[ https://jira.reactos.org/browse/CORE-14449?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Thomas Faber updated CORE-14449:
--------------------------------
Status: Open (was: Untriaged)
Component/s: NTCore
Priority: Critical (was: Major)
Module: ntoskrnl ke hal
--
This message was sent by Atlassian JIRA
(v7.3.2#73013)

[ https://jira.reactos.org/browse/CORE-14449?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=102645#comment-102645 ]

Serge Gautherie commented on CORE-14449:
----------------------------------------

Similar:
{{Mar 09 19:13 45ed51c1ba0b... failure #19709}}
{noformat}
Eip:
<NTOSKRNL.EXE:14c335 (:0 (RtlpBreakWithStatusInstruction))>
Frames:
<NTOSKRNL.EXE:8813d (ntoskrnl/ke/bug.c:1100 (KeBugCheckWithTf))>
<NTOSKRNL.EXE:12b4df (ntoskrnl/ke/i386/exp.c:1144 (KiSystemFatalException))>
<NTOSKRNL.EXE:12f563 (ntoskrnl/ke/i386/traphdlr.c:856 (KiTrap08Handler))>
<NTOSKRNL.EXE:335e (:0 (KiTrap08))>
<uniata.sys:148a>
<uniata.sys:f2e1>
<uniata.sys:4fd1>
<uniata.sys:c70b>
<scsiport.sys:1442>
<NTOSKRNL.EXE:12b6cb (sdk/include/crt/mingw32/intrin_x86.h:95 (KiInterruptDispatch))>
<NTOSKRNL.EXE:12baee (ntoskrnl/ke/i386/irqobj.c:315 (KiInterruptTemplateHandler))>
<f77db1a8>
<HAL.DLL:9e7a (hal/halx86/up/pic.c:377 (HalpHardwareInterrupt14))>
<HAL.DLL:a7c9 (hal/halx86/up/pic.c:1184 (HalEndSystemInterrupt2))>
<HAL.DLL:adfd (:0 (HalEndSystemInterrupt))>
<HAL.DLL:9afb (hal/halx86/generic/timer.c:176 (HalpClockInterruptHandler))>
<HAL.DLL:ad42 (:0 (HalpClockInterrupt))>
<NTOSKRNL.EXE:12cd16 (sdk/include/crt/mingw32/intrin_x86.h:1682 (KiSwapContextExit))>
<NTOSKRNL.EXE:28bc (:0 (KiSwitchThreads))>
<HAL.DLL:a2ce (hal/halx86/up/pic.c:1278 (HalpDispatchInterrupt2ndEntry))>
<f77ddca0>
...
<f77ddca0>
<b244dd98>
<f77ddc83>
<NTOSKRNL.EXE:12baee (ntoskrnl/ke/i386/irqobj.c:315 (KiInterruptTemplateHandler))>
<f77ddd5c>
<NTOSKRNL.EXE:df44a (ntoskrnl/mm/ARM3/zeropage.c:104 (MmZeroPageThread))>
<NTOSKRNL.EXE:34c12 (ntoskrnl/ex/init.c:2018 (Phase1Initialization))>
<NTOSKRNL.EXE:115604 (ntoskrnl/ps/thread.c:156 (PspSystemThreadStartup))>
<NTOSKRNL.EXE:12c949 (ntoskrnl/ke/i386/thrdini.c:78 (KiThreadStartup))>
<NTOSKRNL.EXE:1155cb (ntoskrnl/ps/state.c:565 (NtQueueApcThread))>
<5d8950ec>
<01000002>
Couldn't access memory at 0x51000004!
{noformat}
--
This message was sent by Atlassian JIRA
(v7.3.2#73013)

[ https://jira.reactos.org/browse/CORE-14449?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=102703#comment-102703 ]

Serge Gautherie commented on CORE-14449:
----------------------------------------

{{14:52 82fba961cd59... failure #19745}}
--
This message was sent by Atlassian JIRA
(v7.3.2#73013)

[ https://jira.reactos.org/browse/CORE-14449?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=102703#comment-102703 ]

Serge Gautherie edited comment on CORE-14449 at 3/15/18 9:14 PM:
-----------------------------------------------------------------

{{Mar 15 14:52 82fba961cd59... failure #19745}}



was (Author: serge gautherie):
{{14:52 82fba961cd59... failure #19745}}
--
This message was sent by Atlassian JIRA
(v7.3.2#73013)

