[ros-bugs] [Bug 2279] New: KiUserExceptionDispatcher does not clear x86 direction flag

ReactOS.Bugzilla at www.reactos.org ReactOS.Bugzilla at www.reactos.org
Mon Jun 4 07:21:24 CEST 2007


http://www.reactos.org/bugzilla/show_bug.cgi?id=2279

           Summary: KiUserExceptionDispatcher does not clear x86 direction
                    flag
           Product: ReactOS
           Version: TRUNK
          Platform: x86 Hardware
        OS/Version: ReactOS
            Status: NEW
          Severity: normal
          Priority: P3
         Component: Win32
        AssignedTo: ros-bugs at reactos.org
        ReportedBy: myriachan at cox.net
         QAContact: ros-bugs at reactos.org


KiUserExceptionDispatcher does not clear the x86 direction flag.  This means
that if an exception occurs while the direction flag is set (typically inside
memmove), the exception handlers will be called with the direction flag still
set.  The Windows x86-32 and x86-64 ABI requires that the direction flag be
cleared before calling a function.

Calling memset() with a compile-time constant size on both GCC and MSVC will
result in inlining a "rep stosd" instruction.  Because of the ABI, they will
assume that the direction flag is clear and not emit a "cld" instruction. 
Using memset() in an exception handler therefore will corrupt memory if the
exception occurred during a reverse copy such as a forward overlapping
memmove().

For reliability and ease of debugging, please add "cld" to the beginning of
KiUserExceptionDispatcher.  Note that the same will be true of x86-64 whenever
that happens.  This does not affect continuing execution; the CONTEXT of the
exception has the direction flag set and will be restored upon NtContinue. 
KiUserApcDispatcher and KiUserCallbackDispatcher need to be evaluated for this
issue.

Windows XP and 2003 also have this issue.  It was fixed in Vista by adding
"cld" to KiUserExceptionDispatcher.

Normal exception handlers using Microsoft libraries are not affected because
MSVC's __except_handler* have a "cld" probably for this reason.  Vectored
handlers bypass this, which is where I noticed the problem.


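Added illustration (not part of the bug report above, and not ReactOS or Windows code): the mechanism the reporter describes, reduced to a small C program. An "inlined memset" is executed as "rep stosd" with the direction flag either still set, as it is when the dispatcher passes through the DF=1 state of an interrupted backward memmove, or cleared first, as the proposed "cld" at the start of KiUserExceptionDispatcher would do. On x86/x86-64 the block runs the real instruction under inline asm; on any other architecture it falls back to the architectural rule (DF=1 makes rep stosd walk to lower addresses) so the arithmetic is the same. The buffer layout, the function names, and the constants are assumptions chosen for the demonstration, and the "dispatcher" here is only a model of who clears DF before the handler runs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NWORDS   12u
#define TARGET   4u           /* index the handler intends to start clearing at */
#define FILL_LEN 4u           /* dwords the handler intends to write */
#define CANARY   0xCCCCCCCCu  /* marks memory the handler must not touch */
#define FILLVAL  0x00000000u

/* The handler's inlined memset(): "rep stosd" with DF in the given state.
 * Compilers emit this without a leading "cld" because the ABI promises DF=0.
 * On x86 this executes the real instruction; elsewhere it models the
 * architectural definition (DF=1 decrements EDI/RDI after each store). */
static void inlined_memset_dwords(uint32_t *dst, uint32_t value, size_t count, int df_set)
{
#if defined(__i386__) || defined(__x86_64__)
    __asm__ volatile (
        "test %[df], %[df]\n\t"
        "jz 1f\n\t"
        "std\n\t"               /* handler entered with DF=1 (mid-memmove) */
        "1:\n\t"
        "rep stosl\n\t"         /* what the compiler emitted for memset() */
        "cld"                   /* restore the ABI state before returning to C */
        : "+D"(dst), "+c"(count)
        : "a"(value), [df] "r"(df_set)
        : "memory", "cc");
#else
    for (size_t i = 0; i < count; i++) {   /* software model of rep stosd */
        *dst = value;
        dst += df_set ? -1 : 1;
    }
#endif
}

/* Model of the user-mode exception dispatcher handing control to a handler
 * after an exception that occurred with DF=1. cld_first = 1 models the
 * proposed fix ("cld" at the top of the dispatcher); 0 models passing the
 * interrupted code's DF straight through to the handler. */
static void dispatch_to_handler(int cld_first, uint32_t buf[NWORDS])
{
    int df_at_exception = 1;                       /* e.g. a backward memmove */
    int df_seen_by_handler = cld_first ? 0 : df_at_exception;

    for (size_t i = 0; i < NWORDS; i++)
        buf[i] = CANARY;
    /* The handler does memset(&buf[TARGET], 0, FILL_LEN * sizeof(uint32_t)). */
    inlined_memset_dwords(&buf[TARGET], FILLVAL, FILL_LEN, df_seen_by_handler);
}

/* Canary dwords *below* the intended target that were overwritten:
 * nonzero means the handler corrupted memory it never meant to touch. */
static int corrupted_below_target(int cld_first)
{
    uint32_t buf[NWORDS];
    int n = 0;
    dispatch_to_handler(cld_first, buf);
    for (size_t i = 0; i < TARGET; i++)
        if (buf[i] != CANARY)
            n++;
    return n;
}

/* Dwords inside the intended range that actually received the fill. */
static int filled_in_target(int cld_first)
{
    uint32_t buf[NWORDS];
    int n = 0;
    dispatch_to_handler(cld_first, buf);
    for (size_t i = TARGET; i < TARGET + FILL_LEN; i++)
        if (buf[i] == FILLVAL)
            n++;
    return n;
}

int main(void)
{
    printf("DF passed through: %d dwords below target clobbered, %d/%u in target filled\n",
           corrupted_below_target(0), filled_in_target(0), FILL_LEN);
    printf("cld first:         %d dwords below target clobbered, %d/%u in target filled\n",
           corrupted_below_target(1), filled_in_target(1), FILL_LEN);
    return 0;
}
```

With DF passed through, the single "rep stosd" writes buf[4], buf[3], buf[2], buf[1]: three canary dwords below the target are destroyed and only one dword of the intended range is cleared, which is the silent corruption the report warns about. With a "cld" executed before the handler runs, all four intended dwords are filled and nothing else changes. The block always leaves DF cleared before returning to C, since calling any compiled code with DF=1 is itself the ABI violation at issue.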