[Bug 26028] New: Buitin IE crash while open a activex control from Bank of Communications
http://bugs.winehq.org/show_bug.cgi?id=26028
Summary: Buitin IE crash while open a activex control from Bank of Communications Product: Wine Version: 1.3.13 Platform: x86 OS/Version: Linux Status: UNCONFIRMED Severity: normal Priority: P2 Component: -unknown AssignedTo: wine-bugs@winehq.org ReportedBy: fracting@gmail.com
1. install the active control $ rm -rf ~/.wine $ wget https://pbank.95559.com.cn/personbank/ocx/safe_bankcomm.cab $ cabextract safe_bankcomm.cab $ regsvr32 safeInput4jh.dll
2. write a html file named safeInput1.html as below: <object classid="clsid:ECCBA956-80E5-11D3-9285-0080ADB811C9" codebase="ocx/safe_bankcomm.cab#version=3,0,0,0" width="800" height="20" id="safeInput1" name="safeInput1" style="HEIGHT: 20px;WIDTH: 153px" viewastext=""></object>
host a http server to handle safeInput1.html
3. open safeInput1.html with wine buitin IE, then crash.
http://bugs.winehq.org/show_bug.cgi?id=26028
--- Comment #1 from fracting fracting@gmail.com 2011-02-07 23:07:00 CST --- Created an attachment (id=33191) --> (http://bugs.winehq.org/attachment.cgi?id=33191) log: ie crash while loading activex control
$ wine iexplore http://0.0.0.0/jiaotong/safeInput1.html
fixme:mshtml:PHPropertyNotifySink_OnChanged Unimplemented dispID -514 fixme:atl:AtlModuleRegisterWndClassInfoA 0x10022f78 0x1001f8e0 0x3a40b00 semi-stub wine: Unhandled page fault on read access to 0x00000000 at address (nil) (thread 0009), starting debugger... Unhandled exception: page fault on read access to 0x00000000 in 32-bit code (0x00000000). Register dump: CS:0073 SS:007b DS:007b ES:007b FS:0033 GS:003b EIP:00000000 ESP:0032f2cc EBP:0032f2e8 EFLAGS:00210202( R- -- I - - - )
...
http://bugs.winehq.org/show_bug.cgi?id=26028
fracting fracting@gmail.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Keywords| |download URL| |https://pbank.95559.com.cn/ | |personbank/ocx/safe_bankcom | |m.cab CC| |jacek@codeweavers.com
http://bugs.winehq.org/show_bug.cgi?id=26028
--- Comment #2 from fracting fracting@gmail.com 2011-03-12 22:57:20 CST --- Created an attachment (id=33617) --> (http://bugs.winehq.org/attachment.cgi?id=33617) Log: IE crash while loading activex control ( with gecko-1.2.0rc1-dbg , 2011-3-13 updated)
I install gecko-dbg follow these steps:
$ wget http://sourceforge.net/projects/wine/files/Wine%20Gecko/1.2.0-rc1/wine_gecko... $ cd .wine/drive_c/windows/system32/gecko/1.2.0-rc1 $ mv wine_gecko wine_gecko.old $ tar -jxf ~/wine_gecko-1.2.0-rc1-x86-dbg.tar.bz2
After installing gecko-dbg , there is still no function names in the backtrace ( As below ), did I make any mistake while installing gecko-dbg ?
6 0x0140486f (0x0032f4c8) 7 0x01425053 (0x0032f508) 8 0x009d4ec8 (0x0032f598) 9 0x009dbeab (0x0032f5c8) 10 0x0141193c (0x0032f7e8) 11 0x014111a8 (0x0032f818) 12 0x009d4a5d (0x0032f868) 13 0x009d898c (0x0032f8f8) 14 0x00bb214c (0x0032f998) 15 0x00baca8d (0x0032fa38) 16 0x0165eb5c (0x0032fab8) 17 0x016044b2 (0x0032faf8) 18 0x0159c26f (0x0032fb28) 19 0x0156bba7 (0x0032fb58)
http://bugs.winehq.org/show_bug.cgi?id=26028
--- Comment #3 from fracting fracting@gmail.com 2011-03-12 23:15:15 CST --- loading object A3CD7F74-93C9-4BC4-B892-CCDF1514F714 will crash too. Object A3CD7F74-93C9-4BC4-B892-CCDF1514F714 and Object ECCBA956-80E5-11D3-9285-0080ADB811C9 are in the same dll: safeInput4jh.dll
<object classid="CLSID:A3CD7F74-93C9-4BC4-B892-CCDF1514F714" codebase="ocx/safe_bankcomm.cab#version=3,0,0,0" id="safeCommit1" name="safeCommit1" style="HEIGHT: 0px; WIDTH: 0px"> </object>
http://bugs.winehq.org/show_bug.cgi?id=26028
fracting fracting@gmail.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Component|-unknown |atl
--- Comment #4 from fracting fracting@gmail.com 2011-04-27 09:49:58 CDT --- Update: test again with Wine1.3.18, confirm the crashing. However, override atl.dll will workaround for it.
