Massimo zombie
2011-05-26 SHL
2011-06-02 SHL

Running:

I:\sla_dev2\stunnel\stunnel-4.34\0-zips\0\stunnel.exe
 1-14-11  20:09         775,694      0  stunnel.exe

a73b0119d7ae0e094e57412bbe330f72 *stunnel.exe

IBM OS/2 Dump Formatter for a retail or an hstrict SMP kernel.
Formatter is --> Internal revision 14.105_SMP
Dump file is --> Internal revision 14.104a_SMP (process dump)

Symbol (d:\devtools\pmdf\14_104a_smp_massimo\os2krnlr.sym) linked

# .p
 Slot  Pid  Ppid Csid Ord  Sta Pri  pTSD     pPTDA    pTCB     Disp SG Name
*0179# 5f39 0010 5f39 0001 crt 0200 f9178000 fe625c38 f9735afc 0f1c 26 STUNNEL
 019d  5f39 0010 5f39 0002 blk 0200 f919c000 fe625c38 f973c78c 0ebc 26 STUNNEL

# .pu
 Slot  Pid  Ord  pPTDA    Name     pstkframe  CS:EIP        SS:ESP     cbargs
*0179# 5f39 0001 fe625c38 STUNNEL  %f9178f48 005b:1f05921e 0053:002afd58 0000
 019d  5f39 0002 fe625c38 STUNNEL  %f919cf40 005b:1f057f55 0053:0270fb3c 0000

# .pb
 Slot  Sta BlockID  Name     Type        Addr        Symbol
 019d  blk fd43b904 STUNNEL  Sem32     0001 0050  Event

#            Checking call gates for all slots
Slot STUNNEL    179:
*** Not in a call ***
Slot STUNNEL    19d:
 is in a call to:
%1ffc08e8 DOSCALL1 DOS32WAITEVENTSEM

# .s (ord 1)
Current slot number: 0179

eax=00000000 ebx=006ceff8 ecx=00000db1 edx=006b0078 esi=006cf000 edi=006d4040
eip=1f05921e esp=002afd58 ebp=002afda8 iopl=0 rf -- -- nv up ei pl nz na po nc
cs=005b ss=0053 ds=0053 es=0053 fs=150b gs=0000 cr2=00000000 cr3=00000000 p=**
005b:1f05921e f3ab           repe stosd                    es:006d4040=00000000

# ln
%1f059210 LIBC063 _std_bzero + e

# k
005b:1f05a846 006b0000 00008704 00000010 00000002 [LIBC063 _um_alloc_no_lock + 86]
005b:1f05c9f3 006b0000 00008704 00000010 00000002 [LIBC063 _ucalloc + 9f]
005b:1f09b6e7 006b0000 00000001 00008704 1bc00050 [LIBC063 _std_calloc + 27]
005b:00013696 00000001 00008704 002afe58 1f09d0e5 [STUNNEL alloc_client_session + 1a]
005b:0002071c 006cb9e0 0000000c 0000000c 0000000c [STUNNEL main_execute + 188]
005b:00020bc4 00000002 0001ff70 002aff68 00000001 [STUNNEL main + c8]
005b:00010021 00000002 002aff7c 20030180 ffffffff [STUNNEL _text + 21]
005b:1f07854b 00000000 1ffece38 00001a2f 00000000 [LIBC063 __init_app + b]

# u _um_alloc_no_lock + 86-5 l1
%1f05a841 e85b010000         call      %1f05a9a1

# ln %1f05a9a1
%1f05a874 LIBC063 _um_lump_alloc + 12d (_um_lump_alloc_noexpand?)

# dd esp
                        eip
0053:002afd58  00008704 1f05abcc 006cf000 00008704
0053:002afd68  006b0078 006b0078 20035320 0000000c
0053:002afd78  002afd98 00008720 006ceff8 0000000f
0053:002afd88  00008720 006b0150 006cf000 00008720
0053:002afd98  0000000a 00008704 006b0000 00000002
                        eip      h        size
0053:002afda8  002afdd8 1f05a846 006b0000 00008704
               round    flags
0053:002afdb8  00000010 00000002 20035320 0000000c
0053:002afdc8  00000002 006b0000 006b013c 00008704

