https://bugs.winehq.org/show_bug.cgi?id=37563
Anastasius Focht focht@gmx.net changed:
What                |Removed                     |Added
----------------------------------------------------------------------------
Status              |UNCONFIRMED                 |NEW
CC                  |                            |focht@gmx.net
Component           |-unknown                    |richedit
Summary             |Skype crashes trying to     |Skype 6.x crashes trying to
                    |make an audio call          |make an audio call
                    |                            |(DestroyIRichEditOle must
                    |                            |take reference count into
                    |                            |account)
Ever confirmed      |0                           |1

--- Comment #9 from Anastasius Focht focht@gmx.net ---

Hello folks,

confirming.

--- quote ---
I cannot debug Skype further because it crashes immediately when being run under winedbg.
--- quote ---
That's expected. Skype employs some basic anti-debug measures which can be worked around easily though :)
--- snip ---
0023:Starting process L"C:\Program Files\Skype\Phone\Skype.exe" (entryproc=0x5bb288)
...
21925.104:0023:Call KERNEL32.CreateFileW(00335ebc L"\\.\NTICE",00000000,00000000,00000000,00000003,00000000,00000000) ret=005a5658
21925.104:0023:Ret KERNEL32.CreateFileW() retval=ffffffff ret=005a5658
21925.104:0023:Call KERNEL32.CreateFileW(00335ebc L"\\.\Siwvid",00000000,00000000,00000000,00000003,00000000,00000000) ret=005a5695
21925.104:0023:Ret KERNEL32.CreateFileW() retval=ffffffff ret=005a5695
...
21926.429:0023:Call KERNEL32.IsDebuggerPresent() ret=00d3b719
21926.429:0023:Ret KERNEL32.IsDebuggerPresent() retval=00000000 ret=00d3b719
...
21981.861:002d:Call KERNEL32.IsDebuggerPresent() ret=0061648b
21981.861:002d:Ret KERNEL32.IsDebuggerPresent() retval=00000000 ret=0061648b
...
21981.880:002d:Call KERNEL32.IsDebuggerPresent() ret=0061648b
21981.880:002d:Ret KERNEL32.IsDebuggerPresent() retval=00000000 ret=0061648b
...
21982.793:002d:Call KERNEL32.IsDebuggerPresent() ret=0061648b
21982.793:002d:Ret KERNEL32.IsDebuggerPresent() retval=00000000 ret=0061648b
...
21983.129:002f:Call KERNEL32.IsDebuggerPresent() ret=0061648b
21983.129:002f:Ret KERNEL32.IsDebuggerPresent() retval=00000000 ret=0061648b
...
21983.133:002d:Call KERNEL32.IsDebuggerPresent() ret=0061648b
21983.133:002d:Ret KERNEL32.IsDebuggerPresent() retval=00000000 ret=0061648b
...
<attach debugger>
...
22043.920:002d:Call KERNEL32.IsDebuggerPresent() ret=0061648b
22043.920:002d:Ret KERNEL32.IsDebuggerPresent() retval=00000001 ret=0061648b <detected>
22043.920:002d:trace:seh:raise_exception code=c0000005 flags=0 addr=0x204 ip=00000204 tid=002d
22043.920:002d:trace:seh:raise_exception info[0]=00000008
22043.920:002d:trace:seh:raise_exception info[1]=00000204
22043.920:002d:trace:seh:raise_exception eax=00000000 ebx=00000000 ecx=00000000 edx=00000204 esi=0600e4d0 edi=0600e4d0
22043.920:002d:trace:seh:raise_exception ebp=00000025 esp=0600e4d8 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010246
22043.920:002d:trace:seh:call_stack_handlers calling handler at 0x7bc9e6e7 code=c0000005 flags=0
22043.921:002d:Call KERNEL32.UnhandledExceptionFilter(0600dfa4) ret=7bc9e721
22043.921:002d:Ret KERNEL32.UnhandledExceptionFilter() retval=00000000 ret=7bc9e721
22043.921:002d:trace:seh:call_stack_handlers handler at 0x7bc9e6e7 returned 1
--- snip ---

Multiple threads have a check for debuggers at code paths that are called periodically.
Anyway, now to the real issue here...
--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files/Skype/Phone

$ WINEDEBUG=+tid,+seh,+relay,+richedit wine ./Skype.exe /legacylogin >>log.txt 2>&1
...
0023:Call KERNEL32.LoadLibraryW(004b6a10 L"RICHED20.DLL") ret=004b69b9
0023:Call PE DLL (proc=0x7a4b2ccc,module=0x7a470000 L"riched20.dll",reason=PROCESS_ATTACH,res=(nil))
...
0023:Ret KERNEL32.LoadLibraryW() retval=7a470000 ret=004b69b9
...
0023:Call KERNEL32.LoadLibraryW(017eb210 L"MSFTEDIT.DLL") ret=017eb1ff
0023:Call PE DLL (proc=0x7aa4d870,module=0x7aa40000 L"msftedit.dll",reason=PROCESS_ATTACH,res=(nil))
...
0023:Ret KERNEL32.LoadLibraryW() retval=7aa40000 ret=017eb1ff
0023:Call user32.GetClassInfoW(00400000,017ed23c L"RICHEDIT50W",0033ead8) ret=004f4ed2
0023:Ret user32.GetClassInfoW() retval=0000c098 ret=004f4ed2
0023:Call user32.GetClassInfoW(00400000,0033eb00 L"TChatRichEdit",0033ea8c) ret=004f5172
0023:Ret user32.GetClassInfoW() retval=00000000 ret=004f5172
0023:Call user32.RegisterClassW(0033ead8) ret=004f51bc
0023:Ret user32.RegisterClassW() retval=0000c09b ret=004f51bc
0023:Call user32.CreateWindowExW(00000000,0033eb00 L"TChatRichEdit",0048a85c L"",44210044,0000000c,0000000a,00000134,00000025,00010150,00000000,00400000,00000000) ret=0040eb98
...
0023:trace:richedit:RichEditWndProc_common WM_NCCREATE: hWnd 0x10154 style 0x44210044
...
0023:trace:richedit:IRichEditOleImpl_inner_fnAddRef 0x8d934e0 ref = 2
0023:trace:richedit:RichEditWndProc_common exit hwnd 0x10154 msg 043c (EM_GETOLEINTERFACE) 0 71454a4, unicode 1 -> 1
0023:Ret window proc 0x7a48e304 (hwnd=0x10154,msg=WM_USER+60,wp=00000000,lp=071454a4) retval=00000001
0023:Ret user32.CallWindowProcW() retval=00000001 ret=004f663d
0023:Ret window proc 0x380c61 (hwnd=0x10154,msg=WM_USER+60,wp=00000000,lp=071454a4) retval=00000001
0023:Ret user32.SendMessageW() retval=00000001 ret=017ed432
0023:trace:richedit:IRichEditOleImpl_inner_fnAddRef 0x8d934e0 ref = 3
0023:trace:richedit:IRichEditOleImpl_inner_fnAddRef 0x8d934e0 ref = 4
0023:fixme:richedit:IRichEditOle_fnGetObjectCount stub 0x8d934e0
0023:trace:richedit:IRichEditOleImpl_inner_fnRelease 0x8d934e0 ref=3
0023:trace:richedit:IRichEditOleImpl_inner_fnRelease 0x8d934e0 ref=2
...
0023:Call user32.DestroyWindow(001d0148) ret=004f558d
...
0023:Call user32.CallWindowProcW(7a48e304,00010154,00000002,00000000,00000000) ret=004f663d
0023:Call window proc 0x7a48e304 (hwnd=0x10154,msg=WM_DESTROY,wp=00000000,lp=00000000)
0023:trace:richedit:RichEditWndProc_common enter hwnd 0x10154 msg 0002 () 0 0, unicode 1
0023:Call user32.GetWindowLongW(00010154,00000000) ret=7a48dd66
0023:Ret user32.GetWindowLongW() retval=08d928e8 ret=7a48dd66
0023:trace:richedit:ME_EmptyUndoStack Emptying undo stack
...
0023:trace:richedit:ME_ReleaseStyle all style references freed (good!)
...
0023:trace:richedit:DestroyIRichEditOle Destroying 0x8d934e0
...
0023:trace:richedit:RichEditWndProc_common exit hwnd 0x10154 msg 0002 () 0 0, unicode 1 -> 0
...
0023:trace:richedit:IRichEditOleImpl_inner_fnAddRef 0x8d934e0 ref = 4
0023:trace:richedit:IRichEditOleImpl_inner_fnAddRef 0x8d934e0 ref = 5
0023:fixme:richedit:IRichEditOle_fnGetObjectCount stub 0x8d934e0
0023:trace:richedit:IRichEditOleImpl_inner_fnRelease 0x8d934e0 ref=4
0023:trace:richedit:IRichEditOleImpl_inner_fnRelease 0x8d934e0 ref=3
...
0023:Call user32.GetClassInfoW(00400000,00489bd0 L"EDIT",0033ee64) ret=004f4ed2
0023:Ret user32.GetClassInfoW() retval=0000c012 ret=004f4ed2
0023:Call user32.GetClassInfoW(00400000,004b6a2c L"RICHEDIT20W",0033ee64) ret=004f4ed2
0023:Ret user32.GetClassInfoW() retval=0000c097 ret=004f4ed2
0023:Call user32.GetClassInfoW(00400000,017ed23c L"RICHEDIT50W",0033ee64) ret=004f4ed2
0023:Ret user32.GetClassInfoW() retval=0000c098 ret=004f4ed2
0023:Call user32.GetClassInfoW(00400000,0033ee8c L"TChatRichEdit",0033ee18) ret=004f5172
0023:Ret user32.GetClassInfoW() retval=0000c09b ret=004f5172
0023:Call user32.CreateWindowExW(00000000,0033ee8c L"TChatRichEdit",0048a85c L"",44210044,0000000c,0000000a,0000027e,00000025,0002014c,00000000,00400000,00000000) ret=0040eb98
...
0023:trace:richedit:ME_UpdateScrollBar min=0 max=4 page=636
0023:trace:richedit:ME_UpdateScrollBar min=0 max=16 page=37
...
0023:trace:richedit:ME_UpdateScrollBar min=0 max=4 page=609
0023:trace:richedit:ME_UpdateScrollBar min=0 max=16 page=27
...
0023:trace:richedit:RichEditWndProc_common exit hwnd 0x2014a msg 00b3 (EM_SETRECT) 0 33cf38, unicode 1 -> 0
0023:Ret window proc 0x7a48e304 (hwnd=0x2014a,msg=EM_SETRECT,wp=00000000,lp=0033cf38) retval=00000000
0023:Ret user32.CallWindowProcW() retval=00000000 ret=004f663d
0023:Ret window proc 0x380c61 (hwnd=0x2014a,msg=EM_SETRECT,wp=00000000,lp=0033cf38) retval=00000000
0023:Ret user32.SendMessageW() retval=00000000 ret=019b7d07
0023:trace:seh:raise_exception code=c0000005 flags=0 addr=0x8d90118 ip=08d90118 tid=0023
0023:trace:seh:raise_exception info[0]=00000008
0023:trace:seh:raise_exception info[1]=08d90118
0023:trace:seh:raise_exception eax=08d90128 ebx=07145180 ecx=00000000 edx=08d934e4 esi=0033cf18 edi=00000001
0023:trace:seh:raise_exception ebp=0033cf68 esp=0033cee4 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010206
0023:trace:seh:call_stack_handlers calling handler at 0x17ee6df code=c0000005 flags=0
0023:trace:seh:call_stack_handlers handler at 0x17ee6df returned 1
0023:trace:seh:call_stack_handlers calling handler at 0x4f5bf3 code=c0000005 flags=0
0023:trace:seh:call_stack_handlers handler at 0x4f5bf3 returned 1
0023:trace:seh:call_stack_handlers calling handler at 0x4f5c04 code=c0000005 flags=0
...
<double fault due to exception handling>
--- snip ---
The app creates and destroys RichEdit control(s) while holding explicit references via 'EM_GETOLEINTERFACE' and 'riched20.IRichEditOle_fnAddRef' to the COM object in between.
--- snip ---
017ED41D PUSH EAX
017ED41E PUSH 0
017ED420 PUSH 43C
017ED425 MOV EAX,EBX
017ED427 CALL Skype.004F9304
017ED42C PUSH EAX
017ED42D CALL Skype.0040E968                  ; JMP to OFFSET user32.SendMessageW
017ED432 CMP DWORD PTR DS:[EBX+324],0
017ED439 JNZ SHORT Skype.017ED447
017ED43B MOV EDX,Skype.017ED464               ; "EM_GETOLEINTERFACE for RichEditOle failed"
017ED440 MOV EAX,EBX
017ED442 CALL Skype.00522908
017ED447 MOV EAX,ESI
017ED449 MOV EDX,DWORD PTR DS:[EBX+324]
017ED44F CALL Skype.0040B4FC
017ED454 POP ESI
017ED455 POP EBX
017ED456 RETN
...
0040B4FC TEST EDX,EDX
0040B4FE JE SHORT Skype.0040B519
0040B500 PUSH EDX
0040B501 PUSH EAX
0040B502 MOV EAX,DWORD PTR DS:[EDX]
0040B504 PUSH EDX
0040B505 CALL DWORD PTR DS:[EAX+4]            ; riched20.IRichEditOle_fnAddRef
0040B508 POP EAX
0040B509 MOV ECX,DWORD PTR DS:[EAX]
0040B50B POP DWORD PTR DS:[EAX]
0040B50D TEST ECX,ECX
0040B50F JNZ SHORT Skype.0040B512
0040B511 RETN
...
--- snip ---
Wine frees everything in 'DestroyIRichEditOle', regardless of (external) reference count.
--- snip ---
Wine-dbg>bt
Backtrace:
=>0 0x7a0f9080 DestroyIRichEditOle+0x20(iface=0x179134e4) [/home/focht/projects/wine/wine.repo/src/dlls/riched20/richole.c:2373] in riched20 (0x0033e918)
1 0x7a0e08a5 ME_DestroyEditor+0x131(editor=0x179128e8) [/home/focht/projects/wine/wine.repo/src/dlls/riched20/editor.c:2892] in riched20 (0x0033e958)
2 0x7a0e4841 ME_HandleMessage+0x3a60(editor=0x179128e8, msg=0x2, wParam=0, lParam=0, unicode=0x1, phresult=0x33ef50) [/home/focht/projects/wine/wine.repo/src/dlls/riched20/editor.c:4111] in riched20 (0x0033eeb8)
3 0x7a0e6249 RichEditWndProc_common+0x58c(hWnd=0x10136, msg=0x2, wParam=0, lParam=0, unicode=0x1) [/home/focht/projects/wine/wine.repo/src/dlls/riched20/editor.c:4679] in riched20 (0x0033ef98)
4 0x7a0e6354 RichEditWndProcW+0x4f(hWnd=0x10136, msg=0x2, wParam=0, lParam=0) [/home/focht/projects/wine/wine.repo/src/dlls/riched20/editor.c:4699] in riched20 (0x0033efd8)
5 0x7ea22f9a WINPROC_wrapper+0x19() in user32 (0x0033f008)
6 0x7ea2310f call_window_proc+0xcc(hwnd=0x10136, msg=0x2, wp=0, lp=0, result=0x33f078, arg=0x7a0e6304) [/home/focht/projects/wine/wine.repo/src/dlls/user32/winproc.c:245] in user32 (0x0033f048)
7 0x7ea25563 CallWindowProcW+0x69(func=0x7a0e6304, hwnd=0x10136, msg=0x2, wParam=0, lParam=0) [/home/focht/projects/wine/wine.repo/src/dlls/user32/winproc.c:982] in user32 (0x0033f08c)
8 0x004f663d in skype (+0xf663c) (0x0033f220)
9 0x004f653d in skype (+0xf653c) (0x0033f26c)
10 0x017eea5d in skype (+0x13eea5c) (0x0033f2a0)
11 0x00450312 in skype (+0x50311) (0x0033f2b8)
Wine-dbg>p *This
{IUnknown_inner={lpVtbl=0x7a124904}, IRichEditOle_iface={lpVtbl=0x7a124960}, ITextDocument_iface={lpVtbl=0x7a124ac0}, outer_unk=0x179134e0, ref=0x3, editor=0x179128e8, txtSel=0x17913510, clientSite=0x17913528, rangelist={next=0x17913500, prev=0x17913500}}
--- snip ---
Heap block view (another run):
--- snip ---
0EE734D8  00000028
0EE734DC  00455355   ; 'USE' magic
0EE734E0  7A2CF904   ; riched20.reo_unk_vtbl
0EE734E4  7A2CF960   ; riched20.revt
0EE734E8  7A2CFAC0   ; riched20.tdvt
0EE734EC  0EE734E0
0EE734F0  00000002   ; ref
0EE734F4  0EE728E8
0EE734F8  0EE73510
0EE734FC  0EE73528
0EE73500  0EE73500
0EE73504  0EE73500
--- snip ---
Heap block view upon crash:
--- snip ---
0EE734D8  0010CB19
0EE734DC  45455246   ; 'FREE' magic
0EE734E0  0EE70088
0EE734E4  0EE70128   ; *boom*
0EE734E8  7A2CFAC0   ; riched20.tdvt
0EE734EC  0EE734E0
0EE734F0  00000003   ; ref
0EE734F4  0EE728E8
0EE734F8  0EE73510
0EE734FC  0EE73528
0EE73500  0EE73500
0EE73504  0EE73500
--- snip ---
IRichEditOleImpl vtable pointers get partially overwritten on heap after block reuse, causing a crash later when the app tries to access them.
'winetricks -q riched20' works around it.

$ sha1sum SkypeSetup.msi
7b600669da6d47d9a89b2093fea845daa02c81a8  SkypeSetup.msi

$ du -sh SkypeSetup.msi
28M     SkypeSetup.msi

$ wine --version
wine-1.7.31
Regards
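The refcount-aware destruction the bug title asks for, modelled as an added example in C; this is not Wine's riched20 code and all names (ole_obj, ole_create, destroy_ole, scenario_external_ref_survives) are hypothetical. It reproduces the sequence from the trace above (EM_GETOLEINTERFACE, app AddRef, WM_DESTROY, app Release) and shows the object surviving the editor's destruction until the app's last Release.

```c
/* Added example, not Wine's code: a minimal model of the fix the bug title
 * asks for. The editor owns one reference to its IRichEditOle object, the app
 * may take more (EM_GETOLEINTERFACE + AddRef), and destroying the editor must
 * drop only its own reference. Names (ole_obj, destroy_ole) are hypothetical. */
#include <stdlib.h>
static int g_freed;                         /* real frees, for verification */
struct editor;
struct ole_obj { long ref; struct editor *editor; };  /* ref count, back-ptr */
struct editor  { struct ole_obj *ole; };    /* editor-owned reference or NULL */
static struct ole_obj *ole_create(struct editor *ed)
{
    struct ole_obj *o = calloc(1, sizeof(*o));
    if (!o) return NULL;
    o->ref = 1;                             /* the editor's own reference */
    o->editor = ed;
    ed->ole = o;
    return o;
}
static long ole_addref(struct ole_obj *o) { return ++o->ref; }
static long ole_release(struct ole_obj *o)
{
    long ref = --o->ref;
    if (ref == 0) { free(o); g_freed++; }   /* last holder gone: safe to free */
    return ref;
}
/* Hardened DestroyIRichEditOle: detach and release only the editor's ref. An
 * app still holding a reference keeps a valid object with editor == NULL, so
 * later calls can fail cleanly instead of reading a freed, reused block. */
static void destroy_ole(struct editor *ed)
{
    struct ole_obj *o = ed->ole;
    if (!o) return;
    ed->ole = NULL;
    o->editor = NULL;
    ole_release(o);
}
/* Scenario from the trace: app AddRefs, editor window is destroyed, app uses
 * and finally releases the interface. Returns 1 if the object survived the
 * destroy and was freed exactly once at the app's last Release. */
static int scenario_external_ref_survives(void)
{
    struct editor ed = { 0 };
    struct ole_obj *app_ref = ole_create(&ed);        /* EM_GETOLEINTERFACE */
    if (!app_ref) return 0;
    g_freed = 0;
    ole_addref(app_ref);                              /* app: AddRef, ref = 2 */
    destroy_ole(&ed);                                 /* WM_DESTROY path, ref = 1 */
    if (g_freed != 0 || app_ref->ref != 1 || app_ref->editor != NULL) return 0;
    return ole_release(app_ref) == 0 && g_freed == 1; /* app: Release frees it */
}
```

With the editor's reference the only one, destroy_ole frees the block immediately, so the common path is unchanged; only an app that kept its own reference, as Skype does here, sees the object outlive the window.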