http://bugs.winehq.org/show_bug.cgi?id=18114
Summary: rpcrt4.NdrDllCanUnloadNow: COM proxy/stub factory reference count eval incorrect (crashes Visual Studio 2005 on exit)
Product: Wine
Version: 1.1.19
Platform: Other
URL: http://download.microsoft.com/download/3/f/4/3f435aaa-49ce-44c3-a2cc-d40bca9af941/ENU/vcssetup.exe
OS/Version: other
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: -unknown
AssignedTo: wine-bugs@winehq.org
ReportedBy: focht@gmx.net
Hello,
a user reported multiple issues in bug 18106. I picked out the interesting one because it's actually a long-timer - present since the component exists - 2002 ;-)
--- quote ---
When exiting Visual C#, after the UI is closed, an error dialog pops up telling me "Microsoft Visual C# has encountered a problem and needs to close." I uncheck restart and click Don't Send. I've also attached a screenshot.
--- quote ---
WINEDEBUG=+tid,+seh,+ole trace gives:
--- snip ---
0009:fixme:shell:DllCanUnloadNow stub
0009:trace:ole:COMPOBJ_DllList_ReleaseRef freeing 0x51bc0000
0009:trace:ole:OleUninitialize ()
0009:trace:ole:CoUninitialize ()
0009:trace:ole:OleUninitialize ()
0009:trace:ole:OleUninitialize () - Freeing the last reference count
0009:trace:ole:OLEClipbrd_UnInitialize ()
0009:trace:ole:CoUninitialize ()
0009:trace:ole:apartment_release 800000009: after = 0
0009:trace:ole:apartment_release destroying apartment 0x134d38, oxid 800000009
0009:trace:ole:stub_manager_int_release after 0
0009:trace:ole:stub_manager_delete destroying 0xd7ff20 (oid=2)
0009:trace:ole:stub_manager_delete_ifstub m=0xd7ff20, m->oid=2, ipid={00000003-0009-0008-aca8-b13a1ed334ff}
0009:trace:ole:stub_manager_delete_ifstub ifstub->stubbuffer = 0xf7f7e8
0009:trace:ole:NdrCStdStubBuffer_Release (0xf7f7e8)->Release()
0009:trace:ole:CStdStubBuffer_Disconnect (0xf7f7e8)->Disconnect()
0009:trace:ole:CStdPSFactory_Release (0x62510954)->Release()
0009:trace:ole:stub_manager_delete_ifstub ifstub->iface = 0x8812d8
0009:trace:ole:stub_manager_delete_ifstub ifstub->chan = 0xf7f848
0009:trace:ole:stub_manager_delete_ifstub ifstub = 0xf7f808
0009:trace:ole:stub_manager_delete_ifstub m=0xd7ff20, m->oid=2, ipid={00000001-0009-0008-a2a7-955c363af248}
0009:trace:ole:stub_manager_delete_ifstub ifstub->stubbuffer = 0xd7ff00
0009:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7075735f ip=0x7075735f tid=0009
0009:trace:seh:raise_exception info[0]=00000000
0009:trace:seh:raise_exception info[1]=7075735f
0009:trace:seh:raise_exception eax=00d7ff00 ebx=605dca7c ecx=00000000 edx=7075735f esi=7bcb81d9 edi=00000000
0009:trace:seh:raise_exception ebp=0032fa18 esp=0032f9bc cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010206
0009:trace:seh:call_vectored_handlers calling handler at 0x60a16e2a code=c0000005 flags=0
0009:trace:seh:call_vectored_handlers handler at 0x60a16e2a returned 0
0009:trace:seh:call_vectored_handlers calling handler at 0x7b8408f7 code=c0000005 flags=0
0009:trace:seh:call_vectored_handlers handler at 0x7b8408f7 returned 0
0009:trace:seh:call_vectored_handlers calling handler at 0x40f744 code=c0000005 flags=0
0009:trace:seh:call_vectored_handlers handler at 0x40f744 returned 0
0009:trace:seh:call_stack_handlers calling handler at 0x412615 code=c0000005 flags=0
--- snip ---
Culprit:
--- snip ---
if (ifstub->stubbuffer) IUnknown_Release(ifstub->stubbuffer);
--- snip ---
Disassembly with annotations:
--- snip ---
0x60525f42 stub_manager_delete_ifstub+0x106 [/opt/wine/wine-git/dlls/ole32/stubmanager.c:562] in ole32: movl 0xc(%ebp),%eax ; ifstub
0x60525f45 stub_manager_delete_ifstub+0x109 [/opt/wine/wine-git/dlls/ole32/stubmanager.c:562] in ole32: movl 0x8(%eax),%eax ; ifstub->stubbuffer
0x60525f48 stub_manager_delete_ifstub+0x10c [/opt/wine/wine-git/dlls/ole32/stubmanager.c:562] in ole32: movl 0x0(%eax),%eax ; IRpcStubBufferVtbl* lpVtbl: eax = garbage
0x60525f4a stub_manager_delete_ifstub+0x10e [/opt/wine/wine-git/dlls/ole32/stubmanager.c:562] in ole32: movl 0x8(%eax),%edx
0x60525f4d stub_manager_delete_ifstub+0x111 [/opt/wine/wine-git/dlls/ole32/stubmanager.c:562] in ole32: movl 0xc(%ebp),%eax
0x60525f50 stub_manager_delete_ifstub+0x114 [/opt/wine/wine-git/dlls/ole32/stubmanager.c:562] in ole32: movl 0x8(%eax),%eax
0x60525f53 stub_manager_delete_ifstub+0x117 [/opt/wine/wine-git/dlls/ole32/stubmanager.c:562] in ole32: movl %eax,0x0(%esp)
0x60525f56 stub_manager_delete_ifstub+0x11a [/opt/wine/wine-git/dlls/ole32/stubmanager.c:562] in ole32: call *%edx
--- snip ---
The vtable address is actually invalid at this point (not backed by committed memory/module).
By tracking all proxy stub (factory) creations one comes across this:
--- snip ---
...
0009:Call KERNEL32.LoadLibraryExW(00327f9e L"C:\windows\system32\actxprxy.dll",00000000,00000008) ret=603a1373
0009:trace:loaddll:load_builtin_dll Loaded L"C:\windows\system32\actxprxy.dll" at 0x60ba0000: builtin
0009:Call PE DLL (proc=0x60ba3824,module=0x60ba0000 L"actxprxy.dll",reason=PROCESS_ATTACH,res=(nil))
0009:Call KERNEL32.DisableThreadLibraryCalls(60ba0000) ret=60ba378f
0009:Ret KERNEL32.DisableThreadLibraryCalls() retval=00000001 ret=60ba378f
0009:Ret PE DLL (proc=0x60ba3824,module=0x60ba0000 L"actxprxy.dll",reason=PROCESS_ATTACH,res=(nil)) retval=1
0009:Ret KERNEL32.LoadLibraryExW() retval=60ba0000 ret=603a1373
0009:Call KERNEL32.GetProcAddress(60ba0000,6046cc19 "DllCanUnloadNow") ret=603a13f8
0009:Ret KERNEL32.GetProcAddress() retval=60ba281c ret=603a13f8
0009:Call KERNEL32.GetProcAddress(60ba0000,6046cc29 "DllGetClassObject") ret=603a1413
0009:Ret KERNEL32.GetProcAddress() retval=60ba2834 ret=603a1413
0009:Call KERNEL32.GetProcessHeap() ret=603a14e3
0009:Ret KERNEL32.GetProcessHeap() retval=00110000 ret=603a14e3
0009:Call ntdll.RtlAllocateHeap(00110000,00000000,0000001c) ret=603a14fb
0009:Ret ntdll.RtlAllocateHeap() retval=00d93eb8 ret=603a14fb
0009:Call KERNEL32.GetProcessHeap() ret=603a1516
0009:Ret KERNEL32.GetProcessHeap() retval=00110000 ret=603a1516
0009:Call ntdll.RtlAllocateHeap(00110000,00000000,00000042) ret=603a152a
0009:Ret ntdll.RtlAllocateHeap() retval=00d93d78 ret=603a152a
0009:trace:ole:apartment_getclassobject added new loaded dll L"C:\windows\system32\actxprxy.dll"
0009:trace:ole:apartment_getclassobject calling DllGetClassObject 0x60ba2834
0009:Call actxprxy.DllGetClassObject(0032829c,6047b9d4,003282dc) ret=603a10ad
0009:Call rpcrt4.NdrDllGetClassObject(0032829c,6047b9d4,003282dc,60ba4944,60ba3af0,60ba4954) ret=60ba3709
0009:trace:ole:NdrDllGetClassObject ({b8da6310-e19b-11d0-933c-00a0c90dcaa9}, {d5f569d0-593b-101a-b569-08002b2dbf7a}, 0x3282dc, 0x60ba4944, {b8da6310-e19b-11d0-933c-00a0c90dcaa9}, 0x60ba4954)
0009:trace:ole:CStdPSFactory_QueryInterface (0x60ba4954)->QueryInterface({d5f569d0-593b-101a-b569-08002b2dbf7a},0x3282dc)
0009:Call KERNEL32.InterlockedIncrement(60ba4958) ret=604a5e76
0009:Ret KERNEL32.InterlockedIncrement() retval=00000001 ret=604a5e76
0009:Ret rpcrt4.NdrDllGetClassObject() retval=00000000 ret=60ba3709
0009:Ret actxprxy.DllGetClassObject() retval=00000000 ret=603a10ad
...
0009:trace:ole:CStdPSFactory_CreateStub (0x60ba4954)->CreateStub({6d5140c1-7436-11ce-8034-00aa006009fa},0x8812d8,0x3282e4)
0009:trace:ole:FindProxyInfo found: ProxyInfo 0x60ba4060 Index 0
0009:trace:ole:CStdStubBuffer_Construct (0x8812d8,0x60ba40c0,0x60ba4954,0x3282e4) IServiceProvider
0009:trace:ole:CStdStubBuffer_Construct iid={6d5140c1-7436-11ce-8034-00aa006009fa}
0009:trace:ole:CStdStubBuffer_Construct vtbl=0x60ba40d0
...
0009:trace:ole:new_stub_manager Created new stub manager (oid=2) at 0xd93de8 for object with IUnknown 0x8812d8
0009:trace:ole:stub_manager_new_ifstub oid=2, stubbuffer=0xd93dc8, iptr=0x8812d8, iid={6d5140c1-7436-11ce-8034-00aa006009fa}
...
0009:trace:ole:stub_manager_new_ifstub ifstub 0xd94000 created with ipid {00000001-0009-0008-86bb-a932497ebe65}
--- snip ---
and then:
--- snip ---
0009:Call ole32.CoFreeUnusedLibraries() ret=501b8b3f
...
0009:Call KERNEL32.FreeLibrary(54cf0000) ret=50f22b97
...
0009:trace:loaddll:free_modref Unloaded module L"C:\Program Files\Microsoft Visual Studio 8\Common7\Packages\Debugger\encmgr.dll" : native
0009:Ret KERNEL32.FreeLibrary() retval=00000001 ret=50f22b97
...
0009:Call shell32.DllCanUnloadNow() ret=603a11df
0009:fixme:shell:DllCanUnloadNow stub
0009:Ret shell32.DllCanUnloadNow() retval=00000001 ret=603a11df
0009:Call actxprxy.DllCanUnloadNow() ret=603a11df
0009:Call rpcrt4.NdrDllCanUnloadNow(60ba4954) ret=60ba3733
0009:Ret rpcrt4.NdrDllCanUnloadNow() retval=00000000 ret=60ba3733
0009:Ret actxprxy.DllCanUnloadNow() retval=00000000 ret=603a11df
0009:Call KERNEL32.InterlockedDecrement(00d93eb8) ret=603a16c2
0009:Ret KERNEL32.InterlockedDecrement() retval=00000000 ret=603a16c2
0009:trace:ole:COMPOBJ_DllList_ReleaseRef freeing 0x60ba0000
0009:Call KERNEL32.FreeLibrary(60ba0000) ret=603a1768
0009:Call PE DLL (proc=0x60ba3824,module=0x60ba0000 L"actxprxy.dll",reason=PROCESS_DETACH,res=(nil))
0009:Ret PE DLL (proc=0x60ba3824,module=0x60ba0000 L"actxprxy.dll",reason=PROCESS_DETACH,res=(nil)) retval=1
0009:trace:loaddll:free_modref Unloaded module L"C:\windows\system32\actxprxy.dll" : builtin
0009:Ret KERNEL32.FreeLibrary() retval=00000001 ret=603a1768
...
--- snip ---
The proxy stub dll which provides IServiceProvider was unloaded at some point (CoFreeUnusedLibraries) - while the stub buffer iface was still in use. When the application exited, the release of proxy stub buffer iface failed because the vtable was no longer backed by a module.
By looking up default proxy stub dll reference count management one comes across the following snippet:
--- snip ---
HRESULT WINAPI NdrDllCanUnloadNow(CStdPSFactoryBuffer *pPSFactoryBuffer)
{
    return !(pPSFactoryBuffer->RefCount);
}
--- snip ---
Can you spot the error? ;-) Still perplexed that this one slipped through for such a long time ...
After fixing the bug, Visual Studio 2005 cleanly exits (already verified).
Regards
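An added example, not part of the original report and not Wine's code: DllCanUnloadNow must return S_OK (0) when the DLL may be unloaded and S_FALSE (1) while objects are still alive, so using `!(RefCount)` as the HRESULT inverts the answer and lets the host free a module whose vtables are still referenced. `struct ps_factory`, `host_unloads` and `unloaded_while_in_use` are hypothetical stand-ins that model only the reference counter and the host's decision.

```c
#include <stdio.h>

typedef long HRESULT;            /* stand-ins for the Windows definitions */
#define S_OK    ((HRESULT)0)     /* "yes, the DLL may be unloaded" */
#define S_FALSE ((HRESULT)1)     /* "no, objects are still alive" */

/* Hypothetical reduced model of CStdPSFactoryBuffer: only the counter. */
struct ps_factory { long RefCount; };

/* Logic as quoted in the report: a boolean NOT returned as an HRESULT. */
static HRESULT can_unload_reported(const struct ps_factory *f)
{
    return !(f->RefCount);       /* RefCount 1 -> 0 (S_OK), RefCount 0 -> 1 (S_FALSE) */
}

/* Return values that follow the DllCanUnloadNow contract. */
static HRESULT can_unload_contract(const struct ps_factory *f)
{
    return f->RefCount ? S_FALSE : S_OK;
}

/* A COM host frees the library only when the answer is S_OK. */
static int host_unloads(HRESULT hr) { return hr == S_OK; }

/* Returns 1 if the DLL would be freed while stubs still hold references. */
static int unloaded_while_in_use(HRESULT (*fn)(const struct ps_factory *), long refs)
{
    struct ps_factory f = { refs };
    return refs > 0 && host_unloads(fn(&f));
}

int main(void)
{
    for (long refs = 0; refs <= 2; refs++) {
        struct ps_factory f = { refs };
        printf("RefCount=%ld reported=%ld contract=%ld dangling(reported)=%d dangling(contract)=%d\n",
               refs, (long)can_unload_reported(&f), (long)can_unload_contract(&f),
               unloaded_while_in_use(can_unload_reported, refs),
               unloaded_while_in_use(can_unload_contract, refs));
    }
    return 0;
}
```

With a live reference the reported logic answers 0, which matches the `retval=00000000` followed by `FreeLibrary(60ba0000)` in the trace above.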
http://bugs.winehq.org/show_bug.cgi?id=18114
Nicholas Doyle nonesuchnick@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |nonesuchnick@gmail.com
http://bugs.winehq.org/show_bug.cgi?id=18114
Paul Vriens Paul.Vriens.Wine@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |Paul.Vriens.Wine@gmail.com

--- Comment #1 from Paul Vriens Paul.Vriens.Wine@gmail.com 2009-04-20 05:01:44 ---
Sent patch:
http://www.winehq.org/pipermail/wine-patches/2009-April/072033.html
http://bugs.winehq.org/show_bug.cgi?id=18114
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|                            |FIXED

--- Comment #2 from Anastasius Focht focht@gmx.net 2009-04-20 13:22:27 ---
Hello,
thanks, fixed by commit 90d3163aba26936d5dfa4801659e744a0134916f
Regards
http://bugs.winehq.org/show_bug.cgi?id=18114
Alexandre Julliard julliard@winehq.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #3 from Alexandre Julliard julliard@winehq.org 2009-04-24 12:23:28 ---
Closing bugs fixed in 1.1.20.
http://bugs.winehq.org/show_bug.cgi?id=18114
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |download
      Fixed by SHA1|                            |90d3163aba26936d5dfa4801659e744a0134916f
          Component|-unknown                    |rpc

--- Comment #4 from Anastasius Focht focht@gmx.net 2011-10-11 15:31:52 CDT ---
Hello,
filling/correcting fields ...
Regards
http://bugs.winehq.org/show_bug.cgi?id=18114
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           Hardware|Other                       |x86
                 OS|other                       |Linux
https://bugs.winehq.org/show_bug.cgi?id=18114
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                URL|http://download.microsoft.com/download/3/f/4/3f435aaa-49ce-44c3-a2cc-d40bca9af941/ENU/vcssetup.exe |https://web.archive.org/web/20190127082540/http://download.microsoft.com/download/A/9/1/A91D6B2B-A798-47DF-9C7E-A97854B7DD18/VC.iso