# ln %1f05abcc
%1f05a874 LIBC063 _um_lump_alloc + 358 (_um_lump_alloc_noexpand?)

# u _um_lump_alloc + 358-5
%1f05abc7 e844e6ffff         call      %1f059210 ; _std_bzero

# ln %1f059210
%1f059210 LIBC063 _std_bzero

# ln %1f05a846
%1f05a7c0 LIBC063 _um_alloc_no_lock + 86

# u %1f05a846-5 l1
%1f05a841 e85b010000         call      %1f05a9a1

# ln %1f05a9a1
%1f05a874 LIBC063 _um_lump_alloc + 12d (_um_lump_alloc_noexpand?)

# u _um_alloc_no_lock _um_alloc_no_lock + 86 ( code does not seem to match source )
LIBC063 _um_alloc_no_lock:
%1f05a7c0 55                 push      ebp
%1f05a7c1 89e5               mov       ebp,esp
%1f05a7c3 57                 push      edi
%1f05a7c4 56                 push      esi
%1f05a7c5 53                 push      ebx
%1f05a7c6 83ec0c             sub       esp,+0c
%1f05a7c9 8b7508             mov       esi,dword ptr [ebp+08]
%1f05a7cc 8b5d0c             mov       ebx,dword ptr [ebp+0c]
%1f05a7cf 8b7d14             mov       edi,dword ptr [ebp+14]
%1f05a7d2 8b86e8000000       mov       eax,dword ptr [esi+000000e8]
                             ; if...
%1f05a7d8 85c0               test      eax,eax
%1f05a7da 7e4e               jle       %1f05a82a

%1f05a7dc c1e004             shl       eax,04
%1f05a7df 3b9c06dc000000     cmp       ebx,dword ptr [esi+eax+000000dc]
%1f05a7e6 7742               ja        %1f05a82a

%1f05a7e8 31d2               xor       edx,edx
                             ; while...
%1f05a7ea 3b9eec000000       cmp       ebx,dword ptr [esi+000000ec]
%1f05a7f0 760e               jbe       %1f05a800
%1f05a7f2 8d86ec000000       lea       eax,[esi+000000ec]
%1f05a7f8 83c010             add       eax,+10
%1f05a7fb 42                 inc       edx
%1f05a7fc 3b18               cmp       ebx,dword ptr [eax]
%1f05a7fe 77f8               ja        %1f05a7f8

%1f05a800 83ec0c             sub       esp,+0c
%1f05a803 8b4d10             mov       ecx,dword ptr [ebp+10]
%1f05a806 c1e204             shl       edx,04
%1f05a809 57                 push      edi
%1f05a80a 51                 push      ecx
%1f05a80b 8d8c32ec000000     lea       ecx,[edx+esi+000000ec]
%1f05a812 53                 push      ebx
%1f05a813 51                 push      ecx
%1f05a814 56                 push      esi
%1f05a815 e8ab040000         call      %1f05acc5 ; _um_lump_alloc + 451 (_um_crateset_alloc)
%1f05a81a 83c420             add       esp,+20          ;' '
%1f05a81d 85c0               test      eax,eax
%1f05a81f 7409               jz        %1f05a82a
%1f05a821 90                 nop

                             ; exit
%1f05a822 8d65f4             lea       esp,[ebp-0c]
%1f05a825 5b                 pop       ebx
%1f05a826 5e                 pop       esi
%1f05a827 5f                 pop       edi
%1f05a828 5d                 pop       ebp
%1f05a829 c3                 retd

%1f05a82a 8d4b2b             lea       ecx,[ebx+2b]
%1f05a82d 31d2               xor       edx,edx
%1f05a82f 83e1e0             and       ecx,-20
%1f05a832 39d9               cmp       ecx,ebx
%1f05a834 7304               jnc       %1f05a83a

