http://bugs.winehq.org/show_bug.cgi?id=25305
Summary: King's Quest Collection Series (1997): setup.exe fails to add program group, then crashes
Product: Wine
Version: 1.3.7
Platform: x86-64
OS/Version: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: shell32
AssignedTo: wine-bugs@winehq.org
ReportedBy: tristan_schmelcher@alumni.uwaterloo.ca
Created an attachment (id=32146) --> (http://bugs.winehq.org/attachment.cgi?id=32146)
Terminal output seen when the setup error/crash occurs (ran over VNC, hence the ALSA & XRender errors)
When attempting to install the game King's Quest Collection Series (the 1997 edition), setup.exe displays this error dialog partway through copying the game files:
"Setup was unable to add a program group for Kings Quest Collection"
Upon dismissing the dialog, a winevdm.exe crash dialog appears (i.e., "The program winevdm.exe has encountered a serious problem and needs to close ..."). After dismissing the crash dialog, the setup.exe GUI remains visible on screen in a broken state until the winevdm.exe process is killed.
Terminal output seems to implicate Dde_OnRequest and friends. Strangely, the debugger never starts, despite the message at the end.
The issue also occurred in 1.3.6 and 1.2.0, but in both those versions the debugger did start and produced a backtrace. I'm not sure why there's no backtrace in 1.3.7. Note that my 1.3.7 test is against git master, whereas for 1.3.6/1.2.0 I tested pre-built DEB packages.
Tristan Schmelcher tristan_schmelcher@alumni.uwaterloo.ca changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |Installer
--- Comment #1 from Tristan Schmelcher tristan_schmelcher@alumni.uwaterloo.ca 2010-11-26 19:09:06 CST ---
Created an attachment (id=32152) --> (http://bugs.winehq.org/attachment.cgi?id=32152)
Backtrace of the crash when run in winedbg
I was able to get a backtrace by launching the program under winedbg from the start.
--- Comment #2 from Tristan Schmelcher tristan_schmelcher@alumni.uwaterloo.ca 2010-11-26 19:43:21 CST ---
I think Dde_OnRequest is actually probably _not_ the root cause of the issue, because it looks like the installer's error dialog always shows up _before_ the fixme from Dde_OnRequest. So something else is precipitating the error dialog.
--- Comment #3 from Tristan Schmelcher tristan_schmelcher@alumni.uwaterloo.ca 2010-11-26 20:18:35 CST ---
Created an attachment (id=32153) --> (http://bugs.winehq.org/attachment.cgi?id=32153)
Stack trace of the setup.exe thread that displays the application error dialog
This is a stack trace of thread 0x20 in the application while the error dialog is being displayed ("Setup was unable ..."). Maybe it can shed some light on what precipitates the error ...
--- Comment #4 from Tristan Schmelcher tristan_schmelcher@alumni.uwaterloo.ca 2010-11-26 21:10:01 CST ---
Created an attachment (id=32155) --> (http://bugs.winehq.org/attachment.cgi?id=32155)
Stack trace of a call to DdeConnect() moments before the error dialog
Hmm, actually there is a call to DdeConnect() in setup.exe moments before the error dialog appears, so perhaps the shell's DDE handling is part of the problem after all. It must be something that happens after DdeConnect() in setup.exe but before Dde_OnRequest() in explorer.exe.
--- Comment #5 from Tristan Schmelcher tristan_schmelcher@alumni.uwaterloo.ca 2010-11-27 03:36:39 CST ---
I stepped through the 16-bit installer machine code between the DdeConnect() and the error dialog and this is the sequence of Wine calls:

DdeConnect
DdeCreateDataHandle -- fails at the check for pInstance == NULL
DdeClientTransaction -- fails at the check for pData == NULL in WDML_ClientQueueExecute
DdeDisconnect
Then many hundreds (possibly thousands) of instructions later it calls MessageBox to display the error dialog.
--- Comment #6 from Tristan Schmelcher tristan_schmelcher@alumni.uwaterloo.ca 2010-11-27 15:31:29 CST ---
I looked into the DdeCreateDataHandle failure and I think the problem is that Wine should not attempt to validate the idInst argument. This installer calls DdeInitialize at start-up, which succeeds and returns an idInst of 0x1, and the installer correctly passes that value to several DDE calls right after (e.g., DdeCreateStringHandle). But when it (much later) calls DdeCreateDataHandle, it passes an invalid idInst value of 0x112bf. Since idInst isn't actually needed to execute the function, I think perhaps Windows does not validate it and this installer relies on that behaviour ...
I tried commenting out the idInst validation code in DdeCreateDataHandle and with that change the call succeeds. Also, the following DdeClientTransaction call gets farther because pData is no longer NULL ... but it fails at the DdeAccessData call in WDML_ClientQueueExecute because pData is an invalid pointer ... only the low-order 16 bits of it are used, the upper half is zero. So I think maybe DdeCreateDataHandle16 needs to map the created HDDEDATA into the 16-bit address space so that the returned pointer can fit in the 16-bit registers/fields used in the installer code. Possibly MapLS/MapSL can do this?
--- Comment #7 from Tristan Schmelcher tristan_schmelcher@alumni.uwaterloo.ca 2010-11-28 01:04:03 CST ---
Yup, using MapLS/MapSL to map HDDEDATA values to segmented pointers avoids the problems and prevents the error dialog!
However, the crash still happens, and the backtrace is no different than before. :(
Dmitry Timoshkov dmitry@codeweavers.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Status    |UNCONFIRMED                 |RESOLVED
     Resolution    |                            |DUPLICATE
--- Comment #8 from Dmitry Timoshkov dmitry@codeweavers.com 2010-11-29 02:38:29 CST ---
Duplicate.
*** This bug has been marked as a duplicate of bug 9159 ***
Dmitry Timoshkov dmitry@codeweavers.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Status    |RESOLVED                    |CLOSED
--- Comment #9 from Dmitry Timoshkov dmitry@codeweavers.com 2010-11-29 02:38:44 CST ---
Closing duplicate.
--- Comment #10 from Tristan Schmelcher tristan_schmelcher@alumni.uwaterloo.ca 2010-11-29 12:25:11 CST ---
I don't think this is entirely a duplicate. I have been debugging the crash and it appears to be due to stack corruption, probably because of an incorrect argument size in one of the stdcall functions in a Wine DLL. I will probably have a fix in a few days. Would you like me to open a separate bug specifically for the crash problem?
--- Comment #11 from Tristan Schmelcher tristan_schmelcher@alumni.uwaterloo.ca 2010-11-29 22:27:30 CST ---
Just FYI, opened bug 25354 for the crash problem.