[Bug 37842] PTC Mathcad Prime 3.0 (.NET 4.0 app) crashes when using copy paste or trying to calculate a result (OLE clipboard must take MTA into account)

wine-bugs at winehq.org wine-bugs at winehq.org
Sun Jan 4 15:39:47 CST 2015 

https://bugs.winehq.org/show_bug.cgi?id=37842

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |dotnet, download
             Status|UNCONFIRMED                 |NEW
                URL|                            |http://free-dl.ptc.com/inst
                   |                            |all/pim_installmgr_mathcad.
                   |                            |exe
                 CC|                            |focht at gmx.net
          Component|-unknown                    |ole32
            Summary|Mathcad Prime 3.0 crashes   |PTC Mathcad Prime 3.0 (.NET
                   |when trying to calculate a  |4.0 app) crashes when using
                   |result                      |copy paste or trying to
                   |                            |calculate a result (OLE
                   |                            |clipboard must take MTA
                   |                            |into account)
     Ever confirmed|0                           |1

--- Comment #1 from Anastasius Focht <focht at gmx.net> ---
Hello folks,

confirming.

Managed backtraces:

--- snip ---
...
Unhandled Exception: System.AccessViolationException: Attempted to read or
write protected memory. This is often an indication that other memory is
corrupt.
   at MS.Win32.UnsafeNativeMethods.OleGetClipboard(IDataObject& data)
   at System.Windows.OleServicesContext.OleGetClipboard(IDataObject&
dataObject)
   at System.Windows.Clipboard.GetDataObjectInternal()
   at System.Windows.Clipboard.GetDataInternal(String format)
   at System.Windows.Clipboard.GetText(TextDataFormat format)
   at Ptc.WpfClipboard.GetText()
   at Ptc.EquationEditor.Equation.EquationModel.l()
   at Ptc.EquationEditor.Equation.EquationModel.ac.v()
   at a1.v()
   at Ptc.EquationEditor.Equation.EquationModel.CanPaste(Boolean& canPaste)
   at Ptc.Controls.Internal.VisualMathRegionNode.FireCanPaste(Object sender,
CanExecuteRoutedEventArgs e)
...
   at DevComponents.WpfRibbon.ButtonDropDown.UpdateCanExecute()
...
   at System.Windows.Application.RunDispatcher(Object ignore)
   at System.Windows.Application.RunInternal(Window window)
   at System.Windows.Application.Run(Window window)
   at Spirit.App.Main()


Unhandled Exception: System.AccessViolationException: Attempted to read or
write protected memory. This is often an indication that other memory is
corrupt.
   at MS.Win32.UnsafeNativeMethods.OleGetClipboard(IDataObject& data)
   at System.Windows.OleServicesContext.OleGetClipboard(IDataObject&
dataObject)
   at System.Windows.Clipboard.GetDataObjectInternal()
   at System.Windows.Documents.TextEditorCopyPaste.OnQueryStatusPaste(Object
target, CanExecuteRoutedEventArgs args)
   at System.Windows.Input.CommandBinding.OnCanExecute(Object sender,
CanExecuteRoutedEventArgs e)
   at
System.Windows.Input.CommandManager.FindCommandBinding(CommandBindingCollection
commandBindings, Object sender, RoutedEventArgs e, ICommand command, Boolean
execute)
   at System.Windows.Input.CommandManager.FindCommandBinding(Object sender,
RoutedEventArgs e, ICommand command, Boolean execute)
   at System.Windows.Input.CommandManager.OnCanExecute(Object sender,
CanExecuteRoutedEventArgs e)
...
--- snip ---

Trace log:

--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files/PTC/Mathcad Prime 3.0

