From [email protected] on February 21, 2013 11:50:08
Split from issue #1133 so there's a clear issue to link to.
This is one regression that came out of "issue #822: Dr. Syscall DR Extension, part 15: return types" in r1131 (enabled in r1134):
The NtGdiGetWidthTable bool-returning syscall wasn't considered to fail on 0 before, and after the change it was considered to fail, leading to false positives. r1133:
processing post system call #0x106a NtGdiGetWidthTable res=0x0
post considering arg 2 -3 41 0x00396590
post considering arg 4 -3 42 0x003967f8
start 0x003967f8, size 0x268
marking 0x3967f8-0x396a60 written parameter #4
post considering arg 5 16 2 0x003962f0
start 0x003962f0, size 0x10
marking 0x3962f0-0x396300 written parameter #5
post considering arg 6 4 2 0x00396300
start 0x00396300, size 0x4
marking 0x396300-0x396304 written parameter #6
post considering arg 0 0 0 0x850116a7
now:
system call 4202 NtGdiGetWidthTable failed with 0x00000000
Hmmm. Only called once, so not like a 1st call to get size.
VS2012 um/ntgdi.h has it listed as BOOL.
ReactOS has it listed as BOOL. Every google search hit I can find has it as BOOL. But they're all wrong!
system call #0x106a NtGdiGetWidthTable
#0 GDI32.dll!bFillWidthTableForGTE+0xd7 (0x748b9d51 <GDI32.dll+0x19d51>) modid:0
#1 fp=0x0031f4a8 parent=0x0031f4d8 GDI32.dll!pcfLocateCFONT+0x1562 (0x748b93d3 <GDI32.dll+0x193d3>) modid:0
#2 fp=0x0031f4d8 parent=0x0031f504 GDI32.dll!GetTextExtentPointWInternal+0xc6 (0x748b94a4 <GDI32.dll+0x194a4>) modid:0
#3 fp=0x0031f504 parent=0x0031f520 GDI32.dll!GetTextExtentPointW+0x17 (0x748b9518 <GDI32.dll+0x19518>) modid:0
#4 fp=0x0031f520 parent=0x0031f588 GDI32.dll!GdiGetCharDimensions+0xf4 (0x748b9f61 <GDI32.dll+0x19f61>) modid:0
#5 fp=0x0031f588 parent=0x0031f650 USER32.dll!InternalCreateDialog+0x221 (0x754e1b23 <USER32.dll+0x41b23>) modid:0
#6 fp=0x0031f650 parent=0x0031f688 USER32.dll!InternalDialogBox+0xb7 (0x754dcf4b <USER32.dll+0x3cf4b>) modid:0
#7 fp=0x0031f688 parent=0x0031f73c USER32.dll!SoftModalMessageBox+0x756 (0x7550f73c <USER32.dll+0x6f73c>) modid:0
#8 fp=0x0031f73c parent=0x0031f894 USER32.dll!MessageBoxWorker+0x268 (0x7550fa18 <USER32.dll+0x6fa18>) modid:0
#9 fp=0x0031f894 parent=0x0031f900 USER32.dll!MessageBoxTimeoutW+0x51 (0x7550fb1f <USER32.dll+0x6fb1f>) modid:0
#10 fp=0x0031f900 parent=0x0031f934 USER32.dll!MessageBoxTimeoutA+0x75 (0x7550fb9e <USER32.dll+0x6fb9e>) modid:0
#11 fp=0x0031f934 parent=0x0031f954 USER32.dll!MessageBoxExA+0x1a (0x7550fcf1 <USER32.dll+0x6fcf1>) modid:0
GDI32!pcfLocateCFONT+0x24e:
748b93ce e8a7080000 call GDI32!bFillWidthTableForGTE (748b9c7a)
Sure looks like -1 is the failure value:
GDI32!bFillWidthTableForGTE+0xd1:
748b9d2c bf80019074 mov edi,0x74900180
748b9d31 57 push edi
748b9d32 ff1520028b74 call dword ptr [GDI32!_imp__RtlLeaveCriticalSection (748b0220)]
748b9d38 8d4648 lea eax,[esi+0x48]
748b9d3b 50 push eax
748b9d3c ff750c push dword ptr [ebp+0xc]
748b9d3f ff75f8 push dword ptr [ebp-0x8]
748b9d42 ff7514 push dword ptr [ebp+0x14]
748b9d45 ff75f0 push dword ptr [ebp-0x10]
748b9d48 53 push ebx
748b9d49 ff7508 push dword ptr [ebp+0x8]
748b9d4c e8aefeffff call GDI32!NtGdiGetWidthTable (748b9bff)
748b9d51 57 push edi
748b9d52 8945fc mov [ebp-0x4],eax
748b9d55 ff1524028b74 call dword ptr [GDI32!_imp__RtlEnterCriticalSection (748b0224)]
748b9d5b 837dfcff cmp dword ptr [ebp-0x4],0xffffffff
748b9d5f 7470 jz GDI32!bFillWidthTableForGTE+0x191 (748b9dd1)
748b9dd1 cleans up and returns, so a failure path
0:001> ln 0x74900180
(74900180) GDI32!semLocal | (749000b0) GDI32!fpWcsGetUsePerUserProfiles
That was win7. Here's xp32, which is almost identical:
GDI32!bFillWidthTableForGTE+0xd9:
77f1a6d4 be2040f577 mov esi,0x77f54020
77f1a6d9 56 push esi
77f1a6da ff15b011f177 call dword ptr [GDI32!_imp__RtlLeaveCriticalSection (77f111b0)]
77f1a6e0 8b7df0 mov edi,[ebp-0x10]
77f1a6e3 8d4348 lea eax,[ebx+0x48]
77f1a6e6 50 push eax
77f1a6e7 ff750c push dword ptr [ebp+0xc]
77f1a6ea 57 push edi
77f1a6eb ff75f8 push dword ptr [ebp-0x8]
77f1a6ee ff75ec push dword ptr [ebp-0x14]
77f1a6f1 ff7514 push dword ptr [ebp+0x14]
77f1a6f4 ff7508 push dword ptr [ebp+0x8]
77f1a6f7 e8c5fbffff call GDI32!NtGdiGetWidthTable (77f1a2c1)
77f1a6fc 56 push esi
77f1a6fd 8945fc mov [ebp-0x4],eax
77f1a700 ff15b411f177 call dword ptr [GDI32!_imp__RtlEnterCriticalSection (77f111b4)]
77f1a706 837dfcff cmp dword ptr [ebp-0x4],0xffffffff
77f1a70a 746d jz GDI32!bFillWidthTableForGTE+0x19b (77f1a779)
Back to win7, after the call:
748b9d7f 837dfc00 cmp dword ptr [ebp-0x4],0x0
748b9d83 894618 mov [esi+0x18],eax
748b9d86 0f8523080000 jne GDI32!bFillWidthTableForGTE+0x131 (748ba5af)
GDI32!bFillWidthTableForGTE+0x131:
748ba5af 834e1401 or dword ptr [esi+0x14],0x1
748ba5b3 e9d4f7ffff jmp GDI32!bFillWidthTableForGTE+0x135 (748b9d8c)
Finally:
GDI32!bFillWidthTableForGTE+0x19a:
748b9dda 8b45fc mov eax,[ebp-0x4]
748b9ddd 5f pop edi
748b9dde 5e pop esi
748b9ddf 5b pop ebx
748b9de0 c9 leave
748b9de1 c21400 ret 0x14
So -1 is failure, non-0 sets a flag somewhere, and the value is returned. A HANDLE?
The caller doesn't free it, so maybe not a HANDLE:
GDI32!pcfLocateCFONT+0x2a2:
748b7e2d 83f8ff cmp eax,0xffffffff
748b7e30 0f8591010000 jne GDI32!pcfLocateCFONT+0x2b3 (748b7fc7)
0:001> U 748b7fc7
GDI32!pcfLocateCFONT+0x2b3:
748b7fc7 8bc6 mov eax,esi
748b7fc9 5f pop edi
748b7fca 5b pop ebx
748b7fcb 5e pop esi
748b7fcc c9 leave
748b7fcd c21800 ret 0x18
Just some signed int with -1 as failure:
=>
removes most of the remaining uninits:
Dr.M 5 unique, 5 total uninitialized access(es)
Original issue: http://code.google.com/p/drmemory/issues/detail?id=1137
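Added example, not Dr. Memory's own code and not part of the original issue text: a small C model of the post-syscall step the log above is showing. The return-type classes (`RT_NTSTATUS`, `RT_BOOL`, `RT_INT_NEG1`), the table-free `syscall_failed` check and the one-byte-per-app-byte shadow are hypothetical simplifications; the point they demonstrate is the one the issue makes, that a checker only marks a syscall's output buffers as written when it judges the call successful, so classifying NtGdiGetWidthTable's result as BOOL turns a legitimate `res=0x0` into "failed", leaves the 0x268-byte table at parameter #4 flagged uninitialized, and produces false positives on the app's later reads. The replay uses the buffer size from the log (0x268) and constructed result values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical return-type classes for a syscall table entry; modeled on the
 * issue's description, not Dr. Memory's own enum or table format. */
typedef enum {
    RT_NTSTATUS,  /* NTSTATUS: failure when the status is negative */
    RT_BOOL,      /* BOOL: failure when the result is 0 */
    RT_INT_NEG1   /* signed int with -1 as the failure sentinel (NtGdiGetWidthTable) */
} rtype_t;

/* Decide whether a raw 32-bit post-syscall result (eax) means the call failed. */
bool syscall_failed(rtype_t rt, uintptr_t res)
{
    switch (rt) {
    case RT_NTSTATUS: return (int32_t)(uint32_t)res < 0;
    case RT_BOOL:     return (uint32_t)res == 0;
    case RT_INT_NEG1: return (int32_t)(uint32_t)res == -1;
    }
    return true; /* unknown class: treat as failed rather than mark memory defined */
}

/* Shadow byte values for the simulated shadow memory (one byte per app byte). */
enum { SHADOW_UNINIT = 0, SHADOW_DEFINED = 1 };

/* Post-syscall handling of one output parameter: the buffer is marked written
 * (defined) only when the call is judged successful, since on failure the
 * kernel made no promise about its contents. */
void post_syscall_mark_written(rtype_t rt, uintptr_t res, uint8_t *shadow, size_t size)
{
    if (syscall_failed(rt, res))
        return;
    memset(shadow, SHADOW_DEFINED, size);
}

/* Bytes still flagged uninitialized after the post-syscall step: any later
 * app read of those bytes would be reported as an uninitialized access. */
size_t uninit_bytes(const uint8_t *shadow, size_t size)
{
    size_t n = 0;
    for (size_t i = 0; i < size; i++)
        if (shadow[i] == SHADOW_UNINIT)
            n++;
    return n;
}

/* Replay the case from the log: a 0x268-byte output buffer (parameter #4) that
 * the app never wrote before the call, and a syscall result res classified as rt.
 * Returns how many bytes remain uninitialized. */
size_t replay_width_table_call(rtype_t rt, uintptr_t res)
{
    uint8_t shadow[0x268];
    memset(shadow, SHADOW_UNINIT, sizeof shadow);
    post_syscall_mark_written(rt, res, shadow, sizeof shadow);
    return uninit_bytes(shadow, sizeof shadow);
}

int main(void)
{
    /* res=0x0 as in the log: the BOOL classification leaves the whole table
     * uninitialized (false positives); the -1-sentinel classification marks it
     * defined. A genuine -1 stays unmarked, which is the behaviour we want. */
    printf("BOOL,  res=0:  %zu uninit bytes\n", replay_width_table_call(RT_BOOL, 0));
    printf("INT-1, res=0:  %zu uninit bytes\n", replay_width_table_call(RT_INT_NEG1, 0));
    printf("INT-1, res=-1: %zu uninit bytes\n", replay_width_table_call(RT_INT_NEG1, (uintptr_t)-1));
    return 0;
}
```

The check deliberately truncates the result to 32 bits before interpreting it, since the disassembly above compares the 32-bit eax against 0xffffffff; a table that compared the full register against -1 on a 64-bit build would miss a zero-extended 0xffffffff.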