http://bugs.winehq.org/show_bug.cgi?id=27340
Summary: WoW Launcher crashes, NULL pointer dereferenced
Product: Wine
Version: 1.3.21
Platform: x86
OS/Version: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: mshtml
AssignedTo: wine-bugs@winehq.org
ReportedBy: rankincj@yahoo.com
This bug started happening at about the same time as the 1.3.21 release. What is happening is that the get_script_guid() function in dlls/mshtml/script.c is being passed nsscript=NULL. This function contains the line:
nsres = nsIDOMHTMLScriptElement_GetType(nsscript, &val_str);
where nsIDOMHTMLScriptElement_GetType() is really a macro defined as:
#define nsIDOMHTMLScriptElement_GetType(This,aType) (This)->lpVtbl->GetType(This,aType)
So being passed NULL for This is a "Bad Thing", obviously.
I have no idea *why* nsscript is NULL suddenly; presumably doc_insert_script() is being passed NULL.
Jerome Leclanche adys.wh@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |adys.wh@gmail.com
--- Comment #1 from Jerome Leclanche adys.wh@gmail.com 2011-05-31 03:58:18 CDT --- Please post the results of a regression test:
http://wiki.winehq.org/RegressionTesting
--- Comment #2 from rankincj@yahoo.com 2011-06-01 03:13:35 CDT --- This crash might actually be the result of upgrading to Fedora 15/GNOME 3, because WoW also crashes with Fedora's wine packages:
$ rpm -q wine-core-1.3.20-1.fc15.i686 --info
Name        : wine-core
Version     : 1.3.20
Release     : 1.fc15
Architecture: i686
Install Date: Fri 27 May 2011 00:03:49 BST
Group       : Applications/Emulators
Size        : 95484534
License     : LGPLv2+
Signature   : RSA/SHA256, Mon 16 May 2011 22:55:27 BST, Key ID b4ebf579069c8460
Source RPM  : wine-1.3.20-1.fc15.src.rpm
Build Date  : Sun 15 May 2011 15:11:42 BST
Build Host  : x86-03.phx2.fedoraproject.org
Relocations : (not relocatable)
Packager    : Fedora Project
Vendor      : Fedora Project
URL         : http://www.winehq.org/
Summary     : Wine core package
Description :
Wine core package includes the basic wine stuff needed by all other packages.
This package was built on 15th May, and I was using wine from git without problems back then.
--- Comment #3 from rankincj@yahoo.com 2011-06-01 03:18:02 CDT --- The exact stack trace of the crash is:
Backtrace:
=>0 0x7cc98ed0 doc_insert_script+0x30() in mshtml (0x0032e474)
  1 0x7cc6cff6 run_insert_script+0xb5() in mshtml (0x037628e8)
  2 0x0032e550 (0x047c95b8)
  3 0x00000002 (0x7ccf0a28)
  4 0x7cc6cb30 in mshtml (+0x6cb2f) (0x7cc6df60)
  5 0x00000010 (0xb94cec83)
The code in run_insert_script() is:
    nsres = nsISupports_QueryInterface(script_iface, &IID_nsIDOMHTMLScriptElement, (void**)&nsscript);
    if(NS_FAILED(nsres)) {
        ERR("Could not get nsIDOMHTMLScriptElement: %08x\n", nsres);
        return nsres;
    }
So nsscript must still be NULL after calling nsISupports_QueryInterface(), and NS_FAILED(nsres) is not true.
--- Comment #4 from Juan Lang juan_lang@yahoo.com 2011-06-01 09:52:57 CDT --- (In reply to comment #3)
So nsscript must still be NULL after calling nsISupports_QueryInterface(), and NS_FAILED(nsres) is not true.
That's not how QueryInterface is supposed to work. Either your assumption is wrong, or there's a bug in gecko (i.e., not in Wine.) I suspect the bug is elsewhere. Getting a backtrace with debug symbols would be more useful.
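The contract comment #4 is relying on, shown as an added example rather than Wine or Gecko code: a conforming QueryInterface never reports success while leaving the out-pointer NULL, so an NS_FAILED() test on the return value is normally enough. The model below is self-contained and hypothetical (one-word IIDs, a two-entry vtable, a deliberately broken `bad_QI` that reproduces the "success but NULL" behaviour comment #3 assumed); it places the NS_FAILED()-only check quoted in comment #3 beside a variant that also rejects a NULL interface, which is the cheap way to tell "QueryInterface misbehaved" apart from "something else clobbered nsscript later" before reaching for a debugger.

```c
/* Added example, not Wine code. Models the XPCOM QueryInterface contract
 * from comment #4 and shows why run_insert_script()'s NS_FAILED()-only
 * check cannot by itself prove that nsscript is non-NULL. The IIDs, the
 * vtables and the "buggy" object are hypothetical. */
#include <stddef.h>

typedef unsigned int nsresult;
#define NS_OK          0x00000000u
#define NS_NOINTERFACE 0x80004002u
#define NS_FAILED(rv)  (((rv) & 0x80000000u) != 0)   /* failure bit, as in Gecko */

typedef struct { unsigned int id; } IID;     /* hypothetical one-word IIDs */
static const IID IID_nsISupports             = { 1 };
static const IID IID_nsIDOMHTMLScriptElement = { 2 };

struct element;
typedef struct {
    nsresult (*QueryInterface)(struct element *This, const IID *iid, void **out);
    nsresult (*GetType)(struct element *This, const char **type);
} Vtbl;

/* Same shape as the objects behind Wine's (This)->lpVtbl->Method(This, ...) macros. */
struct element {
    const Vtbl *lpVtbl;
    const char *type;
    int is_script;          /* 1 for a <script> element, 0 for anything else */
};

/* A conforming QueryInterface: the call fails exactly when *out is left NULL. */
static nsresult good_QI(struct element *This, const IID *iid, void **out)
{
    *out = NULL;
    if (iid->id == IID_nsISupports.id ||
        (iid->id == IID_nsIDOMHTMLScriptElement.id && This->is_script)) {
        *out = This;
        return NS_OK;
    }
    return NS_NOINTERFACE;
}

/* Hypothetical broken QueryInterface: reports success without producing an
 * interface, the behaviour comment #3 assumed and comment #4 rules out. */
static nsresult bad_QI(struct element *This, const IID *iid, void **out)
{
    (void)This; (void)iid;
    *out = NULL;
    return NS_OK;
}

static nsresult GetType(struct element *This, const char **type)
{
    *type = This->type;
    return NS_OK;
}

static const Vtbl good_vtbl = { good_QI, GetType };
static const Vtbl bad_vtbl  = { bad_QI,  GetType };

enum { INSERTED = 0, QI_FAILED = 1, NULL_IFACE = 2, WOULD_CRASH = 3 };

/* Mirrors the check quoted in comment #3: only NS_FAILED(nsres) is tested
 * before the interface is used. Where Wine's doc_insert_script() would
 * dereference nsscript (script.c:757 in the backtrace), this returns
 * WOULD_CRASH instead of actually faulting. */
static int insert_script_unchecked(struct element *iface)
{
    struct element *nsscript = NULL;
    const char *type;
    nsresult nsres = iface->lpVtbl->QueryInterface(iface, &IID_nsIDOMHTMLScriptElement,
                                                   (void **)&nsscript);
    if (NS_FAILED(nsres))
        return QI_FAILED;
    if (nsscript == NULL)
        return WOULD_CRASH;          /* stand-in for the NULL dereference */
    nsscript->lpVtbl->GetType(nsscript, &type);
    return INSERTED;
}

/* Defensive variant: "success with NULL" is reported as its own error
 * instead of being trusted, turning a page fault into a diagnosable ERR. */
static int insert_script_checked(struct element *iface)
{
    struct element *nsscript = NULL;
    const char *type;
    nsresult nsres = iface->lpVtbl->QueryInterface(iface, &IID_nsIDOMHTMLScriptElement,
                                                   (void **)&nsscript);
    if (NS_FAILED(nsres))
        return QI_FAILED;
    if (nsscript == NULL)
        return NULL_IFACE;
    nsscript->lpVtbl->GetType(nsscript, &type);
    return INSERTED;
}

/* Constructed sample objects: a real <script>, a non-script element, and
 * an object whose QueryInterface violates the contract. */
struct element script_el = { &good_vtbl, "text/javascript", 1 };
struct element div_el    = { &good_vtbl, NULL,              0 };
struct element buggy_el  = { &bad_vtbl,  NULL,              1 };
```

With a conforming object both variants behave identically, which is the point of comment #4: if nsscript is non-NULL right after QueryInterface (as the reporter's fprintf in comment #5 says) and NULL after a later call, the explanation is not QueryInterface but whatever runs in between, and a NULL check at the call site would only mask the real problem.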
--- Comment #5 from rankincj@yahoo.com 2011-06-01 17:38:06 CDT --- (In reply to comment #4)
That's not how QueryInterface is supposed to work... I suspect the bug is elsewhere.
According to my fprintf statements, nsscript is not NULL immediately before:
if(nsparser) nsIParser_BeginEvaluatingParserInsertedScript(nsparser);
in mutation.c, and is NULL immediately afterwards.
--- Comment #6 from rankincj@yahoo.com 2011-06-02 14:54:11 CDT --- (In reply to comment #4)
Getting a backtrace with debug symbols would be more useful.
Here it is:
Unhandled exception: page fault on read access to 0x00000000 in 32-bit code (0x7ce98b10).
Register dump:
 CS:0073 SS:007b DS:007b ES:007b FS:0033 GS:003b
 EIP:7ce98b10 ESP:0032e404 EBP:0032e474 EFLAGS:00010203(  R- --  I   - - -C)
 EAX:00000001 EBX:7cef22fc ECX:ffffffff EDX:00000000
 ESI:00000000 EDI:037bed68
Stack dump:
0x0032e404:  0032e474 00000000 047bfb00 0032e430
0x0032e414:  6a00410b 047bfb00 04630000 0032e450
0x0032e424:  047bfb30 047bfb00 04630000 0032e470
0x0032e434:  037bed68 cbc0cbd8 037bed68 0032e480
0x0032e444:  6a617b40 037bed68 6ab94f64 0032e490
0x0032e454:  047bfb00 0000000f 0000000e 0032e480
Backtrace:
=>0 0x7ce98b10 doc_insert_script+0x30(window=0x36d6350, nsscript=(nil)) [/home/chris/Programs/wine/dlls/mshtml/script.c:757] in mshtml (0x0032e474)
  1 0x7ce6c696 run_insert_script+0xb5(doc=0x7ce6c03e, script_iface=0x4655f30, parser_iface=0x47bfb30) [/home/chris/Programs/wine/dlls/mshtml/mutation.c:338] in mshtml (0x04655f30)
  2 0x0032e550 (0x047bf728)
  3 0x00000002 (0x7cef0a48)
  4 0x7ce6c1d0 in mshtml (+0x6c1cf) (0x7ce6d600)
  5 0x00000010 (0xb94cec83)
0x7ce98b10 doc_insert_script+0x30 [/home/chris/Programs/wine/dlls/mshtml/script.c:757] in mshtml: movl 0x0(%esi),%eax
757     nsres = nsIDOMHTMLScriptElement_GetType(nsscript, &val_str);
--- Comment #7 from Juan Lang juan_lang@yahoo.com 2011-06-03 14:06:41 CDT --- Please attach a +mshtml,+tid log.
--- Comment #8 from rankincj@yahoo.com 2011-06-04 06:29:54 CDT --- Created an attachment (id=35013) --> (http://bugs.winehq.org/attachment.cgi?id=35013) WINEDEBUG=+mshtml,+tid
(In reply to comment #7)
Please attach a +mshtml,+tid log.
Voila.
--- Comment #9 from Juan Lang juan_lang@yahoo.com 2011-06-04 09:31:22 CDT --- Note that the address is no longer NULL. This suggests memory corruption.
Juan Lang juan_lang@yahoo.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ufchrisg@gmail.com
--- Comment #10 from Juan Lang juan_lang@yahoo.com 2011-06-05 12:17:41 CDT --- *** Bug 27399 has been marked as a duplicate of this bug. ***
Juan Lang juan_lang@yahoo.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
     Ever Confirmed|0                           |1
--- Comment #11 from Juan Lang juan_lang@yahoo.com 2011-06-05 12:18:15 CDT --- Since another reporter had the same problem, confirming.
--- Comment #12 from ufchrisg@gmail.com 2011-06-05 13:21:46 CDT --- I can confirm this issue also exists in 1.3.18 and 1.3.20. Both were in FC15 and GNOME 3.
--- Comment #13 from rankincj@yahoo.com 2011-06-05 16:10:03 CDT --- F15 uses gcc 4.6.0, whereas F14 uses gcc 4.5.1. Could this be relevant? Unfortunately, valgrind is failing on F15 here.
Austin English austinenglish@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |DUPLICATE
--- Comment #14 from Austin English austinenglish@gmail.com 2011-07-04 17:43:47 CDT --- I can trigger the same crash with 'make htmldoc.ok' when compiling wine with gcc 4.6.0 (4.4.5 is fine).
The patch from bug 27375 helps, though.
*** This bug has been marked as a duplicate of bug 27375 ***
Austin English austinenglish@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED
--- Comment #15 from Austin English austinenglish@gmail.com 2011-07-07 16:16:22 CDT --- Closing.