http://bugs.winehq.org/show_bug.cgi?id=7369

Anastasius Focht focht@gmx.net changed:

What |Removed |Added ---------------------------------------------------------------------------- CC| |focht@gmx.net

--- Comment #9 from Anastasius Focht focht@gmx.net 2009-06-27 16:26:24 --- Hello,

--- quote --- Confirming. This works fine using only native ole32.dll. Just before trouble starts there's a call to ole32.CreateDataCache. Guess something goes wrong there. I'll attach a log --- quote ---

Yes, its most likely ole32 CreateDataCache() that does something wrong.

--- snip --- ... 0009:Call KERNEL32.LoadLibraryW(0032b880 L"C:\windows\system32\tx14_doc.dll") ret=03043784 0009:trace:loaddll:load_native_dll Loaded L"C:\windows\system32\tx14_doc.dll" at 0x36d0000: native 0009:Call PE DLL (proc=0x3747a83,module=0x36d0000 L"tx14_doc.dll",reason=PROCESS_ATTACH,res=(nil)) ... 0009:Ret PE DLL (proc=0x3747a83,module=0x36d0000 L"tx14_doc.dll",reason=PROCESS_ATTACH,res=(nil)) retval=1 ... 0009:Call ole32.CreateDataCache(00000000,0375a6b0,0375a6c0,0032b1ec) ret=0370c19f 0009:trace:ole:CreateDataCache ({00000000-0000-0000-0000-000000000000}, (nil), {00000000-0000-0000-c000-000000000046}, 0x32b1ec) ... 0009:Ret ole32.CreateDataCache() retval=00000000 ret=0370c19f 0009:trace:seh:raise_exception code=c0000005 flags=0 addr=(nil) ip=00000000 tid=0009 0009:trace:seh:raise_exception info[0]=00000000 0009:trace:seh:raise_exception info[1]=00000000 0009:trace:seh:raise_exception eax=00000000 ebx=03890168 ecx=75096484 edx=0032b1b0 esi=00000020 edi=00000000 0009:trace:seh:raise_exception ebp=0032b1ac esp=0032b0d4 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010246 0009:trace:seh:call_vectored_handlers calling handler at 0x706fab65 code=c0000005 flags=0 0009:trace:seh:call_vectored_handlers handler at 0x706fab65 returned 0 0009:trace:seh:call_vectored_handlers calling handler at 0x7b83ffd9 code=c0000005 flags=0 0009:trace:seh:call_vectored_handlers handler at 0x7b83ffd9 returned 0 0009:trace:seh:call_stack_handlers calling handler at 0x3754568 code=c0000005 flags=0 ... 0009:trace:msgbox:MSGBOX_OnInit L"20058 : Unexpected Text Control error.\n(1-1d09)\r\n-2146808230\r\ntx4ole14" ... --- snip ---

-> CreateDataCache(NULL, &CLSID_NULL, &IID_IUnknown, (LPVOID *)&pUnknown);

The app crashes while trying to call vtable member on returned interface.

Reference: http://msdn.microsoft.com/en-us/library/ms688476.aspx

Relevant Wine code:

--- snip dlls/ole32/datacache.c ---

static HRESULT WINAPI DataCache_NDIUnknown_QueryInterface( IUnknown* iface, REFIID riid, void** ppvObject) { DataCache *this = impl_from_NDIUnknown(iface); ... /* * Compare the riid with the interface IDs implemented by this object. */ if (memcmp(&IID_IUnknown, riid, sizeof(IID_IUnknown)) == 0) { *ppvObject = iface; } ... }

...

HRESULT WINAPI CreateDataCache( LPUNKNOWN pUnkOuter, REFCLSID rclsid, REFIID riid, LPVOID* ppvObj) { ... /* * Make sure it supports the interface required by the caller. */ hr = IUnknown_QueryInterface((IUnknown*)&(newCache->lpvtblNDIUnknown), riid, ppvObj);

/* * Release the reference obtained in the constructor. If * the QueryInterface was unsuccessful, it will free the class. */ IUnknown_Release((IUnknown*)&(newCache->lpvtblNDIUnknown));

return hr; } ... static const IUnknownVtbl DataCache_NDIUnknown_VTable = { DataCache_NDIUnknown_QueryInterface, DataCache_NDIUnknown_AddRef, DataCache_NDIUnknown_Release }; --- snip dlls/ole32/datacache.c ---

The app code after call to ole32.CreateDataCache() gives some hints (annotated):

--- snip tx14_doc.dll --- PE 3460000- 3504000 Export tx14_doc

-> call to ole32.CreateDataCache()

0x0349c19f: cmpl %edi,%eax 0x0349c1a1: jnl 0x0349c1b5 ; S_OK 0x0349c1a3: xorl %ecx,%ecx 0x0349c1a5: cmpl $-2147024882,%eax 0x0349c1aa: setnz %cl 0x0349c1ad: addl $3,%ecx 0x0349c1b0: call 0x034b8f10 0x0349c1b5: movl 0x40(%ebp),%eax ; ppvObj 0x0349c1b8: movl 0x0(%eax),%ecx ; ole32.DataCache_NDIUnknown_VTable 0x0349c1ba: leal 0x0(%ebp),%edx 0x0349c1bd: pushl %edx 0x0349c1be: pushl $0x10 0x0349c1c0: leal 0x4(%ebp),%edx 0x0349c1c3: pushl %edx 0x0349c1c4: pushl %eax 0x0349c1c5: movl 0xc(%ecx),%eax ; DataCache_NDIUnknown_VTable->fn4 0x0349c1c8: call *%eax ; *boom* 0x0349c1ca: cmpl %edi,%eax --- snip tx14_doc.dll ---

The first hint is the call of the interface member function. Vtable offset 0xC basically means the interface must contain at least four member functions hence this can't be plain IUnknown (DataCache_NDIUnknown).

The next hint are the parameters. Four parameters get pushed before the iface member call. The last one pushed is actually the implicit iface pThis, so the interface function takes 3 parameters. The second parameter can't obviously be a pointer one (0x10).

Looking through interfaces to match the constraints it seems IOleCache/IOleCache2 is the best bet (IOleCache::Cache Method). See: http://msdn.microsoft.com/en-us/library/ms680087.aspx

I tried to return IOleCache2 interface but it didn't work out in the end, it conflicted with dlls/ole32/defaulthandler.c:DefaultHandler_Construct() which also passes IID_IUnknown to CreateDataCache() and seems to expect this DataCache_NDIUnknown (where does this come from, there doesn't seem to be any documentation on it?).

Regards