Issues, Workarounds & Localization

[BUG] buffer overrun

Author
Robotech Flyer
Doomheim
#1 - 2014-06-25 15:45:27 UTC
client version: 8.45.805671
OS: windows 8.1 x64
d3d: d3d11
graphics settings: optimized for quality

Repro steps:
- launch client with windbg: "windbg exefile.exe /noconsole"
- In windbg, open main menu -> debug -> event filters, make sure that "unknown exception" is "enabled"
- continue execution
- log in your character, undock, then dock back.

The client breaks into the debugger the moment you dock back at the station, with the following debug spew


HEAP[exefile.exe]: Heap block at 2861F7E8 modified at 2861F9D8 past requested size of 1e8
(e08.15a8): Break instruction exception - code 80000003 (first chance)
eax=ff429000 ebx=2861f9d8 ecx=2861f7e8 edx=00000047 esi=2861f7e8 edi=000001e8
eip=77c31756 esp=0054ac74 ebp=0054ac88 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
ntdll!RtlpBreakPointHeap+0x19:
77c31756 cc int 3
0:000> k
ChildEBP RetAddr
0054ac70 77c16fe9 ntdll!RtlpBreakPointHeap+0x19
0054ac88 77bf6463 ntdll!RtlpCheckBusyBlockTail+0x1a4
0054aca4 77c30671 ntdll!RtlpValidateHeapEntry+0x3f5f4
0054acf4 77be8033 ntdll!RtlDebugFreeHeap+0xb5
0054ae00 77b8ff39 ntdll!RtlpFreeHeap+0x580e9
0054ae54 72f3016a ntdll!RtlFreeHeap+0x1b6
*** ERROR: Symbol file could not be found. Defaulted to export symbols for F:\GAMES\EVE\main\bin\_GameWorld.dll -
0054ae68 6d4a621b MSVCR100!free+0x1c
WARNING: Stack unwind information not available. Following frames may be wrong.
0054aee0 6d3faa76 _GameWorld!PhysXentity::GetGameWorld+0x4d0b
0054af00 6d3fab13 _GameWorld!Ccp::SimpleLog::operator=+0x7876
0054af10 6d38e8b8 _GameWorld!Ccp::SimpleLog::operator=+0x7913
0054af40 6d33be77 _GameWorld!PathToMode::ExposeToBlue+0x4ba8
*** ERROR: Symbol file could not be found. Defaulted to export symbols for F:\GAMES\EVE\main\bin\blue.dll -
0054af80 6eedb07a _GameWorld!GetAllGameWorldNames+0xb877
0054afc8 6eee2320 blue!BlueNet::ClientIDFromCharID+0x674a2
0054b11c 6eee3a33 blue!BlueNet::ClientIDFromCharID+0x6e748
0054b1f8 6eee5041 blue!BlueNet::ClientIDFromCharID+0x6fe5b
*** ERROR: Symbol file could not be found. Defaulted to export symbols for F:\GAMES\EVE\main\bin\python27.dll -
0054b204 6ead6956 blue!BlueNet::ClientIDFromCharID+0x71469
0054b220 6ead68c9 python27!PyCFunction_Call+0x56
0054b23c 6ec5a36e python27!PyObject_Call+0x89
0054b25c 6eab7d67 python27!PyObject_CallFunction_SizeT+0x4a1
0054b2a4 6eab8c73 python27!PyOS_getsig+0x311
0054f78c 6eab8caa python27!PyWrapper_New+0xb3
0054f7a4 6ec9407e python27!PyWrapper_New+0xea
0054f7d4 6eee3604 python27!PyStackless_Call_Main+0x3e
*** ERROR: Module load completed but symbols could not be loaded for exefile.exe
0054f814 00f72aa1 blue!BlueNet::ClientIDFromCharID+0x6fa2c
0054f820 00f7297d exefile+0x2aa1
0054f934 00f7222a exefile+0x297d
0054fcbc 00f7e1ca exefile+0x222a
0054fd50 778e919f exefile+0xe1ca
0054fd5c 77b9a8cb KERNEL32!BaseThreadInitThunk+0xe
0054fda0 77b9a8a1 ntdll!__RtlUserThreadStart+0x20
0054fdb0 00000000 ntdll!_RtlUserThreadStart+0x1b
0:000> g
HEAP[exefile.exe]: Invalid address specified to RtlFreeHeap( 00980000, 2861F7F0 )
(e08.15a8): Break instruction exception - code 80000003 (first chance)
eax=ff429000 ebx=2861f7e8 ecx=2861f7e8 edx=0000003f esi=00980000 edi=00000000
eip=77c31756 esp=0054ac8c ebp=0054aca4 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
ntdll!RtlpBreakPointHeap+0x19:
77c31756 cc int 3
0:000> g
HEAP[exefile.exe]: Heap block at 2861D118 modified at 2861D3D0 past requested size of 2b0
(e08.15a8): Break instruction exception - code 80000003 (first chance)
eax=ff429000 ebx=2861d3d0 ecx=2861d118 edx=00000047 esi=2861d118 edi=000002b0
eip=77c31756 esp=0054ac9c ebp=0054acb0 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
ntdll!RtlpBreakPointHeap+0x19:
77c31756 cc int 3
0:000> g
HEAP[exefile.exe]: Invalid address specified to RtlFreeHeap( 00980000, 2861D120 )
(e08.15a8): Break instruction exception - code 80000003 (first chance)
eax=ff429000 ebx=2861d118 ecx=2861d118 edx=0000003f esi=00980000 edi=00000000
eip=77c31756 esp=0054acb4 ebp=0054accc iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
ntdll!RtlpBreakPointHeap+0x19:
77c31756 cc int 3
0:000> g


---------------- end of debug spew -----------------

The spew clearly indicates a buffer overrun problem. The client didn't crash immediately, but it will if I repeat this process long enough.
Robotech Flyer
Doomheim
#2 - 2014-06-25 15:50:29 UTC
Another way to trigger a "heap was modified" error:

- in a station
- press ESC to bring up the settings window
- click optimize settings to bring up the "optimize settings" dialog.
- press ESC to dismiss optimize settings dialog
- press ESC again to dismiss settings dialog.

This will trigger a "heap modified" exception as well:

HEAP[exefile.exe]: HEAP: Free Heap block 3747DD18 modified at 3747DD30 after it was freed
(e08.15a8): Break instruction exception - code 80000003 (first chance)
eax=ff429000 ebx=3747dd18 ecx=3747dd18 edx=00000047 esi=3747dd1a edi=00980000
eip=77c31756 esp=0054a76c ebp=0054a8b8 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
ntdll!RtlpBreakPointHeap+0x19:
77c31756 cc int 3
0:000> k
ChildEBP RetAddr
0054a768 77bc9cdf ntdll!RtlpBreakPointHeap+0x19
0054a8b8 77b90b43 ntdll!RtlpAllocateHeap+0x393b6
0054a94c 77c2fc1c ntdll!RtlAllocateHeap+0x14c
0054a9a4 77bc9a73 ntdll!RtlDebugAllocateHeap+0xd5
0054aaf8 77b90b43 ntdll!RtlpAllocateHeap+0x3914a
0054ab88 6f074f59 ntdll!RtlAllocateHeap+0x14c
WARNING: Stack unwind information not available. Following frames may be wrong.
0054abb8 6f049a0d blue!CCPMallocWithTracking+0x89
0054abd0 6df53c04 blue!BlueInternalCreate+0x1d
0054abf8 6f04917f _trinity_dx11_deploy!init_trinity_dx11_deploy+0xe9044
0054ac24 6df530ec blue!BlueCreateInstanceFromPython+0xdf
0054ac3c 6eae1cc3 _trinity_dx11_deploy!init_trinity_dx11_deploy+0xe852c
00000000 00000000 python27!PyType_GenericNew+0x41
0:000> g
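Added example (editor's, not code from the thread or from the game itself): the two messages in these posts come from the NT debug heap, which Windows enables when a process is started under a debugger (attaching to an already-running process does not turn it on). "Heap block at X modified at Y past requested size of N" is the tail check done on free: the heap fills the slack bytes after the requested size with a known pattern and verifies them in RtlpCheckBusyBlockTail, which is the frame on the first stack above. "Free Heap block X modified at Y after it was freed" is the free-fill check done on the next allocation: freed memory is overwritten with a pattern and re-verified when the allocator next touches it, which is why the second stack is under RtlDebugAllocateHeap rather than at the faulty write. Reading post #1's addresses this way: the invalid-address line gives the user pointer 2861F7F0, 8 bytes past the entry at 2861F7E8, and 2861F7F0 + 0x1e8 = 2861F9D8, the reported modified address, so the first corrupted byte is the one immediately past the requested size (2861D120 + 0x2b0 = 2861D3D0 for the second block). The C below is a small model of both checks with the same style of report; the header size, fill bytes, quarantine depth and the demo sizes are assumptions of the model, not the real heap layout. To break at the offending write itself rather than at the later free or allocate, enable page heap for the process (gflags /p /enable exefile.exe /full) and rerun under the debugger.

```c
/* Model of the NT debug heap's tail check and free-fill check.
 * Added example, not code from the thread; layout values are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HDR_BYTES   8      /* assumed 8-byte header before user data, as on 32-bit NT */
#define TAIL_BYTES  8      /* slack bytes after the requested size */
#define TAIL_FILL   0xAB   /* pattern written into the slack at allocation */
#define FREE_FILL   0xFE   /* pattern written over a block at free */
#define QUARANTINE  8      /* freed blocks kept for re-checking */

typedef enum { HEAP_OK = 0, HEAP_TAIL_MODIFIED, HEAP_FREED_MODIFIED } heap_status;

uint8_t    *g_block;        /* user pointer of the offending block */
size_t      g_requested;    /* its requested size */
size_t      g_offset;       /* offset of the first damaged byte from g_block */
heap_status g_last_status;  /* result of the check run by the last checked_alloc */

static uint8_t *quarantine[QUARANTINE];
static size_t   quarantine_n;

static size_t hdr_size(const uint8_t *user) {   /* requested size lives in the header */
    size_t n;
    memcpy(&n, user - HDR_BYTES, sizeof n);
    return n;
}

static void report(heap_status s) {             /* same shape as the debugger's spew */
    if (s == HEAP_TAIL_MODIFIED)
        printf("HEAP: Heap block at %p modified at %p past requested size of %zx\n",
               (void *)(g_block - HDR_BYTES), (void *)(g_block + g_offset), g_requested);
    else if (s == HEAP_FREED_MODIFIED)
        printf("HEAP: Free Heap block %p modified at %p after it was freed\n",
               (void *)g_block, (void *)(g_block + g_offset));
}

static heap_status check_freed(uint8_t *user) { /* freed block must still be all FREE_FILL */
    size_t n = hdr_size(user);
    for (size_t i = 0; i < n + TAIL_BYTES; i++)
        if (user[i] != FREE_FILL) {
            g_block = user; g_requested = n; g_offset = i;
            return HEAP_FREED_MODIFIED;
        }
    return HEAP_OK;
}

heap_status check_quarantine(void) {
    for (size_t i = 0; i < quarantine_n; i++) {
        heap_status s = check_freed(quarantine[i]);
        if (s != HEAP_OK) return s;
    }
    return HEAP_OK;
}

void heap_reset(void) {                         /* release quarantined blocks, clear state */
    for (size_t i = 0; i < quarantine_n; i++) free(quarantine[i] - HDR_BYTES);
    quarantine_n = 0;
    g_last_status = HEAP_OK;
}

/* Layout: [header: requested size][n user bytes][TAIL_BYTES of TAIL_FILL] */
void *checked_alloc(size_t n) {
    g_last_status = check_quarantine();         /* re-check free blocks, like RtlAllocateHeap */
    report(g_last_status);
    uint8_t *base = malloc(HDR_BYTES + n + TAIL_BYTES);
    if (!base) return NULL;
    memcpy(base, &n, sizeof n);
    memset(base + HDR_BYTES + n, TAIL_FILL, TAIL_BYTES);
    return base + HDR_BYTES;
}

heap_status checked_free(void *p) {
    uint8_t *user = p;
    size_t n = hdr_size(user);
    heap_status s = HEAP_OK;
    for (size_t i = 0; i < TAIL_BYTES; i++)     /* tail check, like RtlpCheckBusyBlockTail */
        if (user[n + i] != TAIL_FILL) {
            g_block = user; g_requested = n; g_offset = n + i;
            s = HEAP_TAIL_MODIFIED;
            break;
        }
    report(s);
    memset(user, FREE_FILL, n + TAIL_BYTES);    /* free fill: a later write shows up here */
    if (quarantine_n == QUARANTINE) {           /* full: really release the oldest block */
        free(quarantine[0] - HDR_BYTES);
        memmove(quarantine, quarantine + 1, (QUARANTINE - 1) * sizeof *quarantine);
        quarantine_n--;
    }
    quarantine[quarantine_n++] = user;
    return s;
}

/* Post #1's pattern: the first byte written past the requested size 0x1e8 sits at
 * offset 0x1e8, i.e. "modified at" == user pointer + requested size. */
heap_status demo_overrun(void) {
    heap_reset();
    size_t n = 0x1e8;
    uint8_t *buf = checked_alloc(n);
    memset(buf, 0, n + 1);                      /* BUG: one byte past the requested size */
    return checked_free(buf);                   /* HEAP_TAIL_MODIFIED, g_offset == 0x1e8 */
}

/* Post #2's pattern: a write through a stale pointer after free, caught by the
 * next allocation's free-fill check rather than at the faulty write itself. */
heap_status demo_write_after_free(void) {
    heap_reset();
    uint8_t *obj = checked_alloc(0x40);
    checked_free(obj);
    obj[0x18] = 1;                              /* BUG: use after free */
    checked_free(checked_alloc(0x10));          /* quarantine re-check fires in the alloc */
    return g_last_status;                       /* HEAP_FREED_MODIFIED, g_offset == 0x18 */
}

heap_status demo_clean(void) {                  /* well-behaved code passes both checks */
    heap_reset();
    uint8_t *buf = checked_alloc(0x20);
    memset(buf, 0, 0x20);
    heap_status s = checked_free(buf);
    checked_free(checked_alloc(0x20));
    return s != HEAP_OK ? s : g_last_status;
}

int main(void) {
    demo_overrun();
    demo_write_after_free();
    printf("clean run: %d\n", demo_clean());
    heap_reset();
    return 0;
}
```

The point of the quarantine is the same as in the real debug heap: a write after free is only caught when someone looks at the freed memory again, so the break lands in the next allocation, far from the bug. That is why post #2's stack ends in BlueCreateInstanceFromPython and CCPMallocWithTracking, which are the victims, not the culprit; page heap closes that gap by making the stale write fault immediately.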