
"minject.exe --inplace --force --postfix=override <exe>" intermittently crashes (v2.1.2)

Open LPhil opened this issue 1 year ago • 5 comments

We have the problem that minject.exe crashes sporadically during the build in our build environment (building with Jenkins, running a service in the background). The crash occurs in about 30% of the builds in this environment. When building as a user in the foreground (VS2022 with v143), the problem is not reproducible. In our environment there are about 5 unit tests where minject.exe crashes.

Question: Is there a way to start minject.exe to generate more debug output via <options> to find out where and what causes the crash? The problem occurs in both the debug and the release environment.

In a BAD case, the output looks like this.

    minject.exe -v --inplace --force --postfix=override unit.test.exe
    reading 'unit.test.exe'
    inject 'mimalloc-redirect.dll'
    module 'mimalloc-override' is already imported
    leave at position 0: 'mimalloc-redirect.dll'
    leave at position 1: 'mimalloc-override.dll'
    module order unchanged

==> Crash / exited with code -1073740940

In a GOOD case, the output looks like this.

    reading 'unit.test.exe'
    inject 'mimalloc-redirect.dll'
    module 'mimalloc-override' is already imported
    leave at position 0: 'mimalloc-redirect.dll'
    leave at position 1: 'mimalloc-override.dll'
    module order unchanged
    original imported modules (36):
      0: mimalloc-override.dll
      1: KERNEL32.dll
      2: MSVCP140.dll
      3: VCRUNTIME140.dll
      4: VCRUNTIME140_1.dll
      5: api-ms-win-crt-runtime-l1-1-0.dll
      ...
      32: WINTRUST.dll
      33: CRYPT32.dll
      34: NETAPI32.dll
      35: WS2_32.dll
    wrote (intermediate) 'unit.test-mi.exe' with new import order.
    wrote 'unit.test.exe' with new import order.

Thanks for your support

LPhil avatar Feb 08 '24 21:02 LPhil
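The import order that minject prints above is just the order of the executable's import directory, so the result of an in-place run (or of the intermediate `-mi.exe`) can be read back and checked independently of the tool. The following is an added example, not minject's own code: `imported_dlls` walks the PE import table in loader order, `import_position` reports where a given DLL sits, and `build_sample_pe` constructs a minimal PE32+ image as test data instead of reading a real binary.

```python
import struct


def _rva_to_off(rva, sections):
    # Translate an RVA to a file offset via the section table (VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)
    for va, vs, rp, rs in sections:
        if va <= rva < va + max(vs, rs):
            return rva - va + rp
    raise ValueError(f"RVA {rva:#x} is outside every section")


def imported_dlls(pe):
    """DLL names from the import directory, in table order (the order the loader walks them)."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect, opt_size = struct.unpack_from("<H", pe, pe_off + 6)[0], struct.unpack_from("<H", pe, pe_off + 20)[0]
    opt = pe_off + 24
    pe32plus = struct.unpack_from("<H", pe, opt)[0] == 0x20B
    imp_rva = struct.unpack_from("<I", pe, opt + (120 if pe32plus else 104))[0]  # DataDirectory[1] = imports
    sections = [struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8) for i in range(nsect)]
    sections = [(va, vs, rp, rs) for vs, va, rs, rp in sections]  # header order: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    names, off = [], _rva_to_off(imp_rva, sections) if imp_rva else None
    while off is not None:
        name_rva = struct.unpack_from("<IIIII", pe, off)[3]  # IMAGE_IMPORT_DESCRIPTOR.Name
        if name_rva == 0:
            break  # an all-zero descriptor terminates the table
        name_off = _rva_to_off(name_rva, sections)
        names.append(pe[name_off:pe.index(b"\0", name_off)].decode("ascii"))
        off += 20
    return names


def build_sample_pe(dlls):
    """Constructed test data: a minimal PE32+ whose single section holds an import directory naming `dlls`."""
    idata_rva, raw_ptr, ndesc = 0x1000, 0x400, len(dlls) + 1
    body, name_rva = bytearray(), idata_rva + 20 * ndesc
    for d in dlls:  # one IMAGE_IMPORT_DESCRIPTOR per DLL, Name pointing into the string area after the table
        body += struct.pack("<IIIII", 0, 0, 0, name_rva, 0)
        name_rva += len(d) + 1
    body += bytes(20) + b"".join(d.encode() + b"\0" for d in dlls)
    opt = struct.pack("<H", 0x20B).ljust(120, b"\0") + struct.pack("<II", idata_rva, 20 * ndesc)  # PE32+ magic, import dir entry
    opt = opt.ljust(240, b"\0")  # only the fields the parser reads are filled in
    sect = b".idata\0\0" + struct.pack("<IIII", len(body), idata_rva, len(body), raw_ptr) + bytes(16)
    hdr = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), 0x22) + opt + sect
    return bytes(hdr.ljust(raw_ptr, b"\0") + body)


def import_position(pe, dll):
    """Zero-based import-table position of `dll` (case-insensitive), or -1 if it is not imported."""
    names = [n.lower() for n in imported_dlls(pe)]
    return names.index(dll.lower()) if dll.lower() in names else -1
```

On a real file, `import_position(open(path, "rb").read(), "mimalloc-redirect.dll")` should return 0 after a successful run; a `ValueError` or `struct.error` means the import directory itself is damaged.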

We are using the latest dev-slice version of minject.exe because we had the problem under ticket #734.

What exactly are the differences between the two versions of minject.exe? Can the changes from 2531f5708bffc50eaf15383e676c8ebe8a3d9ac5 be merged into the main branch with the next release?

LPhil avatar Feb 22 '24 16:02 LPhil

Code 0xC0000374 (-1073740940) is STATUS_HEAP_CORRUPTION (A heap has been corrupted.)

    Faulting application name: minject.exe, version: 0.0.0.0, time stamp: 0x62167569
    Faulting module name: ntdll.dll, version: 10.0.19041.3996, time stamp: 0x39215800
    Exception code: 0xc0000374
    Fault offset: 0x00000000000ff349
    Faulting process id: 0xef8
    Faulting application start time: 0x01da6bd602dd37c4
    Faulting application path: [PathToMinject]\minject.exe
    Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
    ...

LPhil avatar Mar 07 '24 15:03 LPhil

Hi -- thanks for the report; I understand that minject itself is crashing? Not the exe generated by minject ? Very strange. If it crashes, you cannot reproduce it as a normal user right? That is, if it crashed, it may just work if you try it manually?

the heap corruption error is strange too as it does not allocate much, .. but I guess there is a buffer overflow in minject itself (which would also explain why it only crashes sometimes as it would depend on the heap layout). If you can repro on a certain binary that would be great. I will look into it as well but it is hard to find a bug without repro.. tbc

daanx avatar Mar 08 '24 17:03 daanx

Hey, sorry for the long delay.

I understand that minject itself is crashing? Not the exe generated by minject ? Correct, the minject.exe crashes during the reordering process.

If it crashes, you cannot reproduce it as a normal user right? Correct, minject.exe only crashes when it is called with Jenkins (java) background process. I have never been able to reproduce the problem in a native Windows environment.

That is, if it crashed, it may just work if you try it manually? Correct, if I call minject.exe with the same parameters with the exe that led to the problem in the background, it does not cause any problems.

The crash occurs sporadically with the same 5 exe files, as I said it cannot be reproduced manually.

@daanx: Did your analysis reveal anything?

LPhil avatar Apr 08 '24 11:04 LPhil

Hi Dan,

The crashes already exist in mimalloc version 2.1.9 (minject: v1.2). I've found a .dmp file on my system with the following information. Maybe you can do something with this. It would be good if we could fix the problem.

minject.exe.30468.analyse.txt

STACK_TEXT:

    000000707e4fe790 00007fff50b2f393 : 00007fff50b76e80 000000707e4ff7a0 00000000fffffffe fffffffffff0bdc0 : ntdll!RtlReportFatalFailure+0x9
    000000707e4fe7e0 00007fff50b38112 : 000000707e4fe8f8 00007fff50b997f0 0000000000000003 0000023683280000 : ntdll!RtlReportCriticalFailure+0x97
    000000707e4fe8d0 00007fff50b383fa : 0000000000000003 0000000000000000 0000023683280000 000000007ffe0385 : ntdll!RtlpHeapHandleError+0x12
    000000707e4fe900 00007fff50b3e081 : 0000023683280000 0000023683280000 0000023683480001 0000023683481ce8 : ntdll!RtlpHpHeapHandleError+0x7a
    000000707e4fe930 00007fff50ad7952 : 0000000000000409 0000000000000142 0000000000000000 0000000000000000 : ntdll!RtlpLogHeapFailure+0x45
    000000707e4fe960 00007fff50a547b1 : 000000707e4fea30 0000023683280000 0000000000000000 0000000000000000 : ntdll!RtlpFreeHeapInternal+0x82242
    000000707e4fea20 00007fff50aa498e : 00000000c0000139 0000000000000001 00007fff4e321194 00007fff4e6f90fb : ntdll!RtlFreeHeap+0x51
    000000707e4fea60 00007fff4e6fbae2 : 0000023683470002 0000023683470000 0000000000000000 000000707e4feff4 : ntdll!LdrRemoveLoadAsDataTable+0xbe
    000000707e4feac0 00007fff4e6f929c : 0000023683470002 00007fff4e321194 0000023683484014 0000000000000000 : KERNELBASE!FreeLibrary+0x72
    000000707e4feaf0 00007fff4e6f8f48 : 0000000000000020 000000707e4fee80 0000000000000020 000000707e4ff048 : KERNELBASE!ConvertTimeZoneMuiString+0x13c
    000000707e4fed80 00007fff4e6f7a74 : 00007fff4e2ec848 000000707e4ff150 0000000000000030 0000000000000002 : KERNELBASE!ConvertTimeZoneMuiStrings+0x168
    000000707e4fefc0 00007fff4e2323d6 : 0000000000000000 0000000000000000 0000000000000000 000000707e4f0000 : KERNELBASE!GetTimeZoneInformation+0xa4
    000000707e4ff0c0 00007fff4e232036 : 00007fff00007080 0000000000000001 00000000fffff1f0 0000000000000004 : ucrtbase!tzset_from_system_nolock+0x9a
    000000707e4ff130 00007fff4e23393b : 00007fff4e321180 0000000000000005 0000000000000005 0000000000000000 : ucrtbase!tzset_nolock+0x86
    000000707e4ff380 00007fff4e2d7eb7 : 000a000000000000 0000000000030005 0000000000000000 0072007a00740040 : ucrtbase!_tzset+0x47
    000000707e4ff3b0 00007fff4e2d2ce4 : 000000707e4ff650 000000707e4ff650 00000000000000a4 0000023683292730 : ucrtbase!common_loctotime_t<__int64>+0xab
    000000707e4ff450 00007fff4e2d2aed : 000000707e4ff650 00000000000000a4 000000707e4ff650 0000000000000001 : ucrtbase!convert_filetime_to_time_t<__int64>+0x80
    000000707e4ff4d0 00007fff4e2d2274 : 0000000000000000 00000000000000a4 00007fff4e31f4e8 00007fff4e31f4e8 : ucrtbase!common_stat_handle_file_opened<_stat64i32>+0xb9
    000000707e4ff580 00007fff4e2d3496 : 000000707e4ff650 00000236832a2600 000002368328f8dc 0000000000000024 : ucrtbase!common_stat<_stat64i32>+0x94
    000000707e4ff5d0 00007ff6c91626d0 : 00000236832a1320 00007ff6c9164640 00000236832a1320 0000000000000000 : ucrtbase!stat64i32+0x76
    000000707e4ff630 00000236832a1320 : 00007ff6c9164640 00000236832a1320 0000000000000000 81ff000000000004 : minject+0x26d0
    000000707e4ff638 00007ff6c9164640 : 00000236832a1320 0000000000000000 81ff000000000004 0000000000000001 : 0x00000236832a1320
    000000707e4ff640 00000236832a1320 : 0000000000000000 81ff000000000004 0000000000000001 0000000000000004 : minject+0x4640
    000000707e4ff648 0000000000000000 : 81ff000000000004 0000000000000001 0000000000000004 0000000000000000 : 0x00000236832a1320

LPhil avatar May 28 '25 10:05 LPhil