http://bugs.winehq.org/show_bug.cgi?id=31360
Bug #: 31360
Summary: Bobcad v21 crashes on startup
Product: Wine
Version: 1.5.9
Platform: x86
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: -unknown
AssignedTo: wine-bugs@winehq.org
ReportedBy: dank@kegel.com
Classification: Unclassified
Tried installing v21 express trial from http://www.bobcad.com, sha1sum 2e986bc8e48e74d361a100d0f8ea5f7b1d41c38e v21.6.exe
Need 'winetricks mfc42' before install to avoid a DLL registration failure.
On startup, the app crashes. +relay shows it's right after ole32.OleCreateEmbeddingHelper() returns. Adding warn+heap seems to show it's using freed memory as a pointer:

...
0045:Ret ole32.OleCreateEmbeddingHelper() retval=00000000 ret=007477df
0045:Call KERNEL32.InterlockedDecrement(02813064) ret=00745900
0045:Ret KERNEL32.InterlockedDecrement() retval=00000005 ret=00745900
trace:seh:raise_exception code=c0000005 flags=0 addr=0x7492f7 ip=007492f7 tid=0045
...
Unhandled exception: page fault on read access to 0xfeeefeee in 32-bit code (0x007492f7).
Backtrace:
=>0 0x007492f7 in bobcad21 (+0x3492f7) (0x0033f184)
  1 0x00743441 in bobcad21 (+0x343440) (0x0033f208)
  2 0x7bc63e6a call_entry_point+0x29() in ntdll (0x0033f238)
  3 0x7bc64a74 relay_call+0x173(descr=0x7e7dc248, idx=0x5000d, stack=0x33f2ac) [wine-git/dlls/ntdll/relay.c:466] in ntdll (0x0033f298)
  4 0x7e6ff4bd in ole32 (+0xf4bc) (0x0033f2f0)
  5 0x0046290c in bobcad21 (+0x6290b) (0x0033f2f0)
Dan Kegel dank@kegel.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |download
                URL|                            |http://www.bobcad.com
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                URL|http://www.bobcad.com       |http://bobcad.com/wp-content/media/updates/archive/v21.5.3.exe
                 CC|                            |focht@gmx.net
          Component|-unknown                    |ole32
--- Comment #1 from Anastasius Focht focht@gmx.net ---
Hello folks,
confirming, still present.
The app passes an outer IUnknown with *zero* ref count to 'OleCreateEmbeddingHelper' and expects it to stay alive.
Wine drops the ref count of outer unknown after creating the datacache object (refcount = 1 at this point), causing the destruction (memory freed). The app accesses the outer unknown vtable after 'OleCreateEmbeddingHelper' returns, causing the crash.
Source: http://source.winehq.org/git/wine.git/blob/c0a17a4f098ea148e24f4bc802a6739e6...
--- snip ---
1881 static DefaultHandler* DefaultHandler_Construct(
1882         REFCLSID clsid,
1883         LPUNKNOWN pUnkOuter,
1884         DWORD flags,
1885         IClassFactory *pCF)
1886 {
1887   DefaultHandler* This = NULL;
1888   HRESULT hr;
...
1919   This->outerUnknown = pUnkOuter;
1920
1921   /*
1922    * Create a datacache object.
1923    * We aggregate with the datacache. Make sure we pass our outer
1924    * unknown as the datacache's outer unknown.
1925    */
1926   hr = CreateDataCache(This->outerUnknown,
1927                        clsid,
1928                        &IID_IUnknown,
1929                        (void**)&This->dataCache);
1930   if(SUCCEEDED(hr))
1931   {
1932     hr = IUnknown_QueryInterface(This->dataCache, &IID_IPersistStorage, (void**)&This->dataCache_PersistStg);
1933     /* keeping a reference to This->dataCache_PersistStg causes us to keep a
1934      * reference on the outer object */
1935     if (SUCCEEDED(hr))
1936       IUnknown_Release(This->outerUnknown);
1937     else
1938       IUnknown_Release(This->dataCache);
1939   }
...
--- snip ---
Outer unknown is gone after line 1936 which should not happen.
$ sha1sum v21.5.3.exe
03958ea4ad4877bfdcdfd253845c677a94c53294 v21.5.3.exe

$ du -sh v21.5.3.exe
56M v21.5.3.exe

$ wine --version
wine-1.7.25-21-gc87901d
Regards
winetest@luukku.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |winetest@luukku.com
--- Comment #2 from winetest@luukku.com ---
Still valid

Download is around 55Mb.

sha1sum v21.5.3.exe
03958ea4ad4877bfdcdfd253845c677a94c53294 v21.5.3.exe

My download seems to match with Focht's.
wine 2.0rc4 and staging 2.0rc3.
joaopa jeremielapuree@yahoo.fr changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jeremielapuree@yahoo.fr

--- Comment #3 from joaopa jeremielapuree@yahoo.fr ---
With wine-5.22 and mfc42u.dll installed, install process finished properly. Can an administrator close this bug as FIXED?
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                URL|http://bobcad.com/wp-content/media/updates/archive/v21.5.3.exe |https://web.archive.org/web/20111102035423/http://www.bobcad.com/wp-content/media/updates/archive/v21.5.3.exe

--- Comment #4 from Anastasius Focht focht@gmx.net ---
Hello joaopa,

--- quote ---
With wine-5.22 and mfc42u.dll installed, install process finished properly. Can an administrator close this bug as FIXED?
--- quote ---
No, nothing has been fixed. The app still crashes on startup. It was never about the installer.
Adding stable download link via Internet Archive:
https://web.archive.org/web/20111102035423/http://www.bobcad.com/wp-content/...
To prove it's exactly the same issue I analysed six years ago:
--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files (x86)/BobCAD-CAM

$ WINEDEBUG=+seh,+loaddll,+relay,+ole wine ./Bobcad21.exe >>log.txt 2>&1
...
0128:Call combase.CoCreateInstance(00c896bc,00000000,00000001,00ce7524,0031f47c) ret=0046291c
0128:trace:ole:CoCreateInstance {76330d00-8446-11d2-9fac-00a024d91db2}, 00000000, 0x1, {0000010b-0000-0000-c000-000000000046}, 0031F47C.
0128:trace:ole:CoCreateInstanceEx {76330d00-8446-11d2-9fac-00a024d91db2}, 00000000, 0x1, 00000000, 1, 0031F3F0
0128:trace:ole:CoGetTreatAsClass {76330d00-8446-11d2-9fac-00a024d91db2}, 0031F388.
...
0128:trace:ole:apartment_release 12400000128: after = 1
...
0128:Call KERNEL32.OutputDebugStringA(0361f844 "COleHelperObject::COleHelperObject 0361F758\n") ret=007620a5
0128:Ret KERNEL32.OutputDebugStringA() retval=00000000 ret=007620a5
...
0128:Call KERNEL32.OutputDebugStringA(0361f844 "COleHelperObject::FinalConstruct 0361F758\n") ret=007620a5
0128:Ret KERNEL32.OutputDebugStringA() retval=00000000 ret=007620a5
...
0128:Call ole32.OleCreateEmbeddingHelper(00c896bc,0361f758,00010001,0361f638,00ce9244,0361f778) ret=00746f2f
0128:trace:ole:OleCreateEmbeddingHelper ({76330d00-8446-11d2-9fac-00a024d91db2}, 0361F758, 00010001, 0361F638, {00000000-0000-0000-c000-000000000046}, 0361F778)
...
0128:trace:ole:CreateDataCache ({76330d00-8446-11d2-9fac-00a024d91db2}, 0361F758, {00000000-0000-0000-c000-000000000046}, 03ABAAC8)
...
0128:Call KERNEL32.OutputDebugStringA(0361f844 "COleHelperObject::FinalRelease 0361F758\n") ret=007620a5
0128:Ret KERNEL32.OutputDebugStringA() retval=00000000 ret=007620a5
...
0128:Call KERNEL32.OutputDebugStringA(0361f854 "COleHelperObject::~COleHelperObject 0361F758\n") ret=007620a5
0128:Ret KERNEL32.OutputDebugStringA() retval=00000000 ret=007620a5
...
0128:Ret ole32.OleCreateEmbeddingHelper() retval=00000000 ret=00746f2f
0128:Call KERNEL32.InterlockedDecrement(0361f63c) ret=00745050
0128:Ret KERNEL32.InterlockedDecrement() retval=00000003 ret=00745050
0128:trace:seh:dispatch_exception code=c0000005 flags=0 addr=036000BC ip=036000bc tid=0128
0128:trace:seh:dispatch_exception info[0]=00000001
0128:trace:seh:dispatch_exception info[1]=00000000
0128:trace:seh:dispatch_exception eax=00000000 ebx=0031f39c ecx=03633720 edx=00ce7524 esi=0361f758 edi=00000000
0128:trace:seh:dispatch_exception ebp=0031f308 esp=003192fc cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00210246
0128:trace:seh:call_vectored_handlers calling handler at 7B00F270 code=c0000005 flags=0
0128:trace:seh:call_vectored_handlers handler at 7B00F270 returned 0
0128:trace:seh:call_stack_handlers calling handler at 00C36AC0 code=c0000005 flags=0
0128:trace:seh:cxx_frame_handler handling C exception code c0000005 rec 00319128 frame 0031F338 trylevel -1 descr 00D2D030 nested_frame 00000000
0128:trace:seh:call_stack_handlers handler at 00C36AC0 returned 1
0128:trace:seh:call_stack_handlers calling handler at 00C168C8 code=c0000005 flags=0
...
wine: Unhandled page fault on write access to 00000000 at address 036000BC (thread 0128), starting debugger...
--- snip ---
Disassembly before crash:
--- snip ---
00746EC0 | push FFFFFFFF
00746EC2 | push bobcad21.C368A8
00746EC7 | mov eax,dword ptr fs:[0]
00746ECD | push eax
00746ECE | mov dword ptr fs:[0],esp
00746ED5 | push ecx
00746ED6 | push esi
00746ED7 | mov esi,ecx
00746ED9 | mov dword ptr ss:[esp+4],0
00746EE1 | push esi
00746EE2 | push bobcad21.CA3CD0 ; "COleHelperObject::FinalConstruct"
00746EE7 | mov dword ptr ss:[esp+18],0
00746EEF | call bobcad21.762010 ; debug_log_message()
00746EF4 | add esp,8
00746EF7 | lea eax,dword ptr ss:[esp+4]
00746EFB | push eax
00746EFC | push bobcad21.CE9224
00746F01 | push bobcad21.C896BC
00746F06 | mov ecx,bobcad21.DE4AE0
00746F0B | call bobcad21.570270
00746F10 | mov edx,dword ptr ss:[esp+4]
00746F14 | lea ecx,dword ptr ds:[esi+20]
00746F17 | push ecx
00746F18 | push bobcad21.CE9244
00746F1D | push edx
00746F1E | push 10001
00746F23 | push esi
00746F24 | push bobcad21.C896BC
00746F29 | call dword ptr ds:[&_OleCreateEmbeddingHelper@24]
00746F2F | mov esi,eax
00746F31 | mov eax,dword ptr ss:[esp+4]
00746F35 | test eax,eax
00746F37 | mov dword ptr ss:[esp+10],FFFFFFFF
00746F3F | je bobcad21.746F47
00746F41 | mov ecx,dword ptr ds:[eax] ; 00CA3BE8
00746F43 | push eax
00746F44 | call dword ptr ds:[ecx+8]
00746F47 | mov ecx,dword ptr ss:[esp+8]
00746F4B | mov eax,esi
00746F4D | pop esi
00746F4E | mov dword ptr fs:[0],ecx
00746F55 | add esp,10
00746F58 | ret
--- snip ---
Wine DefaultHandler_Construct():
--- snip ---
...
02215A80 | push ecx
02215A81 | push eax
02215A82 | push dword ptr ss:[ebp+8]
02215A85 | push ebx ; _IID_IPersistStorage
02215A86 | call ole32._CreateDataCache@16
02215A8B | test eax,eax
02215A8D | js ole32.2215B84
02215A93 | mov eax,dword ptr ds:[esi+30]
02215A96 | mov ebx,dword ptr ds:[<.refptr._IID_IPersistStorage>]
02215A9C | lea edx,dword ptr ds:[esi+34]
02215A9F | mov ecx,dword ptr ds:[eax]
02215AA1 | push edx
02215AA2 | push ebx ; _IID_IPersistStorage
02215AA3 | push eax
02215AA4 | call dword ptr ds:[ecx] ; IUnknown_QueryInterface
02215AA6 | test eax,eax
02215AA8 | js ole32.2215B78
02215AAE | mov eax,dword ptr ds:[esi+1C] ; 0x0361F758
02215AB1 | mov ecx,dword ptr ds:[eax]
02215AB3 | push eax
02215AB4 | call dword ptr ds:[ecx+8] ; IUnknown_Release(This->outerUnknown)
02215AB7 | mov eax,dword ptr ss:[ebp+8]
02215ABA | test dword ptr ss:[ebp+10],10000
...
--- snip ---
Before outer unknown release:
--- snip ---
0361F750 00000028
0361F754 04455355 ; heap magic "USE"
0361F758 00CA3CF4
0361F75C 00000001 ; refcount
0361F760 03A83420
0361F764 FFFFFFFF
--- snip ---
Calling app COleHelperObject outer unknown release:
--- snip ---
00CA3CF4 00747110 ; COleHelperObject::Release()
00CA3CF8 007470C0
00CA3CFC 007470E0
00CA3D00 00747130
00CA3D04 00C86D2C
00CA3D08 00000000
--- snip ---
App COleHelperObject::Release():
--- snip ---
007470E0 | push esi
007470E1 | mov esi,dword ptr ss:[esp+8]
007470E5 | push edi
007470E6 | lea eax,dword ptr ds:[esi+4]
007470E9 | push eax
007470EA | call dword ptr ds:[&_InterlockedDecrement@4]
007470F0 | mov edi,eax
007470F2 | test edi,edi
007470F4 | jne bobcad21.747103
007470F6 | test esi,esi
007470F8 | je bobcad21.747103
007470FA | mov edx,dword ptr ds:[esi]
007470FC | push 1
007470FE | mov ecx,esi
00747100 | call dword ptr ds:[edx+C] ; COleHelperObject::FinalRelease()
00747103 | mov eax,edi
00747105 | pop edi
00747106 | pop esi
00747107 | ret 4
--- snip ---
The COleHelperObject::FinalRelease() call also matches the debug message in trace log.
COleHelperObject gone:
--- snip ---
0361F750 0000DFA9
0361F754 45455246 ; heap magic "FREE"
0361F758 03633720
0361F75C 036002C8
0361F760 00000000
0361F764 FFFFFFFF
0361F768 00000000
--- snip ---

--- snip ---
00748A34 | call bobcad21.746EC0 ; create embedding helper object
00748A39 | mov edi,eax
00748A3B | test edi,edi
00748A3D | jl bobcad21.748A4F
00748A3F | mov edx,dword ptr ss:[ebp+C]
00748A42 | mov ecx,dword ptr ds:[esi]
00748A44 | push ebx
00748A45 | push edx
00748A46 | push esi
00748A47 | call dword ptr ds:[ecx] ; *boom*
00748A49 | mov edi,eax
00748A4B | test edi,edi
00748A4D | je bobcad21.748A58
--- snip ---
Wine source:
https://source.winehq.org/git/wine.git/blob/842b38e29166a429d59331be40761335...
$ wine --version
wine-6.0-rc1
Regards
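
The reference-count sequence described in comments #1 and #4, reduced to a small model; this is an added example, not code from the thread, from Wine or from the application. The struct and function names are hypothetical, destruction is recorded in a flag instead of freeing memory, and the `guard` option is an assumed caller-side temporary count that nobody in the thread proposes.

```c
#include <stdio.h>

/* Constructed model for illustration: no real COM headers or Wine code. */
typedef struct Outer {
    long ref;        /* controlling unknown's reference count */
    int  destroyed;  /* set instead of freeing, so the state stays inspectable */
} Outer;

static long outer_addref(Outer *o) { return ++o->ref; }

static long outer_release(Outer *o)
{
    long r = --o->ref;
    if (r == 0) o->destroyed = 1;  /* a real object would destruct and free itself here */
    return r;
}

/* Aggregated inner object: a non-IUnknown interface it hands out is
 * counted against the outer object. */
typedef struct Inner { Outer *outer; } Inner;

static void inner_query_persist_storage(Inner *in) { outer_addref(in->outer); }

/* Same order of calls as lines 1932-1936 of the quoted DefaultHandler_Construct():
 * QueryInterface on the aggregated data cache, then Release on the outer unknown. */
static void handler_construct(Outer *outer)
{
    Inner cache = { outer };
    inner_query_persist_storage(&cache);  /* ref: n -> n+1 */
    outer_release(outer);                 /* ref: n+1 -> n, destroys when n == 0 */
}

/* Returns 1 if the outer object is still alive after construction. */
int survives_construct(long initial_ref, int guard)
{
    Outer o = { initial_ref, 0 };
    if (guard) o.ref++;    /* assumed guard: temporary count held during construction */
    handler_construct(&o);
    if (guard) o.ref--;    /* dropped directly, without going through Release() */
    return !o.destroyed;
}

int main(void)
{
    printf("ref=0, no guard: survives=%d\n", survives_construct(0, 0));
    printf("ref=1, no guard: survives=%d\n", survives_construct(1, 0));
    printf("ref=0, guarded : survives=%d\n", survives_construct(0, 1));
    return 0;
}
```
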
Austin English austinenglish@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |toolitkwic@yahoo.com

--- Comment #5 from Austin English austinenglish@gmail.com ---
*** Bug 54208 has been marked as a duplicate of this bug. ***
--- Comment #6 from melesio toolitkwic@yahoo.com ---
01/29/2023

I tried again but no success.

Gives me a "Self-Registration Error"
Message is:
"The following files did not register or unregister: 1.C:\Program Files (x86)\Common Files\Solidworks Shared\SwDocumentMgr.dll Module not found.
To continue, click OK; otherwise click Cancel."
--- Comment #7 from melesio toolitkwic@yahoo.com ---
(In reply to Austin English from comment #5)
*** Bug 54208 has been marked as a duplicate of this bug. ***
Is anyone working on this one yet?
--- Comment #8 from joaopa jeremielapuree@yahoo.fr ---
console output with wine-8.6

wine Bobcad21.exe
0144:fixme:imm:ImeSetActiveContext himc 00040048, flag 0x1 stub!
0144:fixme:imm:ImmReleaseContext (0003003E, 00040048): stub
0154:fixme:imm:ImeSetActiveContext himc 00030072, flag 0 stub!
0154:fixme:imm:ImmReleaseContext (00040084, 00030072): stub
0144:fixme:cryptasn:CryptDecodeObjectEx Unsupported decoder for lpszStructType 1.3.6.1.4.1.311.2.1.4
0144:fixme:cryptasn:CryptDecodeObjectEx Unsupported decoder for lpszStructType 1.3.6.1.4.1.311.2.1.4
0144:fixme:cryptasn:CryptDecodeObjectEx Unsupported decoder for lpszStructType 1.3.6.1.4.1.311.2.1.4
0144:fixme:cryptasn:CryptDecodeObjectEx Unsupported decoder for lpszStructType 1.3.6.1.4.1.311.2.1.4
0144:fixme:ntdll:NtQuerySystemInformation info_class SYSTEM_PERFORMANCE_INFORMATION
Seattle Debug: <<<<<<<<<< Created CSmCurve: 0414FC90 >>>>>>>>>>
0144:fixme:toolbar:TOOLBAR_SetRows Separators unhandled
0144:fixme:toolbar:TOOLBAR_SetRows Separators unhandled
0144:fixme:toolbar:TOOLBAR_SetRows Separators unhandled
0144:fixme:toolbar:TOOLBAR_SetRows Separators unhandled
--- Comment #9 from melesio toolitkwic@yahoo.com ---
05/01/23

I tried again with 8.7 but no success.

Gives me a "Self-Registration Error"
Message is:
"The following files did not register or unregister: 1.C:\Program Files (x86)\Common Files\Solidworks Shared\SwDocumentMgr.dll Module not found.
To continue, click OK; otherwise click Cancel."