[ https://jira.reactos.org/browse/CORE-14449?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=103169#comment-103169 ]

Serge Gautherie commented on CORE-14449:
----------------------------------------

This issue is also triggered while testing CORE-14349 recent patches, "reliably"...
--
This message was sent by Atlassian JIRA
(v7.3.2#73013)

[ https://jira.reactos.org/browse/CORE-14449?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=103210#comment-103210 ]

Serge Gautherie commented on CORE-14449:
----------------------------------------

{{Apr 07 21:04 9ea2783e5640... retry #20131}}
--
This message was sent by Atlassian JIRA
(v7.3.2#73013)

[ https://jira.reactos.org/browse/CORE-14449?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Thomas Faber reassigned CORE-14449:
-----------------------------------

Assignee: Thomas Faber
--
This message was sent by Atlassian JIRA
(v7.3.2#73013)

[ https://jira.reactos.org/browse/CORE-14449?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Thomas Faber updated CORE-14449:
--------------------------------
Attachment: ke-interrupt-stack-debug.patch
--
This message was sent by Atlassian JIRA
(v7.3.2#73013)

[ https://jira.reactos.org/browse/CORE-14449?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Thomas Faber updated CORE-14449:
--------------------------------
Attachment: ke-interrupt-stack-debug.patch
--
This message was sent by Atlassian JIRA
(v7.3.2#73013)

[ https://jira.reactos.org/browse/CORE-14449?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=103236#comment-103236 ]

Thomas Faber commented on CORE-14449:
-------------------------------------

Alright, the problem is that the stack cleanup done by HalEndSystemInterrupt/HalpEndSoftwareInterrupt is not enough.
DEFINE_END_INTERRUPT_WRAPPER in pic.S knows how to clean up the function's own return address and parameters, however these functions are called from other C functions that have a stack frame and local variables. And this is exactly what we see when the stack overflow happens:
{noformat}
HalpDispatchInterrupt2ndEntry
ebp ret local2 local1 ebx esi ebp ret
(ntoskrnl/ke/i386/irqobj.c:255) F77DC174: F77DC18C 802742E3 F77DC198 80274DF5 F77DDC70 00000000 F77DC198 F77DDC70 802742E3 = HalpDispatchInterrupt2ndEntry, 80274DF5 = HalpEndSoftwareInterrupt
ebp ret ebp ret ebp
(ntoskrnl/ke/i386/irqobj.c:255) F77DC194: 00000000 F77DC1A4 F77DDC70 00000000 F77DC1B0 F77DDC70 00000000 F77DC1BC
ret ebp ret ebp ret
(ntoskrnl/ke/i386/irqobj.c:255) F77DC1B4: F77DDC70 00000000 F77DC1C8 F77DDC70 00000000 F77DC1D4 F77DDC70 00000000
ebp ret ebp ret ebp ret
(ntoskrnl/ke/i386/irqobj.c:255) F77DC1D4: F77DC1E0 F77DDC70 00000000 F77DC1EC F77DDC70 00000000 F77DC1F8 F77DDC70
ebp ret ebp ret ebp
(ntoskrnl/ke/i386/irqobj.c:255) F77DC1F4: 00000000 F77DC204 F77DDC70 00000000 F77DC210 F77DDC70 00000000 F77DC21C
{noformat}

These are repeated instances of {{push ebp; mov ebp, esp; sub esp, 8}} as found, for example, in HalpDispatchInterrupt2ndEntry:
{code}
HalpDispatchInterrupt2ndEntry:
0001A2BE: 55 push ebp
0001A2BF: 89 E5 mov ebp,esp
0001A2C1: 56 push esi
0001A2C2: 53 push ebx
0001A2C3: 83 EC 08 sub esp,8
0001A2C6: 89 CB mov ebx,ecx
0001A2C8: 0F B6 35 24 F0 DF movzx esi,byte ptr ds:[FFDFF024h]
FF
0001A2CF: C6 05 24 F0 DF FF mov byte ptr ds:[FFDFF024h],2
02
0001A2D6: 83 25 28 F0 DF FF and dword ptr ds:[FFDFF028h],0FFFFFFFBh
FB
0001A2DD: FB sti
0001A2DE: E8 FD 12 00 00 call 0001B5E0 <KiDispatchInterrupt>
0001A2E3: FA cli
0001A2E4: 89 5C 24 04 mov dword ptr [esp+4],ebx
0001A2E8: 81 E6 FF 00 00 00 and esi,0FFh
0001A2EE: 89 34 24 mov dword ptr [esp],esi
0001A2F1: E8 F2 0A 00 00 call 0001ADE8 <HalpEndSoftwareInterrupt>
0001A2F6: 83 EC 08 sub esp,8
0001A2F9: 89 D9 mov ecx,ebx
0001A2FB: E8 98 12 00 00 call 0001B598 <KiEoiHelper>
{code}

