[Bug 5807] Mercora IMRadio crashes while attempting to run

wine-bugs at winehq.org wine-bugs at winehq.org
Sun Mar 30 08:59:33 CDT 2008


http://bugs.winehq.org/show_bug.cgi?id=5807





--- Comment #6 from Anastasius Focht <focht at gmx.net>  2008-03-30 08:59:32 ---
Created an attachment (id=11740)
 --> (http://bugs.winehq.org/attachment.cgi?id=11740)
patch which supplies correct browser dispatch to completion event handlers

Hello,

another random pick (now from 1.0 buglist *g*).

The app was rechristened "Social·fm Desktop" and is now found at:
http://www.mercora.com/product_desktop.php

The GUI is based on dynamic HTML with the usual browser (shdocvw) event
sequence:

BeforeNavigate2
NavigateComplete2
DocumentComplete

In the app's "DocumentComplete" handler, NULL interface pointers are referenced,
leading to a crash.
It was a bit nasty to debug because the app simultaneously loads two pages (main
GUI DHTML view) and a splash-like DHTML dialog (login window).

The app uses the "NavigateComplete2" event to set up several internal things,
e.g. HTML document dispatch from browser (for IID_IHTMLDocument2) and wire up
the event sinks for DHTML events.

Due to a misconception in shdocvw's navigate_complete() this setup phase is
completely skipped, leading to later NULL references when the app's
"DocumentComplete" handler is executed.

The problem basically boils down to the app's "NavigateComplete2" handler comparing
the dispatch pointer which is supplied as first argument to the browser
dispatch which was stored when the control was initially created.
On mismatch it immediately bails out of the handler.

--- snip dlls/shdocvw/dochost.c ---
static void navigate_complete(DocHost *This)
{
    ...
    hres = IUnknown_QueryInterface(This->document, &IID_IDispatch, (void**)&disp);
    if(FAILED(hres))
        FIXME("Could not get IDispatch interface\n");

    dispparams.cArgs = 2;
    dispparams.cNamedArgs = 0;
    dispparams.rgdispidNamedArgs = NULL;
    dispparams.rgvarg = params;

    V_VT(params) = (VT_BYREF|VT_VARIANT);
    V_BYREF(params) = &url;

    V_VT(params+1) = VT_DISPATCH;
    V_DISPATCH(params+1) = disp;  /* <--- incorrect dispatch supplied! */

    V_VT(&url) = VT_BSTR;
    V_BSTR(&url) = SysAllocString(This->url);

    call_sink(This->cps.wbe2, DISPID_NAVIGATECOMPLETE2, &dispparams);
    call_sink(This->cps.wbe2, DISPID_DOCUMENTCOMPLETE, &dispparams);
    ...
}
--- snip ---

HTMLDocument IDispatch given to both sinks results in a vtable pointer mismatch
when the handler compares against WebBrowser2 IDispatch.

Attached patch fixes this.
Now the app "NavigateComplete2" handler fetches and stores additional document
interfaces and wires up the event sinks for DHTML events.
When the "DocumentComplete" handler is called, the elements collection is now
correctly accessed with the interface pointers stored.

Unfortunately the app will crash again at a later stage.

--- snip ---
0009:trace:mshtml:HTMLDocument_Release (0x15c7f90) ref = 3
0009:Call oleaut32.VariantClear(0033ed78) ret=0058466e
0009:Ret  oleaut32.VariantClear() retval=00000000 ret=0058466e
0009:Call KERNEL32.MultiByteToWideChar(00000003,00000000,0060286e "",ffffffff,00000000,00000000) ret=00425006
0009:Ret  KERNEL32.MultiByteToWideChar() retval=00000001 ret=00425006
0009:trace:mshtml:HTMLDocument_AddRef (0x15c7f90) ref = 4
0009:fixme:mshtml:HTMLDocument_get_Script (0x15c7f90)->(0x33edcc)
0009:trace:seh:raise_exception code=c0000005 flags=0 addr=0x4cd8aa
0009:trace:seh:raise_exception  info[0]=00000000
0009:trace:seh:raise_exception  info[1]=ffffffff
0009:trace:seh:raise_exception  eax=0060286e ebx=727798bc ecx=00420000 edx=c10ff0ff esi=00000000 edi=00f19340
0009:trace:seh:raise_exception  ebp=00f19330 esp=0033edbc cs=0073 ds=007b es=007b fs=0033 gs=003b flags=00210206
0009:trace:seh:call_stack_handlers calling handler at 0x5d21f3 code=c0000005 flags=0
--- snip ---

This is due to mshtml insufficiency.

--- snip ---
static HRESULT WINAPI HTMLDocument_get_Script(IHTMLDocument2 *iface, IDispatch **p)
{
    FIXME("(%p)->(%p)\n", iface, p);
    return E_NOTIMPL;
}
--- snip ---

The app doesn't check the return value and tries to use the dispatch pointer
directly. *boom*

Regards
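
The two failure modes in the comment above (setup skipped on a dispatch mismatch, then an unchecked getter result), modeled in plain C with the checks the crashing handler lacked. This is an added example, not code from the comment, the attached patch or Wine; every type and function name in it is a constructed stand-in for the COM interfaces.

```c
#include <stddef.h>
#include <stdint.h>

/* Plain-C stand-ins for the COM types; all names below are constructed. */
typedef int32_t HRESULT;
#define S_OK       ((HRESULT)0)
#define E_NOTIMPL  ((HRESULT)0x80004001u)
#define E_POINTER  ((HRESULT)0x80004003u)
#define FAILED(hr) ((HRESULT)(hr) < 0)

typedef struct Dispatch { int unused; } Dispatch;   /* models IDispatch identity */
typedef HRESULT (*get_script_fn)(Dispatch *doc, Dispatch **p);

typedef struct App {
    Dispatch *browser;         /* browser dispatch stored at control creation */
    Dispatch *doc;             /* document pointer, set only in NavigateComplete2 */
    get_script_fn get_script;
} App;

static Dispatch g_browser, g_document, g_script;

/* Getter stub like the one quoted above: fails and leaves *p untouched. */
static HRESULT script_stub(Dispatch *doc, Dispatch **p) { (void)doc; (void)p; return E_NOTIMPL; }
static HRESULT script_ok(Dispatch *doc, Dispatch **p) { (void)doc; *p = &g_script; return S_OK; }

/* NavigateComplete2 as the comment describes it: bail out on dispatch mismatch. */
static void on_navigate_complete(App *app, Dispatch *pdisp)
{
    if (pdisp != app->browser) return;
    app->doc = &g_document;
}

/* DocumentComplete with NULL and HRESULT checks in place. */
static HRESULT on_document_complete(App *app)
{
    Dispatch *script = NULL;              /* do not trust the callee to set it */
    HRESULT hr;
    if (!app->doc) return E_POINTER;      /* setup phase was skipped */
    hr = app->get_script(app->doc, &script);
    if (FAILED(hr)) return hr;            /* e.g. E_NOTIMPL from a stub */
    return script ? S_OK : E_POINTER;
}

/* Fire both events with one dispatch argument, as navigate_complete() does. */
static HRESULT fire_events(int pass_browser_dispatch, int script_implemented)
{
    App app = { &g_browser, NULL, script_implemented ? script_ok : script_stub };
    on_navigate_complete(&app, pass_browser_dispatch ? &g_browser : &g_document);
    return on_document_complete(&app);
}

int main(void) { return fire_events(1, 1) == S_OK ? 0 : 1; }
```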

