https://bugs.winehq.org/show_bug.cgi?id=12406
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|patch                       |
                 CC|                            |focht@gmx.net
          Component|-unknown                    |ieframe
            Summary|document explorer (part of  |Microsoft Document Explorer
                   |win doc kit) won't run      |2008 crashes when using MS
                   |                            |Help 2 URL from command
                   |                            |line
           Severity|enhancement                 |normal

--- Comment #19 from Anastasius Focht focht@gmx.net ---
Hello folks,
confirming, the crash is still present.
The bug was unfortunately recycled after the 'CoInternetSetFeatureEnabled' issue.
Prerequisite: 'winetricks -q dotnet20 mfc42'
--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files/Common Files/Microsoft Shared/Help 9

$ WINEDEBUG=+tid,+seh,+relay wine ./dexplore.exe /helpcol ms-help://ms.WDK.v10.6001.080214 /LaunchNamedUrlTopic HomePage >>log.txt 2>&1
...
002a:Call wininet.InternetCanonicalizeUrlW(009ab38c L"ms-help://MS.WDK.v10.6001.080214/Intro_g",009ab44c,0033e654,20000000) ret=51c22915
...
002a:Call ole32.CoCreateInstance(0033f62c,0045e76c,00000001,3b210fa8,0033f624) ret=3b39fd48
002a:Call ntdll.RtlInitUnicodeString(0033f310,0033f362 L"CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}") ret=7e87e764
...
002a:Call KERNEL32.LoadLibraryExW(0033f14e L"C:\windows\system32\ieframe.dll",00000000,00000008) ret=7e87e8f8
002a:Call PE DLL (proc=0x7cd7fd8c,module=0x7cd50000 L"ieframe.dll",reason=PROCESS_ATTACH,res=(nil))
...
002a:Call ieframe.DllGetClassObject(0033f4c8,7e97102c,0033f4d8) ret=7e880f05
002a:trace:ieframe:DllGetClassObject (CLSID_WebBrowser {00000001-0000-0000-c000-000000000046} 0x33f4d8)
002a:trace:ieframe:ClassFactory_QueryInterface (0x7cc74670)->(IID_IClassFactory 0x33f4d8)
002a:trace:ieframe:ClassFactory_AddRef (0x7cc74670)
002a:Ret ieframe.DllGetClassObject() retval=00000000 ret=7e880f05
002a:Call advapi32.RegCloseKey(0000015c) ret=7e884a88
002a:Ret advapi32.RegCloseKey() retval=00000000 ret=7e884a88
002a:trace:ieframe:create_webbrowser (0x45e76c {00000000-0000-0000-c000-000000000046} 0x33f624) version=2
...
002a:trace:ieframe:WebBrowser_QueryInterface (0x107dc98)->(IID_IUnknown 0x33f624)
002a:trace:ieframe:WebBrowser_AddRef (0x107dc98) ref=2
002a:trace:ieframe:WebBrowser_Release (0x107dc98) ref=1
002a:trace:ieframe:ClassFactory_Release (0x7cc74670)
002a:Ret ole32.CoCreateInstance() retval=00000000 ret=3b39fd48
002a:trace:ieframe:WebBrowser_QueryInterface (0x107dc98)->(IID_IUnknown 0x45e794)
002a:trace:ieframe:WebBrowser_AddRef (0x107dc98) ref=2
002a:trace:ieframe:WebBrowser_Release (0x107dc98) ref=1
002a:Call KERNEL32.InterlockedDecrement(0045e8d0) ret=3b27ae4e
002a:Ret KERNEL32.InterlockedDecrement() retval=00000000 ret=3b27ae4e
002a:Call ntdll.RtlFreeHeap(00110000,00000000,0107b3f0) ret=7e8a05e8
002a:Ret ntdll.RtlFreeHeap() retval=00000001 ret=7e8a05e8
002a:Call KERNEL32.InterlockedDecrement(3b8c9868) ret=3b21176a
002a:Ret KERNEL32.InterlockedDecrement() retval=00000011 ret=3b21176a
002a:Call ntdll.RtlDeleteCriticalSection(0045e8d4) ret=3b21e7dd
002a:Ret ntdll.RtlDeleteCriticalSection() retval=00000000 ret=3b21e7dd
002a:Call msvcr90.??3@YAXPAX@Z(0045e8c8) ret=3b27b0df
002a:Call ntdll.RtlFreeHeap(00450000,00000000,0045e8c8) ret=7ec9d1b2
002a:Ret ntdll.RtlFreeHeap() retval=00000001 ret=7ec9d1b2
002a:Ret msvcr90.??3@YAXPAX@Z() retval=00000001 ret=3b27b0df
002a:trace:ieframe:WebBrowser_QueryInterface (0x107dc98)->(IID_IOleObject 0x45e754)
002a:trace:ieframe:WebBrowser_AddRef (0x107dc98) ref=2
002a:trace:ieframe:WebBrowser_Release (0x107dc98) ref=1
002a:trace:ieframe:WebBrowser_Release (0x107dc98) ref=0
...
002a:Call msvcr90.??_V@YAXPAX@Z(00000000) ret=3b644fb4
002a:Call ntdll.RtlFreeHeap(00450000,00000000,00000000) ret=7ec9d1b2
002a:Ret ntdll.RtlFreeHeap() retval=00000001 ret=7ec9d1b2
002a:Ret msvcr90.??_V@YAXPAX@Z() retval=00000001 ret=3b644fb4
002a:Call oleaut32.VariantClear(0045e7c8) ret=3b642a98
002a:Ret oleaut32.VariantClear() retval=00000000 ret=3b642a98
002a:Call oleaut32.SysFreeString(00000000) ret=3b642aa7
002a:Ret oleaut32.SysFreeString() retval=0033f5e0 ret=3b642aa7
002a:Call oleaut32.SysFreeString(00000000) ret=3b642ab0
002a:Ret oleaut32.SysFreeString() retval=0033f5e0 ret=3b642ab0
002a:Call oleaut32.SysFreeString(00000000) ret=3b642ab9
002a:Ret oleaut32.SysFreeString() retval=0033f5e0 ret=3b642ab9
002a:Call msvcr90.??3@YAXPAX@Z(0045e750) ret=3b6460ed
002a:Call ntdll.RtlFreeHeap(00450000,00000000,0045e750) ret=7ec9d1b2
002a:Ret ntdll.RtlFreeHeap() retval=00000001 ret=7ec9d1b2
002a:Ret msvcr90.??3@YAXPAX@Z() retval=00000001 ret=3b6460ed
002a:trace:seh:raise_exception code=c0000005 flags=0 addr=0x45009b ip=0045009b tid=002a
002a:trace:seh:raise_exception info[0]=00000001
002a:trace:seh:raise_exception info[1]=01454588
002a:trace:seh:raise_exception eax=00450088 ebx=3b211020 ecx=0033f71c edx=00450064 esi=0045e750 edi=00000001
002a:trace:seh:raise_exception ebp=0033f78d esp=0033f6ec cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00210206
002a:trace:seh:call_vectored_handlers calling handler at 0x40e138 code=c0000005 flags=0
...
--- snip ---
Hard to tell.
Memory dump of the block in question:
--- snip ---
0045ED70  00000170 ; block size
0045ED74  00455355 ; 'USE' heap magic
0045ED78  3B3BBCA0 ; msenv.3B3BBCA0 (vtable?)
0045ED7C  010A9754 ; OFFSET ieframe.OleObjectVtbl (set by QI)
0045ED80  00000000
0045ED84  3B2ED7C4 ; msenv.3B2ED7C4 (vtable?)
0045ED88  3B2E3A40 ; msenv.3B2E3A40 (vtable?)
0045ED8C  3B2ED86C ; msenv.3B2ED86C (vtable?)
0045ED90  00000000
0045ED94  3B3BBD0C ; msenv.3B3BBD0C (controlling IUnknown to CoCreateInstance)
0045ED98  3B3BBD2C ; msenv.3B3BBD2C (vtable?)
0045ED9C  3B2ED4AC ; msenv.3B2ED4AC (vtable?)
0045EDA0  3B2E2540 ; msenv.3B2E2540 (vtable?)
0045EDA4  3B3BBD40 ; msenv.3B3BBD40 (vtable?)
0045EDA8  3B2E481C ; msenv.3B2E481C (vtable?)
0045EDAC  3B2E9688 ; msenv.3B2E9688 (vtable?)
0045EDB0  3B3BBD54 ; msenv.3B3BBD54 (vtable?)
0045EDB4  3B3BBD68 ; msenv.3B3BBD68 (vtable?)
0045EDB8  00000001 ; refcount ?
0045EDBC  010A9750 ; OFFSET ieframe.WebBrowser2Vtbl (set by QI)
0045EDC0  00000000
--- snip ---

The app decrements what looks like a reference count at 0x0045EDB8. With the reference count gone to zero, the memory block is freed, which seems wrong as it tries to access member data later (expecting the block to be still alive).
Likely an aggregation issue which Wine doesn't do correctly here, similar class as bug 29709 (refcount must be somehow incremented by QI).
The crash can be worked around by using 'winetricks -q ie8' and removing all overrides except 'shdocvw'. It's a rather invasive way though, polluting the whole prefix. But even then, the MS Document Explorer is still not fully usable and prone to crashes.
Component to fix would be still ieframe (WebBrowser -> shdocvw (old) vs. ieframe (new)).
$ sha1sum WDKDocs_02222008.EXE
e55c58c8d7a822d2e31f8054abfae724c6ea6923  WDKDocs_02222008.EXE

$ du -sh WDKDocs_02222008.EXE
56M	WDKDocs_02222008.EXE

$ wine --version
wine-1.7.35-42-g9defaa5
Regards
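
A triage heuristic for traces like the one quoted above, as an added example that is not part of the original comment or of Wine: it scans a `+tid,+seh,+relay` log for objects whose traced refcount reached 0 and for registers at an access violation that still hold a pointer already passed to `RtlFreeHeap`. The function name `triage` and the embedded sample (a few lines copied from the trace above) are choices made for this example.

```python
import re

# A few lines taken from the trace quoted in the comment, embedded so this runs offline.
SAMPLE = """\
002a:trace:ieframe:WebBrowser_AddRef (0x107dc98) ref=2
002a:trace:ieframe:WebBrowser_Release (0x107dc98) ref=1
002a:trace:ieframe:WebBrowser_Release (0x107dc98) ref=0
002a:Call ntdll.RtlFreeHeap(00450000,00000000,00000000) ret=7ec9d1b2
002a:Call ntdll.RtlFreeHeap(00450000,00000000,0045e750) ret=7ec9d1b2
002a:trace:seh:raise_exception code=c0000005 flags=0 addr=0x45009b ip=0045009b tid=002a
002a:trace:seh:raise_exception info[0]=00000001
002a:trace:seh:raise_exception info[1]=01454588
002a:trace:seh:raise_exception eax=00450088 ebx=3b211020 ecx=0033f71c edx=00450064 esi=0045e750 edi=00000001
"""

REF = re.compile(r"trace:ieframe:\w+_(?:AddRef|Release) \((0x[0-9a-f]+)\) ref=(\d+)")
FREE = re.compile(r"Call ntdll\.RtlFreeHeap\([0-9a-f]+,[0-9a-f]+,([0-9a-f]+)\)")
EXC = re.compile(r"seh:raise_exception code=([0-9a-f]+)")
REG = re.compile(r"\b(eax|ebx|ecx|edx|esi|edi|ebp|esp)=([0-9a-f]{8})")


def triage(log):
    """Return (objects released to ref=0, registers holding freed pointers at the fault).

    Both lists carry the 1-based log line where the release or free happened.
    """
    dead, freed, hits, in_fault = [], {}, [], False
    for lineno, line in enumerate(log.splitlines(), 1):
        if m := REF.search(line):
            if m.group(2) == "0":
                dead.append((int(m.group(1), 16), lineno))
        elif m := FREE.search(line):
            ptr = int(m.group(1), 16)
            if ptr:  # freeing NULL is a no-op, not evidence of anything
                freed[ptr] = lineno
        elif m := EXC.search(line):
            in_fault = m.group(1) == "c0000005"  # access violation only
        elif in_fault and "seh:raise_exception" in line:
            for reg, val in REG.findall(line):
                if int(val, 16) in freed:
                    hits.append((reg, int(val, 16), freed[int(val, 16)]))
    return dead, hits


if __name__ == "__main__":
    print(triage(SAMPLE))
```

A hit is only a lead: the heap can hand a freed address out again, so a matching register value has to be confirmed against the allocation calls between the free and the fault.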