Changeset 21662 for trunk/src

Timestamp:

Jul 5, 2011, 7:52:42 PM (14 years ago)

Author:

dmik

Message:

kernel32: SEH: Disabled unwinding Win32 exception handlers in response to the OS/2 unwind procedure to prevent endless recursive crashes inside OS2RtlUnwind() happening due to stack corruption under SMP kernel when too many threads are being unwound at once. Closes #37.

Location:

trunk/src/kernel32

Files:

• exceptions.cpp (modified) (9 diffs)
• seh/sehutil.s (modified) (4 diffs)

trunk/src/kernel32/exceptions.cpp

@@ -462 +462 @@
 {
   PWINEXCEPTION_FRAME frame, prevFrame, dispatch;
-  WINEXCEPTION_RECORD record, newrec;
+  WINEXCEPTION_RECORD record; //, newrec;
   WINCONTEXT          context;
   DWORD               rc;
@@ -471 +471 @@
   if (!winteb)
   {
-      /* We're being called from __seh_handler called upon unwinding the OS/2
-       * exception chain after the Win32 TIB structure is destroyed. This for
-       * example happens when we terminate the thread or the process from within
-       * the __try block. Just ignore this call retur (note that the Win32
-       * exception chain should be already unwound by this moment). */
-      dprintf(("KERNEL32: RtlUnwind returning due to zero Win32 TEB.\n"));
+      dprintf(("KERNEL32: RtlUnwind TEB is NULL\n"));
+      DebugInt3();
       return 0;
   }
@@ -526 +522 @@
         if (pEndFrame && (frame > pEndFrame))
         {
+#if 0
+            // TODO
             newrec.ExceptionCode    = STATUS_INVALID_UNWIND_TARGET;
             newrec.ExceptionFlags   = EH_NONCONTINUABLE;
             newrec.ExceptionRecord  = pRecord;
             newrec.NumberParameters = 0;
+            RtlRaiseException(&newrec, NULL);
+#else
             dprintf(("KERNEL32: RtlUnwind terminating thread (invalid target).\n"));
             DosExit(EXIT_THREAD, 0);
+#endif
         }
         if (((void*)frame < winteb->stack_low) ||
@@ -537 +538 @@
             (int)frame & 3)
         {
+#if 0
+            // TODO
             newrec.ExceptionCode    = STATUS_BAD_STACK;
             newrec.ExceptionFlags   = EH_NONCONTINUABLE;
             newrec.ExceptionRecord  = pRecord;
             newrec.NumberParameters = 0;
+#else
             dprintf(("KERNEL32: RtlUnwind terminating thread (bad stack).\n"));
             DosExit(EXIT_THREAD, 0);
+#endif
         }
 
@@ -548 +553 @@
         dprintf(("KERNEL32: RtlUnwind - calling exception handler %08X", frame->Handler));
         if(frame->Handler) {
+            // ensure the Win32 FS (may be accessed directly in the handler)
+            DWORD oldsel = SetReturnFS(winteb->teb_sel);
             rc = EXC_CallHandler(pRecord, frame, &context, &dispatch, frame->Handler, EXC_UnwindHandler );
+            // restore FS
+            SetFS(oldsel);
         }
         else {
@@ -563 +572 @@
             break;
         default:
+#if 0
+            // TODO
             newrec.ExceptionCode    = STATUS_INVALID_DISPOSITION;
             newrec.ExceptionFlags   = EH_NONCONTINUABLE;
             newrec.ExceptionRecord  = pRecord;
             newrec.NumberParameters = 0;
-            dprintf(("KERNEL32: RtlUnwind terminating thread.\n"));
+#else
+            dprintf(("KERNEL32: RtlUnwind terminating thread (invalid disposition).\n"));
             DosExit(EXIT_THREAD, 0);
+#endif
             break;
         }
         dprintf(("KERNEL32: RtlUnwind (before)- frame=%08X, frame->Prev=%08X", frame, prevFrame));
-        SetExceptionChain((DWORD)prevFrame);
+        winteb->except = (void*)prevFrame;
         frame = prevFrame;
         dprintf(("KERNEL32: RtlUnwind (after) - frame=%08X, frame->Prev=%08X", frame,
@@ -1209 +1222 @@
 #endif
 
