https://bugs.winehq.org/show_bug.cgi?id=54369
Bug ID: 54369
Summary: d2d1:d2d1 test crashes with use-after-free bug when using warn+heap
Product: Wine
Version: 8.0
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: d2d
Assignee: wine-bugs@winehq.org
Reporter: rbernon@codeweavers.com
Distribution: ---
I'm unable to reproduce locally, but it pretty consistently crashes on the Gitlab CI.
The crash happens there:
---
d2d1:d2d1 start dlls/d2d1/tests/d2d1.c
01d4:err:d3d:wined3d_context_gl_update_window Failed to get a device context for window FEEEFEEE.
[New LWP 293]
[New LWP 294]
[New LWP 295]
[New LWP 296]
[New LWP 333]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
YieldProcessor () at ../include/winnt.h:6833
6833 ../include/winnt.h: No such file or directory.

Thread 6 (Thread 0x465fb40 (LWP 333) "wined3d_cs"):
#0 0xf7f9f559 in __kernel_vsyscall ()
#1 0xf7e057c3 in wait4 () from /lib/i386-linux-gnu/libc.so.6
#2 0xf7e05736 in waitpid () from /lib/i386-linux-gnu/libc.so.6
#3 0xf7d7fc9a in ?? () from /lib/i386-linux-gnu/libc.so.6
#4 0xf7f41488 in system_compat () from /lib/i386-linux-gnu/libpthread.so.0
#5 0xf7cc6abc in __wine_dbg_start_debugger () at ../dlls/ntdll/unix/signal_i386.c:1855
#6 segv_handler (signal=11, siginfo=0x7ff8f3cc, sigcontext=0x7ff8f44c) at ../dlls/ntdll/unix/signal_i386.c:1870
#7 <signal handler called>
#8 wined3d_context_gl_update_window (context_gl=0x9d4db0) at ../dlls/wined3d/context_gl.c:1353
#9 wined3d_context_gl_activate (context_gl=context_gl@entry=0x9d4db0, texture=texture@entry=0x594f388, sub_resource_idx=sub_resource_idx@entry=0) at ../dlls/wined3d/context_gl.c:4508
#10 0x00b47c64 in wined3d_context_gl_acquire (device=0x9f3eb8, texture=<optimized out>, sub_resource_idx=<optimized out>) at ../dlls/wined3d/context_gl.c:4579
#11 0x00bea568 in context_acquire (sub_resource_idx=0, texture=0x0, device=0x9f3eb8) at ../dlls/wined3d/wined3d_private.h:6550
#12 texture_resource_unload (resource=0x594f388) at ../dlls/wined3d/texture.c:3625
#13 0x00b5d17b in wined3d_cs_execute_next (queue=0x3a5c3a0, cs=0x3a50020) at ../dlls/wined3d/cs.c:3307
#14 wined3d_cs_run (ctx=<optimized out>) at ../dlls/wined3d/cs.c:3386
#15 0x7b62a290 in WriteTapemark@16 () from /builds/rbernon/wine/usr/local/lib/wine/i386-windows/kernel32.dll
#16 0x7bc5d0d7 in call_thread_func_wrapper () from /builds/rbernon/wine/usr/local/lib/wine/i386-windows/ntdll.dll
#17 0x7bc5d900 in call_thread_func (entry=0xb5d040 <wined3d_cs_run>, arg=0x3a50020) at ../dlls/ntdll/thread.c:270
#18 0x00000000 in ?? ()

Thread 5 (Thread 0x7257cb40 (LWP 296) "d2d1_te:disk$3"):
#0 0xf7f9f559 in __kernel_vsyscall ()
#1 0xf7f3becc in pthread_cond_wait@@GLIBC_2.3.2 () from /lib/i386-linux-gnu/libpthread.so.0
#2 0x794ad4bd in ?? () from /usr/lib/i386-linux-gnu/dri/swrast_dri.so
#3 0xf7f350b4 in start_thread () from /lib/i386-linux-gnu/libpthread.so.0
#4 0xf7e3f2c6 in clone () from /lib/i386-linux-gnu/libc.so.6

Thread 4 (Thread 0x72d7db40 (LWP 295) "d2d1_te:disk$2"):
#0 0xf7f9f559 in __kernel_vsyscall ()
#1 0xf7f3becc in pthread_cond_wait@@GLIBC_2.3.2 () from /lib/i386-linux-gnu/libpthread.so.0
#2 0x794ad4bd in ?? () from /usr/lib/i386-linux-gnu/dri/swrast_dri.so
#3 0xf7f350b4 in start_thread () from /lib/i386-linux-gnu/libpthread.so.0
#4 0xf7e3f2c6 in clone () from /lib/i386-linux-gnu/libc.so.6