%1f05a836 89d0               mov       eax,edx
%1f05a838 ebe8               jmp       %1f05a822

%1f05a83a 8b4510             mov       eax,dword ptr [ebp+10]
%1f05a83d 57                 push      edi
%1f05a83e 50                 push      eax
%1f05a83f 53                 push      ebx
%1f05a840 56                 push      esi
%1f05a841 e85b010000         call      %1f05a9a1        ; _um_lump_alloc + 12d (_um_lump_alloc_noexpand?)
%1f05a846 83c410             add       esp,+10
%1f05a849 89c2               mov       edx,eax
%1f05a84b 85c0               test      eax,eax
%1f05a84d 75e7               jnz       %1f05a836
%1f05a84f 52                 push      edx
%1f05a850 52                 push      edx
%1f05a851 53                 push      ebx
%1f05a852 56                 push      esi
%1f05a853 e811040000         call      %1f05ac69        ; _um_lump_alloc + 3f5 (_um_crateset_alloc?)
%1f05a858 83c410             add       esp,+10
%1f05a85b 31d2               xor       edx,edx
%1f05a85d 85c0               test      eax,eax
%1f05a85f 74d5               jz        %1f05a836
%1f05a861 8b5510             mov       edx,dword ptr [ebp+10]
%1f05a864 57                 push      edi
%1f05a865 52                 push      edx
%1f05a866 53                 push      ebx
%1f05a867 56                 push      esi
%1f05a868 e834010000         call      %1f05a9a1        ; _um_lump_alloc + 12d (_um_lump_alloc_noexpand?)
%1f05a86d 83c410             add       esp,+10
%1f05a870 89c2               mov       edx,eax
%1f05a872 ebc2               jmp       %1f05a836

LIBC063 _um_lump_alloc:
%1f05a874 55                 push      ebp
%1f05a875 89e5               mov       ebp,esp

# ln %1f05a9a1
%1f05a874 LIBC063 _um_lump_alloc + 12d

# ln %1f05acc5
%1f05a874 LIBC063 _um_lump_alloc + 451

# ln %1f05ac69
%1f05a874 LIBC063 _um_lump_alloc + 3f5

# ln %1f05acc5
%1f05a874 LIBC063 _um_lump_alloc + 451 (_um_crateset_alloc)

_um_alloc_no_lock ->
  _um_lump_alloc_noexpand->
    _std_bzero

Looks OK, but can't run because ORD2 is in a critical section

-------------------------------------------------------------------------

# .s19d
Current slot number: 019d (ord 2)

# r
eax=00000000 ebx=006b013c ecx=00010050 edx=00000bb8 esi=00000001 edi=0270fb4c
eip=1f057f55 esp=0270fb3c ebp=0270fb64 iopl=0 -- -- -- nv up ei pl nz na pe nc
cs=005b ss=0053 ds=0053 es=0053 fs=150b gs=0000 cr2=00000000 cr3=00000000 p=**
005b:1f057f55 83c410         add       esp,+10

# ln
%1f057e14 LIBC063 __fmutex_request_internal + 141

# k
005b:1f05a758 006b013c 00000001 00000002 00000000 [LIBC063 _umalloc + 134]
005b:1f05a675 006b013c 00000001 006b0000 006b0000 [LIBC063 _umalloc + 51]
005b:1f060394 006b0000 00000064 000521d0 000521d0 [LIBC063 _std_malloc + 24]
005b:000521e4 00000064 0000001e 00115fcb 00000148 [STUNNEL TLSv1_server_method + a7]
005b:0005270d 00000064 00082f03 000000ce 00000000 [STUNNEL CRYPTO_malloc + 82]
005b:0008317d 00000064 00082f03 000000ce 00000000 [STUNNEL EVP_DigestInit_ex + 209]
005b:000b67d5 0270fca4 000843d0 00000000 00000101 [STUNNEL RAND_SSLeay + 2ae]
005b:000596cb 0270fd64 00000004 00000000 00000000 [STUNNEL RAND_add + 4d]
005b:00035b57 0270fd64 00000004 00000000 00000000 [STUNNEL ssl23_accept + 48]
005b:00022c6d 00715540 00000000 00000000 00000000 [STUNNEL SSL_accept + 2c]
005b:0001159e 00715540 0000012c 00000000 00000000
005b:00012c5a 006fc0e0 00011928 006c9aa8 006fc0e4
005b:00013616 006fc0e0 00013597 006c9aa8 20034800 [STUNNEL client + 6a]
005b:1f0899f3 006fc0e0 00000000 00000000 00000000 [LIBC063 _endthread + 7f]
005b:1ffece38 20034800 00000000 00000000 00000000

