--- James Hawkins <truiken@gmail.com> wrote:
> Just because Mozilla is passing a bad memory address doesn't mean it's a bug in Mozilla. For example Mozilla could have requested some information from wine and we gave them the bad memory address.
While that's certainly possible in general, that doesn't appear to be the case here. The bad pointer is the destination address of WideCharToMultiByte, not the source. Typically this will be some buffer or other internal to Mozilla.
I'm not claiming there isn't a bug in Wine. But I think the immediate thing we're seeing is a bug in Mozilla (likely triggered by a bug in Wine.) The nls trace might be interesting, because the source pointer appears to be valid. So, what string are they trying to translate? An error message perhaps? That might point to the cause of the problem.
--Juan
__________________________________ Do you Yahoo!? Yahoo! Small Business - Try our new resources site! http://smallbusiness.yahoo.com/resources/
On Fri, Apr 22, 2005 at 05:18:58PM -0700, Juan Lang wrote:
> --- James Hawkins <truiken@gmail.com> wrote:
> > Just because Mozilla is passing a bad memory address doesn't mean it's a bug in Mozilla. For example Mozilla could have requested some information from wine and we gave them the bad memory address.
> While that's certainly possible in general, that doesn't appear to be the case here. The bad pointer is the destination address of WideCharToMultiByte, not the source. Typically this will be some buffer or other internal to Mozilla.
> I'm not claiming there isn't a bug in Wine. But I think the immediate thing we're seeing is a bug in Mozilla (likely triggered by a bug in Wine.) The nls trace might be interesting, because the source pointer appears to be valid. So, what string are they trying to translate? An error message perhaps? That might point to the cause of the problem.
Well, here is a +relay,+nls log of what's happening just before the invalid memory address gets passed back. I might take a look in the mozilla source in the future, but for now I've got a more nagging bug to look at. I just wanted mozilla installed for the ActiveX component, so that I could install the latest version of World of Warcraft. WoW crashes infrequently, unless there's a lot of action when it crashes very quickly. I'm finally fed up with it, so my bug-fixing priority lies there right now ;)
trace:nls:WideCharToMultiByte cp 0 L"SYSTEMROOT=c:\windows" -> "SYSTEMROOT=c:\windows"
trace:nls:WideCharToMultiByte cp 0 L"TEMP=c:\windows\temp" -> "TEMP=c:\windows\temp"
trace:nls:WideCharToMultiByte cp 0 L"TMP=c:\windows\temp" -> "TMP=c:\windows\temp"
trace:nls:WideCharToMultiByte cp 0 L"USERPROFILE=c:\windows\profiles\alex" -> "USERPROFILE=c:\windows\profiles\alex"
trace:nls:WideCharToMultiByte cp 0 L"windir=c:\windows" -> "windir=c:\windows"
trace:nls:WideCharToMultiByte cp 0 L"winsysdir=c:\windows\system" -> "winsysdir=c:\windows\system"
0011:Call ntdll.RtlReleasePebLock() ret=55a1fac8
0011:Ret ntdll.RtlReleasePebLock() retval=00000000 ret=55a1fac8
0011:Ret kernel32.GetEnvironmentStringsA() retval=55973ff8 ret=572b286c
0011:Call ntdll.RtlAllocateHeap(558c0000,00000000,00000b95) ret=572b297a
0011:Ret ntdll.RtlAllocateHeap() retval=55974ac0 ret=572b297a
0011:Call kernel32.FreeEnvironmentStringsA(55973ff8) ret=572b2907
0011:Call ntdll.RtlFreeHeap(558c0000,00000000,55973ff8) ret=55a2b7bb
0011:Ret ntdll.RtlFreeHeap() retval=00000001 ret=55a2b7bb
0011:Ret kernel32.FreeEnvironmentStringsA() retval=00000001 ret=572b2907
0011:Ret msvcrt.getenv() retval=00000000 ret=60f58ed1
0011:Call msvcrt.calloc(00000001,0000000c) ret=60f53690
0011:Call ntdll.RtlAllocateHeap(558c0000,00000008,0000000c) ret=572beb67
0011:Ret ntdll.RtlAllocateHeap() retval=5595bdc8 ret=572beb67
0011:Ret msvcrt.calloc() retval=5595bdc8 ret=60f53690
0011:Call msvcrt._strdup(60f68168 "cmon") ret=60f536a2
0011:Call ntdll.RtlAllocateHeap(558c0000,00000000,00000005) ret=572bebe7
0011:Ret ntdll.RtlAllocateHeap() retval=5595bde8 ret=572bebe7
0011:Ret msvcrt._strdup() retval=5595bde8 ret=60f536a2
0011:Call msvcrt.getenv(60f664f4 "NSPR_LOG_MODULES") ret=60f58ed1
0011:Ret msvcrt.getenv() retval=00000000 ret=60f58ed1
0011:Call msvcrt.calloc(00000001,0000000c) ret=60f53690
0011:Call ntdll.RtlAllocateHeap(558c0000,00000008,0000000c) ret=572beb67
0011:Ret ntdll.RtlAllocateHeap() retval=55958da8 ret=572beb67
0011:Ret msvcrt.calloc() retval=55958da8 ret=60f53690
0011:Call msvcrt._strdup(60f68164 "io") ret=60f536a2
0011:Call ntdll.RtlAllocateHeap(558c0000,00000000,00000003) ret=572bebe7
0011:Ret ntdll.RtlAllocateHeap() retval=55944fd8 ret=572bebe7
0011:Ret msvcrt._strdup() retval=55944fd8 ret=60f536a2
0011:Call msvcrt.getenv(60f664f4 "NSPR_LOG_MODULES") ret=60f58ed1
0011:Ret msvcrt.getenv() retval=00000000 ret=60f58ed1
0011:Call msvcrt.calloc(00000001,0000000c) ret=60f53690
0011:Call ntdll.RtlAllocateHeap(558c0000,00000008,0000000c) ret=572beb67
0011:Ret ntdll.RtlAllocateHeap() retval=55944ff8 ret=572beb67
0011:Ret msvcrt.calloc() retval=55944ff8 ret=60f53690
0011:Call msvcrt._strdup(60f68160 "mon") ret=60f536a2
0011:Call ntdll.RtlAllocateHeap(558c0000,00000000,00000004) ret=572bebe7
0011:Ret ntdll.RtlAllocateHeap() retval=55945018 ret=572bebe7
0011:Ret msvcrt._strdup() retval=55945018 ret=60f536a2
0011:Call msvcrt.getenv(60f664f4 "NSPR_LOG_MODULES") ret=60f58ed1
0011:Ret msvcrt.getenv() retval=00000000 ret=60f58ed1
0011:Call msvcrt.calloc(00000001,0000000c) ret=60f53690
0011:Call ntdll.RtlAllocateHeap(558c0000,00000008,0000000c) ret=572beb67
0011:Ret ntdll.RtlAllocateHeap() retval=55945038 ret=572beb67
0011:Ret msvcrt.calloc() retval=55945038 ret=60f53690
0011:Call msvcrt._strdup(60f68158 "linker") ret=60f536a2
0011:Call ntdll.RtlAllocateHeap(558c0000,00000000,00000007) ret=572bebe7
0011:Ret ntdll.RtlAllocateHeap() retval=55945058 ret=572bebe7
0011:Ret msvcrt._strdup() retval=55945058 ret=60f536a2
0011:Call msvcrt.getenv(60f664f4 "NSPR_LOG_MODULES") ret=60f58ed1
0011:Ret msvcrt.getenv() retval=00000000 ret=60f58ed1
0011:Call msvcrt.calloc(00000001,0000000c) ret=60f53690
0011:Call ntdll.RtlAllocateHeap(558c0000,00000008,0000000c) ret=572beb67
0011:Ret ntdll.RtlAllocateHeap() retval=55945078 ret=572beb67
0011:Ret msvcrt.calloc() retval=55945078 ret=60f53690
0011:Call msvcrt._strdup(60f68150 "cvar") ret=60f536a2
0011:Call ntdll.RtlAllocateHeap(558c0000,00000000,00000005) ret=572bebe7
0011:Ret ntdll.RtlAllocateHeap() retval=55973ff8 ret=572bebe7
0011:Ret msvcrt._strdup() retval=55973ff8 ret=60f536a2
0011:Call msvcrt.getenv(60f664f4 "NSPR_LOG_MODULES") ret=60f58ed1
0011:Ret msvcrt.getenv() retval=00000000 ret=60f58ed1
0011:Call msvcrt.calloc(00000001,0000000c) ret=60f53690
0011:Call ntdll.RtlAllocateHeap(558c0000,00000008,0000000c) ret=572beb67
0011:Ret ntdll.RtlAllocateHeap() retval=55974018 ret=572beb67
0011:Ret msvcrt.calloc() retval=55974018 ret=60f53690
0011:Call msvcrt._strdup(60f68148 "sched") ret=60f536a2
0011:Call ntdll.RtlAllocateHeap(558c0000,00000000,00000006) ret=572bebe7
0011:Ret ntdll.RtlAllocateHeap() retval=55974038 ret=572bebe7
0011:Ret msvcrt._strdup() retval=55974038 ret=60f536a2
0011:Call msvcrt.getenv(60f664f4 "NSPR_LOG_MODULES") ret=60f58ed1
0011:Ret msvcrt.getenv() retval=00000000 ret=60f58ed1
0011:Call msvcrt.calloc(00000001,0000000c) ret=60f53690
0011:Call ntdll.RtlAllocateHeap(558c0000,00000008,0000000c) ret=572beb67
0011:Ret ntdll.RtlAllocateHeap() retval=55974058 ret=572beb67
0011:Ret msvcrt.calloc() retval=55974058 ret=60f53690
0011:Call msvcrt._strdup(60f68140 "thread") ret=60f536a2
0011:Call ntdll.RtlAllocateHeap(558c0000,00000000,00000007) ret=572bebe7
0011:Ret ntdll.RtlAllocateHeap() retval=55974078 ret=572bebe7
0011:Ret msvcrt._strdup() retval=55974078 ret=60f536a2
0011:Call msvcrt.getenv(60f664f4 "NSPR_LOG_MODULES") ret=60f58ed1
0011:Ret msvcrt.getenv() retval=00000000 ret=60f58ed1
0011:Call msvcrt.calloc(00000001,0000000c) ret=60f53690
0011:Call ntdll.RtlAllocateHeap(558c0000,00000008,0000000c) ret=572beb67
0011:Ret ntdll.RtlAllocateHeap() retval=55974098 ret=572beb67
0011:Ret msvcrt.calloc() retval=55974098 ret=60f53690
0011:Call msvcrt._strdup(60f6813c "gc") ret=60f536a2
0011:Call ntdll.RtlAllocateHeap(558c0000,00000000,00000003) ret=572bebe7
0011:Ret ntdll.RtlAllocateHeap() retval=559740b8 ret=572bebe7
0011:Ret msvcrt._strdup() retval=559740b8 ret=60f536a2
0011:Call msvcrt.getenv(60f664f4 "NSPR_LOG_MODULES") ret=60f58ed1
0011:Ret msvcrt.getenv() retval=00000000 ret=60f58ed1
0011:Call msvcrt.calloc(00000001,0000000c) ret=60f53690
0011:Call ntdll.RtlAllocateHeap(558c0000,00000008,0000000c) ret=572beb67
0011:Ret ntdll.RtlAllocateHeap() retval=559740d8 ret=572beb67
0011:Ret msvcrt.calloc() retval=559740d8 ret=60f53690
0011:Call msvcrt._strdup(60f68138 "shm") ret=60f536a2
0011:Call ntdll.RtlAllocateHeap(558c0000,00000000,00000004) ret=572bebe7
0011:Ret ntdll.RtlAllocateHeap() retval=559740f8 ret=572bebe7
0011:Ret msvcrt._strdup() retval=559740f8 ret=60f536a2
0011:Call msvcrt.getenv(60f664f4 "NSPR_LOG_MODULES") ret=60f58ed1
0011:Ret msvcrt.getenv() retval=00000000 ret=60f58ed1
0011:Call msvcrt.calloc(00000001,0000000c) ret=60f53690
0011:Call ntdll.RtlAllocateHeap(558c0000,00000008,0000000c) ret=572beb67
0011:Ret ntdll.RtlAllocateHeap() retval=55974118 ret=572beb67
0011:Ret msvcrt.calloc() retval=55974118 ret=60f53690
0011:Call msvcrt._strdup(60f68130 "shma") ret=60f536a2
0011:Call ntdll.RtlAllocateHeap(558c0000,00000000,00000005) ret=572bebe7
0011:Ret ntdll.RtlAllocateHeap() retval=55974138 ret=572bebe7
0011:Ret msvcrt._strdup() retval=55974138 ret=60f536a2
0011:Call msvcrt.getenv(60f664f4 "NSPR_LOG_MODULES") ret=60f58ed1
0011:Ret msvcrt.getenv() retval=00000000 ret=60f58ed1
0011:Call kernel32.GetVersionExA(55c089a0) ret=60f61cbc
0011:Call ntdll.RtlGetVersion(55c0877c) ret=55a71f38
0011:Ret ntdll.RtlGetVersion() retval=00000000 ret=55a71f38
trace:nls:WideCharToMultiByte cp 0 L"Service Pack 2" -> "Service Pack 2"
0011:Ret kernel32.GetVersionExA() retval=00000001 ret=60f61cbc
0011:Call kernel32.GetTimeZoneInformation(55c08a34) ret=60f61cd6
0011:Call ntdll.RtlQueryTimeZoneInformation(55c08a34) ret=55a6fae5
0011:Ret ntdll.RtlQueryTimeZoneInformation() retval=00000000 ret=55a6fae5
0011:Call ntdll.NtQuerySystemTime(55c08874) ret=55a6ebc5
0011:Ret ntdll.NtQuerySystemTime() retval=00000000 ret=55a6ebc5
0011:Ret kernel32.GetTimeZoneInformation() retval=00000000 ret=60f61cd6
0011:Call kernel32.WideCharToMultiByte(00000000,00000000,55c08a38 L"GMT Standard Time",ffffffff,99806858,00000020,00000000,00000000) ret=60f61cfd
--- Alex Woods <wine-devel@giblets.org> wrote:
> Well, here is a +relay,+nls log of what's happening just before the invalid memory address gets passed back.
Sweet, this turns up what we're looking for. (That doesn't mean I have a patch though.) Hey James, we're back to it being a Wine bug, though Moz is doing something moderately questionable.
> 0011:Call kernel32.GetTimeZoneInformation(55c08a34) ret=60f61cd6
> 0011:Call ntdll.RtlQueryTimeZoneInformation(55c08a34) ret=55a6fae5
> 0011:Ret ntdll.RtlQueryTimeZoneInformation() retval=00000000 ret=55a6fae5
> 0011:Call ntdll.NtQuerySystemTime(55c08874) ret=55a6ebc5
> 0011:Ret ntdll.NtQuerySystemTime() retval=00000000 ret=55a6ebc5
> 0011:Ret kernel32.GetTimeZoneInformation() retval=00000000 ret=60f61cd6
> 0011:Call kernel32.WideCharToMultiByte(00000000,00000000,55c08a38 L"GMT Standard Time",ffffffff,99806858,00000020,00000000,00000000) ret=60f61cfd
I went over to lxr.mozilla.org/seamonkey and searched for GetTimeZoneInformation. That produced the following file: http://lxr.mozilla.org/seamonkey/source/nsprpub/pr/src/md/windows/ntmisc.c
They're doing a WideCharToMultiByte into the global variable _tzname. As the comment says, perhaps they shouldn't. Anyway, _tzname should live in msvcrt, but our include/msvcrt/time.h has:
/* FIXME: Must do something for _daylight, _dstbias, _timezone, _tzname */
I'm pretty sure we don't support exporting globals from a DLL, so some other trick has to be dreamt up. I'll try to hack something up.
--Juan
__________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
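Juan found the offending call by reading the +relay log until the WideCharToMultiByte line appeared. The following is an added example (editor's code, not Wine's) that does that scan mechanically: it picks out every "Call kernel32.WideCharToMultiByte(...)" line, decodes the source pointer and text, the destination pointer and cbMultiByte, and flags any call whose claimed destination size is larger than a capacity the analyst supplies. It assumes the relay line layout shown in Alex's log; the embedded sample lines are copied from that log, and the 4-byte capacity it compares against is Juan's estimate for a _tzname slot, passed in as a parameter rather than measured.

```c
/* Added example, not Wine code: triage helper for Wine +relay logs.
 * Assumes the line layout of the log posted in this thread. */
#include <stdio.h>
#include <string.h>

struct wc2mb_call {
    unsigned long codepage, flags, src, dst, cb_multi, ret_addr;
    long cch_wide;        /* -1 when the log shows ffffffff */
    char src_text[64];    /* the L"..." text the tracer printed, if any */
};

/* Parses one relay line. Returns 1 and fills *out when the line is a
 * WideCharToMultiByte call, 0 for any other line. */
int parse_wc2mb_call(const char *line, struct wc2mb_call *out)
{
    static const char marker[] = "Call kernel32.WideCharToMultiByte(";
    const char *p = strstr(line, marker);
    unsigned long cch;
    int n;

    if (!p) return 0;
    p += sizeof marker - 1;
    if (sscanf(p, "%lx,%lx,%lx%n", &out->codepage, &out->flags, &out->src, &n) != 3)
        return 0;
    p += n;
    out->src_text[0] = '\0';
    /* The tracer appends L"text" after a readable wide-string pointer. Commas
     * inside that text are not argument separators, so copy up to the closing
     * quote before resuming the numeric parse. */
    if (strncmp(p, " L\"", 3) == 0) {
        const char *q = strchr(p + 3, '"');
        size_t len;
        if (!q) return 0;
        len = (size_t)(q - (p + 3));
        if (len >= sizeof out->src_text) len = sizeof out->src_text - 1;
        memcpy(out->src_text, p + 3, len);
        out->src_text[len] = '\0';
        p = q + 1;
    }
    if (sscanf(p, ",%lx,%lx,%lx%n", &cch, &out->dst, &out->cb_multi, &n) != 3)
        return 0;
    out->cch_wide = (cch == 0xffffffffUL) ? -1L : (long)cch;
    p = strstr(p, "ret=");
    if (!p || sscanf(p, "ret=%lx", &out->ret_addr) != 1)
        return 0;
    return 1;
}

/* A call is suspicious when cbMultiByte claims more room than the destination
 * really has. known_capacity comes from the analyst (here Juan's 4-byte
 * estimate for a _tzname slot), not from the log. */
int claims_too_much_room(const struct wc2mb_call *c, unsigned long known_capacity)
{
    return c->cb_multi > known_capacity;
}

/* Constructed sample: the last lines of the log from this thread. */
static const char *const sample_lines[] = {
    "trace:nls:WideCharToMultiByte cp 0 L\"Service Pack 2\" -> \"Service Pack 2\"",
    "0011:Ret kernel32.GetVersionExA() retval=00000001 ret=60f61cbc",
    "0011:Call kernel32.GetTimeZoneInformation(55c08a34) ret=60f61cd6",
    "0011:Ret kernel32.GetTimeZoneInformation() retval=00000000 ret=60f61cd6",
    "0011:Call kernel32.WideCharToMultiByte(00000000,00000000,55c08a38 L\"GMT Standard Time\",ffffffff,99806858,00000020,00000000,00000000) ret=60f61cfd",
};

/* Scans the sample for WideCharToMultiByte calls; returns how many it found
 * and stores up to max of them in out. */
int scan_sample(struct wc2mb_call *out, int max)
{
    int found = 0;
    size_t i;
    for (i = 0; i < sizeof sample_lines / sizeof sample_lines[0]; i++) {
        struct wc2mb_call c;
        if (parse_wc2mb_call(sample_lines[i], &c)) {
            if (found < max) out[found] = c;
            found++;
        }
    }
    return found;
}

int main(void)
{
    struct wc2mb_call calls[8];
    int i, n = scan_sample(calls, 8);
    for (i = 0; i < n && i < 8; i++)
        printf("WideCharToMultiByte src=%08lx \"%s\" dst=%08lx cb=%lu ret=%08lx%s\n",
               calls[i].src, calls[i].src_text, calls[i].dst, calls[i].cb_multi,
               calls[i].ret_addr,
               claims_too_much_room(&calls[i], 4) ? "  <-- cb exceeds assumed 4-byte slot" : "");
    return 0;
}
```

On a real log, feed each line of the file to parse_wc2mb_call instead of the embedded sample; the dst value of the flagged call is the pointer to look up in the crash report.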
I've sent a patch to wine-patches that works for me. Would you care to try it?
Mozilla is almost certainly wrong, though: the maximum size for the TZ environment variable is 15 chars (16 with the NULL): http://msdn.microsoft.com/library/en-us/vclib/html/_crt__tzset.asp
The corresponding names in _tzname are probably only 3 chars in length, so 4 bytes long including the NULL terminator.
Mozilla is probably scribbling over memory in this case, with who knows what consequences.
--Juan
If that is the case, shouldn't we report it as a bug in Mozilla, and is it possible that Firefox is doing the same thing, but just that nobody has tested it out on wine?
Dustin
Juan Lang wrote:
> I've sent a patch to wine-patches that works for me. Would you care to try it?
> Mozilla is almost certainly wrong, though: the maximum size for the TZ environment variable is 15 chars (16 with the NULL): http://msdn.microsoft.com/library/en-us/vclib/html/_crt__tzset.asp
> The corresponding names in _tzname are probably only 3 chars in length, so 4 bytes long including the NULL terminator.
> Mozilla is probably scribbling over memory in this case, with who knows what consequences.
> --Juan
Juan Lang <juan_lang@yahoo.com> writes:
> Mozilla is almost certainly wrong, though: the maximum size for the TZ environment variable is 15 chars (16 with the NULL): http://msdn.microsoft.com/library/en-us/vclib/html/_crt__tzset.asp
> The corresponding names in _tzname are probably only 3 chars in length, so 4 bytes long including the NULL terminator.
Actually, judging from the pointer values I get on my XP box the buffers seem to be 64 chars long (though I agree they will probably always contain at most 3 chars). Still, I'm not sure why Mozilla feels the need to overwrite them, that doesn't seem right.
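Juan's point above (a _tzname slot is about 4 bytes, and a conversion that hands WideCharToMultiByte 0x20 bytes of room for it would scribble past the end) and Alexandre's (the slots are 64 bytes on XP, but overwriting them is still the wrong thing to do) both come down to one rule: cbMultiByte must never exceed the real capacity of the destination, whatever that capacity turns out to be. The following added example (editor's code, not Wine's, Mozilla's or the CRT's) makes that concrete with a portable, simplified stand-in for the WideCharToMultiByte contract and a constructed model of the two _tzname buffers. narrow_into, tz_globals and TZNAME_BYTES are all assumptions of the example: the size 4 is Juan's estimate and is a parameter, not a measured CRT layout, and the guard field after the buffers exists only so the test can confirm nothing was written past them.

```c
/* Added example, not Wine, Mozilla or CRT code. narrow_into() is a simplified
 * stand-in for WideCharToMultiByte(CP_ACP, 0, src, -1, dst, cbMultiByte, NULL,
 * NULL) that keeps the same contract: cbMultiByte is the destination size in
 * bytes, 0 means "report the size needed", and 0 is returned when the buffer
 * is too small. tz_globals is a constructed model of the two _tzname buffers. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

size_t narrow_into(char *dst, size_t dst_bytes, const wchar_t *src)
{
    size_t i, needed = wcslen(src) + 1;       /* one byte per unit plus NUL */
    if (dst_bytes == 0)
        return needed;                        /* size query, nothing written */
    if (needed > dst_bytes)
        return 0;                             /* ERROR_INSUFFICIENT_BUFFER */
    for (i = 0; i < needed; i++)              /* non-ASCII becomes '?' */
        dst[i] = ((unsigned long)src[i] < 0x80) ? (char)src[i] : '?';
    return needed;
}

#define TZNAME_BYTES 4            /* assumption: Juan's estimate; XP shows 64 */
#define GUARD_VALUE  0xA5A5A5A5u

struct tz_globals {
    char tzname[2][TZNAME_BYTES];
    unsigned int guard;           /* right after the buffers; an overrun would change it */
};

void tz_globals_init(struct tz_globals *g)
{
    memset(g->tzname, 0, sizeof g->tzname);
    g->guard = GUARD_VALUE;
}

int tz_globals_intact(const struct tz_globals *g)
{
    return g->guard == GUARD_VALUE;
}

/* The check the thread says was skipped: query the size first, compare it
 * with the real capacity of the destination, and convert only if it fits.
 * Returns 1 when the name was stored, 0 when it was refused. */
int set_tzname_checked(struct tz_globals *g, int idx, const wchar_t *name)
{
    size_t needed = narrow_into(NULL, 0, name);
    if (idx < 0 || idx > 1 || needed > sizeof g->tzname[idx])
        return 0;
    return narrow_into(g->tzname[idx], sizeof g->tzname[idx], name) != 0;
}

/* Replays the thread's case against 4-byte slots: "GMT" fits, "GMT Standard
 * Time" (18 bytes with NUL) is refused, and the guard stays intact.
 * Returns 1 on exactly that outcome. */
int scenario_small_tzname(void)
{
    struct tz_globals g;
    tz_globals_init(&g);
    if (!set_tzname_checked(&g, 0, L"GMT")) return 0;
    if (strcmp(g.tzname[0], "GMT") != 0) return 0;
    if (set_tzname_checked(&g, 1, L"GMT Standard Time")) return 0;
    return tz_globals_intact(&g);
}

int main(void)
{
    char wide_slot[64];   /* the 64-byte slot Alexandre observed on XP */
    printf("\"GMT Standard Time\" needs %zu bytes\n",
           narrow_into(NULL, 0, L"GMT Standard Time"));
    printf("into a 64-byte slot: wrote %zu bytes\n",
           narrow_into(wide_slot, sizeof wide_slot, L"GMT Standard Time"));
    printf("into a 4-byte slot: wrote %zu bytes (0 = refused)\n",
           narrow_into(wide_slot, 4, L"GMT Standard Time"));
    printf("4-byte _tzname scenario %s\n",
           scenario_small_tzname() ? "behaves as expected" : "FAILED");
    return 0;
}
```

The size-query call is what makes the check independent of the slot size: with 64-byte slots the 18-byte name fits and is stored, with 4-byte slots it is refused, and in neither case does the conversion rely on the caller guessing 0x20.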
On Sat, Apr 23, 2005 at 10:02:09AM -0700, Juan Lang wrote:
> I've sent a patch to wine-patches that works for me. Would you care to try it?
> Mozilla is almost certainly wrong, though: the maximum size for the TZ environment variable is 15 chars (16 with the NULL): http://msdn.microsoft.com/library/en-us/vclib/html/_crt__tzset.asp
> The corresponding names in _tzname are probably only 3 chars in length, so 4 bytes long including the NULL terminator.
> Mozilla is probably scribbling over memory in this case, with who knows what consequences.
Sorry for the slow response, but I've actually spent nearly all day working, so I only just got back to playing with wine.
I updated my CVS checkout as I see the patch had made its way in there, and the mozilla installer works fine now. I'll also add that before the patch the firefox installer crashed in exactly the same way, but now works. Sweet.
Cheers.