http://bugs.winehq.org/show_bug.cgi?id=34982
Bug #: 34982 Summary: Horizon (xbox tool) installer crashes on startup Product: Wine Version: 1.7.7 Platform: x86 OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: mshtml AssignedTo: wine-bugs@winehq.org ReportedBy: focht@gmx.net Classification: Unclassified
Hello folks,
reported in WineHQ forums.
Clean WINEPREFIX, no prerequisites used (yet).
--- snip --- $ WINEDEBUG=+tid,+seh,+loaddll,+process,+jscript,+mshtml wine ./horizon-setup.exe >>log.txt 2>&1 ... 0009:trace:mshtml:dispex_query_interface (0x6ed09ec)->(IID_IDispatchJS 0x33c048) returning NULL 0009:trace:mshtml:HTMLWindow2_QueryInterface (0x6ed09b8)->(IID_IDispatchEx 0x33c08c) 0009:trace:mshtml:HTMLWindow2_AddRef (0x6ed09b8) ref=13 0009:trace:mshtml:WindowDispEx_GetDispID (0x6ed09b8)->(L"_external" 10000001 0x33c10c) 0009:trace:jscript:JScript_GetScriptDispatch (0x6ef7a68)->(0x33befc) 0009:trace:jscript:DispatchEx_QueryInterface (0x6f15a88)->(IID_IDispatchEx 0x33bf38) 0009:trace:jscript:DispatchEx_GetDispID (0x6f15a88)->(L"_external" 10000001 0x33bfa0) 0009:trace:jscript:jsdisp_get_id not found L"_external" 0009:trace:mshtml:DispatchEx_GetDispID (0x6ed09ec)->(L"_external" 10000001 0x33c10c) 0009:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7d624547 ip=7d624547 tid=0009 0009:trace:seh:raise_exception info[0]=00000000 0009:trace:seh:raise_exception info[1]=00000048 0009:trace:seh:raise_exception eax=00000000 ebx=7d6f0000 ecx=80000002 edx=05d7fa8c esi=0033c060 edi=7c690f72 0009:trace:seh:raise_exception ebp=0033bfb8 esp=0033bf00 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010206 0009:trace:seh:call_stack_handlers calling handler at 0x7bc9dc13 code=c0000005 flags=0 wine: Unhandled page fault on read access to 0x00000048 at address 0x7d624547 (thread 0009), starting debugger... 0009:trace:seh:start_debugger Starting debugger "winedbg --auto 8 848" 0009:trace:seh:call_stack_handlers handler at 0x7bc9dc13 returned 1 Unhandled exception: page fault on read access to 0x00000048 in 32-bit code (0x7d624547). Register dump: CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b EIP:7d624547 ESP:0033bf00 EBP:0033bfb8 EFLAGS:00010206( R- -- I - -P- ) EAX:00000000 EBX:7d6f0000 ECX:80000002 EDX:05d7fa8c ESI:0033c060 EDI:7c690f72 Stack dump: 0x0033bf00: 06f112f8 00000000 0033bf40 7d5a1257 0x0033bf10: 7ffd8000 7bcea705 0033bf68 7d5a1495 0x0033bf20: 07263678 0714fae4 0033bf68 00000001 0x0033bf30: 0714fae4 00000009 00000001 7d6845a5 0x0033bf40: 06f11308 00000000 06ac5868 00000009 0x0033bf50: 00000000 070226b0 06f11308 0033bf40 000c: sel=0067 base=00000000 limit=00000000 16-bit --x Backtrace: =>0 0x7d624547 get_frame_by_name+0x282(This=0x6d03f78, name="_external", deep=0, ret=0x33bfec) [/home/focht/projects/wine/wine-git/dlls/mshtml/htmlwindow.c:420] in mshtml (0x0033bfb8) 1 0x7d62bdf5 WindowDispEx_GetDispID+0x162(iface=<couldn't compute location>, bstrName=<couldn't compute location>, grfdex=<couldn't compute location>, pid=<couldn't compute location>) [/home/focht/projects/wine/wine-git/dlls/mshtml/htmlwindow.c:2520] in mshtml (0x0033c048) 2 0x7c6961c9 disp_get_id+0x11b(ctx=0x6f12360, disp=0x6ed09b8, name="_external", name_bstr="_external", flags=0, id=0x33c10c) [/home/focht/projects/wine/wine-build32/dlls/jscript/../../include/dispex.h:296] in