[Bug 8539] VMXBuider 0.8 (VB6 app) fails to create new VM, reporting "Run-time error '-2147417848 (80010108)': Automation error"

wine-bugs at winehq.org
Thu Jan 9 16:44:05 CST 2014


http://bugs.winehq.org/show_bug.cgi?id=8539

--- Comment #18 from Anastasius Focht <focht at gmx.net> ---
Hello folks,

The commit
http://source.winehq.org/git/wine.git/commitdiff/b058c96136850e543d171d766e5b132ba952cfb5
from bug 23005 helped a bit; the pre-checks of 'psa->fFeatures' on
__vbaAryRecCopy() entry are now passed.

Still crashes though.

--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files/RDPSoftware/VMware/VMX Builder

$ WINEDEBUG=+tid,+seh,+relay,+snoop,+ole,+variant wine ./VMXBuilder.exe >>log.txt 2>&1
...
0028:Call oleaut32.SafeArrayAllocData(01ba6c98) ret=660db9e8
0028:trace:variant:SafeArrayAllocData (0x1ba6c98)
0028:Call ntdll.RtlAllocateHeap(00110000,00000008,000001a0) ret=7e7b19ac
0028:Ret  ntdll.RtlAllocateHeap() retval=01ba6e58 ret=7e7b19ac
0028:trace:variant:SafeArrayAllocData 416 bytes allocated for data at 0x1ba6e58
(52 objects).
0028:Ret  oleaut32.SafeArrayAllocData() retval=00000000 ret=660db9e8
0028:Call oleaut32.SafeArraySetRecordInfo(01ba6c98,01ba5668) ret=660dba31
0028:trace:variant:SafeArraySetRecordInfo (0x1ba6c98,0x1ba5668) 
...
0028:Call oleaut32.SafeArrayCopy(01ba6d04,01ba6c90) ret=66103c0e
0028:trace:variant:SafeArrayCopy (0x1ba6d04,0x1ba6c90)
0028:trace:variant:SafeArrayGetVartype (0x1ba6d04,0x33e102)
0028:trace:variant:SafeArrayAllocDescriptorEx (36->VT_RECORD,2,0x1ba6c90)
0028:trace:variant:SafeArrayAllocDescriptor (2,0x1ba6c90)
0028:Call ntdll.RtlAllocateHeap(00110000,00000008,00000030) ret=7e7b19ac
0028:Ret  ntdll.RtlAllocateHeap() retval=01bc5b90 ret=7e7b19ac
0028:trace:variant:SafeArrayAllocDescriptor (2): 32 bytes allocated for
descriptor.
0028:Call ntdll.RtlAllocateHeap(00110000,00000008,000001a0) ret=7e7b19ac
0028:Ret  ntdll.RtlAllocateHeap() retval=01bc5bc8 ret=7e7b19ac
0028:trace:variant:SafeArrayGetRecordInfo (0x1ba6d04,0x33e0a4)
0028:trace:ole:IRecordInfoImpl_AddRef (0x1ba5668) -> 14
0028:trace:variant:SafeArraySetRecordInfo (0x1bc5ba0,0x1ba5668)
0028:trace:ole:IRecordInfoImpl_AddRef (0x1ba5668) -> 15
0028:trace:ole:IRecordInfoImpl_Release (0x1ba5668) -> 14
0028:Ret  oleaut32.SafeArrayCopy() retval=00000000 ret=66103c0e
0028:RET  MSVBVM60.__vbaAryRecCopy(4872ce2c,01ba6c90,0033e1ac) retval=00000000
ret=48754a9c 
0028:CALL MSVBVM60.__vbaAryRecCopy(4872ce2c,01ba6c90,0033e1ac) ret=48754a9c
0028:Call oleaut32.SafeArrayDestroyData(01bc5ba0) ret=660db598
0028:trace:variant:SafeArrayDestroyData (0x1bc5ba0)
0028:trace:variant:SafeArrayGetRecordInfo (0x1bc5ba0,0x33e0b8)
0028:trace:ole:IRecordInfoImpl_AddRef (0x1ba5668) -> 15
0028:trace:ole:IRecordInfoImpl_RecordClear (0x1ba5668)->(0x1bc5bc8)
0028:trace:ole:IRecordInfoImpl_RecordClear (0x1ba5668)->(0x1bc5be8)
0028:trace:ole:IRecordInfoImpl_RecordClear (0x1ba5668)->(0x1bc5c08)
0028:Call ntdll.RtlFreeHeap(00110000,00000000,01bab4f0) ret=7e7a03d6
0028:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7e7a03d6
0028:trace:ole:IRecordInfoImpl_RecordClear (0x1ba5668)->(0x1bc5c28)
0028:Call ntdll.RtlFreeHeap(00110000,00000000,01bab530) ret=7e7a03d6
0028:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7e7a03d6
...
0028:trace:ole:IRecordInfoImpl_RecordClear (0x1ba5668)->(0x1bc5d48)
0028:Call ntdll.RtlFreeHeap(00110000,00000000,01bab838) ret=7e7a03d6
0028:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7e7a03d6
0028:Call ntdll.RtlFreeHeap(00110000,00000000,01bab870) ret=7e7a03d6
0028:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7e7a03d6
0028:trace:ole:IRecordInfoImpl_RecordClear (0x1ba5668)->(0x1bc5d68)
0028:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7e7a01e5
ip=7e7a01e5 tid=0028
0028:trace:seh:raise_exception  info[0]=00000000
0028:trace:seh:raise_exception  info[1]=00002935
0028:trace:seh:raise_exception  eax=00002935 ebx=7e8aa000 ecx=0033e010
edx=00000000 esi=0033e090 edi=7e7aff38
0028:trace:seh:raise_exception  ebp=0033dff8 esp=0033dfc0 cs=0023 ds=002b
es=002b fs=0063 gs=006b flags=00210206
0028:trace:seh:call_stack_handlers calling handler at 0x48723286 code=c0000005
flags=0
0028:CALL MSVBVM60.__vbaExceptHandler(<unknown, check return>) ret=7bc866c9 
--- snip ---

Release of old resources before copying new data:

__vbaAryRecCopy() -> __vbaErase() -> SafeArrayDestroyData() on target safearray 

Seems to be some double free of a bstr.

--- snip ---
Wine-dbg>bt
Backtrace:
=>0 0x7e7a01e2 SysFreeString+0x36(str=<couldn't compute location>)
[/home/focht/projects/wine/wine-git/dlls/oleaut32/oleaut.c:259] in oleaut32
(0x0033e078)
  1 0x7e7aff45 IRecordInfoImpl_RecordClear+0x1f8(iface=<couldn't compute
location>, pvExisting=<couldn't compute location>)
[/home/focht/projects/wine/wine-git/dlls/oleaut32/recinfo.c:219] in oleaut32
(0x0033e0f8)
  2 0x7e7b2059 SAFEARRAY_DestroyData+0x16b(psa=0x1b53038, ulStartCell=0)
[/home/focht/projects/wine/wine-build32/dlls/oleaut32/../../include/oaidl.h:4150]
in oleaut32 (0x0033e178)
  3 0x7e7b3d4a SafeArrayDestroyData+0x9f(psa=0x1b53038)
[/home/focht/projects/wine/wine-git/dlls/oleaut32/safearray.c:1239] in oleaut32
(0x0033e1c0)
  4 0x660db598 in msvbvm60 (+0xdb597) (0x0033e1f4)
  5 0x48754a9c in vmcomps (+0x34a9b) (0x0033e238)
  6 0x004b5b1a in vmxbuilder (+0xb5b19) (0x0033e2d4)
  7 0x0047650f in vmxbuilder (+0x7650e) (0x0033e37c)
  8 0x660ca914 in msvbvm60 (+0xca913) (0x0033e3d8)

Wine-dbg>p *This
{IRecordInfo_iface={lpVtbl=0x7e8c0700}, ref=0xf, guid={Data1=0x97dfd25d,
Data2=0x596c, Data3=0x4f93, Data4="????"}, lib_index=0, n_vars=0x2, size=0x8,
name="GuestOSVer", fields=0x1b32a78, pTypeInfo=0x1b32888}

...

{vt=VT_BSTR, varkind=VAR_PERINSTANCE, offset=0, name="DisplayedName"}
{vt=VT_BSTR, varkind=VAR_PERINSTANCE, offset=0x4, name="ConfigName"}
--- snip ---

Disabling bstr caching with OANOCACHE=1 didn't change behaviour (point of crash
didn't move).

Regards

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.
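
One way to test the double-free suspicion from the comment above against a full log.txt: the sketch below (an added example, not part of the original comment and not Wine code) replays the RtlAllocateHeap/RtlFreeHeap relay lines and attributes each suspicious free to the last IRecordInfoImpl_RecordClear record on that thread. The names audit_heap and SAMPLE are hypothetical, and the sample lines are constructed in the trace format shown above.

```python
import re

ALLOC_CALL = re.compile(r"^(\w+):Call ntdll\.RtlAllocateHeap\((\w+),\w+,\w+\)")
ALLOC_RET = re.compile(r"^(\w+):Ret\s+ntdll\.RtlAllocateHeap\(\) retval=(\w+)")
FREE_CALL = re.compile(r"^(\w+):Call ntdll\.RtlFreeHeap\((\w+),\w+,(\w+)\)")
REC_CLEAR = re.compile(r"^(\w+):trace:ole:IRecordInfoImpl_RecordClear \(\w+\)->\((\w+)\)")

def audit_heap(lines):
    """Return (kind, line_no, block, record) for every suspicious RtlFreeHeap call."""
    live, freed = set(), set()    # (heap, block) pairs seen allocated / already freed
    pending, record = {}, {}      # per thread id: heaps awaiting Ret, last cleared record
    findings = []
    for n, line in enumerate(lines, 1):
        if m := ALLOC_CALL.match(line):
            pending.setdefault(m[1], []).append(m[2])
        elif m := ALLOC_RET.match(line):
            if pending.get(m[1]):
                key = (pending[m[1]].pop(), int(m[2], 16))
                if key[1]:                  # retval 0 means the allocation failed
                    live.add(key)
                    freed.discard(key)      # the address was legitimately reused
        elif m := REC_CLEAR.match(line):
            record[m[1]] = m[2]
        elif m := FREE_CALL.match(line):
            key = (m[2], int(m[3], 16))
            if key[1] == 0:                 # freeing NULL is not interesting here
                continue
            if key in freed:
                findings.append(("double-free", n, hex(key[1]), record.get(m[1])))
            elif key not in live:           # allocated before tracing began, or a bogus pointer
                findings.append(("untracked-free", n, hex(key[1]), record.get(m[1])))
            live.discard(key)
            freed.add(key)
    return findings

# Constructed sample lines in the +relay/+ole format; not taken from the real log.
SAMPLE = """\
0028:Call ntdll.RtlAllocateHeap(00110000,00000008,00000020) ret=7e7b19ac
0028:Ret  ntdll.RtlAllocateHeap() retval=01bab4f0 ret=7e7b19ac
0028:trace:ole:IRecordInfoImpl_RecordClear (0x1ba5668)->(0x1bc5bc8)
0028:Call ntdll.RtlFreeHeap(00110000,00000000,01bab4f0) ret=7e7a03d6
0028:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7e7a03d6
0028:trace:ole:IRecordInfoImpl_RecordClear (0x1ba5668)->(0x1ba6e58)
0028:Call ntdll.RtlFreeHeap(00110000,00000000,01bab4f0) ret=7e7a03d6
0028:Call ntdll.RtlFreeHeap(00110000,00000000,01bab530) ret=7e7a03d6
""".splitlines()

if __name__ == "__main__":
    for finding in audit_heap(SAMPLE):
        print(finding)
```

The audit only sees frees that reach RtlFreeHeap, so the trace should be taken with OANOCACHE=1 as in the comment; otherwise a freed BSTR can be parked in the BSTR cache and never show up as a heap free. RtlReAllocateHeap is not tracked.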