[Bug 33031] Microsoft Windows Driver Development Kit 7.1.0 (Win7 DDK/WDK) installer fails: 'eula.exe' crashes on exit (COM apartment already initialized by RichEdit)
WineHQ Bugzilla
wine-bugs at winehq.org
Thu May 13 13:34:46 CDT 2021
https://bugs.winehq.org/show_bug.cgi?id=33031
Anastasius Focht <focht at gmx.net> changed:
What | Removed | Added
----------------------------------------------------------------------------
URL | https://www.microsoft.com/en-us/download/details.aspx?id=11800 | https://web.archive.org/web/20120503053053/https://download.microsoft.com/download/4/A/2/4A25C7D5-EFBE-4182-B6A9-AE6850409A78/GRMWDK_EN_7600_1.ISO
--- Comment #6 from Anastasius Focht <focht at gmx.net> ---
Hello folks,
the crash disappeared with
https://source.winehq.org/git/wine.git/commitdiff/cf9f185901f5f0718e6e59e3ad3545f4b497e622
("kernel32: GMEM_FIXED blocks cannot be 0 size.") ->
wine-1.9.18-101-gcf9f185901f but that's just by pure chance due to stack usage.
The original problem is still present.
Running with +relay or under a debugger still results in the same crash, even
with the most recent Wine.
Prerequisite without running the full installer: 'winetricks -q mfc42'
--- snip ---
Unhandled exception: page fault on read access to 0x00000084 in 32-bit code
(0x0100228d).
Register dump:
CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b
EIP:0100228d ESP:0021f714 EBP:0021f750 EFLAGS:00010206( R- -- I - -P- )
EAX:00010058 EBX:00275668 ECX:00000060 EDX:0021f73c
ESI:01001408 EDI:0021f74c
Stack dump:
0x0021f714: 00275668 00010058 fffffffc 00000000
0x0021f724: 0021f73c 00000001 0021fc48 0021fc48
0x0021f734: 01002346 00010058 608d3df8 4aa78128
0x0021f744: 5ef528a4 91722649 2f2db8aa 0021f7d8
0x0021f754: 0100236b 00275668 00010058 00000000
0x0021f764: 5f801c9c 0021fc48 0021fc48 0026cb48
Backtrace:
=>0 0x0100228d EntryPoint+0xffffffff() in eula (0x0021f750)
1 0x0100236b EntryPoint+0xffffffff() in eula (0x0021f7d8)
2 0x5f8019d1 EntryPoint+0xffffffff() in mfc42u (0x0021f7f8)
3 0x5f80195a EntryPoint+0xffffffff() in mfc42u (0x0021f858)
4 0x5f8018e2 EntryPoint+0xffffffff() in mfc42u (0x0021f874)
5 0x5f8018a1 EntryPoint+0xffffffff() in mfc42u (0x0021f8a0)
6 0x004b378c make_rect_onscreen+0xab() in user32 (0x0021f8d0)
--- snip ---
Although I've already analyzed the problem seven years ago, adding application
disassembly for further proof.
CoInitialize() via RichEdit control on main thread:
--- snip ---
0021F4A4 008E3449 009BB750 44 combase._CoInitializeEx@8
0021F4E8 7AC067E8 008E3449 20 ole32.OleInitialize+39
0021F508 7AC2ADA4 7AC067E8 30 riched20.ME_MakeEditor+538
0021F538 7AC28ED0 7AC2ADA4 9C riched20.create_text_services+94
0021F5D4 7AC29EC5 7AC28ED0 20 riched20.RichEditWndProc_common+1D0
0021F5F4 004B378C 7AC29EC5 30 riched20.RichEditWndProcW+35
0021F624 004B44A1 004B378C 28 user32._WINPROC_wrapper+1C
0021F64C 004B4678 004B44A1 38 user32.call_window_proc+71
0021F684 0047FB10 004B4678 58 user32.WINPROC_call_window+178
0021F6DC 0047A407 0047FB10 50 user32.call_window_proc+60
0021F72C 0047A632 0047A407 40 user32.send_message+E7
0021F76C 004A7E4B 0047A632 140 user32.SendMessageW+52
0021F8AC 004A905C 004A7E4B 4C user32.WIN_CreateWindowEx+172B
0021F8F8 00450E84 004A905C 2AC user32.CreateWindowExW+6C
0021FBA4 0044FF8E 00450E84 1C user32.DIALOG_CreateIndirect+EB4
0021FBC0 5F817B05 0044FF8E 68 user32.CreateDialogIndirectParamW+1E
0021FC28 5F80E5A2 5F817B05 44 mfc42u.5F817B05
0021FC6C 0100213D 5F80E5A2 244 mfc42u.5F80E5A2
0021FEB0 5F812566 0100213D A4 eula.0100213D
0021FF54 7B624920 5F812566 18 mfc42u.5F812566
0021FF6C 7BC48997 7B624920 C kernel32.@BaseThreadInitThunk@12+10
0021FF78 7BC48AF7 7BC48997 78 ntdll._call_thread_func_wrapper+17
0021FFF0 00000000 7BC48AF7 ntdll.call_thread_func+87
--- snip ---
Explicit CoInitialize() from app code on main thread:
--- snip ---
008CC7A0 009BB750 10 combase._CoInitializeEx@8
01002ABB 008CC7A0 74 ole32.CoInitialize+10
5F8055B2 01002ABB 34 eula.01002ABB
004B53A4 5F8055B2 2C mfc42u.5F8055B2
004B54B5 004B53A4 28 user32.call_dialog_proc+74
0044DCAA 004B54B5 28 user32.WINPROC_CallDlgProcW+A5
004B378C 0044DCAA 30 user32.DefDlgProcW+EA
004B44A1 004B378C 28 user32._WINPROC_wrapper+1C
004B5266 004B44A1 30 user32.call_window_proc+71
012F7CAF 004B5266 28 user32.CallWindowProcW+86
012F6697 012F7CAF 74 comctl32.THEMING_CallOriginalClass+2F
012F7D8A 012F6697 28 comctl32.THEMING_DialogSubclassProc+1A7
004B378C 012F7D8A 30 comctl32.subclass_proc0+8A
004B44A1 004B378C 28 user32._WINPROC_wrapper+1C
004B5266 004B44A1 30 user32.call_window_proc+71
5F801D93 004B5266 20 user32.CallWindowProcW+86
5F801DBD 5F801D93 A0 mfc42u.5F801D93
5F8019D1 5F801DBD 20 mfc42u.5F801DBD
5F80195A 5F8019D1 60 mfc42u.5F8019D1
5F8018E2 5F80195A 1C mfc42u.5F80195A
5F8018A1 5F8018E2 2C mfc42u.5F8018E2
004B378C 5F8018A1 30 mfc42u.5F8018A1
004B44A1 004B378C 28 user32._WINPROC_wrapper+1C
004B4678 004B44A1 38 user32.call_window_proc+71
0047FB10 004B4678 58 user32.WINPROC_call_window+178
0047A407 0047FB10 50 user32.call_window_proc+60
0047A632 0047A407 40 user32.send_message+E7
0045110C 0047A632 28C user32.SendMessageW+52
0044FF8E 0045110C 1C user32.DIALOG_CreateIndirect+113C
5F817B05 0044FF8E 68 user32.CreateDialogIndirectParamW+1E
5F80E5A2 5F817B05 44 mfc42u.5F817B05
0100213D 5F80E5A2 244 mfc42u.5F80E5A2
5F812566 0100213D A4 eula.0100213D
7B624920 5F812566 18 mfc42u.5F812566
7BC48997 7B624920 C kernel32.@BaseThreadInitThunk@12+10
7BC48AF7 7BC48997 78 ntdll._call_thread_func_wrapper+17
00000000 7BC48AF7 ntdll.call_thread_func+87
--- snip ---
--- snip ---
01002A9F | push 4C |
01002AA1 | mov eax,eula.10042A4 |
01002AA6 | call eula.100352D |
01002AAB | mov esi,ecx |
01002AAD | call <JMP.&Ordinal#4704> |
01002AB2 | xor ebx,ebx |
01002AB4 | push ebx |
01002AB5 | call dword ptr ds:[<&_CoInitialize@4>] |
01002ABB | push 1 |
01002ABD | push dword ptr ds:[esi+60] |
01002AC0 | mov ecx,esi |
01002AC2 | mov dword ptr ds:[esi+F0],eax | HRESULT = S_FALSE
01002AC8 | mov byte ptr ds:[esi+E8],bl |
01002ACE | call eula.10024DD |
--- snip ---
on stack (0x21FC80):
esi=0021FC80
dword ptr ds:[esi+F0]=[0021FD70]=2B002B (will become 1)
ebx=0021FC80
dword ptr ds:[ebx+EC]=[0021FD6C]=1 (will remain uninitialized)
App code that checks the COM apartment init status to initialize more COM
controls during dialog init:
--- snip ---
01002771 | mov edi,edi |
01002773 | push ebx |
01002774 | push esi |
01002775 | push edi |
01002776 | mov ebx,ecx |
01002778 | xor edi,edi |
0100277A | cmp dword ptr ds:[ebx+F0],edi | only S_OK is expected
01002780 | jne eula.1002A49 |
01002786 | lea esi,dword ptr ds:[ebx+EC] | code path skipped!
0100278C | push esi |
0100278D | push eula.10019FC |
01002792 | push 15 |
01002794 | push edi |
01002795 | push eula.1001A0C |
0100279A | mov dword ptr ds:[esi],edi |
0100279C | call dword ptr ds:[<&_CoCreateInstance@20>] |
010027A2 | test eax,eax |
010027A4 | jne eula.1002A49 |
...
01002A3E | movsd |
01002A3F | movsd |
01002A40 | movsd |
01002A41 | mov ecx,ebx |
01002A43 | movsd |
01002A44 | call eula.10023F7 |
01002A49 | pop edi |
01002A4A | pop esi |
01002A4B | pop ebx |
01002A4C | ret |
--- snip ---
Teardown code:
--- snip ---
01002346 | mov edi,edi |
01002348 | push esi |
01002349 | mov esi,ecx |
0100234B | cmp dword ptr ds:[esi+F0],0 | S_OK -> skip
01002352 | je eula.10023EA |
01002358 | mov eax,dword ptr ds:[esi+EC] | access of uninit var!
0100235E | test eax,eax |
01002360 | je eula.10023DD |
01002362 | push dword ptr ds:[esi+20] |
01002365 | push eax |
01002366 | call eula.1002255 | *boom* (within sub)
0100236B | push dword ptr ds:[esi+88] |
01002371 | push dword ptr ds:[esi+EC] |
01002377 | call eula.1002255 |
0100237C | push dword ptr ds:[esi+C8] |
01002382 | push dword ptr ds:[esi+EC] |
01002388 | call eula.1002255 |
0100238D | push dword ptr ds:[esi+114] |
01002393 | push dword ptr ds:[esi+EC] |
01002399 | call eula.1002255 |
0100239E | push dword ptr ds:[esi+154] |
010023A4 | push dword ptr ds:[esi+EC] |
010023AA | call eula.1002255 |
010023AF | push dword ptr ds:[esi+194] |
010023B5 | push dword ptr ds:[esi+EC] |
010023BB | call eula.1002255 |
010023C0 | push dword ptr ds:[esi+1D4] |
010023C6 | push dword ptr ds:[esi+EC] |
010023CC | call eula.1002255 |
010023D1 | mov eax,dword ptr ds:[esi+EC] |
010023D7 | mov ecx,dword ptr ds:[eax] |
010023D9 | push eax |
010023DA | call dword ptr ds:[ecx+8] |
010023DD | call dword ptr ds:[<&_CoUninitialize@0>] |
010023E3 | and dword ptr ds:[esi+EC],0 |
010023EA | mov ecx,esi |
010023EC | pop esi |
010023ED | jmp <JMP.&Ordinal#6451> |
--- snip ---
$ wine --version
wine-6.8-77-g0a50674c6aa
Regards
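The defect pattern the comment above documents, as an added example that is not part of the bug report, of Wine, or of the installer: a portable C model (no Windows headers) in which CoInitialize/CoUninitialize are replaced by hypothetical per-thread reference-count stand-ins (`model_CoInitialize`, `model_CoUninitialize`, `model_CoCreateInstance`, all assumed names), the installer's two fields become `init_hr` and `obj`, and the `UNSET_POINTER` sentinel stands in for a stack slot that was never written. `run_buggy` is a simplified model of the reported logic, not a transcription of the disassembly: it treats only S_OK as "COM is initialized", so when the apartment was already initialized by another component (RichEdit's OleInitialize on the main thread) the S_FALSE result skips object creation and teardown then reads the unset pointer. `run_fixed` shows the hardened form: clear the pointer up front, accept any SUCCEEDED() result, and balance CoUninitialize exactly once per successful CoInitialize.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-ins for the Windows definitions; the values match winerror.h. */
typedef long HRESULT;
#define S_OK          ((HRESULT)0L)
#define S_FALSE       ((HRESULT)1L)
#define SUCCEEDED(hr) (((HRESULT)(hr)) >= 0)

/* Hypothetical model of one thread's apartment (assumed names, not the real
 * API): the first CoInitialize returns S_OK, every later one returns S_FALSE,
 * and each success must be balanced by exactly one CoUninitialize. */
static int apartment_refs;

static HRESULT model_CoInitialize(void)
{
    return apartment_refs++ == 0 ? S_OK : S_FALSE;
}

static void model_CoUninitialize(void)
{
    if (apartment_refs > 0)
        apartment_refs--;
}

/* One fake COM object standing in for what CoCreateInstance would return. */
struct com_object { int released; };
static struct com_object the_object;

static struct com_object *model_CoCreateInstance(void)
{
    the_object.released = 0;
    return &the_object;
}

/* Constructed garbage value representing a stack slot that was never written. */
#define UNSET_POINTER ((struct com_object *)(size_t)0x2B002B)

enum outcome { CLEAN = 0, BAD_DEREF = 1, LEAKED_APARTMENT = 2 };

/* Mirrors the two fields the report's disassembly reads: the stored HRESULT
 * of CoInitialize and the pointer to the object created during dialog init. */
struct dialog {
    HRESULT init_hr;
    struct com_object *obj;
};

/* Buggy pattern: only S_OK counts as success, the pointer is never cleared,
 * and teardown trusts the same test. With the apartment initialized first by
 * another component, CoInitialize returns S_FALSE, obj stays unset, and the
 * teardown reads it anyway. */
static enum outcome run_buggy(int apartment_initialized_by_richedit)
{
    struct dialog d;
    int base_refs;

    apartment_refs = apartment_initialized_by_richedit ? 1 : 0;
    base_refs = apartment_refs;
    d.obj = UNSET_POINTER;                      /* simulates an uninitialized member */

    d.init_hr = model_CoInitialize();
    if (d.init_hr == S_OK)                      /* S_FALSE skips object creation */
        d.obj = model_CoCreateInstance();

    /* Teardown: reads obj regardless of whether init ever wrote it. */
    if (d.obj == UNSET_POINTER)
        return BAD_DEREF;                       /* the real code would fault here */
    if (d.obj)
        d.obj->released = 1;
    if (d.init_hr == S_OK)                      /* S_FALSE path never balances */
        model_CoUninitialize();
    return apartment_refs == base_refs ? CLEAN : LEAKED_APARTMENT;
}

/* Hardened pattern: initialize the pointer, accept any SUCCEEDED() result,
 * release before uninitializing, and balance CoUninitialize when and only
 * when CoInitialize succeeded (S_OK or S_FALSE). */
static enum outcome run_fixed(int apartment_initialized_by_richedit)
{
    struct dialog d = { S_OK, NULL };
    int base_refs;

    apartment_refs = apartment_initialized_by_richedit ? 1 : 0;
    base_refs = apartment_refs;

    d.init_hr = model_CoInitialize();
    if (SUCCEEDED(d.init_hr))                   /* S_OK and S_FALSE both mean usable */
        d.obj = model_CoCreateInstance();

    if (d.obj) {
        d.obj->released = 1;                    /* Release() before CoUninitialize() */
        d.obj = NULL;
    }
    if (SUCCEEDED(d.init_hr))
        model_CoUninitialize();
    return apartment_refs == base_refs ? CLEAN : LEAKED_APARTMENT;
}

int main(void)
{
    printf("buggy, apartment fresh:      %d\n", (int)run_buggy(0));
    printf("buggy, RichEdit went first:  %d\n", (int)run_buggy(1));
    printf("fixed, apartment fresh:      %d\n", (int)run_fixed(0));
    printf("fixed, RichEdit went first:  %d\n", (int)run_fixed(1));
    return 0;
}
```

The outcome codes are 0 for a clean run, 1 for a read of the never-written pointer (the crash in the report) and 2 for an unbalanced apartment count; only the buggy path with a pre-initialized apartment produces 1, which is exactly the Windows-versus-Wine difference the comment describes, since on Wine the RichEdit control initializes COM on the main thread before the application's own CoInitialize runs.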