jscript (0x0033c0d8) 3 0x7c697d9d interp_member+0xc6(ctx=0x7256a78) [/home/focht/projects/wine/wine-git/dlls/jscript/engine.c:887] in jscript (0x0033c138) 4 0x7c69cfa1 enter_bytecode+0xfc(ctx=0x6f12360, code=0x72064c8, func=0x71499b8, ret=0x33c1e4) [/home/focht/projects/wine/wine-git/dlls/jscript/engine.c:2462] in jscript (0x0033c1a8) 5 0x7c69d37c exec_source+0x1ea(ctx=0x7256a78, code=0x72064c8, func=0x71499b8, from_eval=0, ret=0x33c6a0) [/home/focht/projects/wine/wine-git/dlls/jscript/engine.c:2534] in jscript (0x0033c208) 6 0x7c69f792 invoke_source+0x213(ctx=0x6f12360, function=0x7253968, this_obj=0x6f15a88, argc=0x2, argv=0x7182390, r=0x33c6a0) [/home/focht/projects/wine/wine-git/dlls/jscript/function.c:240] in jscript (0x0033c268) 7 0x7c69fc9e Function_invoke+0x194(func_this=0x7253968, jsthis=0x6f15a88, flags=0x1, argc=0x2, argv=0x7182390, r=0x33c6a0) [/home/focht/projects/wine/wine-git/dlls/jscript/function.c:357] in jscript (0x0033c2a8) 8 0x7c693351 jsdisp_call_value+0x53(jsfunc=0x7253968, jsthis=0x6f15a88, flags=0x1, argc=0x2, argv=0x7182390, r=0x33c6a0) [/home/focht/projects/wine/wine-git/dlls/jscript/dispex.c:1061] in jscript (0x0033c2e8) ... --- snip ---
Crash location: http://source.winehq.org/git/wine.git/blob/0be56d27d2d4b22367313fa4c6f1e6586...
$ sha1sum horizon-setup.exe d622f53253ee3ae8a3e4f180759e8e4e821a2466 horizon-setup.exe
$ du -sh horizon-setup.exe 788K horizon-setup.exe
$ wine --version wine-1.7.7-119-g3197262
Regards
http://bugs.winehq.org/show_bug.cgi?id=34982
Anastasius Focht focht@gmx.net changed:
What |Removed |Added ---------------------------------------------------------------------------- Keywords| |download, Installer URL| |https://www.xboxmb.com/down | |load
http://bugs.winehq.org/show_bug.cgi?id=34982
--- Comment #1 from Anastasius Focht focht@gmx.net 2013-11-23 06:36:15 CST --- Created attachment 46617 --> http://bugs.winehq.org/attachment.cgi?id=46617 WINEDEBUG=+tid,+seh,+loaddll,+process,+jscript,+mshtml wine ./horizon-setup.exe
log.txt 2>&1
tail -n 10000 log.txt
http://bugs.winehq.org/show_bug.cgi?id=34982
Rosanne DiMesio dimesio@earthlink.net changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |chaviusmiller@gmail.com
--- Comment #2 from Rosanne DiMesio dimesio@earthlink.net --- *** Bug 35262 has been marked as a duplicate of this bug. ***
http://bugs.winehq.org/show_bug.cgi?id=34982
--- Comment #3 from Austin English austinenglish@gmail.com --- A user in #winehq asked about this, so I checked on it. Still in wine-1.7.11-237-g00aeadc.
http://bugs.winehq.org/show_bug.cgi?id=34982
jobo joenow@live.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |joenow@live.com
http://bugs.winehq.org/show_bug.cgi?id=34982
--- Comment #4 from Anastasius Focht focht@gmx.net --- *** Bug 36522 has been marked as a duplicate of this bug. ***
https://bugs.winehq.org/show_bug.cgi?id=34982
Anastasius Focht focht@gmx.net changed:
What |Removed |Added ---------------------------------------------------------------------------- Summary|Horizon (xbox tool) |Multiple web-installers |installer crashes on |crash in |startup |'get_frame_by_name' with | |NULL 'HTMLOuterWindow' | |(Horizon XBOX tool, MAGIX | |Video Deluxe MX Plus 18)
--- Comment #5 from Anastasius Focht focht@gmx.net --- Hello folks,
revisiting, still present.
