http://bugs.winehq.org/show_bug.cgi?id=30826
Bug #: 30826
Summary: Gigasoft's ProEssentials demo crashes on startup
Product: Wine
Version: 1.5.5
Platform: x86
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: -unknown
AssignedTo: wine-bugs@winehq.org
ReportedBy: dank@kegel.com
Classification: Unclassified
To reproduce:

  wget http://www.gigasoft.com/PE7-Pro-Setup.exe
  wine PE7-Pro-Setup.exe
  cd .wine/drive_c/ProEssentials7/DEMO
  wine PEDemo.exe

Click the popup window to make it go away.
Unhandled exception: page fault on read access to 0x5050ff98 in 32-bit code (0x7ed36a26).
Or, sometimes: Unhandled exception: page fault on read access to 0x00000048 in 32-bit code (0x7ed2ea26).
The backtrace seems the same either way:
Backtrace:
=>0 get_log_fontW+0x16(font=0x720041, graphics=0x154780, lf=0x32e92c) [dlls/gdiplus/font.c:486]
  1 get_font_hfont+0x10e(graphics=0x154780, font=0x720041, hfont=0x32eb58) [dlls/gdiplus/graphics.c:2139]
  2 GdipDrawString+0x2c1(graphics=0x154780, string="Bollinger Upper", length=0xf, font=0x720041, rect=0x32eba8, format=0x149e28, brush=0x154b68) [dlls/gdiplus/graphics.c:5210]
486 lf->lfHeight = -em_size_to_pixel(font->emSize, font->unit, font->family->dpi);
Installing corefonts doesn't help.
--- Comment #1 from Vincent Povirk madewokherd@gmail.com 2012-06-02 19:29:55 CDT --- Can you get a +gdiplus log and corresponding backtrace?
Dan Kegel dank@kegel.com changed:
What            |Removed |Added
----------------------------------------------------------------------------
Keywords        |        |download
URL             |        |http://www.gigasoft.com/PE7-Pro-Setup.exe
--- Comment #2 from Dan Kegel dank@kegel.com 2012-06-02 19:42:18 CDT --- More info:
- EnumMetaFile() is on the stack, I should have shown that.
- winetricks gdiplus doesn't help.
- warn+heap gets it to fail with a different stack at about the same point:
Unhandled exception: page fault on read access to 0x253a7335 in 32-bit code (0x7ea37afa).
Backtrace:
=>0 0x7ea37afa delete_element+0x1a(element=0x253a7335) [dlls/gdiplus/gdiplus.c:424]
  1 0x7ea65127 GdipDeleteRegion+0x36()
  2 0x101f5f32 in pegrp32e (+0x1f5f31) (0x0033eb5c)
  3 0x101f5eff in pegrp32e (+0x1f5efe) (0x0033eb68)
  4 0x101f5e76 in pegrp32e (+0x1f5e75) (0x0033ebc0)
  5 0x10180c8f in pegrp32e (+0x180c8e) (0x0033ebcc)
  6 0x1017f16a in pegrp32e (+0x17f169) (0x0033f7ac)
  7 0x7e7f9d8e EnumMetaFile+0x12d(hdc=0x12b0, hmf=0x1294, lpEnumFunc=0x10179090, lpData=0x33f884) [dlls/gdi32/metafile.c:537]
I'll attach a warn+heap,+gdiplus,+seh log.
--- Comment #3 from Dan Kegel dank@kegel.com 2012-06-02 19:44:45 CDT --- Created attachment 40371 --> http://bugs.winehq.org/attachment.cgi?id=40371 +gdiplus,warn+heap,+seh log
--- Comment #4 from Vincent Povirk madewokherd@gmail.com 2012-06-02 19:52:18 CDT --- trace:gdiplus:GdipDeleteRegion 0x253a7325
Of course, this is a call from the application, the log has no earlier mention of that value, and it is the value that causes the crash.
Maybe the program is doing cleanup before its region variable is initialized because something went wrong elsewhere?
--- Comment #5 from Vincent Povirk madewokherd@gmail.com 2012-06-02 19:55:19 CDT --- Either that or it's overrunning a buffer somewhere. 0x253a7325 is "%s:%" in ascii, which looks suspiciously like a string format.
--- Comment #6 from Dan Kegel dank@kegel.com 2012-06-02 20:02:11 CDT --- Yes, it does seem like a buffer overrun or use-after-free somehow.
With native gdiplus, I get
Unhandled exception: page fault on read access to 0xfeeefeee in 32-bit code (0x4ecaa381).
Backtrace:
=>0 0x4ecaa381 in gdiplus (+0x5a381) (0x0033ea40)
  1 0x10178669 in pegrp32e (+0x178668) (0x0033ea84)
  2 0x1017b6ec in pegrp32e (+0x17b6eb) (0x0033f678)
  3 0x7e850d8e EnumMetaFile+0x12d(hdc=0x5ac0, hmf=0x5aa4, lpEnumFunc=0x10179090, lpData=0x33f7f0) [/home/dank/wine-git/dlls/gdi32/metafile.c:537] in gdi32 (0x0033f6d8)
I'm guessing it's an app bug, will try to confirm.
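The reasoning in comments #4 to #6 (a "pointer" whose bytes spell "%s:%" in ASCII, a fault address of 0xfeeefeee) can be mechanised. The script below is an added example for this thread; it is not part of the bug report, of Wine, or of the application. It parses Wine-style "page fault" and backtrace lines of the shapes quoted above and flags argument values that are NULL, spell ASCII or UTF-16 text, or match well-known debug-heap fill patterns. The regular expressions, the fill-pattern table and the function names are the example's own assumptions; the sample inputs are constructed from values quoted in this report.

```python
"""Triage helper for Wine-style crash output: parse "page fault" and backtrace
lines and classify pointer-valued arguments the way the comments above do by
hand (NULL or near-NULL, values that spell ASCII/UTF-16 text, known heap fills).
Added example; the line formats assumed here are the ones quoted in this report."""
import re
import struct

# Assumed Wine backtrace frame layout: "=>0 [0xaddr] func+0xOFF(args) [file:line]".
# "=>" marks the faulting frame; the address column and source location are optional.
FRAME_RE = re.compile(
    r"^\s*(?:=>)?(?P<no>\d+)\s+(?:0x[0-9a-fA-F]+\s+)?(?P<func>\w+)\+0x[0-9a-fA-F]+"
    r"\((?P<args>[^)]*)\)"
)
ARG_RE = re.compile(r'(?P<name>\w+)=(?P<val>"[^"]*"|[^,)]+)')
FAULT_RE = re.compile(
    r"page fault on (?P<access>read|write) access to 0x(?P<addr>[0-9a-fA-F]+)"
    r" in (?P<bits>\d+)-bit code \(0x(?P<pc>[0-9a-fA-F]+)\)"
)

# Well-known 32-bit fill patterns written by the Windows debug heap and the MSVC debug CRT.
FILL_PATTERNS = {
    0xFEEEFEEE: "freed heap memory (Windows HeapFree fill)",
    0xBAADF00D: "uninitialised heap memory (Windows HeapAlloc fill)",
    0xCDCDCDCD: "uninitialised heap memory (MSVC debug CRT fill)",
    0xDDDDDDDD: "freed heap memory (MSVC debug CRT fill)",
    0xCCCCCCCC: "uninitialised stack memory (MSVC debug fill)",
}


def classify_pointer(value):
    """Return a one-line verdict for a 32-bit value that is about to be used as a pointer."""
    value &= 0xFFFFFFFF
    if value == 0:
        return "NULL pointer"
    if value < 0x10000:
        # Typical of p->field with p == NULL (or simply a small integer argument).
        return f"near-NULL: offset 0x{value:x} from NULL (or a small integer)"
    if value in FILL_PATTERNS:
        return FILL_PATTERNS[value]
    raw = struct.pack("<I", value)  # x86 is little-endian, so byte 0 is the lowest byte
    if all(0x20 <= b < 0x7F for b in raw):
        return f"looks like ASCII text {raw.decode('ascii')!r}"
    if raw[1] == 0 and raw[3] == 0 and all(0x20 <= raw[i] < 0x7F for i in (0, 2)):
        return f"looks like UTF-16LE text {raw.decode('utf-16-le')!r}"
    return "plausible pointer"


def parse_fault(line):
    """Return (access, address, verdict) for an "Unhandled exception: page fault" line, or None."""
    m = FAULT_RE.search(line)
    if not m:
        return None
    addr = int(m.group("addr"), 16)
    return m.group("access"), addr, classify_pointer(addr)


def suspicious_arguments(backtrace_text):
    """Walk every symbolised frame and report hex arguments whose value does not look like a
    pointer. Returns a list of (frame_no, function, arg_name, raw_value, verdict). Small values
    are skipped here because integer arguments such as length=0xf cannot be told apart from
    near-NULL pointers without knowing the parameter type."""
    findings = []
    for line in backtrace_text.splitlines():
        m = FRAME_RE.match(line)
        if not m:
            continue
        for arg in ARG_RE.finditer(m.group("args")):
            val = arg.group("val")
            if not val.lower().startswith("0x"):
                continue  # quoted strings and decimal literals are not pointers
            verdict = classify_pointer(int(val, 16))
            if verdict == "plausible pointer" or verdict.startswith("near-NULL"):
                continue
            findings.append((int(m.group("no")), m.group("func"), arg.group("name"), val, verdict))
    return findings


# Constructed sample inputs: values copied from this bug report, layout rebuilt by hand.
FAULT_LINE = "Unhandled exception: page fault on read access to 0x00000048 in 32-bit code (0x7ed2ea26)."
SAMPLE_BACKTRACE_A = """\
=>0 get_log_fontW+0x16(font=0x720041, graphics=0x154780, lf=0x32e92c) [dlls/gdiplus/font.c:486]
  1 get_font_hfont+0x10e(graphics=0x154780, font=0x720041, hfont=0x32eb58) [dlls/gdiplus/graphics.c:2139]
  2 GdipDrawString+0x2c1(graphics=0x154780, string="Bollinger Upper", length=0xf, font=0x720041, rect=0x32eba8, format=0x149e28, brush=0x154b68) [dlls/gdiplus/graphics.c:5210]
"""
SAMPLE_BACKTRACE_B = """\
=>0 0x7ea37afa delete_element+0x1a(element=0x253a7335) [dlls/gdiplus/gdiplus.c:424]
  1 0x7ea65127 GdipDeleteRegion+0x36()
  2 0x101f5f32 in pegrp32e (+0x1f5f31) (0x0033eb5c)
"""

if __name__ == "__main__":
    print(parse_fault(FAULT_LINE))
    for finding in suspicious_arguments(SAMPLE_BACKTRACE_A) + suspicious_arguments(SAMPLE_BACKTRACE_B):
        print(finding)
```

Run over the first backtrace in this report, the helper flags `font=0x720041` in all three frames: the bytes 41 00 72 00 are the UTF-16LE text "Ar", the same kind of observation comment #5 makes by hand for 0x253a7325 ("%s:%"). Such a verdict is a triage hint about where the bad value may have come from (a wide string where a GpFont pointer was expected), not proof of the root cause; the fill-pattern verdict for 0xfeeefeee in the native-gdiplus run is similarly only a pointer to freed memory being reused.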
--- Comment #7 from Dan Kegel dank@kegel.com 2012-06-02 20:20:29 CDT --- Or it could be metafile memory management problems in wine.
--- Comment #8 from Dan Kegel dank@kegel.com 2012-06-02 21:32:10 CDT --- Created attachment 40372 --> http://bugs.winehq.org/attachment.cgi?id=40372 valgrind log of crash
Valgrind-svn finds quite a bit to complain about. Not sure how much of it is from the app, and how much is from wine.
--- Comment #9 from Dan Kegel dank@kegel.com 2012-06-02 21:42:55 CDT --- Looks like get_bitmap_argb() tries to free something that wasn't allocated on the heap. This patch gets rid of one valgrind error, but doesn't solve the crash:
diff --git a/dlls/winex11.drv/window.c b/dlls/winex11.drv/window.c index 720a49c..e980b08 100644 --- a/dlls/winex11.drv/window.c +++ b/dlls/winex11.drv/window.c @@ -847,7 +847,7 @@ static unsigned long *get_bitmap_argb( HDC hdc, HBITMAP color, HBITMAP mask, uns if (!((mask_bits[i * width_bytes + j / 8] << (j % 8)) & 0x80)) *ptr |= 0xff000000; HeapFree( GetProcessHeap(), 0, mask_bits ); } - HeapFree( GetProcessHeap(), 0, info ); + //HeapFree( GetProcessHeap(), 0, info );
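Review bot: commenting out `HeapFree( GetProcessHeap(), 0, info );` with `//` silences the valgrind report without fixing the underlying mismatch: if `info` really is not a heap block, the line should be deleted and the allocation of `info`, which lies outside this hunk, traced so that the free matches it; if `info` is heap-allocated on some path, this change leaks it on every call to get_bitmap_argb. Since the accompanying text says the crash persists, this should stay a local debugging hack rather than be submitted as-is.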
--- Comment #10 from Dan Kegel dank@kegel.com 2012-06-02 22:27:46 CDT --- Next problem found by valgrind is bug 30827
Dan Kegel dank@kegel.com changed:
What            |Removed |Added
----------------------------------------------------------------------------
Keywords        |        |source
--- Comment #11 from Dan Kegel dank@kegel.com 2012-06-05 00:27:13 CDT --- The demo comes with source, and it wasn't too hard to build (I used Visual C++ 2005 Trial installed in wine, and built it from the command line). When I do that, it seems to crash at about the same place.
I fear that knowledge of MFC might be required to understand what's going on in this app.
--- Comment #12 from Dan Kegel dank@kegel.com 2012-06-05 16:31:03 CDT --- See also bug 30850 for a smaller test case that skips past the mfc problems; it doesn't crash, but valgrind reports heap corruption.
--- Comment #13 from Austin English austinenglish@gmail.com --- Still in wine-1.7.19-70-gd6a59f7
--- Comment #14 from Austin English austinenglish@gmail.com ---
austin@aw25 ~ $ sha1sum PE7-Pro-Setup.exe
243744fa95377ecf5c2580ece4285caa18f207f4  PE7-Pro-Setup.exe
austin@aw25 ~ $ du -h PE7-Pro-Setup.exe
17M     PE7-Pro-Setup.exe
--- Comment #15 from Austin English austinenglish@gmail.com --- Created attachment 48703 --> https://bugs.winehq.org/attachment.cgi?id=48703 WINEDEBUG=gdiplus
super_man@post.com changed:
What            |Removed |Added
----------------------------------------------------------------------------
CC              |        |super_man@post.com
--- Comment #16 from super_man@post.com --- The provided exe crashes at startup after you click the note popup.
The crash location is at
Backtrace: =>0 0x7eb9de33 get_log_fontW
wine 1.7.49
--- Comment #17 from super_man@post.com --- Still crashes 1.7.53
super_man@post.com changed:
What            |Removed |Added
----------------------------------------------------------------------------
CC              |        |00cpxxx@gmail.com
--- Comment #18 from super_man@post.com --- There are at least 2 issues here.
My analysis is not perfect, but I was able to fix/hack around the 1st crash.
It crashes in get_log_fontW
because font gets a NULL value.
http://source.winehq.org/git/wine.git/blob/65d699eb5f7fc151197f3dc9f36499ee3...
I just added if(font == NULL) FIXME("Print something");
Then the crash location moves to
GdipDrawString (same file), which has a similar issue.
winetest@luukku.com changed:
What            |Removed |Added
----------------------------------------------------------------------------
CC              |        |winetest@luukku.com
--- Comment #19 from winetest@luukku.com --- Still crash location
=>0 0x7ebafb13 get_log_fontW
wine 1.9.15-git
--- Comment #20 from winetest@luukku.com --- Still valid 1.9.16-git and staging 1.9.16.
Crash location seems to be the same too... but staging gives slightly different output; it points into gdiplus, but winetricks -q gdiplus doesn't fix this.
--- Comment #21 from winetest@luukku.com --- (In reply to winetest from comment #19)
> Still crash location
> =>0 0x7ebafb13 get_log_fontW
> wine 1.9.15-git

Crash location is still the same. wine 2.0.rc2.
Bartosz gang65@poczta.onet.pl changed:
What            |Removed |Added
----------------------------------------------------------------------------
CC              |        |gang65@poczta.onet.pl
--- Comment #22 from Bartosz gang65@poczta.onet.pl --- The link to download application was changed to: https://gigasoft.com/files/PE7-Pro-Setup.exe
--- Comment #23 from Bartosz gang65@poczta.onet.pl --- The crash is triggered by invocation of the GdipDrawString function:
41164.829:029c:trace:gdiplus:GdipDrawString (026156D8, L"Fast %K", 7, 7DABD150, (143.00,398.00,0.00,0.00), 02738630, 0217D800)
41164.829:029c:trace:gdiplus:GdipDrawString may be ignoring some format flags: attr 0
41164.829:029c:trace:gdiplus:GdipDrawString line align 0, offsety 0.000000