[Bug 12406] Microsoft Document Explorer 2008 crashes when using MS Help 2 URL from command line

wine-bugs at winehq.org
Mon Feb 2 15:40:27 CST 2015


https://bugs.winehq.org/show_bug.cgi?id=12406

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|patch                       |
                 CC|                            |focht at gmx.net
          Component|-unknown                    |ieframe
            Summary|document explorer (part of  |Microsoft Document Explorer
                   |win doc kit) won't run      |2008 crashes when using MS
                   |                            |Help 2 URL from command
                   |                            |line
           Severity|enhancement                 |normal

--- Comment #19 from Anastasius Focht <focht at gmx.net> ---
Hello folks,

confirming, the crash is still present.

The bug was unfortunately recycled after the 'CoInternetSetFeatureEnabled' issue.

Prerequisite: 'winetricks -q dotnet20 mfc42'

--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files/Common Files/Microsoft Shared/Help 9

$ WINEDEBUG=+tid,+seh,+relay wine ./dexplore.exe /helpcol ms-help://ms.WDK.v10.6001.080214 /LaunchNamedUrlTopic HomePage >>log.txt 2>&1
...
002a:Call wininet.InternetCanonicalizeUrlW(009ab38c
L"ms-help://MS.WDK.v10.6001.080214/Intro_g",009ab44c,0033e654,20000000)
ret=51c22915 
...
002a:Call ole32.CoCreateInstance(0033f62c,0045e76c,00000001,3b210fa8,0033f624)
ret=3b39fd48
002a:Call ntdll.RtlInitUnicodeString(0033f310,0033f362
L"CLSID\\{8856F961-340A-11D0-A96B-00C04FD705A2}") ret=7e87e764 
...
002a:Call KERNEL32.LoadLibraryExW(0033f14e
L"C:\\windows\\system32\\ieframe.dll",00000000,00000008) ret=7e87e8f8
002a:Call PE DLL (proc=0x7cd7fd8c,module=0x7cd50000
L"ieframe.dll",reason=PROCESS_ATTACH,res=(nil)) 
...
002a:Call ieframe.DllGetClassObject(0033f4c8,7e97102c,0033f4d8) ret=7e880f05
002a:trace:ieframe:DllGetClassObject (CLSID_WebBrowser
{00000001-0000-0000-c000-000000000046} 0x33f4d8)
002a:trace:ieframe:ClassFactory_QueryInterface (0x7cc74670)->(IID_IClassFactory
0x33f4d8)
002a:trace:ieframe:ClassFactory_AddRef (0x7cc74670)
002a:Ret  ieframe.DllGetClassObject() retval=00000000 ret=7e880f05
002a:Call advapi32.RegCloseKey(0000015c) ret=7e884a88
002a:Ret  advapi32.RegCloseKey() retval=00000000 ret=7e884a88
002a:trace:ieframe:create_webbrowser (0x45e76c
{00000000-0000-0000-c000-000000000046} 0x33f624) version=2 
...
002a:trace:ieframe:WebBrowser_QueryInterface (0x107dc98)->(IID_IUnknown
0x33f624)
002a:trace:ieframe:WebBrowser_AddRef (0x107dc98) ref=2
002a:trace:ieframe:WebBrowser_Release (0x107dc98) ref=1
002a:trace:ieframe:ClassFactory_Release (0x7cc74670)
002a:Ret  ole32.CoCreateInstance() retval=00000000 ret=3b39fd48
002a:trace:ieframe:WebBrowser_QueryInterface (0x107dc98)->(IID_IUnknown
0x45e794)
002a:trace:ieframe:WebBrowser_AddRef (0x107dc98) ref=2
002a:trace:ieframe:WebBrowser_Release (0x107dc98) ref=1
002a:Call KERNEL32.InterlockedDecrement(0045e8d0) ret=3b27ae4e
002a:Ret  KERNEL32.InterlockedDecrement() retval=00000000 ret=3b27ae4e
002a:Call ntdll.RtlFreeHeap(00110000,00000000,0107b3f0) ret=7e8a05e8
002a:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7e8a05e8
002a:Call KERNEL32.InterlockedDecrement(3b8c9868) ret=3b21176a
002a:Ret  KERNEL32.InterlockedDecrement() retval=00000011 ret=3b21176a
002a:Call ntdll.RtlDeleteCriticalSection(0045e8d4) ret=3b21e7dd
002a:Ret  ntdll.RtlDeleteCriticalSection() retval=00000000 ret=3b21e7dd
002a:Call msvcr90.??3@YAXPAX@Z(0045e8c8) ret=3b27b0df
002a:Call ntdll.RtlFreeHeap(00450000,00000000,0045e8c8) ret=7ec9d1b2
002a:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7ec9d1b2
002a:Ret  msvcr90.??3@YAXPAX@Z() retval=00000001 ret=3b27b0df
002a:trace:ieframe:WebBrowser_QueryInterface (0x107dc98)->(IID_IOleObject
0x45e754)
002a:trace:ieframe:WebBrowser_AddRef (0x107dc98) ref=2
002a:trace:ieframe:WebBrowser_Release (0x107dc98) ref=1
002a:trace:ieframe:WebBrowser_Release (0x107dc98) ref=0 
...
002a:Call msvcr90.??_V@YAXPAX@Z(00000000) ret=3b644fb4
002a:Call ntdll.RtlFreeHeap(00450000,00000000,00000000) ret=7ec9d1b2
002a:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7ec9d1b2
002a:Ret  msvcr90.??_V@YAXPAX@Z() retval=00000001 ret=3b644fb4
002a:Call oleaut32.VariantClear(0045e7c8) ret=3b642a98
002a:Ret  oleaut32.VariantClear() retval=00000000 ret=3b642a98
002a:Call oleaut32.SysFreeString(00000000) ret=3b642aa7
002a:Ret  oleaut32.SysFreeString() retval=0033f5e0 ret=3b642aa7
002a:Call oleaut32.SysFreeString(00000000) ret=3b642ab0
002a:Ret  oleaut32.SysFreeString() retval=0033f5e0 ret=3b642ab0
002a:Call oleaut32.SysFreeString(00000000) ret=3b642ab9
002a:Ret  oleaut32.SysFreeString() retval=0033f5e0 ret=3b642ab9
002a:Call msvcr90.??3@YAXPAX@Z(0045e750) ret=3b6460ed
002a:Call ntdll.RtlFreeHeap(00450000,00000000,0045e750) ret=7ec9d1b2
002a:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7ec9d1b2
002a:Ret  msvcr90.??3@YAXPAX@Z() retval=00000001 ret=3b6460ed
002a:trace:seh:raise_exception code=c0000005 flags=0 addr=0x45009b ip=0045009b
tid=002a
002a:trace:seh:raise_exception  info[0]=00000001
002a:trace:seh:raise_exception  info[1]=01454588
002a:trace:seh:raise_exception  eax=00450088 ebx=3b211020 ecx=0033f71c
edx=00450064 esi=0045e750 edi=00000001
002a:trace:seh:raise_exception  ebp=0033f78d esp=0033f6ec cs=0023 ds=002b
es=002b fs=0063 gs=006b flags=00210206
002a:trace:seh:call_vectored_handlers calling handler at 0x40e138 code=c0000005
flags=0 
...
--- snip ---

Hard to tell.

Memory dump of the block in question:

--- snip ---
0045ED70  00000170 ; block size
0045ED74  00455355 ; 'USE' heap magic
0045ED78  3B3BBCA0 ; msenv.3B3BBCA0 (vtable?)
0045ED7C  010A9754 ; OFFSET ieframe.OleObjectVtbl (set by QI)
0045ED80  00000000
0045ED84  3B2ED7C4 ; msenv.3B2ED7C4 (vtable?)
0045ED88  3B2E3A40 ; msenv.3B2E3A40 (vtable?)
0045ED8C  3B2ED86C ; msenv.3B2ED86C (vtable?)
0045ED90  00000000
0045ED94  3B3BBD0C ; msenv.3B3BBD0C (controlling IUnknown to CoCreateInstance)
0045ED98  3B3BBD2C ; msenv.3B3BBD2C (vtable?)
0045ED9C  3B2ED4AC ; msenv.3B2ED4AC (vtable?)
0045EDA0  3B2E2540 ; msenv.3B2E2540 (vtable?)
0045EDA4  3B3BBD40 ; msenv.3B3BBD40 (vtable?)
0045EDA8  3B2E481C ; msenv.3B2E481C (vtable?)
0045EDAC  3B2E9688 ; msenv.3B2E9688 (vtable?)
0045EDB0  3B3BBD54 ; msenv.3B3BBD54 (vtable?)
0045EDB4  3B3BBD68 ; msenv.3B3BBD68 (vtable?)
0045EDB8  00000001 ; refcount ?
0045EDBC  010A9750 ; OFFSET ieframe.WebBrowser2Vtbl (set by QI)
0045EDC0  00000000
--- snip ---

The app decrements what looks like a reference count at 0x0045EDB8.
With the reference count gone to zero, the memory block is freed, which seems
wrong as it tries to access member data later (expecting the block to be still
alive).

Likely an aggregation issue which Wine doesn't do correctly here, similar class
as bug 29709 (refcount must be somehow incremented by QI).

The crash can be worked around by using 'winetricks -q ie8' and removing all
overrides except 'shdocvw'.
It's a rather invasive way though, polluting the whole prefix.
But even then, the MS Document Explorer is still not fully usable and prone to
crashes.

Component to fix would still be ieframe (WebBrowser -> shdocvw (old) vs.
ieframe (new)).

$ sha1sum WDKDocs_02222008.EXE 
e55c58c8d7a822d2e31f8054abfae724c6ea6923  WDKDocs_02222008.EXE

$ du -sh WDKDocs_02222008.EXE 
56M    WDKDocs_02222008.EXE

$ wine --version
wine-1.7.35-42-g9defaa5

Regards
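
A triage sketch for the trace above, added here as an example (it is not part of the original message or of Wine): it correlates RtlFreeHeap calls, ieframe Release traces that reach ref=0, and the register dump at the exception. The function name `triage` and the RtlAllocateHeap reuse handling are assumptions; the sample lines are copied from the quoted trace with the e-mail line wraps rejoined.

```python
import re

# Excerpt of the thread-002a trace quoted in the message above, with the
# e-mail line wraps rejoined. Values are copied from that trace.
TRACE = """\
002a:Call ntdll.RtlFreeHeap(00110000,00000000,0107b3f0) ret=7e8a05e8
002a:trace:ieframe:WebBrowser_Release (0x107dc98) ref=1
002a:trace:ieframe:WebBrowser_Release (0x107dc98) ref=0
002a:Call ntdll.RtlFreeHeap(00450000,00000000,00000000) ret=7ec9d1b2
002a:Call msvcr90.??3@YAXPAX@Z(0045e750) ret=3b6460ed
002a:Call ntdll.RtlFreeHeap(00450000,00000000,0045e750) ret=7ec9d1b2
002a:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7ec9d1b2
002a:trace:seh:raise_exception code=c0000005 flags=0 addr=0x45009b ip=0045009b tid=002a
002a:trace:seh:raise_exception  eax=00450088 ebx=3b211020 ecx=0033f71c edx=00450064 esi=0045e750 edi=00000001
002a:trace:seh:raise_exception  ebp=0033f78d esp=0033f6ec cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00210206
"""

FREE = re.compile(r"Call ntdll\.RtlFreeHeap\([0-9a-f]+,[0-9a-f]+,([0-9a-f]+)\)")
ALLOC = re.compile(r"Ret\s+ntdll\.RtlAllocateHeap\(\) retval=([0-9a-f]+)")  # assumed reuse line
ZERO = re.compile(r"trace:ieframe:\w+_Release \((0x[0-9a-f]+)\) ref=0\b")
CODE = re.compile(r"seh:raise_exception code=([0-9a-f]+)")
REG = re.compile(r"\b(e(?:[abcd]x|[sd]i|[sb]p))=([0-9a-f]{8})\b")

def triage(trace):
    """Correlate frees, refcount-zero releases and fault registers."""
    freed, zero_refs, dangling, code = set(), [], [], None
    for line in trace.splitlines():
        if m := FREE.search(line):
            if int(m[1], 16):                 # freeing NULL is a no-op
                freed.add(int(m[1], 16))
        elif m := ALLOC.search(line):
            freed.discard(int(m[1], 16))      # address reused: no longer stale
        elif m := ZERO.search(line):
            zero_refs.append(int(m[1], 16))
        elif "seh:raise_exception" in line:
            if m := CODE.search(line):
                code = int(m[1], 16)
            dangling += [(r, int(v, 16)) for r, v in REG.findall(line)
                         if int(v, 16) in freed]
    return {"code": code, "zero_refs": zero_refs, "dangling": dangling}

if __name__ == "__main__":
    result = triage(TRACE)
    print(f"exception {result['code']:#x}")
    for obj in result["zero_refs"]:
        print(f"object {obj:#x} released to ref=0 before the fault")
    for reg, ptr in result["dangling"]:
        print(f"{reg} = {ptr:#010x} points at a block already passed to RtlFreeHeap")
```

On the excerpt it reports esi holding 0x0045e750, the block handed to RtlFreeHeap immediately before the access violation. A register match is a lead to check in a debugger, not proof of the root cause.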