# u _umalloc + 134-5 l1
%1f05a753 e8bcd6ffff         call      %1f057e14

# ln %1f057e14
%1f057e14 LIBC063 __fmutex_request_internal

--------------------------------------------------------------------------------

# .pb
 Slot  Sta BlockID  Name     Type        Addr        Symbol
 019d  blk fd43b904 STUNNEL  Sem32     0001 0050  Event

# .d sem32 %fd43b904

 00        00
-----   -------- --------
SP-FF   00050020
   IN   00050020
   SP   00050020

RE-FF   00050020
   IN   00050020
   SP   00050020

FT-FF   00050020
   IN   00050020
   SP   00050020

UP-FF   00050020
   IN   00050020
   SP   00050020

VP-FF   00050020
   IN   00050020
   SP   00050020

GT-FF   00050020
   IN   00050020
   SP   00050020

ST-FF   00050020
   IN   00050020
   SP   00050020

        Type: Private Event
       Flags: Reset
       pMuxQ: 00000000
  Post Count: 0000
  Open Count: 0002
 Create Addr: 0010fd43
 Caller Addr: 0010ffc2

# dw %fd43b904
%fd43b904  0010 0000 0000 0000 0002 fd43 0010 ffc2
%fd43b914  0010 0000 0000 0000 0001 fd43 0010 ffc2

... .d sem32 looks broken - try another way

# .pu
 Slot  Pid  Ord  pPTDA    Name     pstkframe  CS:EIP        SS:ESP     cbargs
*0179# 5f39 0001 fe625c38 STUNNEL  %f9178f48 005b:1f05921e 0053:002afd58 0000
 019d  5f39 0002 fe625c38 STUNNEL  %f919cf40 005b:1f057f55 0053:0270fb3c 0000

# ln  %1f057f55
%1f057e14 LIBC063 __fmutex_request_internal + 141

# u %1f057f55-5 l1
%1f057f50 e89389f600         call      %1ffc08e8 ; DOS32WAITEVENTSEM

# ln %1ffc08e8
%1ffc08e8 DOSCALL1 DOS32WAITEVENTSEM

# u %1f057f36 1f057f55
%1f057f36 50                 push      eax
%1f057f37 50                 push      eax
%1f057f38 f6430501           test      byte ptr [ebx+05],01
%1f057f3c 0f94c2             sete      dl
%1f057f3f 81e2ff000000       and       edx,000000ff
%1f057f45 4a                 dec       edx
%1f057f46 81cab80b0000       or        edx,00000bb8 ; 3000
%1f057f4c 52                 push      edx
%1f057f4d 8b0b               mov       ecx,dword ptr [ebx]
%1f057f4f 51                 push      ecx
%1f057f50 e89389f600         call      %1ffc08e8 ; DOS32WAITEVENTSEM
%1f057f55 83c410             add       esp,+10

# r
                              hsem         timeout
eax=00000000 ebx=006b013c ecx=00010050 edx=00000bb8 esi=00000001 edi=0270fb4c
eip=1f057f55 esp=0270fb3c ebp=0270fb64 iopl=0 -- -- -- nv up ei pl nz na pe nc
cs=005b ss=0053 ds=0053 es=0053 fs=150b gs=0000 cr2=00000000 cr3=00000000 p=**
005b:1f057f55 83c410         add       esp,+10

