[Bug 35838] New: MS Works 9.0 word processor crashes on startup (process heaps need to be 64K aligned)

wine-bugs at winehq.org wine-bugs at winehq.org
Sat Mar 22 05:15:55 CDT 2014 

https://bugs.winehq.org/show_bug.cgi?id=35838

            Bug ID: 35838
           Summary: MS Works 9.0 word processor crashes on startup
                    (process heaps need to be 64K aligned)
           Product: Wine
           Version: 1.7.15
          Hardware: x86
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ntdll
          Assignee: wine-bugs at winehq.org
          Reporter: focht at gmx.net

Hello folks,

found this while verifying bug 25780 and bug 29875
All applications work fine (excel, access) - except the word processor.

Word crashes right on startup.
It an be started stand-alone, without the 'MSWorks.exe' launcher:

--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files/Microsoft Works

$ WINEDEBUG=+tid,+seh,+relay wine ./WksWP.exe >>log.txt 2>&1
...
0047:Call KERNEL32.LoadLibraryExW(0033d66e
L"C:\\PROG~FBU\\MICR~5BT\\WkApComp.dll",00000000,00000008) ret=7e5de6cb 
...
0047:Call KERNEL32.HeapCreate(00000000,00001000,00000000) ret=690a5e0a
0047:Ret  KERNEL32.HeapCreate() retval=016d2000 ret=690a5e0a 
...
0047:Ret  PE DLL (proc=0x6962bfad,module=0x69600000
L"WkApComp.dll",reason=PROCESS_ATTACH,res=(nil)) retval=1
0047:Ret  KERNEL32.LoadLibraryExW() retval=69600000 ret=7e5de6cb
...
0047:Call ntdll.RtlAllocateHeap(016d2000,00000000,00000014) ret=690a5e2e
0047:Ret  ntdll.RtlAllocateHeap() retval=016d2b00 ret=690a5e2e
0047:Call KERNEL32.CreateFileW(0033d464 L"C:\\users\\focht\\Application
Data\\Microsoft\\Works\\1033\\WkAcCust.bin",80000000,00000001,00000000,00000003,08000080,00000000)
ret=69624a7f
0047:Ret  KERNEL32.CreateFileW() retval=ffffffff ret=69624a7f
0047:Call ntdll.RtlFreeHeap(016d0000,00000000,016d2b00) ret=690a5f32
0047:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7bc4ccdc
ip=7bc4ccdc tid=0047
0047:trace:seh:raise_exception  info[0]=00000000
0047:trace:seh:raise_exception  info[1]=016d0054
0047:trace:seh:raise_exception  eax=016d0000 ebx=7bcd1000 ecx=0033d3d0
edx=0000000c esi=0033d3d0 edi=0033d3dc
0047:trace:seh:raise_exception  ebp=0033d358 esp=0033d320 cs=0023 ds=002b
es=002b fs=0063 gs=006b flags=00210206
0047:trace:seh:call_stack_handlers calling handler at 0x60c9dcef code=c0000005
flags=0 
--- snip ---

Many plugins/components create their own private heaps.
This missing file 'WkAcCust.bin' immediately accessed before the crash is
harmless.
MS Works stores both, formatted and plain text as autocorrect text in that
single, RTF (formatted) file - which doesn't exist on pristine install.

Some heaps are 64K aligned by chance, some are not:

--- snip ---
$ grep "HeapCreate" log.txt 
0047:Call KERNEL32.HeapCreate(00000000,00001000,00000000) ret=781349e0
0047:Ret  KERNEL32.HeapCreate() retval=00340000 ret=781349e0
0047:Call KERNEL32.HeapCreate(00000000,00001000,00000000) ret=690a5e0a
0047:Ret  KERNEL32.HeapCreate() retval=00480000 ret=690a5e0a
0047:Call KERNEL32.HeapCreate(00000000,00001000,00000000) ret=690a5e0a
0047:Ret  KERNEL32.HeapCreate() retval=00590000 ret=690a5e0a
0047:Call KERNEL32.HeapCreate(00000000,00001000,00000000) ret=690a5e0a
0047:Ret  KERNEL32.HeapCreate() retval=006a0000 ret=690a5e0a
0047:Call KERNEL32.HeapCreate(00000000,00010000,00000000) ret=7ac22afa
0047:Ret  KERNEL32.HeapCreate() retval=007c0000 ret=7ac22afa
0047:Call KERNEL32.HeapCreate(00000000,00001000,00000000) ret=690a5e0a
0047:Ret  KERNEL32.HeapCreate() retval=00931000 ret=690a5e0a
0047:Call KERNEL32.HeapCreate(00000000,00001000,00000000) ret=690a5e0a
0047:Ret  KERNEL32.HeapCreate() retval=00b00000 ret=690a5e0a
0047:Call KERNEL32.HeapCreate(00000000,00001000,00000000) ret=690a5e0a
0047:Ret  KERNEL32.HeapCreate() retval=00d81000 ret=690a5e0a
0047:Call KERNEL32.HeapCreate(00000000,00001000,00000000) ret=6392c1df
0047:Ret  KERNEL32.HeapCreate() retval=00e91000 ret=6392c1df
0047:Call KERNEL32.HeapCreate(00000000,00001000,00000000) ret=0121556d
0047:Ret  KERNEL32.HeapCreate() retval=01232000 ret=0121556d
0047:Call KERNEL32.HeapCreate(00000000,00001000,00000000) ret=690a5e0a
0047:Ret  KERNEL32.HeapCreate() retval=01342000 ret=690a5e0a
0047:Call KERNEL32.HeapCreate(00000000,00010000,00000000) ret=7cdcca7a
0047:Ret  KERNEL32.HeapCreate() retval=014b2000 ret=7cdcca7a
0047:Call KERNEL32.HeapCreate(00000000,00001000,00000000) ret=690a5e0a
0047:Ret  KERNEL32.HeapCreate() retval=016d2000 ret=690a5e0a
--- snip ---

In the crash case, Wine creates a heap with base 0x016d2000.
The plugin implements its own 'new' and 'delete' operators which do some magic
with heap base/handle (shifting 16 bits right indicate they somehow care for
64K alignment).
In the RtlFreeHeap() call that causes the page fault the process heap handle
passed in is normalized to 0x016d0000 due to that 'magic'.

I searched appdb MS Works entries and only found tests for old versions of Wine
(1.5.x).
No mentioning of any problems - except for the two bugs above which were
outdated anyway.

So I searched the commit log .. and found a culprit :)

--- snip ---
Module: wine
Branch: master
Commit: 0692bfda5f10e0c2dc6eed2a66e1a9f9c1092bad
URL:   
http://source.winehq.org/git/wine.git/?a=commit;h=0692bfda5f10e0c2dc6eed2a66e1a9f9c1092bad

Author: Alexandre Julliard <julliard at winehq.org>
Date:   Thu Jan 28 19:47:01 2010 +0100

ntdll: Don't require heap sizes to be 64K aligned.
--- snip ---

Reverting that commit lets the word processor successfully start.

$ sha1sum X14-02658.exe 
056fb46da532b0bac1a2504b5bfc527debde0535  X14-02658.exe

$ du -sh X14-02658.exe 
248M    X14-02658.exe

$ wine --version
wine-1.7.15

Regards

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.

More information about the wine-bugs mailing list