[Bug 21579] Multiple applications crash with builtin RichEdit (text host window/gui control methods must not be called during CreateTextServices)(Yahoo Messenger 10, BSSB-Win, ICQ 6,7,8)

wine-bugs at winehq.org
Sun Feb 8 04:52:42 CST 2015


https://bugs.winehq.org/show_bug.cgi?id=21579

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |focht at gmx.net
            Summary|Yahoo Messenger 10 crash    |Multiple applications crash
                   |when opening IM window with |with builtin RichEdit (text
                   |a contact                   |host window/gui control
                   |                            |methods must not be called
                   |                            |during
                   |                            |CreateTextServices)(Yahoo
                   |                            |Messenger 10, BSSB-Win, ICQ
                   |                            |6,7,8)

--- Comment #22 from Anastasius Focht <focht at gmx.net> ---
Hello folks,

refining summary and copying my analysis from bug 35416 here.

--- snip ---
$ LC_ALL=de_DE WINEDEBUG=+tid,+seh,+relay,+ole,+variant,+snoop wine ./BSSB_Win.exe >>log.txt 2>&1
...
0024:Ret  PE DLL (proc=0x7ac4b570,module=0x7ac10000 L"riched20.dll",reason=PROCESS_ATTACH,res=(nil)) retval=1
0024:Ret  KERNEL32.LoadLibraryA() retval=7ac10000 ret=60003485
0024:Call KERNEL32.GetLastError() ret=6000348d
0024:Ret  KERNEL32.GetLastError() retval=00000000 ret=6000348d
0024:Call KERNEL32.GetProcAddress(7ac10000,600b3978 "CreateTextServices") ret=6000353f
0024:Ret  KERNEL32.GetProcAddress() retval=7ac15644 ret=6000353f
...
0024:Call riched20.CreateTextServices(0014ed78,0014edd4,0014eddc) ret=600200a1 
...
0024:trace:seh:raise_exception code=c0000005 flags=0 addr=0x6001ac4e ip=6001ac4e tid=0024
0024:trace:seh:raise_exception  info[0]=00000000
0024:trace:seh:raise_exception  info[1]=00000044
0024:trace:seh:raise_exception  eax=00000000 ebx=0033f0c4 ecx=0014edd4 edx=7ac42464 esi=00000044 edi=0033f0c4
0024:trace:seh:raise_exception  ebp=0014edd4 esp=0033f034 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00210206
0024:trace:seh:call_stack_handlers calling handler at 0x660291be code=c0000005 flags=0
0024:trace:seh:call_stack_handlers handler at 0x660291be returned 1
0024:trace:seh:call_stack_handlers calling handler at 0x6602e521 code=c0000005 flags=0
0024:trace:seh:call_stack_handlers handler at 0x6602e521 returned 1
0024:trace:seh:call_stack_handlers calling handler at 0x660eeead code=c0000005 flags=0
...
Backtrace:
=>0 0x6001ac4e in fm20 (+0x1ac4e) (0x0014edd4)
  1 0x00000000 (0x600b2598)
  2 0x6001afab in fm20 (+0x1afaa) (0x6001afa1)
  3 0xf123e94c (0x04246c83)
0x6001ac4e: movsl    (%esi),%es:(%edi)
Modules:
Module    Address            Debug info    Name (88 modules)
PE      400000-  a50000    Deferred        bssb_win 
...
Threads:
process  tid      prio (all id:s are in hex) 
...
00000023 (D) C:\Program Files\BSSB_Win\BSSB_Win.exe
    00000024    0 <== 
--- snip ---

Debugger session:

--- snip ---
Wine-dbg>bt
Backtrace:
=>0 0x7ac22194 ME_SetDefaultFormatRect+0x12(editor=0x14a28e8) [/home/focht/projects/wine/wine-git/dlls/riched20/editor.c:2708] in riched20 (0x0033f138)
  1 0x7ac277ad ME_HandleMessage+0x49b5(editor=0x14a28e8, msg=0x1, wParam=0, lParam=0, unicode=0x1, phresult=0x33f6b0) [/home/focht/projects/wine/wine-git/dlls/riched20/editor.c:4006] in riched20 (0x0033f688)
  2 0x7ac436cb CreateTextServices+0x1a6(pUnkOuter=<couldn't compute location>, pITextHost=<couldn't compute location>, ppUnk=<couldn't compute location>) [/home/focht/projects/wine/wine-git/dlls/riched20/txtsrv.c:417] in riched20 (0x0033f6d8)
  3 0x600200a1 in fm20 (+0x200a0) (0x0033f70c)
  4 0x600a64e2 in fm20 (+0xa64e1) (0x0013e184)
  5 0x00000000 (0x600b2598)
  6 0x6001afab in fm20 (+0x1afaa) (0x6001afa1)
  7 0xf123e94c (0x04246c83)

Wine-dbg>l
2708      ITextHost_TxGetClientRect(editor->texthost, &editor->rcFormat);
2709      editor->rcFormat.top += editor->exStyleFlags & WS_EX_CLIENTEDGE ? 1 : 0;
2710      editor->rcFormat.left += 1 + editor->selofs;
2711      editor->rcFormat.right -= 1;
2712    }

p *editor->texthost
{lpVtbl=0x600b2598}
--- snip ---

The problem is the app (text host) doesn't expect window/ui control methods
being called in CreateTextServices().

Source:
http://source.winehq.org/git/wine.git/blob/6c1b292f0b781c08041867f2508df5df164f61c6:/dlls/riched20/txtsrv.c#l392

--- snip ---
392 HRESULT WINAPI CreateTextServices(IUnknown *pUnkOuter, ITextHost *pITextHost, IUnknown **ppUnk)
393 {
...
416
417     ME_HandleMessage(ITextImpl->editor, WM_CREATE, 0, 0, TRUE, &hres);
418
...
--- snip ---

Austin's workaround:
https://bugs.winehq.org/attachment.cgi?id=50272&action=diff

Also tested with ICQ 8.x: http://exe.icq.com/icq.exe

$ sha1sum icq_rfrset.exe 
f34b5b0584b329006b16fb2411c84c5d9e3dc73e  icq_rfrset.exe

$ du -sh icq_rfrset.exe 
37M    icq_rfrset.exe

$ wine --version
wine-1.7.36

Regards
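
Added illustration, not part of the original comment and not Wine's code or the linked workaround: a simplified model of the ordering hazard in the analysis above, where creation-time setup calls back into a host that has not finished its own initialisation. All types and names here (host_t, services_t, create_eager, create_deferred, run_scenario) are hypothetical stand-ins for the ITextHost/CreateTextServices relationship, and the host counts the early callback instead of faulting.

```c
#include <stdio.h>
/* Hypothetical, simplified host/services model (not the real ITextHost API). */
typedef struct { int left, top, right, bottom; } rect_t;
typedef struct host host_t;
struct host {
    int (*get_client_rect)(host_t *self, rect_t *out);
    const rect_t *window;  /* host UI state, NULL until the host finishes setup */
    int early_calls;       /* callbacks received before the host was ready */
};
typedef struct { host_t *host; rect_t fmt; int fmt_valid; } services_t;

/* A real host may dereference unset state here; the model counts it instead. */
static int host_get_client_rect(host_t *self, rect_t *out) {
    if (!self->window) { self->early_calls++; return -1; }
    *out = *self->window;
    return 0;
}

/* Pattern in the trace: creation-time setup queries the host immediately. */
static void create_eager(services_t *ts, host_t *host) {
    ts->host = host;
    ts->fmt_valid = (host->get_client_rect(host, &ts->fmt) == 0);
}

/* Deferred variant (an assumption of this example): creation only stores the host. */
static void create_deferred(services_t *ts, host_t *host) {
    ts->host = host; ts->fmt_valid = 0;
}

/* First use fetches the rect lazily, once the host can answer. */
static int format_rect(services_t *ts, rect_t *out) {
    if (!ts->fmt_valid)
        ts->fmt_valid = (ts->host->get_client_rect(ts->host, &ts->fmt) == 0);
    if (ts->fmt_valid) *out = ts->fmt;
    return ts->fmt_valid;
}

/* Returns how many host callbacks arrived before the host was ready (-1 on failure). */
int run_scenario(int deferred, rect_t *seen) {
    static const rect_t client = { 0, 0, 640, 480 };  /* constructed sample */
    host_t host = { host_get_client_rect, NULL, 0 };
    services_t ts;
    if (deferred) create_deferred(&ts, &host); else create_eager(&ts, &host);
    host.window = &client;  /* host completes its own init after creation returns */
    return format_rect(&ts, seen) ? host.early_calls : -1;
}

int main(void) {
    rect_t r;
    int eager = run_scenario(0, &r), deferred = run_scenario(1, &r);
    printf("early host calls: eager=%d deferred=%d\n", eager, deferred);
    return 0;
}
```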
