[Bug 33031] Microsoft Windows Driver Development Kit 7.1.0 (Win7 DDK/WDK) installer fails: 'eula.exe' crashes on exit (COM apartment already initialized by RichEdit)

wine-bugs at winehq.org wine-bugs at winehq.org
Fri Feb 28 17:09:09 CST 2014


https://bugs.winehq.org/show_bug.cgi?id=33031

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |focht at gmx.net
          Component|-unknown                    |richedit
            Summary|Microsoft Windows Driver    |Microsoft Windows Driver
                   |Development Kit (win7       |Development Kit 7.1.0 (Win7
                   |ddk/wdk) fails              |DDK/WDK) installer fails:
                   |                            |'eula.exe' crashes on exit
                   |                            |(COM apartment already
                   |                            |initialized by RichEdit)

--- Comment #3 from Anastasius Focht <focht at gmx.net> ---
Hello folks,

confirming.

Can be reproduced by running 'eula.exe' directly with required arguments.

The problem is not deducible from the trace log, one has to debug it.

--- snip ---
$ WINEDEBUG=+tid,+seh,+relay wine ./eula.exe  i
SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\WDK_EULA_{68656B6B-555E-5459-5E5D-6363635E5F65}
WDK F:\\license.rtf >>~/Downloads/log.txt 2>&1
...
0024:Call ole32.OleInitialize(00000000) ret=7ac22902
0024:trace:ole:OleInitialize ((nil))
0024:Call ntdll.RtlAllocateHeap(00110000,00000008,000000fc) ret=7e8debdc
0024:Ret  ntdll.RtlAllocateHeap() retval=0014c4f0 ret=7e8debdc
0024:trace:ole:CoInitializeEx ((nil), 2)
0024:trace:ole:CoInitializeEx () - Initializing the COM libraries
0024:trace:ole:RunningObjectTableImpl_Initialize  
...
0024:Call user32.CreateWindowExW(00000000,7e9bfb00 L"OleMainThreadWndClass
0x########
",00000000,00000000,00000000,00000000,00000000,00000000,fffffffd,00000000,7e8c0000,00000000)
ret=7e8e28fd 
...
0024:Call ole32.CoInitialize(00000000) ret=01002abb
0024:trace:ole:CoInitializeEx ((nil), 2)
0024:Ret  ole32.CoInitialize() retval=00000001 ret=01002abb
...
0024:Call window proc 0x5f801868
(hwnd=0x10070,msg=WM_DESTROY,wp=00000000,lp=00000000)
...
0024:trace:seh:raise_exception code=c0000005 flags=0 addr=0x100228d ip=0100228d
tid=0024
0024:trace:seh:raise_exception  info[0]=00000000
0024:trace:seh:raise_exception  info[1]=8bec55af
0024:trace:seh:raise_exception  eax=00010070 ebx=7bc3b3a9 ecx=8bec558b
edx=0033f694 esi=01001408 edi=0033f6a4
0024:trace:seh:raise_exception  ebp=0033f6a8 esp=0033f66c cs=0023 ds=002b
es=002b fs=0063 gs=006b flags=00010282
0024:trace:seh:call_stack_handlers calling handler at 0x5f890df5 code=c0000005
flags=0
0024:trace:seh:call_stack_handlers handler at 0x5f890df5 returned 1 
...
Unhandled exception: page fault on read access to 0x8bec55af in 32-bit code
(0x0100228d). 
...
Backtrace:
=>0 0x0100228d in eula (+0x228d) (0x0033f6a8)
  1 0x0100236b in eula (+0x236a) (0x0033f730)
  2 0x5f8019d1 in mfc42u (+0x19d0) (0x0033f750)
  3 0x5f80195a in mfc42u (+0x1959) (0x0033f7b0)
  4 0x5f8018e2 in mfc42u (+0x18e1) (0x0033f7cc)
  5 0x5f8018a1 in mfc42u (+0x18a0) (0x0033f7f8)
  6 0x7ecb1de6 WINPROC_wrapper+0x19() in user32 (0x0033f828)
...
  12 0x7eca3d41 WIN_SendDestroyMsg+0x7d(hwnd=0x10070)
[/home/focht/projects/wine/wine.repo/src/dlls/user32/win.c:1772] in user32
(0x0033fa38)

  13 0x7eca419e DestroyWindow+0x356(hwnd=<couldn't compute location>)
[/home/focht/projects/wine/wine.repo/src/dlls/user32/win.c:1876] in user32
(0x0033faa8)

  14 0x7bc6e39a relay_call+0x39() in ntdll (0x0033fadc)
  15 0x7ec06c5d in user32 (+0x6c5c) (0x0033fb38)
  16 0x5f804b68 in mfc42u (+0x4b67) (0x0033fb38)
  17 0x0100213d in eula (+0x213c) (0x0033fd7c)
  18 0x5f812566 in mfc42u (+0x12565) (0x0033fe20) 
...
0x0100228d: call    *0x24(%ecx)
Modules:
Module    Address            Debug info    Name (58 modules)
PE     1000000- 103f000    Export          eula
PE    5f800000-5f8f2000    Export          mfc42u
ELF    7ac00000-7ac69000    Deferred        riched20<elf>
  \-PE    7ac10000-7ac69000    \               riched20 
...
Threads:
process  tid      prio (all id:s are in hex)
...
00000023 (D) F:\eula.exe
    00000024    0 <== 
--- snip ---

The app is MFC based and creates a dialog window with embedded RichEdit
control.
Upon creation of the dialog window, the app initializes COM explicitly and
stores the COM init status internally.

Unfortunately at the time the app calls CoInitialize(NULL), the COM apartment
is already initialized hence S_FALSE is returned and stored.

The COM apartment was created earlier by Wine's RichEdit text host (WM_NCCREATE
-> ME_CreateTextHost -> ME_MakeEditor -> OleInitialize(NULL)).

This is something the app doesn't expect at this place (MFC app ->
OnDialogInit).
The app checks the internal COM init flag on exit and reaches a different code
path, causing a NULL ptr deref.

I changed RichEdit to defer COM init and it helped - the crash on exit is gone.
Native RichEdit probably doesn't do explicit COM init on WM_NCCREATE/text host
creation, hence the app call to CoInitialize(NULL) in dialog init returns S_OK.

$ wine --version
wine-1.7.13-118-g0eb6265

Regards

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.
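
A triage aid for the trace in the comment above, added here as an example and not part of the original comment or of Wine: it maps the `ret=` return addresses of ole32 init calls onto the module list to show which module initialized COM first on a thread and which caller then received S_FALSE. The function names are hypothetical, and the sample lines are abridged from the log quoted above.

```python
import re

S_FALSE = 1
INIT_APIS = "OleInitialize|CoInitializeEx|CoInitialize"
CALL_RE = re.compile(rf"^([0-9a-f]{{4}}):Call ole32\.({INIT_APIS})\(.*\) ret=([0-9a-f]+)")
RET_RE = re.compile(rf"^([0-9a-f]{{4}}):Ret\s+ole32\.({INIT_APIS})\(\) retval=([0-9a-f]+) ret=([0-9a-f]+)")
MOD_RE = re.compile(r"(PE|ELF)\s+([0-9a-f]+)-\s*([0-9a-f]+)\s+\S+\s+(\S+)")

# Sample input abridged from the relay trace and module list quoted above.
SAMPLE_TRACE = [
    "0024:Call ole32.OleInitialize(00000000) ret=7ac22902",
    "0024:Call ole32.CoInitialize(00000000) ret=01002abb",
    "0024:Ret  ole32.CoInitialize() retval=00000001 ret=01002abb",
]
SAMPLE_MODULES = [
    "PE     1000000- 103f000    Export          eula",
    "PE    5f800000-5f8f2000    Export          mfc42u",
    "ELF    7ac00000-7ac69000    Deferred        riched20<elf>",
    r"  \-PE    7ac10000-7ac69000    \               riched20",
]

def parse_modules(lines):
    """Return (start, end, name) tuples from a winedbg 'Modules:' listing."""
    hits = (MOD_RE.search(line) for line in lines)
    return [(int(m[2], 16), int(m[3], 16), m[4]) for m in hits if m]

def module_for(addr, modules):
    """Name of the innermost module containing addr (PE nested in ELF wins)."""
    inside = [(end - start, name) for start, end, name in modules if start <= addr < end]
    return min(inside)[1] if inside else "?"

def find_s_false(trace, modules):
    """Report init calls that returned S_FALSE and who initialized COM first."""
    first_init, findings = {}, []
    for line in trace:
        if m := CALL_RE.match(line):
            tid, api, ret = m.groups()
            # Remember only the first COM init call seen on each thread.
            first_init.setdefault(tid, (api, module_for(int(ret, 16), modules)))
        elif m := RET_RE.match(line):
            tid, api, retval, ret = m.groups()
            if int(retval, 16) == S_FALSE:
                findings.append({"tid": tid, "api": api,
                                 "caller": module_for(int(ret, 16), modules),
                                 "first_init": first_init.get(tid)})
    return findings

if __name__ == "__main__":
    for f in find_s_false(SAMPLE_TRACE, parse_modules(SAMPLE_MODULES)):
        print(f)
```
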


