[Bug 18114] New: rpcrt4.NdrDllCanUnloadNow: COM proxy/stub factory reference count eval incorrect (crashes Visual Studio 2005 on exit)

wine-bugs at winehq.org wine-bugs at winehq.org
Sun Apr 19 11:55:26 CDT 2009


http://bugs.winehq.org/show_bug.cgi?id=18114

           Summary: rpcrt4.NdrDllCanUnloadNow: COM proxy/stub factory
                    reference count eval incorrect (crashes Visual Studio
                    2005 on exit)
           Product: Wine
           Version: 1.1.19
          Platform: Other
               URL: http://download.microsoft.com/download/3/f/4/3f435aaa-49ce-44c3-a2cc-d40bca9af941/ENU/vcssetup.exe
        OS/Version: other
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: -unknown
        AssignedTo: wine-bugs at winehq.org
        ReportedBy: focht at gmx.net


Hello,

a user reported multiple issues in bug 18106.
I picked out the interesting one because it's actually a long-timer - present
since the component exists - 2002 ;-)

--- quote ---
When exiting Visual C#, after the UI is
closed, an error dialog pops up telling me "Microsoft Visual C# has encountered
a problem and needs to close." I uncheck restart and click Don't Send. I've
also attached a screenshot.
--- quote ---

WINEDEBUG=+tid,+seh,+ole trace gives:

--- snip ---
0009:fixme:shell:DllCanUnloadNow stub
0009:trace:ole:COMPOBJ_DllList_ReleaseRef freeing 0x51bc0000
0009:trace:ole:OleUninitialize ()
0009:trace:ole:CoUninitialize ()
0009:trace:ole:OleUninitialize ()
0009:trace:ole:OleUninitialize () - Freeing the last reference count
0009:trace:ole:OLEClipbrd_UnInitialize ()
0009:trace:ole:CoUninitialize ()
0009:trace:ole:apartment_release 800000009: after = 0
0009:trace:ole:apartment_release destroying apartment 0x134d38, oxid 800000009
0009:trace:ole:stub_manager_int_release after 0
0009:trace:ole:stub_manager_delete destroying 0xd7ff20 (oid=2)
0009:trace:ole:stub_manager_delete_ifstub m=0xd7ff20, m->oid=2,
ipid={00000003-0009-0008-aca8-b13a1ed334ff}
0009:trace:ole:stub_manager_delete_ifstub  ifstub->stubbuffer = 0xf7f7e8
0009:trace:ole:NdrCStdStubBuffer_Release (0xf7f7e8)->Release()
0009:trace:ole:CStdStubBuffer_Disconnect (0xf7f7e8)->Disconnect()
0009:trace:ole:CStdPSFactory_Release (0x62510954)->Release()
0009:trace:ole:stub_manager_delete_ifstub  ifstub->iface = 0x8812d8
0009:trace:ole:stub_manager_delete_ifstub  ifstub->chan = 0xf7f848
0009:trace:ole:stub_manager_delete_ifstub  ifstub = 0xf7f808
0009:trace:ole:stub_manager_delete_ifstub m=0xd7ff20, m->oid=2,
ipid={00000001-0009-0008-a2a7-955c363af248}
0009:trace:ole:stub_manager_delete_ifstub  ifstub->stubbuffer = 0xd7ff00
0009:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7075735f
ip=0x7075735f tid=0009
0009:trace:seh:raise_exception  info[0]=00000000
0009:trace:seh:raise_exception  info[1]=7075735f
0009:trace:seh:raise_exception  eax=00d7ff00 ebx=605dca7c ecx=00000000
edx=7075735f esi=7bcb81d9 edi=00000000
0009:trace:seh:raise_exception  ebp=0032fa18 esp=0032f9bc cs=0023 ds=002b
es=002b fs=0063 gs=006b flags=00010206
0009:trace:seh:call_vectored_handlers calling handler at 0x60a16e2a
code=c0000005 flags=0
0009:trace:seh:call_vectored_handlers handler at 0x60a16e2a returned 0
0009:trace:seh:call_vectored_handlers calling handler at 0x7b8408f7
code=c0000005 flags=0
0009:trace:seh:call_vectored_handlers handler at 0x7b8408f7 returned 0
0009:trace:seh:call_vectored_handlers calling handler at 0x40f744 code=c0000005
flags=0
0009:trace:seh:call_vectored_handlers handler at 0x40f744 returned 0
0009:trace:seh:call_stack_handlers calling handler at 0x412615 code=c0000005
flags=0
--- snip ---

Culprit:

--- snip ---
if (ifstub->stubbuffer) IUnknown_Release(ifstub->stubbuffer);
--- snip ---

Disassembly with annotations:

--- snip ---

0x60525f42 stub_manager_delete_ifstub+0x106 [/opt/wine/wine-git/dlls/ole32/stubmanager.c:562] in ole32: movl    0xc(%ebp),%eax ; ifstub
0x60525f45 stub_manager_delete_ifstub+0x109 [/opt/wine/wine-git/dlls/ole32/stubmanager.c:562] in ole32: movl    0x8(%eax),%eax ; ifstub->stubbuffer
0x60525f48 stub_manager_delete_ifstub+0x10c [/opt/wine/wine-git/dlls/ole32/stubmanager.c:562] in ole32: movl    0x0(%eax),%eax ; IRpcStubBufferVtbl* lpVtbl: eax = garbage
0x60525f4a stub_manager_delete_ifstub+0x10e [/opt/wine/wine-git/dlls/ole32/stubmanager.c:562] in ole32: movl    0x8(%eax),%edx
0x60525f4d stub_manager_delete_ifstub+0x111 [/opt/wine/wine-git/dlls/ole32/stubmanager.c:562] in ole32: movl    0xc(%ebp),%eax
0x60525f50 stub_manager_delete_ifstub+0x114 [/opt/wine/wine-git/dlls/ole32/stubmanager.c:562] in ole32: movl    0x8(%eax),%eax
0x60525f53 stub_manager_delete_ifstub+0x117 [/opt/wine/wine-git/dlls/ole32/stubmanager.c:562] in ole32: movl    %eax,0x0(%esp)
0x60525f56 stub_manager_delete_ifstub+0x11a [/opt/wine/wine-git/dlls/ole32/stubmanager.c:562] in ole32: call    *%edx
--- snip ---

The vtable address is actually invalid at this point (not backed by committed
memory/module).

By tracking all proxy stub (factory) creations one comes across this:

--- snip ---
...
0009:Call KERNEL32.LoadLibraryExW(00327f9e
L"C:\\windows\\system32\\actxprxy.dll",00000000,00000008) ret=603a1373
0009:trace:loaddll:load_builtin_dll Loaded
L"C:\\windows\\system32\\actxprxy.dll" at 0x60ba0000: builtin
0009:Call PE DLL (proc=0x60ba3824,module=0x60ba0000
L"actxprxy.dll",reason=PROCESS_ATTACH,res=(nil))
0009:Call KERNEL32.DisableThreadLibraryCalls(60ba0000) ret=60ba378f
0009:Ret  KERNEL32.DisableThreadLibraryCalls() retval=00000001 ret=60ba378f
0009:Ret  PE DLL (proc=0x60ba3824,module=0x60ba0000
L"actxprxy.dll",reason=PROCESS_ATTACH,res=(nil)) retval=1
0009:Ret  KERNEL32.LoadLibraryExW() retval=60ba0000 ret=603a1373
0009:Call KERNEL32.GetProcAddress(60ba0000,6046cc19 "DllCanUnloadNow")
ret=603a13f8
0009:Ret  KERNEL32.GetProcAddress() retval=60ba281c ret=603a13f8
0009:Call KERNEL32.GetProcAddress(60ba0000,6046cc29 "DllGetClassObject")
ret=603a1413
0009:Ret  KERNEL32.GetProcAddress() retval=60ba2834 ret=603a1413
0009:Call KERNEL32.GetProcessHeap() ret=603a14e3
0009:Ret  KERNEL32.GetProcessHeap() retval=00110000 ret=603a14e3
0009:Call ntdll.RtlAllocateHeap(00110000,00000000,0000001c) ret=603a14fb
0009:Ret  ntdll.RtlAllocateHeap() retval=00d93eb8 ret=603a14fb
0009:Call KERNEL32.GetProcessHeap() ret=603a1516
0009:Ret  KERNEL32.GetProcessHeap() retval=00110000 ret=603a1516
0009:Call ntdll.RtlAllocateHeap(00110000,00000000,00000042) ret=603a152a
0009:Ret  ntdll.RtlAllocateHeap() retval=00d93d78 ret=603a152a
0009:trace:ole:apartment_getclassobject added new loaded dll
L"C:\\windows\\system32\\actxprxy.dll"
0009:trace:ole:apartment_getclassobject calling DllGetClassObject 0x60ba2834
0009:Call actxprxy.DllGetClassObject(0032829c,6047b9d4,003282dc) ret=603a10ad
0009:Call
rpcrt4.NdrDllGetClassObject(0032829c,6047b9d4,003282dc,60ba4944,60ba3af0,60ba4954)
ret=60ba3709
0009:trace:ole:NdrDllGetClassObject ({b8da6310-e19b-11d0-933c-00a0c90dcaa9},
{d5f569d0-593b-101a-b569-08002b2dbf7a}, 0x3282dc, 0x60ba4944,
{b8da6310-e19b-11d0-933c-00a0c90dcaa9}, 0x60ba4954)
0009:trace:ole:CStdPSFactory_QueryInterface
(0x60ba4954)->QueryInterface({d5f569d0-593b-101a-b569-08002b2dbf7a},0x3282dc)
0009:Call KERNEL32.InterlockedIncrement(60ba4958) ret=604a5e76
0009:Ret  KERNEL32.InterlockedIncrement() retval=00000001 ret=604a5e76
0009:Ret  rpcrt4.NdrDllGetClassObject() retval=00000000 ret=60ba3709
0009:Ret  actxprxy.DllGetClassObject() retval=00000000 ret=603a10ad 
...
0009:trace:ole:CStdPSFactory_CreateStub
(0x60ba4954)->CreateStub({6d5140c1-7436-11ce-8034-00aa006009fa},0x8812d8,0x3282e4)
0009:trace:ole:FindProxyInfo found: ProxyInfo 0x60ba4060 Index 0
0009:trace:ole:CStdStubBuffer_Construct
(0x8812d8,0x60ba40c0,0x60ba4954,0x3282e4) IServiceProvider
0009:trace:ole:CStdStubBuffer_Construct
iid={6d5140c1-7436-11ce-8034-00aa006009fa}
0009:trace:ole:CStdStubBuffer_Construct vtbl=0x60ba40d0 
...
0009:trace:ole:new_stub_manager Created new stub manager (oid=2) at 0xd93de8
for object with IUnknown 0x8812d8
0009:trace:ole:stub_manager_new_ifstub oid=2, stubbuffer=0xd93dc8,
iptr=0x8812d8, iid={6d5140c1-7436-11ce-8034-00aa006009fa} 
...
0009:trace:ole:stub_manager_new_ifstub ifstub 0xd94000 created with ipid
{00000001-0009-0008-86bb-a932497ebe65} 
--- snip ---

and then:

--- snip ---
0009:Call ole32.CoFreeUnusedLibraries() ret=501b8b3f 
...
0009:Call KERNEL32.FreeLibrary(54cf0000) ret=50f22b97
...
0009:trace:loaddll:free_modref Unloaded module L"C:\\Program Files\\Microsoft
Visual Studio 8\\Common7\\Packages\\Debugger\\encmgr.dll" : native
0009:Ret  KERNEL32.FreeLibrary() retval=00000001 ret=50f22b97 
...
0009:Call shell32.DllCanUnloadNow() ret=603a11df
0009:fixme:shell:DllCanUnloadNow stub
0009:Ret  shell32.DllCanUnloadNow() retval=00000001 ret=603a11df
0009:Call actxprxy.DllCanUnloadNow() ret=603a11df
0009:Call rpcrt4.NdrDllCanUnloadNow(60ba4954) ret=60ba3733
0009:Ret  rpcrt4.NdrDllCanUnloadNow() retval=00000000 ret=60ba3733
0009:Ret  actxprxy.DllCanUnloadNow() retval=00000000 ret=603a11df
0009:Call KERNEL32.InterlockedDecrement(00d93eb8) ret=603a16c2
0009:Ret  KERNEL32.InterlockedDecrement() retval=00000000 ret=603a16c2
0009:trace:ole:COMPOBJ_DllList_ReleaseRef freeing 0x60ba0000
0009:Call KERNEL32.FreeLibrary(60ba0000) ret=603a1768
0009:Call PE DLL (proc=0x60ba3824,module=0x60ba0000
L"actxprxy.dll",reason=PROCESS_DETACH,res=(nil))
0009:Ret  PE DLL (proc=0x60ba3824,module=0x60ba0000
L"actxprxy.dll",reason=PROCESS_DETACH,res=(nil)) retval=1
0009:trace:loaddll:free_modref Unloaded module
L"C:\\windows\\system32\\actxprxy.dll" : builtin
0009:Ret  KERNEL32.FreeLibrary() retval=00000001 ret=603a1768
...
--- snip ---

The proxy stub dll which provides IServiceProvider was unloaded at some point
(CoFreeUnusedLibraries) - while the stub buffer iface was still in use.
When the application exited, the release of proxy stub buffer iface failed
because the vtable was no longer backed by a module.

By looking up default proxy stub dll reference count management one comes
across the following snippet:

--- snip ---
HRESULT WINAPI NdrDllCanUnloadNow(CStdPSFactoryBuffer *pPSFactoryBuffer)
{
  return !(pPSFactoryBuffer->RefCount);
}
--- snip ---

Can you spot the error? ;-)
Still perplexed that this one slipped through for such a long time ...

After fixing the bug, Visual Studio 2005 cleanly exits (already verified).

Regards


-- 
Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email
Do not reply to this email, post in Bugzilla using the
above URL to reply.
------- You are receiving this mail because: -------
You are watching all bug changes.
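
The check quoted in the report returns a C boolean where an HRESULT is expected, which inverts the answer: the trace shows NdrDllCanUnloadNow returning 00000000 (S_OK) and FreeLibrary following while a stub buffer was still alive. The sketch below is an example added here, not code from the report or from Wine; the one-field struct, the function names and the host model are assumptions made for illustration.

```c
#include <stdio.h>

/* Stand-ins for the Windows definitions so this builds without windows.h. */
typedef long HRESULT;
#define S_OK    ((HRESULT)0L)   /* DllCanUnloadNow: "yes, unload me" */
#define S_FALSE ((HRESULT)1L)   /* DllCanUnloadNow: "no, still in use" */

/* Reduced to the one field the check reads; not the real rpcproxy.h layout. */
typedef struct { long RefCount; } CStdPSFactoryBuffer;

/* Logic as quoted in the report: !RefCount yields 1 (S_FALSE) when the
 * count is zero and 0 (S_OK) when references are outstanding. */
static HRESULT can_unload_buggy(const CStdPSFactoryBuffer *f)
{
    return !(f->RefCount);
}

/* Corrected mapping from reference count to HRESULT (illustrative). */
static HRESULT can_unload_fixed(const CStdPSFactoryBuffer *f)
{
    return f->RefCount ? S_FALSE : S_OK;
}

/* Hypothetical model of the host side: the DLL is freed only when
 * DllCanUnloadNow answers S_OK. Returns 1 if the DLL would be freed. */
static int host_frees_dll(HRESULT (*can_unload)(const CStdPSFactoryBuffer *),
                          long refcount)
{
    CStdPSFactoryBuffer factory = { refcount };  /* constructed state */
    return can_unload(&factory) == S_OK;
}

int main(void)
{
    /* refcount 1: a stub buffer still holds the factory; 0: nothing does. */
    printf("refs=1 buggy frees=%d fixed frees=%d\n",
           host_frees_dll(can_unload_buggy, 1),
           host_frees_dll(can_unload_fixed, 1));
    printf("refs=0 buggy frees=%d fixed frees=%d\n",
           host_frees_dll(can_unload_buggy, 0),
           host_frees_dll(can_unload_fixed, 0));
    return 0;
}
```

With the buggy mapping the host frees the DLL exactly when it is still referenced, which leaves the stub buffer's vtable pointing into unmapped memory, and never frees it once it is idle.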