$ WINEDEBUG=+tid,+seh,+relay,+ole,+variant,+clipboard wine ./MathcadPrime.exe
>>log.txt 2>&1
...
002a:Call ole32.OleGetClipboard(0033e104) ret=057bfd89
002a:trace:ole:OleGetClipboard (0x33e104)
002a:Call user32.GetClipboardSequenceNumber() ret=f6d1450a
002a:trace:clipboard:GetClipboardSequenceNumber returning 7
002a:Ret  user32.GetClipboardSequenceNumber() retval=00000007 ret=f6d1450a
002a:Call ntdll.RtlAllocateHeap(00110000,00000000,00000010) ret=f6d132e5
002a:Ret  ntdll.RtlAllocateHeap() retval=076ba090 ret=f6d132e5
002a:trace:ole:snapshot_AddRef (0x76ba090)->(count=0)
002a:Ret  ole32.OleGetClipboard() retval=00000000 ret=057bfd89
002a:trace:ole:snapshot_QueryInterface
(0x76ba090)->(IID:{00000000-0000-0000-c000-000000000046}, 0x33dba0)
002a:trace:ole:snapshot_AddRef (0x76ba090)->(count=1) 
...
002a:trace:ole:snapshot_Release (0x76ba090)->(count=3)
...
002a:trace:ole:snapshot_GetData (0x76ba090, 0x33e09c {cf 000d ptd (nil) aspect
1 lindex -1 tymed 1}, 0x33e014)
002a:Call user32.OpenClipboard(00000000) ret=f6d126af
002a:trace:clipboard:OpenClipboard ((nil))
...
002a:trace:clipboard:OpenClipboard  returning 1
002a:Ret  user32.OpenClipboard() retval=00000001 ret=f6d126af
...
002a:Call ole32.OleGetClipboard(0033e104) ret=057bfd89
002a:trace:ole:OleGetClipboard (0x33e104)
002a:Call user32.GetClipboardSequenceNumber() ret=f6d1450a
002a:trace:clipboard:GetClipboardSequenceNumber returning 7
002a:Ret  user32.GetClipboardSequenceNumber() retval=00000007 ret=f6d1450a
002a:trace:seh:raise_exception code=c0000005 flags=0 addr=0x76ba090 ip=076ba090
tid=002a
002a:trace:seh:raise_exception  info[0]=00000008
002a:trace:seh:raise_exception  info[1]=076ba090
002a:trace:seh:raise_exception  eax=076ba090 ebx=f6e42000 ecx=00000000
edx=076ba090 esi=0033e090 edi=0033e094
002a:trace:seh:raise_exception  ebp=0033e078 esp=0033e00c cs=0023 ds=002b
es=002b fs=0063 gs=006b flags=00210206
002a:trace:seh:call_vectored_handlers calling handler at 0x791f5a7c
code=c0000005 flags=0
002a:Call KERNEL32.GetLastError() ret=791f5aa7
002a:Ret  KERNEL32.GetLastError() retval=00000000 ret=791f5aa7
002a:trace:seh:call_vectored_handlers handler at 0x791f5a7c returned 0 
--- snip ---

Best to reproduce by just pasting external text data into the workspace of the
app.

At the point of the crash the latest snapshot object is not longer an
'IDataObject' (vtable no longer valid).
The sequence member incidentally matches hence the code tries to return the
current snapshot without generating a new one.
Either the dereferencing of vtable (what ought to be 'IDataObject') or the
following 'IDataObject->AddRef' causes the crash.

I initially made the mistake of filtering the huge relay log per thread because
there is lots of interleaving/parallel code executions on multiple threads
(with inter-thread sync), making the API call flow very hard to follow.

This usually works well - but in this case the habit hides the culprit.
The clipboard/OLE functionality is managed across different threads.

Another log, now filtered for the 'IDataObject' instance in question, with
additional custom trace message added:

