I am having a problem with the attached segfault in ie6
I have attached a gdb backtrace and the last part of a relay dump. hModule is 0xfffffffe and gets dereferenced to read e_magic, presumably from the PSP.
Obviously dereferencing 0xfffffffe is not good, and it raises an exception.
The exception is caught and appears to be ignored the first time it occurs but this seems unusual to me
Can anyone shed light on this? Is this normal, or do I have a problem? What's going on here?
More info follows
Bob ============================================================================
Starting program: /opt/cfw/wine/bin/wine iexplore
Program received signal SIGSEGV, Segmentation fault. 0xd1cbfb5f in RtlImageNtHeader (hModule=0xfffffffe) at loader.c:1907 1907 if (dos->e_magic == IMAGE_DOS_SIGNATURE) (gdb) print dos $1 = (IMAGE_DOS_HEADER *) 0xfffffffe
*** Aparrently in this code 1895 /*********************************************************************** 1896 * RtlImageNtHeader (NTDLL.@) 1897 */ 1898 PIMAGE_NT_HEADERS WINAPI RtlImageNtHeader(HMODULE hModule) 1899 { 1900 IMAGE_NT_HEADERS *ret; 1901 1902 __TRY 1903 { 1904 IMAGE_DOS_HEADER *dos = (IMAGE_DOS_HEADER *)hModule; (gdb) 1905 1906 ret = NULL; 1907 if (dos->e_magic == IMAGE_DOS_SIGNATURE) 1908 { 1909 ret = (IMAGE_NT_HEADERS *)((char *)dos + dos->e_lfanew); 1910 if (ret->Signature != IMAGE_NT_SIGNATURE) ret = NULL; 1911 } 1912 } 1913 __EXCEPT(page_fault) 1914 { (gdb) 1915 return NULL; 1916 } 1917 __ENDTRY 1918 return ret; 1919 }
**** Relay output
00b:Ret kernel32.LoadLibraryA() retval=00000000 ret=70c2429c 000b:Call kernel32.GetLastError() ret=70c242a9 000b:Ret kernel32.GetLastError() retval=0000007e ret=70c242a9 000b:Call kernel32.InterlockedExchange(70c2bd84,ffffffff) ret=70c242f0 000b:Ret kernel32.InterlockedExchange() retval=00000000 ret=70c242f0 000b:Call kernel32.GetProcAddress(ffffffff,70c24832 "ApphelpCheckShellObject") ret=70c24399 000b:Call ntdll.RtlInitAnsiString(7fd8dc18,70c24832 "ApphelpCheckShellObject") ret=7fe1e655 000b:Ret ntdll.RtlInitAnsiString() retval=7fd80018 ret=7fe1e655 000b:Call ntdll.LdrGetProcedureAddress(ffffffff,7fd8dc18,00000000,7fd8dc20) ret=7fe1e667
**** GDB Backtrace
(gdb) bt #0 0xd1cbfb5f in RtlImageNtHeader (hModule=0xfffffffe) at loader.c:1907 #1 0xd1cc0018 in RtlImageDirectoryEntryToData (module=0xfffffffe, image=0, dir=0, size=0x7fd8db3c) at loader.c:2025 #2 0xd1cbdcd1 in LdrGetProcedureAddress (module=0xffffffff, name=0x7fd8dc18, ord=0, address=0x7fd8dc20) at loader.c:1154 #3 0xd1ccabcf in call_stdcall_function (func=0xd1cbdc9b <LdrGetProcedureAddress>, nb_args=4, args=0x7fd8dc08) at relay.c:521 #4 0xd1ccb2e0 in RELAY_CallFrom32 (ret_addr=2145511015) at relay.c:603 #5 0xd1d00025 in __wine_spec_exp_ordinals () from /opt/cfw/wine/lib/wine/ntdll.dll.so #6 0xd1ccab7d in call_stdcall_function (func=0x7fe1e62b <GetProcAddress>, nb_args=2, args=0x7fd8dce4) at relay.c:519 #7 0xd1ccb2e0 in RELAY_CallFrom32 (ret_addr=1891779481) at relay.c:603 #8 0x7fec08dd in __wine_spec_forwards () from /opt/cfw/wine/lib/wine/kernel32.dll.so #9 0x70c23bd1 in ?? () #10 0x71191420 in ?? () #11 0x711819aa in ?? () #12 0x7118a3c9 in ?? () #13 0x71165a1c in ?? () #14 0x7fbab1af