https://bugs.winehq.org/show_bug.cgi?id=18985
--- Comment #30 from Damjan Jovanovic damjan.jov@gmail.com ---
The stack trace is lost by the call to SEH handlers. By setting a breakpoint on the first SEH handler, a better stack trace can be obtained:
=>0 0x0081f9fe in htmlkit (+0x41f9fe) (0x0031a634)
  1 0x628e33eb EXC_CallHandler+0x1a() in ntdll (0x0031a654)
  2 0x628e946e call_stack_handlers+0x10d(rec=0x31aaf4, context=0x31a828) [Z:\home\user\Wine\wine\dlls\ntdll\signal_i386.c:662] in ntdll (0x0031a6d0)
  3 0x628e6c9d raise_exception+0x41c(rec=0x31aaf4, context=0x31a828, first_chance=0x1) [Z:\home\user\Wine\wine\dlls\ntdll\signal_i386.c:736] in ntdll (0x0031a7d8)
  4 0x628e858c raise_generic_exception+0x3b(rec=0x31aaf4, context=0x31a828) [Z:\home\user\Wine\wine\dlls\ntdll\signal_i386.c:1863] in ntdll (0x0031a818)
  5 0xdeadbabe (0x0031ab88)
  6 0x007e28c1 in htmlkit (+0x3e28c0) (0x0031abc0)
  7 0x0080c008 in htmlkit (+0x40c007) (0x0031ac1c)
  8 0x0080db30 in htmlkit (+0x40db2f) (0x0031ac9c)
  9 0x00801976 in htmlkit (+0x401975) (0x0031acb4)
  10 0x633b389c WINPROC_wrapper+0x1b() in user32 (0x0031ace4)
  11 0x633b576d call_window_proc+0x12c(hwnd=0x10282, msg=0x4e, wp=0x20286, lp=0x31c4f0, result=0x31c220, arg=0x1300190) [Z:\home\user\Wine\wine\dlls\user32\winproc.c:249] in user32 (0x0031ad80)
  12 0x633b759c WINPROC_CallProcWtoA+0x151b(callback=0x633b5640, hwnd=0x10282, msg=0x4e, wParam=0x20286, lParam=0x31c4f0, result=0x31c220, arg=0x1300190) [Z:\home\user\Wine\wine\dlls\user32\winproc.c:864] in user32 (0x0031c084)
  13 0x633b5bd5 WINPROC_call_window+0x384(hwnd=0x10282, msg=0x4e, wParam=0x20286, lParam=0x31c4f0, result=0x31c220, unicode=0x1, mapping=1664702431) [Z:\home\user\Wine\wine\dlls\user32\winproc.c:926] in user32 (0x0031c198)
  14 0x63344f70 call_window_proc+0x12f(hwnd=0x10282, msg=0x4e, wparam=0x20286, lparam=0x31c4f0, unicode=0x1, same_thread=0x1, mapping=1664702431) [Z:\home\user\Wine\wine\dlls\user32\message.c:2225] in user32 (0x0031c238)
  15 0x6333d1c0 send_message+0x1bf(info=0x31c2e8, res_ptr=0x31c318, unicode=0x1) [Z:\home\user\Wine\wine\dlls\user32\message.c:3294] in user32 (0x0031c2c8)
  16 0x6333d515 SendMessageW+0x94(hwnd=0x10282, msg=0x4e, wparam=0x20286, lparam=0x31c4f0) [Z:\home\user\Wine\wine\dlls\user32\message.c:3495] in user32 (0x0031c33c)
  17 0x637591f0 notify_hdr+0xdf(infoPtr=0x1d4ce8, code=0xffffff9b, pnmh=0x31c4f0) [Z:\home\user\Wine\wine\dlls\comctl32\listview.c:838] in comctl32 (0x0031c398)
  18 0x6375c41c notify_listview+0xab(infoPtr=0x1d4ce8, code=0xffffff9b, plvnm=0x31c4f0) [Z:\home\user\Wine\wine\dlls\comctl32\listview.c:888] in comctl32 (0x0031c3e0)
  19 0x63762c9f set_main_item+0xa8e(infoPtr=0x1d4ce8, lpLVItem=0x31c600, isNew=0, isW=0x1, bChanged=0x31c590) [Z:\home\user\Wine\wine\dlls\comctl32\listview.c:4368] in comctl32 (0x0031c538)
  20 0x6374d9cd LISTVIEW_SetItemT+0x1fc(infoPtr=0x1d4ce8, lpLVItem=0x31c600, isW=0) [Z:\home\user\Wine\wine\dlls\comctl32\listview.c:4490] in comctl32 (0x0031c5b8)
  21 0x6374e707 LISTVIEW_SetItemTextT+0x156(infoPtr=0x1d4ce8, nItem=0, lpLVItem=0x31ee30, isW=0) [Z:\home\user\Wine\wine\dlls\comctl32\listview.c:9117] in comctl32 (0x0031c658)
  22 0x63743e24 LISTVIEW_WindowProc+0x1ee3(hwnd=0x20286, uMsg=0x102e, wParam=0, lParam=0x31ee30) [Z:\home\user\Wine\wine\dlls\comctl32\listview.c:11691] in comctl32 (0x0031c964)
  23 0x633b389c WINPROC_wrapper+0x1b() in user32 (0x0031c994)
  24 0x633b576d call_window_proc+0x12c(hwnd=0x20286, msg=0x102e, wp=0, lp=0x31ee30, result=0x31e99c, arg=0x63741f40) [Z:\home\user\Wine\wine\dlls\user32\winproc.c:249] in user32 (0x0031ca30)
  25 0x633b5350 WINPROC_CallProcAtoW+0x157f(callback=0x633b5640, hwnd=0x20286, msg=0x102e, wParam=0, lParam=0x31ee30, result=0x31e99c, arg=0x63741f40, mapping=WMCHAR_MAP_CALLWINDOWPROC) [Z:\home\user\Wine\wine\dlls\user32\winproc.c:609] in user32 (0x0031e948)
  26 0x633b776a CallWindowProcA+0x1a9(func=0xffff0015, hwnd=0x20286, msg=0x102e, wParam=0, lParam=0x31ee30) [Z:\home\user\Wine\wine\dlls\user32\winproc.c:1010] in user32 (0x0031e9d8)
  27 0x0080daf5 in htmlkit (+0x40daf4) (0x00020286)
Frame 6 is where the crash happens.
Wine-dbg>disassemble 0x007e28bb
0x007e28bb: call *0x188(%ebx)
0x007e28c1: popl %ebx
0x007e28c2: ret
0x188(%ebx) is NULL, leading to a call to a NULL function pointer -> crash.
A structure of that size (at least 396 bytes) is something internal to the application, not something we pass. Why it's NULL, how it became NULL, requires an understanding of the application's internals, which is best obtained with the help of the author.
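
Added example, not part of the original comment or of Wine: a small triage helper that parses a winedbg backtrace in the format above and picks the first resolved frame below the ntdll exception-dispatch frames, skipping unresolved entries such as the 0xdeadbabe frame. The names parse_frames and faulting_frame are hypothetical, and the sample is constructed from frames 0-7 of the trace with source paths dropped.

```python
import re

# Dispatch routines named in the trace above (Wine ntdll, signal_i386.c).
DISPATCH = {"EXC_CallHandler", "call_stack_handlers",
            "raise_exception", "raise_generic_exception"}
FRAME = re.compile(r"^(?:=>)?\s*(\d+)\s+(0x[0-9a-fA-F]+)\s*(.*)$")
SYMBOL = re.compile(r"^([A-Za-z_]\w*)\+0x[0-9a-fA-F]+\(")
MODULE = re.compile(r"\bin (\w+) \(")

# Constructed sample: frames 0-7 of the trace above, source paths dropped.
SAMPLE = """\
=>0 0x0081f9fe in htmlkit (+0x41f9fe) (0x0031a634)
  1 0x628e33eb EXC_CallHandler+0x1a() in ntdll (0x0031a654)
  2 0x628e946e call_stack_handlers+0x10d(rec=0x31aaf4, context=0x31a828) in ntdll (0x0031a6d0)
  3 0x628e6c9d raise_exception+0x41c(rec=0x31aaf4, context=0x31a828, first_chance=0x1) in ntdll (0x0031a7d8)
  4 0x628e858c raise_generic_exception+0x3b(rec=0x31aaf4, context=0x31a828) in ntdll (0x0031a818)
  5 0xdeadbabe (0x0031ab88)
  6 0x007e28c1 in htmlkit (+0x3e28c0) (0x0031abc0)
  7 0x0080c008 in htmlkit (+0x40c007) (0x0031ac1c)
"""


def parse_frames(text):
    """Return one dict per frame line: number, address, symbol, module."""
    frames = []
    for line in text.splitlines():
        m = FRAME.match(line.strip())
        if not m:
            continue  # not a frame line (prompt, disassembly, prose)
        sym = SYMBOL.match(m.group(3))
        mods = MODULE.findall(m.group(3))
        frames.append({
            "n": int(m.group(1)),
            "addr": int(m.group(2), 16),
            "symbol": sym.group(1) if sym else None,
            "module": mods[-1] if mods else None,  # None when unresolved
        })
    return frames


def faulting_frame(frames):
    """First resolved frame below the last ntdll exception-dispatch frame."""
    last = max((i for i, f in enumerate(frames)
                if f["module"] == "ntdll" and f["symbol"] in DISPATCH),
               default=None)
    if last is None:
        return None  # no dispatch frames: trace was not taken inside a handler
    return next((f for f in frames[last + 1:] if f["module"]), None)
```

On the sample, faulting_frame(parse_frames(SAMPLE)) returns frame 6 in htmlkit, whose address 0x007e28c1 is the return address of the indirect call shown in the disassembly.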