--- snip ---
...
002c:Ret  ntdll.RtlAllocateHeap() retval=07953428 ret=f6d5b2e5
002c:trace:ole:OleGetClipboard *** creating latest_snapshot: seq_no=13,
ptr=0x7953428
002c:trace:ole:snapshot_AddRef (0x7953428)->(count=0)
002c:trace:ole:OleGetClipboard *** returning: seq_no=13, *obj=0x7953428
002c:trace:ole:snapshot_QueryInterface
(0x7953428)->(IID:{00000000-0000-0000-c000-000000000046}, 0x33dcac)
002c:trace:ole:snapshot_AddRef (0x7953428)->(count=1)
002c:trace:ole:snapshot_QueryInterface
(0x7953428)->(IID:{c3fcc19e-a970-11d2-8b5a-00a0c9b7c9c4}, 0x33dc28)
002c:trace:ole:snapshot_QueryInterface
(0x7953428)->(IID:{b196b283-bab4-101a-b69c-00aa00341d07}, 0x33db04)
002c:trace:ole:snapshot_AddRef (0x7953428)->(count=2)
002c:trace:ole:snapshot_QueryInterface
(0x7953428)->(IID:{00000003-0000-0000-c000-000000000046}, 0x33da4c)
002c:trace:ole:snapshot_AddRef (0x7953428)->(count=3)
002c:trace:ole:snapshot_QueryInterface
(0x7953428)->(IID:{00000144-0000-0000-c000-000000000046}, 0x33db10)
002c:trace:ole:snapshot_Release (0x7953428)->(count=4)
002c:trace:ole:snapshot_Release (0x7953428)->(count=3)
002c:trace:ole:snapshot_AddRef (0x7953428)->(count=2)
002c:trace:ole:snapshot_QueryInterface
(0x7953428)->(IID:{0000010e-0000-0000-c000-000000000046}, 0x33df10)
002c:trace:ole:snapshot_AddRef (0x7953428)->(count=3)
002c:trace:ole:snapshot_Release (0x7953428)->(count=4)
002c:trace:ole:snapshot_Release (0x7953428)->(count=3)
002c:trace:ole:snapshot_Release (0x7953428)->(count=2)
002c:trace:ole:snapshot_AddRef (0x7953428)->(count=1)
002c:trace:ole:snapshot_QueryInterface
(0x7953428)->(IID:{fe4ff803-496e-3a49-af00-13b2cc182476}, 0x33dfdc)
002c:trace:ole:snapshot_Release (0x7953428)->(count=2)
002c:trace:ole:snapshot_AddRef (0x7953428)->(count=1)
002c:trace:ole:snapshot_QueryInterface
(0x7953428)->(IID:{0000010e-0000-0000-c000-000000000046}, 0x33df68)
002c:trace:ole:snapshot_AddRef (0x7953428)->(count=2)
002c:trace:ole:snapshot_Release (0x7953428)->(count=3)
002c:trace:ole:snapshot_AddRef (0x7953428)->(count=2)
002c:fixme:ole:snapshot_QueryGetData (0x7953428, 0x33e1a8 {cf c066 ptd (nil)
aspect 1 lindex -1 tymed 75})
002c:trace:ole:snapshot_Release (0x7953428)->(count=3)
002c:fixme:ole:snapshot_QueryGetData (0x7953428, 0x33e1c4 {cf c074 ptd (nil)
aspect 1 lindex -1 tymed 75})
002c:fixme:ole:snapshot_QueryGetData (0x7953428, 0x33e1c4 {cf c065 ptd (nil)
aspect 1 lindex -1 tymed 75})
002c:fixme:ole:snapshot_QueryGetData (0x7953428, 0x33e1c4 {cf c008 ptd (nil)
aspect 1 lindex -1 tymed 75})
002c:fixme:ole:snapshot_QueryGetData (0x7953428, 0x33e1c4 {cf 000d ptd (nil)
aspect 1 lindex -1 tymed 75})
002c:trace:ole:OleGetClipboard *** clipbrd=0x712e9a0,
clipbrd->latest_snapshot=0x7953428
002c:trace:ole:snapshot_AddRef (0x7953428)->(count=2)
002c:trace:ole:OleGetClipboard *** returning: seq_no=13, *obj=0x7953428
002c:trace:ole:snapshot_QueryInterface
(0x7953428)->(IID:{00000000-0000-0000-c000-000000000046}, 0x33dcac)
002c:trace:ole:snapshot_AddRef (0x7953428)->(count=3)
002c:trace:ole:snapshot_Release (0x7953428)->(count=4)
002c:trace:ole:snapshot_AddRef (0x7953428)->(count=3)
002c:trace:ole:snapshot_Release (0x7953428)->(count=4)
002c:trace:ole:snapshot_Release (0x7953428)->(count=3)
002c:trace:ole:snapshot_AddRef (0x7953428)->(count=2)
002c:trace:ole:snapshot_QueryInterface
(0x7953428)->(IID:{fe4ff803-496e-3a49-af00-13b2cc182476}, 0x33dfdc)
002c:trace:ole:snapshot_Release (0x7953428)->(count=3)
002c:fixme:ole:snapshot_QueryGetData (0x7953428, 0x33e1a8 {cf c066 ptd (nil)
aspect 1 lindex -1 tymed 75})
002c:fixme:ole:snapshot_QueryGetData (0x7953428, 0x33e1c4 {cf c074 ptd (nil)
aspect 1 lindex -1 tymed 75})
002c:fixme:ole:snapshot_QueryGetData (0x7953428, 0x33e1c4 {cf c065 ptd (nil)
aspect 1 lindex -1 tymed 75})
002c:fixme:ole:snapshot_QueryGetData (0x7953428, 0x33e1c4 {cf c008 ptd (nil)
aspect 1 lindex -1 tymed 75})
002c:fixme:ole:snapshot_QueryGetData (0x7953428, 0x33e1c4 {cf 000d ptd (nil)
aspect 1 lindex -1 tymed 75})
0040:trace:ole:snapshot_Release (0x7953428)->(count=2)
0040:trace:ole:snapshot_Release (0x7953428)->(count=1)
0040:Call ntdll.RtlFreeHeap(00110000,00000000,07953428) ret=f6d59bba
0043:Ret  ntdll.RtlAllocateHeap() retval=07953428 ret=550013f7
...
0043:Ret  ntdll.RtlAllocateHeap() retval=07953428 ret=550013f7
0043:Call ntdll.RtlFreeHeap(00110000,00000000,07953428) ret=55003bde
002c:trace:ole:OleGetClipboard *** clipbrd=0x712e9a0,
clipbrd->latest_snapshot=0x7953428
--- snip ---