in WINPROC_wrapper () from /opt/cfw/wine/lib/wine/user32.dll.so #15 0x7fbab61d in WINPROC_CallWndProc (proc=0x71165af5, hwnd=0x20022, msg=129, wParam=0, lParam=2144920548) at ../../windows/winproc.c:418 #16 0x7fbb21a6 in CallWindowProcA (func=0x71165af5, hwnd=0x20022, msg=129, wParam=0, lParam=2144920548) at ../../windows/winproc.c:3202 #17 0x7fbea1f4 in call_window_proc (hwnd=0x20022, msg=129, wparam=0, lparam=2144920548, unicode=0, same_thread=1) at message.c:1521 #18 0x7fbec0cb in SendMessageTimeoutA (hwnd=0x20022, msg=129, wparam=0, lparam=2144920548, flags=0, timeout=4294967295, res_ptr=0x7fd8df78) at message.c:2376 #19 0x7fbec299 in SendMessageA (hwnd=0x20022, msg=129, wparam=0, lparam=2144920548) at message.c:2420 #20 0xd1ccabcf in call_stdcall_function (func=0x7fbec266 <SendMessageA>, nb_args=4, args=0x7fd8e040) at relay.c:521 #21 0xd1ccb2e0 in RELAY_CallFrom32 (ret_addr=2137925787) at relay.c:603 #22 0x7fc3e3a1 in __wine_spec_exp_ordinals () from 
/opt/cfw/wine/lib/wine/user32.dll.so #23 0xd1cca480 in call_cdecl_function (func=0x7f6e23b6 <X11DRV_CreateWindow>, nb_args=3, args=0x7fd8e1c0) at relay.c:462 #24 0xd1ccb2c2 in RELAY_CallFrom32 (ret_addr=2142912231) at relay.c:599 #25 0x7f71a3a1 in __wine_spec_exp_ordinals () from /opt/cfw/wine/lib/wine/x11drv.dll.so #26 0x7fba4554 in CreateWindowExA (exStyle=256, className=0x7fd8e538 "IEFrame", windowName=0x7fd8e74c "Microsoft Internet Explorer", style=47120384, x=-2147483648, y=-2147483648, width=-2147483648, height=-2147483648, parent=0x0, menu=0x94, instance=0x71160000, data=0x7ff39fb8) at ../../windows/win.c:1245 #27 0xd1ccae57 in call_stdcall_function (func=0x7fba43da <CreateWindowExA>, nb_args=12, args=0x7fd8e4fc) at relay.c:535 #28 0xd1ccb2e0 in RELAY_CallFrom32 (ret_addr=1891617362) at relay.c:603 #29 0x7fc3c851 in __wine_spec_exp_ordinals () from /opt/cfw/wine/lib/wine/user32.dll.so #30 0x71181c0e in ?? () #31 0x71181acf in ?? () #32 0x71181a86 in ?? () #33 0x7101f031 in ?? () #34 0x00401ecd in ?? () #35 0x00401f7d in ?? () #36 0x7fe2cbf2 in start_process (arg=0x0) at process.c:1044
Robert Lunnon wrote:
I am having a problem with the attached segfault in ie6
I have attached a gdb backtrace and the last part of a relay dump. hModule is 0xfffffffe and gets dereferenced to read e_magic, presumably from the PSP.
Obviously dereferencing 0xfffffffe is not good which raises an exception
The exception is caught and appears to be ignored the first time it occurs but this seems unusual to me
Can anyone shed light on this, is this normal or do I have a problem. What's going on here ?
This is normal. IE expects a DLL (apphelp.dll?) to be loaded at the point where it does the GetProcAddress and it doesn't do any checking on the return value from GetModuleHandle. The relay dump is consistent with that: LoadLibraryA returns 0 with GetLastError() = 0x7e (ERROR_MOD_NOT_FOUND), and GetProcAddress is then called with 0xffffffff as the module handle. As there is an exception handler in RtlImageNtHeader it shouldn't crash IE and it should fail gracefully; the SIGSEGV you see is most likely just gdb stopping on the signal before Wine's handler gets to run, not an unhandled crash.
Rob