We have an application which uses, somewhat extensively, the embedded web browser control as a mechanism to display HTML-formatted reports. We embed the control via COM into a native window, and we can communicate in via COM, and out (from JavaScript) via the window.external object. Because of the interaction, viewing pages in an external browser is not sufficient.
For added complexity, our application can run stand-alone, or as a plugin in AutoCAD.
KB2962872 and now KB2976627 both break our application's HTML windows when run inside a version of AutoCAD prior to 2015. In standalone mode, we are fine.
The crashes are very reproducible with a stack trace that shows that the crash location is not directly in our code. With KB2976627 installed, we have a very reproducible case where our application will crash when the window is being CLOSED. The stack trace shows that it is inside something called CMemoryProtector::MarkBlocks().
mshtml.dll!MemoryProtection::CMemoryProtector::MarkBlocks(void *) Unknown
mshtml.dll!MemoryProtection::CMemoryProtector::ReclaimMemory(unsigned __int64) Unknown
mshtml.dll!MemoryProtection::HeapFree(void *,unsigned long,void *) Unknown
mshtml.dll!_MemIsolatedFree<class CTextArea>(void *) Unknown
mshtml.dll!CLegendElement::`vector deleting destructor'(unsigned int) Unknown
mshtml.dll!CBase::SubRelease(void) Unknown
mshtml.dll!CTableRowLayout::ClearRowLayoutCache(void) Unknown
mshtml.dll!CTableRowLayout::~CTableRowLayout(void) Unknown
mshtml.dll!CTableRowLayout::`vector deleting destructor'(unsigned int) Unknown
mshtml.dll!CLayout::Release(void) Unknown
mshtml.dll!CElement::Passivate(void) Unknown
mshtml.dll!CBase::PrivateRelease(void) Unknown
mshtml.dll!CElement::PrivateExitTree(class CMarkup *) Unknown
mshtml.dll!CMarkup::DestroySplayTree(int,int) Unknown
mshtml.dll!CMarkup::UnloadContents(int,int) Unknown
mshtml.dll!CMarkup::TearDownMarkupHelper(int,int) Unknown
mshtml.dll!CMarkup::TearDownMarkup(int,int) Unknown
mshtml.dll!CDoc::UnloadContents(int,int) Unknown
mshtml.dll!CDoc::Passivate(void) Unknown
mshtml.dll!CBase::PrivateRelease(void) Unknown
mshtml.dll!PlainEmbeddedDocRelease(struct TEAROFF_THUNK *) Unknown
ieframe.dll!CFindEngine::DisconnectDocument(void) Unknown
ieframe.dll!CFindInTrident::SetSite(struct IUnknown *) Unknown
ieframe.dll!CDocObjectHost::DestroyHostWindow(void) Unknown
ieframe.dll!CDocObjectView::DestroyViewWindow(void) Unknown
ieframe.dll!CBaseBrowser2::v_ReleaseShellView(void) Unknown
ieframe.dll!CBaseBrowser2::v_OnDestroy(void) Unknown
ieframe.dll!CBaseBrowser2::v_WndProc(struct HWND__ *,unsigned int,unsigned __int64,__int64) Unknown
ieframe.dll!CWebBrowserSB::v_WndProc(struct HWND__ *,unsigned int,unsigned __int64,__int64) Unknown
ieframe.dll!CWebBrowserOC::v_WndProc(struct HWND__ *,unsigned int,unsigned __int64,__int64) Unknown
ieframe.dll!CImpWndProc::s_WndProc(struct HWND__ *,unsigned int,unsigned __int64,__int64) Unknown
user32.dll!UserCallWinProcCheckWow() Unknown
user32.dll!DispatchClientMessage() Unknown
user32.dll!__fnDWORD() Unknown
ntdll.dll!KiUserCallbackDispatcherContinue() Unknown
user32.dll!ZwUserDestroyWindow() Unknown
ieframe.dll!CShellEmbedding::_OnSetClientSite(void) Unknown
ieframe.dll!CWebBrowserOC::_OnSetClientSite(void) Unknown
ieframe.dll!CShellEmbedding::SetClientSite(struct IOleClientSite *) Unknown
> gw32pck3.dll!ActiveXContainer::Shutdown() Line 161 C++
In the debugger, we see:
if (ioleobject) {
    ioleobject->SetClientSite(NULL);
=>  ioleobject->Close(OLECLOSE_NOSAVE);
    ioleobject = 0;
}
Interestingly, it is in the call to SetClientSite() that we are failing.
if (ioleobject) {
0000000037FF0723 mov rcx,qword ptr [this]
0000000037FF0728 add rcx,30h
0000000037FF072C call _com_ptr_t<_com_IIID<IOleObject,&_GUID_00000112_0000_0000_c000_000000000046> >::operator bool (037FC18C0h)
0000000037FF0731 movzx eax,al
0000000037FF0734 test eax,eax
0000000037FF0736 je ActiveXContainer::Shutdown+95h (037FF0795h)
ioleobject->SetClientSite(NULL);
0000000037FF0738 mov rcx,qword ptr [this]
0000000037FF073D add rcx,30h
0000000037FF0741 call _com_ptr_t<_com_IIID<IOleObject,&_GUID_00000112_0000_0000_c000_000000000046> >::operator-> (037FC1870h)
0000000037FF0746 mov qword ptr [rsp+20h],rax
0000000037FF074B mov rax,qword ptr [rsp+20h]
0000000037FF0750 mov rax,qword ptr [rax]
0000000037FF0753 xor edx,edx
0000000037FF0755 mov rcx,qword ptr [rsp+20h]
0000000037FF075A call qword ptr [rax+18h]
ioleobject->Close(OLECLOSE_NOSAVE);
=> 0000000037FF075D mov rcx,qword ptr [this]
0000000037FF0762 add rcx,30h
0000000037FF0766 call _com_ptr_t<_com_IIID<IOleObject,&_GUID_00000112_0000_0000_c000_000000000046> >::operator-> (037FC1870h)
0000000037FF076B mov qword ptr [rsp+28h],rax
0000000037FF0770 mov rax,qword ptr [rsp+28h]
0000000037FF0775 mov rax,qword ptr [rax]
0000000037FF0778 mov edx,1
0000000037FF077D mov rcx,qword ptr [rsp+28h]
0000000037FF0782 call qword ptr [rax+30h]
ioleobject = 0;
0000000037FF0785 mov rcx,qword ptr [this]
0000000037FF078A add rcx,30h
0000000037FF078E xor edx,edx
0000000037FF0790 call _com_ptr_t<_com_IIID<IOleObject,&_GUID_00000112_0000_0000_c000_000000000046> >::operator= (037FC1780h)
}
As I said earlier, this only crashes when used as a plugin inside AutoCAD < 2015. We are aware that Autodesk changed the threading model at 2015 and can only assume that the crash is happening because of a combination of threading / COM apartment model, etc. used in the earlier releases. We don't have the luxury of insisting that our customers upgrade AutoCAD just to run our application.
In our standalone mode, we are not multithreaded and we initialise COM with CoInitialize(NULL); we have no control over these when we are running as a plugin; however, we know that AutoCAD is a threaded application.
The problem occurs across pretty much all versions of Internet Explorer (we have a mix), though I'm not sure why that is relevant; it's MSHTML.DLL that is causing the problem, not the IEXPLORE.EXE that you might load it with.
I note that Flexera Software have also experienced issues with their InstallShield product, and have proposed a workaround, but at this point their workaround is to disable features of their product; that is not viable for us.
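A triage helper for call stacks in the format pasted above, as an added example that is not part of the original post: it parses Visual Studio call-stack text, reports whether the top frame is inside mshtml's MemoryProtection code, and finds the last call the application's own module made into system DLLs. The SYSTEM_MODULES set and all function names are assumptions; the sample is an abbreviated copy of frames from the trace above.

```python
import re

# One line of a Visual Studio call stack copied as text:
#   [> ]module.dll!Symbol(args) [Line N] Language
FRAME = re.compile(r"^(?:>\s*)?(?P<module>[\w.]+)!(?P<symbol>.+?)\s+"
                   r"(?:Line (?P<line>\d+)\s+)?(?:Unknown|C\+\+|C)$")

# Assumption: modules treated as "not our code" (the ones in the trace above).
SYSTEM_MODULES = {"mshtml.dll", "ieframe.dll", "user32.dll", "ntdll.dll"}

# Abbreviated copy of the trace above, innermost frame first.
SAMPLE = """\
mshtml.dll!MemoryProtection::CMemoryProtector::MarkBlocks(void *) Unknown
mshtml.dll!MemoryProtection::CMemoryProtector::ReclaimMemory(unsigned __int64) Unknown
mshtml.dll!MemoryProtection::HeapFree(void *,unsigned long,void *) Unknown
ieframe.dll!CBaseBrowser2::v_OnDestroy(void) Unknown
user32.dll!ZwUserDestroyWindow() Unknown
ieframe.dll!CShellEmbedding::SetClientSite(struct IOleClientSite *) Unknown
> gw32pck3.dll!ActiveXContainer::Shutdown() Line 161 C++
"""

def parse_stack(text):
    """Return frames (innermost first); lines that are not frames are skipped."""
    frames = []
    for raw in text.splitlines():
        m = FRAME.match(raw.strip())
        if m:
            frames.append({"module": m["module"].lower(), "symbol": m["symbol"],
                           "line": int(m["line"]) if m["line"] else None})
    return frames

def triage(frames, system_modules=SYSTEM_MODULES):
    """Summarise where the fault is and where our code handed off to the system."""
    if not frames:
        return None
    top = frames[0]
    idx = next((i for i, f in enumerate(frames)
                if f["module"] not in system_modules), None)
    own = frames[idx] if idx is not None else None
    entry = frames[idx - 1] if idx else None  # system call made by our frame
    return {
        "bucket": f'{top["module"]}!{top["symbol"].split("(")[0]}',
        "in_memory_protection": top["symbol"].startswith("MemoryProtection::"),
        "own_module": own["module"] if own else None,
        "own_line": own["line"] if own else None,
        "entry_call": entry["symbol"] if entry else None,
    }

if __name__ == "__main__":
    print(triage(parse_stack(SAMPLE)))
```

Running it over stacks collected from standalone and AutoCAD-hosted sessions gives a bucket string to group reports by, independent of which customer machine produced them.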