Virtualbox crash in VBoxDD!VBoxUsbRegister

[Mihai Hanor]

This is an older crash, which I didn't understood until I VB 3.2.6 beta2. I think I first mentioned about it in #6443. Now, I can reproduce it at will. Similarly with the QtGuiVBox4!QWidget::repaint+0x5dcb crash, the reproduction steps of this one may not seem to have anything to do with the normal usage of the program.

All that is required is one click on the X button (close window button) of a VM window, at the right moment. Reproducing it at will, requires you to be relatively fast and to be able to intuit when to act (timing is important). It always crashes in VBoxDD!VBoxUsbRegister plus some offset (depending on the guest type).

Host: Windows XP SP3 32bit
Affected versions: VB 3.2.4, VB 3.2.6 beta1 and beta2

First test case: guest Windows 7 32 bit
The hot moment is at boot time, right before the guest switches from text mode (80x25 I think, empty screen, text cursor positioned in the top left corner) to 1024x768 graphics (for the eye-kandy animated boot logo).

Second test case: guest Windows XP 32 bit
The moment you're looking for is also at boot time, right before the guest switches from text mode (it has completed the text mode progress bar) to the 640x480/800x600 graphics (for boot logo and animated progress bar).

Technique:

1. Press the X button with the mouse cursor. The top-most window "Close Virtual Machine" appears.
2. Press Esc on the keyboard. The "Close Virtual Machine" window closes. Again, with a fast action, press the X button on the VM window. You must time it correctly, not too fast (the button will not "catch" it) and not too late, or you'll miss the right moment. Repeat if you have not missed it (the guest hasn't switched to the 2nd resolution). You can rest while the "Close Virtual Machine" is being displayed, but the "Esc followed by click on X" succession must be fast. Or you can crash it the first time if you're lucky or if you're able to time it correctly.

[Mihai Hanor]

btw, this crash and the one from #6443 are very different in nature

[Mihai Hanor]

step 2, I wanted to say "the guest hasn't switched to the 2nd resolution", not "the guest switched to the 2nd resolution"

-> fixed (Michael)

[Mihai Hanor]

3.2.6.r63112 (final) is also affected
I can reproduce this with and without the VirtualBox USB Support (usually I don't install the vboxusbmon driver). All USB options are disabled from VM settings.

[Mihai Hanor]

VB 3.2.6.r63112

[Mihai Hanor]

I've managed to build the OSE 32 bit svn 30690 and crash it
If I'm looking the right way, I see that there is a VBoxUsbRegister function in the compiled OSE VboxDD.dll. But the OSE crash shows something else, while there are some similarities in how the stack backtrace looks, compared with the PUEL case. Maybe the crash from the PUEL version points to the wrong function.

If you want, I can provide a full dump of the OSE crash.

[Mihai Hanor]

OSE win32 svn 30690 crash

[Mihai Hanor]

