Re: Corrupted heap

From: Vincent Richomme
Subject: Re: Corrupted heap
Date: Wed, 17 Mar 2010 19:34:17 +0100
User-agent: RoundCube Webmail/0.2
> Hi,
>
> I wanted to debug ProjectCenter and I started with gdb:
>
> Reading symbols from C:\Developer\Mingw-NG\GNUstep\System\Applications\ProjectCenter.app/./ProjectCenter.exe...done.
> (gdb) r
> Starting program: C:\Developer\Mingw-NG\GNUstep\System\Applications\ProjectCenter.app/./ProjectCenter.exe
> [New Thread 3144.0xf24]
> warning: Can not parse XML library list; XML support was disabled at
> compile time
> warning: HEAP[ProjectCenter.exe]:
> warning: Invalid Address specified to RtlFreeHeap( 003E0000, 004D005C )
>
>
> Program received signal SIGTRAP, Trace/breakpoint trap.
> 0x7c91120f in ?? ()
>
> First I thought it was because of the fact I was using msys/mingw, and
> everyone says that it's not a very well supported environment.
> So I tried with my old Visual Studio and I could see something similar:
>
> ProjectCenter
> ------------------------------------------
> HEAP[ProjectCenter.exe]: Invalid Address specified to RtlFreeHeap( 003E0000, 00760065 )
> Windows has triggered a breakpoint in ProjectCenter.exe.
> This may be due to a corruption of the heap, which indicates a bug in
> ProjectCenter.exe or any of the DLLs it has loaded.
> This may also be due to the user pressing F12 while ProjectCenter.exe has
> focus.
>
>
>> ntdll.dll!DbgBreakPoint()
> [Frames below may be incorrect and/or missing, no symbols loaded for
> ntdll.dll]
> ntdll.dll!RtlpNtMakeTemporaryKey() + 0x6735 bytes
> ntdll.dll!RtlpNtMakeTemporaryKey() + 0x6b72 bytes
> ntdll.dll!RtlpNtMakeTemporaryKey() + 0x7d5a bytes
> ntdll.dll!LdrAlternateResourcesEnabled() + 0x33bd bytes
> ntdll.dll!RtlOemStringToUnicodeString() + 0xee bytes
> msvcrt.dll!free() + 0xc3 bytes
> gnustep-gui-0_17.dll!initialize_gnustep_backend() + 0x147ee bytes
> gnustep-gui-0_17.dll!initialize_gnustep_backend() + 0x12a61 bytes
> gnustep-gui-0_17.dll!GSCurrentContext() + 0x722d bytes
> gnustep-gui-0_17.dll!GSCurrentContext() + 0x9e9a bytes
> gnustep-gui-0_17.dll!GSCurrentContext() + 0x4d5f bytes
> gnustep-gui-0_17.dll!GSCurrentContext() + 0x7b49 bytes
> gnustep-base-1_19.dll!NSExtraRefCount() + 0xc07 bytes
> libffi-5.dll!ffi_call_SYSV() + 0x17 bytes
> libffi-5.dll!ffi_call() + 0x8c bytes
> gnustep-base-1_19.dll!GSFFIInvokeWithTargetAndImp() + 0x29 bytes
> gnustep-base-1_19.dll!GSFFIInvokeWithTargetAndImp() + 0x1d9 bytes
> gnustep-base-1_19.dll!GSPrivateLoadModule() + 0xbe2 bytes
> libffi-5.dll!ffi_closure_SYSV_inner() + 0x87 bytes
> libffi-5.dll!ffi_closure_SYSV() + 0x1e bytes
> gnustep-gui-0_17.dll!gsapp_user_bundles() + 0x10a3 bytes
> objc-1.dll!objc_msg_sendv() + 0x1bc bytes
> objc-1.dll!objc_msg_lookup() + 0x176 bytes
> gnustep-gui-0_17.dll!gsapp_user_bundles() + 0x326a bytes
> gnustep-gui-0_17.dll!GSGuiBundle() + 0xd3b bytes
> gnustep-gui-0_17.dll!gsapp_user_bundles() + 0x1fad bytes
> gnustep-gui-0_17.dll!NSApplicationMain() + 0xf8 bytes
> ProjectCenter.exe!main() + 0x21 bytes
> ProjectCenter.exe!004013b9()
> ntdll.dll!NtQueryPerformanceCounter() + 0xc bytes
> kernel32.dll!QueryPerformanceCounter() + 0x14 bytes
> 0000a6b8()
>
OK, so let's start with this one. If I am not mistaken,
initialize_gnustep_backend() has address 0x63AE0860+0x147ee=0x63AE0860.
At this address I can find:

.text:63AF5040 loc_63AF5040: ; CODE XREF: _bitmapIsJPEG+84j
.text:63AF5040 mov eax, [ebp+var_290]
.text:63AF5046 mov [esp+2B8h+var_2B8], eax
.text:63AF5049 call free
.text:63AF504E lea eax, [ebp+var_2A8]
.text:63AF5054 mov [ebp+var_290], 0
.text:63AF505E mov [esp+2B8h+var_2B8], eax
.text:63AF5061 call jpeg_destroy_decompress
.text:63AF5066 add esp, 2B4h
.text:63AF506C xor eax, eax
.text:63AF506E pop ebx
.text:63AF506F pop ebp
.text:63AF5070 retn
.text:63AF5070 _bitmapIsJPEG endp
So in the method + (BOOL) _bitmapIsJPEG: (NSData *)imageData
the call to gs_jpeg_memory_src_destroy(&cinfo) seems to be the guilty one:

/* Return YES if this looks like a JPEG. */
+ (BOOL) _bitmapIsJPEG: (NSData *)imageData
{
  struct jpeg_decompress_struct cinfo;
  ... BLABLA ...

  // establish return context for error handling
  if (setjmp(jerrMgr.setjmpBuffer))
    {
      gs_jpeg_memory_src_destroy(&cinfo);
      jpeg_destroy_decompress(&cinfo);
      return NO;
    }
  ... BLABLA ...
  return YES;
}

Are you sure you need to call free here? I suppose &cinfo->src is
not yet valid.
What do you think ?
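The failure mode this reply points at is a general one: an error handler reached via setjmp/longjmp frees a struct field that nothing has initialised yet. Note that 0x63AE0860 + 0x147ee resolves to 0x63AF504E, which in the listing is the instruction right after the `call free` in _bitmapIsJPEG's cleanup path, so the return address on the Windows stack is consistent with that free() being the one RtlFreeHeap rejected. The C below is an added illustration written for this thread; it is not GNUstep or libjpeg code, and every name in it (mem_src, tracked_free, run_probe, STACK_GARBAGE) is hypothetical. It replaces the real heap with a small tracking allocator so that freeing a pointer the allocator never handed out is reported as a return code instead of a debugger break, and it contrasts the error path with an uninitialised src slot against the same path with src set to NULL before setjmp().

```c
#include <setjmp.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example, not GNUstep code. Models a libjpeg-style decompress struct
 * whose error_exit() longjmp()s back to the caller, which then frees the
 * source manager. Every name below is hypothetical. */
struct mem_src { const unsigned char *data; size_t len; };  /* memory source stand-in */
struct decompress {
    struct mem_src *src;        /* the field freed on the error path */
    jmp_buf *error_target;      /* where error_exit() jumps back to */
};

/* Tracking allocator: tracked_free() reports an address it never handed out
 * (the check the Windows heap performs before breaking into the debugger)
 * instead of touching memory it does not own. */
#define MAX_LIVE 16
static void *live[MAX_LIVE];
static int live_count;          /* blocks still allocated; 0 means no leak */

static void *tracked_malloc(size_t n)
{
    void *p = malloc(n);
    if (p != NULL && live_count < MAX_LIVE) live[live_count++] = p;
    return p;
}

static int tracked_free(void *p) /* 0 = live block freed, -1 = bogus address */
{
    for (int i = 0; i < live_count; i++)
        if (live[i] == p) { live[i] = live[--live_count]; free(p); return 0; }
    return -1;
}

static void error_exit(struct decompress *c) { longjmp(*c->error_target, 1); }

static void mem_src_create(struct decompress *c, const unsigned char *d, size_t n)
{
    c->src = tracked_malloc(sizeof *c->src);
    if (c->src == NULL) error_exit(c);
    c->src->data = d;
    c->src->len = n;
}

/* Teardown as the disassembly shows it: free the block, then clear the slot.
 * The NULL check only helps if src really was NULL beforehand. */
static int mem_src_destroy(struct decompress *c)
{
    int rc = (c->src != NULL) ? tracked_free(c->src) : 0;
    c->src = NULL;
    return rc;
}

enum fail_point { FAIL_BEFORE_SRC, FAIL_AFTER_SRC, NO_FAIL };

/* Deterministic stand-in for whatever an uninitialised src slot contains;
 * the value is borrowed from the report purely for readability. */
#define STACK_GARBAGE ((struct mem_src *)(uintptr_t)0x004D005Cu)

/* One decode attempt. init_src_null selects the hardened variant: src is
 * NULLed before setjmp(), so an early error_exit() finds nothing to free.
 * Returns 0 on a clean teardown, -1 if free() was given a bogus address.
 * cinfo is static so the setjmp/longjmp rules on modified automatic
 * variables cannot leave it indeterminate after the jump. */
static int run_probe(enum fail_point when, int init_src_null)
{
    static struct decompress cinfo;
    jmp_buf jb;

    cinfo.src = init_src_null ? NULL : STACK_GARBAGE;
    cinfo.error_target = &jb;
    if (setjmp(jb))
        return mem_src_destroy(&cinfo);   /* error path, as in _bitmapIsJPEG */

    if (when == FAIL_BEFORE_SRC) error_exit(&cinfo); /* e.g. inside jpeg_create_decompress */
    mem_src_create(&cinfo, NULL, 0);
    if (when == FAIL_AFTER_SRC) error_exit(&cinfo);  /* e.g. header rejected later */
    return mem_src_destroy(&cinfo);                  /* normal teardown */
}

int main(void)
{
    printf("early error, src garbage : %d\n", run_probe(FAIL_BEFORE_SRC, 0));
    printf("early error, src NULLed  : %d\n", run_probe(FAIL_BEFORE_SRC, 1));
    printf("late error, src valid    : %d\n", run_probe(FAIL_AFTER_SRC, 0));
    printf("no error                 : %d\n", run_probe(NO_FAIL, 1));
    printf("blocks still live        : %d\n", live_count);
    return 0;
}
```

The first probe is the shape of the bug under discussion: the error handler fires before the source manager exists, so the destroy routine hands a stack leftover to free(), which is exactly the kind of address the Windows heap refuses. The second probe shows that a NULL check in the destroy routine is only sufficient if the slot is cleared (or the whole struct zeroed) before the first point at which the error handler can be entered; the third shows the same path is fine once src is a real allocation. In the real code the equivalent would be to make sure cinfo.src is NULL before jpeg_create_decompress() can call error_exit, and to have gs_jpeg_memory_src_destroy() tolerate a NULL src.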