http://bugs.winehq.org/show_bug.cgi?id=26028
Ken Sharp kennybobs@o2.co.uk changed:
What |Removed |Added ---------------------------------------------------------------------------- Severity|normal |minor
http://bugs.winehq.org/show_bug.cgi?id=26028
Anastasius Focht focht@gmx.net changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|UNCONFIRMED |NEW CC| |focht@gmx.net Ever Confirmed|0 |1
--- Comment #5 from Anastasius Focht focht@gmx.net 2011-04-28 05:07:00 CDT --- Hello,
confirming, the problem seems to be a window creation failing.
--- snip --- ... 0023:Call atl.AtlModuleRegisterWndClassInfoA(10022f78,1001f8e0,020a0b00) ret=1000a2d3 0023:fixme:atl:AtlModuleRegisterWndClassInfoA 0x10022f78 0x1001f8e0 0x20a0b00 semi-stub 0023:trace:atl:AtlModuleRegisterWndClassInfoA wci->m_wc.lpszClassName = SECURITYBYBRYANECC 0023:Call user32.GetClassInfoExA(10000000,1001f8c8 "SECURITYBYBRYANECC",0032f0ec) ret=7a86523c 0023:Ret user32.GetClassInfoExA() retval=00000000 ret=7a86523c 0023:Call user32.RegisterClassExA(1001f8e0) ret=7a865255 0023:trace:win:alloc_winproc allocated 0xffff0033 for A 0x1000dae3 (52/4096 used) 0023:Ret user32.RegisterClassExA() retval=0000c062 ret=7a865255 0023:trace:atl:AtlModuleRegisterWndClassInfoA returning 0xc062 0023:Ret atl.AtlModuleRegisterWndClassInfoA() retval=0000c062 ret=1000a2d3 0023:Call atl.AtlModuleAddCreateWndData(10022f78,020a0aec,020a0ae4) ret=1000dc52 0023:trace:atl:AtlModuleAddCreateWndData (0x10022f78, 0x20a0aec, 0x20a0ae4) 0023:Ret atl.AtlModuleAddCreateWndData() retval=10022f78 ret=1000dc52 0023:Call user32.CreateWindowExA(00000000,0000c062,00000000,56000000,00000000,00000000,00000099,00000014,000200b8,020a0ae4,10000000,00000000) ret=1000dc9b 0023:trace:win:WIN_CreateWindowEx (null) #c062 ex=00000000 style=56000000 0,0 153x20 parent=0x200b8 menu=0x20a0ae4 inst=0x10000000 params=(nil) 0023:trace:win:dump_window_styles style: WS_CHILD WS_VISIBLE WS_CLIPSIBLINGS WS_CLIPCHILDREN 0023:trace:win:dump_window_styles exstyle: 0023:warn:win:create_window_handle error 6 creating window 0023:Ret user32.CreateWindowExA() retval=00000000 ret=1000dc9b --- snip ---
By tracing wineserver you come along this:
--- snip --- ... 0023: create_class( local=1, atom=0000, style=0000000b, instance=68330000, extra=0, win_extra=0, client_ptr=01a381b8, name=L"SECURITYBYBRYANECC" ) 0023: create_class() = 0 { atom=c062 } 0023: create_window( parent=000200b8, owner=00000000, atom=c062, instance=10000000, class=L"" ) 0023: create_window() = INVALID_HANDLE { handle=00000000, parent=00000000, owner=00000000, extra=0, class_ptr=00000000 } ... --- snip ---
This instance handle 68330000 seems to be bogus. You have to use the module provided one when creating the window class first time (wci->m_wc.hInstance = pm->m_hInst)
AtlModuleRegisterWndClassInfoA AtlModuleRegisterWndClassInfoW
With that one fixed, the window creation sequence is properly done and app supplied window proc gets called (which in turn calls AtlModuleExtractCreateWndData).
