Discussion of bugs and problems found in Altap Salamander. In your reports, please be as descriptive as possible, and report one incident per report. Do not post crash reports here, send us the generated bug report by email instead, please.
Does the issue come from TGit or Salamander? I'm also worried about the potential security issue.
"Theory is when you know something, but it doesn't work. Practice is when something works, but you don't know why. Programmers combine theory and practice: Nothing works and they don't know why."
It looks like some bug in the TortoiseGIT shell extension (probably the icon overlay handler). Did you install a new version of TortoiseGIT recently? We didn't change code related to shell extensions in AS 3.01 and 3.02...
I assume Salamander didn't report the bug using our bug reporting system because it was handled by your WinDBG session?
Could you reproduce it again and send us a bug report using our system?
TGit 1.8.8.0 is the latest version. I can't remember when AS started to crash. It only happens when I do a full boot of Win8 or a reboot and don't use hibernation. I've uploaded all dumps with the reporting tool, so maybe you can find them in your system.
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
*** ERROR: Module load completed but symbols could not be loaded for salamand.exe
APPLICATION_VERIFIER_LOCKS_LOCK_IN_UNLOADED_DLL (201)
Unloading DLL containing an active critical section.
This stop is generated if a DLL has a global variable containing a critical section
and the DLL is unloaded but the critical section has not been deleted. To debug
this stop use the following debugger commands:
$ du parameter3 - to dump the name of the culprit DLL.
$ .reload dllname or .reload dllname = parameter4 - to reload the symbols for that DLL.
$ !cs -s parameter1 - dump information about this critical section.
$ ln parameter1 - to show symbols near the address of the critical section.
This should help identify the leaked critical section.
$ dps parameter2 - to dump the stack trace for this critical section initialization.
Arguments:
Arg1: 000000005b53a560, Critical section address. Run !cs -s <address> to get more information.
Arg2: 000000000131f3e0, Critical section initialization stack trace. Run dps <address> to dump the stack trace.
Arg3: 0000000003b9bec2, DLL name address.
Arg4: 000000005b4e0000, DLL base address.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for salrtl9.dll -
EXCEPTION_RECORD: ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 000007ff8ce4a7fc (verifier!VerifierStopMessageEx+0x00000000000006d0)
ExceptionCode: 80000003 (Break instruction exception)
ExceptionFlags: 00000000
NumberParameters: 1
Parameter[0]: 0000000000000000
DEFAULT_BUCKET_ID: STATUS_BREAKPOINT
PROCESS_NAME: salamand.exe
CRITICAL_SECTION: 000000005b53a560 -- (!cs -s 000000005b53a560)
ERROR_CODE: (NTSTATUS) 0x80000003 - {AUSNAHME} Haltepunkt Im Quellprogramm wurde ein Haltepunkt erreicht.
EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - Mindestens ein Argument ist ungültig.
EXCEPTION_PARAMETER1: 0000000000000000
NTGLOBALFLAG: 2000100
APPLICATION_VERIFIER_FLAGS: 48004
APP: salamand.exe
BUGCHECK_STR: APPLICATION_FAULT_STATUS_BREAKPOINT
STACK_TEXT:
00000000`0122ce90 000007ff`8ce4a7fc verifier!VerifierStopMessageEx+0x6d0
00000000`0122d210 000007ff`8ce5557b verifier!AVrfpFreeMemLockChecks+0xef
00000000`0122d270 000007ff`8ce527dc verifier!AVrfpFreeMemNotify+0x38
00000000`0122d2a0 000007ff`8ce537a7 verifier!AVrfpDllUnloadCallback+0x3f
00000000`0122d760 000007ff`af52fecd ntdll!AVrfDllUnloadNotification+0x95
00000000`0122d790 000007ff`af56d089 ntdll!LdrpUnloadNode+0xbc719
00000000`0122d7d0 000007ff`af47da96 ntdll!LdrpDecrementNodeLoadCount+0x101
00000000`0122d800 000007ff`af47d268 ntdll!LdrUnloadDll+0x34
00000000`0122d840 000007ff`ac43290a kernelbase!FreeLibrary+0x22
00000000`0122d870 00000000`5b57150e tortoisegitstub!DllCanUnloadNow+0x2e
00000000`0122d8a0 000007ff`acdd9885 combase!CClassCache::CDllPathEntry::CanUnload_rl+0xb5
00000000`0122d8d0 000007ff`acd707f3 combase!CClassCache::CleanUpDllsForApartment+0x1c3
00000000`0122ded0 000007ff`acd7031b combase!FinishShutdown+0x112
00000000`0122df70 000007ff`acd6fb15 combase!ApartmentUninitialize+0xe5
00000000`0122e000 000007ff`acd704fa combase!wCoUninitialize+0x197
00000000`0122e030 000007ff`acd675ab combase!CoUninitialize+0x143
00000000`0122e090 000007ff`8ce5a66f verifier!AVrfpCoUninitialize+0x1b
00000000`0122e0e0 000007ff`add74b3c ole32!OleUninitialize+0x15c
00000000`0122e110 000007f7`e1ebca46 salamand+0x11ca46
00000000`0122fad0 000007f7`e1ebcbc6 salamand+0x11cbc6
00000000`0122fb00 000007f7`e1f37e2f salamand+0x197e2f
00000000`0122fbb0 000007f7`e1eb5c9d salamand+0x115c9d
00000000`0122fbe0 000007ff`adad1842 kernel32!BaseThreadInitThunk+0x1a
00000000`0122fc10 000007ff`af48a2b9 ntdll!RtlUserThreadStart+0x1d
STACK_COMMAND: .ecxr ; kb ; dps 122ce90 ; kb
FOLLOWUP_IP:
TortoiseGitStub!DllCanUnloadNow+2e [d:\tortoisegit\src\tortoiseshell\tortoisestub.cpp @ 307]
00000000`5b57150e 33c0 xor eax,eax
FAULTING_SOURCE_FILE: d:\tortoisegit\src\tortoiseshell\tortoisestub.cpp
FAULTING_SOURCE_LINE_NUMBER: 307
SYMBOL_NAME: tortoisegitstub!DllCanUnloadNow+2e
IMAGE_NAME: TortoiseGitStub.dll
FAILURE_BUCKET_ID: STATUS_BREAKPOINT_80000003_TortoiseGitStub.dll!DllCanUnloadNow
BUCKET_ID: APPLICATION_FAULT_STATUS_BREAKPOINT_tortoisegitstub!DllCanUnloadNow+2e
0:000> lmvm TortoiseGitStub
start end module name
00000000`5b570000 00000000`5b58b000 TortoiseGitStub (private pdb symbols) C:\ProgramData\dbg\sym\TortoiseGitStub.pdb\F9D2C8444941442995B21BD7CAE0D1101\TortoiseGitStub.pdb
Loaded symbol image file: TortoiseGitStub.dll
Mapped memory image file: d:\sym\tgitx64\TortoiseGitStub.dll\53961F6F1b000\TortoiseGitStub.dll
Image path: C:\Program Files\TortoiseGit\bin\TortoiseGitStub.dll
Image name: TortoiseGitStub.dll
Timestamp: Mon Jun 09 22:56:15 2014 (53961F6F)
CheckSum: 00025B4C
ImageSize: 0001B000
File version: 1.8.9.0
Product version: 1.8.9.0
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0400.04e4
CompanyName: http://tortoisegit.org/
ProductName: TortoiseGit
InternalName: TortoiseStub.dll
OriginalFilename: TortoiseStub.dll
ProductVersion: 1.8.9.0
FileVersion: 1.8.9.0
FileDescription: TortoiseGit shell extension client
LegalCopyright: Copyright (C) 2012-2013 TortoiseGit, Copyright (C) 2007-2012 TortoiseSVN
0:000> .ecxr ; kp ; dps 122ce90 ; kp
rax=000007ff8ce810a0 rbx=000007ff8ce7e5c8 rcx=000007f7e0fae000
rdx=000000000122b510 rsi=000000005b53a560 rdi=00000000000001ff
rip=000007ff8ce4a7fc rsp=000000000122ce90 rbp=000000000008c000
r8=0000000000000000 r9=000007ff8ce854e0 r10=0000000000000000
r11=000000000122bba8 r12=0000000000000201 r13=00000000000001a1
r14=0000000003b9bec2 r15=000000005b4e0000
iopl=0 nv up ei pl nz na pe nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
verifier!VerifierStopMessageEx+0x6d0:
000007ff`8ce4a7fc cc int 3
*** Stack trace for last set context - .thread/.cxr resets it
Child-SP RetAddr Call Site
00000000`0122ce90 000007ff`8ce5557b verifier!VerifierStopMessageEx+0x6d0
00000000`0122d210 000007ff`8ce527dc verifier!AVrfpFreeMemLockChecks+0xef
00000000`0122d270 000007ff`8ce537a7 verifier!AVrfpFreeMemNotify+0x38
00000000`0122d2a0 000007ff`af52fecd verifier!AVrfpDllUnloadCallback+0x3f
00000000`0122d760 000007ff`af56d089 ntdll!AVrfDllUnloadNotification+0x95
00000000`0122d790 000007ff`af47da96 ntdll!LdrpUnloadNode+0xbc719
00000000`0122d7d0 000007ff`af47d268 ntdll!LdrpDecrementNodeLoadCount+0x101
00000000`0122d800 000007ff`ac43290a ntdll!LdrUnloadDll+0x34
00000000`0122d840 00000000`5b57150e KERNELBASE!FreeLibrary+0x22
(Inline Function) --------`-------- TortoiseGitStub!UnloadRealLibrary+0x18 [d:\tortoisegit\src\tortoiseshell\tortoisestub.cpp @ 220]
00000000`0122d870 000007ff`acdd9885 TortoiseGitStub!DllCanUnloadNow(void)+0x2e [d:\tortoisegit\src\tortoiseshell\tortoisestub.cpp @ 307]
00000000`0122d8a0 000007ff`acd707f3 combase!CClassCache::CDllPathEntry::CanUnload_rl+0xb5
00000000`0122d8d0 000007ff`acd7031b combase!CClassCache::CleanUpDllsForApartment+0x1c3
00000000`0122ded0 000007ff`acd6fb15 combase!FinishShutdown+0x112
00000000`0122df70 000007ff`acd704fa combase!ApartmentUninitialize+0xe5
00000000`0122e000 000007ff`acd675ab combase!wCoUninitialize+0x197
00000000`0122e030 000007ff`8ce5a66f combase!CoUninitialize+0x143
00000000`0122e090 000007ff`add74b3c verifier!AVrfpCoUninitialize+0x1b
00000000`0122e0e0 000007f7`e1ebca46 ole32!OleUninitialize+0x15c
00000000`0122e110 000007f7`e1ebcbc6 salamand+0x11ca46
00000000`0122fad0 000007f7`e1f37e2f salamand+0x11cbc6
00000000`0122fb00 000007f7`e1eb5c9d salamand+0x197e2f
00000000`0122fbb0 000007ff`adad1842 salamand+0x115c9d
00000000`0122fbe0 000007ff`af48a2b9 kernel32!BaseThreadInitThunk+0x1a
00000000`0122fc10 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
00000000`0122ce90 000007ff`8ce7e5c8 verifier!VfProviderLocksBreakDescriptors+0x88
00000000`0122ce98 00000000`0008c000
00000000`0122cea0 000007ff`8ce41a34 verifier!`string'
00000000`0122cea8 000007ff`8ce854e0 verifier!VrfDbgOutputBuffer
00000000`0122ceb0 00000202`00000b50
00000000`0122ceb8 00000000`04db6250
00000000`0122cec0 00000000`5b53a560 TortoiseGit!g_ShellCache+0x11f0
00000000`0122cec8 00000000`04db6330
00000000`0122ced0 00000000`0131f3e0
00000000`0122ced8 00000000`04db63e0
00000000`0122cee0 00000000`03b9bec2
00000000`0122cee8 00000000`04db64b0
00000000`0122cef0 00000000`5b4e0000 TortoiseGit!__imp_?id@?$ctype@_W@std@@2V0locale@2@A
00000000`0122cef8 00000000`04db6550
00000000`0122cf00 000007ff`8ce7fb78 verifier!AVrfpLogEntryMessageEx+0x258
00000000`0122cf08 00000000`04de3820
*** Stack trace for last set context - .thread/.cxr resets it
Child-SP RetAddr Call Site
00000000`0122ce90 000007ff`8ce5557b verifier!VerifierStopMessageEx+0x6d0
00000000`0122d210 000007ff`8ce527dc verifier!AVrfpFreeMemLockChecks+0xef
00000000`0122d270 000007ff`8ce537a7 verifier!AVrfpFreeMemNotify+0x38
00000000`0122d2a0 000007ff`af52fecd verifier!AVrfpDllUnloadCallback+0x3f
00000000`0122d760 000007ff`af56d089 ntdll!AVrfDllUnloadNotification+0x95
00000000`0122d790 000007ff`af47da96 ntdll!LdrpUnloadNode+0xbc719
00000000`0122d7d0 000007ff`af47d268 ntdll!LdrpDecrementNodeLoadCount+0x101
00000000`0122d800 000007ff`ac43290a ntdll!LdrUnloadDll+0x34
00000000`0122d840 00000000`5b57150e KERNELBASE!FreeLibrary+0x22
(Inline Function) --------`-------- TortoiseGitStub!UnloadRealLibrary+0x18 [d:\tortoisegit\src\tortoiseshell\tortoisestub.cpp @ 220]
00000000`0122d870 000007ff`acdd9885 TortoiseGitStub!DllCanUnloadNow(void)+0x2e [d:\tortoisegit\src\tortoiseshell\tortoisestub.cpp @ 307]
00000000`0122d8a0 000007ff`acd707f3 combase!CClassCache::CDllPathEntry::CanUnload_rl+0xb5
00000000`0122d8d0 000007ff`acd7031b combase!CClassCache::CleanUpDllsForApartment+0x1c3
00000000`0122ded0 000007ff`acd6fb15 combase!FinishShutdown+0x112
00000000`0122df70 000007ff`acd704fa combase!ApartmentUninitialize+0xe5
00000000`0122e000 000007ff`acd675ab combase!wCoUninitialize+0x197
00000000`0122e030 000007ff`8ce5a66f combase!CoUninitialize+0x143
00000000`0122e090 000007ff`add74b3c verifier!AVrfpCoUninitialize+0x1b
00000000`0122e0e0 000007f7`e1ebca46 ole32!OleUninitialize+0x15c
00000000`0122e110 000007f7`e1ebcbc6 salamand+0x11ca46
00000000`0122fad0 000007f7`e1f37e2f salamand+0x11cbc6
00000000`0122fb00 000007f7`e1eb5c9d salamand+0x197e2f
00000000`0122fbb0 000007ff`adad1842 salamand+0x115c9d
00000000`0122fbe0 000007ff`af48a2b9 kernel32!BaseThreadInitThunk+0x1a
00000000`0122fc10 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
0:000> !cs -s 000000005b53a560
-----------------------------------------
Critical section = 0x000000005b53a560 (TortoiseGit!g_ShellCache+0x11F0)
DebugInfo = 0x0000000003b47c90
NOT LOCKED
LockSemaphore = 0x0
SpinCount = 0x00000000020007d0
Cannot read structure field value at 0x0000000003b47c92, error 0
So salamand.exe calls ole32!OleUninitialize. Do you do this explicitly to unload DLLs?
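The verifier stop in the dump above fires because a critical section that still lives inside TortoiseGit.dll (Arg1, at g_ShellCache+0x11f0) is still initialised when the stub calls FreeLibrary on that image (Arg4 is its base). The following is an added model of that bookkeeping, not Application Verifier's own code and not code from Altap or TortoiseGit: it records live critical sections, flags any that sit inside an image being unloaded, and shows that deleting the lock before the unload (what DLL_PROCESS_DETACH or the owning object's destructor has to do) clears the report. The image size 0x100000 is a constructed assumption; the addresses are the ones from the stop.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added model of the bookkeeping behind Application Verifier stop 201
 * (LOCK_IN_UNLOADED_DLL). Not the verifier's code: it tracks every critical
 * section that is initialised but not yet deleted, and on DLL unload flags
 * any tracked lock whose address lies inside the unloaded image. */
#define MAX_CS 16

typedef struct {
    uintptr_t   addr;   /* address of the CRITICAL_SECTION object (stop Arg1) */
    const char *site;   /* who initialised it; stands in for the Arg2 stack trace */
    int         active;
} cs_record;

static cs_record g_cs[MAX_CS];

void cs_reset(void) { for (int i = 0; i < MAX_CS; i++) g_cs[i].active = 0; }

/* Hook for InitializeCriticalSection: remember the lock. Returns 0, or -1 if the table is full. */
int cs_init(uintptr_t addr, const char *site) {
    for (int i = 0; i < MAX_CS; i++)
        if (!g_cs[i].active) { g_cs[i].addr = addr; g_cs[i].site = site; g_cs[i].active = 1; return 0; }
    return -1;
}

/* Hook for DeleteCriticalSection: forget the lock. Returns 0, or -1 if it was never initialised. */
int cs_delete(uintptr_t addr) {
    for (int i = 0; i < MAX_CS; i++)
        if (g_cs[i].active && g_cs[i].addr == addr) { g_cs[i].active = 0; return 0; }
    return -1;
}

/* Hook for FreeLibrary: a live critical section inside [base, base+size) is about to
 * become a dangling lock. Returns its address, or 0 if the unload is clean. */
uintptr_t check_unload(uintptr_t base, size_t size) {
    for (int i = 0; i < MAX_CS; i++)
        if (g_cs[i].active && g_cs[i].addr >= base && g_cs[i].addr - base < size)
            return g_cs[i].addr;
    return 0;
}

int main(void) {
    /* Arg1 and Arg4 from the stop above; the image size is a constructed assumption. */
    cs_init(0x5b53a560, "TortoiseGit!g_ShellCache");
    printf("unload with live lock: leaked CS at 0x%lx\n", (unsigned long)check_unload(0x5b4e0000, 0x100000));
    /* What the real DLL must do before the stub's DllCanUnloadNow calls FreeLibrary on it. */
    cs_delete(0x5b53a560);
    printf("unload after DeleteCriticalSection: leaked CS at 0x%lx\n", (unsigned long)check_unload(0x5b4e0000, 0x100000));
    return 0;
}
```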
But I use TGit sometimes, so disabling it is not an option.
Andre.Ziegler wrote: I've uploaded all dumps with the reporting tool. So maybe you can find them in your system.
Did you specify your email and a link to this thread in the Bug Reporting dialog box? I'm unable to find any related report among the AS 3.02 bugs.
If not, could you please do it now?
Andre.Ziegler wrote: So salamand.exe calls ole32!OleUninitialize. Do you do this explicitly to unload dlls?
We call OleInitialize / OleUninitialize on Salamander start / end. We also call this pair at runtime, but it is probably ignored:
The OleInitialize and OleUninitialize calls must be balanced — if there are multiple calls to the OleInitialize function, there must be the same number of calls to OleUninitialize; only the OleUninitialize call corresponding to the OleInitialize call that actually initialized the library can close it.
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
FAULTING_IP:
ntdll!RtlpLowFragHeapAllocateFromZone+149
000007fd`33321bb7 cd29 int 29h
EXCEPTION_RECORD: ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 000007fd33321bb7 (ntdll!RtlpLowFragHeapAllocateFromZone+0x0000000000000149)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000003
PROCESS_NAME: salamand.exe
ERROR_CODE: (NTSTATUS) 0xc0000409 - Das System hat in dieser Anwendung den Überlauf eines stapelbasierten Puffers ermittelt. Dieser Überlauf könnte einem bösartigen Benutzer ermöglichen, die Steuerung der Anwendung zu übernehmen.
EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - Das System hat in dieser Anwendung den Überlauf eines stapelbasierten Puffers ermittelt. Dieser Überlauf könnte einem bösartigen Benutzer ermöglichen, die Steuerung der Anwendung zu übernehmen.
EXCEPTION_PARAMETER1: 0000000000000003
NTGLOBALFLAG: 400
APPLICATION_VERIFIER_FLAGS: 0
APP: salamand.exe
ANALYSIS_VERSION: 6.3.9600.17029 (debuggers(dbg).140219-1702) x86fre
FAULTING_THREAD: 000000000000123c
BUGCHECK_STR: APPLICATION_FAULT_LIST_ENTRY_CORRUPT_EXPLOITABLE_SEHOP
PRIMARY_PROBLEM_CLASS: LIST_ENTRY_CORRUPT_EXPLOITABLE_SEHOP
DEFAULT_BUCKET_ID: LIST_ENTRY_CORRUPT_EXPLOITABLE_SEHOP
LAST_CONTROL_TRANSFER: from 000007fd3328d998 to 000007fd33321bb7
STACK_TEXT:
00 ntdll!RtlpLowFragHeapAllocateFromZone
01 ntdll!RtlpLowFragHeapAllocFromContext
02 ntdll!RtlAllocateHeap
03 KERNELBASE!LocalAlloc
04 shell32!AllocHashItem
05 shell32!LookupItemInHashTable
06 shell32!LowercaseHashItem
07 shell32!RECOVERY_ENTRY::Load
08 shell32!CLookupTable<CRecoveryTable,RECOVERY_ENTRY>::Load
09 shell32!CRecoveryTable::Load
0a shell32!IconCacheRestore
0b shell32!FileIconInitInternal
0c shell32!`Microsoft::WRL::Module<1,Microsoft::WRL::Details::DefaultModule<5> >::Create'::`2'::`dynamic atexit destructor for 'module''
0d shell32!CFileExtension::_EnsureIconIndex
0e shell32!CFileSysItemString::ClassIconFlags
0f shell32!CFSFolder::_CreateDefExtIcon
10 shell32!CFSFolder::s_GetExtractIcon
11 shell32!CFSFolder::_BindHandler
12 shell32!CFSFolder::GetUIObjectOf
13 salamand
14 salamand
15 salamand
16 salamand
17 salamand
18 salamand
19 salrtl9!endthreadex
1a salrtl9!endthreadex
1b kernel32!BaseThreadInitThunk
1c ntdll!RtlUserThreadStart
FAILURE_BUCKET_ID: LIST_ENTRY_CORRUPT_EXPLOITABLE_SEHOP_c0000409_shell32.dll!AllocHashItem
BUCKET_ID: APPLICATION_FAULT_LIST_ENTRY_CORRUPT_EXPLOITABLE_SEHOP_shell32!AllocHashItem+3a
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:list_entry_corrupt_exploitable_sehop_c0000409_shell32.dll!allochashitem
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Stack Buffer Overrun (/GS Exception) starting at ntdll!RtlpLowFragHeapAllocateFromZone+0x0000000000000149 called from KERNELBASE!LocalAlloc+0x000000000000006e (Hash=0xa8058517.0xad2be1bb)
An overrun of a protected stack buffer has been detected. This is considered exploitable, and must be fixed.