
Re: Memory allocation conflict

From: Stefan Küng <tortoisesvn_at_gmail.com>
Date: Sun, 02 Jun 2013 18:17:39 +0200

On 02.06.2013 15:59, Michael Schierl wrote:
> On 02.06.2013 14:01, Michael Schierl wrote:
>> On 01.06.2013 15:28, Stefan Küng wrote:
>>> On 01.06.2013 15:11, Nikita Leontiev wrote:
>>>> Hello,
>>>>
>>>> BoundsChecker displays allocation conflict error in TortoiseSVN32.dll.
>>>> See screenshot for details.
>>
>>> The debug symbols for TSVN are here:
>>> http://www.crash-server.com:8080/public/tsvn/71040F62-F78A-4953-B5B3-5C148349FED7/symsrv
>
> Or let me have an "educated guess", this is in
>
> void CRegStringCommon<Base>::InternalRead
>
> in utils/registry.h
>
> Why?
>
> Here is the disassembly of the function that contains the faulty offset
> (and at that offset there is indeed a call to MSVCR100.operator_delete[]
> - in case you want to look it up, the base address for TortoiseSVN32.dll
> was 5A5B0000):
>
>> | CPU Disasm
>> | Address Hex dump Command Comments
>> | 5A5CEF40 /. 6A FF PUSH -1
>> | 5A5CEF42 |. 68 10F15D5A PUSH 5A5DF110 ; Entry point
>> | 5A5CEF47 |. 64:A1 0000000 MOV EAX,DWORD PTR FS:[0]
>> | 5A5CEF4D |. 50 PUSH EAX
>> | 5A5CEF4E |. 83EC 30 SUB ESP,30
>> | 5A5CEF51 |. A1 34E05E5A MOV EAX,DWORD PTR DS:[5A5EE034]
>> | 5A5CEF56 |. 33C4 XOR EAX,ESP
>> | 5A5CEF58 |. 894424 2C MOV DWORD PTR SS:[LOCAL.3],EAX
>> | 5A5CEF5C |. 53 PUSH EBX
>> | 5A5CEF5D |. 55 PUSH EBP
>> | 5A5CEF5E |. 56 PUSH ESI
>> | 5A5CEF5F |. 57 PUSH EDI
>> | 5A5CEF60 |. A1 34E05E5A MOV EAX,DWORD PTR DS:[5A5EE034]
>> | 5A5CEF65 |. 33C4 XOR EAX,ESP
>> | 5A5CEF67 |. 50 PUSH EAX
>> | 5A5CEF68 |. 8D4424 44 LEA EAX,[LOCAL.2]
>> | 5A5CEF6C |. 64:A3 0000000 MOV DWORD PTR FS:[0],EAX
>> | 5A5CEF72 |. 8B4424 58 MOV EAX,DWORD PTR SS:[ARG.2]
>> | 5A5CEF76 |. 8B7C24 54 MOV EDI,DWORD PTR SS:[ARG.1]
>> | 5A5CEF7A |. 8BF1 MOV ESI,ECX
>> | 5A5CEF7C |. 33DB XOR EBX,EBX
>> | 5A5CEF7E |. 8D4C24 18 LEA ECX,[LOCAL.13]
>> | 5A5CEF82 |. 51 PUSH ECX
>> | 5A5CEF83 |. 53 PUSH EBX
>> | 5A5CEF84 |. 8D5424 24 LEA EDX,[LOCAL.12]
>> | 5A5CEF88 |. 52 PUSH EDX
>> | 5A5CEF89 |. 894424 2C MOV DWORD PTR SS:[LOCAL.11],EAX
>> | 5A5CEF8D |. 8B06 MOV EAX,DWORD PTR DS:[ESI]
>> | 5A5CEF8F |. 8B10 MOV EDX,DWORD PTR DS:[EAX]
>> | 5A5CEF91 |. 53 PUSH EBX
>> | 5A5CEF92 |. 8D6E 08 LEA EBP,[ESI+8]
>> | 5A5CEF95 |. 55 PUSH EBP
>> | 5A5CEF96 |. 8BCE MOV ECX,ESI
>> | 5A5CEF98 |. 895C24 2C MOV DWORD PTR SS:[LOCAL.13],EBX
>> | 5A5CEF9C |. 895C24 30 MOV DWORD PTR SS:[LOCAL.12],EBX
>> | 5A5CEFA0 |. FFD2 CALL EDX
>> | 5A5CEFA2 |. 50 PUSH EAX ; |Name
>> | 5A5CEFA3 |. 57 PUSH EDI ; |hKey
>> | 5A5CEFA4 |. FF15 00405E5A CALL DWORD PTR DS:[<&ADVAPI32.RegQueryVa ; \ADVAPI32.RegQueryValueExW
>> | 5A5CEFAA |. 8946 40 MOV DWORD PTR DS:[ESI+40],EAX
>> | 5A5CEFAD |. 3BC3 CMP EAX,EBX
>> | 5A5CEFAF |. 0F85 D5000000 JNE 5A5CF08A
>> | 5A5CEFB5 |. 8B4424 18 MOV EAX,DWORD PTR SS:[ESP+18]
>> | 5A5CEFB9 |. 3BC3 CMP EAX,EBX
>> | 5A5CEFBB |. 74 37 JE SHORT 5A5CEFF4
>> | 5A5CEFBD |. 33C9 XOR ECX,ECX
>> | 5A5CEFBF |. BA 02000000 MOV EDX,2
>> | 5A5CEFC4 |. F7E2 MUL EDX
>> | 5A5CEFC6 |. 0F90C1 SETO CL
>> | 5A5CEFC9 |. F7D9 NEG ECX
>> | 5A5CEFCB |. 0BC1 OR EAX,ECX
>> | 5A5CEFCD |. 50 PUSH EAX
>> | 5A5CEFCE |. 894424 18 MOV DWORD PTR SS:[ESP+18],EAX
>> | 5A5CEFD2 |. E8 37E10000 CALL 5A5DD10E
>> | 5A5CEFD7 |. 8BD8 MOV EBX,EAX
>> | 5A5CEFD9 |. 83C4 04 ADD ESP,4
>> | 5A5CEFDC |. 85DB TEST EBX,EBX
>> | 5A5CEFDE |. 74 12 JZ SHORT 5A5CEFF2
>> | 5A5CEFE0 |. 8B4424 14 MOV EAX,DWORD PTR SS:[ESP+14]
>> | 5A5CEFE4 |. 50 PUSH EAX ; /Arg3
>> | 5A5CEFE5 |. 6A 00 PUSH 0 ; |Arg2 = 0
>> | 5A5CEFE7 |. 53 PUSH EBX ; |Arg1
>> | 5A5CEFE8 |. E8 61E70000 CALL <JMP.&MSVCR100.memset> ; \MSVCR100.memset
>> | 5A5CEFED |. 83C4 0C ADD ESP,0C
>> | 5A5CEFF0 |. EB 02 JMP SHORT 5A5CEFF4
>> | 5A5CEFF2 |> 33DB XOR EBX,EBX
>> | 5A5CEFF4 |> 895C24 14 MOV DWORD PTR SS:[ESP+14],EBX
>> | 5A5CEFF8 |. 8D4C24 18 LEA ECX,[ESP+18]
>> | 5A5CEFFC |. 51 PUSH ECX
>> | 5A5CEFFD |. 53 PUSH EBX
>> | 5A5CEFFE |. 8D5424 24 LEA EDX,[ESP+24]
>> | 5A5CF002 |. 52 PUSH EDX
>> | 5A5CF003 |. C74424 58 000 MOV DWORD PTR SS:[ESP+58],0
>> | 5A5CF00B |. 8B06 MOV EAX,DWORD PTR DS:[ESI]
>> | 5A5CF00D |. 8B10 MOV EDX,DWORD PTR DS:[EAX]
>> | 5A5CF00F |. 6A 00 PUSH 0
>> | 5A5CF011 |. 55 PUSH EBP
>> | 5A5CF012 |. 8BCE MOV ECX,ESI
>> | 5A5CF014 |. FFD2 CALL EDX
>> | 5A5CF016 |. 50 PUSH EAX ; |Name
>> | 5A5CF017 |. 57 PUSH EDI ; |hKey
>> | 5A5CF018 |. FF15 00405E5A CALL DWORD PTR DS:[<&ADVAPI32.RegQueryVa ; \ADVAPI32.RegQueryValueExW
>> | 5A5CF01E |. 8946 40 MOV DWORD PTR DS:[ESI+40],EAX
>> | 5A5CF021 |. 85C0 TEST EAX,EAX
>> | 5A5CF023 |. 75 5B JNZ SHORT 5A5CF080
>> | 5A5CF025 |. 894424 34 MOV DWORD PTR SS:[ESP+34],EAX
>> | 5A5CF029 |. 66:894424 24 MOV WORD PTR SS:[ESP+24],AX
>> | 5A5CF02E |. 8BC3 MOV EAX,EBX
>> | 5A5CF030 |. C74424 38 070 MOV DWORD PTR SS:[ESP+38],7
>> | 5A5CF038 |. 8D50 02 LEA EDX,[EAX+2]
>> | 5A5CF03B |. EB 03 JMP SHORT 5A5CF040
>> | 5A5CF03D | 8D49 00 LEA ECX,[ECX]
>> | 5A5CF040 |> 66:8B08 /MOV CX,WORD PTR DS:[EAX]
>> | 5A5CF043 |. 83C0 02 |ADD EAX,2
>> | 5A5CF046 |. 66:85C9 |TEST CX,CX
>> | 5A5CF049 |.^ 75 F5 \JNZ SHORT 5A5CF040
>> | 5A5CF04B |. 2BC2 SUB EAX,EDX
>> | 5A5CF04D |. D1F8 SAR EAX,1
>> | 5A5CF04F |. 50 PUSH EAX ; /Arg1
>> | 5A5CF050 |. 8BC3 MOV EAX,EBX ; |
>> | 5A5CF052 |. 8D7424 28 LEA ESI,[ESP+28] ; |
>> | 5A5CF056 |. E8 F5A7FEFF CALL 5A5B9850 ; \TortoiseSVN32.5A5B9850
>> | 5A5CF05B |. 8BFE MOV EDI,ESI
>> | 5A5CF05D |. 8B7424 20 MOV ESI,DWORD PTR SS:[ESP+20]
>> | 5A5CF061 |. C64424 4C 01 MOV BYTE PTR SS:[ESP+4C],1
>> | 5A5CF066 |. E8 85A2FEFF CALL 5A5B92F0 ; [TortoiseSVN32.5A5B92F0
>> | 5A5CF06B |. 837C24 38 08 CMP DWORD PTR SS:[ESP+38],8
>> | 5A5CF070 |. 72 0E JB SHORT 5A5CF080
>> | 5A5CF072 |. 8B4C24 24 MOV ECX,DWORD PTR SS:[ESP+24]
>> | 5A5CF076 |. 51 PUSH ECX ; /Arg1
>> | 5A5CF077 |. FF15 84425E5A CALL DWORD PTR DS:[<&MSVCR100.??3_at_YAXPAX ; \MSVCR100.operator_delete
>> | 5A5CF07D |. 83C4 04 ADD ESP,4
>> | 5A5CF080 |> 53 PUSH EBX ; /Arg1
>> | 5A5CF081 |. FF15 70425E5A CALL DWORD PTR DS:[<&MSVCR100.??_V_at_YAXPA ; \MSVCR100.operator_delete[]
>> | 5A5CF087 |. 83C4 04 ADD ESP,4
>> | 5A5CF08A |> 8B4C24 44 MOV ECX,DWORD PTR SS:[ESP+44]
>> | 5A5CF08E |. 64:890D 00000 MOV DWORD PTR FS:[0],ECX
>> | 5A5CF095 |. 59 POP ECX
>> | 5A5CF096 |. 5F POP EDI
>> | 5A5CF097 |. 5E POP ESI
>> | 5A5CF098 |. 5D POP EBP
>> | 5A5CF099 |. 5B POP EBX
>> | 5A5CF09A |. 8B4C24 2C MOV ECX,DWORD PTR SS:[ESP+2C]
>> | 5A5CF09E |. 33CC XOR ECX,ESP
>> | 5A5CF0A0 |. E8 E5E00000 CALL 5A5DD18A
>> | 5A5CF0A5 |. 83C4 3C ADD ESP,3C
>> | 5A5CF0A8 \. C2 0800 RETN 8
>
> Big picture: There is a RegQueryValue call, then a long conditional
> branch jumping to the end of the function, and then a memset, another
> RegQueryValue call with the first parameter the same as before and the
> second parameter a result of the same virtual function call as before,
> then a delete and a delete[].
>
> But there were too many RegQueryValue calls inside the TortoiseSVN
> checkout from http://tortoisesvn.googlecode.com/svn/tags/version-1.7.13,
> so I put a breakpoint on there, and found the first two calls when
> opening a file open dialog being for OverlayExcludeList and
> OverlayIncludeList.
>
> As there are two CRegString constructor calls that use these key names
> in SetOverlayPage.cpp, I'd "guess" this is the right call. However, I
> cannot tell you where the delete[] call comes from - the template magic
> inside that C++ function is too high for me, sorry. I think it may be
> caused by assigning the reference &value with a new value, so it has to
> delete the old one first, but if that is wrong, please don't complain.

In that case: the problem is fixed on trunk since we don't use
new/delete anymore but std::unique_ptr.

Stefan

-- 
        ___
   oo  // \\      "De Chelonian Mobile"
  (_,\/ \_/ \     TortoiseSVN
    \ \_/_\_/>    The coolest interface to (Sub)version control
    /_/   \_\     http://tortoisesvn.net
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3056921
Received on 2013-06-02 18:17:54 CEST
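The disassembly above shows the classic two-call RegQueryValueExW pattern (query the size, allocate, zero the buffer, query again) followed by a delete and a delete[], and Stefan's reply says trunk replaced the manual new/delete with std::unique_ptr. The block below is an added example, not TortoiseSVN's CRegStringCommon code: it reproduces that two-call pattern against a constructed in-memory stand-in for RegQueryValueExW (so it builds and runs without the Windows SDK; FakeKey, fakeRegQueryValueExW, sampleKey, readRegString and the value names are all assumptions) and lets std::unique_ptr<wchar_t[]> own the buffer, so every early return frees it exactly once with delete[] and no path can delete it twice or with the wrong deallocator. It also handles the REG_SZ edge cases the manual version must get right: a value stored without a terminating NUL, an empty value, and a value that grows between the two calls.

```cpp
#include <cstdint>
#include <cstring>
#include <initializer_list>
#include <iostream>
#include <map>
#include <memory>
#include <string>

// Constructed stand-in for an open registry key: value name -> the raw code
// units of a REG_SZ value, exactly as the real API would copy them out
// (possibly WITHOUT a terminating NUL). sizeof(wchar_t) is 2 on Windows and
// 4 on Linux; the byte counts below use sizeof(wchar_t) so both work.
using FakeKey = std::map<std::wstring, std::wstring>;

// Status codes mirroring the Windows values the real call returns.
enum : long { kSuccess = 0, kFileNotFound = 2, kMoreData = 234 };

// Assumed stand-in that follows the RegQueryValueExW contract:
//  - data == nullptr: report the value size in *bytes* via *cbData
//  - otherwise: copy up to *cbData bytes, or fail with ERROR_MORE_DATA and
//    report the size actually needed.
long fakeRegQueryValueExW(const FakeKey& key, const wchar_t* name,
                          unsigned char* data, std::uint32_t* cbData) {
    auto it = key.find(name);
    if (it == key.end()) return kFileNotFound;
    const std::uint32_t needed =
        static_cast<std::uint32_t>(it->second.size() * sizeof(wchar_t));
    if (data == nullptr) { *cbData = needed; return kSuccess; }
    if (*cbData < needed) { *cbData = needed; return kMoreData; }
    std::memcpy(data, it->second.data(), needed);
    *cbData = needed;
    return kSuccess;
}

struct ReadResult {
    long status = 0;       // kSuccess, or the error from either query
    std::wstring value;    // the string, NUL-terminated or not in the store
};

// Two-call read with RAII ownership of the temporary buffer.
ReadResult readRegString(const FakeKey& key, const wchar_t* name) {
    ReadResult r;
    std::uint32_t cb = 0;
    r.status = fakeRegQueryValueExW(key, name, nullptr, &cb);   // 1st call: size
    if (r.status != kSuccess) return r;

    // Round the byte count up to whole wchar_t units and reserve one extra
    // unit so the buffer is NUL-terminated even if the stored value is not.
    const std::size_t units =
        cb / sizeof(wchar_t) + (cb % sizeof(wchar_t) ? 1 : 0) + 1;
    // "()" value-initialises: this is the memset seen in the disassembly.
    std::unique_ptr<wchar_t[]> buf(new wchar_t[units]());

    std::uint32_t cb2 = static_cast<std::uint32_t>((units - 1) * sizeof(wchar_t));
    r.status = fakeRegQueryValueExW(                            // 2nd call: data
        key, name, reinterpret_cast<unsigned char*>(buf.get()), &cb2);
    // If the value grew between the calls this is kMoreData; the buffer is
    // still released exactly once by unique_ptr's delete[] on this return.
    if (r.status != kSuccess) return r;

    // Stop at the first NUL or at the end of the data, whichever comes first.
    std::size_t n = 0;
    while (n < units - 1 && buf[n] != L'\0') ++n;
    r.value.assign(buf.get(), n);
    return r;   // buf freed here as well; no manual delete/delete[] anywhere
}

// Constructed sample key (assumption): the two value names seen in the
// thread, one stored with its NUL and one without, plus an empty value.
FakeKey sampleKey() {
    FakeKey k;
    k[L"OverlayExcludeList"] = L"C:\\Windows\\*";              // no trailing NUL
    k[L"OverlayIncludeList"] = std::wstring(L"C:\\src\\", 8);  // 7 chars + NUL
    k[L"Empty"] = L"";
    return k;
}

int main() {
    const FakeKey key = sampleKey();
    for (const wchar_t* name :
         {L"OverlayExcludeList", L"OverlayIncludeList", L"Empty", L"Missing"}) {
        const ReadResult r = readRegString(key, name);
        std::cout << "status=" << r.status << " length=" << r.value.size() << '\n';
    }
    return 0;
}
```

The point of the design is that the only object with a destructor to run is the unique_ptr, so the three return statements in readRegString share one deallocation path; with a raw `new wchar_t[]` each of them needs its own `delete[]`, and a mismatched or duplicated one is exactly the kind of defect an allocation checker such as BoundsChecker reports at the `operator delete[]` call.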

This is an archived mail posted to the TortoiseSVN Users mailing list.