Can also be reproduced with MAGIX Video Deluxe MX Plus 18 web-installer (bootstrapper).
--- snip --- $ WINEDEBUG=+tid,+seh,+relay,+mshtml,+ieframe,+jscript wine ./Magix_Video_Deluxe_Mx_Plus_18.exe >>log.txt 2>&1 ... 0041:Call KERNEL32.CreateProcessA(00d611a0 "C:\users\focht\Temp\netdownloader",0013e040 ""C:\users\focht\Temp\netdownloader"",00000000,00000000,00000001,01000204,00000000,00000000,0033fa0c,0033fa58) ret=10006f7f ... 0043:Call KERNEL32.__wine_kernel_init() ret=7bc5a89d 0041:Ret KERNEL32.CreateProcessA() retval=00000001 ret=10006f7f ... 0043:trace:jscript:interp_ident L"window" 0043:trace:jscript:identifier_eval L"window" 0043:trace:jscript:jsdisp_get_id not found L"window" 0043:trace:jscript:jsdisp_get_id not found L"window" 0043:trace:mshtml:HTMLWindow2_AddRef (0x12b3e180) ref=14 ... 0043:trace:jscript:interp_member 0043:trace:mshtml:HTMLWindow2_QueryInterface (0x12b3e180)->(IID_IDispatchJS 0x33bf08) 0043:trace:mshtml:HTMLWindow2_QueryInterface (0x12b3e180)->(IID_IDispatchEx 0x33bf4c) 0043:trace:mshtml:HTMLWindow2_AddRef (0x12b3e180) ref=15 0043:trace:mshtml:WindowDispEx_GetDispID (0x12b3e180)->(L"_external" 10000001 0x33bfcc) 0043:trace:jscript:JScript_GetScriptDispatch (0x12910d90)->(0x33bdbc) 0043:trace:jscript:DispatchEx_QueryInterface (0x12b68248)->(IID_IDispatchEx 0x33bdf8) 0043:trace:jscript:DispatchEx_GetDispID (0x12b68248)->(L"_external" 10000001 0x33be60) 0043:trace:jscript:jsdisp_get_id not found L"_external" 0043:trace:mshtml:DispatchEx_GetDispID (0x12b3e1b4)->(L"_external" 10000001 0x33bfcc) 0043:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7d5f4011 ip=7d5f4011 tid=0043 0043:trace:seh:raise_exception info[0]=00000000 0043:trace:seh:raise_exception info[1]=00000048 0043:trace:seh:raise_exception eax=00000000 ebx=7d6dc000 ecx=7d6dc000 edx=05d329e0 esi=0033bf20 edi=00000001 0043:trace:seh:raise_exception ebp=0033be78 esp=0033bdc0 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010206 ... Unhandled exception: page fault on read access to 0x00000048 in 32-bit code (0x7d5f4011). ... Backtrace: =>0 0x7d5f4011 get_frame_by_name+0x282(This=0x12904c28, name="_external", deep=0, ret=0x33beac) [/home/focht/projects/wine/wine.repo/src/dlls/mshtml/htmlwindow.c:409] in mshtml (0x0033be78)
1 0x7d5fbc3d WindowDispEx_GetDispID+0x162(iface=<couldn't compute location>, bstrName=<couldn't compute location>, grfdex=<couldn't compute location>, pid=<couldn't compute location>) [/home/focht/projects/wine/wine.repo/src/dlls/mshtml/htmlwindow.c:2556] in mshtml (0x0033bf08)
2 0x7c97eead disp_get_id+0x11b(ctx=0x129102d0, disp=0x12b3e180, name="_external", name_bstr="_external", flags=0, id=0x33bfcc) [/home/focht/projects/wine/wine.repo/build-x86/dlls/jscript/../../include/dispex.h:296] in jscript (0x0033bf98)
3 0x7c980a25 interp_member+0xc6(ctx=0x12ff62f8) [/home/focht/projects/wine/wine.repo/src/dlls/jscript/engine.c:896] in jscript (0x0033bff8)
