Re: TortoiseSVN 1.7 beta1 crashes on exit (was Re: First Beta of TortoiseSVN 1.7)

From: Stefan Küng <tortoisesvn_at_gmail.com>
Date: Tue, 26 Jul 2011 19:59:27 +0200

On 26.07.2011 10:12, Dave Huang wrote:
> On 7/25/2011 1:58 PM, Stefan Küng wrote:
>>
>> I tried to install the bluetooth stack on my machine, but it won't
>> install since I don't have a compatible bluetooth device. So I can't
>> debug this myself.
>>
>> Does this happen as well if you force the TSVN shell extension to
>> only load in explorer? Settings dialog->Icon Overlays->Show overlays
>> and context menu only in explorer
>
> It still crashes...
>
>> If it doesn't crash, then it hooks into the shell and therefore also
>> into the TSVN shell extension.
>>
>> Searching the web about this, there really seems to be a big problem
>> in BtMmHook.dll - TSVN isn't the only app affected by this :(
>
> Hmm, I spotted various crash reports where BtMmHook.dll happened to be
> loaded, but didn't see many reports of the crash actually occurring in
> that DLL... I didn't look that hard though.
>
> In any case, the problem seems to be related to TSVN's CrashRpt.dll...
> does it seriously patch kernel32.dll in-memory? CCrashHandler::Install()
> seems to GetProcAddress on kernel32's "SetUnhandledExceptionFilter",
> then does a WriteProcessMemory() to that address:
> http://code.google.com/p/tortoisesvn/source/browse/trunk/src/crashrpt/CrashHandler.cpp#124
>
> The problem is that BtMmHook's DllMain DLL_PROCESS_DETACH handler calls
> SetUnhandledExceptionFilter() to remove its handler from the chain, but
> the first instructions of SetUnhandledExceptionFilter() are mov r11,
> offset CrashRpt.dll+0xe614 (which is what CCrashHandler::Install()
> patched it to be) followed by jmp r11. And the problem with that is
> CrashRpt.dll has already been unloaded, but it didn't clean up after
> itself, so BtMmHook ends up jmp-ing to memory that's already been unmapped.
>
> This kernel32 patching business was added in r20060:
>
> Prevent the CRT from removing our exception handler.
> See this blog post for more details:
> http://blog.kalmbach-software.de/2008/04/02/unhandled-exceptions-in-vc8-and-above-for-x86-and-x64/
>
> That code is problematic though; as commenter huasheng says, "First of all, thanks for posting the solution. One question is if this
> function is invoked in a dll which is loaded and free dynamically, the application may crash because the dummy function address becomes
> invalid." The blog author agrees: "Good point… I need to make an “undo” function;)"
>
> So, from what I see, the bug is in TSVN after all, not BtMmHook.dll.

Wow, very good and detailed analysis! Thanks a lot!

Fixed the hooking in r21724.
Can you try the next nightly build please?

Stefan

-- 
        ___
   oo  // \\      "De Chelonian Mobile"
  (_,\/ \_/ \     TortoiseSVN
    \ \_/_\_/>    The coolest Interface to (Sub)Version Control
    /_/   \_\     http://tortoisesvn.net
Received on 2011-07-26 19:59:52 CEST

This is an archived mail posted to the TortoiseSVN Users mailing list.
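
An added example, not part of the original mail and not TortoiseSVN or CrashRpt code: a small triage check for the failure described in the thread, where a function entry was overwritten with `mov r11, imm64` / `jmp r11` and the patching DLL was later unloaded. It decodes that 13-byte detour and reports whether the jump target still lies inside a loaded module. The function names, module bases and sizes are constructed for illustration; only the `0xe614` offset comes from the mail.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* One loaded image covering [base, base + size). Values used below are constructed. */
typedef struct { const char *name; uint64_t base; uint64_t size; } module_t;
enum hook_state { NOT_HOOKED = 0, HOOK_TARGET_MAPPED = 1, HOOK_TARGET_DANGLING = 2 };

/* Decode "mov r11, imm64; jmp r11" (49 BB <imm64> 41 FF E3) at a function entry.
   Returns 1 and stores the jump target if the 13-byte detour is present. */
static int decode_detour(const uint8_t *entry, size_t len, uint64_t *target) {
    if (len < 13 || entry[0] != 0x49 || entry[1] != 0xBB) return 0;
    if (entry[10] != 0x41 || entry[11] != 0xFF || entry[12] != 0xE3) return 0;
    uint64_t t = 0;
    for (int i = 7; i >= 0; i--) t = (t << 8) | entry[2 + i]; /* little-endian imm64 */
    *target = t;
    return 1;
}

/* Return the module containing addr, or NULL if addr is in no loaded image. */
static const module_t *find_module(const module_t *mods, size_t n, uint64_t addr) {
    for (size_t i = 0; i < n; i++)
        if (addr >= mods[i].base && addr - mods[i].base < mods[i].size) return &mods[i];
    return NULL;
}

/* Classify a function entry against the current module list. */
enum hook_state classify_entry(const uint8_t *entry, size_t len,
                               const module_t *mods, size_t n) {
    uint64_t target;
    if (!decode_detour(entry, len, &target)) return NOT_HOOKED;
    return find_module(mods, n, target) ? HOOK_TARGET_MAPPED : HOOK_TARGET_DANGLING;
}

/* Constructed sample: detour to (constructed CrashRpt.dll base) + 0xE614. */
static const uint8_t SAMPLE_ENTRY[13] = {
    0x49, 0xBB, 0x14, 0xE6, 0x23, 0xF1, 0xFE, 0x07, 0x00, 0x00, 0x41, 0xFF, 0xE3 };
static const module_t BEFORE_UNLOAD[] = {
    { "kernel32.dll", 0x0000000077000000ULL, 0x11F000 },
    { "CrashRpt.dll", 0x000007FEF1230000ULL, 0x30000 } };
static const module_t AFTER_UNLOAD[] = {
    { "kernel32.dll", 0x0000000077000000ULL, 0x11F000 } };

int main(void) {
    printf("before unload: %d\n", classify_entry(SAMPLE_ENTRY, 13, BEFORE_UNLOAD, 2));
    printf("after unload:  %d\n", classify_entry(SAMPLE_ENTRY, 13, AFTER_UNLOAD, 1));
    return 0;
}
```

On a real crash, the entry bytes and the module list would be read from the dump or a debugger session rather than embedded as constants.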