http://bugs.winehq.org/show_bug.cgi?id=33384
--- Comment #14 from Anastasius Focht focht@gmx.net 2013-04-19 05:22:18 CDT ---
Hello folks,
--- quote ---
The interface appears to have two more methods than IWICBitmapSource, one taking a single argument and one taking 3 arguments, as determined by this excessively terrible python script.
--- quote ---
The missing method where it currently crashes has indeed one argument. It looks like an out pointer as this memory is later accessed by WPF.
Creating a stub method and returning the infamous 0xdeadbeef results in another crash:
--- snip ---
$ WINEDEBUG=+tid,+seh,+snoop,+wincodecs wine ./WineTest.exe
...
0024:trace:wincodecs:BitmapImpl_CopyPixels (0x1ce114,0x32dc44,4,4,0x84ce6c)
0024:CALL wpfgfx_v0300.MILQueryInterface(001ce114,0032dc34,0032dc9c) ret=042f123d
0024:trace:wincodecs:BitmapImpl_QueryInterface (0x1ce114,{7543696a-bc8d-46b0-5f81-8d95728972be},0x32dc9c)
0024:trace:wincodecs:BitmapImpl_AddRef (0x1ce114) refcount=4
0024:RET wpfgfx_v0300.MILQueryInterface() retval=00000000 ret=042f123d
0024:CALL wpfgfx_v0300.MilResource_SendCommandBitmapSource(<unknown, check return>) ret=042f23d7
0024:trace:wincodecs:IMILBitmapImpl_GetPixelFormat (0x1ce110,0x32dbc4)
0024:trace:wincodecs:BitmapImpl_AddRef (0x1ce114) refcount=5
0024:trace:wincodecs:BitmapImpl_GetSize (0x1ce114,0x32dbb4,0x32dbb0)
0024:trace:wincodecs:BitmapImpl_GetResolution (0x1ce114,0x32dc40,0x32dc38)
0024:trace:wincodecs:IMILBitmapImpl_UnknownMethod1 (0x1ce110,0x32db90)
0024:trace:seh:raise_exception code=c0000005 flags=0 addr=0x5403f9dc ip=5403f9dc tid=0024
0024:trace:seh:raise_exception info[0]=00000000
0024:trace:seh:raise_exception info[1]=deadbeef
0024:trace:seh:raise_exception eax=deadbeef ebx=001ce110 ecx=00000000 edx=7bce4108 esi=00000000 edi=00000000
0024:trace:seh:raise_exception ebp=0032db88 esp=0032db7c cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010246
0024:trace:seh:call_stack_handlers calling handler at 0x7a00a2e7 code=c0000005 flags=0
0024:trace:seh:call_stack_handlers handler at 0x7a00a2e7 returned 1
0024:trace:seh:call_stack_handlers calling handler at 0x79edc3bc code=c0000005 flags=0
0024:trace:seh:call_stack_handlers handler at 0x79edc3bc returned 1
0024:trace:seh:call_stack_handlers calling handler at 0x79f908a2 code=c0000005 flags=0
--- snip ---
The caller code (eax -> 0xdeadbeef returned from iface "unknown" method):
--- snip ---
Wine-dbg>disas
0x5403f9d9: movl 0x8(%ebp),%eax
0x5403f9dc: movl 0x0(%eax),%ecx
0x5403f9de: pushl %eax
0x5403f9df: call *0x4(%ecx)
0x5403f9e2: movl 0x8(%ebp),%eax
0x5403f9e5: movl 0x0(%eax),%ecx
0x5403f9e7: pushl %eax
0x5403f9e8: call *0x4(%ecx)
0x5403f9eb: movl 0xc(%ebp),%eax
0x5403f9ee: movl 0x8(%ebp),%ecx
--- snip ---
Looks pretty much like another interface/vtable, second method being called.
So I went forward and created another simple IUnknown based interface without any additional methods and returned that. Yay, it went much further ... but still crashed at some point :|
Interestingly only AddRef() and Release() are called (pairwise) which seems to reinforce the assumption that this might be indeed IUnknown based. But strangely no QueryInterface() call?
--- snip ---
$ WINEDEBUG=+tid,+seh,+snoop,+wincodecs wine ./WineTest.exe
...
0024:CALL wpfgfx_v0300.MILQueryInterface(001ce468,0032dc34,0032dc9c) ret=042f123d
0024:trace:wincodecs:BitmapImpl_QueryInterface (0x1ce468,{7543696a-bc8d-46b0-5f81-8d95728972be},0x32dc9c)
0024:trace:wincodecs:BitmapImpl_AddRef (0x1ce468) refcount=4
0024:RET wpfgfx_v0300.MILQueryInterface() retval=00000000 ret=042f123d
0024:CALL wpfgfx_v0300.MilResource_SendCommandBitmapSource(<unknown, check return>) ret=042f23d7
0024:trace:wincodecs:IMILBitmapImpl_GetPixelFormat (0x1ce460,0x32dbc4)
0024:trace:wincodecs:BitmapImpl_AddRef (0x1ce468) refcount=5
0024:trace:wincodecs:BitmapImpl_GetSize (0x1ce468,0x32dbb4,0x32dbb0)
0024:trace:wincodecs:BitmapImpl_GetResolution (0x1ce468,0x32dc40,0x32dc38)
0024:trace:wincodecs:IMILBitmapImpl_UnknownMethod1 (0x1ce460,0x32db90)
0024:trace:wincodecs:IMILUnknown1Impl_AddRef (0x1ce464)
0024:trace:wincodecs:BitmapImpl_AddRef (0x1ce468) refcount=6
0024:trace:wincodecs:IMILUnknown1Impl_AddRef (0x1ce464)
0024:trace:wincodecs:BitmapImpl_AddRef (0x1ce468) refcount=7
0024:trace:wincodecs:IMILUnknown1Impl_Release (0x1ce464)
0024:trace:wincodecs:BitmapImpl_Release (0x1ce468) refcount=6
0024:trace:wincodecs:BitmapImpl_Release (0x1ce468) refcount=5
0024:RET wpfgfx_v0300.MilResource_SendCommandBitmapSource(00000010,001ce460,00000001,00000001,001a7858) retval=00000000 ret=042f23d7
0024:CALL wpfgfx_v0300.MilCompositionEngine_ExitCompositionEngineLock() ret=042f08c3
0024:RET wpfgfx_v0300.MilCompositionEngine_ExitCompositionEngineLock() retval=00000000 ret=042f08c3
0024:CALL wpfgfx_v0300.MilChannel_BeginCommand(001a7858,0032da6c,0000000c,00000030) ret=04dce89e
0024:RET wpfgfx_v0300.MilChannel_BeginCommand() retval=00000000 ret=04dce89e
0024:CALL wpfgfx_v0300.MilChannel_AppendCommandData(001a7858,0083f888,00000008) ret=04dcea12
0024:RET wpfgfx_v0300.MilChannel_AppendCommandData() retval=00000000 ret=04dcea12
0024:CALL wpfgfx_v0300.MilCompositionEngine_EnterCompositionEngineLock() ret=042f08c3
...
0024:CALL wpfgfx_v0300.MilResource_SendCommand(0032deb4,00000010,001a7858) ret=046790e0
0024:RET wpfgfx_v0300.MilResource_SendCommand() retval=00000000 ret=046790e0
0024:CALL wpfgfx_v0300.MilResource_SendCommand(0032df20,00000010,001a7858) ret=046790e0
0024:RET wpfgfx_v0300.MilResource_SendCommand() retval=00000000 ret=046790e0
0024:CALL wpfgfx_v0300.MilResource_SendCommand(0032df8c,00000010,001a7858) ret=046790e0
0024:RET wpfgfx_v0300.MilResource_SendCommand() retval=00000000 ret=046790e0
0024:CALL wpfgfx_v0300.MilResource_SendCommand(0032dff8,00000010,001a7858) ret=046790e0
0024:RET wpfgfx_v0300.MilResource_SendCommand() retval=00000000 ret=046790e0
0024:CALL wpfgfx_v0300.MilChannel_CommitChannel(001a7858) ret=0467924c
0024:RET wpfgfx_v0300.MilChannel_CommitChannel() retval=00000000 ret=0467924c
0024:CALL wpfgfx_v0300.MilComposition_SyncFlush(001a7858) ret=0467945c
0027:trace:seh:raise_exception code=c0000005 flags=0 addr=0x5404056b ip=5404056b tid=0027
0027:trace:seh:raise_exception info[0]=00000000
0027:trace:seh:raise_exception info[1]=00000009
0027:trace:seh:raise_exception eax=00000005 ebx=00000000 ecx=0497cc48 edx=54009440 esi=001ce46c edi=048de5bc
0027:trace:seh:raise_exception ebp=048de590 esp=048de588 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010206
0027:trace:seh:call_stack_handlers calling handler at 0x7bc982ed code=c0000005 flags=0
...
Unhandled exception: page fault on read access to 0x00000009 in 32-bit code (0x5404056b).
Register dump:
 CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b
 EIP:5404056b ESP:048de588 EBP:048de590 EFLAGS:00010206( R- -- I - -P- )
 EAX:00000005 EBX:00000000 ECX:0497cc48 EDX:54009440
 ESI:001ce46c EDI:048de5bc
Stack dump:
0x048de588: 001ce46c 0497cc48 048de5a4 540405a8
0x048de598: 048de5bc 00000000 0497ac00 048de604
0x048de5a8: 54040140 048de5d0 0497ac00 00000000
0x048de5b8: 0497e500 00000000 00000000 00000000
0x048de5c8: 43a18000 43a18000 7f7fffff 7f7fffff
0x048de5d8: 048de610 00000005 00000000 00000000
000c: sel=0067 base=00000000 limit=00000000 32-bit r-x
Backtrace:
=>0 0x5404056b in wpfgfx_v0300 (+0x4056b) (0x048de590)
  1 0x540405a8 in wpfgfx_v0300 (+0x405a7) (0x048de5a4)
  2 0x54040140 in wpfgfx_v0300 (+0x4013f) (0x048de604)
  3 0x540400bb in wpfgfx_v0300 (+0x400ba) (0x048de6a8)
  4 0x54015944 in wpfgfx_v0300 (+0x15943) (0x048de6d8)
--- snip ---
Regards
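
Added illustration, not part of the comment above and not Wine's code: a portable C model of the experiment it describes, where a stub method fills its out pointer with an IUnknown-only interface embedded in the same object, and the `call *0x4(%ecx)` displacement is mapped to a vtable slot. All type and function names are hypothetical, and the stub not taking a reference of its own is an assumption.

```c
#include <stddef.h>

/* All names are hypothetical; this is not Wine's implementation. */
typedef struct IUnk IUnk;
typedef struct IUnkVtbl {
    long (*QueryInterface)(IUnk *self, const void *riid, void **out);
    unsigned long (*AddRef)(IUnk *self);
    unsigned long (*Release)(IUnk *self);
} IUnkVtbl;
struct IUnk { const IUnkVtbl *vtbl; };

/* One object exposing interface pointers at adjacent offsets, like the
   0x1ce460 / 0x1ce464 / 0x1ce468 pointers in the second trace. */
typedef struct Bitmap {
    IUnk mil_iface;       /* interface that owns the unknown method */
    IUnk unknown1_iface;  /* IUnknown-only interface handed to the caller */
    unsigned long ref;    /* single refcount shared by all interfaces */
} Bitmap;

static Bitmap *from_unknown1(IUnk *i) {
    return (Bitmap *)((char *)i - offsetof(Bitmap, unknown1_iface));
}
static long unk1_qi(IUnk *s, const void *riid, void **out) {
    (void)s; (void)riid; *out = NULL;
    return -1; /* stand-in failure code; never called in the trace */
}
static unsigned long unk1_addref(IUnk *s)  { return ++from_unknown1(s)->ref; }
static unsigned long unk1_release(IUnk *s) { return --from_unknown1(s)->ref; }
static const IUnkVtbl unk1_vtbl = { unk1_qi, unk1_addref, unk1_release };

/* Stub for the one-argument method: fill the out pointer with a real
   interface. Taking no reference here is an assumption. */
static long unknown_method1(Bitmap *b, void **out) {
    *out = &b->unknown1_iface;
    return 0;
}
/* Map the displacement in `call *N(%ecx)` (32-bit) to an IUnknown slot. */
static const char *slot_name(unsigned off) {
    static const char *const names[] = { "QueryInterface", "AddRef", "Release" };
    return (off % 4 == 0 && off / 4 < 3) ? names[off / 4] : "not IUnknown";
}
/* Replay the caller: two slot-1 calls, then the balancing releases. */
static unsigned long replay(unsigned long start, unsigned long *peak) {
    Bitmap b = { { NULL }, { &unk1_vtbl }, start };
    void *out = NULL;
    unknown_method1(&b, &out);
    IUnk *u = out;
    u->vtbl->AddRef(u);
    *peak = u->vtbl->AddRef(u);
    u->vtbl->Release(u);
    return u->vtbl->Release(u);
}
```

Starting from the refcount of 5 seen before the unknown method is called, the replay peaks at 7 and returns to 5, matching the counts in the second trace.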