AS3.02 (x64) crashes sometimes at start


AS3.02 (x64) crashes sometimes at start

Post by Andre.Ziegler »

For me Salamander crashes on start. Here is what WinDbg tells me from the dmp:

Code:

*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** ERROR: Symbol file could not be found.  Defaulted to export symbols for TortoiseOverlays.dll - 
*** ERROR: Module load completed but symbols could not be loaded for salamand.exe
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for salrtl9.dll - 

FAULTING_IP: 
ntdll!RtlReportCriticalFailure+89
000007ff`aded9a65 eb00            jmp     ntdll!RtlReportCriticalFailure+0x8b (000007ff`aded9a67)

EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 000007ffaded9a65 (ntdll!RtlReportCriticalFailure+0x0000000000000089)
   ExceptionCode: c0000374
  ExceptionFlags: 00000001
NumberParameters: 1
   Parameter[0]: 000007ffadf2dd20

CONTEXT:  0000000000000000 -- (.cxr 0x0;r)
rax=000000000b290000 rbx=0000000000000000 rcx=000000000b290000
rdx=0000000000000000 rsi=0000000000000000 rdi=000000000a290000
rip=000007ffaddf2c2a rsp=000000000abcb2e8 rbp=000000000abcbe90
 r8=0000000000000000  r9=0000000000000040 r10=0000000000000000
r11=0000000000000286 r12=0000000000000000 r13=0000000000000000
r14=000000000a290000 r15=0000000000000000
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
ntdll!NtWaitForSingleObject+0xa:
000007ff`addf2c2a c3              ret

PROCESS_NAME:  salamand.exe

ERROR_CODE: (NTSTATUS) 0xc0000374 - Ein Heap wurde beschädigt.

EXCEPTION_CODE: (NTSTATUS) 0xc0000374 - Ein Heap wurde beschädigt.

EXCEPTION_PARAMETER1:  000007ffadf2dd20

NTGLOBALFLAG:  400

APPLICATION_VERIFIER_FLAGS:  0

APP:  salamand.exe

ANALYSIS_VERSION: 6.3.9600.17029 (debuggers(dbg).140219-1702) amd64fre

BUGCHECK_STR:  APPLICATION_FAULT_ACTIONABLE_HEAP_CORRUPTION_heap_failure_lfh_bitmap_mismatch_EXPLOITABLE

PRIMARY_PROBLEM_CLASS:  ACTIONABLE_HEAP_CORRUPTION_heap_failure_lfh_bitmap_mismatch_EXPLOITABLE

DEFAULT_BUCKET_ID:  ACTIONABLE_HEAP_CORRUPTION_heap_failure_lfh_bitmap_mismatch_EXPLOITABLE

STACK_TEXT:  
000007ff`adf2dd88 000007ff`addf5911 ntdll!RtlpLowFragHeapAllocFromContext+0x35e
000007ff`adf2dd90 000007ff`addf564a ntdll!RtlAllocateHeap+0xfa
000007ff`adf2dd98 000007ff`9e0f6a57 msvcr120!malloc+0x5b
000007ff`adf2dda0 000007ff`9e0f6967 msvcr120!operator new+0x1f
000007ff`adf2dda8 00000000`7068236c tortoisegit!std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >::_Copy+0x9c
000007ff`adf2ddb0 00000000`70682238 tortoisegit!std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >::assign+0xb8
000007ff`adf2ddb8 00000000`7068f8c9 tortoisegit!std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >::substr+0x29
000007ff`adf2ddc0 00000000`706b4628 tortoisegit!CRegStdBase::CRegStdBase+0xc8
000007ff`adf2ddc8 00000000`706b57d4 tortoisegit!CShellExt::CShellExt+0x1a4
000007ff`adf2ddd0 00000000`706b705a tortoisegit!CShellExtClassFactory::CreateInstance+0x6a
000007ff`adf2ddd8 00000000`707319d2 tortoiseoverlays+0x19d2
000007ff`adf2dde0 00000000`7073185b tortoiseoverlays+0x185b
000007ff`adf2dde8 00000000`707312fd tortoiseoverlays+0x12fd
000007ff`adf2ddf0 000007f7`8bca256c salamand+0x14256c
000007ff`adf2ddf8 000007f7`8bca25b6 salamand+0x1425b6
000007ff`adf2de00 000007f7`8bca2c59 salamand+0x142c59
000007ff`adf2de08 000007f7`8bbb7ca2 salamand+0x57ca2
000007ff`adf2de10 000007f7`8bbb9505 salamand+0x59505
000007ff`adf2de18 000007f7`8bbb956a salamand+0x5956a
000007ff`adf2de20 00000000`6fd02a6f salrtl9!endthreadex+0x3f
000007ff`adf2de28 00000000`6fd02b08 salrtl9!endthreadex+0xd8
000007ff`adf2de30 000007ff`adb91842 kernel32!BaseThreadInitThunk+0x1a
000007ff`adf2de38 000007ff`ade0a2b9 ntdll!RtlUserThreadStart+0x1d


FOLLOWUP_IP: 
msvcr120!operator new+1f [f:\dd\vctools\crt\crtw32\heap\new.cpp @ 59]
000007ff`9e0f6967 4885c0          test    rax,rax

FAULTING_SOURCE_LINE:  f:\dd\vctools\crt\crtw32\heap\new.cpp

FAULTING_SOURCE_FILE:  f:\dd\vctools\crt\crtw32\heap\new.cpp

FAULTING_SOURCE_LINE_NUMBER:  59

IMAGE_NAME:  msvcr120.dll

STACK_COMMAND:  dps 7ffadf2dd88 ; kb

FAILURE_BUCKET_ID:  ACTIONABLE_HEAP_CORRUPTION_heap_failure_lfh_bitmap_mismatch_EXPLOITABLE_c0000374_msvcr120.dll!operator_new

BUCKET_ID:  APPLICATION_FAULT_ACTIONABLE_HEAP_CORRUPTION_heap_failure_lfh_bitmap_mismatch_EXPLOITABLE_msvcr120!operator_new+1f

FAILURE_ID_HASH_STRING:  um:actionable_heap_corruption_heap_failure_lfh_bitmap_mismatch_exploitable_c0000374_msvcr120.dll!operator_new



0:010>   dps 7ffadf2dd88 ; kb
000007ff`adf2dd88  000007ff`addf5911 ntdll!RtlpLowFragHeapAllocFromContext+0x35e
000007ff`adf2dd90  000007ff`addf564a ntdll!RtlAllocateHeap+0xfa
000007ff`adf2dd98  000007ff`9e0f6a57 msvcr120!malloc+0x5b
000007ff`adf2dda0  000007ff`9e0f6967 msvcr120!operator new+0x1f
000007ff`adf2dda8  00000000`7068236c TortoiseGit!std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >::_Copy+0x9c
000007ff`adf2ddb0  00000000`70682238 TortoiseGit!std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >::assign+0xb8
000007ff`adf2ddb8  00000000`7068f8c9 TortoiseGit!std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >::substr+0x29
000007ff`adf2ddc0  00000000`706b4628 TortoiseGit!CRegStdBase::CRegStdBase+0xc8
000007ff`adf2ddc8  00000000`706b57d4 TortoiseGit!CShellExt::CShellExt+0x1a4
000007ff`adf2ddd0  00000000`706b705a TortoiseGit!CShellExtClassFactory::CreateInstance+0x6a
000007ff`adf2ddd8  00000000`707319d2 TortoiseOverlays+0x19d2
000007ff`adf2dde0  00000000`7073185b TortoiseOverlays+0x185b
000007ff`adf2dde8  00000000`707312fd TortoiseOverlays+0x12fd
000007ff`adf2ddf0  000007f7`8bca256c salamand+0x14256c
000007ff`adf2ddf8  000007f7`8bca25b6 salamand+0x1425b6
000007ff`adf2de00  000007f7`8bca2c59 salamand+0x142c59
 # RetAddr           : Args to Child                                                           : Call Site
00 000007ff`adeb0ee0 : 00000000`00000000 00000000`0abcb428 00000000`0abcb424 00000000`0abcb440 : ntdll!NtWaitForSingleObject+0xa
01 000007ff`adeb129b : 00000000`00000644 00000000`00000390 00000000`0abcc4f0 01ceb9c2`ebedf471 : ntdll!RtlReportExceptionEx+0x22c
02 000007ff`aded9ae2 : 000007ff`adf2018c 00000000`0abcc4a0 00000000`00000000 ffffffff`ee1e5d00 : ntdll!RtlReportException+0xbb
03 000007ff`ade0dcba : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlReportCriticalFailure$filt$0+0x33
04 000007ff`adee7e82 : 000007ff`adf20190 00000000`0abcc4a0 00000000`0abcc4f0 00000000`0abcc4a0 : ntdll!_C_specific_handler+0x8e
05 000007ff`ade0d31d : 00000000`00000000 00000000`0abcb6b0 00000000`0abcc4a0 00000000`00000000 : ntdll!_GSHandlerCheck_SEH+0x76
06 000007ff`ade0e35c : 00000000`0abcc4f0 00000000`0abcbe90 00000000`00000002 00000000`00000000 : ntdll!RtlpExecuteHandlerForException+0xd
07 000007ff`ade0e800 : 00000000`00000002 000007ff`9dd56b11 00000000`0abcc4f0 00000000`00000000 : ntdll!RtlDispatchException+0x392
08 000007ff`aded9a65 : 00000000`00000000 00000000`c0000374 00000000`00000000 000007ff`adf2dd20 : ntdll!RtlRaiseException+0x27e
09 000007ff`adede880 : 00000000`006f0000 00000000`00000400 00000000`006f0000 00000000`00000000 : ntdll!RtlReportCriticalFailure+0x89
0a 000007ff`addf5911 : 00000000`007bf1d0 00000000`007b6670 00000000`007be990 00000000`00000101 : ntdll!RtlpLogHeapFailure+0xa4
0b 000007ff`addf564a : 00000000`00000000 00000000`00000020 00000000`00000030 00000000`00000000 : ntdll!RtlpLowFragHeapAllocFromContext+0x35e
0c 000007ff`9e0f6a57 : 00000000`0abcdda0 00000000`00000000 00000000`00000040 00000000`00000000 : ntdll!RtlAllocateHeap+0xfa
0d (Inline Function) : --------`-------- --------`-------- --------`-------- --------`-------- : msvcr120!_heap_alloc+0x3e
0e 000007ff`9e0f6967 : 00000000`00000030 00000000`00000000 00000000`00000000 00000000`707100f0 : msvcr120!malloc+0x5b
0f 00000000`7068236c : 00007d5b`39f8fe22 00000000`0abcc880 00000000`0abcdda0 00000000`0abcdd9c : msvcr120!operator new+0x1f
10 (Inline Function) : --------`-------- --------`-------- --------`-------- --------`-------- : TortoiseGit!std::_Allocate+0x23
11 (Inline Function) : --------`-------- --------`-------- --------`-------- --------`-------- : TortoiseGit!std::allocator<wchar_t>::allocate+0x23
12 (Inline Function) : --------`-------- --------`-------- --------`-------- --------`-------- : TortoiseGit!std::_Wrap_alloc<std::allocator<wchar_t> >::allocate+0x23
13 00000000`70682238 : 00000000`0abcc928 00000000`00000014 00000000`00000000 00000000`00000000 : TortoiseGit!std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >::_Copy+0x9c
14 (Inline Function) : --------`-------- --------`-------- --------`-------- --------`-------- : TortoiseGit!std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >::_Grow+0x35
15 00000000`7068f8c9 : 00000000`0abcc928 00000000`0abcca30 00000000`0abd26a0 00000000`0000001e : TortoiseGit!std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >::assign+0xb8
16 (Inline Function) : --------`-------- --------`-------- --------`-------- --------`-------- : TortoiseGit!std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >::{ctor}+0x1e
17 00000000`706b4628 : 00000000`0abd26b0 00000000`0abd26a0 00000000`0abd26d0 00000000`00000000 : TortoiseGit!std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >::substr+0x29
18 00000000`706b57d4 : 00000000`00000000 00000000`00000004 00000000`0abd26a0 00000000`0abcca19 : TortoiseGit!CRegStdBase::CRegStdBase+0xc8
19 (Inline Function) : --------`-------- --------`-------- --------`-------- --------`-------- : TortoiseGit!CRegTypedBase<std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >,CRegStdBase>::{ctor}+0x13
1a (Inline Function) : --------`-------- --------`-------- --------`-------- --------`-------- : TortoiseGit!CRegStringCommon<CRegStdBase>::{ctor}+0x13
1b 00000000`706b705a : 00000000`7073b310 00000000`00000000 00000000`007a0010 00000000`707114e0 : TortoiseGit!CShellExt::CShellExt+0x1a4
1c 00000000`707319d2 : 00000000`70710000 00000000`0abcddb0 00000000`09f17680 00000000`0abd2380 : TortoiseGit!CShellExtClassFactory::CreateInstance+0x6a
1d 00000000`7073185b : 00000000`09f10000 000007ff`ade18475 00000000`09f177aa 00000000`00000000 : TortoiseOverlays+0x19d2
1e 00000000`707312fd : 00000000`00000000 00000000`7073d850 00000000`0abcdd9c 00000000`00000004 : TortoiseOverlays+0x185b
1f 000007f7`8bca256c : 00000000`00000000 00000000`00000000 00009cdc`f89d1ca9 00000000`000001f0 : TortoiseOverlays+0x12fd
20 000007f7`8bca25b6 : 00007994`3f161f6d 00000000`00000004 00000000`00000000 00000000`00000000 : salamand+0x14256c
21 000007f7`8bca2c59 : 00000000`00000000 00000000`0093eac0 00000000`0abcde40 00000000`00000000 : salamand+0x1425b6
22 000007f7`8bbb7ca2 : 00000000`0097af60 00000000`0097af60 00000000`00000000 00000000`00000000 : salamand+0x142c59
23 000007f7`8bbb9505 : 00000000`00000000 00000000`0097af60 00000000`00000000 00000000`00000000 : salamand+0x57ca2
24 000007f7`8bbb956a : 00000000`0abce8a0 00000000`0097af60 00000000`00000000 00000000`00000000 : salamand+0x59505
25 00000000`6fd02a6f : 00000000`6fd8cb90 00000000`00000000 00000000`00000000 00000000`00000000 : salamand+0x5956a
26 00000000`6fd02b08 : 00000000`6fd8c5c0 00000000`00983640 00000000`00000000 00000000`00000000 : salrtl9!endthreadex+0x3f
27 000007ff`adb91842 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : salrtl9!endthreadex+0xd8
28 000007ff`ade0a2b9 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0x1a
29 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d
0:010> lmvm TortoiseGit
Browse full module list
start             end                 module name
00000000`70680000 00000000`7070b000   TortoiseGit   (private pdb symbols)  C:\ProgramData\dbg\sym\TortoiseGit.pdb\EFDE6FB66EEC4C64AD95C4B9A00B8CFC1\TortoiseGit.pdb
    Image path: C:\Program Files\TortoiseGit\bin\TortoiseGit.dll
    Image name: TortoiseGit.dll
    Browse all global symbols  functions  data
    Timestamp:        Tue Apr 01 18:02:09 2014 (533AE301)
    CheckSum:         0009481E
    ImageSize:        0008B000
    File version:     1.8.8.0
    Product version:  1.8.8.0
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0400.04e4
    CompanyName:      http://tortoisegit.org/
    ProductName:      TortoiseGit
    InternalName:     TortoiseGit.dll
    OriginalFilename: TortoiseGit.dll
    ProductVersion:   1.8.8.0
    FileVersion:      1.8.8.0
    FileDescription:  TortoiseGit shell extension client
    LegalCopyright:   Copyright (C) 2008-2014 - TortoiseGit and Copyright (C) 2003-2013 - TortoiseSVN

0:010> .load MSEC
0:010> !exploitable

!exploitable 1.6.0.0
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Heap Corruption starting at ntdll!RtlReportCriticalFailure+0x0000000000000089 called from msvcr120!malloc+0x000000000000005b (Hash=0x55961209.0x0e271ed6)

Heap Corruption has been detected. This is considered exploitable, and must be fixed.


Does the issue come from TGit or Salamander? I'm also worried about the potential security issue.

Re: AS3.02 (x64) crashes sometimes at start

Post by Jan Rysavy (ALTAP Staff) »

It looks like some bug in the TortoiseGit shell extension (probably the icon overlay handler). Did you install a new version of TortoiseGit recently? We didn't change code related to shell extensions in AS 3.01 and 3.02...

I assume Salamander didn't report the bug using our bug reporting system because it was handled by your WinDbg session?

Could you reproduce it again and send us a bug report using our system?

EDIT: we changed linker options in AS 3.02: http://forum.altap.cz/viewtopic.php?f=2&t=7537
Could it be related?

Re: AS3.02 (x64) crashes sometimes at start

Post by Andre.Ziegler »

TGit 1.8.8.0 is the latest version. I can't remember when AS started to crash. It only happened when I did a full boot of Win8 or a reboot and didn't use hibernation. I've uploaded all dumps with the reporting tool, so maybe you can find them in your system.

Re: AS3.02 (x64) crashes sometimes at start

Post by Andre.Ziegler »

OK, 1.8.9 also doesn't fix it. I've activated AppVerifier for salamand.exe and it shows an APPLICATION_VERIFIER_LOCKS_LOCK_IN_UNLOADED_DLL error:

Code:

*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** ERROR: Module load completed but symbols could not be loaded for salamand.exe
APPLICATION_VERIFIER_LOCKS_LOCK_IN_UNLOADED_DLL (201)
Unloading DLL containing an active critical section.
This stop is generated if a DLL has a global variable containing a critical section
and the DLL is unloaded but the critical section has not been deleted. To debug
this stop use the following debugger commands:
$ du parameter3 - to dump the name of the culprit DLL.
$ .reload dllname or .reload dllname = parameter4 - to reload the symbols for that DLL.
$ !cs -s parameter1 - dump information about this critical section.
$ ln parameter1 - to show symbols near the address of the critical section.
This should help identify the leaked critical section.
$ dps parameter2 - to dump the stack trace for this critical section initialization. 
Arguments:
Arg1: 000000005b53a560, Critical section address. Run !cs -s <address> to get more information. 
Arg2: 000000000131f3e0, Critical section initialization stack trace. Run dps <address> to dump the stack trace. 
Arg3: 0000000003b9bec2, DLL name address. 
Arg4: 000000005b4e0000, DLL base address. 
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for salrtl9.dll - 

EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 000007ff8ce4a7fc (verifier!VerifierStopMessageEx+0x00000000000006d0)
   ExceptionCode: 80000003 (Break instruction exception)
  ExceptionFlags: 00000000
NumberParameters: 1
   Parameter[0]: 0000000000000000

DEFAULT_BUCKET_ID:  STATUS_BREAKPOINT

PROCESS_NAME:  salamand.exe

CRITICAL_SECTION:  000000005b53a560 -- (!cs -s 000000005b53a560)

ERROR_CODE: (NTSTATUS) 0x80000003 - {AUSNAHME}  Haltepunkt  Im Quellprogramm wurde ein Haltepunkt erreicht.

EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - Mindestens ein Argument ist ungültig.

EXCEPTION_PARAMETER1:  0000000000000000

NTGLOBALFLAG:  2000100

APPLICATION_VERIFIER_FLAGS:  48004

APP:  salamand.exe

BUGCHECK_STR:  APPLICATION_FAULT_STATUS_BREAKPOINT

STACK_TEXT:  
00000000`0122ce90 000007ff`8ce4a7fc verifier!VerifierStopMessageEx+0x6d0
00000000`0122d210 000007ff`8ce5557b verifier!AVrfpFreeMemLockChecks+0xef
00000000`0122d270 000007ff`8ce527dc verifier!AVrfpFreeMemNotify+0x38
00000000`0122d2a0 000007ff`8ce537a7 verifier!AVrfpDllUnloadCallback+0x3f
00000000`0122d760 000007ff`af52fecd ntdll!AVrfDllUnloadNotification+0x95
00000000`0122d790 000007ff`af56d089 ntdll!LdrpUnloadNode+0xbc719
00000000`0122d7d0 000007ff`af47da96 ntdll!LdrpDecrementNodeLoadCount+0x101
00000000`0122d800 000007ff`af47d268 ntdll!LdrUnloadDll+0x34
00000000`0122d840 000007ff`ac43290a kernelbase!FreeLibrary+0x22
00000000`0122d870 00000000`5b57150e tortoisegitstub!DllCanUnloadNow+0x2e
00000000`0122d8a0 000007ff`acdd9885 combase!CClassCache::CDllPathEntry::CanUnload_rl+0xb5
00000000`0122d8d0 000007ff`acd707f3 combase!CClassCache::CleanUpDllsForApartment+0x1c3
00000000`0122ded0 000007ff`acd7031b combase!FinishShutdown+0x112
00000000`0122df70 000007ff`acd6fb15 combase!ApartmentUninitialize+0xe5
00000000`0122e000 000007ff`acd704fa combase!wCoUninitialize+0x197
00000000`0122e030 000007ff`acd675ab combase!CoUninitialize+0x143
00000000`0122e090 000007ff`8ce5a66f verifier!AVrfpCoUninitialize+0x1b
00000000`0122e0e0 000007ff`add74b3c ole32!OleUninitialize+0x15c
00000000`0122e110 000007f7`e1ebca46 salamand+0x11ca46
00000000`0122fad0 000007f7`e1ebcbc6 salamand+0x11cbc6
00000000`0122fb00 000007f7`e1f37e2f salamand+0x197e2f
00000000`0122fbb0 000007f7`e1eb5c9d salamand+0x115c9d
00000000`0122fbe0 000007ff`adad1842 kernel32!BaseThreadInitThunk+0x1a
00000000`0122fc10 000007ff`af48a2b9 ntdll!RtlUserThreadStart+0x1d


STACK_COMMAND:  .ecxr ; kb ; dps 122ce90 ; kb

FOLLOWUP_IP: 
TortoiseGitStub!DllCanUnloadNow+2e [d:\tortoisegit\src\tortoiseshell\tortoisestub.cpp @ 307]
00000000`5b57150e 33c0            xor     eax,eax

FAULTING_SOURCE_FILE:  d:\tortoisegit\src\tortoiseshell\tortoisestub.cpp

FAULTING_SOURCE_LINE_NUMBER:  307

SYMBOL_NAME:  tortoisegitstub!DllCanUnloadNow+2e

IMAGE_NAME:  TortoiseGitStub.dll

FAILURE_BUCKET_ID:  STATUS_BREAKPOINT_80000003_TortoiseGitStub.dll!DllCanUnloadNow

BUCKET_ID:  APPLICATION_FAULT_STATUS_BREAKPOINT_tortoisegitstub!DllCanUnloadNow+2e

0:000> lmvm TortoiseGitStub
start             end                 module name
00000000`5b570000 00000000`5b58b000   TortoiseGitStub   (private pdb symbols)  C:\ProgramData\dbg\sym\TortoiseGitStub.pdb\F9D2C8444941442995B21BD7CAE0D1101\TortoiseGitStub.pdb
    Loaded symbol image file: TortoiseGitStub.dll
    Mapped memory image file: d:\sym\tgitx64\TortoiseGitStub.dll\53961F6F1b000\TortoiseGitStub.dll
    Image path: C:\Program Files\TortoiseGit\bin\TortoiseGitStub.dll
    Image name: TortoiseGitStub.dll
    Timestamp:        Mon Jun 09 22:56:15 2014 (53961F6F)
    CheckSum:         00025B4C
    ImageSize:        0001B000
    File version:     1.8.9.0
    Product version:  1.8.9.0
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0400.04e4
    CompanyName:      http://tortoisegit.org/
    ProductName:      TortoiseGit
    InternalName:     TortoiseStub.dll
    OriginalFilename: TortoiseStub.dll
    ProductVersion:   1.8.9.0
    FileVersion:      1.8.9.0
    FileDescription:  TortoiseGit shell extension client
    LegalCopyright:   Copyright (C) 2012-2013 TortoiseGit, Copyright (C) 2007-2012 TortoiseSVN


0:000>  .ecxr ; kp ; dps 122ce90 ; kp
rax=000007ff8ce810a0 rbx=000007ff8ce7e5c8 rcx=000007f7e0fae000
rdx=000000000122b510 rsi=000000005b53a560 rdi=00000000000001ff
rip=000007ff8ce4a7fc rsp=000000000122ce90 rbp=000000000008c000
 r8=0000000000000000  r9=000007ff8ce854e0 r10=0000000000000000
r11=000000000122bba8 r12=0000000000000201 r13=00000000000001a1
r14=0000000003b9bec2 r15=000000005b4e0000
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
verifier!VerifierStopMessageEx+0x6d0:
000007ff`8ce4a7fc cc              int     3
  *** Stack trace for last set context - .thread/.cxr resets it
Child-SP          RetAddr           Call Site
00000000`0122ce90 000007ff`8ce5557b verifier!VerifierStopMessageEx+0x6d0
00000000`0122d210 000007ff`8ce527dc verifier!AVrfpFreeMemLockChecks+0xef
00000000`0122d270 000007ff`8ce537a7 verifier!AVrfpFreeMemNotify+0x38
00000000`0122d2a0 000007ff`af52fecd verifier!AVrfpDllUnloadCallback+0x3f
00000000`0122d760 000007ff`af56d089 ntdll!AVrfDllUnloadNotification+0x95
00000000`0122d790 000007ff`af47da96 ntdll!LdrpUnloadNode+0xbc719
00000000`0122d7d0 000007ff`af47d268 ntdll!LdrpDecrementNodeLoadCount+0x101
00000000`0122d800 000007ff`ac43290a ntdll!LdrUnloadDll+0x34
00000000`0122d840 00000000`5b57150e KERNELBASE!FreeLibrary+0x22
(Inline Function) --------`-------- TortoiseGitStub!UnloadRealLibrary+0x18 [d:\tortoisegit\src\tortoiseshell\tortoisestub.cpp @ 220]
00000000`0122d870 000007ff`acdd9885 TortoiseGitStub!DllCanUnloadNow(void)+0x2e [d:\tortoisegit\src\tortoiseshell\tortoisestub.cpp @ 307]
00000000`0122d8a0 000007ff`acd707f3 combase!CClassCache::CDllPathEntry::CanUnload_rl+0xb5
00000000`0122d8d0 000007ff`acd7031b combase!CClassCache::CleanUpDllsForApartment+0x1c3
00000000`0122ded0 000007ff`acd6fb15 combase!FinishShutdown+0x112
00000000`0122df70 000007ff`acd704fa combase!ApartmentUninitialize+0xe5
00000000`0122e000 000007ff`acd675ab combase!wCoUninitialize+0x197
00000000`0122e030 000007ff`8ce5a66f combase!CoUninitialize+0x143
00000000`0122e090 000007ff`add74b3c verifier!AVrfpCoUninitialize+0x1b
00000000`0122e0e0 000007f7`e1ebca46 ole32!OleUninitialize+0x15c
00000000`0122e110 000007f7`e1ebcbc6 salamand+0x11ca46
00000000`0122fad0 000007f7`e1f37e2f salamand+0x11cbc6
00000000`0122fb00 000007f7`e1eb5c9d salamand+0x197e2f
00000000`0122fbb0 000007ff`adad1842 salamand+0x115c9d
00000000`0122fbe0 000007ff`af48a2b9 kernel32!BaseThreadInitThunk+0x1a
00000000`0122fc10 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
00000000`0122ce90  000007ff`8ce7e5c8 verifier!VfProviderLocksBreakDescriptors+0x88
00000000`0122ce98  00000000`0008c000
00000000`0122cea0  000007ff`8ce41a34 verifier!`string'
00000000`0122cea8  000007ff`8ce854e0 verifier!VrfDbgOutputBuffer
00000000`0122ceb0  00000202`00000b50
00000000`0122ceb8  00000000`04db6250
00000000`0122cec0  00000000`5b53a560 TortoiseGit!g_ShellCache+0x11f0
00000000`0122cec8  00000000`04db6330
00000000`0122ced0  00000000`0131f3e0
00000000`0122ced8  00000000`04db63e0
00000000`0122cee0  00000000`03b9bec2
00000000`0122cee8  00000000`04db64b0
00000000`0122cef0  00000000`5b4e0000 TortoiseGit!__imp_?id@?$ctype@_W@std@@2V0locale@2@A
00000000`0122cef8  00000000`04db6550
00000000`0122cf00  000007ff`8ce7fb78 verifier!AVrfpLogEntryMessageEx+0x258
00000000`0122cf08  00000000`04de3820
  *** Stack trace for last set context - .thread/.cxr resets it
Child-SP          RetAddr           Call Site
00000000`0122ce90 000007ff`8ce5557b verifier!VerifierStopMessageEx+0x6d0
00000000`0122d210 000007ff`8ce527dc verifier!AVrfpFreeMemLockChecks+0xef
00000000`0122d270 000007ff`8ce537a7 verifier!AVrfpFreeMemNotify+0x38
00000000`0122d2a0 000007ff`af52fecd verifier!AVrfpDllUnloadCallback+0x3f
00000000`0122d760 000007ff`af56d089 ntdll!AVrfDllUnloadNotification+0x95
00000000`0122d790 000007ff`af47da96 ntdll!LdrpUnloadNode+0xbc719
00000000`0122d7d0 000007ff`af47d268 ntdll!LdrpDecrementNodeLoadCount+0x101
00000000`0122d800 000007ff`ac43290a ntdll!LdrUnloadDll+0x34
00000000`0122d840 00000000`5b57150e KERNELBASE!FreeLibrary+0x22
(Inline Function) --------`-------- TortoiseGitStub!UnloadRealLibrary+0x18 [d:\tortoisegit\src\tortoiseshell\tortoisestub.cpp @ 220]
00000000`0122d870 000007ff`acdd9885 TortoiseGitStub!DllCanUnloadNow(void)+0x2e [d:\tortoisegit\src\tortoiseshell\tortoisestub.cpp @ 307]
00000000`0122d8a0 000007ff`acd707f3 combase!CClassCache::CDllPathEntry::CanUnload_rl+0xb5
00000000`0122d8d0 000007ff`acd7031b combase!CClassCache::CleanUpDllsForApartment+0x1c3
00000000`0122ded0 000007ff`acd6fb15 combase!FinishShutdown+0x112
00000000`0122df70 000007ff`acd704fa combase!ApartmentUninitialize+0xe5
00000000`0122e000 000007ff`acd675ab combase!wCoUninitialize+0x197
00000000`0122e030 000007ff`8ce5a66f combase!CoUninitialize+0x143
00000000`0122e090 000007ff`add74b3c verifier!AVrfpCoUninitialize+0x1b
00000000`0122e0e0 000007f7`e1ebca46 ole32!OleUninitialize+0x15c
00000000`0122e110 000007f7`e1ebcbc6 salamand+0x11ca46
00000000`0122fad0 000007f7`e1f37e2f salamand+0x11cbc6
00000000`0122fb00 000007f7`e1eb5c9d salamand+0x197e2f
00000000`0122fbb0 000007ff`adad1842 salamand+0x115c9d
00000000`0122fbe0 000007ff`af48a2b9 kernel32!BaseThreadInitThunk+0x1a
00000000`0122fc10 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

0:000> !cs -s 000000005b53a560
-----------------------------------------
Critical section   = 0x000000005b53a560 (TortoiseGit!g_ShellCache+0x11F0)
DebugInfo          = 0x0000000003b47c90
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000000020007d0
Cannot read structure field value at 0x0000000003b47c92, error 0

So salamand.exe calls ole32!OleUninitialize. Do you do this explicitly to unload DLLs?

Re: AS3.02 (x64) crashes sometimes at start

Post by SelfMan »

Try to temporarily disable the GitHub shell extensions using the http://www.nirsoft.net/utils/shexview.html tool.
Then check the stability of Salamander.

Re: AS3.02 (x64) crashes sometimes at start

Post by Andre.Ziegler »

But I use TGit sometimes, so disabling is not an option.

Re: AS3.02 (x64) crashes sometimes at start

Post by Jan Rysavy (ALTAP Staff) »

Andre.Ziegler wrote: I've uploaded all dumps with the reporting tool. So maybe you can find them in your system.
Did you specify your email and a link to this thread in the Bug Reporting dialog box? I'm unable to find any related report among the AS 3.02 bugs.
If not, could you please do it now?
Andre.Ziegler wrote: So salamand.exe calls ole32!OleUninitialize. Do you do this explicitly to unload DLLs?
We call OleInitialize / OleUninitialize on Salamander start / end. We also call this pair at runtime, but it is probably ignored:
The OleInitialize and OleUninitialize calls must be balanced — if there are multiple calls to the OleInitialize function, there must be the same number of calls to OleUninitialize; only the OleUninitialize call corresponding to the OleInitialize call that actually initialized the library can close it.
Still seems like a tortoisegitstub.dll bug to me.

Re: AS3.02 (x64) crashes sometimes at start

Post by SelfMan »

Andre, I just want you to disable the shell extension temporarily to test if it is the culprit or not.

Re: AS3.02 (x64) crashes sometimes at start

Post by Andre.Ziegler »

OK, I have now selected that Salopen.exe is used to open files. This improves the stability a bit. Today I got a crash without any 3rd-party DLL involved:

Code:

*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

FAULTING_IP: 
ntdll!RtlpLowFragHeapAllocateFromZone+149
000007fd`33321bb7 cd29            int     29h

EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 000007fd33321bb7 (ntdll!RtlpLowFragHeapAllocateFromZone+0x0000000000000149)
   ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
  ExceptionFlags: 00000001
NumberParameters: 1
   Parameter[0]: 0000000000000003

PROCESS_NAME:  salamand.exe

ERROR_CODE: (NTSTATUS) 0xc0000409 - Das System hat in dieser Anwendung den Überlauf eines stapelbasierten Puffers ermittelt. Dieser Überlauf könnte einem bösartigen Benutzer ermöglichen, die Steuerung der Anwendung zu übernehmen.

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - Das System hat in dieser Anwendung den Überlauf eines stapelbasierten Puffers ermittelt. Dieser Überlauf könnte einem bösartigen Benutzer ermöglichen, die Steuerung der Anwendung zu übernehmen.

EXCEPTION_PARAMETER1:  0000000000000003

NTGLOBALFLAG:  400

APPLICATION_VERIFIER_FLAGS:  0

APP:  salamand.exe

ANALYSIS_VERSION: 6.3.9600.17029 (debuggers(dbg).140219-1702) x86fre

FAULTING_THREAD:  000000000000123c

BUGCHECK_STR:  APPLICATION_FAULT_LIST_ENTRY_CORRUPT_EXPLOITABLE_SEHOP

PRIMARY_PROBLEM_CLASS:  LIST_ENTRY_CORRUPT_EXPLOITABLE_SEHOP

DEFAULT_BUCKET_ID:  LIST_ENTRY_CORRUPT_EXPLOITABLE_SEHOP

LAST_CONTROL_TRANSFER:  from 000007fd3328d998 to 000007fd33321bb7

STACK_TEXT:
00 ntdll!RtlpLowFragHeapAllocateFromZone
01 ntdll!RtlpLowFragHeapAllocFromContext
02 ntdll!RtlAllocateHeap
03 KERNELBASE!LocalAlloc
04 shell32!AllocHashItem
05 shell32!LookupItemInHashTable
06 shell32!LowercaseHashItem
07 shell32!RECOVERY_ENTRY::Load
08 shell32!CLookupTable<CRecoveryTable,RECOVERY_ENTRY>::Load
09 shell32!CRecoveryTable::Load
0a shell32!IconCacheRestore
0b shell32!FileIconInitInternal
0c shell32!`Microsoft::WRL::Module<1,Microsoft::WRL::Details::DefaultModule<5> >::Create'::`2'::`dynamic atexit destructor for 'module''
0d shell32!CFileExtension::_EnsureIconIndex
0e shell32!CFileSysItemString::ClassIconFlags
0f shell32!CFSFolder::_CreateDefExtIcon
10 shell32!CFSFolder::s_GetExtractIcon
11 shell32!CFSFolder::_BindHandler
12 shell32!CFSFolder::GetUIObjectOf
13 salamand
14 salamand
15 salamand
16 salamand
17 salamand
18 salamand
19 salrtl9!endthreadex
1a salrtl9!endthreadex
1b kernel32!BaseThreadInitThunk
1c ntdll!RtlUserThreadStart


FAILURE_BUCKET_ID:  LIST_ENTRY_CORRUPT_EXPLOITABLE_SEHOP_c0000409_shell32.dll!AllocHashItem

BUCKET_ID:  APPLICATION_FAULT_LIST_ENTRY_CORRUPT_EXPLOITABLE_SEHOP_shell32!AllocHashItem+3a

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:list_entry_corrupt_exploitable_sehop_c0000409_shell32.dll!allochashitem

Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Stack Buffer Overrun (/GS Exception) starting at ntdll!RtlpLowFragHeapAllocateFromZone+0x0000000000000149 called from KERNELBASE!LocalAlloc+0x000000000000006e (Hash=0xa8058517.0xad2be1bb)

An overrun of a protected stack buffer has been detected. This is considered exploitable, and must be fixed.
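A small triage script for the !analyze output quoted in this thread, added here as an example; it is not code from the forum, Altap Salamander or TortoiseGit. It parses the STACK_TEXT frames in the three layouts the dumps above use (Child-SP/RetAddr columns, the kb "args : Call Site" columns, and the bare numbered frames of the last dump) and names the first frame outside OS, CRT and verifier modules, which is how the "TGit or Salamander?" question from the first post is answered for the first dump (tortoisegit) and the last one (salamand). The set of modules treated as "system" is my choice; the two embedded dumps are abbreviated copies of the first and the last analysis in the thread.

```python
"""Triage helper for WinDbg '!analyze -v' text such as the dumps in this thread.

Added example, not code from the forum, Altap Salamander or TortoiseGit.  It
reads the exception code and the STACK_TEXT frames (in the three frame layouts
the thread shows) and names the first frame outside OS / CRT / verifier
modules: the component to look at first when asking "TGit or Salamander?".
"""
import re
from collections import namedtuple
from typing import List, Optional

Frame = namedtuple("Frame", "module symbol")
# Frames in these modules are skipped when choosing a suspect: they belong to
# the allocator, loader, COM runtime or verifier that *detected* the damage.
SYSTEM_MODULES = {"ntdll", "kernel32", "kernelbase", "combase", "ole32",
                  "verifier", "shell32", "msvcr120"}
# Exception codes that occur in this thread.
EXCEPTION_CODES = {
    0xC0000374: "STATUS_HEAP_CORRUPTION (heap metadata check failed)",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN (fast fail raised by int 29h)",
    0x80000003: "STATUS_BREAKPOINT (debugger / Application Verifier stop)",
}
# A Child-SP / RetAddr / argument column, including the "--------`--------"
# placeholders WinDbg prints for inlined frames.
ADDR_COL = r"[0-9a-f\-]{8}`[0-9a-f\-]{8}\s+"
FRAME_PREFIX_RE = re.compile(
    r"^\s*(?:[0-9a-f]{2}\s+)?"        # optional frame number, e.g. "0b "
    r"(?:\(Inline Function\)\s+)?"     # inline-frame marker
    r"(?:" + ADDR_COL + r")*", re.I)   # zero or more address columns
# "module!symbol+0xoff [source @ line]" with everything after module optional.
SITE_RE = re.compile(r"^(?P<module>[A-Za-z0-9_]+)(?:!(?P<symbol>.*?))?"
                     r"(?:\+0x[0-9a-f]+)?(?:\s+\[.*\])?\s*$", re.I)

def parse_frame(line: str) -> Optional[Frame]:
    """Call site of one stack line, or None for headers and other non-frames."""
    if " : " in line:                  # 'kb' layout: ... : args : Call Site
        site = line.rsplit(" : ", 1)[1]
    else:                              # 'k', 'dps' and bare '!analyze' layouts
        site = FRAME_PREFIX_RE.sub("", line, count=1)
    m = SITE_RE.match(site.strip())
    return Frame(m.group("module"), m.group("symbol")) if m else None

def stack_frames(analysis: str) -> List[Frame]:
    """Frames of the STACK_TEXT section, which ends at the first blank line."""
    frames, in_stack = [], False
    for line in analysis.splitlines():
        if line.startswith("STACK_TEXT:"):
            in_stack = True
        elif in_stack:
            if not line.strip():
                break
            frame = parse_frame(line)
            if frame:
                frames.append(frame)
    return frames

def exception_code(analysis: str) -> Optional[int]:
    m = re.search(r"^\s*ExceptionCode:\s+([0-9a-f]{8})", analysis, re.M | re.I)
    return int(m.group(1), 16) if m else None

def triage(analysis: str) -> dict:
    """Where the failure was detected and which non-system code called into it.
    For heap corruption the frame that tripped the check is rarely the one that
    wrote out of bounds: start from the suspect, then let page heap or
    Application Verifier (as used later in the thread) pin the writer down."""
    code, frames = exception_code(analysis), stack_frames(analysis)
    suspect = next((f for f in frames if f.module.lower() not in SYSTEM_MODULES), None)
    return {"code": code, "meaning": EXCEPTION_CODES.get(code, "unknown"),
            "detected_in": frames[0].module if frames else None,
            "suspect": suspect.module if suspect else None,
            "suspect_symbol": suspect.symbol if suspect else None}

# Abbreviated copies of the first and the last dump quoted in this thread.
HEAP_DUMP = """\
   ExceptionCode: c0000374

STACK_TEXT:
000007ff`adf2dd88 000007ff`addf5911 ntdll!RtlpLowFragHeapAllocFromContext+0x35e
000007ff`adf2dd98 000007ff`9e0f6a57 msvcr120!malloc+0x5b
000007ff`adf2dda0 000007ff`9e0f6967 msvcr120!operator new+0x1f
000007ff`adf2dda8 00000000`7068236c tortoisegit!std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >::_Copy+0x9c
000007ff`adf2ddd8 00000000`707319d2 tortoiseoverlays+0x19d2
000007ff`adf2ddf0 000007f7`8bca256c salamand+0x14256c
"""
FASTFAIL_DUMP = """\
   ExceptionCode: c0000409 (Security check failure or stack buffer overrun)

STACK_TEXT:
00 ntdll!RtlpLowFragHeapAllocateFromZone
03 KERNELBASE!LocalAlloc
04 shell32!AllocHashItem
13 salamand
19 salrtl9!endthreadex
"""
```

Running triage() over a full !analyze text works the same way; only the STACK_TEXT block and the ExceptionCode line are consulted.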