http://bugs.winehq.org/show_bug.cgi?id=33031
             Bug #: 33031
           Summary: Microsoft Windows Driver Development Kit (win7 ddk/wdk) fails
           Product: Wine
           Version: 1.3.28
          Platform: x86
               URL: https://www.microsoft.com/en-us/download/details.aspx?id=11800
        OS/Version: Linux
            Status: NEW
          Keywords: download, Installer
          Severity: normal
          Priority: P2
         Component: -unknown
        AssignedTo: wine-bugs@winehq.org
        ReportedBy: austinenglish@gmail.com
    Classification: Unclassified
Prerequisite: winetricks mfc42
Mount the iso, run kitsetup.exe. I chose to install 'Build Environments' (a subset of 'Full Development Environment'). This fails:
wine: Unhandled page fault on read access to 0x84d5c3a5 at address 0x100228d (thread 0027), starting debugger...
...
Backtrace:
=>0 0x0100228d in eula (+0x228d) (0x0033f708)
  1 0x0100236b in eula (+0x236a) (0x0033f790)
  2 0x5f8019d1 in mfc42u (+0x19d0) (0x0033f7b0)
  3 0x5f80195a in mfc42u (+0x1959) (0x0033f810)
  4 0x5f8018e2 in mfc42u (+0x18e1) (0x0033f82c)
  5 0x5f8018a1 in mfc42u (+0x18a0) (0x0033f858)
the backtrace makes me suspect riched20, trying native gives:
wine: Call from 0x7b83f2a9 to unimplemented function msls31.dll.LssbFDonePresSubline, aborting
which may be a future problem, but belongs in a separate bug.
austin@aw25 ~ $ sha1sum GRMWDK_EN_7600_1.ISO
du -hde6abdb8eb4e08942add4aa270c763ed4e3d8242 GRMWDK_EN_7600_1.ISO
austin@aw25 ~ $ du -h GRMWDK_EN_7600_1.ISO
620M GRMWDK_EN_7600_1.ISO
austin@aw25 ~ $ wine --version
wine-1.5.24-74-g5069ad7
luckily, I only wanted the headers, and running:
$ msiexec /i wdk/headers.msi
installs the headers fine.
Austin English austinenglish@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
            Version|1.3.28                      |1.5.24
--- Comment #1 from Ken Jackson KenJackson@ieee.org 2013-07-24 06:51:17 CDT ---
Created attachment 45379
  --> http://bugs.winehq.org/attachment.cgi?id=45379
Backtrace from kitsetup.exe trying to run eula.exe
It failed similarly for me when I tried installing WDK in wine-1.6-59-g7e136d6 (compiled from source pulled last night) on my Fedora 3.9.9-201.fc18.x86_64 host.
I fuse mounted GRMWDK_EN_7600_1.ISO and redirected drive I: to it in wine.
For this attempt of several, I did this:
  wine cmd
  I:
  .\kitsetup
It proceeded normally to the point where the progress popup said:
  Microsoft WDK Configuration
  0% complete
  Configuration task 1 of 124
  installing component Microsoft Windows Debuggers
Ken Jackson KenJackson@ieee.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |KenJackson@ieee.org
Alon Levy alon@pobox.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |alon@pobox.com
--- Comment #2 from Alon Levy alon@pobox.com 2013-09-01 07:11:20 CDT ---
I have the exact same stack trace. I've installed mfc42 via winetricks. I'm running fedora, using wine 1.7.0: wine-core-1.7.0-1.fc19.i686
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |focht@gmx.net
          Component|-unknown                    |richedit
            Summary|Microsoft Windows Driver    |Microsoft Windows Driver
                   |Development Kit (win7       |Development Kit 7.1.0 (Win7
                   |ddk/wdk) fails              |DDK/WDK) installer fails:
                   |                            |'eula.exe' crashes on exit
                   |                            |(COM apartment already
                   |                            |initialized by RichEdit)
--- Comment #3 from Anastasius Focht focht@gmx.net ---
Hello folks,
confirming.
Can be reproduced by running 'eula.exe' directly with required arguments.
The problem is not deducible from the trace log, one has to debug it.
--- snip ---
$ WINEDEBUG=+tid,+seh,+relay wine ./eula.exe i SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WDK_EULA_{68656B6B-555E-5459-5E5D-6363635E5F65} WDK F:\license.rtf >>~/Downloads/log.txt 2>&1
...
0024:Call ole32.OleInitialize(00000000) ret=7ac22902
0024:trace:ole:OleInitialize ((nil))
0024:Call ntdll.RtlAllocateHeap(00110000,00000008,000000fc) ret=7e8debdc
0024:Ret ntdll.RtlAllocateHeap() retval=0014c4f0 ret=7e8debdc
0024:trace:ole:CoInitializeEx ((nil), 2)
0024:trace:ole:CoInitializeEx () - Initializing the COM libraries
0024:trace:ole:RunningObjectTableImpl_Initialize
...
0024:Call user32.CreateWindowExW(00000000,7e9bfb00 L"OleMainThreadWndClass 0x######## ",00000000,00000000,00000000,00000000,00000000,00000000,fffffffd,00000000,7e8c0000,00000000) ret=7e8e28fd
...
0024:Call ole32.CoInitialize(00000000) ret=01002abb
0024:trace:ole:CoInitializeEx ((nil), 2)
0024:Ret ole32.CoInitialize() retval=00000001 ret=01002abb
...
0024:Call window proc 0x5f801868 (hwnd=0x10070,msg=WM_DESTROY,wp=00000000,lp=00000000)
...
0024:trace:seh:raise_exception code=c0000005 flags=0 addr=0x100228d ip=0100228d tid=0024
0024:trace:seh:raise_exception info[0]=00000000
0024:trace:seh:raise_exception info[1]=8bec55af
0024:trace:seh:raise_exception eax=00010070 ebx=7bc3b3a9 ecx=8bec558b edx=0033f694 esi=01001408 edi=0033f6a4
0024:trace:seh:raise_exception ebp=0033f6a8 esp=0033f66c cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010282
0024:trace:seh:call_stack_handlers calling handler at 0x5f890df5 code=c0000005 flags=0
0024:trace:seh:call_stack_handlers handler at 0x5f890df5 returned 1
...
Unhandled exception: page fault on read access to 0x8bec55af in 32-bit code (0x0100228d).
...
Backtrace:
=>0 0x0100228d in eula (+0x228d) (0x0033f6a8)
  1 0x0100236b in eula (+0x236a) (0x0033f730)
  2 0x5f8019d1 in mfc42u (+0x19d0) (0x0033f750)
  3 0x5f80195a in mfc42u (+0x1959) (0x0033f7b0)
  4 0x5f8018e2 in mfc42u (+0x18e1) (0x0033f7cc)
  5 0x5f8018a1 in mfc42u (+0x18a0) (0x0033f7f8)
  6 0x7ecb1de6 WINPROC_wrapper+0x19() in user32 (0x0033f828)
...
  12 0x7eca3d41 WIN_SendDestroyMsg+0x7d(hwnd=0x10070) [/home/focht/projects/wine/wine.repo/src/dlls/user32/win.c:1772] in user32 (0x0033fa38)
  13 0x7eca419e DestroyWindow+0x356(hwnd=<couldn't compute location>) [/home/focht/projects/wine/wine.repo/src/dlls/user32/win.c:1876] in user32 (0x0033faa8)
  14 0x7bc6e39a relay_call+0x39() in ntdll (0x0033fadc)
  15 0x7ec06c5d in user32 (+0x6c5c) (0x0033fb38)
  16 0x5f804b68 in mfc42u (+0x4b67) (0x0033fb38)
  17 0x0100213d in eula (+0x213c) (0x0033fd7c)
  18 0x5f812566 in mfc42u (+0x12565) (0x0033fe20)
...
0x0100228d: call *0x24(%ecx)
Modules:
Module  Address            Debug info  Name (58 modules)
PE       1000000- 103f000  Export      eula
PE      5f800000-5f8f2000  Export      mfc42u
ELF     7ac00000-7ac69000  Deferred    riched20<elf>
  -PE   7ac10000-7ac69000  \           riched20
...
Threads:
process tid prio (all id:s are in hex)
...
00000023 (D) F:\eula.exe
    00000024 0 <==
--- snip ---
The app is MFC based and creates a dialog window with embedded RichEdit control. Upon creation of the dialog window, the app initializes COM explicitly and stores the COM init status internally.
Unfortunately at the time the app calls CoInitialize(NULL), the COM apartment is already initialized hence S_FALSE is returned and stored.
The COM apartment was created earlier by Wine's RichEdit text host (WM_NCCREATE -> ME_CreateTextHost -> ME_MakeEditor -> OleInitialize(NULL))
This is something the app doesn't expect at this place (MFC app -> OnDialogInit). The app checks the internal COM init flag on exit and reaches a different code path, causing a NULL ptr deref.
I changed RichEdit to defer COM init and it helped - the crash on exit is gone. Native RichEdit probably doesn't do explicit COM init on WM_NCCREATE/text host creation, hence the app call to CoInitialize(NULL) in dialog init returns S_OK.
$ wine --version
wine-1.7.13-118-g0eb6265
Regards
Qian Hong fracting@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fracting@gmail.com,
                   |                            |jactry92@gmail.com
--- Comment #4 from Anastasius Focht focht@gmx.net ---
Hello folks,
ran into this again while investigating bug 45455
Obviously still present. Analysis still applies.
$ sha1sum GRMWDK_EN_7600_1.ISO
de6abdb8eb4e08942add4aa270c763ed4e3d8242 GRMWDK_EN_7600_1.ISO
$ du -sh GRMWDK_EN_7600_1.ISO
620M GRMWDK_EN_7600_1.ISO
$ wine --version
wine-3.12-111-g8ae98cfdc3
Regards
Linards linards.liepins@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |linards.liepins@gmail.com
--- Comment #5 from Linards linards.liepins@gmail.com ---
Is this issue still present?
Also, this bug might correlate with https://bugs.winehq.org/show_bug.cgi?id=39046 since UDMF is part of WDK, as per https://docs.microsoft.com/en-us/archive/blogs/peterwie/
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                URL|https://www.microsoft.com/e |https://web.archive.org/web
                   |n-us/download/details.aspx? |/20120503053053/https://dow
                   |id=11800                    |nload.microsoft.com/downloa
                   |                            |d/4/A/2/4A25C7D5-EFBE-4182-
                   |                            |B6A9-AE6850409A78/GRMWDK_EN
                   |                            |_7600_1.ISO
--- Comment #6 from Anastasius Focht focht@gmx.net ---
Hello folks,
the crash disappeared with https://source.winehq.org/git/wine.git/commitdiff/cf9f185901f5f0718e6e59e3ad... ("kernel32: GMEM_FIXED blocks cannot be 0 size.") -> wine-1.9.18-101-gcf9f185901f but that's just by pure chance due to stack usage.
The original problem is still present.
Running with +relay or under a debugger still results in the same crash - even with most recent Wine.
Prerequisite without running the full installer: 'winetricks -q mfc42'
--- snip ---
Unhandled exception: page fault on read access to 0x00000084 in 32-bit code (0x0100228d).
Register dump:
 CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b
 EIP:0100228d ESP:0021f714 EBP:0021f750 EFLAGS:00010206( R- -- I - -P- )
 EAX:00010058 EBX:00275668 ECX:00000060 EDX:0021f73c
 ESI:01001408 EDI:0021f74c
Stack dump:
0x0021f714: 00275668 00010058 fffffffc 00000000
0x0021f724: 0021f73c 00000001 0021fc48 0021fc48
0x0021f734: 01002346 00010058 608d3df8 4aa78128
0x0021f744: 5ef528a4 91722649 2f2db8aa 0021f7d8
0x0021f754: 0100236b 00275668 00010058 00000000
0x0021f764: 5f801c9c 0021fc48 0021fc48 0026cb48
Backtrace:
=>0 0x0100228d EntryPoint+0xffffffff() in eula (0x0021f750)
  1 0x0100236b EntryPoint+0xffffffff() in eula (0x0021f7d8)
  2 0x5f8019d1 EntryPoint+0xffffffff() in mfc42u (0x0021f7f8)
  3 0x5f80195a EntryPoint+0xffffffff() in mfc42u (0x0021f858)
  4 0x5f8018e2 EntryPoint+0xffffffff() in mfc42u (0x0021f874)
  5 0x5f8018a1 EntryPoint+0xffffffff() in mfc42u (0x0021f8a0)
  6 0x004b378c make_rect_onscreen+0xab() in user32 (0x0021f8d0)
--- snip ---
Although I've already analyzed the problem seven years ago, adding application disassembly for further proof.
CoInitialize() via RichEdit control on main thread:
--- snip ---
0021F4A4 008E3449 009BB750 44  combase._CoInitializeEx@8
0021F4E8 7AC067E8 008E3449 20  ole32.OleInitialize+39
0021F508 7AC2ADA4 7AC067E8 30  riched20.ME_MakeEditor+538
0021F538 7AC28ED0 7AC2ADA4 9C  riched20.create_text_services+94
0021F5D4 7AC29EC5 7AC28ED0 20  riched20.RichEditWndProc_common+1D0
0021F5F4 004B378C 7AC29EC5 30  riched20.RichEditWndProcW+35
0021F624 004B44A1 004B378C 28  user32._WINPROC_wrapper+1C
0021F64C 004B4678 004B44A1 38  user32.call_window_proc+71
0021F684 0047FB10 004B4678 58  user32.WINPROC_call_window+178
0021F6DC 0047A407 0047FB10 50  user32.call_window_proc+60
0021F72C 0047A632 0047A407 40  user32.send_message+E7
0021F76C 004A7E4B 0047A632 140 user32.SendMessageW+52
0021F8AC 004A905C 004A7E4B 4C  user32.WIN_CreateWindowEx+172B
0021F8F8 00450E84 004A905C 2AC user32.CreateWindowExW+6C
0021FBA4 0044FF8E 00450E84 1C  user32.DIALOG_CreateIndirect+EB4
0021FBC0 5F817B05 0044FF8E 68  user32.CreateDialogIndirectParamW+1E
0021FC28 5F80E5A2 5F817B05 44  mfc42u.5F817B05
0021FC6C 0100213D 5F80E5A2 244 mfc42u.5F80E5A2
0021FEB0 5F812566 0100213D A4  eula.0100213D
0021FF54 7B624920 5F812566 18  mfc42u.5F812566
0021FF6C 7BC48997 7B624920 C   kernel32.@BaseThreadInitThunk@12+10
0021FF78 7BC48AF7 7BC48997 78  ntdll._call_thread_func_wrapper+17
0021FFF0 00000000 7BC48AF7     ntdll.call_thread_func+87
--- snip ---
Explicit CoInitialize() from app code on main thread:
--- snip ---
008CC7A0 009BB750 10  combase._CoInitializeEx@8
01002ABB 008CC7A0 74  ole32.CoInitialize+10
5F8055B2 01002ABB 34  eula.01002ABB
004B53A4 5F8055B2 2C  mfc42u.5F8055B2
004B54B5 004B53A4 28  user32.call_dialog_proc+74
0044DCAA 004B54B5 28  user32.WINPROC_CallDlgProcW+A5
004B378C 0044DCAA 30  user32.DefDlgProcW+EA
004B44A1 004B378C 28  user32._WINPROC_wrapper+1C
004B5266 004B44A1 30  user32.call_window_proc+71
012F7CAF 004B5266 28  user32.CallWindowProcW+86
012F6697 012F7CAF 74  comctl32.THEMING_CallOriginalClass+2F
012F7D8A 012F6697 28  comctl32.THEMING_DialogSubclassProc+1A7
004B378C 012F7D8A 30  comctl32.subclass_proc0+8A
004B44A1 004B378C 28  user32._WINPROC_wrapper+1C
004B5266 004B44A1 30  user32.call_window_proc+71
5F801D93 004B5266 20  user32.CallWindowProcW+86
5F801DBD 5F801D93 A0  mfc42u.5F801D93
5F8019D1 5F801DBD 20  mfc42u.5F801DBD
5F80195A 5F8019D1 60  mfc42u.5F8019D1
5F8018E2 5F80195A 1C  mfc42u.5F80195A
5F8018A1 5F8018E2 2C  mfc42u.5F8018E2
004B378C 5F8018A1 30  mfc42u.5F8018A1
004B44A1 004B378C 28  user32._WINPROC_wrapper+1C
004B4678 004B44A1 38  user32.call_window_proc+71
0047FB10 004B4678 58  user32.WINPROC_call_window+178
0047A407 0047FB10 50  user32.call_window_proc+60
0047A632 0047A407 40  user32.send_message+E7
0045110C 0047A632 28C user32.SendMessageW+52
0044FF8E 0045110C 1C  user32.DIALOG_CreateIndirect+113C
5F817B05 0044FF8E 68  user32.CreateDialogIndirectParamW+1E
5F80E5A2 5F817B05 44  mfc42u.5F817B05
0100213D 5F80E5A2 244 mfc42u.5F80E5A2
5F812566 0100213D A4  eula.0100213D
7B624920 5F812566 18  mfc42u.5F812566
7BC48997 7B624920 C   kernel32.@BaseThreadInitThunk@12+10
7BC48AF7 7BC48997 78  ntdll._call_thread_func_wrapper+17
00000000 7BC48AF7     ntdll.call_thread_func+87
--- snip ---
--- snip ---
01002A9F | push 4C                                   |
01002AA1 | mov eax,eula.10042A4                      |
01002AA6 | call eula.100352D                         |
01002AAB | mov esi,ecx                               |
01002AAD | call <JMP.&Ordinal#4704>                  |
01002AB2 | xor ebx,ebx                               |
01002AB4 | push ebx                                  |
01002AB5 | call dword ptr ds:[&_CoInitialize@4]      |
01002ABB | push 1                                    |
01002ABD | push dword ptr ds:[esi+60]                |
01002AC0 | mov ecx,esi                               |
01002AC2 | mov dword ptr ds:[esi+F0],eax             | HRESULT = S_FALSE
01002AC8 | mov byte ptr ds:[esi+E8],bl               |
01002ACE | call eula.10024DD                         |
--- snip ---
on stack (0x21FC80):
esi=0021FC80
dword ptr ds:[esi+F0]=[0021FD70]=2B002B (will become 1)
ebx=0021FC80
dword ptr ds:[ebx+EC]=[0021FD6C]=1 (will remain uninitialized)
App code that checks the COM apartment init status to initialize more COM controls during dialog init:
--- snip ---
01002771 | mov edi,edi                               |
01002773 | push ebx                                  |
01002774 | push esi                                  |
01002775 | push edi                                  |
01002776 | mov ebx,ecx                               |
01002778 | xor edi,edi                               |
0100277A | cmp dword ptr ds:[ebx+F0],edi             | only S_OK is expected
01002780 | jne eula.1002A49                          |
01002786 | lea esi,dword ptr ds:[ebx+EC]             | code path skipped!
0100278C | push esi                                  |
0100278D | push eula.10019FC                         |
01002792 | push 15                                   |
01002794 | push edi                                  |
01002795 | push eula.1001A0C                         |
0100279A | mov dword ptr ds:[esi],edi                |
0100279C | call dword ptr ds:[&_CoCreateInstance@20] |
010027A2 | test eax,eax                              |
010027A4 | jne eula.1002A49                          |
...
01002A3E | movsd                                     |
01002A3F | movsd                                     |
01002A40 | movsd                                     |
01002A41 | mov ecx,ebx                               |
01002A43 | movsd                                     |
01002A44 | call eula.10023F7                         |
01002A49 | pop edi                                   |
01002A4A | pop esi                                   |
01002A4B | pop ebx                                   |
01002A4C | ret                                       |
--- snip ---
Teardown code:
--- snip ---
01002346 | mov edi,edi                               |
01002348 | push esi                                  |
01002349 | mov esi,ecx                               |
0100234B | cmp dword ptr ds:[esi+F0],0               | S_OK -> skip
01002352 | je eula.10023EA                           |
01002358 | mov eax,dword ptr ds:[esi+EC]             | access of uninit var!
0100235E | test eax,eax                              |
01002360 | je eula.10023DD                           |
01002362 | push dword ptr ds:[esi+20]                |
01002365 | push eax                                  |
01002366 | call eula.1002255                         | *boom* (within sub)
0100236B | push dword ptr ds:[esi+88]                |
01002371 | push dword ptr ds:[esi+EC]                |
01002377 | call eula.1002255                         |
0100237C | push dword ptr ds:[esi+C8]                |
01002382 | push dword ptr ds:[esi+EC]                |
01002388 | call eula.1002255                         |
0100238D | push dword ptr ds:[esi+114]               |
01002393 | push dword ptr ds:[esi+EC]                |
01002399 | call eula.1002255                         |
0100239E | push dword ptr ds:[esi+154]               |
010023A4 | push dword ptr ds:[esi+EC]                |
010023AA | call eula.1002255                         |
010023AF | push dword ptr ds:[esi+194]               |
010023B5 | push dword ptr ds:[esi+EC]                |
010023BB | call eula.1002255                         |
010023C0 | push dword ptr ds:[esi+1D4]               |
010023C6 | push dword ptr ds:[esi+EC]                |
010023CC | call eula.1002255                         |
010023D1 | mov eax,dword ptr ds:[esi+EC]             |
010023D7 | mov ecx,dword ptr ds:[eax]                |
010023D9 | push eax                                  |
010023DA | call dword ptr ds:[ecx+8]                 |
010023DD | call dword ptr ds:[&_CoUninitialize@0]    |
010023E3 | and dword ptr ds:[esi+EC],0               |
010023EA | mov ecx,esi                               |
010023EC | pop esi                                   |
010023ED | jmp <JMP.&Ordinal#6451>                   |
--- snip ---
$ wine --version
wine-6.8-77-g0a50674c6aa
Regards
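
The HRESULT handling analysed in comments #3 and #6, as an added portable C model that is not part of the bug report and is not code from eula.exe or Wine. mock_co_initialize, struct dlg, the function names and the 0xCC fill are assumptions standing in for CoInitialize, the dialog object and stale stack contents; the model contrasts the checks visible in the disassembly with a variant that treats S_FALSE as success and gives the pointer a defined value.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int32_t hresult_t;                 /* HRESULT is a signed 32-bit value */
enum { HR_S_OK = 0, HR_S_FALSE = 1 };      /* same values as S_OK / S_FALSE */
#define HR_SUCCEEDED(hr) ((hr) >= 0)
static int apartment_refs;                 /* model of the thread's COM init count */
static int com_object;                     /* stand-in for the created COM object */

/* Stand-in for CoInitialize(NULL): S_FALSE when the thread is already initialized. */
static hresult_t mock_co_initialize(void) { return apartment_refs++ ? HR_S_FALSE : HR_S_OK; }
static void mock_co_uninitialize(void) { if (apartment_refs > 0) apartment_refs--; }

struct dlg { void *obj; hresult_t hr; };   /* obj ~ [esi+EC], hr ~ [esi+F0] */
enum teardown { TD_SKIPPED, TD_RELEASED, TD_WILD_DEREF };

/* Checks as shown in the disassembly: init only on hr == 0, teardown only on hr != 0. */
enum teardown run_as_disassembled(int host_inits_first) {
    struct dlg d;
    memset(&d, 0xCC, sizeof d);            /* constructed stand-in for stale stack bytes */
    apartment_refs = 0;
    if (host_inits_first) mock_co_initialize();   /* control's host initialized COM first */
    d.hr = mock_co_initialize();
    if (d.hr == HR_S_OK) d.obj = &com_object;     /* skipped when S_FALSE comes back */
    if (d.hr == HR_S_OK || d.obj == NULL) return TD_SKIPPED;
    return d.obj == (void *)&com_object ? TD_RELEASED : TD_WILD_DEREF;  /* real app: crash */
}

/* Hardened: defined initial state, SUCCEEDED-style test, balanced uninitialize. */
enum teardown run_hardened(int host_inits_first) {
    struct dlg d = { NULL, 0 };
    apartment_refs = 0;
    if (host_inits_first) mock_co_initialize();
    d.hr = mock_co_initialize();
    if (HR_SUCCEEDED(d.hr)) d.obj = &com_object;  /* S_OK and S_FALSE are both success */
    enum teardown r = d.obj ? TD_RELEASED : TD_SKIPPED;
    d.obj = NULL;                                 /* release the object, then clear it */
    if (HR_SUCCEEDED(d.hr)) mock_co_uninitialize();
    return r;
}
int refs_left(void) { return apartment_refs; }    /* inits still outstanding afterwards */

int main(void) {
    printf("as disassembled: %d %d\n", run_as_disassembled(0), run_as_disassembled(1));
    printf("hardened:        %d %d\n", run_hardened(0), run_hardened(1));
    return 0;
}
```

In the hardened variant the one outstanding initialization left when the host goes first belongs to the host, which is responsible for balancing its own call.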