[Bug 43930] iCopy 1.6.x (.NET 2.0 app) crashes on startup (IWiaDevMgr:: SelectDeviceDlg DeviceID pointer parameter can be NULL, needs be declared 'unique' for RPC marshalling)

wine-bugs at winehq.org wine-bugs at winehq.org
Sun Oct 29 08:45:25 CDT 2017


https://bugs.winehq.org/show_bug.cgi?id=43930

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|-unknown                    |wia
                 CC|                            |focht at gmx.net
            Summary|iCopy will not load         |iCopy 1.6.x (.NET 2.0 app)
                   |                            |crashes on startup
                   |                            |(IWiaDevMgr::SelectDeviceDl
                   |                            |g DeviceID pointer
                   |                            |parameter can be NULL,
                   |                            |needs be declared 'unique'
                   |                            |for RPC marshalling)

--- Comment #3 from Anastasius Focht <focht at gmx.net> ---
Hello folks,

confirming.

The initial report is Wine-Mono specific.
This comment targets the more interesting bug seen with the native MS .NET Framework instead.

The app makes use of the WIA service (an out-of-process COM server), so its IWiaDevMgr calls go through an RPC proxy.

--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files/iCopy

$ WINEDEBUG=+tid,+seh,+relay,+wia,+sti,+ole,+variant,+rpc wine ./iCopy.exe
>>log.txt 2>&1
...
002d:Call
rpcrt4.NdrProxyInitialize(0018e18c,0033ee08,0033eee8,7d4dade0,00000005)
ret=7d4d3184
002d:trace:ole:NdrProxyInitialize (0x18e18c,0x33ee08,0x33eee8,0x7d4dade0,5)
002d:trace:rpc:NdrClientInitializeNew (pRpcMessage == ^0x33ee08, pStubMsg ==
^0x33eee8, pStubDesc == ^0x7d4dade0, ProcNum == 5)
002d:trace:ole:StdProxy_GetChannel (0x18e188)->GetChannel(0x33ef6c) IWiaDevMgr
002d:trace:ole:ClientRpcChannelBuffer_GetDestCtx (0x33ef5c,0x33ef60)
002d:trace:ole:NdrProxyInitialize channel=0x18ec90
002d:Ret  rpcrt4.NdrProxyInitialize() retval=00000033 ret=7d4d3184
002d:Call rpcrt4.RpcRaiseException(000006f4) ret=7d4d319d
002d:Call KERNEL32.RaiseException(000006f4,00000000,00000000,00000000)
ret=7e64d04f
002d:trace:seh:raise_exception code=6f4 flags=0 addr=0x7b44647b ip=7b44647b
tid=002d
002d:trace:seh:raise_exception  eax=7b434c05 ebx=0033efe4 ecx=0033ed30
edx=00000000 esi=0033ed80 edi=0033ed40
002d:trace:seh:raise_exception  ebp=0033ed18 esp=0033ecb4 cs=330023 ds=002b
es=7bd0002b fs=0063 gs=33006b flags=00200216
002d:trace:seh:call_stack_handlers calling handler at 0x7d4d2238 code=6f4
flags=0
002d:trace:seh:__regs_RtlUnwind code=6f4 flags=2
002d:trace:seh:__regs_RtlUnwind eax=00000000 ebx=7d4d21cd ecx=0033ecc0
edx=0033ecc0 esi=0033ee34 edi=7d4d21cd
002d:trace:seh:__regs_RtlUnwind ebp=0033e818 esp=0033e7e8 eip=7d4d9bed cs=0023
ds=002b fs=0063 gs=006b flags=00200206
002d:trace:seh:__regs_RtlUnwind calling handler at 0x7bc8e5be code=6f4 flags=2
002d:trace:seh:__regs_RtlUnwind handler at 0x7bc8e5be returned 1
...
002d:warn:ole:NdrProxyErrorHandler (0x000006f4): a proxy call failed
002d:Ret  rpcrt4.NdrProxyErrorHandler() retval=800706f4 ret=7d4d3521
002d:Call
KERNEL32.FormatMessageW(00001300,00000000,800706f4,00000400,0033baa8,00000000,00000000)
ret=0384e197
002d:Ret  KERNEL32.FormatMessageW() retval=00000019 ret=0384e197 
...
002d:trace:ole:ICreateErrorInfoImpl_SetSource (0x18d8e0): L"WIA.CommonDialog.1"
...
002d:trace:ole:ICreateErrorInfoImpl_SetDescription (0x18d8e0): L"Null reference
pointer.\r\n"
...
002d:Call msvcr80._CxxThrowException(0033efe8,79f9acc4) ret=79f97365
002d:Call KERNEL32.RaiseException(e06d7363,00000001,00000003,0033ef24)
ret=7e846dbb
002d:trace:seh:raise_exception code=e06d7363 flags=1 addr=0x7b44647b
ip=7b44647b tid=002d
002d:trace:seh:raise_exception  info[0]=19930520
002d:trace:seh:raise_exception  info[1]=0033efe8
002d:trace:seh:raise_exception  info[2]=79f9acc4
002d:trace:seh:raise_exception  eax=7b434c05 ebx=0018f868 ecx=0000000c
edx=0033ee74 esi=0033ef20 edi=0033eee0
002d:trace:seh:raise_exception  ebp=0033eeb8 esp=0033ee54 cs=0023 ds=002b
es=33002b fs=7e890063 gs=33006b flags=00200212
002d:trace:seh:call_stack_handlers calling handler at 0x79f9ab98 code=e06d7363
flags=1
002d:trace:seh:call_stack_handlers handler at 0x79f9ab98 returned 1
002d:trace:seh:call_stack_handlers calling handler at 0x79f9ac4c code=e06d7363
flags=1
002d:trace:seh:call_stack_handlers handler at 0x79f9ac4c returned 1
002d:trace:seh:call_stack_handlers calling handler at (nil) code=e06d7363
flags=1
002d:trace:seh:raise_exception code=c0000005 flags=0 addr=(nil) ip=00000000
tid=002d
002d:trace:seh:raise_exception  info[0]=00000000
002d:trace:seh:raise_exception  info[1]=00000000
002d:trace:seh:raise_exception  eax=0033ea6c ebx=00000023 ecx=00000000
edx=7bc8e5be esi=0000002b edi=0033002b
002d:trace:seh:raise_exception  ebp=0033ea18 esp=0033e9ec cs=0023 ds=002b
es=002b fs=0063 gs=006b flags=00210216
002d:trace:seh:call_stack_handlers calling handler at 0x7bc8e5be code=c0000005
flags=0
002d:trace:seh:call_stack_handlers handler at 0x7bc8e5be returned 2
002d:trace:seh:call_stack_handlers calling handler at 0x79f9ab98 code=c0000005
flags=10
002d:trace:seh:call_stack_handlers handler at 0x79f9ab98 returned 1 
...
<exception recursion, leading to stack overflow>
--- snip ---

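0x000006f4 -> RPC_X_NULL_REF_POINTER, the code passed to RpcRaiseException in the trace above. NdrProxyErrorHandler then hands it back to the caller as HRESULT 0x800706f4 (the same Win32 code in HRESULT form).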

--- snip ---
Wine-dbg>bt
Backtrace:
=>0 0x7d4d2081 IWiaDevMgr_SelectDeviceDlg_Proxy(This=0x1b3424,
hwndParent=(nil), lDeviceType=0x1, lFlags=0x1, pbstrDeviceID=(nil),
ppItemRoot=0x33f020)
[/home/focht/projects/wine/wine.repo/build-x86/dlls/sti/sti_wia_p.c:510] in sti
(0x0033f008)
  1 0x79f21268 in mscorwks (+0xb1267) (0x0033f118)
  2 0x0037af9a (0x0033f154)
  3 0x0376344d (0x0033f1a8)
  4 0x037632ae (0x0033f340)
  5 0x79e88f63 in mscorwks (+0x18f62) (0x0033f350)
  6 0x79e88ee4 in mscorwks (+0x18ee3) (0x0033f3d0)
  7 0x79e88e31 in mscorwks (+0x18e30) (0x0033f510)
  8 0x79e88d19 in mscorwks (+0x18d18) (0x0033f5e4)
  9 0x00383340 (0x00383198)
  10 0x0020000a (0x0906002d)
...
  Wine-dbg>l
  521            if (!pbstrDeviceID) RpcRaiseException(RPC_X_NULL_REF_POINTER);
  522            if (!ppItemRoot) RpcRaiseException(RPC_X_NULL_REF_POINTER);
  523            RpcTryFinally
  524            {
  525                __frame->_StubMsg.BufferLength = 16;
  526                NdrUserMarshalBufferSize(
  527                    &__frame->_StubMsg,
  528                    (unsigned char *)&hwndParent,
  529                    (PFORMAT_STRING)&__MIDL_TypeFormatString.Format[104]);
  530
  531                NdrUserMarshalBufferSize(
--- snip ---

https://msdn.microsoft.com/en-us/library/windows/desktop/ms630148(v=vs.85).aspx

--- quote ---
pbstrDeviceID [in, out]

    Type: BSTR*

    On output, receives a string which contains the device's identifier string.
On input, pass the address of a pointer if this information is needed, or NULL
if it is not needed.
--- quote ---

Wine generated 'sti_wia_p.c':

--- snip ---
...
HRESULT STDMETHODCALLTYPE IWiaDevMgr_SelectDeviceDlg_Proxy(
    IWiaDevMgr* This,
    HWND hwndParent,
    LONG lDeviceType,
    LONG lFlags,
    BSTR *pbstrDeviceID,
    IWiaItem **ppItemRoot)
{
    struct __proxy_frame __f, * const __frame = &__f;
    HRESULT _RetVal;
    RPC_MESSAGE _RpcMessage;

    RpcExceptionInit( __proxy_filter,
__finally_IWiaDevMgr_SelectDeviceDlg_Proxy );
    __frame->This = This;
    if (ppItemRoot) MIDL_memset( ppItemRoot, 0, sizeof( *ppItemRoot ));
    RpcTryExcept
    {
        NdrProxyInitialize(This, &_RpcMessage, &__frame->_StubMsg,
&Object_StubDesc, 5);
        if (!pbstrDeviceID) RpcRaiseException(RPC_X_NULL_REF_POINTER);
        if (!ppItemRoot) RpcRaiseException(RPC_X_NULL_REF_POINTER);
        RpcTryFinally
        { 
...
--- snip ---

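By default, a top-level pointer parameter is treated as a "ref" pointer (passed by
reference), which can't be NULL. The generated proxy therefore rejects a NULL
argument on the client side, before anything is marshalled, hence the code: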

-> "if (!pbstrDeviceID) RpcRaiseException(RPC_X_NULL_REF_POINTER);"

Wine source:

https://source.winehq.org/git/wine.git/blob/17d43ef54e4eaaa549fba0b8aed4a816b42c7154:/include/wia_xp.idl#l30

--- snip ---
  30 cpp_quote("DEFINE_GUID(CLSID_WiaDevMgr,
0xa1f4e726,0x8cf1,0x11d1,0xbf,0x92,0x00,0x60,0x08,0x1e,0xd8,0x11);")
  31 
  32 [
  33     object,
  34     uuid(5eb2502a-8cf1-11d1-bf92-0060081ed811)
  35 ]
  36 interface IWiaDevMgr : IUnknown
  37 {
  38     HRESULT EnumDeviceInfo(
  39         [in] LONG lFlag,
  40         [retval, out] IEnumWIA_DEV_INFO **ppIEnum);
  41 
  42     HRESULT CreateDevice(
  43         [in] BSTR bstrDeviceID,
  44         [out] IWiaItem **ppWiaItemRoot);
  45 
  46     HRESULT SelectDeviceDlg(
  47         [in] HWND hwndParent,
  48         [in] LONG lDeviceType,
  49         [in] LONG lFlags,
  50         [in, out] BSTR *pbstrDeviceID,
  51         [retval, out] IWiaItem **ppItemRoot);
...
--- snip ---

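Declaring the 'pbstrDeviceID' pointer parameter 'unique' (a pointer kind that may be
NULL) results in the following generated 'sti_wia_p.c', where the NULL check on
pbstrDeviceID is gone and only the one on ppItemRoot remains: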

--- snip ---
...
HRESULT STDMETHODCALLTYPE IWiaDevMgr_SelectDeviceDlg_Proxy(
    IWiaDevMgr* This,
    HWND hwndParent,
    LONG lDeviceType,
    LONG lFlags,
    BSTR *pbstrDeviceID,
    IWiaItem **ppItemRoot)
{
    struct __proxy_frame __f, * const __frame = &__f;
    HRESULT _RetVal;
    RPC_MESSAGE _RpcMessage;

    RpcExceptionInit( __proxy_filter,
__finally_IWiaDevMgr_SelectDeviceDlg_Proxy );
    __frame->This = This;
    if (ppItemRoot) MIDL_memset( ppItemRoot, 0, sizeof( *ppItemRoot ));
    RpcTryExcept
    {
        NdrProxyInitialize(This, &_RpcMessage, &__frame->_StubMsg,
&Object_StubDesc, 5);
        if (!ppItemRoot) RpcRaiseException(RPC_X_NULL_REF_POINTER);
        RpcTryFinally
        {
            __frame->_StubMsg.BufferLength = 16;
            NdrUserMarshalBufferSize(
                &__frame->_StubMsg,
                (unsigned char *)&hwndParent,
                (PFORMAT_STRING)&__MIDL_TypeFormatString.Format[104]);
...
--- snip ---

With that change applied, the .NET app now displays an error dialog with a
managed exception backtrace instead:

--- snip ---
    WIA Device count: 0
    iCopy.exe Error: 0 : Exception caught.
    iCopy.exe Error: 0 : System.NotImplementedException: The method or
operation is not implemented.
   at WIA.CommonDialogClass.ShowSelectDevice(WiaDeviceType DeviceType, Boolean
AlwaysSelectDevice, Boolean CancelError)
   at iCopy.appControl.changescanner(String deviceID)
   at iCopy.appControl.CreateScanner(String deviceID)
   at iCopy.appControl.Main(String[] sArgs)
--- snip ---

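This is expected, because the server-side implementation is still a stub that returns E_NOTIMPL (a real implementation will have to check pbstrDeviceID for NULL before writing through it, since a 'unique' pointer lets NULL reach the server):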

https://source.winehq.org/git/wine.git/blob/17d43ef54e4eaaa549fba0b8aed4a816b42c7154:/dlls/wiaservc/wiadevmgr.c#l207

--- snip ---
 207 static HRESULT WINAPI wiadevmgr_SelectDeviceDlg(IWiaDevMgr *iface, HWND
hwndParent, LONG lDeviceType,
 208                                                 LONG lFlags, BSTR
*pbstrDeviceID, IWiaItem **ppItemRoot)
 209 {
 210     wiadevmgr *This = impl_from_IWiaDevMgr(iface);
 211     FIXME("(%p, %p, %d, 0x%x, %p, %p): stub\n", This, hwndParent,
lDeviceType, lFlags, pbstrDeviceID, ppItemRoot);
 212     return E_NOTIMPL;
 213 }
--- snip ---

$ sha1sum iCopy1.6.2setup.exe 
f02a0aa0883eb5d598eb9a75545a91508ca41802  iCopy1.6.2setup.exe

$ du -sh iCopy1.6.2setup.exe 
868K    iCopy1.6.2setup.exe

$ wine --version
wine-2.19-154-g17d43ef54e

Regards