Thread 3 (Thread 0x7c7feb40 (LWP 294) "d2d1_te:disk$1"):
#0 0xf7f9f559 in __kernel_vsyscall ()
#1 0xf7f3becc in pthread_cond_wait@@GLIBC_2.3.2 () from /lib/i386-linux-gnu/libpthread.so.0
#2 0x794ad4bd in ?? () from /usr/lib/i386-linux-gnu/dri/swrast_dri.so
#3 0xf7f350b4 in start_thread () from /lib/i386-linux-gnu/libpthread.so.0
#4 0xf7e3f2c6 in clone () from /lib/i386-linux-gnu/libc.so.6

Thread 2 (Thread 0x7cfffb40 (LWP 293) "d2d1_te:disk$0"):
#0 0xf7f9f559 in __kernel_vsyscall ()
#1 0xf7f3becc in pthread_cond_wait@@GLIBC_2.3.2 () from /lib/i386-linux-gnu/libpthread.so.0
#2 0x794ad4bd in ?? () from /usr/lib/i386-linux-gnu/dri/swrast_dri.so
#3 0xf7f350b4 in start_thread () from /lib/i386-linux-gnu/libpthread.so.0
#4 0xf7e3f2c6 in clone () from /lib/i386-linux-gnu/libc.so.6

Thread 1 (Thread 0xf7f6e9c0 (LWP 292) "d2d1_test.exe"):
#0 YieldProcessor () at ../include/winnt.h:6833
#1 wined3d_cs_mt_finish (queue_id=<optimized out>, context=<optimized out>) at ../dlls/wined3d/cs.c:3222
#2 wined3d_cs_mt_finish (context=0x3a50020, queue_id=WINED3D_CS_QUEUE_DEFAULT) at ../dlls/wined3d/cs.c:3214
#3 0x00b657a8 in wined3d_cs_finish (queue_id=WINED3D_CS_QUEUE_DEFAULT, cs=<optimized out>) at ../dlls/wined3d/wined3d_private.h:5141
#4 wined3d_device_uninit_3d (device=device@entry=0x9f3eb8) at ../dlls/wined3d/device.c:1418
#5 0x00bdf810 in wined3d_swapchain_decref (swapchain=0x9d7798) at ../dlls/wined3d/swapchain.c:156
#6 0x68503bb0 in dxgi_device_Release (iface=0x9afab8) at ../dlls/dxgi/device.c:91
#7 dxgi_device_Release (iface=0x9afab8) at ../dlls/dxgi/device.c:79
#8 0x00401e90 in IDXGIDevice_Release (This=<optimized out>) at include/dxgi.h:2118
#9 release_test_context_ (line=line@entry=5857, ctx=ctx@entry=0x7ffd04) at ../dlls/d2d1/tests/d2d1.c:1218
#10 0x0040e650 in test_draw_text_layout (d3d11=0) at ../dlls/d2d1/tests/d2d1.c:5857
#11 0x0043d10b in run_queued_tests () at ../dlls/d2d1/tests/d2d1.c:406
#12 func_d2d1 () at ../dlls/d2d1/tests/d2d1.c:13444
#13 0x0043d533 in run_test (name=0x96f2db "d2d1") at ../include/wine/test.h:718
#14 0x0043f18e in main (argc=2, argv=0x96f2a8) at ../include/wine/test.h:833
#15 0x0043ef1f in mainCRTStartup () at ../dlls/msvcrt/crt_main.c:58
#16 0x7b62a290 in WriteTapemark@16 () from /builds/rbernon/wine/usr/local/lib/wine/i386-windows/kernel32.dll
#17 0x7bc5d0d7 in call_thread_func_wrapper () from /builds/rbernon/wine/usr/local/lib/wine/i386-windows/ntdll.dll
#18 0x7bc5d900 in call_thread_func (entry=0x43eea0 <mainCRTStartup>, arg=0x7ffd1000) at ../dlls/ntdll/thread.c:270
#19 0x00000000 in ?? ()
Olivier F. R. Dierick o.dierick@piezo-forte.be changed:
What    |Removed |Added
----------------------------------------------------------------------------
CC      |        |o.dierick@piezo-forte.be
--- Comment #1 from Olivier F. R. Dierick o.dierick@piezo-forte.be ---
Hello,
Yesterday, I had an application update for Epic Games Launcher, and it stopped working on subsequent restart.
The normal terminal output contains a "Failed to get a device context for window 0000000000F61DB8." error line.
I wonder if it's the same bug.
What happens is that the EGS client window shows for a second or two and then disappears. The process is still running but there is no visible window.
The application uses CEF, which has a history of incompatibilities with hardware acceleration support in Wine.
Should I open another bug for that?
Regards.