http://bugs.winehq.org/show_bug.cgi?id=28369
jhgf <bernhardloos@googlemail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bernhardloos@googlemail.com
--- Comment #3 from jhgf <bernhardloos@googlemail.com> 2011-09-30 06:18:26 CDT ---

This is some kind of COM refcounting snafu. Basically, the DocHost ref count drops to zero and it is deleted, but the HTMLDocumentObj is still around and holds a reference to the DocHost via HTMLDocumentObj->frame. This is used during the window proc of the document:
#0  0x70ff9f31 in set_statustext (doc=0x161640, id=7550, arg=0x1c294a0) at main.c:122
#1  0x7101d6d5 in set_downloading_proc (_task=0x117abd0) at persist.c:167
#2  0x7102b816 in hidden_proc (hwnd=0x20020, msg=32776, wParam=0, lParam=0) at task.c:275
#3  0x685a2f8a in WINPROC_wrapper () from /home/asdf/wine-git/dlls/user32/user32.dll.so
#4  0x685a3666 in call_window_proc (hwnd=0x20020, msg=32776, wp=0, lp=0, result=0x33f978, arg=0x7102b790) at winproc.c:242
#5  0x685a5e12 in WINPROC_call_window (hwnd=0x20020, msg=32776, wParam=0, lParam=0, result=0x33f978, unicode=1, mapping=WMCHAR_MAP_DISPATCHMESSAGE) at winproc.c:908
#6  0x6856771f in DispatchMessageW (msg=0x33fa20) at message.c:3809
#7  0x6a60097f in ?? ()
#8  0x6a62557a in ?? ()
At this point, the memory where DocHost was is already allocated for something else and the result is a crash. Notably, the refcount of HTMLDocumentObj is 1 at this point, so there is probably only a single Release missing, but this code is rather complex, so figuring out where it belongs is a rather hard exercise for somebody who doesn't know it.
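The failure mode the comment describes, a stored back pointer that outlives the object it points at because the reference counts of the two objects are not paired, reduced to a stand-alone C sketch. This is an added illustration, not Wine's mshtml code: the names DocHost and HTMLDocumentObj are borrowed from the report, but the fields, the functions, the tombstone-instead-of-free trick and the scenario are invented for the demo, and it makes no claim about where the missing Release in the real code belongs. The "buggy" setter stores the pointer without AddRef; the "fixed" one takes a reference for as long as the pointer is stored.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for a COM object: a refcount plus a "destroyed" flag.  The real
 * destructor frees the memory; here the object is only tombstoned so that a
 * later access through a stale pointer is detectable rather than undefined
 * behaviour.  The demo deliberately never frees. */
typedef struct {
    long ref;
    int  destroyed;
    char status[32];
} DocHost;

static int live_hosts;   /* DocHost objects whose refcount has not hit zero */

static DocHost *dochost_create(void)
{
    DocHost *h = calloc(1, sizeof *h);
    if (!h) abort();
    h->ref = 1;
    strcpy(h->status, "idle");
    live_hosts++;
    return h;
}

static long dochost_addref(DocHost *h) { return ++h->ref; }

static long dochost_release(DocHost *h)
{
    long r = --h->ref;
    if (r == 0) {
        h->destroyed = 1;
        live_hosts--;
        strcpy(h->status, "<reused memory>");   /* what a stale caller would see */
    }
    return r;
}

int dochost_live_count(void) { return live_hosts; }

/* Document object holding a back pointer to its host, like
 * HTMLDocumentObj->frame in the report (field names are hypothetical). */
typedef struct {
    DocHost *frame;
    int      owns_frame_ref;   /* did we AddRef() the pointer we store? */
} HTMLDocumentObj;

/* BUGGY: stores the pointer without taking a reference, so whoever else
 * releases the host destroys it while the document still points at it. */
void doc_set_frame_unowned(HTMLDocumentObj *doc, DocHost *frame)
{
    doc->frame = frame;
    doc->owns_frame_ref = 0;
}

/* FIXED: a pointer that outlives the current call owns a reference.
 * AddRef the new target before releasing the old one (they may be equal). */
void doc_set_frame_owned(HTMLDocumentObj *doc, DocHost *frame)
{
    if (frame) dochost_addref(frame);
    if (doc->frame && doc->owns_frame_ref) dochost_release(doc->frame);
    doc->frame = frame;
    doc->owns_frame_ref = (frame != NULL);
}

void doc_clear_frame(HTMLDocumentObj *doc)
{
    if (doc->frame && doc->owns_frame_ref) dochost_release(doc->frame);
    doc->frame = NULL;
    doc->owns_frame_ref = 0;
}

/* Stand-in for set_statustext() reached from the hidden window's task proc.
 * Returns 0 on success, -1 when it would have touched a destroyed host,
 * which is the point where the real code crashes. */
int doc_set_statustext(HTMLDocumentObj *doc, const char *text)
{
    if (!doc->frame) return 0;
    if (doc->frame->destroyed) return -1;
    strncpy(doc->frame->status, text, sizeof doc->frame->status - 1);
    return 0;
}

/* Scenario (constructed): the container creates the host, hands it to the
 * document, then drops its own reference.  A deferred task on the document
 * later updates the status text through the stored pointer. */
int run_scenario(int fixed)
{
    DocHost *host = dochost_create();
    HTMLDocumentObj doc = {0};
    int rc;

    if (fixed) doc_set_frame_owned(&doc, host);
    else       doc_set_frame_unowned(&doc, host);

    dochost_release(host);      /* creator's reference is gone */
    rc = doc_set_statustext(&doc, "Downloading...");
    doc_clear_frame(&doc);      /* document teardown drops its own reference, if any */
    return rc;
}

int main(void)
{
    printf("unowned back pointer: %s\n", run_scenario(0) ? "use of destroyed DocHost" : "ok");
    printf("owned back pointer:   %s\n", run_scenario(1) ? "use of destroyed DocHost" : "ok");
    printf("hosts still alive after fixed run: %d\n", dochost_live_count());
    return 0;
}
```

With the unowned setter the creator's Release takes the host to zero and the later status update lands on a destroyed object; with the owned setter the host survives until the document clears its pointer, and the live count ends at zero, so no reference is leaked either. In real code, replacing the tombstone with free() and building with -fsanitize=address turns the -1 into an AddressSanitizer heap-use-after-free report pointing at the equivalent of the set_statustext frame in the backtrace above.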