+// borrowed from ntddk.h
+extern "C"
+void WIN32API RtlUnwind(
+        LPVOID,
+        LPVOID,
+        LPVOID,DWORD);
+
 // Assembly wrapper for clearing the direction flag before calling our real
 // exception handler
@@ -1234 +1254 @@
 //        sprintfException(pERepRec, pERegRec, pCtxRec, p, szTrapDump);
 //    }
+
+    // We have to disable unwinding of the Win32 exception handlers because
+    // experiments have shown that when running under SMP kernel the stack
+    // becomes corrupt at the time when unwinding takes place: attempts to
+    // to follow the exception chain crash when accessing one of the the
+    // previous frame. Although it may seem that performing unwinding here
+    // (when we are definitely above any Win32 exception frames installed by
+    // the application so that the OS could theoretically already discard lower
+    // stack areas) is wrong, it's not the case of the crash. First, doing the
+    // very same thing from the SEH handler (see comments in sehutil.s), i.e.
+    // when the given Win32 stack frame (and all previous ones) is definitely
+    // alive, crahes due to the same stack corruption too. Second, when running
+    // under UNI kernel, BOTH approaches don't crash (i.e. the stack is fine).
+    // This looks like the SMP kernel doesn't manage the stack right during
+    // exception handling :( See also http://svn.netlabs.org/odin32/ticket/37.
+    //
+    // Note that disabling unwinding also breaks support for performing
+    // setjmp()/lonjmp() that crosses the bounds of the __try {} block.
+#if 0
+    if (pERepRec->fHandlerFlags & EH_UNWINDING)
+    {
+        // unwind the appropriate portion of the Win32 exception chain
+        if (pERepRec->fHandlerFlags & EH_EXIT_UNWIND)
+        {
+            dprintf(("KERNEL32: OS2ExceptionHandler: EH_EXIT_UNWIND, "
+                     "unwinding all the Win32 exception chain"));
+            RtlUnwind(NULL, 0, 0, 0);
+        }
+        else
+        {
+            dprintf(("KERNEL32: OS2ExceptionHandler: EH_UNWINDING, "
+                     "unwinding the Win32 exception chain up to 0x%p", pERegRec));
+
+            // find a Win32 exception frame closest to the OS/2 one (pERegRec)
+            // and unwind up to the previous one (to unwind the closest frame
+            // itself too as we are definitely jumping out of it)
+            TEB *winteb = GetThreadTEB();
+            PWINEXCEPTION_FRAME frame = (PWINEXCEPTION_FRAME)winteb->except;
+            while (frame != NULL && ((ULONG)frame)!= 0xFFFFFFFF &&
+                   ((ULONG)frame) <= ((ULONG)pERegRec))
+                frame = __seh_get_prev_frame(frame);
+            if (((ULONG)frame) == 0xFFFFFFFF)
+                frame = NULL;
+
+            RtlUnwind(frame, 0, 0, 0);
+        }
+        goto continuesearch;
+    }
+#endif
 
     /* Access violation at a known location */
@@ -1517 +1586 @@
             if(OSLibDispatchException(pERepRec, pERegRec, pCtxRec, p) == TRUE)
             {
+                dprintf(("KERNEL32: OS2ExceptionHandler: fix and continue\n"));
                 goto continueexecution;
             }
             else
             {
+                dprintf(("KERNEL32: OS2ExceptionHandler: continue search\n"));
                 goto continuesearch;
             }

trunk/src/kernel32/seh/sehutil.s

@@ -49 +49 @@
     jne ___seh_handler_Win32 /* No, assume the Win32 chain */
 
+    /* Note: Unwinding is disabled here since a) it is more correct to do
+     * centralized unwinding from OS2ExceptionHandler2ndLevel() (i.e. not only
+     * for SEH frames) and b) it crashes under SMP kernel due to stack being
+     * corrupt by the time when unwinding happens. See comments in
+     * OS2ExceptionHandler2ndLevel() for more details. */
+
+#if 0
+
     movl 8(%ebp), %eax
     movl 4(%eax), %eax /* fHandlerFlags */
@@ -64 +72 @@
 ___seh_handler_OS2_Unwind:
 
+    /* unwind the Win32 chain including our frame as someone's definitely
+     * jumping outside it if we're being unwound by OS/2 */
+    movl 12(%ebp), %eax
+    cmpl $0, 64(%eax)                   /* Win32FS == 0? */
+    je ___seh_handler_OS2_Unwind_End    /* Yes, we already unwound this frame */
+
     /* restore the Win32 chain in our frame */
-    movl 12(%ebp), %eax
     movl 60(%eax), %ebx /* pPrevFrameWin32 */
     movl %ebx, 0(%eax)  /* pPrev */
 
-    /* unwind the Win32 chain including our frame as someone's definitely
-     * jumping outside it if we're being unwound */
     pushl %fs
 
@@ -89 +100 @@
     movl %ecx, 0(%eax)  /* pPrev */
 
+___seh_handler_OS2_Unwind_End:
+
     xor %eax, %eax  /* return code is irrelevant for EH_UNWINDING */
     jmp ___seh_handler_Return
+
+#else
+
+    /* restore the OS/2 chain in our frame */
+    movl 12(%ebp), %eax
+    movl 44(%eax), %ecx /* pPrevFrameOS2 */
+    movl %ecx, 0(%eax)  /* pPrev */
+
+    xorl %eax, %eax  /* return XCPT_CONTINUE_SEARCH (0) */
+    jmp ___seh_handler_Return
+
+#endif
 
 ___seh_handler_Win32:
@@ -101 +126 @@
     /* skip EH_UNWINDING calls (for compatibility with MSVC) */
     movl 8(%ebp), %ebx
-    movl 4(%ebx), %eax /* pRec->ExceptionFlags */
-    testl $0x2, %eax /* EH_UNWINDING? */
+    movl 4(%ebx), %eax                      /* pRec->ExceptionFlags */
+    testl $0x2, %eax                        /* EH_UNWINDING? */
+    je ___seh_handler_Win32_NotUnwinding    /* No, continue normally */
+
+    /* See the comment above */
+#if 0
+    /* clear out the Win32FS field so that we will not attempt to unwind twice
+     * (first, as a result of forced unwind from ExitProcess/ExitThread/etc and
+     * then from the OS/2 EH_UNWINDING call of our handler) */
+    movl 12(%ebp), %eax
+    movl $0, 64(%eax)   /* Win32FS */
+#endif
+
     movl $1, %eax /* ExceptionContinueSearch */
-    jne ___seh_handler_Return
+    jmp ___seh_handler_Return
+
+___seh_handler_Win32_NotUnwinding:
 
     /* save handler's context */