So the fix is that HalEndSystemInterrupt and HalpEndSoftwareInterrupt must only ever be called from assembly code.
--
This message was sent by Atlassian JIRA
(v7.3.2#73013)

[ https://jira.reactos.org/browse/CORE-14449?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Thomas Faber updated CORE-14449:
--------------------------------
Attachment: hal-trapframe-cleanup.patch
--
This message was sent by Atlassian JIRA
(v7.3.2#73013)

[ https://jira.reactos.org/browse/CORE-14449?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Thomas Faber updated CORE-14449:
--------------------------------
Fix Version/s: 0.4.9

Alright, no crash with [^hal-trapframe-cleanup.patch]!
Simpler fix: reset the stack pointer to the location of the trap frame.

https://reactos.org/testman/compare.php?ids=60085,60188 (merge-base of Pierre's Cc branch against branch+patch)
https://reactos.org/testman/compare.php?ids=60184,60191 (master against master+patch)

Looks like that's a winner.
--
This message was sent by Atlassian JIRA
(v7.3.2#73013)

[ https://jira.reactos.org/browse/CORE-14449?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Thomas Faber resolved CORE-14449.
---------------------------------
Resolution: Fixed

Fixed in fc9bc9390d.
--
This message was sent by Atlassian JIRA
(v7.3.2#73013)

[ https://jira.reactos.org/browse/CORE-14449?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=103288#comment-103288 ]

Serge Gautherie commented on CORE-14449:
----------------------------------------

Great!

--

There seems to be typos in commit comment and code comment.
I assume
{code:c}
42 /* We got a pointer to call. Since it won't return, reset the stack to
43 the location of the stack frame. This frees up our own stack as well
44 as that of the functions above us, and avoids an overflow due to
45 excessive recursion.
46 The next function takes the trap frame as its (fastcall) argument. */
{code}
should be
{{... reset the stack +pointer+ to the location of the +trap+ frame ...}}
shouldn't it?
--
This message was sent by Atlassian JIRA
(v7.3.2#73013)

[ https://jira.reactos.org/browse/CORE-14449?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=103939#comment-103939 ]

Serge Gautherie commented on CORE-14449:
----------------------------------------

I completed the history of occurrences, which confirms this issue did not happen again.
--
This message was sent by Atlassian JIRA
(v7.3.2#73013)

[ https://jira.reactos.org/browse/CORE-14449?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=103923#comment-103923 ]

Thomas Faber commented on CORE-14449:
-------------------------------------

Are you expecting me to read all these comment edits to find the difference? If there are still issues, please file a new ticket. Otherwise try to leave resolved tickets alone, it's not important for every comment in Jira to be perfect. Thanks.
--
This message was sent by Atlassian JIRA
(v7.3.2#73013)

[ https://jira.reactos.org/browse/CORE-14449?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=103288#comment-103288 ]

Serge Gautherie edited comment on CORE-14449 at 5/10/18 2:25 AM:
-----------------------------------------------------------------

Your patches: 20155 (*3), 20157 (*6).

Same or similar: [Apr 12 01:32 1afc87ee572d... success #20174|https://build.reactos.org/builders/Test%20KVM/builds/20174]

---

??Fixed in fc9bc9390d.??

Great!

--

There seems to be typos in commit comment and code comment.
I assume
{code:c}
42 /* We got a pointer to call. Since it won't return, reset the stack to
43 the location of the stack frame. This frees up our own stack as well
44 as that of the functions above us, and avoids an overflow due to
45 excessive recursion.
46 The next function takes the trap frame as its (fastcall) argument. */
{code}
should be
{{... reset the stack +pointer+ to the location of the +trap+ frame ...}}
shouldn't it?



was (Author: serge gautherie):
Great!

