[Bug 35273] PotPlayer 1.5.x crashes when loading video file (FilterGraph_create releases/destroys controlling IUnknown)
wine-bugs at winehq.org
Mon Dec 30 08:07:45 CST 2013
http://bugs.winehq.org/show_bug.cgi?id=35273
Anastasius Focht <focht at gmx.net> changed:
           What    |Removed                 |Added
----------------------------------------------------------------------------
         Status    |UNCONFIRMED             |NEW
             CC    |                        |focht at gmx.net
      Component    |-unknown                |quartz
        Summary    |PotPlayer Crashes When  |PotPlayer 1.5.x crashes
                   |Loading Video File      |when loading video file
                   |                        |(FilterGraph_create
                   |                        |releases/destroys
                   |                        |controlling IUnknown)
 Ever confirmed    |0                       |1
--- Comment #3 from Anastasius Focht <focht at gmx.net> ---
Hello folks,
confirming.
Workaround: 'winetricks -q quartz'
Relevant part of trace log:
NOTE: There is lots of interleaving heap activity from multiple threads,
filtered out for the important thread.
--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files/Daum/PotPlayer
$ WINEDEBUG=+tid,+seh,+relay,+heap,+quartz,+olemalloc wine ./PotPlayerMini.exe >>log.txt 2>&1
...
0039:Call ntdll.RtlAllocateHeap(00747000,00000000,00000128) ret=105c89ac
0039:trace:heap:RtlAllocateHeap (0x747000,70000062,00000128): returning 0x1378940
0039:Ret ntdll.RtlAllocateHeap() retval=01378940 ret=105c89ac
...
0039:Call ole32.CoCreateInstance(107dbfdc,01378940,00000017,1075cb90,01378974) ret=1033fd30
...
0039:trace:quartz:DSCF_CreateInstance (0x5718638)->(0x1378940,{00000000-0000-0000-c000-000000000046},0x1378974)
0039:trace:quartz:FilterGraph_create (0x1378940,0xf4e3dc)
...
0039:Call ole32.CoCreateInstance(f5a7620c,01378940,00000001,f5a7af88,001ed340) ret=1033fd30
...
0039:trace:quartz:DSCF_CreateInstance (0x20c020)->(0x1378940,{00000000-0000-0000-c000-000000000046},0x1ed340)
0039:trace:quartz:FilterMapper2_create (0x1378940, 0xf4e1ec)
...
0039:trace:quartz:Inner_QueryInterface (0x20e7b8)->({b79bb0b0-33c1-11d1-abe1-00a0c905f375}, 0x1ed344)
0039:Call KERNEL32.InterlockedIncrement(01378948) ret=1058c08f
0039:Ret KERNEL32.InterlockedIncrement() retval=00000001 ret=1058c08f
0039:Call KERNEL32.InterlockedDecrement(01378948) ret=1058c0b0
0039:Ret KERNEL32.InterlockedDecrement() retval=00000000 ret=1058c0b0
0039:Call ntdll.RtlDeleteCriticalSection(01378a1c) ret=102f9951
0039:trace:heap:RtlFreeHeap (0x110000,70000062,0x5686770): returning TRUE
0039:Ret ntdll.RtlDeleteCriticalSection() retval=00000000 ret=102f9951
0039:Call ntdll.RtlDeleteCriticalSection(0137895c) ret=102f9a0d
0039:trace:heap:RtlFreeHeap (0x110000,70000062,0x56efe80): returning TRUE
0039:Ret ntdll.RtlDeleteCriticalSection() retval=00000000 ret=102f9a0d
0039:Call KERNEL32.InterlockedDecrement(10c1e928) ret=1058bedb
0039:Ret KERNEL32.InterlockedDecrement() retval=00000004 ret=1058bedb
0039:Call ntdll.RtlFreeHeap(00747000,00000000,01378940) ret=105c839e
0039:trace:heap:RtlFreeHeap (0x747000,70000062,0x1378940): returning TRUE
0039:Ret ntdll.RtlFreeHeap() retval=00000001 ret=105c839e
...
0039:Ret ole32.CoCreateInstance() retval=00000000 ret=1033fd30
0039:Call ntdll.RtlAllocateHeap(00747000,00000000,0000005e) ret=105c89ac
0039:err:heap:HEAP_ValidateInUseArena Heap 0x747000: free block 0x1378940 overwritten at 0x1378940 by 107afa00
...
<crash>
--- snip ---
The problem seems to be the release of the controlling IUnknown in
FilterGraph_create() -> memory block: 0x1378940
After returning from CoCreateInstance() sequences to app code, the memory block
is initialized with some vtable and other data members.
The value 0x107afa00 looks like some function offset to 'addref' located in
'potplayer.dll' (references InterlockedIncrement() somewhere in code).
Similar with offsets following ... 0x107afa04 = 'release' like function with
InterlockedDecrement(), indicating IUnknown.
Source:
http://source.winehq.org/git/wine.git/blob/bacd9abbc0bb53993b4ee9b370bf33548f3e6780:/dlls/quartz/filtergraph.c#l5615
Line 5685
--- snip ---
5615 /* This is the only function that actually creates a FilterGraph class... */
5616 HRESULT FilterGraph_create(IUnknown *pUnkOuter, LPVOID *ppObj)
5617 {
5618     IFilterGraphImpl *fimpl;
5619     HRESULT hr;
5620
5621     TRACE("(%p,%p)\n", pUnkOuter, ppObj);
5622
5623     *ppObj = NULL;
5624
5625     fimpl = CoTaskMemAlloc(sizeof(*fimpl));
...
5675     /* create Filtermapper aggregated. */
5676     hr = CoCreateInstance(&CLSID_FilterMapper2, fimpl->outer_unk,
             CLSCTX_INPROC_SERVER, &IID_IUnknown, (void**)&fimpl->punkFilterMapper2);
5678
5679     if (SUCCEEDED(hr))
5680         hr = IUnknown_QueryInterface(fimpl->punkFilterMapper2,
                 &IID_IFilterMapper2, (void**)&fimpl->pFilterMapper2);
5682
5683     if (SUCCEEDED(hr))
5684         /* Release controlling IUnknown - compensate refcount increase
                from caching IFilterMapper2 interface. */
5685         IUnknown_Release(fimpl->outer_unk);
...
5698     *ppObj = &fimpl->IUnknown_inner;
5699     return S_OK;
5700 }
--- snip ---
Tidbit: the app hooks various win32 APIs (including ole), though that doesn't
seem to cause harm.
Example: 'CoCreateInstance'
--- snip ---
7ECD7AFC E9 7F7F6691 JMP 1033FA80
7ECD7B01 E4 F0 IN AL,0F0
7ECD7B03 FF71 FC PUSH DWORD PTR DS:[ECX-4]
7ECD7B06 55 PUSH EBP
--- snip ---
$ sha1sum PotPlayer1.5.40688.EXE
e9f1295ff03634c61db2964f87988c7e0ff0481d PotPlayer1.5.40688.EXE
$ du -sh PotPlayer1.5.40688.EXE
16M PotPlayer1.5.40688.EXE
$ wine --version
wine-1.7.9-209-gb231b4b
Regards
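Added example (not code from the bug report, Wine or PotPlayer): a simplified C model of the refcount sequence visible in the trace above. The outer object is still under construction at refcount 0 when the aggregating creator queries an interface from the inner (the inner delegates AddRef to the controlling IUnknown, 0 -> 1) and then releases the controlling IUnknown to compensate (1 -> 0), so the outer's destructor runs in the middle of its own constructor. The second case models the defensive convention of holding an artificial reference on the outer while it is being built. All type and function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
/* Hypothetical model of a COM outer object: vtable pointer first, then the
 * reference count (the trace above shows the app's counter at object+8). */
typedef struct Outer Outer;
typedef struct {
    unsigned long (*AddRef)(Outer *);
    unsigned long (*Release)(Outer *);
} OuterVtbl;
struct Outer {
    const OuterVtbl *lpVtbl;
    long ref;
    bool destroyed;     /* set instead of freeing, so the result can be inspected */
    void *cached_iface; /* stands in for the cached IFilterMapper2 pointer */
};

static unsigned long Outer_AddRef(Outer *o) { return (unsigned long)++o->ref; }
static unsigned long Outer_Release(Outer *o)
{
    long r = --o->ref;
    if (r == 0) o->destroyed = true; /* real app: DeleteCriticalSection + HeapFree */
    return (unsigned long)r;
}
static const OuterVtbl outer_vtbl = { Outer_AddRef, Outer_Release };

/* QueryInterface on an aggregated inner: the interface it hands out belongs to
 * the aggregate, so the AddRef is delegated to the controlling IUnknown. */
static void *inner_query_interface(Outer *outer)
{
    outer->lpVtbl->AddRef(outer);
    return outer; /* opaque token for the interface pointer */
}

/* The FilterGraph_create pattern quoted above: cache the interface, then
 * release the controlling IUnknown to compensate for the delegated AddRef. */
static void aggregate_and_compensate(Outer *outer)
{
    outer->cached_iface = inner_query_interface(outer);
    outer->lpVtbl->Release(outer);
}

/* Returns -1 if the outer was destroyed during its own construction, else its
 * final refcount. hold_ctor_ref keeps an artificial reference while building. */
int construct_outer(bool hold_ctor_ref)
{
    Outer o = { &outer_vtbl, hold_ctor_ref ? 1 : 0, false, NULL };
    aggregate_and_compensate(&o);
    if (hold_ctor_ref) o.ref--; /* drop the artificial reference, not via Release */
    return o.destroyed ? -1 : (int)o.ref;
}
```

With no reference held during construction the transient AddRef/Release pair reaches zero and the outer is torn down, which is the state the heap validator later reports as a freed block being written to.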