https://bugs.winehq.org/show_bug.cgi?id=35838
Bug ID: 35838
Summary: MS Works 9.0 word processor crashes on startup (process heaps need to be 64K aligned)
Product: Wine
Version: 1.7.15
Hardware: x86
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: ntdll
Assignee: wine-bugs@winehq.org
Reporter: focht@gmx.net
Hello folks,
found this while verifying bug 25780 and bug 29875. All applications work fine (Excel, Access) except the word processor.
Word crashes right on startup. It can be started stand-alone, without the 'MSWorks.exe' launcher:
--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files/Microsoft Works

$ WINEDEBUG=+tid,+seh,+relay wine ./WksWP.exe >>log.txt 2>&1
...
0047:Call KERNEL32.LoadLibraryExW(0033d66e L"C:\PROG~FBU\MICR~5BT\WkApComp.dll",00000000,00000008) ret=7e5de6cb
...
0047:Call KERNEL32.HeapCreate(00000000,00001000,00000000) ret=690a5e0a
0047:Ret KERNEL32.HeapCreate() retval=016d2000 ret=690a5e0a
...
0047:Ret PE DLL (proc=0x6962bfad,module=0x69600000 L"WkApComp.dll",reason=PROCESS_ATTACH,res=(nil)) retval=1
0047:Ret KERNEL32.LoadLibraryExW() retval=69600000 ret=7e5de6cb
...
0047:Call ntdll.RtlAllocateHeap(016d2000,00000000,00000014) ret=690a5e2e
0047:Ret ntdll.RtlAllocateHeap() retval=016d2b00 ret=690a5e2e
0047:Call KERNEL32.CreateFileW(0033d464 L"C:\users\focht\Application Data\Microsoft\Works\1033\WkAcCust.bin",80000000,00000001,00000000,00000003,08000080,00000000) ret=69624a7f
0047:Ret KERNEL32.CreateFileW() retval=ffffffff ret=69624a7f
0047:Call ntdll.RtlFreeHeap(016d0000,00000000,016d2b00) ret=690a5f32
0047:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7bc4ccdc ip=7bc4ccdc tid=0047
0047:trace:seh:raise_exception info[0]=00000000
0047:trace:seh:raise_exception info[1]=016d0054
0047:trace:seh:raise_exception eax=016d0000 ebx=7bcd1000 ecx=0033d3d0 edx=0000000c esi=0033d3d0 edi=0033d3dc
0047:trace:seh:raise_exception ebp=0033d358 esp=0033d320 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00210206
0047:trace:seh:call_stack_handlers calling handler at 0x60c9dcef code=c0000005 flags=0
--- snip ---
Many plugins/components create their own private heaps. The missing file 'WkAcCust.bin' accessed immediately before the crash is harmless. MS Works stores both formatted and plain autocorrect text in that single RTF (formatted) file, which doesn't exist on a pristine install.
Some heaps are 64K aligned by chance, some are not:
--- snip ---
$ grep "HeapCreate" log.txt
0047:Call KERNEL32.HeapCreate(00000000,00001000,00000000) ret=781349e0
0047:Ret KERNEL32.HeapCreate() retval=00340000 ret=781349e0
0047:Call KERNEL32.HeapCreate(00000000,00001000,00000000) ret=690a5e0a
0047:Ret KERNEL32.HeapCreate() retval=00480000 ret=690a5e0a
0047:Call KERNEL32.HeapCreate(00000000,00001000,00000000) ret=690a5e0a
0047:Ret KERNEL32.HeapCreate() retval=00590000 ret=690a5e0a
0047:Call KERNEL32.HeapCreate(00000000,00001000,00000000) ret=690a5e0a
0047:Ret KERNEL32.HeapCreate() retval=006a0000 ret=690a5e0a
0047:Call KERNEL32.HeapCreate(00000000,00010000,00000000) ret=7ac22afa
0047:Ret KERNEL32.HeapCreate() retval=007c0000 ret=7ac22afa
0047:Call KERNEL32.HeapCreate(00000000,00001000,00000000) ret=690a5e0a
0047:Ret KERNEL32.HeapCreate() retval=00931000 ret=690a5e0a
0047:Call KERNEL32.HeapCreate(00000000,00001000,00000000) ret=690a5e0a
0047:Ret KERNEL32.HeapCreate() retval=00b00000 ret=690a5e0a
0047:Call KERNEL32.HeapCreate(00000000,00001000,00000000) ret=690a5e0a
0047:Ret KERNEL32.HeapCreate() retval=00d81000 ret=690a5e0a
0047:Call KERNEL32.HeapCreate(00000000,00001000,00000000) ret=6392c1df
0047:Ret KERNEL32.HeapCreate() retval=00e91000 ret=6392c1df
0047:Call KERNEL32.HeapCreate(00000000,00001000,00000000) ret=0121556d
0047:Ret KERNEL32.HeapCreate() retval=01232000 ret=0121556d
0047:Call KERNEL32.HeapCreate(00000000,00001000,00000000) ret=690a5e0a
0047:Ret KERNEL32.HeapCreate() retval=01342000 ret=690a5e0a
0047:Call KERNEL32.HeapCreate(00000000,00010000,00000000) ret=7cdcca7a
0047:Ret KERNEL32.HeapCreate() retval=014b2000 ret=7cdcca7a
0047:Call KERNEL32.HeapCreate(00000000,00001000,00000000) ret=690a5e0a
0047:Ret KERNEL32.HeapCreate() retval=016d2000 ret=690a5e0a
--- snip ---
In the crash case, Wine creates a heap with base 0x016d2000. The plugin implements its own 'new' and 'delete' operators which do some magic with the heap base/handle (shifting 16 bits right indicates they somehow care about 64K alignment). In the RtlFreeHeap() call that causes the page fault, the process heap handle passed in is normalized to 0x016d0000 due to that 'magic'.
I searched the appdb MS Works entries and only found tests for old versions of Wine (1.5.x). No mention of any problems, except for the two bugs above, which were outdated anyway.
So I searched the commit log ... and found a culprit :)
--- snip ---
Module: wine
Branch: master
Commit: 0692bfda5f10e0c2dc6eed2a66e1a9f9c1092bad
URL: http://source.winehq.org/git/wine.git/?a=commit;h=0692bfda5f10e0c2dc6eed2a66...

Author: Alexandre Julliard <julliard at winehq.org>
Date:   Thu Jan 28 19:47:01 2010 +0100

ntdll: Don't require heap sizes to be 64K aligned.
--- snip ---
Reverting that commit lets the word processor successfully start.
$ sha1sum X14-02658.exe 056fb46da532b0bac1a2504b5bfc527debde0535 X14-02658.exe
$ du -sh X14-02658.exe 248M X14-02658.exe
$ wine --version wine-1.7.15
Regards
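Added example (not part of the bug report and not Wine code): a script that pairs the HeapCreate Call/Ret lines from the +relay log quoted in comment #0 and applies the normalization the reporter infers from the plugin's 16-bit shift, so one can see which of the thirteen private heaps still resolve to a real heap afterwards and which turn into a handle that names nothing (the RtlFreeHeap(016d0000) pattern). The normalization is assumed to be "round the handle down to a 64K boundary"; the report only says the plugin shifts right by 16 bits.

```python
import re

# HeapCreate Call/Ret pairs copied from the +relay log quoted in comment #0.
RELAY_LOG = """\
0047:Call KERNEL32.HeapCreate(00000000,00001000,00000000) ret=781349e0
0047:Ret KERNEL32.HeapCreate() retval=00340000 ret=781349e0
0047:Call KERNEL32.HeapCreate(00000000,00001000,00000000) ret=690a5e0a
0047:Ret KERNEL32.HeapCreate() retval=00480000 ret=690a5e0a
0047:Call KERNEL32.HeapCreate(00000000,00001000,00000000) ret=690a5e0a
0047:Ret KERNEL32.HeapCreate() retval=00590000 ret=690a5e0a
0047:Call KERNEL32.HeapCreate(00000000,00001000,00000000) ret=690a5e0a
0047:Ret KERNEL32.HeapCreate() retval=006a0000 ret=690a5e0a
0047:Call KERNEL32.HeapCreate(00000000,00010000,00000000) ret=7ac22afa
0047:Ret KERNEL32.HeapCreate() retval=007c0000 ret=7ac22afa
0047:Call KERNEL32.HeapCreate(00000000,00001000,00000000) ret=690a5e0a
0047:Ret KERNEL32.HeapCreate() retval=00931000 ret=690a5e0a
0047:Call KERNEL32.HeapCreate(00000000,00001000,00000000) ret=690a5e0a
0047:Ret KERNEL32.HeapCreate() retval=00b00000 ret=690a5e0a
0047:Call KERNEL32.HeapCreate(00000000,00001000,00000000) ret=690a5e0a
0047:Ret KERNEL32.HeapCreate() retval=00d81000 ret=690a5e0a
0047:Call KERNEL32.HeapCreate(00000000,00001000,00000000) ret=6392c1df
0047:Ret KERNEL32.HeapCreate() retval=00e91000 ret=6392c1df
0047:Call KERNEL32.HeapCreate(00000000,00001000,00000000) ret=0121556d
0047:Ret KERNEL32.HeapCreate() retval=01232000 ret=0121556d
0047:Call KERNEL32.HeapCreate(00000000,00001000,00000000) ret=690a5e0a
0047:Ret KERNEL32.HeapCreate() retval=01342000 ret=690a5e0a
0047:Call KERNEL32.HeapCreate(00000000,00010000,00000000) ret=7cdcca7a
0047:Ret KERNEL32.HeapCreate() retval=014b2000 ret=7cdcca7a
0047:Call KERNEL32.HeapCreate(00000000,00001000,00000000) ret=690a5e0a
0047:Ret KERNEL32.HeapCreate() retval=016d2000 ret=690a5e0a
"""

CALL_RE = re.compile(
    r"^(?P<tid>[0-9a-f]{4}):Call KERNEL32\.HeapCreate\("
    r"(?P<flags>[0-9a-f]{8}),(?P<initial>[0-9a-f]{8}),(?P<maximum>[0-9a-f]{8})\)"
    r" ret=(?P<ret>[0-9a-f]{8})$")
RET_RE = re.compile(
    r"^(?P<tid>[0-9a-f]{4}):Ret\s+KERNEL32\.HeapCreate\(\)"
    r" retval=(?P<retval>[0-9a-f]{8}) ret=(?P<ret>[0-9a-f]{8})$")


def parse_heap_creates(log):
    """Pair each HeapCreate Call with the Ret of the same thread and return
    address; return one dict per created heap (arguments plus handle)."""
    pending, heaps = {}, []
    for line in log.splitlines():
        m = CALL_RE.match(line)
        if m:
            pending[(m["tid"], m["ret"])] = m.groupdict()
            continue
        m = RET_RE.match(line)
        if m:
            call = pending.pop((m["tid"], m["ret"]), None)
            if call is None:
                continue  # Ret without a matching Call: relay output was cut
            heaps.append({
                "flags": int(call["flags"], 16),
                "initial_size": int(call["initial"], 16),
                "caller": int(call["ret"], 16),
                "handle": int(m["retval"], 16),
            })
    return heaps


def normalize_64k(handle):
    """Assumed plugin behaviour: shift right by 16 and back, i.e. round the
    handle down to a 64K boundary."""
    return (handle >> 16) << 16


def is_64k_aligned(handle):
    return handle & 0xFFFF == 0


def misaligned_heaps(heaps):
    """Handles that are not 64K aligned (these change under normalization)."""
    return [h["handle"] for h in heaps if not is_64k_aligned(h["handle"])]


def free_would_fault(heap_handles, handle):
    """True when the normalized handle names no existing heap, which is what
    RtlFreeHeap(016d0000) hit for the heap created at 016d2000."""
    return normalize_64k(handle) not in set(heap_handles)


if __name__ == "__main__":
    heaps = parse_heap_creates(RELAY_LOG)
    handles = [h["handle"] for h in heaps]
    for h in heaps:
        verdict = "faults" if free_would_fault(handles, h["handle"]) else "ok"
        print(f"{h['handle']:08x} -> {normalize_64k(h['handle']):08x} {verdict}")
```

Only the heaps that happened to land on a 64K boundary survive the round-down; the seven others, including 0x016d2000, are turned into handles Wine never handed out.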
Anastasius Focht focht@gmx.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |download, regression
                URL|                            |http://azcdn01.digitalrivercontent.net/msoffice/pub/X14-02658/X14-02658.exe
    Regression SHA1|                            |0692bfda5f10e0c2dc6eed2a66e1a9f9c1092bad
Anastasius Focht focht@gmx.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
      Fixed by SHA1|                            |395df1aa2d50dc4622e64b552c85fca200798b0e
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #1 from Anastasius Focht focht@gmx.net ---
Hello folks,
this is fixed by commit http://source.winehq.org/git/wine.git/commitdiff/395df1aa2d50dc4622e64b552c8...
Thanks Alexandre
Works word works ;-)
Regards
Alexandre Julliard julliard@winehq.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #2 from Alexandre Julliard julliard@winehq.org ---
Closing bugs fixed in 1.7.16.
Anastasius Focht focht@gmx.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                URL|http://azcdn01.digitalrivercontent.net/msoffice/pub/X14-02658/X14-02658.exe|https://web.archive.org/web/20150405122849/https://drcdn.blob.core.windows.net/msoffice/pub/X14-02658/X14-02658.exe

--- Comment #3 from Anastasius Focht focht@gmx.net ---
Hello folks,
adding stable download link via Internet Archive.
Reminder for all folks scraping archive.org for existing snapshots: You need to be extra careful with larger application installers. Several times I found truncated / corrupted ones. Always test the downloads before adding archive.org links to bug reports.
Example:
https://web.archive.org/web/*/http://azcdn01.digitalrivercontent.net/msoffic...
Lists two same-day (minute) snapshots where one is seemingly usable.
--- snip ---
$ wget "http://web.archive.org/cdx/search/cdx?url=%22azcdn01.digitalrivercontent.net..." -q -O - | grep application/
net,digitalrivercontent,azcdn01)/msoffice/pub/x14-02658/x14-02658.exe 20140329161252 http://azcdn01.digitalrivercontent.net/msoffice/pub/X14-02658/X14-02658.exe application/octet-stream 200 TVBNHRO2SRWRMOG3WGC6G7JOHXZABEYB 209492129
--- snip ---
The 'X14-02658.exe' snapshot payload size is 209492129 bytes = 201M while the original installer is 248M (comment #0). When running the installer, the loader reports that the executable resource section has been truncated, which is correct.
--- snip ---
$ wine ./X14-02658.exe
00d0:err:module:map_image_into_view Could not map L"\??\Z:\home\focht\Downloads\X14-02658.exe" section .rsrc, file probably truncated
wine: failed to start L"Z:\home\focht\Downloads\X14-02658.exe"
Application could not be started, or no application associated with the specified file.
ShellExecuteEx failed: Bad EXE format for Z:\home\focht\Downloads\X14-02658.exe.
--- snip ---
Fortunately I found this reddit thread:
https://www.reddit.com/r/windows/comments/6hkrrk/does_anyone_still_have_the_...
Where the user betacollector64 posted an alternate site link:
https://web.archive.org/web/20140914052509/https://drcdn.blob.core.windows.n...
Victory? Nope. Even that one is corrupted. No idea why neither the OP nor anyone else bothered to correct him in the thread. By using the archive.org CDX API from the command line one can find:
--- snip ---
$ wget "http://web.archive.org/cdx/search/cdx?url=%22drcdn.blob.core.windows.net/mso..." -q -O - | grep application/
net,windows,core,blob,drcdn)/msoffice/pub/x14-02658/x14-02658.exe 20140914052509 https://drcdn.blob.core.windows.net/msoffice/pub/X14-02658/X14-02658.exe application/octet-stream 200 TVBNHRO2SRWRMOG3WGC6G7JOHXZABEYB 209492105
net,windows,core,blob,drcdn)/msoffice/pub/x14-02658/x14-02658.exe 20140914052514 https://drcdn.blob.core.windows.net/msoffice/pub/X14-02658/X14-02658.exe application/octet-stream 200 TVBNHRO2SRWRMOG3WGC6G7JOHXZABEYB 209492102
net,windows,core,blob,drcdn)/msoffice/pub/x14-02658/x14-02658.exe 20150405122849 https://drcdn.blob.core.windows.net/msoffice/pub/X14-02658/X14-02658.exe application/octet-stream 200 AVX3I3NFGKYLVQNCKBFVX7CSPXV54BJV 259415540
--- snip ---
The last one with 259415540 bytes in size is the only snapshot that didn't get truncated / corrupted.
https://web.archive.org/web/20150405122849/https://drcdn.blob.core.windows.n...
MicrosoftInstaller.exe = X14-02658.exe
$ sha1sum MicrosoftInstaller.exe 056fb46da532b0bac1a2504b5bfc527debde0535 MicrosoftInstaller.exe
$ du -sh MicrosoftInstaller.exe 248M MicrosoftInstaller.exe
Regards
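Added example (not part of comment #3 and not Wine or archive.org code) for the two checks the comment does by hand: picking the one CDX capture whose recorded length matches the known-good installer size, and detecting, before running anything, the condition Wine's loader reports as "section .rsrc, file probably truncated", namely a section whose raw data extends past the end of the file. The CDX rows are the three quoted above; the PE image is constructed in the script (a stub PE32 with a .text and a .rsrc section) and then cut short to simulate a truncated download. It treats the CDX length column as the payload size, as the comment does; the sha1sum on the actual download remains the authoritative test.

```python
import struct

# CDX rows copied from the drcdn.blob.core.windows.net query in comment #3
# (default field order: urlkey timestamp original mimetype statuscode digest length).
CDX_OUTPUT = """\
net,windows,core,blob,drcdn)/msoffice/pub/x14-02658/x14-02658.exe 20140914052509 https://drcdn.blob.core.windows.net/msoffice/pub/X14-02658/X14-02658.exe application/octet-stream 200 TVBNHRO2SRWRMOG3WGC6G7JOHXZABEYB 209492105
net,windows,core,blob,drcdn)/msoffice/pub/x14-02658/x14-02658.exe 20140914052514 https://drcdn.blob.core.windows.net/msoffice/pub/X14-02658/X14-02658.exe application/octet-stream 200 TVBNHRO2SRWRMOG3WGC6G7JOHXZABEYB 209492102
net,windows,core,blob,drcdn)/msoffice/pub/x14-02658/x14-02658.exe 20150405122849 https://drcdn.blob.core.windows.net/msoffice/pub/X14-02658/X14-02658.exe application/octet-stream 200 AVX3I3NFGKYLVQNCKBFVX7CSPXV54BJV 259415540
"""
CDX_FIELDS = ("urlkey", "timestamp", "original", "mimetype", "statuscode", "digest", "length")
INSTALLER_SIZE = 259415540  # size of the intact X14-02658.exe given in the thread


def parse_cdx(text):
    """Parse default space-separated CDX output into one dict per capture."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(CDX_FIELDS):
            continue  # blank line or a format this parser does not know
        row = dict(zip(CDX_FIELDS, parts))
        row["length"] = int(row["length"])
        rows.append(row)
    return rows


def usable_snapshots(rows, expected_length):
    """Keep only 200 captures whose recorded length matches the known-good size."""
    return [r for r in rows if r["statuscode"] == "200" and r["length"] == expected_length]


def snapshot_url(row):
    """Wayback URL in the same form as the stable link in comment #3."""
    return f"https://web.archive.org/web/{row['timestamp']}/{row['original']}"


def truncated_sections(data):
    """Names of sections whose raw data runs past end of file (the condition
    the Wine loader reports as 'file probably truncated')."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # section headers follow the optional header
    bad = []
    for i in range(nsections):
        off = table + 40 * i
        if off + 40 > len(data):
            bad.append("<section table>")  # even the header is cut off
            break
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        if raw_size and raw_ptr + raw_size > len(data):
            bad.append(name.rstrip(b"\0").decode("ascii"))
    return bad


def build_pe(sections, truncate_to=None):
    """Constructed stub PE32 for this example: sections is [(name, raw_size)],
    raw data is laid out back to back at file alignment 0x200; truncate_to
    cuts the file short to simulate a bad download."""
    opt_size, e_lfanew = 0xE0, 0x40
    hdr_len = e_lfanew + 24 + opt_size + 40 * len(sections)
    raw_start = (hdr_len + 0x1FF) & ~0x1FF
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    table, ptr, va = b"", raw_start, 0x1000
    for name, raw_size in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), raw_size, va,
                             raw_size, ptr, 0, 0, 0, 0, 0x40000040)
        ptr += raw_size
        va += (raw_size + 0xFFF) & ~0xFFF
    image = dos + coff + opt + table
    image += b"\0" * (raw_start - len(image)) + bytes(ptr - raw_start)
    return image if truncate_to is None else image[:truncate_to]


if __name__ == "__main__":
    for row in usable_snapshots(parse_cdx(CDX_OUTPUT), INSTALLER_SIZE):
        print("usable:", snapshot_url(row))
    sections = [(b".text", 0x1000), (b".rsrc", 0x2000)]
    print("intact:", truncated_sections(build_pe(sections)))
    print("cut short:", truncated_sections(build_pe(sections, truncate_to=10000)))
```

The section walk needs only the PE header, so it can be run on a download before wasting time on a 248M install; the two earlier captures above share a digest but differ in length, which is by itself a sign that neither is the whole file.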