
Re: Memory allocation conflict

From: Michael Schierl <schierlm_at_gmx.de>
Date: Sun, 02 Jun 2013 15:59:44 +0200

On 02.06.2013 14:01, Michael Schierl wrote:
> On 01.06.2013 15:28, Stefan Küng wrote:
>> On 01.06.2013 15:11, Nikita Leontiev wrote:
>>> Hello,
>>>
>>> BoundsChecker displays allocation conflict error in TortoiseSVN32.dll.
>>> See screenshot for details.
>
>> The debug symbols for TSVN are here:
>> http://www.crash-server.com:8080/public/tsvn/71040F62-F78A-4953-B5B3-5C148349FED7/symsrv

Or let me have an "educated guess", this is in

void CRegStringCommon<Base>::InternalRead

in utils/registry.h

Why?

Here is the disassembly of the function that contains the faulty offset
(and at that offset there is indeed a call to MSVCR100.operator_delete[]
- in case you want to look it up, the base address for TortoiseSVN32.dll
was 5A5B0000):

> | CPU Disasm
> | Address Hex dump Command Comments
> | 5A5CEF40 /. 6A FF PUSH -1
> | 5A5CEF42 |. 68 10F15D5A PUSH 5A5DF110 ; Entry point
> | 5A5CEF47 |. 64:A1 0000000 MOV EAX,DWORD PTR FS:[0]
> | 5A5CEF4D |. 50 PUSH EAX
> | 5A5CEF4E |. 83EC 30 SUB ESP,30
> | 5A5CEF51 |. A1 34E05E5A MOV EAX,DWORD PTR DS:[5A5EE034]
> | 5A5CEF56 |. 33C4 XOR EAX,ESP
> | 5A5CEF58 |. 894424 2C MOV DWORD PTR SS:[LOCAL.3],EAX
> | 5A5CEF5C |. 53 PUSH EBX
> | 5A5CEF5D |. 55 PUSH EBP
> | 5A5CEF5E |. 56 PUSH ESI
> | 5A5CEF5F |. 57 PUSH EDI
> | 5A5CEF60 |. A1 34E05E5A MOV EAX,DWORD PTR DS:[5A5EE034]
> | 5A5CEF65 |. 33C4 XOR EAX,ESP
> | 5A5CEF67 |. 50 PUSH EAX
> | 5A5CEF68 |. 8D4424 44 LEA EAX,[LOCAL.2]
> | 5A5CEF6C |. 64:A3 0000000 MOV DWORD PTR FS:[0],EAX
> | 5A5CEF72 |. 8B4424 58 MOV EAX,DWORD PTR SS:[ARG.2]
> | 5A5CEF76 |. 8B7C24 54 MOV EDI,DWORD PTR SS:[ARG.1]
> | 5A5CEF7A |. 8BF1 MOV ESI,ECX
> | 5A5CEF7C |. 33DB XOR EBX,EBX
> | 5A5CEF7E |. 8D4C24 18 LEA ECX,[LOCAL.13]
> | 5A5CEF82 |. 51 PUSH ECX
> | 5A5CEF83 |. 53 PUSH EBX
> | 5A5CEF84 |. 8D5424 24 LEA EDX,[LOCAL.12]
> | 5A5CEF88 |. 52 PUSH EDX
> | 5A5CEF89 |. 894424 2C MOV DWORD PTR SS:[LOCAL.11],EAX
> | 5A5CEF8D |. 8B06 MOV EAX,DWORD PTR DS:[ESI]
> | 5A5CEF8F |. 8B10 MOV EDX,DWORD PTR DS:[EAX]
> | 5A5CEF91 |. 53 PUSH EBX
> | 5A5CEF92 |. 8D6E 08 LEA EBP,[ESI+8]
> | 5A5CEF95 |. 55 PUSH EBP
> | 5A5CEF96 |. 8BCE MOV ECX,ESI
> | 5A5CEF98 |. 895C24 2C MOV DWORD PTR SS:[LOCAL.13],EBX
> | 5A5CEF9C |. 895C24 30 MOV DWORD PTR SS:[LOCAL.12],EBX
> | 5A5CEFA0 |. FFD2 CALL EDX
> | 5A5CEFA2 |. 50 PUSH EAX ; |Name
> | 5A5CEFA3 |. 57 PUSH EDI ; |hKey
> | 5A5CEFA4 |. FF15 00405E5A CALL DWORD PTR DS:[<&ADVAPI32.RegQueryVa ; \ADVAPI32.RegQueryValueExW
> | 5A5CEFAA |. 8946 40 MOV DWORD PTR DS:[ESI+40],EAX
> | 5A5CEFAD |. 3BC3 CMP EAX,EBX
> | 5A5CEFAF |. 0F85 D5000000 JNE 5A5CF08A
> | 5A5CEFB5 |. 8B4424 18 MOV EAX,DWORD PTR SS:[ESP+18]
> | 5A5CEFB9 |. 3BC3 CMP EAX,EBX
> | 5A5CEFBB |. 74 37 JE SHORT 5A5CEFF4
> | 5A5CEFBD |. 33C9 XOR ECX,ECX
> | 5A5CEFBF |. BA 02000000 MOV EDX,2
> | 5A5CEFC4 |. F7E2 MUL EDX
> | 5A5CEFC6 |. 0F90C1 SETO CL
> | 5A5CEFC9 |. F7D9 NEG ECX
> | 5A5CEFCB |. 0BC1 OR EAX,ECX
> | 5A5CEFCD |. 50 PUSH EAX
> | 5A5CEFCE |. 894424 18 MOV DWORD PTR SS:[ESP+18],EAX
> | 5A5CEFD2 |. E8 37E10000 CALL 5A5DD10E
> | 5A5CEFD7 |. 8BD8 MOV EBX,EAX
> | 5A5CEFD9 |. 83C4 04 ADD ESP,4
> | 5A5CEFDC |. 85DB TEST EBX,EBX
> | 5A5CEFDE |. 74 12 JZ SHORT 5A5CEFF2
> | 5A5CEFE0 |. 8B4424 14 MOV EAX,DWORD PTR SS:[ESP+14]
> | 5A5CEFE4 |. 50 PUSH EAX ; /Arg3
> | 5A5CEFE5 |. 6A 00 PUSH 0 ; |Arg2 = 0
> | 5A5CEFE7 |. 53 PUSH EBX ; |Arg1
> | 5A5CEFE8 |. E8 61E70000 CALL <JMP.&MSVCR100.memset> ; \MSVCR100.memset
> | 5A5CEFED |. 83C4 0C ADD ESP,0C
> | 5A5CEFF0 |. EB 02 JMP SHORT 5A5CEFF4
> | 5A5CEFF2 |> 33DB XOR EBX,EBX
> | 5A5CEFF4 |> 895C24 14 MOV DWORD PTR SS:[ESP+14],EBX
> | 5A5CEFF8 |. 8D4C24 18 LEA ECX,[ESP+18]
> | 5A5CEFFC |. 51 PUSH ECX
> | 5A5CEFFD |. 53 PUSH EBX
> | 5A5CEFFE |. 8D5424 24 LEA EDX,[ESP+24]
> | 5A5CF002 |. 52 PUSH EDX
> | 5A5CF003 |. C74424 58 000 MOV DWORD PTR SS:[ESP+58],0
> | 5A5CF00B |. 8B06 MOV EAX,DWORD PTR DS:[ESI]
> | 5A5CF00D |. 8B10 MOV EDX,DWORD PTR DS:[EAX]
> | 5A5CF00F |. 6A 00 PUSH 0
> | 5A5CF011 |. 55 PUSH EBP
> | 5A5CF012 |. 8BCE MOV ECX,ESI
> | 5A5CF014 |. FFD2 CALL EDX
> | 5A5CF016 |. 50 PUSH EAX ; |Name
> | 5A5CF017 |. 57 PUSH EDI ; |hKey
> | 5A5CF018 |. FF15 00405E5A CALL DWORD PTR DS:[<&ADVAPI32.RegQueryVa ; \ADVAPI32.RegQueryValueExW
> | 5A5CF01E |. 8946 40 MOV DWORD PTR DS:[ESI+40],EAX
> | 5A5CF021 |. 85C0 TEST EAX,EAX
> | 5A5CF023 |. 75 5B JNZ SHORT 5A5CF080
> | 5A5CF025 |. 894424 34 MOV DWORD PTR SS:[ESP+34],EAX
> | 5A5CF029 |. 66:894424 24 MOV WORD PTR SS:[ESP+24],AX
> | 5A5CF02E |. 8BC3 MOV EAX,EBX
> | 5A5CF030 |. C74424 38 070 MOV DWORD PTR SS:[ESP+38],7
> | 5A5CF038 |. 8D50 02 LEA EDX,[EAX+2]
> | 5A5CF03B |. EB 03 JMP SHORT 5A5CF040
> | 5A5CF03D | 8D49 00 LEA ECX,[ECX]
> | 5A5CF040 |> 66:8B08 /MOV CX,WORD PTR DS:[EAX]
> | 5A5CF043 |. 83C0 02 |ADD EAX,2
> | 5A5CF046 |. 66:85C9 |TEST CX,CX
> | 5A5CF049 |.^ 75 F5 \JNZ SHORT 5A5CF040
> | 5A5CF04B |. 2BC2 SUB EAX,EDX
> | 5A5CF04D |. D1F8 SAR EAX,1
> | 5A5CF04F |. 50 PUSH EAX ; /Arg1
> | 5A5CF050 |. 8BC3 MOV EAX,EBX ; |
> | 5A5CF052 |. 8D7424 28 LEA ESI,[ESP+28] ; |
> | 5A5CF056 |. E8 F5A7FEFF CALL 5A5B9850 ; \TortoiseSVN32.5A5B9850
> | 5A5CF05B |. 8BFE MOV EDI,ESI
> | 5A5CF05D |. 8B7424 20 MOV ESI,DWORD PTR SS:[ESP+20]
> | 5A5CF061 |. C64424 4C 01 MOV BYTE PTR SS:[ESP+4C],1
> | 5A5CF066 |. E8 85A2FEFF CALL 5A5B92F0 ; [TortoiseSVN32.5A5B92F0
> | 5A5CF06B |. 837C24 38 08 CMP DWORD PTR SS:[ESP+38],8
> | 5A5CF070 |. 72 0E JB SHORT 5A5CF080
> | 5A5CF072 |. 8B4C24 24 MOV ECX,DWORD PTR SS:[ESP+24]
> | 5A5CF076 |. 51 PUSH ECX ; /Arg1
> | 5A5CF077 |. FF15 84425E5A CALL DWORD PTR DS:[<&MSVCR100.??3_at_YAXPAX ; \MSVCR100.operator_delete
> | 5A5CF07D |. 83C4 04 ADD ESP,4
> | 5A5CF080 |> 53 PUSH EBX ; /Arg1
> | 5A5CF081 |. FF15 70425E5A CALL DWORD PTR DS:[<&MSVCR100.??_V_at_YAXPA ; \MSVCR100.operator_delete[]
> | 5A5CF087 |. 83C4 04 ADD ESP,4
> | 5A5CF08A |> 8B4C24 44 MOV ECX,DWORD PTR SS:[ESP+44]
> | 5A5CF08E |. 64:890D 00000 MOV DWORD PTR FS:[0],ECX
> | 5A5CF095 |. 59 POP ECX
> | 5A5CF096 |. 5F POP EDI
> | 5A5CF097 |. 5E POP ESI
> | 5A5CF098 |. 5D POP EBP
> | 5A5CF099 |. 5B POP EBX
> | 5A5CF09A |. 8B4C24 2C MOV ECX,DWORD PTR SS:[ESP+2C]
> | 5A5CF09E |. 33CC XOR ECX,ESP
> | 5A5CF0A0 |. E8 E5E00000 CALL 5A5DD18A
> | 5A5CF0A5 |. 83C4 3C ADD ESP,3C
> | 5A5CF0A8 \. C2 0800 RETN 8

Big picture: There is a RegQueryValue call, then a long conditional
branch jumping to the end of the function, and then a memset, another
RegQueryValue call with the first parameter the same as before and the
second parameter a result of the same virtual function call as before,
then a delete and a delete[].

But there were too many RegQueryValue calls inside the TortoiseSVN
checkout from http://tortoisesvn.googlecode.com/svn/tags/version-1.7.13,
so I put a breakpoint on there, and found the first two calls when
opening a file open dialog being for OverlayExcludeList and
OverlayIncludeList.

As there are two CRegString constructor calls that use these key names
in SetOverlayPage.cpp, I'd "guess" this is the right call. However, I
cannot tell you where the delete[] call comes from - the template magic
inside that C++ function is too high for me, sorry. I think it may be
caused by assigning the reference &value with a new value, so it has to
delete the old one first, but if that is wrong, please don't complain.

Regards,

Michael
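The function walked through above follows the usual two-call RegQueryValueExW protocol: ask for the size, allocate (the MUL/SETO/NEG/OR sequence is the overflow-checked byte count a compiler emits for an array new of 2-byte elements), memset, query again, build a string, release the buffer. The pairing of the release with the allocation is exactly what a tool such as BoundsChecker checks when it reports an allocation conflict. The following C++ is an added example written for this archive page; it is not TortoiseSVN's code and does not reproduce CRegStringCommon. It assumes a constructed in-memory key and a stand-in FakeRegQueryValueEx that keeps only the buffer/size contract of the real API (no HKEY or type parameter); the error code values are the documented Win32 ones, and the value names and sample data are made up.

```cpp
#include <cstdint>
#include <cstring>
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Win32 error codes the two-call protocol relies on (values as documented by Microsoft).
constexpr std::uint32_t kErrorSuccess      = 0;
constexpr std::uint32_t kErrorFileNotFound = 2;
constexpr std::uint32_t kErrorMoreData     = 234;
constexpr std::uint32_t kUnit = 2;  // bytes per UTF-16 code unit (the "MOV EDX,2" in the disassembly)

// Constructed in-memory stand-in for a registry key: value name -> raw stored bytes.
// Real REG_SZ data is UTF-16LE and is NOT guaranteed to carry a terminating NUL.
using FakeKey = std::map<std::u16string, std::vector<std::uint8_t>>;

// Constructed stand-in for RegQueryValueExW keeping its buffer contract:
// data == nullptr -> report the size in *size; otherwise *size is in/out and
// ERROR_MORE_DATA is returned (with the needed size) when the buffer is too small.
std::uint32_t FakeRegQueryValueEx(const FakeKey& key, const std::u16string& name,
                                  std::uint8_t* data, std::uint32_t* size) {
    auto it = key.find(name);
    if (it == key.end()) return kErrorFileNotFound;
    const std::vector<std::uint8_t>& raw = it->second;
    const std::uint32_t needed = static_cast<std::uint32_t>(raw.size());
    if (data == nullptr) { *size = needed; return kErrorSuccess; }
    if (*size < needed) { *size = needed; return kErrorMoreData; }
    std::memcpy(data, raw.data(), needed);
    *size = needed;
    return kErrorSuccess;
}

// What the MUL/SETO/NEG/OR sequence computes: the byte count for new T[n] with
// sizeof(T)==2, saturated to 0xFFFFFFFF on overflow so the allocation fails
// instead of silently yielding a buffer far smaller than the caller believes.
std::uint32_t SaturatingByteCount(std::uint32_t units) {
    const std::uint64_t bytes = static_cast<std::uint64_t>(units) * kUnit;
    return bytes > 0xFFFFFFFFull ? 0xFFFFFFFFu : static_cast<std::uint32_t>(bytes);
}

// Hardened reader for the size-then-data protocol:
//  - the buffer is a std::vector, so there is no new[]/delete pairing to get wrong;
//  - one extra zeroed code unit guarantees NUL termination even when the stored
//    value has none (the role the memset plays in the disassembly);
//  - ERROR_MORE_DATA is retried, because the value can grow between the two calls;
//  - an odd trailing byte is ignored rather than read as half a code unit.
bool ReadRegString(const FakeKey& key, const std::u16string& name, std::u16string& out) {
    std::uint32_t bytes = 0;
    std::uint32_t rc = FakeRegQueryValueEx(key, name, nullptr, &bytes);
    if (rc != kErrorSuccess) return false;
    std::vector<std::uint8_t> buf;
    for (int attempt = 0; attempt < 4; ++attempt) {
        buf.assign(bytes + kUnit, 0);   // zero-filled, with room for a terminator
        std::uint32_t got = bytes;
        rc = FakeRegQueryValueEx(key, name, buf.data(), &got);
        bytes = got;                    // on ERROR_MORE_DATA this is the new required size
        if (rc != kErrorMoreData) break;
    }
    if (rc != kErrorSuccess) return false;
    // Copy whole code units only, stopping at the first NUL (the wcslen-style loop in the disassembly).
    out.clear();
    for (std::uint32_t i = 0; i + kUnit <= bytes; i += kUnit) {
        const char16_t c = static_cast<char16_t>(buf[i] | (buf[i + 1] << 8));
        if (c == 0) break;
        out.push_back(c);
    }
    return true;
}

// Encodes a string as UTF-16LE bytes, optionally without the terminating NUL,
// to populate the constructed key the way the registry stores REG_SZ data.
std::vector<std::uint8_t> Utf16Bytes(const std::u16string& s, bool terminate) {
    std::vector<std::uint8_t> v;
    for (char16_t c : s) {
        v.push_back(static_cast<std::uint8_t>(c & 0xFF));
        v.push_back(static_cast<std::uint8_t>(c >> 8));
    }
    if (terminate) { v.push_back(0); v.push_back(0); }
    return v;
}

// Constructed sample key: the two value names mentioned in the mail plus edge cases.
FakeKey SampleKey() {
    FakeKey key;
    key[u"OverlayExcludeList"] = Utf16Bytes(u"*.tmp;*.bak", true);  // well-formed, terminated
    key[u"OverlayIncludeList"] = Utf16Bytes(u"C:\\work", false);     // stored without NUL
    key[u"OddBytes"] = Utf16Bytes(u"xy", false);
    key[u"OddBytes"].push_back(0x41);                                 // corrupt: 5 bytes of "UTF-16"
    return key;
}

// Convenience wrapper so results can be compared directly.
std::u16string ReadOrEmpty(const FakeKey& key, const std::u16string& name) {
    std::u16string s;
    return ReadRegString(key, name, s) ? s : std::u16string();
}

int main() {
    const FakeKey key = SampleKey();
    const char16_t* const names[] = {u"OverlayExcludeList", u"OverlayIncludeList", u"OddBytes", u"Missing"};
    for (const char16_t* name : names)
        std::cout << "value read: " << ReadOrEmpty(key, name).size() << " code unit(s)\n";
    std::cout << "byte count for 0x80000000 code units: 0x" << std::hex
              << SaturatingByteCount(0x80000000u) << '\n';
    return 0;
}
```

Using a container for the scratch buffer removes the whole class of mismatched new[]/delete reports, and the retry on ERROR_MORE_DATA closes the window between the size query and the read that a fixed two-call sequence leaves open.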

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3056908

Received on 2013-06-02 15:59:55 CEST

This is an archived mail posted to the TortoiseSVN Users mailing list.