curl-users
libcurl.dll crash in Curl_llist_remove
Date: Wed, 20 Jul 2011 13:57:43 +0800
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
***** OS symbols are WRONG. Please fix symbols to do analysis.
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: ntdll!_PEB ***
*** ***
*************************************************************************
FAULTING_IP:
libcurl!curl_getenv+8c5a
100174ca 894804 mov [eax+0x4],ecx
EXCEPTION_RECORD: ffffffff -- (.exr ffffffffffffffff)
ExceptionAddress: 100174ca (libcurl!curl_getenv+0x00008c5a)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 00000015
Attempt to write to address 00000015
DEFAULT_BUCKET_ID: APPLICATION_FAULT
PROCESS_NAME: wss.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - "0x%08lx"
WRITE_ADDRESS: 00000015
BUGCHECK_STR: ACCESS_VIOLATION
THREAD_ATTRIBUTES:
LAST_CONTROL_TRANSFER: from 54d14f50 to 100174ca
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
48a8e608 54d14f50 1000f240 00000001 0003002c libcurl!curl_getenv+0x8c5a
00000011 00000000 00000000 00000000 00000000 0x54d14f50
FOLLOWUP_IP:
libcurl!curl_getenv+8c5a
100174ca 894804 mov [eax+0x4],ecx
SYMBOL_STACK_INDEX: 0
FOLLOWUP_NAME: MachineOwner
SYMBOL_NAME: libcurl!curl_getenv+8c5a
MODULE_NAME: libcurl
IMAGE_NAME: libcurl.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 4e24ada5
STACK_COMMAND: .ecxr ; kb
BUCKET_ID: WRONG_SYMBOLS
Followup: MachineOwner
---------
0:283> u 100174ca
libcurl!curl_getenv+0x8c5a:
100174ca 894804 mov [eax+0x4],ecx <========================= Crash here
100174cd eb1e jmp libcurl!curl_getenv+0x8c7d (100174ed)
100174cf 8b5604 mov edx,[esi+0x4]
100174d2 8b4608 mov eax,[esi+0x8]
100174d5 894208 mov [edx+0x8],eax
100174d8 8b4608 mov eax,[esi+0x8]
100174db 3bc1 cmp eax,ecx
100174dd 7508 jnz libcurl!curl_getenv+0x8c77 (100174e7)
---------------------------------------------------------------------------------------
Above is the windbg "!analyze -v" output.
Below is the compiler's assembly listing for the faulting function.
I located the bug in the function Curl_llist_remove.
---------------------------------------------------------------------------------------
_Curl_llist_remove PROC NEAR ; COMDAT
; 115 : {
00000 56 push esi
; 116 : if(e == NULL || list->size == 0)
00001 8b 74 24 0c mov esi, DWORD PTR _e$[esp]
00005 33 c9 xor ecx, ecx
00007 57 push edi
00008 3b f1 cmp esi, ecx
0000a 74 5d je SHORT $L37434
0000c 8b 7c 24 0c mov edi, DWORD PTR _list$[esp+4]
00010 39 4f 0c cmp DWORD PTR [edi+12], ecx
00013 74 54 je SHORT $L37434
; 117 : return 1;
; 118 :
; 119 : if(e == list->head) {
00015 3b 37 cmp esi, DWORD PTR [edi]
00017 75 16 jne SHORT $L37435
; 120 : list->head = e->next;
00019 8b 46 08 mov eax, DWORD PTR [esi+8]
; 121 :
; 122 : if(list->head == NULL)
0001c 3b c1 cmp eax, ecx
0001e 89 07 mov DWORD PTR [edi], eax
00020 75 05 jne SHORT $L37437
; 123 : list->tail = NULL;
00022 89 4f 04 mov DWORD PTR [edi+4], ecx
; 124 : else
00025 eb 26 jmp SHORT $L37443
$L37437:
; 125 : e->next->prev = NULL;
00027 8b 46 08 mov eax, DWORD PTR [esi+8]
0002a 89 48 04 mov DWORD PTR [eax+4], ecx <========================= Crash here
; 126 : }
; 127 : else {
0002d eb 1e jmp SHORT $L37443
$L37435:
; 128 : e->prev->next = e->next;
0002f 8b 56 04 mov edx, DWORD PTR [esi+4]