What is happens is that 'IDataObject' instances are channelled across .NET
threads and finally released after use - but not from the originating thread.

http://source.winehq.org/git/wine.git/blob/ec8602a8125bd3838948d32747217ed794ae4068:/dlls/ole32/clipboard.c#l1031

--- snip ---
1031 static ULONG WINAPI snapshot_Release(IDataObject *iface)
1032 {
1033     snapshot *This = impl_from_IDataObject(iface);
1034     ULONG ref;
1035
1036     TRACE("(%p)->(count=%u)\n", This, This->ref);
1037
1038     ref = InterlockedDecrement(&This->ref);
1039
1040     if (ref == 0)
1041     {
1042         ole_clipbrd *clipbrd;
1043         HRESULT hr = get_ole_clipbrd(&clipbrd);
1044
1045         if(This->data) IDataObject_Release(This->data);
1046
1047         if(SUCCEEDED(hr) && clipbrd->latest_snapshot == This)
1048             clipbrd->latest_snapshot = NULL;
1049         HeapFree(GetProcessHeap(), 0, This);
1050     }
1051
1052     return ref;
1053 }
--- snip ---

Source:
http://source.winehq.org/git/wine.git/blob/ec8602a8125bd3838948d32747217ed794ae4068:/dlls/ole32/clipboard.c#l180

--- snip ---
180 static inline HRESULT get_ole_clipbrd(ole_clipbrd **clipbrd)
181 {
182     struct oletls *info = COM_CurrentInfo();
183     *clipbrd = NULL;
184
185     if(!info->ole_inits)
186         return CO_E_NOTINITIALIZED;
187     *clipbrd = theOleClipboard;
188
189     return S_OK;
190 }
--- snip ---

This code won't work if the calling (secondary) thread is in an MTA.

Wine's static 'clipbrd->latest_snapshot' instance which holds the latest
(active) snapshot is never reset while the heap block, formerly an
'IDataObject' gets reused several times for multiple things, leading to later
crash.

I tested a small fix, taking MTA into account and it prevents the crash.
It might fix other OLE clipboard related bugs that exhibit a crash, too.

$ sha1sum pim_installmgr_mathcad.exe 
d05daf8d3ab70ad10da076bce28411ee7d643a58  pim_installmgr_mathcad.exe

$ du -sh pim_installmgr_mathcad.exe 
18M    pim_installmgr_mathcad.exe

$ wine --version
wine-1.7.33-117-g6bab173

Regards

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.

More information about the wine-bugs mailing list