0:009> kP
ChildEBP RetAddr  
0326fb60 04ee57cd VBoxDD!vga_draw_line4_32(
			struct VGAState * s1 = 0x05960080, 
			unsigned char * d = 0x071d0020 "--- memory read error at address 0x071d0020 ---", 
			unsigned char * s = 0x05980000 "", 
			int width = 0n80)+0xe8 [d:\vbox\src\vbox\devices\graphics\devvgatmpl.h @ 264]
0326fbf8 04ee45ec VBoxDD!vga_draw_graphic(
			struct VGAState * s = 0x05960080, 
			int full_update = 0n1)+0x47d [d:\vbox\src\vbox\devices\graphics\devvga.cpp @ 2348]
0326fc24 04ee60a2 VBoxDD!vga_update_display(
			struct VGAState * s = 0x05960080, 
			bool fUpdateAll = true)+0x12c [d:\vbox\src\vbox\devices\graphics\devvga.cpp @ 2528]
0326fc3c 04ee63a9 VBoxDD!updateDisplayAll(
			struct VGAState * pThis = 0x05960080)+0xb2 [d:\vbox\src\vbox\devices\graphics\devvga.cpp @ 4888]
*** WARNING: Unable to verify checksum for D:\vbox\out\win.x86\debug\bin\VBoxC.dll
0326fce0 027daabf VBoxDD!vgaPortTakeScreenshot(
			struct PDMIDISPLAYPORT * pInterface = 0x05972dfc, 
			unsigned char ** ppu8Data = 0x00127fbc, 
			unsigned int * pcbData = 0x00127fb0, 
			unsigned int * pcx = 0x00127fa4, 
			unsigned int * pcy = 0x00127f98)+0x219 [d:\vbox\src\vbox\devices\graphics\devvga.cpp @ 4979]
*** WARNING: Unable to verify checksum for D:\vbox\out\win.x86\debug\bin\VBoxVMM.dll
0326fd58 100cfa92 VBoxC!Display::displayTakeScreenshotEMT(
			class Display * pDisplay = 0x0038e238, 
			unsigned long aScreenId = 0, 
			unsigned char ** ppu8Data = 0x00127fbc, 
			unsigned int * pcbData = 0x00127fb0, 
			unsigned int * pu32Width = 0x00127fa4, 
			unsigned int * pu32Height = 0x00127f98)+0x4f [d:\vbox\src\vbox\main\displayimpl.cpp @ 2348]
0326fddc 100cf57d VBoxVMM!vmR3ReqProcessOneU(
			struct UVM * pUVM = 0x01c7c000, 
			struct VMREQ * pReq = 0x01c81678)+0x162 [d:\vbox\src\vbox\vmm\vmreq.cpp @ 1223]
0326fe24 100ddfb8 VBoxVMM!VMR3ReqProcessU(
			struct UVM * pUVM = 0x01c7c000, 
			unsigned int idDstCpu = 0xfffffff4)+0x26d [d:\vbox\src\vbox\vmm\vmreq.cpp @ 1108]
0326ff00 100dd9e5 VBoxVMM!vmR3EmulationThreadWithId(
			struct RTTHREADINT * ThreadSelf = 0x01c80648, 
			struct UVMCPU * pUVCpu = 0x01c7c3c0, 
			unsigned int idCpu = 0)+0x5b8 [d:\vbox\src\vbox\vmm\vmemt.cpp @ 167]
*** WARNING: Unable to verify checksum for D:\vbox\out\win.x86\debug\bin\VBoxRT.dll
0326ff18 00a9bb65 VBoxVMM!vmR3EmulationThread(
			struct RTTHREADINT * ThreadSelf = 0x01c80648, 
			void * pvArgs = 0x01c7c3c0)+0x25 [d:\vbox\src\vbox\vmm\vmemt.cpp @ 60]
0326ff4c 00b0f837 VBoxRT!rtThreadMain(
			struct RTTHREADINT * pThread = 0x01c80648, 
			unsigned int NativeThread = 0x2c0, 
			char * pszThreadName = 0x01c80bc4 "EMT")+0x185 [d:\vbox\src\vbox\runtime\common\misc\thread.cpp @ 679]
0326ff70 78afc6de VBoxRT!rtThreadNativeMain(
			void * pvArgs = 0x01c80648)+0xb7 [d:\vbox\src\vbox\runtime\r3\win\thread-win.cpp @ 102]
0326ffa8 78afc788 MSVCR100!_callthreadstartex(void)+0x1b [f:\dd\vctools\crt_bld\self_x86\crt\src\threadex.c @ 314]
0326ffb4 7c80b729 MSVCR100!_threadstartex(
			void * ptd = 0x01c80ce0)+0x64 [f:\dd\vctools\crt_bld\self_x86\crt\src\threadex.c @ 292]
0326ffec 00000000 kernel32!BaseThreadStart+0x37