Heap corruption (0xC0000374) when running 16-bit module on Windows 10 #1548

@mauricioesteban075-ctrl

Description

Try the latest version first.
Already tested with the latest AppVeyor build:
Environment: THIS_BUILD_IS_RECOMMENDED__VCXPROJ_BUILD=1 (latest build at the time of writing).


Describe the bug

We are running a legacy 16-bit business application called with OTVDM on Windows 10.

The main menu starts correctly and several modules work, but when opening specific modules (for example ), OTVDM (otvdmw.exe) eventually crashes with a heap corruption error.

On Windows XP NTVDM the same modules only show some warning dialogs but continue to work.
On Windows 10 + OTVDM the process otvdmw.exe is terminated.

Windbg analysis of one of the crash dumps (otvdmw.exe.9196.dmp - otvdmw.exe.9032.dmp) shows:

  • Exception code: 0xC0000374 (heap corruption)
  • Failure bucket:
    HEAP_CORRUPTION_ACTIONABLE_BlockNotBusy_DOUBLE_FREE_c0000374_ntdll.dll!RtlpFreeHeapInternal
  • Heap error:
    HEAP_FAILURE_BLOCK_NOT_BUSY: "The caller performed an operation (such as a free or a size check) that is illegal on a free block."

Stack around the heap failure (from !heap -s and !analyze -v):

ntdll!RtlpLogHeapFailure
ntdll!RtlpFreeHeapInternal
ntdll!RtlFreeHeap
AcLayers!NS_FaultTolerantHeap::APIHook_RtlFreeHeap
krnl386!GlobalFree16
krnl386!GlobalSize16
krnl386!LoadLibrary16
krnl386!LoadLibrary16
krnl386!RegFlushKey16
krnl386!vm_debug_get_entry_point
vm86!disassemble_debug
vm86!wine_call_to_16_regs_vm86
krnl386!K32WOWCallback16Ex
krnl386!LoadModule16
krnl386!RestoreThunkLock
kernel32!BaseThreadInitThunk

So it looks like a Win16 GlobalFree16 call ends up in RtlFreeHeap, and the Windows heap
detects a "BlockNotBusy / double free" situation and aborts the process.

In the WINEDEBUG trace we also see messages like:

err:winevdm:set_peb_compatible_flag user32.dll has already been loaded. (Anti-virus software may be the cause.)
err:winevdm:set_peb_compatible_flag Some compatibility flags can not be applied.

These messages suggest that some AppCompat / FaultTolerantHeap hooks are active in the process.

Environment (please complete the following information):

OS: Windows 10 Pro 22H2 x64 (build 19045.xxxx)

OTVDM / winevdm version: latest AppVeyor build
Environment: THIS_BUILD_IS_RECOMMENDED__VCXPROJ_BUILD=1


Execution:


(In production we normally call this via a PowerShell script and VBS, but the crash is reproducible
when running otvdmw.exe directly as shown above.)

16-bit application: internal legacy business system.

Additional context

On Windows XP with NTVDM, these modules show some warning boxes but the application does not crash.

On Windows 10 with OTVDM, several modules work fine, but opening  (and some other
modules that use similar logic) eventually leads to the heap corruption described above.

I tested with the latest AppVeyor "THIS_BUILD_IS_RECOMMENDED__VCXPROJ_BUILD=1" build and the behavior
is the same.

To generate the trace, I used:

set WINEDEBUG=+all,-snoop,-ldt,-fixup,-module,-global,-local,-disasm,-syslevel,-thunk


and then reproduced the crash by logging into  and opening the module that load


I have attached:

A crash dump: otvdmw.exe.12508.dmp (zipped)

My otvdm.ini


If needed, I can also provide (privately if required) the 16-bit module  that seems
to trigger the crash, as this is part of an internal legacy system.
