http://bugs.winehq.org/show_bug.cgi?id=14790

--- Comment #2 from Will Tipton wtipton@hmc.edu 2008-08-07 15:30:17 --- Created an attachment (id=15338) --> (http://bugs.winehq.org/attachment.cgi?id=15338) DEBUG=+warn,+tooltips w/ debugging symbols

http://bugs.winehq.org/show_bug.cgi?id=14790

Tom Grim elven.thief@gmail.com changed:

What |Removed |Added ---------------------------------------------------------------------------- CC| |elven.thief@gmail.com

--- Comment #4 from Tom Grim elven.thief@gmail.com 2008-08-11 03:22:30 --- I did some debugging and tracing on my own after I found myself affected by this bug and can offer a few more tidbits.

Non-Technical details:

The crash consistently happens if you mouse over the players names in a lobby window for a table. Hovering over their name is supposed to give you a tooltip that has their username, home country, chip stack (if the game has started) and any notes that you may have created about that user.

The easiest way to avoid this crash, without fixing the code is to simply not drag your mouse over the user list in a table lobby.

Technical Details:

The crash is happening at line 1563 of TOOLTIPS_GetTextW - it's attempting to copy a unicode string from a null pointer.

How did it get this null pointer? It appears that the tooltip attached to the HWND has no string or no size for that matter.

I modified my copy of TOOLTIPS_AddToolW to figure out what was going on and got this:

trace:tooltips:TOOLTIPS_WindowProc hwnd=0x100fe msg=432 wparam=0 lParam=a1cf80 trace:tooltips:TOOLTIPS_AddToolW add tool (0x100fe) 0x100fa 1064! trace:tooltips:TOOLTIPS_AddToolW The number of Tools of HWND is 1 trace:tooltips:TOOLTIPS_AddToolW lpToolInfo->lpszText = (null) trace:tooltips:TOOLTIPS_AddToolW lpToolInfo->Rect position: 0,0 - 0,0 trace:tooltips:TOOLTIPS_AddToolW add string id 0 trace:tooltips:TOOLTIPS_AddToolW subclassing installed!

Note the "add string id 0" instead of "add text" trace.

The story appears to be that the Full Tilt people are reusing a TOOLINFO structure for the entire player list. When you hover over a players name, it then resizes the tooltip and updates the text to match what I detailed far above. The first time that the tooltip is created, it has absolutely no information, so they load it with null values and zeros.

At some point in their code, they send a TTM_GETTEXTW message when they're about to update the tooltip's dimensions, location, and text. After a small mouse move, I guess they check to see if the tooltip needs moved or the text changed.

Unforunately, on the first iteration of this process, the original TOOLINFO structure with a null string pointer gets called upon and causes the crash.

It appears that Will's quick fix above is the correct fix"

Will's quick fix above appears to be as correct as possible, given that it appears to be "legal" for a tooltip with a

http://bugs.winehq.org/show_bug.cgi?id=14790

--- Comment #6 from Will Tipton wtipton@hmc.edu 2008-08-11 17:40:49 --- Cool, thanks for looking into it Tom.

I went ahead and submitted a patch...

Will

http://bugs.winehq.org/show_bug.cgi?id=14790

Lei Zhang thestig@google.com changed:

What |Removed |Added ---------------------------------------------------------------------------- Status|UNCONFIRMED |NEW Ever Confirmed|0 |1

--- Comment #8 from Lei Zhang thestig@google.com 2008-08-12 13:09:43 --- Please try to add a conformance test to your patches in the future.

http://www.winehq.org/pipermail/wine-patches/2008-August/059413.html

http://bugs.winehq.org/show_bug.cgi?id=14790

Alexandre Julliard julliard@winehq.org changed:

What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |CLOSED

--- Comment #10 from Alexandre Julliard julliard@winehq.org 2008-08-22 10:49:02 --- Closing bugs fixed in 1.1.3.