http://bugs.winehq.org/show_bug.cgi?id=29358
Bug #: 29358
Summary: Vit Registry Fix 9.5 crashes when clicking "close" button in "about" dialog
Product: Wine
Version: 1.3.34
Platform: x86
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: -unknown
AssignedTo: wine-bugs@winehq.org
ReportedBy: focht@gmx.net
Classification: Unclassified
Hello,
this is a bug split off from bug 7816
http://bugs.winehq.org/show_bug.cgi?id=7816#c16
--- quote ---
It's also an issue with http://www.vitsoft.org.ua/Download/Vit%20Registry%20Fix%20Free%20Edition%20S... and Wine 1.3.19.
Steps to reproduce:
1) start application
2) click "about"
3) close "about" window
--- quote ---
Both bugs have nothing in common - except the crashing apps are VB6 apps.
The crash:
--- snip ---
0023:Ret window proc 0x6605f626 (hwnd=0x3036e,msg=WM_LBUTTONUP,wp=00000000,lp=00020029) retval=00000000
0023:Ret user32.CallWindowProcA() retval=00000000 ret=016570cd
0023:trace:seh:raise_exception code=c0000005 flags=0 addr=0x1657117 ip=01657117 tid=0023
0023:trace:seh:raise_exception info[0]=00000001
0023:trace:seh:raise_exception info[1]=00000001
0023:trace:seh:raise_exception eax=00000000 ebx=6846a690 ecx=00000000 edx=00000000 esi=00000023 edi=01680458
0023:trace:seh:raise_exception ebp=0032f808 esp=0032f7f4 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010246
...
Backtrace:
=>0 0x01657117 (0x0032f808)
  1 0x6842f2d2 WINPROC_wrapper+0x19() in user32 (0x0032f838)
  2 0x6842f427 call_window_proc+0xcd(hwnd=0x3036e, msg=0x202, wp=0, lp=0x20029, result=0x32f8b8, arg=0x1657050) [/home/focht/projects/wine/wine-git/dlls/user32/winproc.c:242] in user32 (0x0032f888)
  3 0x68431876 CallWindowProcA+0x63(func=0x1657050, hwnd=0x3036e, msg=0x202, wParam=0, lParam=0x20029) [/home/focht/projects/wine/wine-git/dlls/user32/winproc.c:954] in user32 (0x0032f8c8)
  4 0x7bc64852 call_entry_point+0x29() in ntdll (0x0032f8f8)
  5 0x7bc64a7d relay_call+0x1bb(descr=0x6846f120, idx=0x50019, stack=0x32f95c) [/home/focht/projects/wine/wine-git/dlls/ntdll/relay.c:435] in ntdll (0x0032f948)
  6 0x68387ee9 in user32 (+0x7ee8) (0x0032f9a8)
  7 0x2b28bdee DefSubclassProc+0x16c(hWnd=0x3036e, uMsg=0x202, wParam=0, lParam=0x20029) [/home/focht/projects/wine/wine-git/dlls/comctl32/commctrl.c:1267] in comctl32 (0x0032f9a8)
  8 0x2b310fac TOOLTIPS_SubclassProc+0x9b(hwnd=0x3036e, uMsg=0x202, wParam=0, lParam=0x20029, uID=0x1, dwRef=0x60372) [/home/focht/projects/wine/wine-git/dlls/comctl32/tooltips.c:2145] in comctl32 (0x0032f9e8)
  9 0x2b28be44 DefSubclassProc+0x1c2(hWnd=0x3036e, uMsg=0x202, wParam=0, lParam=0x20029) [/home/focht/projects/wine/wine-git/dlls/comctl32/commctrl.c:1272] in comctl32 (0x0032fa38)
  10 0x2b28bb7b COMCTL32_SubclassProc+0x134(hWnd=0x3036e, uMsg=0x202, wParam=0, lParam=0x20029) [/home/focht/projects/wine/wine-git/dlls/comctl32/commctrl.c:1214] in comctl32 (0x0032fa98)
  11 0x6842f2d2 WINPROC_wrapper+0x19() in user32 (0x0032fac8)
  12 0x6842f427 call_window_proc+0xcd(hwnd=0x3036e, msg=0x202, wp=0, lp=0x20029, result=0x32fc48, arg=0x2b28ba46) [/home/focht/projects/wine/wine-git/dlls/user32/winproc.c:242] in user32 (0x0032fb18)
  13 0x684317b3 WINPROC_call_window+0x211(hwnd=0x3036e, msg=0x202, wParam=0, lParam=0x20029, result=0x32fc48, unicode=0, mapping=WMCHAR_MAP_DISPATCHMESSAGE) [/home/focht/projects/wine/wine-git/dlls/user32/winproc.c:908] in user32 (0x0032fb68)
  14 0x683f434c DispatchMessageA+0x17d(msg=0x32fd10) [/home/focht/projects/wine/wine-git/dlls/user32/message.c:3742] in user32 (0x0032fc78)
  15 0x7bc64852 call_entry_point+0x29() in ntdll (0x0032fc98)
  16 0x7bc64a7d relay_call+0x1bb(descr=0x6846f120, idx=0x1009e, stack=0x32fcfc) [/home/focht/projects/wine/wine-git/dlls/ntdll/relay.c:435] in ntdll (0x0032fce8)
  17 0x68388b01 in user32 (+0x8b00) (0x0032fd38)
  18 0x6600a4a3 in msvbvm60 (+0xa4a2) (0x0032fd38)
--- snip ---
The VB6 app subclasses controls, installing its own window proc thunks...
Convert hex opcodes to binary:
--- snip ---
0023:Call oleaut32.VarBstrCat(0014f254 L"5589E583C4F85731C08945FC8945F8EB0EE80000000083F802742185C07424E830000000837DF800750AE838000000E84D0000005F8B45FCC9C21000E826000000EBF168000000006AFCFF7508E800000000EBE031D24ABF00000000B900000000E82D000000C3FF7514FF7510FF750CFF75086800000000E8000000008945FCC331D2BF00000000B900000000E801000000C3E33209",0049b38c L"C978078B450CF2AF75278D4514508D4510508D450C508D4508508D45FC508D45F85052B800000000508B00FF90A4070000C3",0032f4e4) ret=660e5f4d
...
0023:Call oleaut32.VarParseNumFromStr(0014e674 L"&H55",00000409,80000000,0032f4a0,0032f480) ret=660d31fd
...
0023:Call oleaut32.VarParseNumFromStr(01698094 L"&HC3",00000409,80000000,0032e75c,0032e73c) ret=660d31fd
0023:Ret oleaut32.VarParseNumFromStr() retval=00000000 ret=660d31fd
...
--- snip ---
Alloc heap memory for window proc thunk:
01657050-0x1657118
--- snip ---
...
0023:Call KERNEL32.GlobalAlloc(00000000,000000c8) ret=0081bf65
0023:Ret KERNEL32.GlobalAlloc() retval=01657050 ret=0081bf65
...
--- snip ---
Set window proc:
--- snip ---
0023:Call user32.SetWindowLongA(0003036e,fffffffc,01657050) ret=0081bf84
0023:trace:win:WIN_SetWindowLong 0x3036e -4 1657050 A
0023:trace:win:alloc_winproc allocated 0xffff006c for A 0x1657050 (109/4096 used)
0023:Ret user32.SetWindowLongA() retval=6605f626 ret=0081bf84
...
--- snip ---
Filling thunk with code:
--- snip ---
0023:Call ntdll.RtlMoveMemory(01657050,01665ba0,000000c8) ret=0081bfa7
0023:Ret ntdll.RtlMoveMemory() retval=01657050 ret=0081bfa7
...
--- snip ---
Patch all intermodular calls:
--- snip ---
0023:Call ntdll.RtlMoveMemory(01657062,0032e770,00000004) ret=0081c825
0023:Ret ntdll.RtlMoveMemory() retval=01657062 ret=0081c825
...
0023:Call ntdll.RtlMoveMemory(01657094,0032e7a4,00000004) ret=0081c89d
0023:Ret ntdll.RtlMoveMemory() retval=01657094 ret=0081c89d
...
0023:Call ntdll.RtlMoveMemory(0165709e,0032e770,00000004) ret=0081c825
0023:Ret ntdll.RtlMoveMemory() retval=0165709e ret=0081c825
...
0023:Call ntdll.RtlMoveMemory(016570c4,0032e7a4,00000004) ret=0081c89d
0023:Ret ntdll.RtlMoveMemory() retval=016570c4 ret=0081c89d
...
0023:Call ntdll.RtlMoveMemory(016570c9,0032e770,00000004) ret=0081c825
0023:Ret ntdll.RtlMoveMemory() retval=016570c9 ret=0081c825
...
0023:Call ntdll.RtlMoveMemory(0165710a,0032e7a4,00000004) ret=0081c89d
0023:Ret ntdll.RtlMoveMemory() retval=0165710a ret=0081c89d
...
0023:Call oleaut32.SysFreeString(016572bc L"5589E583C4F85731C08945FC8945F8EB0EE80000000083F802742185C07424E830000000837DF800750AE838000000E84D0000005F8B45FCC9C21000E826000000EBF168000000006AFCFF7508E800000000EBE031D24ABF00000000B900000000E82D000000C3FF7514FF7510FF750CFF75086800000000E8000000008945FCC331D2BF00000000B900000000E801000000C3E33209C"...) ret=660e60c0
...
--- snip ---
Subclassing once more (old = 01657050, new = 2b28ba46)...
--- snip ---
0023:Call user32.SetWindowLongA(0003036e,fffffffc,2b28ba46) ret=2b28b5d9
0023:trace:win:WIN_SetWindowLong 0x3036e -4 2b28ba46 A
0023:trace:win:alloc_winproc reusing 0xffff0069 for 0x2b28ba46
0023:Ret user32.SetWindowLongA() retval=01657050 ret=2b28b5d9
...
0023:Call user32.CallWindowProcA(01657050,0003036e,00000055,00060372,00000003) ret=2b28bdee
0023:Call window proc 0x1657050 (hwnd=0x3036e,msg=WM_NOTIFYFORMAT,wp=00060372,lp=00000003)
0023:Call user32.CallWindowProcA(6605f626,0003036e,00000055,00060372,00000003) ret=016570cd
0023:Call window proc 0x6605f626 (hwnd=0x3036e,msg=WM_NOTIFYFORMAT,wp=00060372,lp=00000003)
...
0023:Call user32.CallWindowProcA(01657050,0003036e,00000046,00000000,0032ebc8) ret=2b28bdee
0023:Call window proc 0x1657050 (hwnd=0x3036e,msg=WM_WINDOWPOSCHANGING,wp=00000000,lp=0032ebc8)
0023:Call user32.CallWindowProcA(6605f626,0003036e,00000046,00000000,0032ebc8) ret=016570cd
0023:Call window proc 0x6605f626 (hwnd=0x3036e,msg=WM_WINDOWPOSCHANGING,wp=00000000,lp=0032ebc8)
--- snip ---
Destruction of windows/controls and restoration of old window proc:
NOTE: the subclassed window proc thunk memory is released here!
--- snip ---
...
0023:Call user32.SetWindowLongA(0003036e,fffffffc,6605f626) ret=0081c270
0023:trace:win:WIN_SetWindowLong 0x3036e -4 6605f626 A
0023:trace:win:alloc_winproc reusing 0xffff0028 for 0x6605f626
0023:Ret user32.SetWindowLongA() retval=2b28ba46 ret=0081c270
...
0023:Call ntdll.RtlMoveMemory(016570ad,0032f0d8,00000004) ret=0081c89d
0023:Ret ntdll.RtlMoveMemory() retval=016570ad ret=0081c89d
...
0023:Call ntdll.RtlMoveMemory(016570d9,0032f0d8,00000004) ret=0081c89d
0023:Ret ntdll.RtlMoveMemory() retval=016570d9 ret=0081c89d
...
0023:Call KERNEL32.GlobalFree(01657050) ret=0081c2a6
0023:Ret KERNEL32.GlobalFree() retval=00000000 ret=0081c2a6
...
0023:Ret window proc 0x6605f626 (hwnd=0x3036e,msg=WM_DESTROY,wp=00000000,lp=00000000) retval=00000000
0023:trace:win:WIN_DestroyWindow 0x3036e
0023:trace:msg:WINPROC_CallProcWtoA (hwnd=0x3036e,msg=WM_NCDESTROY,wp=00000000,lp=00000000)
0023:Call window proc 0x6605f626 (hwnd=0x3036e,msg=WM_NCDESTROY,wp=00000000,lp=00000000)
...
0023:Call user32.DefWindowProcA(0003036e,00000082,00000000,00000000) ret=6605d591
0023:Ret user32.DefWindowProcA() retval=00000000 ret=6605d591
0023:Ret window proc 0x6605f626 (hwnd=0x3036e,msg=WM_NCDESTROY,wp=00000000,lp=00000000) retval=00000000
0023:trace:win:dc_hook hDC = 0xc534, 1
0023:Ret user32.DestroyWindow() retval=00000001 ret=6605b4f6
--- snip ---
What the thunk looks like (virtual addresses from another run = don't match with other trace snippets):
--- snip ---
0165A040 55            PUSH EBP
0165A041 89E5          MOV EBP,ESP
0165A043 83C4 F8       ADD ESP,-8
0165A046 57            PUSH EDI
...
0165A0FF 8B00          MOV EAX,DWORD PTR DS:[EAX]
0165A101 FF90 A4070000 CALL DWORD PTR DS:[EAX+7A4]
0165A107 C3            RETN
--- snip ---
Memory dump while the thunk was intact (virtual addresses from another run = don't match with other trace snippets):
--- snip ---
0165F780 000000C8 <len>
0165F784 00455355 USE <magic>
0165F788 83E58955 <window proc start>
0165F78C 3157F8C4
...
0165F844 8B500000
0165F848 A490FF00
0165F84C C3000007 <window proc start end = ret opcode>
0165F850 00000071 <len>
0165F854 45455246 FREE <magic>
0165F858 001100E8
0165F85C 001100D8
0165F860 00000000
--- snip ---
When the window proc memory chunk was marked free, the "c3" opcode = "ret" is overwritten which leads to the crash after returning from call "CALL DWORD PTR DS:[EAX+7A4]" (0165A101).
A window/control hierarchy destruction sequence happens while in nested message handling for WM_LBUTTONUP ("about" dialog, tooltip).
Either the nested message handling (COMCTL32_SubclassProc) has a bug or this might be an application bug which is hidden in Windows due to different heap management (ret opcode not immediately overwritten upon heap free operation, allowing the window proc to return to its caller).
$ sha1sum "Vit Registry Fix Free Edition Setup.exe"
0319916dff8a57ab11a1796f3fff817379936fae  Vit Registry Fix Free Edition Setup.exe

$ wine --version
wine-1.3.34-353-g6fe14a0
Regards
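The lifetime the snippets above document (GlobalAlloc of the thunk, SetWindowLongA with GWL_WNDPROC, nested dispatch, GlobalFree, then the fault inside the freed block) can be checked mechanically over a relay log. The scanner below is an added example, not code from this report or from Wine; it assumes the +relay/+seh line shapes quoted above and GWL_WNDPROC = -4, and runs on a constructed, shortened trace modelled on those snippets.

```python
# Added example: flag a window-proc thunk GlobalFree'd while still on the call stack.
import re

RE_CALL = re.compile(r"Call \w+\.(\w+)\(([^)]*)\) ret=")
RE_RET = re.compile(r"Ret \w+\.(\w+)\(\) retval=([0-9a-fA-F]+)")
RE_WP = re.compile(r"(Call|Ret) window proc 0x([0-9a-fA-F]+) \(")
RE_SEH = re.compile(r"raise_exception code=([0-9a-fA-F]+).*?addr=0x([0-9a-fA-F]+)")
GWL_WNDPROC = 0xFFFFFFFC  # -4; the relay log prints it as fffffffc

def in_block(addr, blocks):
    # base of the block (base -> size) that contains addr, or None
    return next((b for b, s in blocks.items() if b <= addr < b + s), None)

def analyze(lines):
    live, freed, thunks, active, findings, size = {}, {}, set(), [], [], None
    for line in lines:
        if m := RE_CALL.search(line):
            func, args = m.group(1), m.group(2).split(",")
            if func == "GlobalAlloc":
                size = int(args[1], 16)                   # kept until the Ret line
            elif func == "SetWindowLongA" and int(args[1], 16) == GWL_WNDPROC:
                if in_block(int(args[2], 16), live) is not None:
                    thunks.add(int(args[2], 16))          # window proc lives in heap memory
            elif func == "GlobalFree" and int(args[0], 16) in live:
                base = int(args[0], 16)
                freed[base] = live.pop(base)
                if base in thunks and base in active:     # freed during its own dispatch
                    findings.append("thunk 0x%x freed while still executing (depth %d)"
                                    % (base, len(active)))
        elif (m := RE_RET.search(line)) and m.group(1) == "GlobalAlloc":
            live[int(m.group(2), 16)] = size
        elif m := RE_WP.search(line):
            proc = int(m.group(2), 16)
            if m.group(1) == "Call":
                active.append(proc)                       # nested message handling: push
            elif active and active[-1] == proc:
                active.pop()
        elif (m := RE_SEH.search(line)) and in_block(int(m.group(2), 16), freed) is not None:
            findings.append(f"exception {m.group(1)} at 0x{int(m.group(2), 16):x} inside freed thunk")
    return findings

# Constructed sample modelled on the report's snippets (shortened, not verbatim).
SAMPLE_TRACE = """\
0023:Call KERNEL32.GlobalAlloc(00000000,000000c8) ret=0081bf65
0023:Ret KERNEL32.GlobalAlloc() retval=01657050 ret=0081bf65
0023:Call user32.SetWindowLongA(0003036e,fffffffc,01657050) ret=0081bf84
0023:Call window proc 0x1657050 (hwnd=0x3036e,msg=WM_LBUTTONUP,wp=00000000,lp=00020029)
0023:Call window proc 0x6605f626 (hwnd=0x3036e,msg=WM_LBUTTONUP,wp=00000000,lp=00020029)
0023:Call KERNEL32.GlobalFree(01657050) ret=0081c2a6
0023:Ret window proc 0x6605f626 (hwnd=0x3036e,msg=WM_LBUTTONUP,wp=00000000,lp=00020029) retval=00000000
0023:trace:seh:raise_exception code=c0000005 flags=0 addr=0x1657117 ip=01657117 tid=0023
""".splitlines()
```

Running `analyze(SAMPLE_TRACE)` yields two findings: the thunk freed at nesting depth 2 and the c0000005 fault landing inside that freed block, which is the correlation the report makes by hand.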
Anastasius Focht focht@gmx.net changed:
What          |Removed |Added
----------------------------------------------------------------------------
Keywords      |        |download
URL           |        |http://www.vitsoft.org.ua/Download/Vit%20Registry%20Fix%20Free%20Edition%20Setup.exe
--- Comment #1 from Anastasius Focht focht@gmx.net 2011-12-16 11:36:00 CST ---
Hello,
filling fields ...
Regards
--- Comment #2 from Dmitry Timoshkov dmitry@baikal.ru 2011-12-20 07:45:57 CST ---
It would be interesting to test it with native oleaut32 or comctl32.
--- Comment #3 from Anastasius Focht focht@gmx.net 2011-12-20 12:07:50 CST ---
Hello Dmitry,
--- quote ---
It would be interesting to test it with native oleaut32 or comctl32.
--- quote ---
'winetricks comctl32' doesn't help here, the backtrace looks pretty similar to Wine builtin:
--- snip ---
=>0 0x016685a7 (0x0032e6b8)
  1 0x722032d2 WINPROC_wrapper+0x19() in user32 (0x0032e6e8)
  2 0x72203427 call_window_proc+0xcd(hwnd=0x10356, msg=0x202, wp=0, lp=0xb0028, result=0x32f078, arg=0x16684e0) [/home/focht/projects/wine/wine-git/dlls/user32/winproc.c:242] in user32 (0x0032e738)
  3 0x7220557e WINPROC_CallProcWtoA+0xe71(callback=0x72203359, hwnd=0x10356, msg=0x202, wParam=0, lParam=0xb0028, result=0x32f078, arg=0x16684e0) [/home/focht/projects/wine/wine-git/dlls/user32/winproc.c:857] in user32 (0x0032f048)
  4 0x72205a5d CallWindowProcW+0x11f(func=0xffff0062, hwnd=0x10356, msg=0x202, wParam=0, lParam=0xb0028) [/home/focht/projects/wine/wine-git/dlls/user32/winproc.c:986] in user32 (0x0032f088)
  5 0x71595723 in comctl32 (+0x5722) (0x0032f0a4)
  6 0x71595642 in comctl32 (+0x5641) (0x0032f100)
  7 0x71595701 in comctl32 (+0x5700) (0x0032f124)
  8 0x715b72ba in comctl32 (+0x272b9) (0x0032f140)
  9 0x71595642 in comctl32 (+0x5641) (0x0032f19c)
  10 0x71595562 in comctl32 (+0x5561) (0x0032f1f8)
  11 0x722032d2 WINPROC_wrapper+0x19() in user32 (0x0032f228)
  12 0x72203427 call_window_proc+0xcd(hwnd=0x10356, msg=0x202, wp=0, lp=0xb0028, result=0x32fcc8, arg=0x715954dd) [/home/focht/projects/wine/wine-git/dlls/user32/winproc.c:242] in user32 (0x0032f278)
  13 0x722046e0 WINPROC_CallProcAtoW+0xf3a(callback=0x72203359, hwnd=0x10356, msg=0x202, wParam=0, lParam=0xb0028, result=0x32fcc8, arg=0x715954dd, mapping=WMCHAR_MAP_DISPATCHMESSAGE) [/home/focht/projects/wine/wine-git/dlls/user32/winproc.c:601] in user32 (0x0032fb98)
  14 0x722057f7 WINPROC_call_window+0x255(hwnd=0x10356, msg=0x202, wParam=0, lParam=0xb0028, result=0x32fcc8, unicode=0, mapping=WMCHAR_MAP_DISPATCHMESSAGE) [/home/focht/projects/wine/wine-git/dlls/user32/winproc.c:910] in user32 (0x0032fbe8)
  15 0x721c834c DispatchMessageA+0x17d(msg=0x32fd10) [/home/focht/projects/wine/wine-git/dlls/user32/message.c:3742] in user32 (0x0032fcf8)
  16 0x6600a4a3 in msvbvm60 (+0xa4a2) (0x0032fd38)
  17 0x6600a41a in msvbvm60 (+0xa419) (0x0032fd7c)
  18 0x6600a2f8 in msvbvm60 (+0xa2f7) (0x6601a098)
  19 0x66006ba7 in msvbvm60 (+0x6ba6) (0x660c7f80)
--- snip ---
Using native override (VB6 runtime provides oleaut32):
--- snip ---
$ WINEDLLOVERRIDES="oleaut32=n" wine ./Vit\ Registry\ Fix\ 9.5.exe
fixme:storage:create_storagefile Storage share mode not implemented.
wine: Unhandled page fault on read access to 0x00000014 at address 0x66063fea (thread 0009), starting debugger...
Unhandled exception: page fault on read access to 0x00000014 in 32-bit code (0x66063fea).
err:dbghelp:pe_load_dbg_file Couldn't find .DBG file "DLL\MSVBVM60.dbg" ("")
...
Backtrace:
=>0 0x66063fea in msvbvm60 (+0x63fea) (0x0032eb00)
  1 0x660688ac in msvbvm60 (+0x688ab) (0x0032eb28)
  2 0x66068a8f in msvbvm60 (+0x68a8e) (0x0032eb58)
  3 0x660ca35d in msvbvm60 (+0xca35c) (0x0032eba0)
  4 0x660ca5de in msvbvm60 (+0xca5dd) (0x0032ebcc)
  5 0x660ca564 in msvbvm60 (+0xca563) (0x0032ebfc)
--- snip ---
completely breaks the app/vb6 runtime at startup (with or without comctl32 override).
Regards
--- Comment #4 from Dmitry Timoshkov dmitry@baikal.ru 2012-01-15 01:54:20 CST ---
Does using native comctl32 or oleaut32 help?
--- Comment #5 from Dmitry Timoshkov dmitry@baikal.ru 2012-01-15 01:56:41 CST ---
I'd guess this is an application bug described in bug 13152, i.e. it calls oleaut32.SysFreeString(), and the "freed" memory stays in the oleaut32 cache, while it's freed immediately in Wine's oleaut32.
Anastasius Focht focht@gmx.net changed:
What          |Removed |Added
----------------------------------------------------------------------------
Status        |NEW     |RESOLVED
Resolution    |        |FIXED
--- Comment #6 from Anastasius Focht focht@gmx.net 2013-05-03 04:57:06 CDT ---
Hello folks,
revisiting, it seems the bug is gone. Closing "about" dialog doesn't crash the app.
Unfortunately it's not clear if the fix was on app side or Wine. I didn't manage to dig out the original version of the app this bug was reported against. The current version is "9.5.6" and has a different checksum.
Setting OANOCACHE environment variable doesn't make a difference so the fix might be on app side.
$ wine --version
wine-1.5.29-107-gb94cfaf
Regards
Alexandre Julliard julliard@winehq.org changed:
What          |Removed  |Added
----------------------------------------------------------------------------
Status        |RESOLVED |CLOSED
--- Comment #7 from Alexandre Julliard julliard@winehq.org 2013-05-10 13:41:58 CDT ---
Closing bugs fixed in 1.5.30.
Anastasius Focht focht@gmx.net changed:
What |Removed                                                                              |Added
----------------------------------------------------------------------------
URL  |http://www.vitsoft.org.ua/Download/Vit%20Registry%20Fix%20Free%20Edition%20Setup.exe |https://web.archive.org/web/20110809180917/http://www.vitsoft.org.ua/Download/Vit%20Registry%20Fix%20Free%20Edition%20Setup.exe