RPC and dynamic array. Program crashes

Egor
Newbie
Posts: 2
Joined: Fri Jun 28, 2013 5:22 am

Post by Egor »

Hello.
My RPC server, which creates a dynamic array for the client, crashes inside Wine's RPC while freeing marshalling data.

Here is the IDL for reproducing the bug:

typedef struct _Person_info {
    [string] char *name;
    unsigned int   age;
} Person_info_t;

interface ITestRpc
{
    void GetPersons( [out] unsigned long *persons_size,
                     [out, size_is(,*persons_size)] Person_info_t **persons);
}

Here are some pieces from the Wine log:
828.464:002e:trace:rpc:NdrStubCall2 phase = 5
828.464:002e:trace:rpc:stub_do_args param[0]: 0x1200ac -> 0x1200c8 type 08 IsOut IsBasetype IsSimpleRef ServerAllocSize = 8
828.464:002e:trace:ole:NdrBaseTypeMarshall pStubMsg 0xa2e294, pMemory 0x1200c8, type 0x08
828.464:002e:trace:ole:NdrBaseTypeMarshall value: 0x00000002
828.464:002e:trace:rpc:stub_do_args memory addr (after): 0x1200ac -> 0x1200c8
828.465:002e:trace:rpc:stub_do_args param[1]: 0x1200b0 -> 0x1200e0 type 11 MustSize MustFree IsOut ServerAllocSize = 8
828.465:002e:trace:ole:NdrPointerMarshall (0xa2e294,0x1200e0,0x40c5a8)
....
828.465:002e:trace:ole:PointerMarshall calling marshaller for type 0x1b
828.465:002e:trace:ole:NdrConformantArrayMarshall (0xa2e294,0x419d88,0x40c5c4)
828.465:002e:trace:ole:ComputeConformanceOrVariance toplevel conformance, ofs=4
828.465:002e:trace:ole:ComputeConformanceOrVariance dereferenced data type 9 at 0x1200c8, got 2 <=== Array contains 2 elements
828.465:002e:trace:ole:ComputeConformanceOrVariance resulting conformance is 2
...
828.465:002e:trace:rpc:NdrStubCall2 phase = 6
828.465:002e:trace:rpc:stub_do_args param[0]: 0x1200ac -> 0x1200c8 type 08 IsOut IsBasetype IsSimpleRef ServerAllocSize = 8
828.465:002e:Call ntdll.RtlFreeHeap(00110000,00000000,001200c8) ret=7ecfbd95
828.465:002e:trace:heap:RtlFreeHeap (0x110000,30000062,0x1200c8): returning TRUE
828.465:002e:Ret ntdll.RtlFreeHeap() retval=00000001 ret=7ecfbd95
828.465:002e:trace:rpc:stub_do_args memory addr (after): 0x1200ac -> 0x1200c8
828.465:002e:trace:rpc:stub_do_args param[1]: 0x1200b0 -> 0x1200e0 type 11 MustSize MustFree IsOut ServerAllocSize = 8
...
828.465:002e:trace:ole:NdrConformantArrayFree (0xa2e294,0x419d88,0x40c5c4)
828.465:002e:trace:ole:ComputeConformanceOrVariance toplevel conformance, ofs=4
828.465:002e:trace:ole:ComputeConformanceOrVariance dereferenced data type 9 at 0x1200c8, got -17891602 <=== Trash is here!!!
828.465:002e:trace:ole:ComputeConformanceOrVariance resulting conformance is -17891602

How can I work around the problem?
Thanks.
lahmbi5678
Level 7
Posts: 823
Joined: Thu Aug 27, 2009 6:23 am

Re: RPC and dynamic array. Program crashes

Post by lahmbi5678 »

Hi,

you should file a bug and attach a small test case to the bug report.

As a workaround you could try to get the ole(aut)32.dlls from Windows XP, copy them to wine's system32 folder and override the dlls in winecfg, though this probably won't work properly. There's also a winetricks option, iirc native_oleaut32.
Egor
Newbie
Newbie
Posts: 2
Joined: Fri Jun 28, 2013 5:22 am

Re: RPC and dynamic array. Program crashes

Post by Egor »

I found the reason for the bug. It's obvious. When Wine frees the memory allocated for the parameter persons_size, it loses the size of the array pointed to by the next parameter, persons.
I think I found a related bug.
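
The ordering problem described in this thread, as an added C model that is not part of the original posts and not Wine's code: a toy heap poisons freed words with 0xFEEEFEEE, which read as a signed 32-bit integer is the -17891602 seen in the log, and the free phase is run in both orders. The names arena, model_free and free_phase are hypothetical, and the fill pattern and array layout are assumptions of the model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FREE_FILL 0xFEEEFEEEu   /* assumed poison; as int32 it is -17891602 */
#define ARRAY_CAP 2             /* elements the model "server" allocated */
#define ELEM_WORDS 2            /* Person_info_t modelled as name ptr + age */

/* Toy heap: blocks live in a static arena, so reading a "freed" block is
   well-defined here; model_free() only poisons the words. */
static uint32_t arena[16];

static void model_free(uint32_t *p, size_t words) {
    for (size_t i = 0; i < words; i++) p[i] = FREE_FILL;
}

/* Free phase over the two [out] params of GetPersons.
   size_first = 1: free persons_size, then read it as the conformance of
                   persons (the order the log shows).
   size_first = 0: read the conformance while persons_size is still live.
   Returns the element count the array-free step would use. */
int32_t free_phase(int size_first) {
    uint32_t *persons_size = &arena[0];            /* param[0] */
    uint32_t *persons = &arena[4];                 /* param[1] */
    *persons_size = ARRAY_CAP;
    memset(persons, 0, ARRAY_CAP * ELEM_WORDS * sizeof *persons);

    int32_t conformance;
    if (size_first) {
        model_free(persons_size, 1);
        conformance = (int32_t)*persons_size;      /* stale read of freed word */
    } else {
        conformance = (int32_t)*persons_size;      /* read before freeing */
        model_free(persons_size, 1);
    }
    /* Defensive check: never walk more elements than were allocated. */
    if (conformance >= 0 && conformance <= ARRAY_CAP)
        model_free(persons, (size_t)conformance * ELEM_WORDS);
    return conformance;
}

int main(void) {
    printf("size freed first: conformance = %d\n", (int)free_phase(1));
    printf("size read first:  conformance = %d\n", (int)free_phase(0));
    return 0;
}
```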
DanKegel
Moderator
Posts: 1164
Joined: Wed May 14, 2008 11:44 am

Re: RPC and dynamic array. Program crashes

Post by DanKegel »

You should probably file a new bug.