Hi,
Sometimes while browsing the unixfs namespace in the file dialog wine crashes with the following console output:
=============================================================================
wine: Unhandled exception (thread 0009), starting debugger...
WineDbg starting on pid 0x8
Unhandled exception: page fault on read access to 0x00004005 in 32-bit code (0x7b24fbf2).
In 32 bit mode.
Register dump:
 CS:0073 SS:007b DS:007b ES:007b FS:003b GS:0033
 EIP:7b24fbf2 ESP:7b8af188 EBP:7b8af1ac EFLAGS:00210202( - 00 - -RI1)
 EAX:00000000 EBX:7b2e8b70 ECX:78560110 EDX:7b8af258
 ESI:7b2e88f6 EDI:00004001
Stack dump:
0x7b8af188: 00000000 000007d0 7b8af298 00000000
0x7b8af198: 00000008 00000001 7b2e8b70 00000000
0x7b8af1a8: 7b8af1f8 7b8af244 7b2696a2 00004001
0x7b8af1b8: 00000015 00000040 00000000 78561a78
0x7b8af1c8: 78561a78 7b4e8448 7b8af298 00000000
0x7b8af1d8: 7b8af204 7b47bfd1 0036003e 0000004e
Backtrace:
=>1 0x7b24fbf2 DPA_GetPtr+0x32(hdpa=0x4001, nIndex=0x15) [dpa.c:479] in comctl32 (0x7b8af1ac)
  2 0x7b2696a2 LISTVIEW_GetItemT(infoPtr=0x78560110, lpLVItem=0x7b8af258, isW=0x1) [/home/mjung/compile/wine/dlls/comctl32/listview.c:5225] in comctl32 (0x7b8af244)
  3 0x7b273e7a notify_itemactivate+0x6a(infoPtr=0x78560110, htInfo=0x7b8af308) [/home/mjung/compile/wine/dlls/comctl32/listview.c:791] in comctl32 (0x7b8af2d4)
  4 0x7b26fd5f LISTVIEW_LButtonDblClk+0x8f(infoPtr=0x78560110, wKey=0x1, x=0xad, y=0x39) [/home/mjung/compile/wine/dlls/comctl32/listview.c:8103] in comctl32 (0x7b8af334)
...
===============================================================================
As you see, the hdpa parameter to DPA_GetPtr is invalid. The relevant code in LISTVIEW_GetItemT is (dlls/comctl32/listview.c, line 5126):
    /* find the item and subitem structures before we proceed */
    hdpaSubItems = (HDPA)DPA_GetPtr(infoPtr->hdpaItems, lpLVItem->iItem);
    lpItem = (ITEM_INFO *)DPA_GetPtr(hdpaSubItems, 0);
    assert (lpItem);

It's the first call to DPA_GetPtr that crashes. So the structure pointed to by infoPtr seems to be corrupted (infoPtr is a LISTVIEW_INFO *, which represents the listview item and which is given as the first parameter to LISTVIEW_GetItemT).
As I never saw this with the original shfldr_fs.c code, I assume that shfldr_unixfs.c has a memory corruption bug somewhere. I've tried to figure out the problem for some time now, but to no avail.
So my questions are:
1) Can someone give me some advice on how to debug such a problem?
2) Did other people see this bug already?
3) Would valgrind be of help to debug this?
Thanks,