[Bug 19538] Microsoft Publisher 2007 and 2010 crash when opening documents/templates (TSF manager 'ITextStoreACPSink' must support QI with 'IID_ITextStoreACPServices')

wine-bugs at winehq.org wine-bugs at winehq.org
Sun Aug 31 17:13:05 CDT 2014


https://bugs.winehq.org/show_bug.cgi?id=19538

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |focht at gmx.net
            Summary|Publisher 2007 crashes      |Microsoft Publisher 2007
                   |                            |and 2010 crash when opening
                   |                            |documents/templates (TSF
                   |                            |manager 'ITextStoreACPSink'
                   |                            |must support QI with
                   |                            |'IID_ITextStoreACPServices'
                   |                            |)

--- Comment #9 from Anastasius Focht <focht at gmx.net> ---
Hello folks,

confirming.

Running with 'winedbg' gives:

--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files/Microsoft Office/Office12

$ winedbg ./MSPUB.exe
...
<open document from existing templates>
...
Unhandled exception: page fault on read access to 0x00000000 in 32-bit code (0x33ef4418).
Register dump:
 CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b
 EIP:33ef4418 ESP:0033e6c4 EBP:0033ec6c EFLAGS:00010297(  R- --  I S -A-P-C)
 EAX:00000000 EBX:00000001 ECX:33f514ac EDX:00000001
 ESI:0198c8d6 EDI:00ffffff
...
Backtrace:
=>0 0x33ef4418 in ptxt9 (+0x34418) (0x0033ec6c)
  1 0x3024cae0 in mspub (+0x24cadf) (0x0033eca4)
  2 0x3025e14a in mspub (+0x25e149) (0x0033ed44)
  3 0x33d265b7 in morph9 (+0x265b6) (0x0033ee18)
  4 0x3023673b in mspub (+0x23673a) (0x0033eed8)
  5 0x302361f4 in mspub (+0x2361f3) (0x0033ef0c)
  6 0x304e9bba in mspub (+0x4e9bb9) (0x0033f9f0)
  7 0x305069eb in mspub (+0x5069ea) (0x0033faf8)
  8 0x30507091 in mspub (+0x507090) (0x0033fb18)
  9 0x7ec99b6a WINPROC_wrapper+0x19() in user32 (0x0033fb48)
  10 0x7ec99cdf call_window_proc+0xcc(hwnd=0x200d6, msg=0x203, wp=0x1, lp=0x840071, result=0x33fcb8, arg=0x30506fdc) [/home/focht/projects/wine/wine.repo/src/dlls/user32/winproc.c:244] in user32 (0x0033fb88)
  11 0x7ec9be78 WINPROC_call_window+0x15d(hwnd=0x200d6, msg=0x203, wParam=0x1, lParam=0x840071, result=0x33fcb8, unicode=0x1, mapping=WMCHAR_MAP_DISPATCHMESSAGE) [/home/focht/projects/wine/wine.repo/src/dlls/user32/winproc.c:900] in user32 (0x0033fbd8)
  12 0x7ec5d7dd DispatchMessageW+0x1c4(msg=<couldn't compute location>) [/home/focht/projects/wine/wine.repo/src/dlls/user32/message.c:4022] in user32 (0x0033fce8)
  13 0x326ee453 in mso (+0xee452) (0x0033fd04)
  14 0x3002ddd2 in mspub (+0x2ddd1) (0x0033fd44)
  15 0x30002316 in mspub (+0x2315) (0x0033fd54)
  16 0x300022c3 in mspub (+0x22c2) (0x0033fd90)
  17 0x3000228c in mspub (+0x228b) (0x0033fe20)
  18 0x7b864378 call_process_entry+0xb() in kernel32 (0x0033fe38)
...
0x33ef4418: movl    0x0(%eax),%ecx

Wine-dbg> info process
 pid      threads  executable (all id:s are in hex)
>00000022 8        'MSPUB.EXE'
 0000002d 7        \_ 'rpcss.exe'
 00000020 1        'explorer.exe'
 0000000e 5        'services.exe'
 00000019 3        \_ 'plugplay.exe'
 00000012 4        \_ 'winedevice.exe'

Wine-dbg> info thread
process  tid      prio (all id:s are in hex)
...
00000022 (D) C:\Program Files\Microsoft Office\Office12\MSPUB.EXE
    00000038    0
    00000037    0
    0000002c    0
    0000002b    0
    00000026    0
    00000025    0
    00000024    0
    00000023    0 <==

Wine-dbg> info share
Module    Address            Debug info    Name (151 modules)
PE      820000-  e74000    Deferred        msores
PE      e90000- 186d000    Deferred        msointl
PE    30000000-3092f000    Export          mspub
PE    32600000-33618000    Export          mso
PE    33d00000-33d7b000    Export          morph9
PE    33da0000-33e12000    Deferred        mor6int
PE    33ec0000-33f5c000    Export          ptxt9
PE    33fe0000-345bd000    Deferred        pub6intl
PE    34730000-3473d000    Deferred        pubtrap
PE    347b0000-34816000    Deferred        pubwzint
PE    3bd10000-3bea5000    Deferred        ogl
...
PE    50720000-5072e000    Deferred        mshyph2
PE    6bdc0000-6be7a000    Deferred        msptls
ELF    7ac00000-7ac6a000    Deferred        riched20<elf>
--- snip ---

The crash happens within 'PTXT9.DLL', dubbed 'Microsoft Office Publisher TXT Converter' (dll resource).

After spending some hours, I found the culprit component: the TSF manager.

'winetricks -q msctf' works around it.

--- snip ---
...
0023:trace:msctf:DocumentMgr_CreateContext (0x1c2b50) 0x1 0x0 0x385afc0 0x385b058 0x385b064
0023:trace:msctf:Context_Constructor (0x1c5c88) 1 0x385afc0 0x385b058 0x385b064
0023:trace:msctf:CompartmentMgr_Constructor returning 0x168090
0023:trace:msctf:Context_Constructor returning 0x1c5c88
0023:trace:msctf:DocumentMgr_Push (0x1c2b50) 0x1c5c88
0023:trace:msctf:ThreadMgrEventSink_OnInitDocumentMgr (0x1c5bf0) 0x1c2b50
0023:trace:msctf:TextStoreACPSink_Constructor returning 0x161740
0023:warn:msctf:TextStoreACPSink_QueryInterface unsupported interface: {aa80e901-2021-11d2-93e0-0060b067b86e}
0023:trace:msctf:ThreadMgrEventSink_OnPushContext (0x1c5bf0) 0x1c5c88
0023:trace:msctf:ContextSource_AdviseSink (0x1c5c88) {8127d409-ccd3-4683-967a-b43d5b482bf7} 0x385afcc 0x385afec
0023:trace:msctf:ContextSource_AdviseSink cookie 3
0023:warn:msctf:Context_QueryInterface unsupported interface: {a305b1c0-c776-4523-bda0-7c5a2e0fef10}
0023:trace:msctf:ThreadMgr_SetFocus (0x1c5bf0) 0x1c2b50
0023:trace:msctf:ThreadMgrEventSink_OnSetFocus (0x1c5bf0) 0x1c2b50 (nil)
0023:trace:msctf:ThreadMgr_GetFocus (0x1c5bf0)
0023:trace:msctf:ThreadMgr_GetFocus ->0x1c2b50
--- snip ---

--- snip ---
...
Wine-dbg>
0x33ec2ddd: call    *0xc(%edx)
Wine-dbg>si
DocumentMgr_CreateContext () at /home/focht/projects/wine/wine.repo/src/dlls/msctf/documentmgr.c:148
...
Wine-dbg>
0x33ec2def: call    *0x10(%ecx)
Wine-dbg>si
DocumentMgr_Push () at /home/focht/projects/wine/wine.repo/src/dlls/msctf/documentmgr.c:155
...
Wine-dbg>
0x33ec2e09: call    *0x0(%ecx)
Wine-dbg>si
Context_QueryInterface () at /home/focht/projects/wine/wine.repo/src/dlls/msctf/context.c:202
...
Wine-dbg>
0x33ec2e27: call    *0xc(%eax)
Wine-dbg>si
ContextSource_AdviseSink () at /home/focht/projects/wine/wine.repo/src/dlls/msctf/context.c:613
...
Wine-dbg>
0x33ec2e43: call    *0x0(%eax)
Wine-dbg>si
Context_QueryInterface () at /home/focht/projects/wine/wine.repo/src/dlls/msctf/context.c:202
...
Wine-dbg>
0x33ec2e57: call    *0x8(%ecx)
Wine-dbg>si
ContextSource_Release () at /home/focht/projects/wine/wine.repo/src/dlls/msctf/context.c:603
0x7c54537a ContextSource_Release [/home/focht/projects/wine/wine.repo/src/dlls/msctf/context.c:603] in msctf: leal    0x4(%esp),%ecx
603    {
...
--- snip ---

Source:
http://source.winehq.org/git/wine.git/blob/f2b29ecf7201e0bd4d84ec5d3c4be3888f886350:/dlls/msctf/context.c#l893

--- snip ---
static HRESULT WINAPI TextStoreACPSink_QueryInterface(ITextStoreACPSink *iface, REFIID iid, LPVOID *ppvOut)
{
    TextStoreACPSink *This = impl_from_ITextStoreACPSink(iface);
    *ppvOut = NULL;

    if (IsEqualIID(iid, &IID_IUnknown) || IsEqualIID(iid, &IID_ITextStoreACPSink))
    {
        *ppvOut = &This->ITextStoreACPSink_iface;
    }

    if (*ppvOut)
    {
        ITextStoreACPSink_AddRef(iface);
        return S_OK;
    }

    WARN("unsupported interface: %s\n", debugstr_guid(iid));
    return E_NOINTERFACE;
}
--- snip ---

Since 'ITextStoreACPSink::QueryInterface' rejects 'IID_ITextStoreACPServices',
the previous QI is released, leading to a later crash.

MSDN:
http://msdn.microsoft.com/en-us/library/windows/desktop/ms538387%28v=vs.85%29.aspx

--- quote ---
The ITextStoreACPServices interface is implemented by the TSF manager to
provide various services to an ACP-based application. To obtain an instance of
this interface, an application calls QueryInterface on the punk parameter
passed to ITextStoreACP::AdviseSink with IID_ITextStoreACPServices.
--- quote ---

MSDN:
http://blogs.msdn.com/b/tsfaware/archive/2007/05/05/a-tour-through-tsf-miscellaneous-functions.aspx

Tidbit:

MSDN:
http://msdn.microsoft.com/en-us/library/windows/desktop/ms629043%28v=vs.85%29.aspx

--- quote ---
How To Modify the Text Store

The ITfDocumentMgr::Push method calls ITextStoreACP::AdviseSink with a pointer
to the advise sink interface to install a new advise sink or modify an existing
advise sink. The advise sink receives notifications when the text store is
modified by something other than the manager, such as user input to the
application. Applications must call the ITfThreadMgrEventSink::OnSetFocus
method when the input method obtains the focus. Other notifications to the
thread manager are provided by calling to the appropriate ITextStoreACPSink
interface methods.

However, applications should not call the ITextStoreACPSink interface methods
in response to ITextStoreACP interface methods. Applications should only call
ITextStoreACPSink interface methods when the text store is modified by
something other than the manager.

The contents of the text store can be modified with a temporary input state
called a composition.
--- quote ---

That article mentions functionality that might be interesting in the future ->
Microsoft Active Accessibility clients with anchor support (ITextStoreAnchor
and ITextStoreAnchorSink).

$ wine --version
wine-1.7.25-51-g60de497

Regards

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.
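
Added example, not part of the original comment and not Wine's code: a toy C model of the QueryInterface sequence analysed above, showing a sink that refuses 'IID_ITextStoreACPServices' (with_services = 0) next to one that answers it, and a caller that tests the HRESULT instead of keeping a NULL pointer. The string-compared IIDs, the 'Sink' struct and the functions 'sink_query_interface', 'app_advise_sink' and 'run_advise' are assumptions made for illustration.

```c
#include <string.h>

/* Toy model only: IIDs compared as strings, struct fields stand in for COM vtables. */
typedef int HRESULT;
#define S_OK          0
#define E_NOINTERFACE ((HRESULT)0x80004002)

static const char IID_IUnknown[]              = "00000000-0000-0000-c000-000000000046";
static const char IID_ITextStoreACPSink[]     = "22d44c94-a419-4542-a272-ae26093ececf";
static const char IID_ITextStoreACPServices[] = "aa80e901-2021-11d2-93e0-0060b067b86e";

typedef struct Sink {
    const void *sink_iface;     /* stands in for the ITextStoreACPSink vtable pointer */
    const void *services_iface; /* stands in for the ITextStoreACPServices vtable pointer */
    long ref;                   /* one reference count shared by both interfaces */
} Sink;

/* with_services == 0 models the QueryInterface quoted in the report. */
static HRESULT sink_query_interface(Sink *s, const char *iid, void **out, int with_services)
{
    *out = NULL;
    if (!strcmp(iid, IID_IUnknown) || !strcmp(iid, IID_ITextStoreACPSink))
        *out = &s->sink_iface;
    else if (with_services && !strcmp(iid, IID_ITextStoreACPServices))
        *out = &s->services_iface;
    if (!*out) return E_NOINTERFACE;
    s->ref++;
    return S_OK;
}

/* Hypothetical application-side AdviseSink: wants both interfaces from punk. */
static HRESULT app_advise_sink(Sink *punk, int with_services, void **services)
{
    void *sink;
    HRESULT hr = sink_query_interface(punk, IID_ITextStoreACPSink, &sink, with_services);
    if (hr != S_OK) return hr;
    hr = sink_query_interface(punk, IID_ITextStoreACPServices, services, with_services);
    if (hr != S_OK)
        punk->ref--;   /* release the sink reference; *services is NULL here */
    return hr;         /* caller must test this before using *services */
}

/* Returns the final refcount, or -1 if the advise was refused. */
int run_advise(int with_services)
{
    Sink s = { NULL, NULL, 1 };
    void *services = NULL;
    if (app_advise_sink(&s, with_services, &services) != S_OK) return -1;
    return services == (void *)&s.services_iface ? (int)s.ref : -2;
}
```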