--

There seems to be typos in commit comment and code comment.
I assume
{code:c}
42 /* We got a pointer to call. Since it won't return, reset the stack to
43 the location of the stack frame. This frees up our own stack as well
44 as that of the functions above us, and avoids an overflow due to
45 excessive recursion.
46 The next function takes the trap frame as its (fastcall) argument. */
{code}
should be
{{... reset the stack +pointer+ to the location of the +trap+ frame ...}}
shouldn't it?
--
This message was sent by Atlassian JIRA
(v7.3.2#73013)

[ https://jira.reactos.org/browse/CORE-14449?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=103210#comment-103210 ]

Serge Gautherie edited comment on CORE-14449 at 5/10/18 2:22 AM:
-----------------------------------------------------------------

{{Apr 07 21:04 9ea2783e5640... retry #20131}}

--

Same or similar: 20144.



was (Author: serge gautherie):
{{Apr 07 21:04 9ea2783e5640... retry #20131}}
--
This message was sent by Atlassian JIRA
(v7.3.2#73013)

[ https://jira.reactos.org/browse/CORE-14449?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=103169#comment-103169 ]

Serge Gautherie edited comment on CORE-14449 at 5/10/18 2:21 AM:
-----------------------------------------------------------------

This issue is also triggered while testing CORE-14349 recent patches, "reliably"...

CORE-14349 patches: 20066 (*2), 20109-20110 (*4), 20114, 20117, 20142 (*3).


was (Author: serge gautherie):
This issue is also triggered while testing CORE-14349 recent patches, "reliably"...
--
This message was sent by Atlassian JIRA
(v7.3.2#73013)

[ https://jira.reactos.org/browse/CORE-14449?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=102703#comment-102703 ]

Serge Gautherie edited comment on CORE-14449 at 5/10/18 2:20 AM:
-----------------------------------------------------------------

{{Mar 15 14:52 82fba961cd59... failure #19745}}

--

Same or similar: 19782.



was (Author: serge gautherie):
{{Mar 15 14:52 82fba961cd59... failure #19745}}
--
This message was sent by Atlassian JIRA
(v7.3.2#73013)

[ https://jira.reactos.org/browse/CORE-14449?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=102645#comment-102645 ]

Serge Gautherie edited comment on CORE-14449 at 5/10/18 2:14 AM:
-----------------------------------------------------------------

Same or similar: 19650.

--

Similar:
{{Mar 09 19:13 45ed51c1ba0b... failure #19709}}
{noformat}
Eip:
<NTOSKRNL.EXE:14c335 (:0 (RtlpBreakWithStatusInstruction))>
Frames:
<NTOSKRNL.EXE:8813d (ntoskrnl/ke/bug.c:1100 (KeBugCheckWithTf))>
<NTOSKRNL.EXE:12b4df (ntoskrnl/ke/i386/exp.c:1144 (KiSystemFatalException))>
<NTOSKRNL.EXE:12f563 (ntoskrnl/ke/i386/traphdlr.c:856 (KiTrap08Handler))>
<NTOSKRNL.EXE:335e (:0 (KiTrap08))>
<uniata.sys:148a>
<uniata.sys:f2e1>
<uniata.sys:4fd1>
<uniata.sys:c70b>
<scsiport.sys:1442>
<NTOSKRNL.EXE:12b6cb (sdk/include/crt/mingw32/intrin_x86.h:95 (KiInterruptDispatch))>
<NTOSKRNL.EXE:12baee (ntoskrnl/ke/i386/irqobj.c:315 (KiInterruptTemplateHandler))>
<f77db1a8>
<HAL.DLL:9e7a (hal/halx86/up/pic.c:377 (HalpHardwareInterrupt14))>
<HAL.DLL:a7c9 (hal/halx86/up/pic.c:1184 (HalEndSystemInterrupt2))>
<HAL.DLL:adfd (:0 (HalEndSystemInterrupt))>
<HAL.DLL:9afb (hal/halx86/generic/timer.c:176 (HalpClockInterruptHandler))>
<HAL.DLL:ad42 (:0 (HalpClockInterrupt))>
<NTOSKRNL.EXE:12cd16 (sdk/include/crt/mingw32/intrin_x86.h:1682 (KiSwapContextExit))>
<NTOSKRNL.EXE:28bc (:0 (KiSwitchThreads))>
<HAL.DLL:a2ce (hal/halx86/up/pic.c:1278 (HalpDispatchInterrupt2ndEntry))>
<f77ddca0>
...
<f77ddca0>
<b244dd98>
<f77ddc83>
<NTOSKRNL.EXE:12baee (ntoskrnl/ke/i386/irqobj.c:315 (KiInterruptTemplateHandler))>
<f77ddd5c>
<NTOSKRNL.EXE:df44a (ntoskrnl/mm/ARM3/zeropage.c:104 (MmZeroPageThread))>
<NTOSKRNL.EXE:34c12 (ntoskrnl/ex/init.c:2018 (Phase1Initialization))>
<NTOSKRNL.EXE:115604 (ntoskrnl/ps/thread.c:156 (PspSystemThreadStartup))>
<NTOSKRNL.EXE:12c949 (ntoskrnl/ke/i386/thrdini.c:78 (KiThreadStartup))>
<NTOSKRNL.EXE:1155cb (ntoskrnl/ps/state.c:565 (NtQueueApcThread))>
<5d8950ec>
<01000002>
Couldn't access memory at 0x51000004!
{noformat}



