https://bugs.winehq.org/show_bug.cgi?id=19505
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Multiple MDI-based          |Multiple MDI-based
                   |applications crash on       |applications crash on
                   |startup due to insertion of |startup due to insertion of
                   |system menu into MDI frame  |system menu into MDI frame
                   |menu (AMIS Daisy Book       |menu (AMIS Daisy Book
                   |Reader, EEP 5)              |Reader, EEP v5-v16 -
                   |                            |Eisenbahn.exe)
--- Comment #19 from Anastasius Focht focht@gmx.net ---
Hello folks,
revisiting, still present. I encountered this problem again while investigating a crash related to the DRM scheme of EEP 14.0 - Eisenbahn.exe (Basic-Version) with mainline Wine.
https://store.steampowered.com/app/722190/EEP_14/
It was 2,39 EUR on Steam = cheap enough for one debug session so I looked into it. This bug is a follow-up to the DRM problem.
Adjusting the summary accordingly. It's likely present even with latest EEP 16.
--- snip ---
$ pwd
/home/focht/wine-games/wineprefix64-steam/drive_c/Program Files (x86)/Steam

$ WINEDEBUG=+pid,+seh,+relay wine ./steam.exe \
  -no-cef-sandbox -applaunch 722190 >>log_ 2>&1
...
041c:0420:Call window proc 0000000008DEE6A0 (hwnd=00000000000202FA,msg=WM_GETTEXT,wp=00000100,lp=0021c910)
...
041c:0420:Call user32.DefMDIChildProcA(000202fa,0000000d,00000100,0021c910) ret=08f5f1b2
041c:0420:Ret user32.DefMDIChildProcA() retval=00000000 ret=08f5f1b2
041c:0420:Ret window proc 0000000008DEE6A0 (hwnd=00000000000202FA,msg=WM_GETTEXT,wp=00000100,lp=0021c910) retval=00000000
041c:0420:Ret user32.GetWindowTextA() retval=00000000 ret=08f83457
041c:0420:Call KERNEL32.lstrcmpA(0021c910 "",0021ca70 "") ret=08f83469
...
041c:0420:Ret KERNEL32.lstrcmpA() retval=00000000 ret=08f83469
041c:0420:Call user32.GetWindowRect(000102dc,0021ec70) ret=1401f7cb1
041c:0420:Ret user32.GetWindowRect() retval=00000001 ret=1401f7cb1
...
041c:0420:Call user32.GetMenu(000102dc) ret=08f74aa9
041c:0420:Ret user32.GetMenu() retval=00010250 ret=08f74aa9
...
041c:0420:Call user32.ModifyMenuA(00010250,00000000,00000400,00000000,140967100) ret=1401e9fe9
...
041c:0420:Call ntdll.strlen(140967100 "&File") ret=7b027564
041c:0420:Ret ntdll.strlen() retval=00000005 ret=7b027564
041c:0420:Ret user32.ModifyMenuA() retval=00000001 ret=1401e9fe9
...
041c:0420:Call user32.GetMenu(000102dc) ret=08f74aa9
041c:0420:Ret user32.GetMenu() retval=00010250 ret=08f74aa9
...
041c:0420:Call user32.ModifyMenuA(00010250,00000001,00000400,00000001,140967100) ret=1401ea02c
...
041c:0420:Call ntdll.strlen(140967100 "&Insert") ret=7b027564
041c:0420:Ret ntdll.strlen() retval=00000007 ret=7b027564
041c:0420:Ret user32.ModifyMenuA() retval=00000001 ret=1401ea02c
...
041c:0420:Call user32.GetMenu(000102dc) ret=08f74aa9
041c:0420:Ret user32.GetMenu() retval=00010250 ret=08f74aa9
...
041c:0420:Call user32.ModifyMenuA(00010250,00000002,00000400,00000002,140967100) ret=1401ea06f
...
041c:0420:Call ntdll.strlen(140967100 "&View") ret=7b027564
041c:0420:Ret ntdll.strlen() retval=00000005 ret=7b027564
041c:0420:Ret user32.ModifyMenuA() retval=00000001 ret=1401ea06f
...
041c:0420:Call user32.GetMenu(000102dc) ret=08f74aa9
041c:0420:Ret user32.GetMenu() retval=00010250 ret=08f74aa9
...
041c:0420:Call user32.GetSubMenu(00010250,00000002) ret=1401ea0b0
041c:0420:Ret user32.GetSubMenu() retval=00010254 ret=1401ea0b0
...
041c:0420:Call user32.ModifyMenuA(00010254,0000000a,00000400,00008fea,00dc51b8) ret=1401ea0e6
...
041c:0420:Call ntdll.strlen(00dc51b8 "View 2D window") ret=7b027564
041c:0420:Ret ntdll.strlen() retval=0000000e ret=7b027564
041c:0420:Ret user32.ModifyMenuA() retval=00000000 ret=1401ea0e6
041c:0420:Call user32.GetMenu(000102dc) ret=08f74aa9
041c:0420:Ret user32.GetMenu() retval=00010250 ret=08f74aa9
...
041c:0420:Call user32.GetSubMenu(00010250,00000002) ret=1401ea102
041c:0420:Ret user32.GetSubMenu() retval=00010254 ret=1401ea102
...
041c:0420:Call user32.GetSubMenu(00010254,0000000a) ret=1401ea119
041c:0420:Ret user32.GetSubMenu() retval=00000000 ret=1401ea119
...
041c:0420:Call ucrtbase.memcmp(00e9d670,140658f88,0000000d) ret=14023d977
041c:0420:Ret ucrtbase.memcmp() retval=00000000 ret=14023d977
041c:0420:Call ucrtbase.memcmp(00e9e8f0,140659118,0000000b) ret=14023da77
041c:0420:Ret ucrtbase.memcmp() retval=00000000 ret=14023da77
041c:0420:trace:seh:dispatch_exception code=c0000005 flags=0 addr=00000001401EA14A ip=00000001401EA14A tid=0420
041c:0420:trace:seh:dispatch_exception info[0]=0000000000000000
041c:0420:trace:seh:dispatch_exception info[1]=0000000000000008
041c:0420:warn:seh:dispatch_exception EXCEPTION_ACCESS_VIOLATION exception (code=c0000005) raised
041c:0420:trace:seh:dispatch_exception rax=0000000040967100 rbx=000000004082fc80 rcx=0000000000000000 rdx=0000000000000000
041c:0420:trace:seh:dispatch_exception rsi=000000004082fc80 rdi=0000000000000000 rbp=0000000040000000 rsp=000000000021cec0
041c:0420:trace:seh:dispatch_exception r8=0000000000000400 r9=0000000000000000 r10=000000000021c8c5 r11=0000000000000000
041c:0420:trace:seh:dispatch_exception r12=000000000cdcacf0 r13=00000000ffffffff r14=0000000000000000 r15=0000000000000001
041c:0420:trace:seh:call_vectored_handlers calling handler at 000000007B011FE0 code=c0000005 flags=0
041c:0420:trace:seh:call_vectored_handlers handler at 000000007B011FE0 returned 0
...
041c:0420:trace:seh:call_handler calling handler 00000001405C1FE7 (rec=00000000001245A0, frame=000000000021FD70 context=0000000000123B90, dispatch=0000000000123A58)
041c:0420:Call ntdll.__C_specific_handler(001245a0,0021fd70,001240b0,00123a58) ret=7bc52686
041c:0420:trace:seh:__C_specific_handler 00000000001245A0 000000000021FD70 00000000001240B0 0000000000123A58
041c:0420:trace:seh:dump_scope_table scope table at 0000000140798550
041c:0420:trace:seh:dump_scope_table 0: 00000001405193C8-00000001405194D0 handler 0000000140600986 target 00000001405194D0
041c:0420:trace:seh:dump_scope_table 1: 00000001405194FF-0000000140519511 handler 0000000140600986 target 00000001405194D0
041c:0420:trace:seh:__C_specific_handler calling filter 0000000140600986 ptrs 0000000000123938 frame 000000000021FD70
041c:0420:Call ucrtbase._seh_filter_exe(c0000005,00123938) ret=14060099c
041c:0420:trace:seh:_XcptFilter (c0000005,0000000000123938)
041c:0420:Ret ucrtbase._seh_filter_exe() retval=00000000 ret=14060099c
041c:0420:Ret ntdll.__C_specific_handler() retval=00000001 ret=7bc52686
041c:0420:trace:seh:call_handler handler at 00000001405C1FE7 returned 1
041c:0420:trace:seh:RtlVirtualUnwind type 1 rip 000000007B62A009 rsp 000000000021FDB0
...
041c:0420:err:virtual:virtual_setup_exception stack overflow 2000 bytes in thread 0420 addr 0x7bc521fd stack 0x120830 (0x120000-0x121000-0x220000)
0420: *killed* exit_code=0
--- snip ---
The 64-bit versions of the game will end up with stack overflow during unwinding. The old 32-bit versions of the game trigger the crash reporter.
Most likely related:
https://github.com/ValveSoftware/Proton/issues/3031
As already mentioned, there is a preceding crash with mainline Wine in the DRM scheme of EEP, related to the process memory organization. It's not encountered with Wine-Staging and derivative projects (Proton et al). I will probably create an extra bug later instead of commenting in messed up threads. On the other hand there is Janrupf (from the Proton issue) trying out x64dbg after getting a helping hand of mine on IRC. Maybe I wait a bit to not spoil the fun/challenge for him - it's not that hard to figure out ;-)
$ wine --version
wine-6.2
Regards
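
One way to triage a `+pid,+seh,+relay` trace like the one in this comment, as an added example (not part of the original comment or of Wine): it pairs Call/Ret lines per thread and lists watched user32 calls that returned 0 on the faulting thread before the first dispatched exception. The function name, the watched set and the embedded sample (lines copied from the trace above) are assumptions of this example.

```python
import re

# Constructed sample: lines copied from the trace quoted in the comment above.
SAMPLE = """\
041c:0420:Call user32.ModifyMenuA(00010254,0000000a,00000400,00008fea,00dc51b8) ret=1401ea0e6
041c:0420:Call ntdll.strlen(00dc51b8 "View 2D window") ret=7b027564
041c:0420:Ret ntdll.strlen() retval=0000000e ret=7b027564
041c:0420:Ret user32.ModifyMenuA() retval=00000000 ret=1401ea0e6
041c:0420:Call user32.GetSubMenu(00010254,0000000a) ret=1401ea119
041c:0420:Ret user32.GetSubMenu() retval=00000000 ret=1401ea119
041c:0420:trace:seh:dispatch_exception code=c0000005 flags=0 addr=00000001401EA14A ip=00000001401EA14A tid=0420
"""

CALL = re.compile(r'^(\w+):(\w+):Call (\w+\.\w+)\((.*)\) ret=(\w+)$')
RET = re.compile(r'^(\w+):(\w+):Ret\s+(\w+\.\w+)\(\) retval=(\w+) ret=(\w+)$')
EXC = re.compile(r'^(\w+):(\w+):trace:seh:dispatch_exception code=(\w+) flags=\w+ addr=(\w+)')

# Assumption of this example: user32 calls where a zero return means failure/NULL.
WATCHED = {"user32.ModifyMenuA", "user32.GetSubMenu", "user32.GetMenu"}

def zero_returns_before_fault(log, watched=WATCHED):
    """Pair Call/Ret per thread; report watched calls that returned 0
    on the faulting thread before the first dispatched exception."""
    stacks, failed = {}, []
    for line in log.splitlines():
        if m := CALL.match(line):
            pid, tid, name, args, ret = m.groups()
            stacks.setdefault((pid, tid), []).append((name, args, ret))
        elif m := RET.match(line):
            pid, tid, name, retval, ret = m.groups()
            stack = stacks.get((pid, tid), [])
            # Elided "..." lines can drop a Ret, so search down for the Call.
            for i in range(len(stack) - 1, -1, -1):
                if stack[i][0] == name and stack[i][2] == ret:
                    if name in watched and int(retval, 16) == 0:
                        failed.append(((pid, tid), name, stack[i][1], ret))
                    del stack[i:]
                    break
        elif m := EXC.match(line):
            pid, tid, code, addr = m.groups()
            hits = [f[1:] for f in failed if f[0] == (pid, tid)]
            return {"thread": f"{pid}:{tid}", "code": code,
                    "addr": addr.lower(), "failed": hits}
    return None  # no exception in the log

if __name__ == "__main__":
    print(zero_returns_before_fault(SAMPLE))
```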