00032 8b 46 08 mov eax, DWORD PTR [esi+8]
00035 89 42 08 mov DWORD PTR [edx+8], eax
; 129 : if(!e->next)
00038 8b 46 08 mov eax, DWORD PTR [esi+8]
0003b 3b c1 cmp eax, ecx
0003d 75 08 jne SHORT $L37442
; 130 : list->tail = e->prev;
0003f 8b 4e 04 mov ecx, DWORD PTR [esi+4]
00042 89 4f 04 mov DWORD PTR [edi+4], ecx
; 131 : else
00045 eb 06 jmp SHORT $L37443
$L37442:
; 132 : e->next->prev = e->prev;
00047 8b 56 04 mov edx, DWORD PTR [esi+4]
0004a 89 50 04 mov DWORD PTR [eax+4], edx
$L37443:
; 133 : }
; 134 :
; 135 : list->dtor(user, e->ptr);
0004d 8b 06 mov eax, DWORD PTR [esi]
0004f 8b 4c 24 14 mov ecx, DWORD PTR _user$[esp+4]
00053 50 push eax
00054 51 push ecx
00055 ff 57 08 call DWORD PTR [edi+8]
; 136 :
; 137 : free(e);
00058 56 push esi
00059 ff 15 00 00 00
00 call DWORD PTR _Curl_cfree
; 138 : --list->size;
0005f 8b 47 0c mov eax, DWORD PTR [edi+12]
00062 83 c4 0c add esp, 12 ; 0000000cH
00065 48 dec eax
00066 89 47 0c mov DWORD PTR [edi+12], eax
$L37434:
00069 5f pop edi
0006a b8 01 00 00 00 mov eax, 1
0006f 5e pop esi
; 139 :
; 140 : return 1;
; 141 : }
00070 c3 ret 0
_Curl_llist_remove ENDP
-------------------------------------------------------
in C source
-------------------------------------------------------
/*
 * Curl_llist_remove - unlink element 'e' from 'list', run the list's
 * destructor on its payload and free the element itself.
 *
 * list: the list 'e' belongs to. It is dereferenced unconditionally, so
 *       it must be non-NULL.
 * e:    element to remove, or NULL for a no-op.
 * user: opaque pointer passed straight through to list->dtor.
 *
 * Returns 1 in every case, including the no-op case (e == NULL or an
 * empty list), so the return value does not tell a caller whether
 * anything was actually removed.
 *
 * The function trusts the list invariants: a non-head element has a
 * non-NULL prev, and every next/prev link is either NULL or a live
 * element. In the crash report above the faulting instruction is
 * "mov [eax+0x4],ecx" writing to address 00000015, i.e. eax == 0x11,
 * and it sits under "e->next->prev = NULL" in the head branch. So
 * e->next held a value that is not a valid element pointer, which is
 * consistent with a corrupted or already-freed element rather than with
 * a fault in the unlink logic itself.
 */
int
Curl_llist_remove(struct curl_llist *list, struct curl_llist_element *e,
                  void *user)
{
  struct curl_llist_element *prev;
  struct curl_llist_element *next;

  /* Nothing to do for a NULL element or an empty list. */
  if(!e || !list->size)
    return 1;

  prev = e->prev;
  next = e->next;

  if(list->head == e) {
    /* Unlinking the head: the successor (if any) becomes the new head. */
    list->head = next;
    if(next)
      next->prev = NULL;   /* <=== faulting write in the report above */
    else
      list->tail = NULL;   /* the list is now empty */
  }
  else {
    /* Interior or tail element: bypass it from both sides. */
    prev->next = next;
    if(next)
      next->prev = prev;
    else
      list->tail = prev;   /* 'e' was the tail */
  }

  /* Release the payload through the list's destructor, then the node. */
  list->dtor(user, e->ptr);
  free(e);
  --list->size;

  return 1;
}
-------------------------------------------------------------------