was (Author: serge gautherie):
Similar:
{{Mar 09 19:13 45ed51c1ba0b... failure #19709}}
{noformat}
Eip:
<NTOSKRNL.EXE:14c335 (:0 (RtlpBreakWithStatusInstruction))>
Frames:
<NTOSKRNL.EXE:8813d (ntoskrnl/ke/bug.c:1100 (KeBugCheckWithTf))>
<NTOSKRNL.EXE:12b4df (ntoskrnl/ke/i386/exp.c:1144 (KiSystemFatalException))>
<NTOSKRNL.EXE:12f563 (ntoskrnl/ke/i386/traphdlr.c:856 (KiTrap08Handler))>
<NTOSKRNL.EXE:335e (:0 (KiTrap08))>
<uniata.sys:148a>
<uniata.sys:f2e1>
<uniata.sys:4fd1>
<uniata.sys:c70b>
<scsiport.sys:1442>
<NTOSKRNL.EXE:12b6cb (sdk/include/crt/mingw32/intrin_x86.h:95 (KiInterruptDispatch))>
<NTOSKRNL.EXE:12baee (ntoskrnl/ke/i386/irqobj.c:315 (KiInterruptTemplateHandler))>
<f77db1a8>
<HAL.DLL:9e7a (hal/halx86/up/pic.c:377 (HalpHardwareInterrupt14))>
<HAL.DLL:a7c9 (hal/halx86/up/pic.c:1184 (HalEndSystemInterrupt2))>
<HAL.DLL:adfd (:0 (HalEndSystemInterrupt))>
<HAL.DLL:9afb (hal/halx86/generic/timer.c:176 (HalpClockInterruptHandler))>
<HAL.DLL:ad42 (:0 (HalpClockInterrupt))>
<NTOSKRNL.EXE:12cd16 (sdk/include/crt/mingw32/intrin_x86.h:1682 (KiSwapContextExit))>
<NTOSKRNL.EXE:28bc (:0 (KiSwitchThreads))>
<HAL.DLL:a2ce (hal/halx86/up/pic.c:1278 (HalpDispatchInterrupt2ndEntry))>
<f77ddca0>
...
<f77ddca0>
<b244dd98>
<f77ddc83>
<NTOSKRNL.EXE:12baee (ntoskrnl/ke/i386/irqobj.c:315 (KiInterruptTemplateHandler))>
<f77ddd5c>
<NTOSKRNL.EXE:df44a (ntoskrnl/mm/ARM3/zeropage.c:104 (MmZeroPageThread))>
<NTOSKRNL.EXE:34c12 (ntoskrnl/ex/init.c:2018 (Phase1Initialization))>
<NTOSKRNL.EXE:115604 (ntoskrnl/ps/thread.c:156 (PspSystemThreadStartup))>
<NTOSKRNL.EXE:12c949 (ntoskrnl/ke/i386/thrdini.c:78 (KiThreadStartup))>
<NTOSKRNL.EXE:1155cb (ntoskrnl/ps/state.c:565 (NtQueueApcThread))>
<5d8950ec>
<01000002>
Couldn't access memory at 0x51000004!
{noformat}
--
This message was sent by Atlassian JIRA
(v7.3.2#73013)