https://bugs.winehq.org/show_bug.cgi?id=19538
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |focht@gmx.net
            Summary|Publisher 2007 crashes      |Microsoft Publisher 2007
                   |                            |and 2010 crash when opening
                   |                            |documents/templates (TSF
                   |                            |manager 'ITextStoreACPSink'
                   |                            |must support QI with
                   |                            |'IID_ITextStoreACPServices'
                   |                            |)
--- Comment #9 from Anastasius Focht focht@gmx.net ---

Hello folks,
confirming.
Running with 'winedbg' gives:
--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files/Microsoft Office/Office12

$ winedbg ./MSPUB.exe
...
<open document from existing templates>
...
Unhandled exception: page fault on read access to 0x00000000 in 32-bit code (0x33ef4418).
Register dump:
 CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b
 EIP:33ef4418 ESP:0033e6c4 EBP:0033ec6c EFLAGS:00010297( R- -- I S -A-P-C)
 EAX:00000000 EBX:00000001 ECX:33f514ac EDX:00000001
 ESI:0198c8d6 EDI:00ffffff
...
Backtrace:
=>0 0x33ef4418 in ptxt9 (+0x34418) (0x0033ec6c)
  1 0x3024cae0 in mspub (+0x24cadf) (0x0033eca4)
  2 0x3025e14a in mspub (+0x25e149) (0x0033ed44)
  3 0x33d265b7 in morph9 (+0x265b6) (0x0033ee18)
  4 0x3023673b in mspub (+0x23673a) (0x0033eed8)
  5 0x302361f4 in mspub (+0x2361f3) (0x0033ef0c)
  6 0x304e9bba in mspub (+0x4e9bb9) (0x0033f9f0)
  7 0x305069eb in mspub (+0x5069ea) (0x0033faf8)
  8 0x30507091 in mspub (+0x507090) (0x0033fb18)
  9 0x7ec99b6a WINPROC_wrapper+0x19() in user32 (0x0033fb48)
  10 0x7ec99cdf call_window_proc+0xcc(hwnd=0x200d6, msg=0x203, wp=0x1, lp=0x840071, result=0x33fcb8, arg=0x30506fdc) [/home/focht/projects/wine/wine.repo/src/dlls/user32/winproc.c:244] in user32 (0x0033fb88)
  11 0x7ec9be78 WINPROC_call_window+0x15d(hwnd=0x200d6, msg=0x203, wParam=0x1, lParam=0x840071, result=0x33fcb8, unicode=0x1, mapping=WMCHAR_MAP_DISPATCHMESSAGE) [/home/focht/projects/wine/wine.repo/src/dlls/user32/winproc.c:900] in user32 (0x0033fbd8)
  12 0x7ec5d7dd DispatchMessageW+0x1c4(msg=<couldn't compute location>) [/home/focht/projects/wine/wine.repo/src/dlls/user32/message.c:4022] in user32 (0x0033fce8)
  13 0x326ee453 in mso (+0xee452) (0x0033fd04)
  14 0x3002ddd2 in mspub (+0x2ddd1) (0x0033fd44)
  15 0x30002316 in mspub (+0x2315) (0x0033fd54)
  16 0x300022c3 in mspub (+0x22c2) (0x0033fd90)
  17 0x3000228c in mspub (+0x228b) (0x0033fe20)
  18 0x7b864378 call_process_entry+0xb() in kernel32 (0x0033fe38)
...
0x33ef4418: movl 0x0(%eax),%ecx

Wine-dbg> info process
 pid      threads  executable (all id:s are in hex)
 00000022 8        'MSPUB.EXE'
 0000002d 7        _ 'rpcss.exe'
 00000020 1        'explorer.exe'
 0000000e 5        'services.exe'
 00000019 3        _ 'plugplay.exe'
 00000012 4        _ 'winedevice.exe'

Wine-dbg> info thread
process  tid      prio (all id:s are in hex)
...
00000022 (D) C:\Program Files\Microsoft Office\Office12\MSPUB.EXE
    00000038    0
    00000037    0
    0000002c    0
    0000002b    0
    00000026    0
    00000025    0
    00000024    0
    00000023    0 <==

Wine-dbg> info share
Module  Address              Debug info  Name (151 modules)
PE        820000-  e74000    Deferred    msores
PE        e90000- 186d000    Deferred    msointl
PE      30000000-3092f000    Export      mspub
PE      32600000-33618000    Export      mso
PE      33d00000-33d7b000    Export      morph9
PE      33da0000-33e12000    Deferred    mor6int
PE      33ec0000-33f5c000    Export      ptxt9
PE      33fe0000-345bd000    Deferred    pub6intl
PE      34730000-3473d000    Deferred    pubtrap
PE      347b0000-34816000    Deferred    pubwzint
PE      3bd10000-3bea5000    Deferred    ogl
...
PE      50720000-5072e000    Deferred    mshyph2
PE      6bdc0000-6be7a000    Deferred    msptls
ELF     7ac00000-7ac6a000    Deferred    riched20<elf>
--- snip ---
The crash happens within 'PTXT9.DLL', dubbed 'Microsoft Office Publisher TXT Converter' (dll resource).
After spending some hours, I found the culprit component: TSF manager
'winetricks -q msctf' works around.
--- snip ---
...
0023:trace:msctf:DocumentMgr_CreateContext (0x1c2b50) 0x1 0x0 0x385afc0 0x385b058 0x385b064
0023:trace:msctf:Context_Constructor (0x1c5c88) 1 0x385afc0 0x385b058 0x385b064
0023:trace:msctf:CompartmentMgr_Constructor returning 0x168090
0023:trace:msctf:Context_Constructor returning 0x1c5c88
0023:trace:msctf:DocumentMgr_Push (0x1c2b50) 0x1c5c88
0023:trace:msctf:ThreadMgrEventSink_OnInitDocumentMgr (0x1c5bf0) 0x1c2b50
0023:trace:msctf:TextStoreACPSink_Constructor returning 0x161740
0023:warn:msctf:TextStoreACPSink_QueryInterface unsupported interface: {aa80e901-2021-11d2-93e0-0060b067b86e}
0023:trace:msctf:ThreadMgrEventSink_OnPushContext (0x1c5bf0) 0x1c5c88
0023:trace:msctf:ContextSource_AdviseSink (0x1c5c88) {8127d409-ccd3-4683-967a-b43d5b482bf7} 0x385afcc 0x385afec
0023:trace:msctf:ContextSource_AdviseSink cookie 3
0023:warn:msctf:Context_QueryInterface unsupported interface: {a305b1c0-c776-4523-bda0-7c5a2e0fef10}
0023:trace:msctf:ThreadMgr_SetFocus (0x1c5bf0) 0x1c2b50
0023:trace:msctf:ThreadMgrEventSink_OnSetFocus (0x1c5bf0) 0x1c2b50 (nil)
0023:trace:msctf:ThreadMgr_GetFocus (0x1c5bf0)
0023:trace:msctf:ThreadMgr_GetFocus ->0x1c2b50
--- snip ---
--- snip ---
...
Wine-dbg>
0x33ec2ddd: call *0xc(%edx)
Wine-dbg>si
DocumentMgr_CreateContext () at /home/focht/projects/wine/wine.repo/src/dlls/msctf/documentmgr.c:148
...
Wine-dbg>
0x33ec2def: call *0x10(%ecx)
Wine-dbg>si
DocumentMgr_Push () at /home/focht/projects/wine/wine.repo/src/dlls/msctf/documentmgr.c:155
...
Wine-dbg>
0x33ec2e09: call *0x0(%ecx)
Wine-dbg>si
Context_QueryInterface () at /home/focht/projects/wine/wine.repo/src/dlls/msctf/context.c:202
...
Wine-dbg>
0x33ec2e27: call *0xc(%eax)
Wine-dbg>si
ContextSource_AdviseSink () at /home/focht/projects/wine/wine.repo/src/dlls/msctf/context.c:613
...
Wine-dbg>
0x33ec2e43: call *0x0(%eax)
Wine-dbg>si
Context_QueryInterface () at /home/focht/projects/wine/wine.repo/src/dlls/msctf/context.c:202
...
Wine-dbg>
0x33ec2e57: call *0x8(%ecx)
Wine-dbg>si
ContextSource_Release () at /home/focht/projects/wine/wine.repo/src/dlls/msctf/context.c:603
0x7c54537a ContextSource_Release [/home/focht/projects/wine/wine.repo/src/dlls/msctf/context.c:603] in msctf: leal 0x4(%esp),%ecx
603 {
...
--- snip ---
Source: http://source.winehq.org/git/wine.git/blob/f2b29ecf7201e0bd4d84ec5d3c4be3888...
--- snip ---
static HRESULT WINAPI TextStoreACPSink_QueryInterface(ITextStoreACPSink *iface, REFIID iid, LPVOID *ppvOut)
{
    TextStoreACPSink *This = impl_from_ITextStoreACPSink(iface);
    *ppvOut = NULL;

    if (IsEqualIID(iid, &IID_IUnknown) || IsEqualIID(iid, &IID_ITextStoreACPSink))
    {
        *ppvOut = &This->ITextStoreACPSink_iface;
    }

    if (*ppvOut)
    {
        ITextStoreACPSink_AddRef(iface);
        return S_OK;
    }

    WARN("unsupported interface: %s\n", debugstr_guid(iid));
    return E_NOINTERFACE;
}
--- snip ---
Since 'ITextStoreACPSink::QueryInterface' rejects 'IID_ITextStoreACPServices', the previous QI is released, leading to a later crash.
MSDN: http://msdn.microsoft.com/en-us/library/windows/desktop/ms538387%28v=vs.85%2...
--- quote ---
The ITextStoreACPServices interface is implemented by the TSF manager to provide various services to an ACP-based application. To obtain an instance of this interface, an application calls QueryInterface on the punk parameter passed to ITextStoreACP::AdviseSink with IID_ITextStoreACPServices.
--- quote ---
MSDN: http://blogs.msdn.com/b/tsfaware/archive/2007/05/05/a-tour-through-tsf-misce...
Tidbit:
MSDN: http://msdn.microsoft.com/en-us/library/windows/desktop/ms629043%28v=vs.85%2...
--- quote ---
How To Modify the Text Store
The ITfDocumentMgr::Push method calls ITextStoreACP::AdviseSink with a pointer to the advise sink interface to install a new advise sink or modify an existing advise sink. The advise sink receives notifications when the text store is modified by something other than the manager, such as user input to the application. Applications must call the ITfThreadMgrEventSink::OnSetFocus method when the input method obtains the focus. Other notifications to the thread manager are provided by calling to the appropriate ITextStoreACPSink interface methods.
However, applications should not call the ITextStoreACPSink interface methods in response to ITextStoreACP interface methods. Applications should only call ITextStoreACPSink interface methods when the text store is modified by something other than the manager.
The contents of the text store can be modified with a temporary input state called a composition.
--- quote ---
That article mentions functionality that might be interesting in future -> Microsoft Active Accessibility clients with anchor support (ITextStoreAnchor and ITextStoreAnchorSink).
$ wine --version
wine-1.7.25-51-g60de497
Regards
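
The QueryInterface contract discussed in the comment above, as an added example that is not part of the original comment and is not Wine's code: a portable C model of a sink object that rejects or answers the services IID, with a caller that checks the HRESULT before touching the returned pointer. All type and function names are hypothetical stand-ins, and IID_IUnknown stands in for the sink's own interface; the services GUID is the one shown in the trace.

```c
#include <stdint.h>
#include <string.h>

/* Portable stand-ins for GUID/HRESULT; hypothetical names, not Wine's headers. */
typedef struct { uint32_t d1; uint16_t d2, d3; uint8_t d4[8]; } guid_t;
typedef uint32_t hresult_t;
#define HR_OK          0x00000000u  /* S_OK */
#define HR_NOINTERFACE 0x80004002u  /* E_NOINTERFACE */

static const guid_t IID_UNKNOWN  = {0x00000000, 0x0000, 0x0000, {0xc0, 0, 0, 0, 0, 0, 0, 0x46}};
/* GUID rejected in the trace above (IID_ITextStoreACPServices). */
static const guid_t IID_SERVICES = {0xaa80e901, 0x2021, 0x11d2, {0x93, 0xe0, 0x00, 0x60, 0xb0, 0x67, 0xb8, 0x6e}};

/* One object, two interface "faces", one shared reference count. */
typedef struct { int sink_face; int services_face; long refs; } sink_t;
typedef hresult_t (*qi_fn)(sink_t *, const guid_t *, void **);

static int iid_eq(const guid_t *a, const guid_t *b) { return !memcmp(a, b, sizeof *a); }

/* Same shape as the quoted QueryInterface: only the sink face is offered. */
hresult_t sink_qi_before(sink_t *s, const guid_t *iid, void **out) {
    *out = iid_eq(iid, &IID_UNKNOWN) ? (void *)&s->sink_face : NULL;
    if (!*out) return HR_NOINTERFACE;
    s->refs++;                       /* AddRef only on success */
    return HR_OK;
}

/* Hypothetical variant that also answers the services IID. */
hresult_t sink_qi_after(sink_t *s, const guid_t *iid, void **out) {
    *out = NULL;
    if (iid_eq(iid, &IID_UNKNOWN)) *out = &s->sink_face;
    else if (iid_eq(iid, &IID_SERVICES)) *out = &s->services_face;
    if (!*out) return HR_NOINTERFACE;
    s->refs++;
    return HR_OK;
}

/* Caller side: trust the out pointer only when the HRESULT says so. */
int caller_gets_services(qi_fn qi, sink_t *s) {
    void *svc = NULL;
    if (qi(s, &IID_SERVICES, &svc) != HR_OK || !svc) return 0;
    s->refs--;                       /* Release the reference QI added */
    return 1;
}

int main(void) {
    sink_t s = {0, 0, 1};
    return !(caller_gets_services(sink_qi_before, &s) == 0 &&
             caller_gets_services(sink_qi_after, &s) == 1);
}
```
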