4 0x7c985c08 enter_bytecode+0xfc(ctx=0x129102d0, code=0x12e4db48, func=0x12d99390, ret=0x33c0a4) [/home/focht/projects/wine/wine.repo/src/dlls/jscript/engine.c:2471] in jscript (0x0033c068)
5 0x7c985fe3 exec_source+0x1ea(ctx=0x12ff62f8, code=0x12e4db48, func=0x12d99390, from_eval=0, ret=0x33c560) [/home/focht/projects/wine/wine.repo/src/dlls/jscript/engine.c:2543] in jscript (0x0033c0c8)
6 0x7c988462 invoke_source+0x27b(ctx=0x129102d0, function=0x12e9b1f8, this_obj=0x12b68248, argc=0x2, argv=0x12fffc60, r=0x33c560) [/home/focht/projects/wine/wine.repo/src/dlls/jscript/function.c:245] in jscript (0x0033c138)
7 0x7c98896e Function_invoke+0x194(func_this=0x12e9b1f8, jsthis=0x12b68248, flags=0x1, argc=0x2, argv=0x12fffc60, r=0x33c560) [/home/focht/projects/wine/wine.repo/src/dlls/jscript/function.c:362] in jscript (0x0033c178)
8 0x7c97b9f8 jsdisp_call_value+0x53(jsfunc=0x12e9b1f8, jsthis=0x12b68248, flags=0x1, argc=0x2, argv=0x12fffc60, r=0x33c560) [/home/focht/projects/wine/wine.repo/src/dlls/jscript/dispex.c:1061] in jscript (0x0033c1b8) ... 57 0x6aa33972 in xul (+0xdf3971) (0x05cfeb90) 0x7d5f4011 get_frame_by_name+0x282 [/home/focht/projects/wine/wine.repo/src/dlls/mshtml/htmlwindow.c:409] in mshtml: movl 0x48(%eax),%eax 409 hres = IHTMLElement_get_id(&window_iter->frame_element->element.IHTMLElement_iface, &id); Modules: Module Address Debug info Name (180 modules) PE 350000- 356000 Deferred system PE 3d0000- 3d9000 Deferred luaxml_lib PE 3e0000- 3f6000 Deferred 87a5250e7389d052be3fdc257872ebd8C:\users\focht\Temp\nst2161.tmp\87a5250e7389d052be3fdc257872ebd873ef2deb.dll PE 400000- 44c000 Deferred netdownloader ... Threads: process tid prio (all id:s are in hex) ... 0000003e netdownloader 0000003f 0 00000042 (D) C:\users\focht\Temp\netdownloader ... 00000043 0 <== --- snip ---
Source: http://source.winehq.org/git/wine.git/blob/679ddf24d442885ff5dc943d6239278fb...
At least a NULL check along with a FIXME/WARN should be added.
$ sha1sum Magix_Video_Deluxe_Mx_Plus_18.exe 1c05058b5dfc7084b361784353dc3e71d132fbf9 Magix_Video_Deluxe_Mx_Plus_18.exe
$ du -sh Magix_Video_Deluxe_Mx_Plus_18.exe 3.6M Magix_Video_Deluxe_Mx_Plus_18.exe
$ wine --version wine-1.7.35-24-g3873c93
Regards
https://bugs.winehq.org/show_bug.cgi?id=34982
Béla Gyebrószki gyebro69@gmail.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |gyebro69@gmail.com
--- Comment #6 from Béla Gyebrószki gyebro69@gmail.com --- Affects Microsoft Chat 2.5 web installer: http://www.tucows.com/preview/193891
Backtrace: =>0 0x7cb18cd9 get_frame_by_name+0x259(This=0xbf32a50, name="_external", deep=0, ret=0x33c48c) [/home/gyebro/sources/wine-git/dlls/mshtml/htmlwindow.c:409] in mshtml (0x0033c458)
...
46 0x6ac7da31 in xul (+0x103da30) (0x089fce50) 0x7cb18cd9 get_frame_by_name+0x259 [/home/gyebro/sources/wine-git/dlls/mshtml/htmlwindow.c:409] in mshtml: movl 0x00000048,%eax 409 hres = IHTMLElement_get_id(&window_iter->frame_element->element.IHTMLElement_iface, &id);
Note: neither IE7 nor IE8 helps for me. The installer shows a blank screen with IE7 installed, crashes with IE8.
