https://bugs.winehq.org/show_bug.cgi?id=37563
Bug ID: 37563
Summary: Skype crashes trying to make an audio call
Product: Wine
Version: 1.7.31
Hardware: x86
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: -unknown
Assignee: wine-bugs@winehq.org
Reporter: t.artem@mailcity.com
Distribution: Red Hat
Unhandled exception: page fault on execute access to 0x00000204 in 32-bit code (0x00000204).
Register dump:
 CS:0073 SS:007b DS:007b ES:007b FS:0033 GS:003b
 EIP:00000204 ESP:0c60e58c EBP:0c60e584 EFLAGS:00210246( R- -- I Z- -P- )
 EAX:00000000 EBX:00000000 ECX:00000000 EDX:00000204
 ESI:0c60e584 EDI:0c60e584
Stack dump:
0x0c60e58c: 00000001 000003e8 00000000 00989680
0x0c60e59c: 00000000 00000000 00000000 036ec4a0
0x0c60e5ac: 00000000 a9948572 006d1f0d 00000000
0x0c60e5bc: 036ec478 0021ce20 00000000 00033d11
0x0c60e5cc: 00000000 00000000 00000352 00000000
0x0c60e5dc: 00033d03 00000000 036ed128 00000154
Backtrace:
=>0 0x00000204 (0x0c60e584)
  1 0x00000204 (0x0c60e584)
  ...
  200 0x00000204 (0x0c60e584)
0x00000204: -- no code accessible --
Modules: <cut>
I cannot debug Skype further because it crashes immediately when being run under winedbg.
P.S. Make sure you deleted login.cab before trying to debug this issue (proper HTML support is not yet there, see bug 28457).
Skype version: 6.21.32.104
--- Comment #1 from Nikolay Sivov bunglehead@gmail.com ---
Did you see a stop sign? In any case don't paste logs, backtraces or any huge chunks of text in comments. Removing application files like login.cab is not an option, you need to work around the mshtml issue and try with all files present. Otherwise removing it potentially invalidates your report.
--- Comment #2 from Artem S. Tashkinov t.artem@mailcity.com ---
Setting Windows version to 8.1 fixes the problem.
Guillaume Charifi guillaume.charifi@sfr.fr changed:
What    |Removed |Added
----------------------------------------------------------------------------
CC      |        |guillaume.charifi@sfr.fr
--- Comment #3 from Guillaume Charifi guillaume.charifi@sfr.fr ---
(In reply to Nikolay Sivov from comment #1)
> Did you see a stop sign? In any case don't paste logs, backtraces or any huge chunks of text in comments. Removing application files like login.cab is not an option, you need to work around the mshtml issue and try with all files present. Otherwise removing it potentially invalidates your report.
Login.cab is only related to login page. I can assert that it is not linked at all to this bug (it did not exist in an earlier version of Skype). By the way, by passing /legacylogin parameter to Skype, you get exactly the same problem, without deleting login.cab.
--- Comment #4 from Artem S. Tashkinov t.artem@mailcity.com ---
(In reply to Guillaume Charifi from comment #3)
> Login.cab is only related to login page. I can assert that it is not linked at all to this bug (it did not exist in an earlier version of Skype). By the way, by passing /legacylogin parameter to Skype, you get exactly the same problem, without deleting login.cab.
This switch is very hard to find and even harder to remember. ;-)
Deleting login.cab is a no-brainer )))
--- Comment #5 from Artem S. Tashkinov t.artem@mailcity.com ---
(In reply to Nikolay Sivov from comment #1)
> Did you see a stop sign? In any case don't paste logs, backtraces or any huge chunks of text in comments. Removing application files like login.cab is not an option, you need to work around the mshtml issue and try with all files present. Otherwise removing it potentially invalidates your report.
No login.cab and /legacylogin are actually the same in regard to Skype crashes and behavior.
--- Comment #6 from Artem S. Tashkinov t.artem@mailcity.com ---
(In reply to Nikolay Sivov from comment #1)
> Did you see a stop sign? In any case don't paste logs, backtraces or any huge chunks of text in comments. Removing application files like login.cab is not an option, you need to work around the mshtml issue and try with all files present. Otherwise removing it potentially invalidates your report.
I dislike such an attitude actually.
Bug 28457 has been open for three years already and you sound like if this bug is unresolved, I shouldn't even try to use the applications that depend on proper MSHTML behavior.
If you are sick and tired of Skype bug reports then let me explain why I want it badly to be functional under Wine. Microsoft royally f*cked Linux users when they forced Pulse Audio on us and removed ALSA support in the latest (and the only working) Skype version. You see, Wine is unfortunate enough to run on a totally unstable platform but if you decided to put your efforts into developing Wine, you should accept the fact that Linux is a total mess: https://bitly.com/gBOiz6
Again I'm sorry for spamming Wine's mailing list.
--- Comment #7 from Nikolay Sivov bunglehead@gmail.com ---
(In reply to Artem S. Tashkinov from comment #6)
> (In reply to Nikolay Sivov from comment #1)
> > Did you see a stop sign? In any case don't paste logs, backtraces or any huge chunks of text in comments. Removing application files like login.cab is not an option, you need to work around the mshtml issue and try with all files present. Otherwise removing it potentially invalidates your report.
>
> I dislike such an attitude actually.
>
> Bug 28457 has been open for three years already and you sound like if this bug is unresolved, I shouldn't even try to use the applications that depend on proper MSHTML behavior.
> <..skipped..>

I see no logic in that conclusion. I never said you should wait for another bug to be fixed before reporting the next issue.
--- Comment #8 from Artem S. Tashkinov t.artem@mailcity.com ---
(In reply to Nikolay Sivov from comment #7)
> I see no logic in that conclusion. I never said you should wait for another bug to be fixed before reporting the next issue.
Really?
How about:
> Removing application files like login.cab is not an option, you need to work around the mshtml issue and try with all files present. Otherwise removing it potentially invalidates your report.
I actually worked around login.cab while retaining the app functions. Besides if Skype is fully functional even without this file, it might be because this file is 100% optional.
Artem S. Tashkinov t.artem@mailcity.com changed:
What    |Removed |Added
----------------------------------------------------------------------------
Keywords|        |download
URL     |        |http://download.skype.com/a22041668cd904272aeed6da1d43a7a0/SkypeSetup.msi
Anastasius Focht focht@gmx.net changed:
What          |Removed                     |Added
----------------------------------------------------------------------------
Status        |UNCONFIRMED                 |NEW
CC            |                            |focht@gmx.net
Component     |-unknown                    |richedit
Summary       |Skype crashes trying to     |Skype 6.x crashes trying to
              |make an audio call          |make an audio call
              |                            |(DestroyIRichEditOle must
              |                            |take reference count into
              |                            |account)
Ever confirmed|0                           |1
--- Comment #9 from Anastasius Focht focht@gmx.net ---
Hello folks,
confirming.
--- quote ---
I cannot debug Skype further because it crashes immediately when being run under winedbg.
--- quote ---
That's expected. Skype employs some basic anti-debug measures which can be worked around easily though :)
--- snip ---
0023:Starting process L"C:\Program Files\Skype\Phone\Skype.exe" (entryproc=0x5bb288)
...
21925.104:0023:Call KERNEL32.CreateFileW(00335ebc L"\\.\NTICE",00000000,00000000,00000000,00000003,00000000,00000000) ret=005a5658
21925.104:0023:Ret KERNEL32.CreateFileW() retval=ffffffff ret=005a5658
21925.104:0023:Call KERNEL32.CreateFileW(00335ebc L"\\.\Siwvid",00000000,00000000,00000000,00000003,00000000,00000000) ret=005a5695
21925.104:0023:Ret KERNEL32.CreateFileW() retval=ffffffff ret=005a5695
...
21926.429:0023:Call KERNEL32.IsDebuggerPresent() ret=00d3b719
21926.429:0023:Ret KERNEL32.IsDebuggerPresent() retval=00000000 ret=00d3b719
...
21981.861:002d:Call KERNEL32.IsDebuggerPresent() ret=0061648b
21981.861:002d:Ret KERNEL32.IsDebuggerPresent() retval=00000000 ret=0061648b
...
21981.880:002d:Call KERNEL32.IsDebuggerPresent() ret=0061648b
21981.880:002d:Ret KERNEL32.IsDebuggerPresent() retval=00000000 ret=0061648b
...
21982.793:002d:Call KERNEL32.IsDebuggerPresent() ret=0061648b
21982.793:002d:Ret KERNEL32.IsDebuggerPresent() retval=00000000 ret=0061648b
...
21983.129:002f:Call KERNEL32.IsDebuggerPresent() ret=0061648b
21983.129:002f:Ret KERNEL32.IsDebuggerPresent() retval=00000000 ret=0061648b
...
21983.133:002d:Call KERNEL32.IsDebuggerPresent() ret=0061648b
21983.133:002d:Ret KERNEL32.IsDebuggerPresent() retval=00000000 ret=0061648b
...
<attach debugger>
...
22043.920:002d:Call KERNEL32.IsDebuggerPresent() ret=0061648b
22043.920:002d:Ret KERNEL32.IsDebuggerPresent() retval=00000001 ret=0061648b <detected>
22043.920:002d:trace:seh:raise_exception code=c0000005 flags=0 addr=0x204 ip=00000204 tid=002d
22043.920:002d:trace:seh:raise_exception info[0]=00000008
22043.920:002d:trace:seh:raise_exception info[1]=00000204
22043.920:002d:trace:seh:raise_exception eax=00000000 ebx=00000000 ecx=00000000 edx=00000204 esi=0600e4d0 edi=0600e4d0
22043.920:002d:trace:seh:raise_exception ebp=00000025 esp=0600e4d8 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010246
22043.920:002d:trace:seh:call_stack_handlers calling handler at 0x7bc9e6e7 code=c0000005 flags=0
22043.921:002d:Call KERNEL32.UnhandledExceptionFilter(0600dfa4) ret=7bc9e721
22043.921:002d:Ret KERNEL32.UnhandledExceptionFilter() retval=00000000 ret=7bc9e721
22043.921:002d:trace:seh:call_stack_handlers handler at 0x7bc9e6e7 returned 1
--- snip ---
Multiple threads have a check for debuggers at code paths that are called periodically.
Anyway, now to the real issue here...
--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files/Skype/Phone

$ WINEDEBUG=+tid,+seh,+relay,+richedit wine ./Skype.exe /legacylogin >>log.txt 2>&1
...
0023:Call KERNEL32.LoadLibraryW(004b6a10 L"RICHED20.DLL") ret=004b69b9
0023:Call PE DLL (proc=0x7a4b2ccc,module=0x7a470000 L"riched20.dll",reason=PROCESS_ATTACH,res=(nil))
...
0023:Ret KERNEL32.LoadLibraryW() retval=7a470000 ret=004b69b9
...
0023:Call KERNEL32.LoadLibraryW(017eb210 L"MSFTEDIT.DLL") ret=017eb1ff
0023:Call PE DLL (proc=0x7aa4d870,module=0x7aa40000 L"msftedit.dll",reason=PROCESS_ATTACH,res=(nil))
...
0023:Ret KERNEL32.LoadLibraryW() retval=7aa40000 ret=017eb1ff
0023:Call user32.GetClassInfoW(00400000,017ed23c L"RICHEDIT50W",0033ead8) ret=004f4ed2
0023:Ret user32.GetClassInfoW() retval=0000c098 ret=004f4ed2
0023:Call user32.GetClassInfoW(00400000,0033eb00 L"TChatRichEdit",0033ea8c) ret=004f5172
0023:Ret user32.GetClassInfoW() retval=00000000 ret=004f5172
0023:Call user32.RegisterClassW(0033ead8) ret=004f51bc
0023:Ret user32.RegisterClassW() retval=0000c09b ret=004f51bc
0023:Call user32.CreateWindowExW(00000000,0033eb00 L"TChatRichEdit",0048a85c L"",44210044,0000000c,0000000a,00000134,00000025,00010150,00000000,00400000,00000000) ret=0040eb98
...
0023:trace:richedit:RichEditWndProc_common WM_NCCREATE: hWnd 0x10154 style 0x44210044
...
0023:trace:richedit:IRichEditOleImpl_inner_fnAddRef 0x8d934e0 ref = 2
0023:trace:richedit:RichEditWndProc_common exit hwnd 0x10154 msg 043c (EM_GETOLEINTERFACE) 0 71454a4, unicode 1 -> 1
0023:Ret window proc 0x7a48e304 (hwnd=0x10154,msg=WM_USER+60,wp=00000000,lp=071454a4) retval=00000001
0023:Ret user32.CallWindowProcW() retval=00000001 ret=004f663d
0023:Ret window proc 0x380c61 (hwnd=0x10154,msg=WM_USER+60,wp=00000000,lp=071454a4) retval=00000001
0023:Ret user32.SendMessageW() retval=00000001 ret=017ed432
0023:trace:richedit:IRichEditOleImpl_inner_fnAddRef 0x8d934e0 ref = 3
0023:trace:richedit:IRichEditOleImpl_inner_fnAddRef 0x8d934e0 ref = 4
0023:fixme:richedit:IRichEditOle_fnGetObjectCount stub 0x8d934e0
0023:trace:richedit:IRichEditOleImpl_inner_fnRelease 0x8d934e0 ref=3
0023:trace:richedit:IRichEditOleImpl_inner_fnRelease 0x8d934e0 ref=2
...
0023:Call user32.DestroyWindow(001d0148) ret=004f558d
...
0023:Call user32.CallWindowProcW(7a48e304,00010154,00000002,00000000,00000000) ret=004f663d
0023:Call window proc 0x7a48e304 (hwnd=0x10154,msg=WM_DESTROY,wp=00000000,lp=00000000)
0023:trace:richedit:RichEditWndProc_common enter hwnd 0x10154 msg 0002 () 0 0, unicode 1
0023:Call user32.GetWindowLongW(00010154,00000000) ret=7a48dd66
0023:Ret user32.GetWindowLongW() retval=08d928e8 ret=7a48dd66
0023:trace:richedit:ME_EmptyUndoStack Emptying undo stack
...
0023:trace:richedit:ME_ReleaseStyle all style references freed (good!)
...
0023:trace:richedit:DestroyIRichEditOle Destroying 0x8d934e0
...
0023:trace:richedit:RichEditWndProc_common exit hwnd 0x10154 msg 0002 () 0 0, unicode 1 -> 0
...
0023:trace:richedit:IRichEditOleImpl_inner_fnAddRef 0x8d934e0 ref = 4
0023:trace:richedit:IRichEditOleImpl_inner_fnAddRef 0x8d934e0 ref = 5
0023:fixme:richedit:IRichEditOle_fnGetObjectCount stub 0x8d934e0
0023:trace:richedit:IRichEditOleImpl_inner_fnRelease 0x8d934e0 ref=4
0023:trace:richedit:IRichEditOleImpl_inner_fnRelease 0x8d934e0 ref=3
...
0023:Call user32.GetClassInfoW(00400000,00489bd0 L"EDIT",0033ee64) ret=004f4ed2
0023:Ret user32.GetClassInfoW() retval=0000c012 ret=004f4ed2
0023:Call user32.GetClassInfoW(00400000,004b6a2c L"RICHEDIT20W",0033ee64) ret=004f4ed2
0023:Ret user32.GetClassInfoW() retval=0000c097 ret=004f4ed2
0023:Call user32.GetClassInfoW(00400000,017ed23c L"RICHEDIT50W",0033ee64) ret=004f4ed2
0023:Ret user32.GetClassInfoW() retval=0000c098 ret=004f4ed2
0023:Call user32.GetClassInfoW(00400000,0033ee8c L"TChatRichEdit",0033ee18) ret=004f5172
0023:Ret user32.GetClassInfoW() retval=0000c09b ret=004f5172
0023:Call user32.CreateWindowExW(00000000,0033ee8c L"TChatRichEdit",0048a85c L"",44210044,0000000c,0000000a,0000027e,00000025,0002014c,00000000,00400000,00000000) ret=0040eb98
...
0023:trace:richedit:ME_UpdateScrollBar min=0 max=4 page=636
0023:trace:richedit:ME_UpdateScrollBar min=0 max=16 page=37
...
0023:trace:richedit:ME_UpdateScrollBar min=0 max=4 page=609
0023:trace:richedit:ME_UpdateScrollBar min=0 max=16 page=27
...
0023:trace:richedit:RichEditWndProc_common exit hwnd 0x2014a msg 00b3 (EM_SETRECT) 0 33cf38, unicode 1 -> 0
0023:Ret window proc 0x7a48e304 (hwnd=0x2014a,msg=EM_SETRECT,wp=00000000,lp=0033cf38) retval=00000000
0023:Ret user32.CallWindowProcW() retval=00000000 ret=004f663d
0023:Ret window proc 0x380c61 (hwnd=0x2014a,msg=EM_SETRECT,wp=00000000,lp=0033cf38) retval=00000000
0023:Ret user32.SendMessageW() retval=00000000 ret=019b7d07
0023:trace:seh:raise_exception code=c0000005 flags=0 addr=0x8d90118 ip=08d90118 tid=0023
0023:trace:seh:raise_exception info[0]=00000008
0023:trace:seh:raise_exception info[1]=08d90118
0023:trace:seh:raise_exception eax=08d90128 ebx=07145180 ecx=00000000 edx=08d934e4 esi=0033cf18 edi=00000001
0023:trace:seh:raise_exception ebp=0033cf68 esp=0033cee4 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010206
0023:trace:seh:call_stack_handlers calling handler at 0x17ee6df code=c0000005 flags=0
0023:trace:seh:call_stack_handlers handler at 0x17ee6df returned 1
0023:trace:seh:call_stack_handlers calling handler at 0x4f5bf3 code=c0000005 flags=0
0023:trace:seh:call_stack_handlers handler at 0x4f5bf3 returned 1
0023:trace:seh:call_stack_handlers calling handler at 0x4f5c04 code=c0000005 flags=0
...
<double fault due to exception handling>
--- snip ---
The app creates and destroys RichEdit control(s) while holding explicit references via 'EM_GETOLEINTERFACE' and 'riched20.IRichEditOle_fnAddRef' to the COM object in between.
--- snip ---
017ED41D PUSH EAX
017ED41E PUSH 0
017ED420 PUSH 43C
017ED425 MOV EAX,EBX
017ED427 CALL Skype.004F9304
017ED42C PUSH EAX
017ED42D CALL Skype.0040E968 ; JMP to OFFSET user32.SendMessageW
017ED432 CMP DWORD PTR DS:[EBX+324],0
017ED439 JNZ SHORT Skype.017ED447
017ED43B MOV EDX,Skype.017ED464 ; "EM_GETOLEINTERFACE for RichEditOle failed"
017ED440 MOV EAX,EBX
017ED442 CALL Skype.00522908
017ED447 MOV EAX,ESI
017ED449 MOV EDX,DWORD PTR DS:[EBX+324]
017ED44F CALL Skype.0040B4FC
017ED454 POP ESI
017ED455 POP EBX
017ED456 RETN
...
0040B4FC TEST EDX,EDX
0040B4FE JE SHORT Skype.0040B519
0040B500 PUSH EDX
0040B501 PUSH EAX
0040B502 MOV EAX,DWORD PTR DS:[EDX]
0040B504 PUSH EDX
0040B505 CALL DWORD PTR DS:[EAX+4] ; riched20.IRichEditOle_fnAddRef
0040B508 POP EAX
0040B509 MOV ECX,DWORD PTR DS:[EAX]
0040B50B POP DWORD PTR DS:[EAX]
0040B50D TEST ECX,ECX
0040B50F JNZ SHORT Skype.0040B512
0040B511 RETN
...
--- snip ---
Wine frees everything in 'DestroyIRichEditOle', regardless of (external) reference count.
--- snip ---
Wine-dbg>bt
Backtrace:
=>0 0x7a0f9080 DestroyIRichEditOle+0x20(iface=0x179134e4) [/home/focht/projects/wine/wine.repo/src/dlls/riched20/richole.c:2373] in riched20 (0x0033e918)
1 0x7a0e08a5 ME_DestroyEditor+0x131(editor=0x179128e8) [/home/focht/projects/wine/wine.repo/src/dlls/riched20/editor.c:2892] in riched20 (0x0033e958)
2 0x7a0e4841 ME_HandleMessage+0x3a60(editor=0x179128e8, msg=0x2, wParam=0, lParam=0, unicode=0x1, phresult=0x33ef50) [/home/focht/projects/wine/wine.repo/src/dlls/riched20/editor.c:4111] in riched20 (0x0033eeb8)
3 0x7a0e6249 RichEditWndProc_common+0x58c(hWnd=0x10136, msg=0x2, wParam=0, lParam=0, unicode=0x1) [/home/focht/projects/wine/wine.repo/src/dlls/riched20/editor.c:4679] in riched20 (0x0033ef98)
4 0x7a0e6354 RichEditWndProcW+0x4f(hWnd=0x10136, msg=0x2, wParam=0, lParam=0) [/home/focht/projects/wine/wine.repo/src/dlls/riched20/editor.c:4699] in riched20 (0x0033efd8)
5 0x7ea22f9a WINPROC_wrapper+0x19() in user32 (0x0033f008)
6 0x7ea2310f call_window_proc+0xcc(hwnd=0x10136, msg=0x2, wp=0, lp=0, result=0x33f078, arg=0x7a0e6304) [/home/focht/projects/wine/wine.repo/src/dlls/user32/winproc.c:245] in user32 (0x0033f048)
7 0x7ea25563 CallWindowProcW+0x69(func=0x7a0e6304, hwnd=0x10136, msg=0x2, wParam=0, lParam=0) [/home/focht/projects/wine/wine.repo/src/dlls/user32/winproc.c:982] in user32 (0x0033f08c)
8 0x004f663d in skype (+0xf663c) (0x0033f220)
9 0x004f653d in skype (+0xf653c) (0x0033f26c)
10 0x017eea5d in skype (+0x13eea5c) (0x0033f2a0)
11 0x00450312 in skype (+0x50311) (0x0033f2b8)
Wine-dbg>p *This
{IUnknown_inner={lpVtbl=0x7a124904}, IRichEditOle_iface={lpVtbl=0x7a124960}, ITextDocument_iface={lpVtbl=0x7a124ac0}, outer_unk=0x179134e0, ref=0x3, editor=0x179128e8, txtSel=0x17913510, clientSite=0x17913528, rangelist={next=0x17913500, prev=0x17913500}}
--- snip ---
Heap block view (another run):
--- snip ---
0EE734D8 00000028
0EE734DC 00455355 ; 'USE' magic
0EE734E0 7A2CF904 ; riched20.reo_unk_vtbl
0EE734E4 7A2CF960 ; riched20.revt
0EE734E8 7A2CFAC0 ; riched20.tdvt
0EE734EC 0EE734E0
0EE734F0 00000002 ; ref
0EE734F4 0EE728E8
0EE734F8 0EE73510
0EE734FC 0EE73528
0EE73500 0EE73500
0EE73504 0EE73500
--- snip ---
Heap block view upon crash:
--- snip ---
0EE734D8 0010CB19
0EE734DC 45455246 ; 'FREE' magic
0EE734E0 0EE70088
0EE734E4 0EE70128 ; *boom*
0EE734E8 7A2CFAC0 ; riched20.tdvt
0EE734EC 0EE734E0
0EE734F0 00000003 ; ref
0EE734F4 0EE728E8
0EE734F8 0EE73510
0EE734FC 0EE73528
0EE73500 0EE73500
0EE73504 0EE73500
--- snip ---
IRichEditOleImpl vtable pointers get partially overwritten on heap after block reuse, causing a crash later when the app tries to access them.
'winetricks -q riched20' works around.
$ sha1sum SkypeSetup.msi
7b600669da6d47d9a89b2093fea845daa02c81a8 SkypeSetup.msi

$ du -sh SkypeSetup.msi
28M SkypeSetup.msi

$ wine --version
wine-1.7.31
Regards
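The lifetime rule diagnosed in comment #9 (a destroy path that frees a COM object while a client still holds a counted reference), as an added C sketch. It is not Wine's code and not the committed patch; all type and function names are hypothetical, and a counter stands in for the heap so the outcome can be checked without reading freed memory.

```c
/* Added illustration, not Wine source; every name here is hypothetical. */
#include <stdio.h>
#include <stdlib.h>

static int live_objects;   /* liveness check that never reads freed memory */
struct ole_obj {
    long ref;              /* COM-style reference count */
    struct editor *editor; /* back-pointer, NULL once the control is gone */
};
struct editor { struct ole_obj *ole; };   /* holds the control's own reference */

static long ole_release(struct ole_obj *o)
{
    long ref = --o->ref;
    if (ref == 0) { free(o); live_objects--; }   /* only the last holder frees */
    return ref;
}

/* A method the client may call at any time; -1 means the control is gone. */
static int ole_get_object_count(struct ole_obj *o) { return o->editor ? 0 : -1; }

static struct editor *editor_create(void)
{
    struct editor *ed = calloc(1, sizeof(*ed));
    struct ole_obj *o = calloc(1, sizeof(*o));
    if (!ed || !o) abort();
    o->ref = 1;            /* reference owned by the control */
    o->editor = ed;
    ed->ole = o;
    live_objects++;
    return ed;
}

/* EM_GETOLEINTERFACE analogue: hands out a counted reference. */
static struct ole_obj *editor_get_ole(struct editor *ed)
{
    ed->ole->ref++;
    return ed->ole;
}

/* "Before": frees the object regardless of outstanding references. */
static void editor_destroy_unconditional(struct editor *ed)
{
    free(ed->ole);         /* any client pointer now dangles */
    live_objects--;
    free(ed);
}

/* "After": detach the back-pointer, drop only the control's reference. */
static void editor_destroy_refcounted(struct editor *ed)
{
    ed->ole->editor = NULL;
    ole_release(ed->ole);
    free(ed);
}

/* Destroy the control while a client holds a reference; return live objects. */
static int survivors_after_destroy(int refcounted)
{
    struct editor *ed = editor_create();
    struct ole_obj *client = editor_get_ole(ed);   /* ref == 2 */
    int alive;
    if (refcounted) editor_destroy_refcounted(ed);
    else editor_destroy_unconditional(ed);
    alive = live_objects;
    if (refcounted) {      /* client is a valid pointer only on this path */
        if (ole_get_object_count(client) != -1) abort();
        ole_release(client);                       /* ref == 0, freed here */
    }
    return alive;
}

int main(void)
{
    printf("still allocated: unconditional=%d refcounted=%d\n",
           survivors_after_destroy(0), survivors_after_destroy(1));
    return 0;
}
```

In the unconditional case the count drops to zero while the client's pointer is still outstanding, which is the state the 'FREE' heap view above shows; the sketch deliberately never dereferences that pointer.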
--- Comment #10 from Guillaume Charifi guillaume.charifi@sfr.fr ---
Thanks for your detailed report Anastasius, I start working on it.
--- Comment #11 from Guillaume Charifi guillaume.charifi@sfr.fr ---
Could you please try this patch? (Worked for me) http://source.winehq.org/patches/data/107694
Sebastian Lackner sebastian@fds-team.de changed:
What    |Removed |Added
----------------------------------------------------------------------------
CC      |        |jactry92@gmail.com,
        |        |sebastian@fds-team.de
--- Comment #12 from Sebastian Lackner sebastian@fds-team.de ---
Ah, this line was very suspicious to me from the beginning.
I told Jactry about this possible problem, but he was convinced that it's not an issue: https://github.com/Jactry/wine/issues/6
Adding him here to this bug report.
--- Comment #13 from Bruno Jesus 00cpxxx@gmail.com ---
Patch committed: http://source.winehq.org/git/wine.git/?a=commit;h=27ac8d265ed12c4c6da3656531...
Anastasius Focht focht@gmx.net changed:
What         |Removed |Added
----------------------------------------------------------------------------
Fixed by SHA1|        |27ac8d265ed12c4c6da36565316ee13bf9bf9b06
Status       |NEW     |RESOLVED
Resolution   |---     |FIXED
--- Comment #14 from Anastasius Focht focht@gmx.net ---
Hello folks,
as expected the crash is gone :)
Fixed by commit http://source.winehq.org/git/wine.git/commitdiff/27ac8d265ed12c4c6da36565316...
Thanks Guillaume
Regards
Alexandre Julliard julliard@winehq.org changed:
What    |Removed  |Added
----------------------------------------------------------------------------
Status  |RESOLVED |CLOSED
--- Comment #15 from Alexandre Julliard julliard@winehq.org ---
Closing bugs fixed in 1.7.32.