--- snip --- 0021:Call atl.AtlModuleRegisterWndClassInfoA(10022f78,1001f8e0,02161b00) ret=1000a2d3 0021:fixme:atl:AtlModuleRegisterWndClassInfoA 0x10022f78 0x1001f8e0 0x2161b00 semi-stub 0021:trace:atl:AtlModuleRegisterWndClassInfoA wci->m_wc.lpszClassName = SECURITYBYBRYANECC 0021:Call user32.GetClassInfoExA(10000000,1001f8c8 "SECURITYBYBRYANECC",0032f0ec) ret=20ac1248 0021:Ret user32.GetClassInfoExA() retval=00000000 ret=20ac1248 0021:Call user32.RegisterClassExA(1001f8e0) ret=20ac1261 0021:trace:win:alloc_winproc allocated 0xffff0033 for A 0x1000dae3 (52/4096 used) 0021:Ret user32.RegisterClassExA() retval=0000c060 ret=20ac1261 0021:trace:atl:AtlModuleRegisterWndClassInfoA returning 0xc060 0021:Ret atl.AtlModuleRegisterWndClassInfoA() retval=0000c060 ret=1000a2d3 0021:Call atl.AtlModuleAddCreateWndData(10022f78,02161aec,02161ae4) ret=1000dc52 0021:trace:atl:AtlModuleAddCreateWndData (0x10022f78, 0x2161aec, 0x2161ae4) 0021:Ret atl.AtlModuleAddCreateWndData() retval=10022f78 ret=1000dc52 0021:Call user32.CreateWindowExA(00000000,0000c060,00000000,56000000,00000000,00000000,00000099,00000014,00030028,02161ae4,10000000,00000000) ret=1000dc9b 0021:trace:win:WIN_CreateWindowEx (null) #c060 ex=00000000 style=56000000 0,0 153x20 parent=0x30028 menu=0x2161ae4 inst=0x10000000 params=(nil) 0021:trace:win:dump_window_styles style: WS_CHILD WS_VISIBLE WS_CLIPSIBLINGS WS_CLIPCHILDREN 0021:trace:win:dump_window_styles exstyle: 0021:trace:win:WIN_SetWindowLong 0x20050 -12 2161ae4 W 0021:trace:win:GetWindowRect hwnd 0x20050 (14,158)-(167,178) 0021:trace:win:invalidate_dce 0x20050 scope hwnd = 0x30028 (14,158)-(167,178) ((14,158)-(14,158)) 0021:trace:win:invalidate_dce 0x1ba6e88: hwnd 0x20030 dcx 00000013 Cache 0021:trace:win:invalidate_dce 0x146550: hwnd 0x30028 dcx 0000001a Cache 0021:trace:win:GetWindowRect hwnd 0x30028 (14,158)-(167,178) 0021:trace:win:make_dc_dirty purged 0x146550 dce [0x30028] 0021:trace:win:invalidate_dce 0x143328: hwnd 0x20030 dcx 00000013 Cache InUse 0021:trace:win:WIN_CreateWindowEx hwnd 0x20050 cs 0,0 153x20 .. 0021:Call window proc 0x1000dae3 (hwnd=0x20050,msg=WM_NCCREATE,wp=00000000,lp=0032f090) 0021:Call atl.AtlModuleExtractCreateWndData(10022f78) ret=1000daf0 0021:trace:atl:AtlModuleExtractCreateWndData (0x10022f78) 0021:Ret atl.AtlModuleExtractCreateWndData() retval=02161ae4 ret=1000daf0 --- snip ---
Though it crashes a bit later ... but thats another bug (most likely a duplicate to various "use native atl override" bugs).
Regards
http://bugs.winehq.org/show_bug.cgi?id=26028
Anastasius Focht focht@gmx.net changed:
What |Removed |Added ---------------------------------------------------------------------------- Blocks| |23492
--- Comment #6 from Anastasius Focht focht@gmx.net 2011-04-28 09:36:23 CDT --- Hello,
adding bug 23492 as follow up. With both (this and bug 23492) fixed, the app starts successfully.
Regards
http://bugs.winehq.org/show_bug.cgi?id=26028
Anastasius Focht focht@gmx.net changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED Summary|Buitin IE crash while open |Buitin IE crash while open |a activex control from Bank |a activex control from Bank |of Communications |of Communications (wrong | |instance handle when | |registering a class using | |AtlModuleRegisterWndClassIn | |foA/W)
--- Comment #7 from Anastasius Focht focht@gmx.net 2011-04-28 13:42:01 CDT --- Hello,
this bug is fixed by: http://source.winehq.org/git/wine.git/commit/20e24bff70bc041ab41e7f6333ed54a...
Thanks.
NOTE: the ActiveX control still crashes (a bit later) but that crash is covered by bug 23492
Regards
http://bugs.winehq.org/show_bug.cgi?id=26028
Alexandre Julliard julliard@winehq.org changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |CLOSED
--- Comment #8 from Alexandre Julliard julliard@winehq.org 2011-04-29 13:14:52 CDT --- Closing bugs fixed in 1.3.19.
http://bugs.winehq.org/show_bug.cgi?id=26028
Anastasius Focht focht@gmx.net changed:
What |Removed |Added ---------------------------------------------------------------------------- Fixed by SHA1| |20e24bff70bc041ab41e7f6333e | |d54a20c8df178
-
wine-bugs@winehq.org