# dd ebx
                            flfs pid tid
0053:006b013c  00010050 6d660003 5f390001 1f059c40

03 = _FMS_OWNED_HARD

# da 1f059c40
0053:1f059c40 LIBC Heap

# dd esp       hsem     timeout
0053:0270fb3c  00010050 00000bb8 00000000 00000000

Probably a deadlock: ORD2 is waiting on the LIBC Heap fmutex at 006b013c, whose owner word (pid 5f39, tid 0001) points at ORD1, which is still inside _um_alloc_no_lock
Possible that ORD2 neglected to exit the critical section
Possible that a _FMC_MUST_COMPLETE sem is held

02 = _FMC_MUST_COMPLETE

Try to find locked _FMC_MUST_COMPLETE sem

Find gmtxWait

LIBC063 __libc_back_processWaitNotifyExec:
%1f07bbf4 55                 push      ebp
%1f07bbf5 89e5               mov       ebp,esp
%1f07bbf7 56                 push      esi
%1f07bbf8 53                 push      ebx
%1f07bbf9 8b15a0ca7e18       mov       edx,dword ptr [187ecaa0] ; gpChildrenFree
%1f07bbff 8b7508             mov       esi,dword ptr [ebp+08] ; pid
%1f07bc02 85d2               test      edx,edx
%1f07bc04 0f85ae000000       jnz       %1f07bcb8

%1f07bcb8 50                 push      eax
%1f07bcb9 50                 push      eax
%1f07bcba 6a00               push      +00
%1f07bcbc 6830ba7e18         push      187eba30
%1f07bcc1 e80e060000         call      %1f07c2d4 ; _fmutex_request?
%1f07bcc6 83c410             add       esp,+10
%1f07bcc9 85c0               test      eax,eax

# dd %187eba30
%187eba30  0001004d 6d660201 00000000 1f07b6f0

# da %1f07b6f0
%1f07b6f0 b_processWait.c: gmtxWait

Check gmtx

# dd gmtx
%187d88c0  00010008 6d660201 00000000 1f05b100

# da 1f05b100
%1f05b100 LIBC SYS Filehandle Mutex

Find g_mtxFSInfoVolumes

# u __libc_back_fsInfoObjByDev

LIBC063 __libc_back_fsInfoObjByDev:
%1f1381a9 55                 push      ebp
%1f1381aa 89e5               mov       ebp,esp
%1f1381ac 57                 push      edi
%1f1381ad 56                 push      esi
%1f1381ae 31f6               xor       esi,esi
%1f1381b0 53                 push      ebx
%1f1381b1 83ec0c             sub       esp,+0c
%1f1381b4 8b5d08             mov       ebx,dword ptr [ebp+08]
%1f1381b7 0fb6cf             movzx     ecx,bh
%1f1381ba 83f956             cmp       ecx,+56          ;'V'
%1f1381bd 740b               jz        %1f1381ca

%1f1381ca 80fb40             cmp       bl,40            ;'@'
%1f1381cd 7ef0               jle       %1f1381bf
%1f1381cf 80fb5a             cmp       bl,5a            ;'Z'
%1f1381d2 7feb               jg        %1f1381bf

%1f1381d4 0fbefb             movsx     edi,bl
%1f1381d7 c1e705             shl       edi,05
%1f1381da 50                 push      eax
%1f1381db 50                 push      eax
%1f1381dc 6a00               push      +00
%1f1381de 8db7e8c18118       lea       esi,[edi+1881c1e8]
%1f1381e4 68a0737d18         push      187d73a0
%1f1381e9 e867060000         call      %1f138855
%1f1381ee 83c410             add       esp,+10

# dd %187d73a0
%187d73a0  00010053 42420201 00000000 1f13658f

# da %1f13658f
%1f13658f mtxFSInfoVolumes

Hmmm...