Possibly duplicates: bug #32966 and bug #34808
wine-1.7.43-166-g39d71c5
https://bugs.winehq.org/show_bug.cgi?id=34982
Indrek efbiaiinzinz@hotmail.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |efbiaiinzinz@hotmail.com
--- Comment #7 from Indrek efbiaiinzinz@hotmail.com --- Sent in a test patch (not yet approved) https://source.winehq.org/patches/data/111605 Does this fix all the crashes?
https://bugs.winehq.org/show_bug.cgi?id=34982
--- Comment #8 from Béla Gyebrószki gyebro69@gmail.com --- (In reply to Indrek from comment #7)
Sent in a test patch (not yet approved) https://source.winehq.org/patches/data/111605 Does this fix all the crashes?
1. the patch fixes the crash in the web installer from Tucows.com, but the installer hangs later (could a different issue). 2. the web page from bug #32966 loads properly, without crashing 3. the web page from bug #34808 crashes with a different backtrace in recent Wine versions, so can't test it with your patch (http://pastebin.com/Q0B10Pm4)
https://bugs.winehq.org/show_bug.cgi?id=34982
--- Comment #9 from Indrek efbiaiinzinz@hotmail.com --- 1. Indeed, the tucows installer crash itself is gone but it seems to get in an endless loop, spamming the console with TranslateAccelerator fixme's. 2. Yes, that crash is gone and page load up correctly. 3. After a bit of digging it seems that nsstyle is released too soon (ref reaches zero, causing cleanup) but later on it is used again in a cleaned up state, causing the crash. I don't think my skill is high enough to fix it correctly. I got it to "work" by modding get_nsstyle_attr_nsval (line 482 in mshtml/htmlstyle.c) to return E_FAIL if nsstyle is NULL but this does not fix the issue with the early cleanup which is the root cause.
Perhaps someone with more debugging experience can take a look at it.
https://bugs.winehq.org/show_bug.cgi?id=34982
--- Comment #10 from Indrek efbiaiinzinz@hotmail.com --- Bit more digging in the logfile revealed the culprit line in jquery that causes misbehaviour.
bx = function (a, b) { var c, d = a.currentStyle && a.currentStyle[b].. The first invocation of a.currentStyle before the && sign creates instance of HTMLCurrentStyle and then releases it (I guess since it is not stored into any variable), but for some reason, the second part of && ends up using the same reference to the now-released HTMLCurrentStyle which ends up as segfault, because nsstyle has been released already.
Either the jscript releases the currentStyle too early or the mshtml incorrectly reuses the released currentStyle instance, will have to dig a bit more.
https://bugs.winehq.org/show_bug.cgi?id=34982
--- Comment #11 from Indrek efbiaiinzinz@hotmail.com --- Ok, for 3rd bug I think I found the issue, seems to be a long known Gecko bug that causes crash in wine, sent the patch (not yet accepted). https://source.winehq.org/patches/data/111647
https://bugs.winehq.org/show_bug.cgi?id=34982
--- Comment #12 from Indrek efbiaiinzinz@hotmail.com --- Fix for the crash made it in http://source.winehq.org/git/wine.git/commit/2676488fcd95c70ff18404660877f63...
Next issue seems to be the endless loop (visually looks like hanging) of the webinstallers.
https://bugs.winehq.org/show_bug.cgi?id=34982
Nikolay Sivov bunglehead@gmail.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Fixed by SHA1| |2676488fcd95c70ff1840466087 | |7f63ac6838789 Status|NEW |RESOLVED Resolution|--- |FIXED
--- Comment #13 from Nikolay Sivov bunglehead@gmail.com --- Fixed with 2676488fcd95c70ff18404660877f63ac6838789.
https://bugs.winehq.org/show_bug.cgi?id=34982
Alexandre Julliard julliard@winehq.org changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |CLOSED
--- Comment #14 from Alexandre Julliard julliard@winehq.org --- Closing bugs fixed in 1.7.45.
-
wine-bugs@winehq.org