https://bugs.winehq.org/show_bug.cgi?id=33031
Anastasius Focht focht@gmx.net changed:
           What    |Removed                          |Added
----------------------------------------------------------------------------
             CC    |                                 |focht@gmx.net
      Component    |-unknown                         |richedit
        Summary    |Microsoft Windows Driver         |Microsoft Windows Driver
                   |Development Kit (win7 ddk/wdk)   |Development Kit 7.1.0 (Win7
                   |fails                            |DDK/WDK) installer fails:
                   |                                 |'eula.exe' crashes on exit
                   |                                 |(COM apartment already
                   |                                 |initialized by RichEdit)
--- Comment #3 from Anastasius Focht focht@gmx.net ---

Hello folks,
confirming.
Can be reproduced by running 'eula.exe' directly with required arguments.
The problem is not deducible from the trace log; one has to debug it.
--- snip ---
$ WINEDEBUG=+tid,+seh,+relay wine ./eula.exe i SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WDK_EULA_{68656B6B-555E-5459-5E5D-6363635E5F65} WDK F:\license.rtf >>~/Downloads/log.txt 2>&1
...
0024:Call ole32.OleInitialize(00000000) ret=7ac22902
0024:trace:ole:OleInitialize ((nil))
0024:Call ntdll.RtlAllocateHeap(00110000,00000008,000000fc) ret=7e8debdc
0024:Ret ntdll.RtlAllocateHeap() retval=0014c4f0 ret=7e8debdc
0024:trace:ole:CoInitializeEx ((nil), 2)
0024:trace:ole:CoInitializeEx () - Initializing the COM libraries
0024:trace:ole:RunningObjectTableImpl_Initialize
...
0024:Call user32.CreateWindowExW(00000000,7e9bfb00 L"OleMainThreadWndClass 0x######## ",00000000,00000000,00000000,00000000,00000000,00000000,fffffffd,00000000,7e8c0000,00000000) ret=7e8e28fd
...
0024:Call ole32.CoInitialize(00000000) ret=01002abb
0024:trace:ole:CoInitializeEx ((nil), 2)
0024:Ret ole32.CoInitialize() retval=00000001 ret=01002abb
...
0024:Call window proc 0x5f801868 (hwnd=0x10070,msg=WM_DESTROY,wp=00000000,lp=00000000)
...
0024:trace:seh:raise_exception code=c0000005 flags=0 addr=0x100228d ip=0100228d tid=0024
0024:trace:seh:raise_exception  info[0]=00000000
0024:trace:seh:raise_exception  info[1]=8bec55af
0024:trace:seh:raise_exception  eax=00010070 ebx=7bc3b3a9 ecx=8bec558b edx=0033f694 esi=01001408 edi=0033f6a4
0024:trace:seh:raise_exception  ebp=0033f6a8 esp=0033f66c cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010282
0024:trace:seh:call_stack_handlers calling handler at 0x5f890df5 code=c0000005 flags=0
0024:trace:seh:call_stack_handlers handler at 0x5f890df5 returned 1
...
Unhandled exception: page fault on read access to 0x8bec55af in 32-bit code (0x0100228d).
...
Backtrace:
=>0 0x0100228d in eula (+0x228d) (0x0033f6a8)
  1 0x0100236b in eula (+0x236a) (0x0033f730)
  2 0x5f8019d1 in mfc42u (+0x19d0) (0x0033f750)
  3 0x5f80195a in mfc42u (+0x1959) (0x0033f7b0)
  4 0x5f8018e2 in mfc42u (+0x18e1) (0x0033f7cc)
  5 0x5f8018a1 in mfc42u (+0x18a0) (0x0033f7f8)
  6 0x7ecb1de6 WINPROC_wrapper+0x19() in user32 (0x0033f828)
...
  12 0x7eca3d41 WIN_SendDestroyMsg+0x7d(hwnd=0x10070) [/home/focht/projects/wine/wine.repo/src/dlls/user32/win.c:1772] in user32 (0x0033fa38)
  13 0x7eca419e DestroyWindow+0x356(hwnd=<couldn't compute location>) [/home/focht/projects/wine/wine.repo/src/dlls/user32/win.c:1876] in user32 (0x0033faa8)
  14 0x7bc6e39a relay_call+0x39() in ntdll (0x0033fadc)
  15 0x7ec06c5d in user32 (+0x6c5c) (0x0033fb38)
  16 0x5f804b68 in mfc42u (+0x4b67) (0x0033fb38)
  17 0x0100213d in eula (+0x213c) (0x0033fd7c)
  18 0x5f812566 in mfc42u (+0x12565) (0x0033fe20)
...
0x0100228d: call *0x24(%ecx)
Modules:
Module   Address            Debug info  Name (58 modules)
PE        1000000- 103f000  Export      eula
PE       5f800000-5f8f2000  Export      mfc42u
ELF      7ac00000-7ac69000  Deferred    riched20<elf>
  \-PE   7ac10000-7ac69000  \           riched20
...
Threads:
process  tid      prio (all id:s are in hex)
...
00000023 (D) F:\eula.exe
  00000024    0 <==
--- snip ---
The app is MFC-based and creates a dialog window with an embedded RichEdit control. Upon creation of the dialog window, the app initializes COM explicitly and stores the COM init status internally.
Unfortunately at the time the app calls CoInitialize(NULL), the COM apartment is already initialized hence S_FALSE is returned and stored.
The COM apartment was created earlier by Wine's RichEdit text host (WM_NCCREATE -> ME_CreateTextHost -> ME_MakeEditor -> OleInitialize(NULL)).
This is something the app doesn't expect at this place (MFC app -> OnDialogInit). The app checks the internal COM init flag on exit and reaches a different code path, causing a NULL ptr deref.
I changed RichEdit to defer COM init and it helped - the crash on exit is gone. Native RichEdit probably doesn't do explicit COM init on WM_NCCREATE/text host creation, hence the app call to CoInitialize(NULL) in dialog init returns S_OK.
$ wine --version
wine-1.7.13-118-g0eb6265
Regards
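The sequence the comment describes, as an added example that is not part of the bug report and not Wine's or the installer's code: a small model of the per-thread COM apartment state, using the real HRESULT values (S_OK, S_FALSE, RPC_E_CHANGED_MODE) and the documented contract that every successful CoInitialize/CoInitializeEx, including one returning S_FALSE, must be balanced by a CoUninitialize. The struct, the `model_*` functions and the two hypothetical shutdown policies are assumptions made for illustration; the replay function only mirrors what the relay log shows (OleInitialize from the text host first, then the dialog's CoInitialize(NULL)).

```c
/* Added example, not from the bug report or from Wine: a model of per-thread
 * COM apartment initialization. Return codes and the "balance every success,
 * including S_FALSE, with CoUninitialize" rule are the documented behaviour;
 * the state struct, model_* names and shutdown policies are hypothetical. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

typedef int32_t HRESULT;
#define S_OK                 ((HRESULT)0x00000000L)
#define S_FALSE              ((HRESULT)0x00000001L)
#define RPC_E_CHANGED_MODE   ((HRESULT)0x80010106L)
#define SUCCEEDED(hr)        ((HRESULT)(hr) >= 0)

#define COINIT_MULTITHREADED     0x0u
#define COINIT_APARTMENTTHREADED 0x2u   /* the "2" seen in CoInitializeEx ((nil), 2) */

/* Per-thread apartment state as the model tracks it (hypothetical struct). */
typedef struct {
    unsigned init_count;   /* successful CoInitialize* calls not yet balanced */
    unsigned model;        /* COINIT_* of the live apartment */
} thread_com_state;

/* Model of CoInitializeEx(NULL, coinit) on one thread. */
HRESULT model_CoInitializeEx(thread_com_state *t, unsigned coinit)
{
    if (t->init_count == 0) {
        t->init_count = 1;
        t->model = coinit;
        return S_OK;                 /* first initialization on this thread */
    }
    if (t->model != coinit)
        return RPC_E_CHANGED_MODE;   /* model mismatch: failure, not counted */
    t->init_count++;
    return S_FALSE;                  /* already initialized; still a success */
}

/* CoInitialize(NULL) is CoInitializeEx(NULL, COINIT_APARTMENTTHREADED). */
HRESULT model_CoInitialize(thread_com_state *t)
{
    return model_CoInitializeEx(t, COINIT_APARTMENTTHREADED);
}

/* OleInitialize(NULL) initializes an apartment-threaded apartment as well. */
HRESULT model_OleInitialize(thread_com_state *t)
{
    return model_CoInitializeEx(t, COINIT_APARTMENTTHREADED);
}

void model_CoUninitialize(thread_com_state *t)
{
    if (t->init_count > 0)
        t->init_count--;
}

/* Hypothetical shutdown policies. The fragile one treats only S_OK as "we own
 * COM" and so takes a different path once an embedded control initialized the
 * apartment first; the robust one balances every successful init. Both return
 * whether CoUninitialize was called. */
bool shutdown_only_on_S_OK(thread_com_state *t, HRESULT stored_hr)
{
    if (stored_hr == S_OK) { model_CoUninitialize(t); return true; }
    return false;
}

bool shutdown_on_success(thread_com_state *t, HRESULT stored_hr)
{
    if (SUCCEEDED(stored_hr)) { model_CoUninitialize(t); return true; }
    return false;
}

/* Replays the relay log: the RichEdit text host calls OleInitialize during
 * window creation, then the dialog init handler calls CoInitialize(NULL).
 * Returns the HRESULT the dialog code would store. */
HRESULT replay_dialog_init(thread_com_state *t, bool richedit_inits_first)
{
    *t = (thread_com_state){0};
    if (richedit_inits_first)
        model_OleInitialize(t);
    return model_CoInitialize(t);
}

int main(void)
{
    thread_com_state t;
    HRESULT hr = replay_dialog_init(&t, true);
    printf("CoInitialize after OleInitialize -> 0x%08lx (%s)\n",
           (unsigned long)(uint32_t)hr, hr == S_FALSE ? "S_FALSE" : "other");
    printf("fragile shutdown called CoUninitialize: %d\n", shutdown_only_on_S_OK(&t, hr));
    printf("robust shutdown called CoUninitialize:  %d\n", shutdown_on_success(&t, hr));
    return 0;
}
```

With the text host initializing first, the stored value is S_FALSE (0x00000001), so a policy keyed on `hr == S_OK` skips its own teardown and leaves the thread with an unbalanced init count, while `SUCCEEDED(hr)` handles both orders identically. Requesting COINIT_MULTITHREADED on a thread that already has an apartment-threaded apartment yields RPC_E_CHANGED_MODE and changes nothing.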