http://bugs.winehq.org/show_bug.cgi?id=31308
Bug #: 31308
Summary: Remote Tools for Visual Studio 2012 RC for Windows on ARM (WoA) crashes due to invalid user TLS register value access
Product: Wine
Version: 1.5.9
Platform: arm
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: -unknown
AssignedTo: wine-bugs@winehq.org
ReportedBy: focht@gmx.net
Classification: Unclassified
Hello,
for André, some toy to play with ;-)
"Remote Tools for Visual Studio 2012 RC" for Windows on ARM (WoA) can be downloaded here:
http://www.microsoft.com/visualstudio/11/en-us/downloads#remote-tools
It crashes on my quad Cortex-A9 based i.mx6 Sabre with Ubuntu Linux 12.04
--- snip ---
Unhandled exception: page fault on read access to 0xc2083992 in 32-bit code (0x00419d44).
Register dump:
 Thumb User Mode
 Pc:419d44 Sp:4134f720 Lr:418ed1 Cpsr:200f0030(--C-)
 r0:0208 r1:0001 r2:4134f7c8 r3:0208 r4:c208398a r5:4134f7c8 r6:0000 r7:4134f728 r8:dddd r9:04e4 r10:0100 Fp:4134f758 Ip:4134f518
Stack dump:
0x4134f720:  00000000 00000000 4134f7c8 00000100
0x4134f730:  00000001 8161b1cd 4134f748 00000100
0x4134f740:  4134f7c8 00000001 4134fd38 00446530
0x4134f750:  000004e4 4006e000 4134f790 00418f91
0x4134f760:  4134fac8 000004e4 00000000 00000000
0x4134f770:  00446998 00446308 42164138 40a72801
Backtrace:
=>0 0x00419d44 in rtools_setup_arm (+0x19d44) (0x4134f758)
  1 0x00418ed1 in rtools_setup_arm (+0x18ed0) (0x4134f758)
0x00419d44: ldr r4, [r4, #8]
Modules:
Module   Address           Debug info  Name (77 modules)
ELF          8000-   12000  Deferred   <wine-loader>
PE         400000-  454000  Export     rtools_setup_arm
ELF      40031000-4003f000  Deferred   libsm.so.6
...
System information:
 Wine build: wine-1.5.9-186-g1f6febe
 Platform: arm
 Host system: Linux
 Host version: 3.2.0-1000-linaro-lt-mx6
--- snip ---
WINEDEBUG=+tid,+seh,+relay doesn't reveal much, might be app init/startup code:
--- snip ---
$ wine ./rtools_setup_arm.exe
...
0024:Call KERNEL32.GetLastError() ret=00416973
0024:Ret  KERNEL32.GetLastError() retval=00000000 ret=00416973
0024:Call KERNEL32.MultiByteToWideChar(000004e4,00000001,4130f7c8 " \x01\x02\x03\x04\x05\x06\x07\x08\t\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94"...,00000100,00000000,00000000) ret=00418e95
0024:Ret  KERNEL32.MultiByteToWideChar() retval=00000100 ret=00418e95
0024:trace:seh:raise_exception info[0]=00000000
0024:trace:seh:raise_exception info[1]=c2083992
0024:trace:seh:raise_exception  Pc:419d44 Sp:4130f720 Lr:418ed1 Cpsr:200f0030 r0:0208 r1:0001 r2:0100 r3:0208
0024:trace:seh:raise_exception  r4:c208398a r5:4130f7c8 r6:0000 r7:4130f728 r8:dddd r9:04e4 r10:0100 Fp:4130f758 Ip:4130f518
0024:trace:seh:call_stack_handlers calling handler at 0x403e3900 code=c0000005 flags=0
0024:Call KERNEL32.UnhandledExceptionFilter(4130f574) ret=403e3964
wine: Unhandled page fault on read access to 0xc2083992 at address 0x419d44 (thread 0024), starting debugger...
0024:trace:seh:start_debugger Starting debugger "winedbg --auto 35 68"
...
--- snip ---
Winedbg's builtin disassembler isn't really helpful, it's missing various thumb(2) opcodes.
Fortunately there is a free IDA 6.2 demo version for Linux which also supports ARM family for download: http://www.hex-rays.com/products/ida/support/download_demo.shtml
This is an invaluable tool which can be used to improve winedbg's disassembler and investigate other problems on ARM.
The code in question:
--- snip ---
...
.text:00419D40 MRC p15, 0, R4,c13,c0, 2
.text:00419D44 LDR R4, [R4,#8]
...
--- snip ---
ARM info center CP15 c13 register summary: http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0388f/CIHFGFG...
Another resource: http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0360f/CACEAIH...
Opcode_2=3 register "TPIDRURO" is actually ARM HW TLS register, used by libc (__get_tls()).
Opcode_2=2 register "TPIDRURW" is "Software Thread ID, User, R/W"
Not sure if this is a "free for use" register or if any user space threading library code actually manages this register. One would have to search eglibc sources for ARM and any userspace libraries mapped into process address space, not part of Wine. The values don't seem very random but they point to invalid (not mapped) memory locations. I couldn't find any MCR opcodes in application code, so it's probably written elsewhere.
This linux kernel patch has a bit of information: http://www.kernelhub.org/?p=2&msg=57979 It got committed to Linux 3.3.5: http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.3.5 (search for TPIDRURW). I'm running 3.2.0 so it's obviously not cleared by kernel side on context switch.
Anyway, I fear this will be most likely upstream if the kernel deliberately clears it on every context switch (starting with 3.3.5).
$ du -sh rtools_setup_arm.exe
16M rtools_setup_arm.exe

$ sha1sum rtools_setup_arm.exe
6f75e6dad60b64e1f074884829b63ca00bcdb531 rtools_setup_arm.exe
Regards
--- Comment #1 from Anastasius Focht focht@gmx.net 2012-07-24 19:17:47 CDT ---
Hello,
until the meaning/working of this "user" TLS register is known we could just write some magic value to it on thread init, forcing an exception on access/dereference. This allows trapping/emulating the TLS access, checking for the magic value and giving back some chunk of good memory. The problem would be newer Linux 3.3.5+ kernels that clear the value on context switch. We would have to analyse the code sequence, looking at previous opcode(s) for "MRC p15, 0, <Rd>, c13, c0, 2" to figure out if this was not a simple null pointer access by other code.
Best solution would be to have the kernel preserve TPIDRURW on context switch so Wine could mimic whatever Windows on ARM does.
Regards
Anastasius Focht focht@gmx.net changed:
What    |Removed |Added
Keywords|        |download
URL     |        |http://www.microsoft.com/visualstudio/11/en-us/downloads#remote-tools
CC      |        |nerv@dawncrow.de
--- Comment #2 from André H. nerv@dawncrow.de 2012-07-25 14:55:07 CDT ---
Hi,
thx for the work ;)
right now i'm on my pandaboard with:
$ uname -a
Linux fedora-arm 3.4.2-3.fc17.armv7hl.omap #1 SMP PREEMPT Tue Jun 12 22:50:46 UTC 2012 armv7l armv7l armv7l GNU/Linux

so this Software Thread ID thing is cleared as you can see here:
Register dump:
 Thumb User Mode
 Pc:419d44 Sp:b634f760 Lr:418ed1 Cpsr:a00f0130(N-C-)
 r0:0208 r1:0001 r2:b634f808 r3:0208 r4:0000 r5:b634f808 r6:0000 r7:b634f768 r8:dddd r9:04e4 r10:0100 Fp:b634f798 Ip:b634f558
Stack dump:
0xb634f760:  00000000 00000000 b634f808 00000100
0xb634f770:  00000001 61a31f45 b634f788 00000100
0xb634f780:  b634f808 00000001 b634fd78 00446530
0xb634f790:  000004e4 b6dd61c0 b634f7d0 00418f91
0xb634f7a0:  b634fb08 000004e4 00000000 00000000
0xb634f7b0:  00446998 00446308 b55af138 b634f701
Backtrace:
=>0 0x00419d44 in rtools_setup_arm (+0x19d44) (0xb634f798)
  1 0x00418ed1 in rtools_setup_arm (+0x18ed0) (0xb634f798)
0x00419d44: ldr r4, [r4, #8]
Modules:
Module   Address           Debug info  Name (57 modules)
ELF          8000-   11000  Deferred   <wine-loader>
PE         400000-  454000  Export     rtools_setup_arm
I'll play a bit with, let's see what happens
--- Comment #3 from André H. nerv@dawncrow.de 2012-07-25 15:25:00 CDT ---
Created attachment 41160 --> http://bugs.winehq.org/attachment.cgi?id=41160
hack
After this patch it gets further and crashes like:
Register dump:
 Thumb User Mode
 Pc:43593a Sp:b55fe3e8 Lr:b607a29c Cpsr:600f0130(-ZC-)
 r0:0000 r1:0001 r2:0000 r3:0000 r4:0000 r5:b63afa68 r6:b63afa68 r7:0152 r8:0050 r9:b6e231ec r10:002d Fp:b55fefac Ip:4348418c
Stack dump:
0xb55fe3e8:  b6de6cc4 00000152 00000000 b55fe4c8
0xb55fe3f8:  00000152 b6de6de8 00000000 00000000
0xb55fe408:  00000000 313107b9 00000000 b6e3f000
0xb55fe418:  00435905 b63afa68 00000152 00000050
0xb55fe428:  b6e231ec b6de83c8 00435905 b63afa68
0xb55fe438:  ffffffff b6df8a90 b6782dcc b55fefac
Backtrace:
=>0 0x0043593a in rtools_setup_arm (+0x3593a) (0xb55fefac)
  1 0xb607a29c CoInitializeEx+0x2cf() in ole32 (0xb55fefac)
  2 0xb607a29c CoInitializeEx+0x2cf() in ole32 (0xb55fefac)
  3 0x313107b9 (0xb55fefac)
  4 0xb63afa68 (0xb55fefac)
0x0043593a: ldr r3, [r3, #44]
Modules:
Module   Address           Debug info  Name (57 modules)
ELF          8000-   11000  Deferred   <wine-loader>
PE         400000-  454000  Export     rtools_setup_arm
could you please be so kind and check out why it crashes there?
--- Comment #4 from Anastasius Focht focht@gmx.net 2012-07-25 16:21:56 CDT ---
Hello André,
I think I figured out what TPIDRURW value means. The routine that accesses it looks like some inlined alloca() implementation for ARM.
I added some comments on what I think it does:
--- snip ---
...
.text:00419D3C SUBS.W R12, SP, R4,LSL#2   ; get end addr of req. buffer
.text:00419D40 MRC p15, 0, R4,c13,c0, 2   ; get TEB
.text:00419D44 LDR R4, [R4,#8]            ; teb->Tib.StackLimit
.text:00419D48 CMP R12, R4
.text:00419D4A BCC loc_419D58             ; doesn't fit, grow active stack
.text:00419D4C SUB.W R4, SP, R12          ; fits, new buffer start
.text:00419D50 BX LR
.text:00419D52 MOVS.W R12, #0
.text:00419D56 B loc_419D48               ; grow the stack
.text:00419D58 PUSH {R5,R6}
.text:00419D5A MOV R6, R12
.text:00419D5C BFC.W R6, #0, #0xC         ; align
.text:00419D60 SUB.W R4, R4, #0x1000      ; move down by PAGE_SIZE
.text:00419D64 LDR R5, [R4]               ; touch the page
                                          ; touching page below teb->Tib.StackLimit should update the field to new limit
                                          ; until DeallocationStack is reached (exhausted)
.text:00419D66 CMP R4, R6
.text:00419D68 BNE loc_419D60
.text:00419D6A POP {R5,R6}
.text:00419D6C SUB.W R4, SP, R12          ; new buffer start
.text:00419D70 BX LR
--- snip ---
I patched Wine to set TPIDRURW to the TEB value for each newly created thread in signal_init_thread(). This should work but unfortunately my kernel doesn't preserve the value of TPIDRURW (gets overwritten).
The crash you're seeing is because of another thread context, where TPIDRURW has been zeroed out again.
For each newly created thread you have to set TPIDRURW to the appropriate TEB and the kernel must be modified to save/restore TPIDRURW value for each thread on context switch (hence this bug is actually upstream).
Regards
Anastasius Focht focht@gmx.net changed:
What   |Removed                                                                                                 |Added
Summary|Remote Tools for Visual Studio 2012 RC for Windows on ARM (WoA) crashes due to invalid user TLS register value access|Remote Tools for Visual Studio 2012 RC for Windows on ARM (WoA) crashes because TPIDRURW (user TLS register) needs to be set to TEB address
--- Comment #5 from Anastasius Focht focht@gmx.net 2012-07-25 16:31:03 CDT ---
Hello,
--- quote ---
(hence this bug is actually upstream).
--- quote ---
I meant the part with Linux kernel not preserving TPIDRURW per thread.
I'll make this bug about Wine needing to set TPIDRURW to TEB address and a separate bug to track the kernel issue (upstream).
Regards
Anastasius Focht focht@gmx.net changed:
What  |Removed |Added
Blocks|        |31322
--- Comment #6 from Anastasius Focht focht@gmx.net 2012-07-25 18:33:00 CDT ---
Hello André,
I found several other inlined code snippets in the app that support the hypothesis that TPIDRURW contains most likely the TEB address for Windows on ARM:
--- snip ---
...
.text:004354DC MRC p15, 0, R3,c13,c0, 2
.text:004354E0 LDR R3, [R3,#0x2C]
...
.text:0043577C MOVS R7, #0
.text:0043577E CMP R0, #1
.text:00435780 LDR.W R2, [R3,R2,LSL#2]    ; R2 = TLS index?
--- snip ---
TEB+0x2C is the pointer to the TLS slots array on Windows x86.
Regards
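As an added worked example (not code from the bug report, from the installer, or from Wine): a C model of the inlined stack-probe routine disassembled in comment #4, built on a constructed 32-bit TEB prefix whose field offsets follow the 32-bit NT_TIB/TEB layout, so that StackLimit sits at +0x08 and ThreadLocalStoragePointer at +0x2C, the two TPIDRURW-relative offsets read by the code in comments #4 and #6. The SP value is taken from the first register dump on the page; the page-aligned StackLimit, the request sizes and the names probe_stack/probe_result_t are assumptions. The model also shows why a cleared TPIDRURW yields the "read access to 0x00000008" fault reported later in the thread: the first dereference is at offset 8 of a null TEB pointer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed 32-bit TEB prefix: only the fields the disassembly touches matter.
   Offsets follow the 32-bit NT_TIB/TEB layout; every field is 4 bytes, no padding. */
typedef struct {
    uint32_t ExceptionList;             /* +0x00 */
    uint32_t StackBase;                 /* +0x04 */
    uint32_t StackLimit;                /* +0x08  LDR R4,[R4,#8]    (comment #4) */
    uint32_t SubSystemTib;              /* +0x0C */
    uint32_t FiberData;                 /* +0x10 */
    uint32_t ArbitraryUserPointer;      /* +0x14 */
    uint32_t Self;                      /* +0x18 */
    uint32_t EnvironmentPointer;        /* +0x1C */
    uint32_t ClientId[2];               /* +0x20 */
    uint32_t ActiveRpcHandle;           /* +0x28 */
    uint32_t ThreadLocalStoragePointer; /* +0x2C  LDR R3,[R3,#0x2C] (comment #6) */
} teb32_t;

#define PAGE_SIZE 0x1000u
#define MAX_TOUCH 64

typedef struct {
    uint32_t size;               /* value left in R4: bytes the caller subtracts from SP */
    uint32_t fault_addr;         /* address the LDR would fault on when the TEB pointer is bad */
    uint32_t touched[MAX_TOUCH]; /* pages the grow loop reads, in order */
    int      ntouched;
} probe_result_t;

/* Model of .text:00419D3C..00419D70 (hypothetical name). sp is the caller's SP,
   nwords the request in 32-bit words (R4 before SUBS.W ... LSL#2), teb what the
   MRC p15,0,Rd,c13,c0,2 read from TPIDRURW. Returns 0 on success, -1 when the
   first dereference of the TEB pointer would fault. */
static int probe_stack(uint32_t sp, uint32_t nwords, const teb32_t *teb, probe_result_t *out)
{
    memset(out, 0, sizeof *out);
    if (teb == NULL) {
        /* A cleared TPIDRURW makes LDR R4,[R4,#8] read address 0 + 8. */
        out->fault_addr = (uint32_t)offsetof(teb32_t, StackLimit);
        return -1;
    }
    uint32_t req   = nwords << 2;                  /* SUBS.W R12, SP, R4,LSL#2 */
    uint32_t r12   = (req > sp) ? 0 : sp - req;    /* borrow -> MOVS.W R12,#0 path */
    uint32_t limit = teb->StackLimit;              /* LDR R4,[R4,#8] */

    if (r12 >= limit) {                            /* CMP R12,R4 ; BCC not taken: fits */
        out->size = sp - r12;                      /* SUB.W R4, SP, R12 */
        return 0;
    }
    /* Grow path: from the current limit, step down one page at a time and read
       each page so the guard-page mechanism moves StackLimit, until the page
       holding the new buffer end is reached. A page-aligned StackLimit is assumed,
       as the real code does. */
    uint32_t target = r12 & ~(PAGE_SIZE - 1);      /* BFC.W R6,#0,#0xC */
    uint32_t page   = limit & ~(PAGE_SIZE - 1);
    while (page != target) {
        page -= PAGE_SIZE;                         /* SUB.W R4,R4,#0x1000 */
        if (out->ntouched < MAX_TOUCH)
            out->touched[out->ntouched] = page;    /* LDR R5,[R4] */
        out->ntouched++;
    }
    out->size = sp - r12;                          /* SUB.W R4, SP, R12 */
    return 0;
}

int main(void)
{
    /* Constructed values: SP from the first register dump on the page and a
       hypothetical page-aligned StackLimit three pages below it. */
    teb32_t teb;
    memset(&teb, 0, sizeof teb);
    teb.StackLimit = 0x4134c000;
    probe_result_t r;

    probe_stack(0x4134f720, 0x100, &teb, &r);      /* 0x400 bytes: fits */
    printf("fits: size=0x%x pages touched=%d\n", r.size, r.ntouched);

    probe_stack(0x4134f720, 0x2000, &teb, &r);     /* 0x8000 bytes: must grow */
    printf("grow: size=0x%x pages touched=%d first=0x%x last=0x%x\n",
           r.size, r.ntouched, r.touched[0], r.touched[r.ntouched - 1]);

    if (probe_stack(0x4134f720, 0x100, NULL, &r) < 0)
        printf("null TEB: fault at 0x%08x\n", r.fault_addr);
    return 0;
}
```

The grow path is the interesting part from a robustness standpoint: the probe relies entirely on the value it reads at TPIDRURW+8, so a register the kernel does not preserve per thread silently turns every large alloca into a read through a stale or null pointer, which is exactly the pattern the backtraces on this page show.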
--- Comment #7 from André H. nerv@dawncrow.de 2012-07-26 15:18:48 CDT ---
(In reply to comment #6)
Hello André,
I found several other inlined code snippets in the app that support the hypothesis that TPIDRURW contains most likely the TEB address for Windows on ARM:
Knowing what to set the register to can easily turn my hack into a valid patch; I'll keep an eye on it.
André H. nerv@dawncrow.de changed:
What                        |Removed |Added
Attachment #41160 is obsolete|0       |1
--- Comment #8 from André H. nerv@dawncrow.de 2012-07-29 07:36:57 CDT ---
Created attachment 41189 --> http://bugs.winehq.org/attachment.cgi?id=41189
patch (TEB)
Does this patch work with your kernel changes?
Anastasius Focht focht@gmx.net changed:
What     |Removed                                                                                                                |Added
Keywords |                                                                                                                       |Installer
Component|-unknown                                                                                                               |ntdll
Summary  |Remote Tools for Visual Studio 2012 RC for Windows on ARM (WoA) crashes because TPIDRURW (user TLS register) needs to be set to TEB address|Remote Tools for Visual Studio 2012 RC installer for Windows on ARM (WoA) crashes because TPIDRURW (user TLS register) needs to be set to TEB address
--- Comment #9 from Anastasius Focht focht@gmx.net 2012-07-29 12:25:22 CDT ---
Hello André,
--- quote ---
Created attachment 41189 [details]
patch (TEB)

Does this patch work with your kernel changes?
--- quote ---
Well, it doesn't crash but the runtime behaviour with your patch is clearly different from mine -> worse.
I found a package from Windows 8 SDK (Windows Performance Toolkit) to contain some PE32 binaries for ARM to play with ("WPTarm-arm_en-us.msi").
I get console output from console apps (synopsys) and one app crashes with unimpl. API backtrace which is completely sane in this case (I'll file a bug later for that) - all with my patch.
Yours doesn't come that far. It complains about missing dlls etc. and silently exits.
Both have the kernel patch applied and only Wine ntdll is different.
Regards
--- Comment #10 from Anastasius Focht focht@gmx.net 2012-07-29 15:33:25 CDT ---
Hello André,
I attached two kernel patches to bug 31322 so you can test your Wine patches too ;-) You need to apply both because TPIDRURW is cleared in your 3.4.x kernel.
http://bugs.winehq.org/attachment.cgi?id=41194 (Patch to revert "ARM: tls: remove covert channel via TPIDRURW")
http://bugs.winehq.org/attachment.cgi?id=41195 (Patch to preserve TPIDRURW per thread to allow TEB access for Windows on ARM applications)
I have an older 3.2 kernel where TPIDRURW is not touched at all (only last patch that implements per thread preservation of TPIDRURW needs to be applied).
Regards
André H. nerv@dawncrow.de changed:
What  |Removed |Added
Blocks|        |32743
André H. nerv@dawncrow.de changed:
What  |Removed |Added
Blocks|        |32755
André H. nerv@dawncrow.de changed:
What                        |Removed |Added
Attachment #41189 is obsolete|0       |1
--- Comment #11 from André H. nerv@dawncrow.de 2013-01-21 13:24:16 CST ---
Created attachment 43280 --> http://bugs.winehq.org/attachment.cgi?id=43280
patch v2 (TEB)
Hi, it's time to get this fixed. @Anastasius Does the attached patch work with your kernel changes? Did you contact the kernel/arm developers? Otherwise I'd be willing to do that.
--- Comment #12 from Anastasius Focht focht@gmx.net 2013-01-21 17:43:53 CST ---
Hello André,
--- quote ---
Hi, it's time to get this fixed. @Anastasius Does the attached patch work with your kernel changes?
--- quote ---
Yep, that's pretty much what I did except I had that one line inline asm after pthread_setspecific without additional function call.
--- quote ---
Did you contact the kernel/arm developers? Otherwise I'd be willing to do that.
--- quote ---
Nope, you can move forward and freely use the kernel patch.
Regards
--- Comment #13 from André H. nerv@dawncrow.de 2013-02-06 09:55:34 CST ---
(In reply to comment #10)
You need to apply both because TPIDRURW is cleared in your 3.4.x kernel.

As I need to test the patch I applied both of yours to my kernel, compiled it, installed it, booted from it, applied my patch to ntdll, compiled that, ran wine putty_arm.exe and it doesn't work:
--- snip ---
Unhandled exception: page fault on read access to 0x00000008 in 32-bit code (0x0044d38c).
--- snip ---
0x0044d388: mrc p15, #0, r4, cr13, cr0, #2
0x0044d38c: ldr r4, [r4, #8]
--- snip ---
what could i have missed?
--- Comment #14 from André H. nerv@dawncrow.de 2013-02-06 14:27:46 CST ---
(In reply to comment #13)
(In reply to comment #10)
You need to apply both because TPIDRURW is cleared in your 3.4.x kernel.

As I need to test the patch I applied both of yours to my kernel, compiled it, installed it, booted from it, applied my patch to ntdll, compiled that, ran wine putty_arm.exe and it doesn't work:
--- snip ---
Unhandled exception: page fault on read access to 0x00000008 in 32-bit code (0x0044d38c).
--- snip ---
0x0044d388: mrc p15, #0, r4, cr13, cr0, #2
0x0044d38c: ldr r4, [r4, #8]
--- snip ---
What could I have missed?

Never mind, I patched _Wine_ wrong, shame on me.
André H. nerv@dawncrow.de changed:
What                        |Removed |Added
Attachment #43280 is obsolete|0       |1
--- Comment #15 from André H. nerv@dawncrow.de 2013-02-08 08:58:28 CST ---
Comment on attachment 43280 --> http://bugs.winehq.org/attachment.cgi?id=43280
patch v2 (TEB)
somehow this bug is fixed by http://source.winehq.org/git/wine.git/commitdiff/b288f7be1860c6373555b3d412f... but i'm not sure as it needs the linux-kernel patch to work.
Anastasius Focht focht@gmx.net changed:
What         |Removed |Added
Fixed by SHA1|        |b288f7be1860c6373555b3d412fe849a656fe165
Status       |NEW     |RESOLVED
Resolution   |        |FIXED
--- Comment #16 from Anastasius Focht focht@gmx.net 2013-02-08 09:06:57 CST ---
Hello André,
yes, it's fixed. The kernel patches are needed though. Thanks.
Regards
Alexandre Julliard julliard@winehq.org changed:
What  |Removed  |Added
Status|RESOLVED |CLOSED
--- Comment #17 from Alexandre Julliard julliard@winehq.org 2013-02-15 14:31:22 CST ---
Closing bugs fixed in 1.5.24.
Anastasius Focht focht@gmx.net changed:
What|Removed                                                              |Added
URL |http://www.microsoft.com/visualstudio/11/en-us/downloads#remote-tools|https://web.archive.org/web/20210719085359/https://download.microsoft.com/download/4/1/5/41524F91-4CEE-416B-BB70-305756373937/VSU4/rtools_setup_arm.exe
--- Comment #18 from Anastasius Focht focht@gmx.net ---
Hello folks,
adding stable download links via Internet Archive for documentation.
Nice overview:
https://web.archive.org/web/20210719085257/https://zzz.buzz/notes/visual-stu... ("Visual Studio Remote Debugger Notes and Downloads")
--- Remote Tools for Visual Studio 2012:
https://web.archive.org/web/20210719085359/https://download.microsoft.com/do...
$ du -sh rtools_setup_arm.exe
19M rtools_setup_arm.exe

$ sha1sum rtools_setup_arm.exe
41e92bb09db780f54a210d921a1120d4d7e98a4d rtools_setup_arm.exe
--- Remote Tools for Visual Studio 2013:
https://web.archive.org/web/20210719084648/http://download.microsoft.com/dow...
$ sha1sum rtools_setup_arm.exe
2f82363adf4b396de9339a2302192fd2713be782 rtools_setup_arm.exe

$ du -sh rtools_setup_arm.exe
20M rtools_setup_arm.exe
--- Remote Tools for Visual Studio 2015:
https://web.archive.org/web/20190111183958/https://download.microsoft.com/do...
$ sha1sum rtools_setup_arm.exe
40192fac8236fa6428c27bfd2f929b7d81562d07 rtools_setup_arm.exe

$ du -sh rtools_setup_arm.exe
21M rtools_setup_arm.exe
Regards