00000000 edx=00000002 esi=0032c384 edi=0032c2f4
0035:trace:seh:raise_exception ebp=0032c188 esp=0032c140 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010202
...
--- snip ---
TLS slot 0 is the interesting one. It's allocated early by IMM. Different run in winedbg, hence different TID:
--- snip ---
Wine-dbg>bt
Backtrace:
=>0 0x7b882040 TlsSetValue(index=0, value=0x1d28d8) [/opt/wine/wine-git/dlls/kernel32/process.c:2421] in kernel32 (0x0033a958)
  1 0x60a3c055 ImmGetContext+0x6f(hWnd=(nil)) [/opt/wine/wine-git/dlls/imm32/imm.c:1380] in imm32 (0x0033a9a8)
  2 0x6087fe5f IME_UpdateAssociation+0x1d(focus=(nil)) [/opt/wine/wine-git/dlls/winex11.drv/ime.c:1036] in winex11 (0x0033a9c8)
  3 0x608b94c7 open_xim+0x977(display=0x7c7952a8) [/opt/wine/wine-git/dlls/winex11.drv/xim.c:502] in winex11 (0x0033aac8)
  4 0x608b956b X11DRV_SetupXIM+0x2a() [/opt/wine/wine-git/dlls/winex11.drv/xim.c:517] in winex11 (0x0033ab08)
  5 0x608adeed x11drv_init_thread_data+0x1ea() [/opt/wine/wine-git/dlls/winex11.drv/x11drv_main.c:660] in winex11 (0x0033ab38)
...
--- snip ---
TID to be sure:
--- snip ---
Wine-dbg>info thread
process  tid      prio (all id:s are in hex)
...
0000001e (D) C:\Program Files\BinTube\BinTube Usenet Reader Pro\BinPlayer.exe
        00000025    0
        00000024    0
        00000023    2
        00000022    0
        0000001f    0 <==
...
--- snip ---
"Reuse" of TLS slot 0 by Gecko:
--- snip ---
Wine-dbg>bt
Backtrace:
=>0 0x7b882040 TlsSetValue(index=0, value=0x20d218) [/opt/wine/wine-git/dlls/kernel32/process.c:2421] in kernel32 (0x0033b698)
  1 0x04c8071e in nspr4 (+0x1071e) (0x0033b6b8)
  2 0x04c80765 in nspr4 (+0x10765) (0x0033b6c8)
  3 0x04c7568b in nspr4 (+0x568b) (0x0033b6d8)
  4 0x0817b148 in xul (+0xbcb148) (0x0033b6f8)
  5 0x0817b167 in xul (+0xbcb167) (0x0033b718)
  6 0x0826d137 in xul (+0xcbd137) (0x0033b728)
  7 0x075b10e1 in xul (+0x10e1) (0x0033b748)
  8 0x7bc47ffd call_dll_entry_point+0x15() in ntdll (0x0033b768)
  9 0x7bc4a3c9 MODULE_InitDLL+0x211(wm=0x208c70, reason=1, lpReserved=(nil)) [/opt/wine/wine-git/dlls/ntdll/loader.c:969] in ntdll (0x0033b8c8)
  10 0x7bc4a757 process_attach+0x197(wm=0x208c70, lpReserved=(nil)) [/opt/wine/wine-git/dlls/ntdll/loader.c:1058] in ntdll (0x0033b928)
  11 0x7bc4a703 process_attach+0x143(wm=0x1fde50, lpReserved=(nil)) [/opt/wine/wine-git/dlls/ntdll/loader.c:1050] in ntdll (0x0033b988)
  12 0x7bc4d3df LdrLoadDll+0x88(path_name=0x208ab0, flags=0, libname=0x33ba28, hModule=0x33b9f0) [/opt/wine/wine-git/dlls/ntdll/loader.c:2015] in ntdll (0x0033b9b8)
  13 0x7b86c9a3 load_library+0x118(libname=0x33ba28, flags=0) [/opt/wine/wine-git/dlls/kernel32/module.c:875] in kernel32 (0x0033ba08)
...
--- snip ---
TID to be sure it's the same thread:
--- snip ---
Wine-dbg>info thread
process  tid      prio (all id:s are in hex)
...
0000001e (D) C:\Program Files\BinTube\BinTube Usenet Reader Pro\BinPlayer.exe
        00000025    0
        00000024    0
        00000023    2
        00000022    0
        0000001f    0 <==
...
--- snip ---
My first thought was: "oops, someone corrupted TLS bitmap?" but it wasn't the case. There was indeed a TLS free on slot 0 in between!
--- snip ---
TlsFree () at /opt/wine/wine-git/dlls/kernel32/process.c:2353
2353 {
Wine-dbg>bt
Backtrace:
=>0 0x7b881f22 TlsFree(index=0) [/opt/wine/wine-git/dlls/kernel32/process.c:2353] in kernel32 (0x0033c228)
  1 0x71f06bcb get_notif_hwnd+0x17() [/opt/wine/wine-git/dlls/urlmon/bindprot.c:138] in urlmon (0x0033c278)
  2 0x71f05fe5 Binding_Create+0xa6(mon=0x1fe018, binding_ctx=(nil), url=0x206b68, pbc=0x20bc18, to_obj=1, riid=0x60e05c34, binding=0x33c334) [/opt/wine/wine-git/dlls/urlmon/binding.c:1371] in urlmon (0x0033c2d8)
  3 0x71f0657f start_binding+0x50(mon=0x1fe018, binding_ctx=(nil), url=0x206b68, pbc=0x20bc18, to_obj=1, riid=0x60e05c34, ret=0x33c390) [/opt/wine/wine-git/dlls/urlmon/binding.c:1463] in urlmon (0x0033c358)
  4 0x71f069bf bind_to_object+0x46(mon=0x1fe018, url=0x206b68, pbc=0x20bc18, riid=0x60e05c34, ppv=0x33c434) [/opt/wine/wine-git/dlls/urlmon/binding.c:1539] in urlmon (0x0033c398)
  5 0x71f1cac0 URLMoniker_BindToObject+0x137(iface=0x1fe018, pbc=0x20bc18, pmkToLeft=(nil), riid=0x60e05c34, ppv=0x33c434) [/opt/wine/wine-git/dlls/urlmon/umon.c:212] in urlmon (0x0033c3e8)
  6 0x60df38d0 bind_to_object+0x286(This=0x1d2120, mon=0x1fe018, url=0x1c6ed8, bindctx=0x20bc18, callback=0x1c7928) [/opt/wine/wine-git/dlls/shdocvw/navigate.c:620] in shdocvw (0x0033c4e8)
  7 0x60df3ae9 navigate_bsc+0x147(This=0x1d2120, bsc=0x1c7928, mon=(nil)) [/opt/wine/wine-git/dlls/shdocvw/navigate.c:656] in shdocvw (0x0033c538)
  8 0x60df3b85 navigate_bsc_proc+0x4a(This=0x1d2120, t=0x1c6ec0) [/opt/wine/wine-git/dlls/shdocvw/navigate.c:680] in shdocvw (0x0033c568)
  9 0x60de89fc process_dochost_task+0x20(This=0x1d2120, lparam=1863360) [/opt/wine/wine-git/dlls/shdocvw/dochost.c:45] in shdocvw (0x0033c588)
  10 0x60df4836 shell_embedding_proc+0xb2(hwnd=0xd00c6, msg=1792, wParam=0, lParam=1863360) [/opt/wine/wine-git/dlls/shdocvw/oleobject.c:65] in shdocvw (0x0033c5c8)
--- snip ---
This free leads to reuse of TLS slot 0 by a different component, assigning other data structures. When IMM later queries TLS slot 0, because it still thinks it owns it, bogus values are retrieved, leading to a crash.
The offending code:

--- snip dlls/urlmon/urlmon_main.c ---
tls_data_t *get_tls_data(void)
{
    tls_data_t *data;

    if(!urlmon_tls) {
        DWORD tls = TlsAlloc();
        tls = InterlockedCompareExchange((LONG*)&urlmon_tls, tls, 0);
        if(tls != urlmon_tls)
            TlsFree(tls);
    }

    data = TlsGetValue(urlmon_tls);
    if(!data) {
        data = heap_alloc_zero(sizeof(tls_data_t));
        if(!data)
            return NULL;

        EnterCriticalSection(&tls_cs);
        list_add_tail(&tls_list, &data->entry);
        LeaveCriticalSection(&tls_cs);

        TlsSetValue(urlmon_tls, data);
    }

    return data;
}
--- snip dlls/urlmon/urlmon_main.c ---
TLS slot 0 is a valid value, hence you can't use the "zero" value as "TLS slot not allocated yet" (use TLS_OUT_OF_INDEXES or a flag). This applies to the InterlockedCompareExchange() and urlmon_tls comparisons scattered throughout the code. Also, trying to free the slot doesn't make sense here.
You might want to check other Wine components for incorrect "!tls_slot" idioms.
Regards
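
The failure sequence described in comment #2, replayed as an added example (not Wine code and not the attached patch). A constructed single-threaded slot table stands in for kernel32's TLS functions; `lazy_init_buggy` follows the same steps as the quoted `get_tls_data()`, `lazy_init_fixed` is one way to write the check with a `TLS_OUT_OF_INDEXES`-style sentinel, and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#define SLOTS 8u
#define OUT_OF_INDEXES 0xFFFFFFFFu  /* same value as Win32 TLS_OUT_OF_INDEXES */
/* Constructed single-threaded slot table standing in for TlsAlloc/TlsFree. */
static int used[SLOTS];
static void *value[SLOTS];

static uint32_t slot_alloc(void) {
    for (uint32_t i = 0; i < SLOTS; i++)
        if (!used[i]) { used[i] = 1; value[i] = NULL; return i; }
    return OUT_OF_INDEXES;
}
static void slot_free(uint32_t i) { if (i < SLOTS) used[i] = 0; }

/* Same steps as the quoted get_tls_data(): 0 doubles as "not allocated". */
static void lazy_init_buggy(uint32_t *idx) {
    if (*idx) return;
    uint32_t tls = slot_alloc();
    uint32_t old = *idx;              /* compare-exchange returns the old value */
    if (old == 0) *idx = tls;
    if (old != *idx) slot_free(old);  /* old is 0: frees slot 0, owned elsewhere */
}

/* Sentinel that is never a valid index; free only the slot we allocated. */
static void lazy_init_fixed(uint32_t *idx) {
    if (*idx != OUT_OF_INDEXES) return;
    uint32_t tls = slot_alloc();
    if (*idx == OUT_OF_INDEXES) *idx = tls;  /* exchange succeeded */
    else slot_free(tls);                     /* lost a race: drop our own slot */
}

/* Returns 1 if the first allocator (IMM in the report) still reads its data. */
static int owner_keeps_slot(int fixed) {
    static int imm_data, other_data;
    uint32_t lib = fixed ? OUT_OF_INDEXES : 0;
    for (uint32_t i = 0; i < SLOTS; i++) { used[i] = 0; value[i] = NULL; }
    uint32_t imm = slot_alloc();          /* gets slot 0 */
    value[imm] = &imm_data;
    if (fixed) lazy_init_fixed(&lib); else lazy_init_buggy(&lib);
    uint32_t other = slot_alloc();        /* later allocator, Gecko in the report */
    value[other] = &other_data;
    return value[imm] == &imm_data;
}

int main(void) {
    printf("buggy: %d, fixed: %d\n", owner_keeps_slot(0), owner_keeps_slot(1));
    return 0;
}
```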
--- Comment #3 from Jacek Caban jacek@codeweavers.com 2009-05-24 11:17:54 ---
Created an attachment (id=21288)
 --> (http://bugs.winehq.org/attachment.cgi?id=21288)
Use TLS_OUT_OF_INDEXES as an invalid TLS value.
Great analysis, thanks! I've attached a patch that fixes the bug.
--- Comment #4 from Vitaliy Margolen vitaliy@kievinfo.com 2009-05-24 11:36:01 ---
Same in mshtml:
dlls/mshtml/main.c:47:DWORD mshtml_tls = 0;
--- Comment #5 from Dan Kegel dank@kegel.com 2009-05-24 18:04:04 ---
Jacek, your patch does seem to fix the problem. Thanks to both of you for your quick action.
--- Comment #6 from Saulius K. saulius2@gmail.com 2009-05-25 14:08:36 ---
Rise of Nations demo seems to suffer from the same regression, which is caused by commit bee36fe8315cdacf2d71a903ab524c929e645122.
And it also gets fixed by Jacek's patch.
Ken Sharp kennybobs@o2.co.uk changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #7 from Ken Sharp kennybobs@o2.co.uk 2009-05-25 14:44:55 ---
Patch committed.
http://source.winehq.org/git/wine.git?a=commit;h=08d8a5ea259cd93f3f0fae3d467...
Ken Sharp kennybobs@o2.co.uk changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |9027
Vitaliy Margolen vitaliy@kievinfo.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bugzilla_new@arcor.de

--- Comment #8 from Vitaliy Margolen vitaliy@kievinfo.com 2009-05-25 20:14:46 ---
*** Bug 18624 has been marked as a duplicate of this bug. ***
diafero@arcor.de changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |diafero@arcor.de

--- Comment #9 from diafero@arcor.de 2009-05-26 14:44:56 ---
*** Bug 18609 has been marked as a duplicate of this bug. ***
Ken Sharp kennybobs@o2.co.uk changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kennybobs@o2.co.uk

--- Comment #10 from Ken Sharp kennybobs@o2.co.uk 2009-05-26 22:57:14 ---
*** Bug 18547 has been marked as a duplicate of this bug. ***
Ken Sharp kennybobs@o2.co.uk changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |rmlipman@gmail.com

--- Comment #11 from Ken Sharp kennybobs@o2.co.uk 2009-05-28 22:18:06 ---
*** Bug 18685 has been marked as a duplicate of this bug. ***
Ken Sharp kennybobs@o2.co.uk changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |drkguy.spam@gmail.com

--- Comment #12 from Ken Sharp kennybobs@o2.co.uk 2009-06-01 09:18:07 ---
*** Bug 18731 has been marked as a duplicate of this bug. ***
Ken Sharp kennybobs@o2.co.uk changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |cyberyoyo21@hotmail.com

--- Comment #13 from Ken Sharp kennybobs@o2.co.uk 2009-06-02 15:44:34 ---
*** Bug 18630 has been marked as a duplicate of this bug. ***
Nikolay Sivov bunglehead@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |danny@orionrobots.co.uk

--- Comment #14 from Nikolay Sivov bunglehead@gmail.com 2009-06-04 08:20:51 ---
*** Bug 18739 has been marked as a duplicate of this bug. ***
Alexandre Julliard julliard@winehq.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #15 from Alexandre Julliard julliard@winehq.org 2009-06-05 12:46:39 ---
Closing bugs fixed in 1.1.23.
Ken Sharp kennybobs@o2.co.uk changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |tjandacw@yahoo.com

--- Comment #16 from Ken Sharp kennybobs@o2.co.uk 2009-06-10 11:56:27 ---
*** Bug 18801 has been marked as a duplicate of this bug. ***
Saulius K. saulius2@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |saulius2@gmail.com
Ken Sharp kennybobs@o2.co.uk changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
      Fixed by SHA1|                            |08d8a5ea259cd93f3f0fae3d467
                   |                            |cd4524b550abd
Jerome Leclanche adys.wh@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |adys.wh@gmail.com
    Regression SHA1|                            |bee36fe8315cdacf2d71a903ab5
                   |                            |24c929e645122
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           Hardware|Other                       |x86
            Summary|Google Sketchup 7 crashes   |Many games and applications
                   |early in wine's imm.dll     |crash due to incorrect
                   |                            |handling of TLS slots in
                   |                            |urlmon (Google Sketchup 7,
                   |                            |TomeRaider3, Sling Player
                   |                            |2.0, Counter Strike Source,
                   |                            |Troopmaster 2009, Warhammer
                   |                            |Online)
          Component|-unknown                    |urlmon
                 OS|other                       |Linux
                URL|http://sketchup.google.com  |https://web.archive.org/web
                   |                            |/20120726023942/http://dl.g
                   |                            |oogle.com/sketchup/gsu7/PW-
                   |                            |2-1-6860-EN.exe