http://bugs.winehq.org/show_bug.cgi?id=35273
Anastasius Focht focht@gmx.net changed:
What                |Removed                     |Added
----------------------------------------------------------------------------
Status              |UNCONFIRMED                 |NEW
CC                  |                            |focht@gmx.net
Component           |-unknown                    |quartz
Summary             |PotPlayer Crashes When      |PotPlayer 1.5.x crashes
                    |Loading Video File          |when loading video file
                    |                            |(FilterGraph_create
                    |                            |releases/destroys
                    |                            |controlling IUnknown)
Ever confirmed      |0                           |1

--- Comment #3 from Anastasius Focht focht@gmx.net ---

Hello folks,
confirming.
Workaround: 'winetricks -q quartz'
Relevant part of trace log:
NOTE: There is lots of interleaving heap activity from multiple threads, filtered out for the important thread.
--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files/Daum/PotPlayer

$ WINEDEBUG=+tid,+seh,+relay,+heap,+quartz,+olemalloc wine ./PotPlayerMini.exe > log.txt 2>&1
...
0039:Call ntdll.RtlAllocateHeap(00747000,00000000,00000128) ret=105c89ac
0039:trace:heap:RtlAllocateHeap (0x747000,70000062,00000128): returning 0x1378940
0039:Ret ntdll.RtlAllocateHeap() retval=01378940 ret=105c89ac
...
0039:Call ole32.CoCreateInstance(107dbfdc,01378940,00000017,1075cb90,01378974) ret=1033fd30
...
0039:trace:quartz:DSCF_CreateInstance (0x5718638)->(0x1378940,{00000000-0000-0000-c000-000000000046},0x1378974)
0039:trace:quartz:FilterGraph_create (0x1378940,0xf4e3dc)
...
0039:Call ole32.CoCreateInstance(f5a7620c,01378940,00000001,f5a7af88,001ed340) ret=1033fd30
...
0039:trace:quartz:DSCF_CreateInstance (0x20c020)->(0x1378940,{00000000-0000-0000-c000-000000000046},0x1ed340)
0039:trace:quartz:FilterMapper2_create (0x1378940, 0xf4e1ec)
...
0039:trace:quartz:Inner_QueryInterface (0x20e7b8)->({b79bb0b0-33c1-11d1-abe1-00a0c905f375}, 0x1ed344)
0039:Call KERNEL32.InterlockedIncrement(01378948) ret=1058c08f
0039:Ret KERNEL32.InterlockedIncrement() retval=00000001 ret=1058c08f
0039:Call KERNEL32.InterlockedDecrement(01378948) ret=1058c0b0
0039:Ret KERNEL32.InterlockedDecrement() retval=00000000 ret=1058c0b0
0039:Call ntdll.RtlDeleteCriticalSection(01378a1c) ret=102f9951
0039:trace:heap:RtlFreeHeap (0x110000,70000062,0x5686770): returning TRUE
0039:Ret ntdll.RtlDeleteCriticalSection() retval=00000000 ret=102f9951
0039:Call ntdll.RtlDeleteCriticalSection(0137895c) ret=102f9a0d
0039:trace:heap:RtlFreeHeap (0x110000,70000062,0x56efe80): returning TRUE
0039:Ret ntdll.RtlDeleteCriticalSection() retval=00000000 ret=102f9a0d
0039:Call KERNEL32.InterlockedDecrement(10c1e928) ret=1058bedb
0039:Ret KERNEL32.InterlockedDecrement() retval=00000004 ret=1058bedb
0039:Call ntdll.RtlFreeHeap(00747000,00000000,01378940) ret=105c839e
0039:trace:heap:RtlFreeHeap (0x747000,70000062,0x1378940): returning TRUE
0039:Ret ntdll.RtlFreeHeap() retval=00000001 ret=105c839e
...
0039:Ret ole32.CoCreateInstance() retval=00000000 ret=1033fd30
0039:Call ntdll.RtlAllocateHeap(00747000,00000000,0000005e) ret=105c89ac
0039:err:heap:HEAP_ValidateInUseArena Heap 0x747000: free block 0x1378940 overwritten at 0x1378940 by 107afa00
...
<crash>
--- snip ---
The problem seems to be the release of the controlling IUnknown in FilterGraph_create() -> memory block: 0x1378940
After returning from CoCreateInstance() sequences to app code, the memory block is initialized with some vtable and other data members. The value 0x107afa00 looks like some function offset to 'addref' located in 'potplayer.dll' (references InterlockedIncrement() somewhere in code). Similar with offsets following ... 0x107afa04 = 'release' like function with InterlockedDecrement(), indicating IUnknown.
Source: http://source.winehq.org/git/wine.git/blob/bacd9abbc0bb53993b4ee9b370bf33548...
Line 5685
--- snip ---
5615 /* This is the only function that actually creates a FilterGraph class... */
5616 HRESULT FilterGraph_create(IUnknown *pUnkOuter, LPVOID *ppObj)
5617 {
5618     IFilterGraphImpl *fimpl;
5619     HRESULT hr;
5620 
5621     TRACE("(%p,%p)\n", pUnkOuter, ppObj);
5622 
5623     *ppObj = NULL;
5624 
5625     fimpl = CoTaskMemAlloc(sizeof(*fimpl));
...
5675     /* create Filtermapper aggregated. */
5676     hr = CoCreateInstance(&CLSID_FilterMapper2, fimpl->outer_unk, CLSCTX_INPROC_SERVER, &IID_IUnknown,
5677             (void**)&fimpl->punkFilterMapper2);
5678 
5679     if (SUCCEEDED(hr))
5680         hr = IUnknown_QueryInterface(fimpl->punkFilterMapper2, &IID_IFilterMapper2,
5681                 (void**)&fimpl->pFilterMapper2);
5682 
5683     if (SUCCEEDED(hr))
5684         /* Release controlling IUnknown - compensate refcount increase from caching IFilterMapper2 interface. */
5685         IUnknown_Release(fimpl->outer_unk);
...
5698     *ppObj = &fimpl->IUnknown_inner;
5699     return S_OK;
5700 }
--- snip ---
Tidbit: the app hooks various win32 API (including ole), though that doesn't seem to cause harm.
Example: 'CoCreateInstance'
--- snip ---
7ECD7AFC  E9 7F7F6691    JMP 1033FA80
7ECD7B01  E4 F0          IN AL,0F0
7ECD7B03  FF71 FC        PUSH DWORD PTR DS:[ECX-4]
7ECD7B06  55             PUSH EBP
--- snip ---

$ sha1sum PotPlayer1.5.40688.EXE
e9f1295ff03634c61db2964f87988c7e0ff0481d  PotPlayer1.5.40688.EXE

$ du -sh PotPlayer1.5.40688.EXE
16M     PotPlayer1.5.40688.EXE

$ wine --version
wine-1.7.9-209-gb231b4b
Regards
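The refcount sequence in the trace above (InterlockedIncrement on the outer returning 1, InterlockedDecrement returning 0, then RtlFreeHeap of the same block 0x1378940, followed by the app writing a vtable into the freed block) is the generic COM aggregation hazard: an inner object's construction helper does a balanced AddRef/Release on the controlling IUnknown while that object's own refcount is still 0. The following is an added C example, not Wine or PotPlayer code, that models this with a toy outer/inner pair (`Outer`, `Inner`, `aggregate_and_cache` and the global `g_outer_destroyed` flag are all constructed for the example). `construct_unprotected` reproduces the premature destruction; `construct_protected` shows the usual mitigation, a stabilising reference held by the creator for the duration of construction (the idea behind ATL's DECLARE_PROTECT_FINAL_CONSTRUCT), so the compensating Release can never drive the count to zero.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy model of COM aggregation, constructed for this example (not Wine or
 * PotPlayer code). The outer (controlling) object owns an aggregated inner
 * object whose delegating interfaces forward AddRef/Release to the outer. */

typedef struct Inner Inner;

typedef struct Outer {
    long   refcount;   /* 0 while the object is still being constructed */
    Inner *inner;
} Outer;

struct Inner {
    Outer *outer;      /* controlling IUnknown, held without a reference */
};

/* Set when the outer destroys itself, so callers can check the outcome
 * without touching memory that has already been freed. */
static int g_outer_destroyed;

static long outer_addref(Outer *o)
{
    return ++o->refcount;
}

static long outer_release(Outer *o)
{
    long r = --o->refcount;
    if (r == 0) {
        /* Destruction: free inner and outer. Any later write through a stale
         * pointer to 'o' is a use-after-free, which is what the
         * "free block ... overwritten" heap error in the trace reports. */
        g_outer_destroyed = 1;
        free(o->inner);
        free(o);
    }
    return r;
}

/* Construction helper in the role of FilterGraph_create: it aggregates an
 * inner object and caches one of its delegating interfaces. Querying that
 * interface AddRefs the outer, so the documented compensation is a single
 * Release of the outer. Returns 0 on success, -1 if the outer was destroyed. */
static int aggregate_and_cache(Outer *outer)
{
    Inner *in = calloc(1, sizeof(*in));
    if (!in)
        return -1;
    in->outer = outer;
    outer->inner = in;

    outer_addref(outer);     /* AddRef from caching the delegating interface */
    outer_release(outer);    /* compensating Release (cf. line 5685 in the snippet) */
    return g_outer_destroyed ? -1 : 0;
}

/* Case 1: construction starts with the outer's refcount at 0. The compensating
 * Release takes the count to 0 and the object destroys itself while it is
 * still being built. Returns 1 when that happens, 0 on a clean lifecycle. */
int construct_unprotected(void)
{
    Outer *o = calloc(1, sizeof(*o));
    if (!o)
        return -1;
    g_outer_destroyed = 0;
    if (aggregate_and_cache(o) < 0)
        return 1;            /* 'o' is already freed and must not be touched */
    outer_addref(o);         /* reference handed to the caller */
    outer_release(o);        /* caller done: normal teardown */
    return 0;
}

/* Case 2: the creator holds a stabilising reference for the duration of
 * construction, so a balanced AddRef/Release pair inside construction can
 * never reach zero. Returns the refcount the caller observes after
 * construction (1), or -1 if the outer was destroyed prematurely. */
int construct_protected(void)
{
    long seen;
    Outer *o = calloc(1, sizeof(*o));
    if (!o)
        return -1;
    g_outer_destroyed = 0;
    outer_addref(o);         /* stabiliser: count = 1 during construction */
    if (aggregate_and_cache(o) < 0)
        return -1;
    outer_addref(o);         /* reference handed to the caller: count = 2 */
    outer_release(o);        /* drop the stabiliser: count = 1 */
    seen = o->refcount;
    outer_release(o);        /* caller releases: count = 0, clean teardown */
    return (int)seen;
}

int main(void)
{
    printf("unprotected construction destroyed outer early: %d\n", construct_unprotected());
    printf("protected construction, refcount seen by caller: %d\n", construct_protected());
    return 0;
}
```

The model deliberately frees the block on destruction rather than writing into it afterwards, so it reports the hazard through `g_outer_destroyed` instead of corrupting the heap; under a heap checker the unprotected case is exactly the "free block overwritten" condition the Wine trace flags.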