https://bugs.winehq.org/show_bug.cgi?id=33031
Anastasius Focht focht@gmx.net changed:
What |Removed |Added
URL  |https://www.microsoft.com/en-us/download/details.aspx?id=11800 |https://web.archive.org/web/20120503053053/https://download.microsoft.com/download/4/A/2/4A25C7D5-EFBE-4182-B6A9-AE6850409A78/GRMWDK_EN_7600_1.ISO
--- Comment #6 from Anastasius Focht focht@gmx.net ---
Hello folks,
the crash disappeared with https://source.winehq.org/git/wine.git/commitdiff/cf9f185901f5f0718e6e59e3ad... ("kernel32: GMEM_FIXED blocks cannot be 0 size.") -> wine-1.9.18-101-gcf9f185901f but that's just by pure chance due to stack usage.
The original problem is still present.
Running with +relay or under a debugger still results in the same crash - even with most recent Wine.
Prerequisite without running the full installer: 'winetricks -q mfc42'
--- snip ---
Unhandled exception: page fault on read access to 0x00000084 in 32-bit code (0x0100228d).
Register dump:
 CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b
 EIP:0100228d ESP:0021f714 EBP:0021f750 EFLAGS:00010206( R- -- I - -P- )
 EAX:00010058 EBX:00275668 ECX:00000060 EDX:0021f73c
 ESI:01001408 EDI:0021f74c
Stack dump:
0x0021f714: 00275668 00010058 fffffffc 00000000
0x0021f724: 0021f73c 00000001 0021fc48 0021fc48
0x0021f734: 01002346 00010058 608d3df8 4aa78128
0x0021f744: 5ef528a4 91722649 2f2db8aa 0021f7d8
0x0021f754: 0100236b 00275668 00010058 00000000
0x0021f764: 5f801c9c 0021fc48 0021fc48 0026cb48
Backtrace:
=>0 0x0100228d EntryPoint+0xffffffff() in eula (0x0021f750)
  1 0x0100236b EntryPoint+0xffffffff() in eula (0x0021f7d8)
  2 0x5f8019d1 EntryPoint+0xffffffff() in mfc42u (0x0021f7f8)
  3 0x5f80195a EntryPoint+0xffffffff() in mfc42u (0x0021f858)
  4 0x5f8018e2 EntryPoint+0xffffffff() in mfc42u (0x0021f874)
  5 0x5f8018a1 EntryPoint+0xffffffff() in mfc42u (0x0021f8a0)
  6 0x004b378c make_rect_onscreen+0xab() in user32 (0x0021f8d0)
--- snip ---
Although I already analyzed the problem seven years ago, I'm adding the application disassembly for further proof.
CoInitialize() via RichEdit control on main thread:
--- snip ---
0021F4A4 008E3449 009BB750 44  combase._CoInitializeEx@8
0021F4E8 7AC067E8 008E3449 20  ole32.OleInitialize+39
0021F508 7AC2ADA4 7AC067E8 30  riched20.ME_MakeEditor+538
0021F538 7AC28ED0 7AC2ADA4 9C  riched20.create_text_services+94
0021F5D4 7AC29EC5 7AC28ED0 20  riched20.RichEditWndProc_common+1D0
0021F5F4 004B378C 7AC29EC5 30  riched20.RichEditWndProcW+35
0021F624 004B44A1 004B378C 28  user32._WINPROC_wrapper+1C
0021F64C 004B4678 004B44A1 38  user32.call_window_proc+71
0021F684 0047FB10 004B4678 58  user32.WINPROC_call_window+178
0021F6DC 0047A407 0047FB10 50  user32.call_window_proc+60
0021F72C 0047A632 0047A407 40  user32.send_message+E7
0021F76C 004A7E4B 0047A632 140 user32.SendMessageW+52
0021F8AC 004A905C 004A7E4B 4C  user32.WIN_CreateWindowEx+172B
0021F8F8 00450E84 004A905C 2AC user32.CreateWindowExW+6C
0021FBA4 0044FF8E 00450E84 1C  user32.DIALOG_CreateIndirect+EB4
0021FBC0 5F817B05 0044FF8E 68  user32.CreateDialogIndirectParamW+1E
0021FC28 5F80E5A2 5F817B05 44  mfc42u.5F817B05
0021FC6C 0100213D 5F80E5A2 244 mfc42u.5F80E5A2
0021FEB0 5F812566 0100213D A4  eula.0100213D
0021FF54 7B624920 5F812566 18  mfc42u.5F812566
0021FF6C 7BC48997 7B624920 C   kernel32.@BaseThreadInitThunk@12+10
0021FF78 7BC48AF7 7BC48997 78  ntdll._call_thread_func_wrapper+17
0021FFF0 00000000 7BC48AF7     ntdll.call_thread_func+87
--- snip ---
Explicit CoInitialize() from app code on main thread:
--- snip ---
008CC7A0 009BB750 10  combase._CoInitializeEx@8
01002ABB 008CC7A0 74  ole32.CoInitialize+10
5F8055B2 01002ABB 34  eula.01002ABB
004B53A4 5F8055B2 2C  mfc42u.5F8055B2
004B54B5 004B53A4 28  user32.call_dialog_proc+74
0044DCAA 004B54B5 28  user32.WINPROC_CallDlgProcW+A5
004B378C 0044DCAA 30  user32.DefDlgProcW+EA
004B44A1 004B378C 28  user32._WINPROC_wrapper+1C
004B5266 004B44A1 30  user32.call_window_proc+71
012F7CAF 004B5266 28  user32.CallWindowProcW+86
012F6697 012F7CAF 74  comctl32.THEMING_CallOriginalClass+2F
012F7D8A 012F6697 28  comctl32.THEMING_DialogSubclassProc+1A7
004B378C 012F7D8A 30  comctl32.subclass_proc0+8A
004B44A1 004B378C 28  user32._WINPROC_wrapper+1C
004B5266 004B44A1 30  user32.call_window_proc+71
5F801D93 004B5266 20  user32.CallWindowProcW+86
5F801DBD 5F801D93 A0  mfc42u.5F801D93
5F8019D1 5F801DBD 20  mfc42u.5F801DBD
5F80195A 5F8019D1 60  mfc42u.5F8019D1
5F8018E2 5F80195A 1C  mfc42u.5F80195A
5F8018A1 5F8018E2 2C  mfc42u.5F8018E2
004B378C 5F8018A1 30  mfc42u.5F8018A1
004B44A1 004B378C 28  user32._WINPROC_wrapper+1C
004B4678 004B44A1 38  user32.call_window_proc+71
0047FB10 004B4678 58  user32.WINPROC_call_window+178
0047A407 0047FB10 50  user32.call_window_proc+60
0047A632 0047A407 40  user32.send_message+E7
0045110C 0047A632 28C user32.SendMessageW+52
0044FF8E 0045110C 1C  user32.DIALOG_CreateIndirect+113C
5F817B05 0044FF8E 68  user32.CreateDialogIndirectParamW+1E
5F80E5A2 5F817B05 44  mfc42u.5F817B05
0100213D 5F80E5A2 244 mfc42u.5F80E5A2
5F812566 0100213D A4  eula.0100213D
7B624920 5F812566 18  mfc42u.5F812566
7BC48997 7B624920 C   kernel32.@BaseThreadInitThunk@12+10
7BC48AF7 7BC48997 78  ntdll._call_thread_func_wrapper+17
00000000 7BC48AF7     ntdll.call_thread_func+87
--- snip ---
--- snip ---
01002A9F | push 4C                                  |
01002AA1 | mov eax,eula.10042A4                     |
01002AA6 | call eula.100352D                        |
01002AAB | mov esi,ecx                              |
01002AAD | call <JMP.&Ordinal#4704>                 |
01002AB2 | xor ebx,ebx                              |
01002AB4 | push ebx                                 |
01002AB5 | call dword ptr ds:[&_CoInitialize@4]     |
01002ABB | push 1                                   |
01002ABD | push dword ptr ds:[esi+60]               |
01002AC0 | mov ecx,esi                              |
01002AC2 | mov dword ptr ds:[esi+F0],eax            | HRESULT = S_FALSE
01002AC8 | mov byte ptr ds:[esi+E8],bl              |
01002ACE | call eula.10024DD                        |
--- snip ---
on stack (0x21FC80):
esi=0021FC80
dword ptr ds:[esi+F0]=[0021FD70]=2B002B (will become 1)
ebx=0021FC80
dword ptr ds:[ebx+EC]=[0021FD6C]=1 (will remain uninitialized)
App code that checks the COM apartment init status to initialize more COM controls during dialog init:
--- snip ---
01002771 | mov edi,edi                              |
01002773 | push ebx                                 |
01002774 | push esi                                 |
01002775 | push edi                                 |
01002776 | mov ebx,ecx                              |
01002778 | xor edi,edi                              |
0100277A | cmp dword ptr ds:[ebx+F0],edi            | only S_OK is expected
01002780 | jne eula.1002A49                         |
01002786 | lea esi,dword ptr ds:[ebx+EC]            | code path skipped!
0100278C | push esi                                 |
0100278D | push eula.10019FC                        |
01002792 | push 15                                  |
01002794 | push edi                                 |
01002795 | push eula.1001A0C                        |
0100279A | mov dword ptr ds:[esi],edi               |
0100279C | call dword ptr ds:[&_CoCreateInstance@20] |
010027A2 | test eax,eax                             |
010027A4 | jne eula.1002A49                         |
...
01002A3E | movsd                                    |
01002A3F | movsd                                    |
01002A40 | movsd                                    |
01002A41 | mov ecx,ebx                              |
01002A43 | movsd                                    |
01002A44 | call eula.10023F7                        |
01002A49 | pop edi                                  |
01002A4A | pop esi                                  |
01002A4B | pop ebx                                  |
01002A4C | ret                                      |
--- snip ---
Teardown code:
--- snip ---
01002346 | mov edi,edi                              |
01002348 | push esi                                 |
01002349 | mov esi,ecx                              |
0100234B | cmp dword ptr ds:[esi+F0],0              | S_OK -> skip
01002352 | je eula.10023EA                          |
01002358 | mov eax,dword ptr ds:[esi+EC]            | access of uninit var!
0100235E | test eax,eax                             |
01002360 | je eula.10023DD                          |
01002362 | push dword ptr ds:[esi+20]               |
01002365 | push eax                                 |
01002366 | call eula.1002255                        | *boom* (within sub)
0100236B | push dword ptr ds:[esi+88]               |
01002371 | push dword ptr ds:[esi+EC]               |
01002377 | call eula.1002255                        |
0100237C | push dword ptr ds:[esi+C8]               |
01002382 | push dword ptr ds:[esi+EC]               |
01002388 | call eula.1002255                        |
0100238D | push dword ptr ds:[esi+114]              |
01002393 | push dword ptr ds:[esi+EC]               |
01002399 | call eula.1002255                        |
0100239E | push dword ptr ds:[esi+154]              |
010023A4 | push dword ptr ds:[esi+EC]               |
010023AA | call eula.1002255                        |
010023AF | push dword ptr ds:[esi+194]              |
010023B5 | push dword ptr ds:[esi+EC]               |
010023BB | call eula.1002255                        |
010023C0 | push dword ptr ds:[esi+1D4]              |
010023C6 | push dword ptr ds:[esi+EC]               |
010023CC | call eula.1002255                        |
010023D1 | mov eax,dword ptr ds:[esi+EC]            |
010023D7 | mov ecx,dword ptr ds:[eax]               |
010023D9 | push eax                                 |
010023DA | call dword ptr ds:[ecx+8]                |
010023DD | call dword ptr ds:[&_CoUninitialize@0]   |
010023E3 | and dword ptr ds:[esi+EC],0              |
010023EA | mov ecx,esi                              |
010023EC | pop esi                                  |
010023ED | jmp <JMP.&Ordinal#6451>                  |
--- snip ---
$ wine --version
wine-6.8-77-g0a50674c6aa
Regards
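To make the failure mode in the comment above concrete, here is an added C model of the two code paths (example code, not from the installer, MFC or Wine): a stand-in CoInitialize that follows the documented S_OK/S_FALSE contract, a dialog init that only creates its control when the result equals S_OK, and a teardown that then reaches the never-written pointer; flipping `strict_check` to 0 shows the SUCCEEDED() check that accepts an already-initialized apartment. The stubs, struct and outcome names, and the 0x2B fill pattern are constructed for this example, and the teardown is simplified to release-then-CoUninitialize.

```c
#include <stdint.h>
#include <string.h>

typedef int32_t HRESULT;
#define S_OK    ((HRESULT)0)
#define S_FALSE ((HRESULT)1)
#define SUCCEEDED(hr) (((HRESULT)(hr)) >= 0)
/* Constructed stand-in for the thread's COM apartment (not ole32): the
 * documented contract is S_OK on the first CoInitialize and S_FALSE when
 * the apartment already exists, here because RichEdit initialized it. */
static int apartment_refs;
static HRESULT stub_CoInitialize(void) { return apartment_refs++ ? S_FALSE : S_OK; }
static void stub_CoUninitialize(void) { if (apartment_refs) apartment_refs--; }
static int g_control;                          /* stands in for the created COM object */
static void *stub_CoCreateInstance(void) { return &g_control; }
struct dialog {                                /* the two members seen in the disassembly */
    void *control;                             /* [esi+EC]: written only on the S_OK path */
    HRESULT coinit_hr;                         /* [esi+F0]: raw HRESULT from CoInitialize */
};
enum outcome { TEARDOWN_OK = 0, GARBAGE_DEREF = -1 };

/* strict != 0 reproduces the app's "only S_OK is expected" comparison;
 * strict == 0 is the usual fix: any success code means the apartment is usable. */
static void dialog_init(struct dialog *d, int strict)
{
    d->coinit_hr = stub_CoInitialize();
    int ok = strict ? (d->coinit_hr == S_OK) : SUCCEEDED(d->coinit_hr);
    if (ok)
        d->control = stub_CoCreateInstance();   /* skipped on S_FALSE in strict mode */
}

/* Simplified teardown: release the control if non-NULL, then CoUninitialize.
 * Instead of faulting on a stale pointer, report it as GARBAGE_DEREF. */
static enum outcome dialog_teardown(struct dialog *d)
{
    if (d->control && d->control != &g_control)
        return GARBAGE_DEREF;                   /* the "access of uninit var!" above */
    stub_CoUninitialize();
    return TEARDOWN_OK;
}

enum outcome run_scenario(int richedit_inits_com_first, int strict_check)
{
    struct dialog d;
    apartment_refs = 0;
    memset(&d, 0x2B, sizeof d);                 /* constructed stack garbage, cf. 0x2B002B */
    if (richedit_inits_com_first) stub_CoInitialize();
    dialog_init(&d, strict_check);
    return dialog_teardown(&d);
}
```

Only the combination "RichEdit already initialized COM" plus "result must equal S_OK" reaches the garbage pointer; the same dialog with SUCCEEDED() tears down cleanly.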