VirtualBox

Ticket #6443 (closed defect: fixed)

Opened 4 years ago

Last modified 3 years ago

VM crash when attempting to force shutdown (not ACPI shutdown) the VM -> Fixed in SVN

Reported by: mhanor
Owned by:
Priority: major
Component: other
Version: VirtualBox 3.2.10
Keywords:
Cc:
Guest type: Windows
Host type: Windows

Description

VB 3.1.6 crashes when trying to force a shutdown (not an ACPI shutdown) on the active VM, by accessing the close (X) button of the VM window.
I've tested Windows XP SP3 32 bit and Windows 7 32 bit as guests, by closing them during the boot process or even at the boot menu countdown. VT-x is enabled.

The host is running XP SP3 32 bit.

Attachments

VBox.log (54.8 KB) - added by mhanor 4 years ago.
dumps.zip (52.3 KB) - added by mhanor 4 years ago.
crash_no_dep.zip (27.0 KB) - added by mhanor 4 years ago.
  VB 3.1.6 crash without DEP
320beta1.zip (29.0 KB) - added by mhanor 4 years ago.
  3.2.0 beta1 crash (DEP enabled)
app_verifier_cases.zip (29.9 KB) - added by mhanor 4 years ago.
  virtualbox 3.2.0 beta2 (r61317) tested with ms application verifier
VBox.2.log (59.7 KB) - added by mhanor 4 years ago.
  VB 3.2.2 log
bad_code_flow.txt (38.7 KB) - added by mhanor 3 years ago.
  svn 35854, reuploaded
CR_DEBUG_FILE1.TXT (3.0 KB) - added by mhanor 3 years ago.
  svn 35998
case1.txt (15.0 KB) - added by mhanor 3 years ago.
case2.txt (15.7 KB) - added by mhanor 3 years ago.
case3.txt (15.5 KB) - added by mhanor 3 years ago.
case3extra.txt (16.1 KB) - added by mhanor 3 years ago.

Change History

Changed 4 years ago by mhanor

Changed 4 years ago by mhanor

comment:1 Changed 4 years ago by mhanor

it's not 100% reproducible, but it's pretty easy for me to reproduce it

Changed 4 years ago by mhanor

VB 3.1.6 crash without DEP

comment:2 Changed 4 years ago by mhanor

enabling DEP is not required
VT-x is also not required, although it seems I can't easily reproduce the issue without it
PAE/NX and 2D+3D acceleration are enabled... I haven't been able to crash the VM without them... maybe I'm not being patient enough

comment:3 Changed 4 years ago by mhanor

I can reproduce it with VB 3.2.0 beta1

Changed 4 years ago by mhanor

3.2.0 beta1 crash (DEP enabled)

comment:4 Changed 4 years ago by mhanor

VB 3.2.0 beta2 respin does the same
You don't even need to boot an OS, just bring up the VM boot menu (F12) or don't set up any boot disk/drive (let the VM display "FATAL: No bootable medium found"). Then click the close (X) button of the VM window, the Close Virtual Machine window appears, select Power off the machine, click OK. It's not 100% reproducible.

Changed 4 years ago by mhanor

virtualbox 3.2.0 beta2 (r61317) tested with ms application verifier

comment:5 Changed 4 years ago by mhanor

I've tried to follow the same steps with MS Application Verifier enabled for Virtualbox.exe and starting the VM under Windbg.
Sometimes I get the "some crash" case (check the zip file). I think it has the same frequency of appearance as the crash first described in this ticket (without app verifier). In every other attempt to power off the VM, Windbg stops the execution of the VM, revealing that the verifier complains about a dll being unloaded, despite having a critical section active (check the zip file, also). I hope it helps, I'm not knowledgeable enough.

comment:6 Changed 4 years ago by leonid

  • Summary changed from VM crash when attempting to force shutdown (not ACPI shutdown) the VM to VM crash when attempting to force shutdown (not ACPI shutdown) the VM -> Fixed in SVN.

comment:7 Changed 4 years ago by frank

  • Status changed from new to closed
  • Resolution set to fixed

comment:8 Changed 4 years ago by mhanor

  • Status changed from closed to reopened
  • Resolution fixed deleted

I'm sorry, but I have to reopen it... 3.2.2 crashes in the same manner

Changed 4 years ago by mhanor

VB 3.2.2 log

comment:9 Changed 4 years ago by mhanor

I've uploaded the full minidump:
 http://www.sendspace.com/file/ht6hx5

comment:10 Changed 4 years ago by mhanor

no change with 3.2.2.r62321

comment:11 Changed 4 years ago by mhanor

no change with 3.2.6 beta2

comment:12 Changed 4 years ago by mhanor

What I haven't mentioned here is that the crash always points to Unloaded_VBoxOGLrenderspu.dll, which has been reported before

I have enabled some flags and then tried to reproduce the crash. Sometimes, windbg breaks in, complaining about a heap block being modified after it was freed. This can be reproduced with 2D/3D acceleration disabled. Of course, I don't know if this is leading to the crash at Unloaded_VBoxOGLrenderspu.dll. At that moment, the stack looks like this (win32 OSE svn 30908):

ChildEBP RetAddr  
03d2f99c 7c96e139 ntdll!DbgBreakPoint
03d2f9a4 7c96e9fe ntdll!RtlpBreakPointHeap+0x28
03d2f9d4 7c96f740 ntdll!RtlpValidateHeap+0x43f
03d2fa44 7c94bc4c ntdll!RtlDebugFreeHeap+0x79
03d2fb2c 7c927573 ntdll!RtlFreeHeapSlowly+0x37
03d2fbfc 78ab016a ntdll!RtlFreeHeap+0xf9
03d2fc10 01b03ff6 MSVCR100!free(
			void * pBlock = 0x02e93008)+0x1c [f:\dd\vctools\crt_bld\self_x86\crt\src\free.c @ 51]
03d2fc20 01b03b9c VBoxRT!RTMemFree(
			void * pv = 0x02e93008)+0x16 [d:\vbox\src\vbox\runtime\r3\alloc.cpp @ 246]
03d2fc2c 01adc152 VBoxRT!RTMemTmpFree(
			void * pv = 0x02e93008)+0xc [d:\vbox\src\vbox\runtime\r3\alloc.cpp @ 102]
03d2fc38 03a141ec VBoxRT!RTStrFree(
			char * pszString = 0x02e93008 "VBoxGuestPropSvc")+0x12 [d:\vbox\src\vbox\runtime\common\string\stringalloc.cpp @ 96]
03d2fc80 03a157e8 VBoxC!HGCMService::instanceDestroy(void)+0x1ac [d:\vbox\src\vbox\main\hgcm\hgcm.cpp @ 809]
03d2fcd4 03a150de VBoxC!HGCMService::ReleaseService(void)+0x2a8 [d:\vbox\src\vbox\main\hgcm\hgcm.cpp @ 1054]
03d2fd18 03a15107 VBoxC!HGCMService::UnloadService(void)+0x2ee [d:\vbox\src\vbox\main\hgcm\hgcm.cpp @ 969]
03d2fd20 03a1b863 VBoxC!HGCMService::UnloadAll(void)+0x17 [d:\vbox\src\vbox\main\hgcm\hgcm.cpp @ 980]
03d2fee0 03a0fcbd VBoxC!hgcmThread(
			unsigned int ThreadHandle = 0x80000001, 
			void * pvUser = 0x00000000)+0xdb3 [d:\vbox\src\vbox\main\hgcm\hgcm.cpp @ 1763]
03d2ff18 01acbc15 VBoxC!hgcmWorkerThreadFunc(
			struct RTTHREADINT * ThreadSelf = 0x02dbb008, 
			void * pvUser = 0x0003f760)+0x1cd [d:\vbox\src\vbox\main\hgcm\hgcmthread.cpp @ 195]
03d2ff4c 01b3fa97 VBoxRT!rtThreadMain(
			struct RTTHREADINT * pThread = 0x02dbb008, 
			unsigned int NativeThread = 0xfe8, 
			char * pszThreadName = 0x02dbb584 "MainHGCMthread")+0x185 [d:\vbox\src\vbox\runtime\common\misc\thread.cpp @ 679]
03d2ff70 78afc6de VBoxRT!rtThreadNativeMain(
			void * pvArgs = 0x02dbb008)+0xb7 [d:\vbox\src\vbox\runtime\r3\win\thread-win.cpp @ 102]
03d2ffa8 78afc788 MSVCR100!_callthreadstartex(void)+0x1b [f:\dd\vctools\crt_bld\self_x86\crt\src\threadex.c @ 314]
03d2ffb4 7c80b729 MSVCR100!_threadstartex(
			void * ptd = 0x0003fbe8)+0x64 [f:\dd\vctools\crt_bld\self_x86\crt\src\threadex.c @ 292]
03d2ffec 00000000 kernel32!BaseThreadStart+0x37

comment:13 Changed 4 years ago by mhanor

Other examples of stacks where the debugger broke in for the same thing:

ChildEBP RetAddr  
0461f918 7c96e139 ntdll!DbgBreakPoint
0461f920 7c96e9fe ntdll!RtlpBreakPointHeap+0x28
0461f950 7c96f86d ntdll!RtlpValidateHeap+0x43f
0461f9c0 7c94bc4c ntdll!RtlDebugFreeHeap+0x1a6
0461faa8 7c927573 ntdll!RtlFreeHeapSlowly+0x37
0461fb78 78ab016a ntdll!RtlFreeHeap+0xf9
0461fb8c 04629cb0 msvcr100!free(
			void * pBlock = 0x02d77348)+0x1c [f:\dd\vctools\crt_bld\self_x86\crt\src\free.c @ 51]
0461fbac 04629d96 VBoxGuestControlSvc!_CRT_INIT(
			void * hDllHandle = <Value unavailable error>, 
			unsigned long dwReason = <Value unavailable error>, 
			void * lpreserved = <Value unavailable error>)+0x1db [f:\dd\vctools\crt_bld\self_x86\crt\src\crtdll.c @ 431]
0461fbf0 04629e13 VBoxGuestControlSvc!__DllMainCRTStartup(
			void * hDllHandle = 0x04620000, 
			unsigned long dwReason = 0, 
			void * lpreserved = 0x00000000)+0xb7 [f:\dd\vctools\crt_bld\self_x86\crt\src\crtdll.c @ 526]
0461fbfc 7c90118a VBoxGuestControlSvc!_DllMainCRTStartup(
			void * hDllHandle = 0x04620000, 
			unsigned long dwReason = 0, 
			void * lpreserved = 0x00000000)+0x1e [f:\dd\vctools\crt_bld\self_x86\crt\src\crtdll.c @ 476]
0461fc1c 7c91e044 ntdll!LdrpCallInitRoutine+0x14
0461fd14 7c80ac97 ntdll!LdrUnloadDll+0x41c
0461fd28 01b319b1 kernel32!FreeLibrary+0x3f
0461fd3c 01aa2737 VBoxRT!rtldrNativeClose(
			struct RTLDRMODINTERNAL * pMod = 0x02d75fc8)+0x21 [d:\vbox\src\vbox\runtime\r3\win\ldrnative-win.cpp @ 90]
0461fd70 039b2507 VBoxRT!RTLdrClose(
			struct RTLDRMODINTERNAL * hLdrMod = 0x02d75fc8)+0x117 [d:\vbox\src\vbox\runtime\common\ldr\ldr.cpp @ 155]
0461fd84 039b2907 VBoxC!HGCMService::unloadServiceDLL(void)+0x27 [d:\vbox\src\vbox\main\hgcm\hgcm.cpp @ 326]
0461fee0 039afcbd VBoxC!hgcmServiceThread(
			unsigned int ThreadHandle = 0x80000012, 
			void * pvUser = 0x02d76978)+0x3b7 [d:\vbox\src\vbox\main\hgcm\hgcm.cpp @ 500]
0461ff18 01acbc15 VBoxC!hgcmWorkerThreadFunc(
			struct RTTHREADINT * ThreadSelf = 0x02d76bf8, 
			void * pvUser = 0x02d76a00)+0x1cd [d:\vbox\src\vbox\main\hgcm\hgcmthread.cpp @ 195]
0461ff4c 01b3fa97 VBoxRT!rtThreadMain(
			struct RTTHREADINT * pThread = 0x02d76bf8, 
			unsigned int NativeThread = 0xd98, 
			char * pszThreadName = 0x02d77174 "VBoxGuestContro")+0x185 [d:\vbox\src\vbox\runtime\common\misc\thread.cpp @ 679]
0461ff70 78afc6de VBoxRT!rtThreadNativeMain(
			void * pvArgs = 0x02d76bf8)+0xb7 [d:\vbox\src\vbox\runtime\r3\win\thread-win.cpp @ 102]
0461ffa8 78afc788 msvcr100!_callthreadstartex(void)+0x1b [f:\dd\vctools\crt_bld\self_x86\crt\src\threadex.c @ 314]
0461ffb4 7c80b729 msvcr100!_threadstartex(
			void * ptd = 0x02d77290)+0x64 [f:\dd\vctools\crt_bld\self_x86\crt\src\threadex.c @ 292]
0461ffec 00000000 kernel32!BaseThreadStart+0x37

comment:14 Changed 4 years ago by mhanor

ChildEBP RetAddr  
00138820 7c96e139 ntdll!DbgBreakPoint
00138828 7c96e9fe ntdll!RtlpBreakPointHeap+0x28
00138858 7c96ee96 ntdll!RtlpValidateHeap+0x43f
001388d8 7c94b394 ntdll!RtlDebugAllocateHeap+0xa5
00138b08 7c918f21 ntdll!RtlAllocateHeapSlowly+0x44
00138d3c 7c9551b5 ntdll!RtlAllocateHeap+0xe64
00138d50 7c9551f1 ntdll!LdrpTagAllocateHeap+0x25
00138d68 78ab0269 ntdll!LdrpTagAllocateHeap1+0x15
00138d88 78ab02d1 msvcr100!malloc(
			unsigned int size = 0x30050)+0x4b [f:\dd\vctools\crt_bld\self_x86\crt\src\malloc.c @ 89]
00138da4 03a328f9 msvcr100!operator new(
			unsigned int size = 0x30)+0x1f [f:\dd\vctools\crt_bld\self_x86\crt\src\new.cpp @ 59]
00138dd4 0392939a VBoxC!util::AutoLockBase::AutoLockBase(
			unsigned int cHandles = 1, 
			class util::LockHandle * pHandle = 0x0003b9f8, 
			char * pszFile = 0x03a5e584 "D:\vbox\src\VBox\Main\VirtualBoxBase.cpp", 
			unsigned int iLine = 0x103, 
			char * pszFunction = 0x03a5e6fc "VirtualBoxBase::releaseCaller")+0x99 [d:\vbox\src\vbox\main\glue\autolock.cpp @ 359]
00138df4 03929327 VBoxC!util::AutoWriteLockBase::AutoWriteLockBase(
			unsigned int cHandles = 1, 
			class util::LockHandle * pHandle = 0x0003b9f8, 
			char * pszFile = 0x03a5e584 "D:\vbox\src\VBox\Main\VirtualBoxBase.cpp", 
			unsigned int iLine = 0x103, 
			char * pszFunction = 0x03a5e6fc "VirtualBoxBase::releaseCaller")+0x2a [d:\vbox\include\vbox\com\autolock.h @ 421]
00138e24 0392692b VBoxC!util::AutoWriteLock::AutoWriteLock(
			class util::LockHandle * aHandle = 0x0003b9f8, 
			char * pszFile = 0x03a5e584 "D:\vbox\src\VBox\Main\VirtualBoxBase.cpp", 
			unsigned int iLine = 0x103, 
			char * pszFunction = 0x03a5e6fc "VirtualBoxBase::releaseCaller")+0x47 [d:\vbox\include\vbox\com\autolock.h @ 493]
00138e64 039244a3 VBoxC!VirtualBoxBase::releaseCaller(void)+0x5b [d:\vbox\src\vbox\main\virtualboxbase.cpp @ 259]
00138e74 0393bf5e VBoxC!AutoCallerBase<0>::~AutoCallerBase<0>(void)+0x33 [d:\vbox\src\vbox\main\include\autocaller.h @ 77]
00138eb4 0069b71f VBoxC!Session::get_Machine(
			struct IMachine ** aMachine = 0x00138f1c)+0x22e [d:\vbox\src\vbox\main\sessionimpl.cpp @ 199]
00138f38 0060f397 VirtualBox!CSession::GetMachine(void)+0xef [d:\vbox\out\win.x86\debug\obj\virtualbox\include\comwrappers.cpp @ 10324]
0013909c 0061b083 VirtualBox!UIMachineWindow::updateAppearanceOf(
			int iElement = 0n1)+0x57 [d:\vbox\src\vbox\frontends\virtualbox\src\runtime\uimachinewindow.cpp @ 491]
001390cc 0060f8e0 VirtualBox!UIMachineWindowNormal::updateAppearanceOf(
			int iElement = 0n1)+0x33 [d:\vbox\src\vbox\frontends\virtualbox\src\runtime\normal\uimachinewindownormal.cpp @ 274]
001390e0 0061a397 VirtualBox!UIMachineWindow::sltMachineStateChanged(void)+0x20 [d:\vbox\src\vbox\frontends\virtualbox\src\runtime\uimachinewindow.cpp @ 528]
001390f0 006e183e VirtualBox!UIMachineWindowNormal::sltMachineStateChanged(void)+0x17 [d:\vbox\src\vbox\frontends\virtualbox\src\runtime\normal\uimachinewindownormal.cpp @ 114]
00139104 671c4411 VirtualBox!UIMachineWindowNormal::qt_metacall(
			QMetaObject::Call _c = InvokeMetaMethod (0n0), 
			int _id = 0n0, 
			void ** _a = 0x001391ac)+0x7e [d:\vbox\out\win.x86\debug\obj\virtualbox\qtmoc\uimachinewindownormal.cpp @ 96]
00139124 671db2f6 QtCored4!QMetaObject::metacall(
			class QObject * object = 0x02dbdaf8, 
			QMetaObject::Call cl = InvokeMetaMethod (0n0), 
			int idx = 0n31, 
			void ** argv = 0x001391ac)+0x71 [d:\qt\4.7.0\src\corelib\kernel\qmetaobject.cpp @ 238]
001391d4 006df664 QtCored4!QMetaObject::activate(
			class QObject * sender = 0x02dbc508, 
			struct QMetaObject * m = 0x00a05ab4, 
			int local_signal_index = 0n3, 
			void ** argv = 0x00000000)+0x306 [d:\qt\4.7.0\src\corelib\kernel\qobject.cpp @ 3272]
001391f4 005d57fa VirtualBox!UISession::sigMachineStateChange(void)+0x24 [d:\vbox\out\win.x86\debug\obj\virtualbox\qtmoc\uisession.cpp @ 161]
00139200 006df507 VirtualBox!UISession::sltStateChange(
			KMachineState state = KMachineState_Stopping (0n11))+0x2a [d:\vbox\src\vbox\frontends\virtualbox\src\runtime\uisession.cpp @ 556]
00139220 671c4411 VirtualBox!UISession::qt_metacall(
			QMetaObject::Call _c = InvokeMetaMethod (0n0), 
			int _id = 0n17, 
			void ** _a = 0x00139310)+0x217 [d:\vbox\out\win.x86\debug\obj\virtualbox\qtmoc\uisession.cpp @ 131]
00139240 671db2f6 QtCored4!QMetaObject::metacall(
			class QObject * object = 0x02dbc508, 
			QMetaObject::Call cl = InvokeMetaMethod (0n0), 
			int idx = 0n21, 
			void ** argv = 0x00139310)+0x71 [d:\qt\4.7.0\src\corelib\kernel\qmetaobject.cpp @ 238]
001392f0 006e0f82 QtCored4!QMetaObject::activate(
			class QObject * sender = 0x0003fc10, 
			struct QMetaObject * m = 0x00a05b54, 
			int local_signal_index = 0n3, 
			void ** argv = 0x00139310)+0x306 [d:\qt\4.7.0\src\corelib\kernel\qobject.cpp @ 3272]
00139320 006e0b55 VirtualBox!UIConsoleEventHandler::sigStateChange(
			KMachineState _t1 = KMachineState_Stopping (0n11))+0x42 [d:\vbox\out\win.x86\debug\obj\virtualbox\qtmoc\uiconsoleeventhandler.cpp @ 148]
0013938c 671c4411 VirtualBox!UIConsoleEventHandler::qt_metacall(
			QMetaObject::Call _c = InvokeMetaMethod (0n0), 
			int _id = 0n3, 
			void ** _a = 0x02fdc700)+0x145 [d:\vbox\out\win.x86\debug\obj\virtualbox\qtmoc\uiconsoleeventhandler.cpp @ 106]
001393ac 671d71a0 QtCored4!QMetaObject::metacall(
			class QObject * object = 0x0003fc10, 
			QMetaObject::Call cl = InvokeMetaMethod (0n0), 
			int idx = 0n7, 
			void ** argv = 0x02fdc700)+0x71 [d:\qt\4.7.0\src\corelib\kernel\qmetaobject.cpp @ 238]
001393c8 671d7dfd QtCored4!QMetaCallEvent::placeMetaCall(
			class QObject * object = 0x0003fc10)+0x20 [d:\qt\4.7.0\src\corelib\kernel\qobject.cpp @ 534]
0013948c 6506afbe QtCored4!QObject::event(
			class QEvent * e = 0x03e348b8)+0x13d [d:\qt\4.7.0\src\corelib\kernel\qobject.cpp @ 1211]
001394ac 65068ce7 QtGuid4!QApplicationPrivate::notify_helper(
			class QObject * receiver = 0x0003fc10, 
			class QEvent * e = 0x03e348b8)+0xfe [d:\qt\4.7.0\src\gui\kernel\qapplication.cpp @ 4389]
001398f4 671bad91 QtGuid4!QApplication::notify(
			class QObject * receiver = 0x0003fc10, 
			class QEvent * e = 0x03e348b8)+0x2c7 [d:\qt\4.7.0\src\gui\kernel\qapplication.cpp @ 3791]
00139948 671bfc69 QtCored4!QCoreApplication::notifyInternal(
			class QObject * receiver = 0x0003fc10, 
			class QEvent * event = 0x03e348b8)+0xa1 [d:\qt\4.7.0\src\corelib\kernel\qcoreapplication.cpp @ 732]
0013995c 671bbc75 QtCored4!QCoreApplication::sendEvent(
			class QObject * receiver = 0x0003fc10, 
			class QEvent * event = 0x03e348b8)+0x39 [d:\qt\4.7.0\src\corelib\kernel\qcoreapplication.h @ 215]
001399e8 671fd5a9 QtCored4!QCoreApplicationPrivate::sendPostedEvents(
			class QObject * receiver = 0x00000000, 
			int event_type = 0n0, 
			class QThreadData * data = 0x0266e498)+0x2e5 [d:\qt\4.7.0\src\corelib\kernel\qcoreapplication.cpp @ 1373]
00139a74 7e418734 QtCored4!qt_internal_proc(
			struct HWND__ * hwnd = 0x004b03a4, 
			unsigned int message = 0x401, 
			unsigned int wp = 0, 
			long lp = 0n0)+0x289 [d:\qt\4.7.0\src\corelib\kernel\qeventdispatcher_win.cpp @ 503]
00139aa0 7e418816 user32!InternalCallWinProc+0x28
00139b08 7e4189cd user32!UserCallWinProcCheckWow+0x150
00139b68 7e418a10 user32!DispatchMessageWorker+0x306
00139b78 671fe526 user32!DispatchMessageW+0xf
0013b97c 6511dafe QtCored4!QEventDispatcherWin32::processEvents(
			class QFlags<enum QEventLoop::ProcessEventsFlag> flags = class QFlags<enum QEventLoop::ProcessEventsFlag>)+0x546 [d:\qt\4.7.0\src\corelib\kernel\qeventdispatcher_win.cpp @ 802]
0013b990 671b889e QtGuid4!QGuiEventDispatcherWin32::processEvents(
			class QFlags<enum QEventLoop::ProcessEventsFlag> flags = class QFlags<enum QEventLoop::ProcessEventsFlag>)+0x1e [d:\qt\4.7.0\src\gui\kernel\qapplication_win.cpp @ 1170]
0013b9ac 671b89d0 QtCored4!QEventLoop::processEvents(
			class QFlags<enum QEventLoop::ProcessEventsFlag> flags = class QFlags<enum QEventLoop::ProcessEventsFlag>)+0x6e [d:\qt\4.7.0\src\corelib\kernel\qeventloop.cpp @ 150]
0013ba08 004ae44b QtCored4!QEventLoop::exec(
			class QFlags<enum QEventLoop::ProcessEventsFlag> flags = class QFlags<enum QEventLoop::ProcessEventsFlag>)+0x120 [d:\qt\4.7.0\src\corelib\kernel\qeventloop.cpp @ 201]
0013ba74 0059d739 VirtualBox!QIDialog::exec(
			bool aShow = false)+0x14b [d:\vbox\src\vbox\frontends\virtualbox\src\extensions\qidialog.cpp @ 100]
0013baa8 004845af VirtualBox!VBoxProgressDialog::run(
			int aRefreshInterval = 0n350)+0xc9 [d:\vbox\src\vbox\frontends\virtualbox\src\widgets\vboxprogressdialog.cpp @ 134]
0013bb20 0060e548 VirtualBox!VBoxProblemReporter::showModalProgressDialog(
			class CProgress * aProgress = 0x0013bd14, 
			class QString * aTitle = 0x0013bbf8, 
			class QWidget * aParent = 0x00000000, 
			int aMinDuration = 0n2000)+0x7f [d:\vbox\src\vbox\frontends\virtualbox\src\globals\vboxproblemreporter.cpp @ 273]
0013c004 0061b38d VirtualBox!UIMachineWindow::closeEvent(
			class QCloseEvent * pEvent = 0x0013c78c)+0xe68 [d:\vbox\src\vbox\frontends\virtualbox\src\runtime\uimachinewindow.cpp @ 354]
0013c014 650e70fc VirtualBox!UIMachineWindowNormal::closeEvent(
			class QCloseEvent * pEvent = 0x0013c78c)+0x1d [d:\vbox\src\vbox\frontends\virtualbox\src\runtime\normal\uimachinewindownormal.cpp @ 336]
0013c1ec 655f7ac4 QtGuid4!QWidget::event(
			class QEvent * event = 0x0013c78c)+0x75c [d:\qt\4.7.0\src\gui\kernel\qwidget.cpp @ 8316]
0013c26c 0061b350 QtGuid4!QMainWindow::event(
			class QEvent * event = 0x0013c78c)+0x364 [d:\qt\4.7.0\src\gui\widgets\qmainwindow.cpp @ 1418]
0013c28c 6506afbe VirtualBox!UIMachineWindowNormal::event(
			class QEvent * pEvent = 0x0013c78c)+0x100 [d:\vbox\src\vbox\frontends\virtualbox\src\runtime\normal\uimachinewindownormal.cpp @ 323]
0013c2ac 6506ac78 QtGuid4!QApplicationPrivate::notify_helper(
			class QObject * receiver = 0x02dbdaf8, 
			class QEvent * e = 0x0013c78c)+0xfe [d:\qt\4.7.0\src\gui\kernel\qapplication.cpp @ 4389]
0013c6f4 671bad91 QtGuid4!QApplication::notify(
			class QObject * receiver = 0x02dbdaf8, 
			class QEvent * e = 0x0013c78c)+0x2258 [d:\qt\4.7.0\src\gui\kernel\qapplication.cpp @ 4354]
0013c748 67261c98 QtCored4!QCoreApplication::notifyInternal(
			class QObject * receiver = 0x02dbdaf8, 
			class QEvent * event = 0x0013c78c)+0xa1 [d:\qt\4.7.0\src\corelib\kernel\qcoreapplication.cpp @ 732]
0013c75c 650e6191 QtCored4!QCoreApplication::sendSpontaneousEvent(
			class QObject * receiver = 0x02dbdaf8, 
			class QEvent * event = 0x0013c78c)+0x38 [d:\qt\4.7.0\src\corelib\kernel\qcoreapplication.h @ 218]
0013c7b4 65124f98 QtGuid4!QWidgetPrivate::close_helper(
			QWidgetPrivate::CloseMode mode = CloseWithSpontaneousEvent (0n2))+0xc1 [d:\qt\4.7.0\src\gui\kernel\qwidget.cpp @ 7721]
0013c7c4 651201c7 QtGuid4!QETWidget::translateCloseEvent(
			struct tagMSG * __formal = 0x0013cd7c)+0x18 [d:\qt\4.7.0\src\gui\kernel\qapplication_win.cpp @ 3839]
0013cde4 7e418734 QtGuid4!QtWndProc(
			struct HWND__ * hwnd = 0x005203ce, 
			unsigned int message = 0x10, 
			unsigned int wParam = 0, 
			long lParam = 0n0)+0x1d67 [d:\qt\4.7.0\src\gui\kernel\qapplication_win.cpp @ 2152]
0013ce10 7e418816 user32!InternalCallWinProc+0x28
0013ce78 7e428ea0 user32!UserCallWinProcCheckWow+0x150
0013cecc 7e428eec user32!DispatchClientMessage+0xa3
0013cef4 7c90e473 user32!__fnDWORD+0x24
0013cf18 7e4194be ntdll!KiUserCallbackDispatcher+0x13
0013cf6c 7e428dd9 user32!NtUserMessageCall+0xc
0013cf88 7e428d77 user32!RealDefWindowProcW+0x47
0013cfd0 65818f72 user32!DefWindowProcW+0x72
0013cfec 65121570 QtGuid4!QWinInputContext::DefWindowProcW(
			struct HWND__ * hwnd = 0x005203ce, 
			unsigned int msg = 0x112, 
			unsigned int wParam = 0xf060, 
			long lParam = 0n4391836)+0x52 [d:\qt\4.7.0\src\gui\inputmethod\qwininputcontext_win.cpp @ 365]
0013d618 7e418734 QtGuid4!QtWndProc(
			struct HWND__ * hwnd = 0x005203ce, 
			unsigned int message = 0x112, 
			unsigned int wParam = 0xf060, 
			long lParam = 0n4391836)+0x3110 [d:\qt\4.7.0\src\gui\kernel\qapplication_win.cpp @ 2632]
0013d644 7e418816 user32!InternalCallWinProc+0x28
0013d6ac 7e428ea0 user32!UserCallWinProcCheckWow+0x150
0013d700 7e428eec user32!DispatchClientMessage+0xa3
0013d728 7c90e473 user32!__fnDWORD+0x24
0013d74c 7e4194be ntdll!KiUserCallbackDispatcher+0x13
0013d7a0 7e428dd9 user32!NtUserMessageCall+0xc
0013d7bc 7e428d77 user32!RealDefWindowProcW+0x47
0013d804 65818f72 user32!DefWindowProcW+0x72
0013d820 65121570 QtGuid4!QWinInputContext::DefWindowProcW(
			struct HWND__ * hwnd = 0x005203ce, 
			unsigned int msg = 0xa1, 
			unsigned int wParam = 0x14, 
			long lParam = 0n4391836)+0x52 [d:\qt\4.7.0\src\gui\inputmethod\qwininputcontext_win.cpp @ 365]
0013de4c 7e418734 QtGuid4!QtWndProc(
			struct HWND__ * hwnd = 0x005203ce, 
			unsigned int message = 0xa1, 
			unsigned int wParam = 0x14, 
			long lParam = 0n4391836)+0x3110 [d:\qt\4.7.0\src\gui\kernel\qapplication_win.cpp @ 2632]
0013de78 7e418816 user32!InternalCallWinProc+0x28
0013dee0 7e4189cd user32!UserCallWinProcCheckWow+0x150
0013df40 7e418a10 user32!DispatchMessageWorker+0x306
0013df50 671fe526 user32!DispatchMessageW+0xf
0013fd54 6511dafe QtCored4!QEventDispatcherWin32::processEvents(
			class QFlags<enum QEventLoop::ProcessEventsFlag> flags = class QFlags<enum QEventLoop::ProcessEventsFlag>)+0x546 [d:\qt\4.7.0\src\corelib\kernel\qeventdispatcher_win.cpp @ 802]
0013fd68 671b889e QtGuid4!QGuiEventDispatcherWin32::processEvents(
			class QFlags<enum QEventLoop::ProcessEventsFlag> flags = class QFlags<enum QEventLoop::ProcessEventsFlag>)+0x1e [d:\qt\4.7.0\src\gui\kernel\qapplication_win.cpp @ 1170]
0013fd84 671b89d0 QtCored4!QEventLoop::processEvents(
			class QFlags<enum QEventLoop::ProcessEventsFlag> flags = class QFlags<enum QEventLoop::ProcessEventsFlag>)+0x6e [d:\qt\4.7.0\src\corelib\kernel\qeventloop.cpp @ 150]
0013fde0 671bb2cd QtCored4!QEventLoop::exec(
			class QFlags<enum QEventLoop::ProcessEventsFlag> flags = class QFlags<enum QEventLoop::ProcessEventsFlag>)+0x120 [d:\qt\4.7.0\src\corelib\kernel\qeventloop.cpp @ 201]
0013fe14 65068a19 QtCored4!QCoreApplication::exec(void)+0xfd [d:\qt\4.7.0\src\corelib\kernel\qcoreapplication.cpp @ 1009]
0013fe1c 0040157f QtGuid4!QApplication::exec(void)+0x9 [d:\qt\4.7.0\src\gui\kernel\qapplication.cpp @ 3666]
0013fedc 00402110 VirtualBox!TrustedMain(
			int argc = 0n6, 
			char ** argv = 0x000360f0, 
			char ** __formal = 0x000337a0)+0x48f [d:\vbox\src\vbox\frontends\virtualbox\src\main.cpp @ 500]
0013ff7c 006e4464 VirtualBox!main(
			int argc = 0n6, 
			char ** argv = 0x000360f0, 
			char ** envp = 0x000337a0)+0x3b0 [d:\vbox\src\vbox\frontends\virtualbox\src\main.cpp @ 651]
0013ffc0 7c817077 VirtualBox!__tmainCRTStartup(void)+0x122 [f:\dd\vctools\crt_bld\self_x86\crt\src\crtexe.c @ 555]
0013fff0 00000000 kernel32!BaseProcessStart+0x23

comment:15 Changed 4 years ago by mhanor

Each occurred in different threads of the VirtualBox.exe process, using the same "Power off the machine" option at the Close Virtual Machine window.
I've seen that Huihong Luo (huisinro) reported something similar on the vbox-dev mailing list.

comment:16 Changed 4 years ago by mhanor

VB 3.2.10 doesn't fix this

comment:17 Changed 4 years ago by frank

  • Version changed from VirtualBox 3.1.6 to VirtualBox 3.2.10
  • Summary changed from VM crash when attempting to force shutdown (not ACPI shutdown) the VM -> Fixed in SVN. to VM crash when attempting to force shutdown (not ACPI shutdown) the VM

comment:18 Changed 3 years ago by mhanor

no change with VB 4.0 beta2

comment:19 Changed 3 years ago by mhanor

 http://vbox.innotek.de/pipermail/vbox-dev/2010-July/003009.html

With full page heap enabled and heap coalesce on free disabled,
the SVN 35302 non-debug build always crashes in:
\vbox\src\vbox\main\hgcm\hgcmthread.cpp line 205,
which is in the function static DECLCALLBACK(int) hgcmWorkerThreadFunc (RTTHREAD ThreadSelf, void *pvUser), when it should return the exit value.

with the same gflags enabled, the full crash minidump for the official 4.0 final build:
 http://www.sendspace.com/file/h5vukm

comment:20 Changed 3 years ago by mhanor

I think I have found the cause, or at least the tip of it, of why a HGCMThread object gets released before it should.
Two threads run concurrently, a parent thread and its child thread, while the VM closing process has begun. While the child is running hgcmObjDeleteHandle, the handle belongs to the object passed by the parent (HGCMThread *pThread = (HGCMThread *)pvUser;), and the object's current refCnt is 2. If they're properly synchronised, the parent thread gets a chance to execute HGCMObject::Dereference() on the same object right before the child gets to execute Dereference() on it. Now refCnt has reached 0, while Dereference in the child calls the destructor of the HGCMThread object, with "delete this".

Because I haven't managed to understand how to use and activate the LogFlow() functions already found in place, I've inserted RTPrintf functions of my own. With all my RTPrintf functions in place, it seems that, with the delay they induce, I can trigger the issue at every attempt to close the VM. I've used a VM with no OS installed, with all the features disabled, including no IDE/SCSI controller, VT-x, NX, etc. Note that if 2D/3D are disabled, VirtualBox doesn't crash and the operating system doesn't detect anything unusual, so you'll have to activate full page heap to catch the memory access violation in the parent thread (pThread->m_thread = NIL_RTTHREAD;). Also, I see that it's possible to catch the issue while still in the child thread, with an Assert(m_thread == NIL_RTTHREAD) at the beginning of the HGCMThread::~HGCMThread() destructor. I've used Notepad++ to indent the text and to better observe different objects and threads, because it's able to highlight the multiple occurrences of a text selection.

(lengthy pasted content removed, see next attachment)
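The race described above, as an added example that is not part of the ticket or of VirtualBox's own code: a deterministic C++ model of the two reference holders (handle table and parent thread) and of the orderings that do and do not destroy the object while the worker still writes to it. The function names mirror the ticket; hgcmObjCreate, runSchedule and the destroyed/useAfterFree flags are assumptions of the model, and "delete this" is replaced by a flag so a late access is observable rather than undefined behaviour.

```cpp
// Added example, not VirtualBox code: scripted model of the HGCMThread
// reference-counting race from comment:20. The interleaving is scripted rather
// than raced on real threads so that the outcome is reproducible.
#include <cstdint>
#include <cstdio>
#include <functional>
#include <map>
#include <vector>

namespace hgcmmodel {

struct Object {
    int refCnt = 0;
    bool destroyed = false;      // stands in for 'delete this' when refCnt hits 0
    bool useAfterFree = false;   // set if a field is written after destruction
    uint32_t handle = 0;
    uintptr_t m_thread = 1;      // NIL_RTTHREAD is modelled as 0

    void reference()   { ++refCnt; }
    void dereference() { if (--refCnt == 0) destroyed = true; }
    // The worker's last write: pThread->m_thread = NIL_RTTHREAD;
    void setThreadNil() { if (destroyed) useAfterFree = true; m_thread = 0; }
};

// Handle table: each live entry owns exactly one reference on its object.
static std::map<uint32_t, Object *> g_handles;

static uint32_t hgcmObjCreate(Object *o) {
    static uint32_t next = 1;
    o->handle = next++;
    o->reference();                 // the table's reference
    g_handles[o->handle] = o;
    return o->handle;
}
static Object *hgcmObjReference(uint32_t h) {
    auto it = g_handles.find(h);
    if (it == g_handles.end()) return nullptr;
    it->second->reference();
    return it->second;
}
static void hgcmObjDereference(Object *o) { o->dereference(); }
static void hgcmObjDeleteHandle(uint32_t h) {
    auto it = g_handles.find(h);
    if (it == g_handles.end()) return;
    Object *o = it->second;
    g_handles.erase(it);
    o->dereference();               // drops the table's reference
}

struct Outcome { bool useAfterFree; bool destroyed; int finalRefCnt; };
using Step = std::function<void(Object *pThread, uint32_t hThread)>;

// Run one scripted interleaving of parent (waiter) and child (worker) steps.
// Start state matches comment:20: refCnt 2 = handle table + parent's reference.
static Outcome runSchedule(const std::vector<Step> &steps) {
    g_handles.clear();
    Object obj;
    uint32_t h = hgcmObjCreate(&obj);
    Object *pThread = hgcmObjReference(h);
    for (const Step &s : steps) s(pThread, h);
    return { obj.useAfterFree, obj.destroyed, obj.refCnt };
}

// Original code: the worker deletes its own handle before its final write.
// Parent dereferences first (2->1), the worker's hgcmObjDeleteHandle takes the
// count to 0 and destroys the object, then the worker still writes m_thread.
static Outcome originalOrdering() {
    return runSchedule({
        [](Object *p, uint32_t)  { hgcmObjDereference(p); },   // parent
        [](Object *, uint32_t h) { hgcmObjDeleteHandle(h); },  // child
        [](Object *p, uint32_t)  { p->setThreadNil(); },       // child: use after free
    });
}

// Reordered as in the comment:24 patch: the worker never touches the handle;
// the parent waits for the thread, dereferences, and only then deletes the handle.
static Outcome patchedOrdering() {
    return runSchedule({
        [](Object *p, uint32_t)  { p->setThreadNil(); },       // child, last access
        [](Object *p, uint32_t)  { hgcmObjDereference(p); },   // parent, after wait
        [](Object *, uint32_t h) { hgcmObjDeleteHandle(h); },  // parent: last reference
    });
}

// Even if the parent's dereference runs ahead of the worker's final write, the
// table's reference keeps the object alive until the parent deletes the handle.
static Outcome patchedEarlyParentDereference() {
    return runSchedule({
        [](Object *p, uint32_t)  { hgcmObjDereference(p); },   // parent
        [](Object *p, uint32_t)  { p->setThreadNil(); },       // child, still safe
        [](Object *, uint32_t h) { hgcmObjDeleteHandle(h); },  // parent
    });
}

} // namespace hgcmmodel

int main() {
    std::printf("use-after-free: original=%d patched=%d patched(early deref)=%d\n",
                hgcmmodel::originalOrdering().useAfterFree,
                hgcmmodel::patchedOrdering().useAfterFree,
                hgcmmodel::patchedEarlyParentDereference().useAfterFree);
    return 0;
}
```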

comment:21 Changed 3 years ago by mhanor

I forgot to mention, currently using svn 35854.

comment:22 Changed 3 years ago by frank

Thanks for the investigation but next time please attach a file to keep this ticket readable!

comment:23 Changed 3 years ago by mhanor

Sorry about that. I have attached a file so you can edit my post, if you wish.

Changed 3 years ago by mhanor

svn 35854, reuploaded

comment:24 Changed 3 years ago by sunlover

mhanor, thank you very much for debugging this issue. This is indeed a reference counting bug. The following patch for src\VBox\Main\src-client\HGCMThread.cpp should fix the crash. Could you please try this fix?

Index: HGCMThread.cpp
===================================================================
--- HGCMThread.cpp	(revision 69750)
+++ HGCMThread.cpp	(working copy)
@@ -195,8 +195,6 @@
 
     pThread->m_fu32ThreadFlags |= HGCMMSG_TF_TERMINATED;
 
-    hgcmObjDeleteHandle (pThread->Handle ());
-
     pThread->m_thread = NIL_RTTHREAD;
 
     LogFlow(("MAIN::hgcmWorkerThreadFunc: completed HGCM thread %p\n", pThread));
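Review bot: With `hgcmObjDeleteHandle (pThread->Handle ());` removed, the worker no longer drops the handle table's reference before its final write `pThread->m_thread = NIL_RTTHREAD;`, which closes the window from comment:20 where refCnt reached 0 inside the worker while it still touched pThread; a one-line comment above the `m_thread` assignment saying that the handle (and with it the last reference) is now released by the waiting side would keep a later reader from reintroducing the deletion here.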
@@ -689,6 +687,8 @@
         hgcmObjDereference (pThread);
     }
 
+    hgcmObjDeleteHandle (hThread);
+
     LogFlowFunc(("rc = %Rrc\n", rc));
     return rc;
 }
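Review bot: `hgcmObjDeleteHandle (hThread);` now runs unconditionally after the closing brace of the block that contains `hgcmObjDereference (pThread);`, so it executes on the failure path as well as the success path; confirm that hgcmObjDeleteHandle is a safe no-op for a handle that was never resolved (or guard it with the same condition as the dereference), and that this function has already waited for the worker thread at this point, since the worker's final `pThread->m_thread = NIL_RTTHREAD;` write in the first hunk relies on the handle's reference still being held.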

comment:25 Changed 3 years ago by mhanor

after applying the patch, I can't reproduce it anymore, or so it seems, even with my delay-inducing RTPrintf functions

comment:26 Changed 3 years ago by sunlover

  • Summary changed from VM crash when attempting to force shutdown (not ACPI shutdown) the VM to VM crash when attempting to force shutdown (not ACPI shutdown) the VM -> Fixed in SVN

Thanks for testing.

comment:27 Changed 3 years ago by frank

  • Status changed from reopened to closed
  • Resolution set to fixed

comment:28 Changed 3 years ago by mhanor

  • Status changed from closed to reopened
  • Resolution fixed deleted

I know it's disappointing, but the Unloaded_VBoxOGLrenderspu.dll crash is still there. I can reproduce the crash when 3D is enabled. An installed OS is not needed. I can't seem to reproduce it while some gflags are enabled for the virtualbox.exe process (including full page heap). That's why it seemed safe after the HGCMThread counting fix. But I crashed 4.0.4 in the same day it was released.

Again, Huihong Luo may have been onto something here:
 http://vbox.innotek.de/pipermail/vbox-dev/2010-July/003043.html

The call stack looks the same as it did in the past. The crash occurs in the RenderSPU Window thread, while its parent thread (if I can call it that) is not listed in the threads window list. See the attached log, the last line is manually added by me.

Changed 3 years ago by mhanor

svn 35998

comment:29 Changed 3 years ago by mhanor

Sometimes, the RenderSPU Window thread has already exited, at the moment VBoxOGLrenderspu.dll is being unloaded (see case1.txt). Sometimes it's about to exit, still running some OS thread-exit functions (see case2.txt), which is still safe.
But when it's about to crash (see case3.txt), at the moment the dll is being unloaded, the RenderSPU Window thread is still executing the last bit of code, before "return 0":
f:\vbox\src\VBox\hostservices\sharedopengl\render\renderspu_init.c, inside renderSPUWindowThreadProc, line 128:

    SetEvent(render_spu.hWinThreadReadyEvent);

Changed 3 years ago by mhanor

Changed 3 years ago by mhanor

Changed 3 years ago by mhanor

comment:30 Changed 3 years ago by mhanor

I always thought it's stack corruption, but I don't think that anymore. When windbg breaks at the moment VBoxOGLrenderspu.dll is being unloaded, it takes only a single instruction to be executed. After that, the debugger will refresh the call stack of the RenderSPU Window thread, considering VBoxOGLrenderspu.dll as unloaded. The thread crashes at the moment when it returns from kernel32!SetEvent back to VBoxOGLrenderspu!renderSPUWindowThreadProc code (return address 03474cb8 for my build). The NX/DEP feature catches this. I don't think there's anything else I can say about this problem, to help you.

Changed 3 years ago by mhanor

comment:31 Changed 3 years ago by leonid

Thanks for your info, I can't reproduce it here but the issue you described should be fixed in SVN now.

comment:32 Changed 3 years ago by sunlover

mhanor, here is a VirtualBox 4.0 build which should fix the VBoxOGLrenderspu.dll_unloaded problem:

 http://www.virtualbox.org/download/testcase/VirtualBox-win-4.0-rel-4.0.5-r70174-MultiArch.exe

comment:33 Changed 3 years ago by mhanor

It's looking good... I'll return here if necessary

comment:34 Changed 3 years ago by mhanor

4.0.6 seems fine, I can't reproduce the bug. You can close this ticket.

comment:35 Changed 3 years ago by frank

  • Status changed from reopened to closed
  • Resolution set to fixed

Thanks for the feedback!
