0 Replies Latest reply on Sep 19, 2014 8:37 AM by JayRandom

    Acrobat Reader and Pro crash when UIA or MSAA is being collected

    JayRandom

      Hello,


      Internet Explorer crashes when using UIA and MSAA with Adobe Acrobat XI Pro and regular Reader inside of Internet Explorer 9 through 11.

      I was also able to reproduce it with regular Adobe Reader, although it took a bit longer, and in regular Reader the default is to enable protected mode, which seems to resolve it.

      It should be noted that some enterprise users cannot work with Reader when protected mode is ON, so enabling it is not always a solution.

      I can supply videos, dumps (both from me and others) and VMs for testing (please PM me for details).


      UIA - crash

      1. Download https://mega.co.nz/#!2ptBwQIJ!OHF7a5aaotYgQi0xnXjdDZ1OfkkqxdQa0WI9CerzWQE and place it somewhere locally. The PDF has both an editable form and is accessible (we could reproduce it without it, but it takes a bit more time).
      2. Start Internet Explorer.
      3. Start the Inspect tool that comes with the Windows SDK; make sure it is using UIA and is following the mouse.
      4. Open the PDF (drag and drop).
      5. Play with it a bit; it should crash.

      You can see a short GIF showing the crash here: https://mega.co.nz/#!WocETABR!gb9_SYvOTCaIMHjeJakPqr3MNi1lyja1amcUzASiKzU

      MSAA crash - with regular Reader

      1. Go to: https://github.com/boostcon/cppnow_presentations_2014/raw/master/files/ConceptClang.pdf
      2. Download it locally (not sure if needed, but it worked for me).
      3. Start Inspect; make sure you are using MSAA and have focus tracking and mouse tracking on.
      4. Open it with IE (protected mode off).
      5. When the tagged dialog pops up, select the default settings and click “Start”.
      6. Play with the document (scroll down and up while pressing space).
      7. Crash.

      See:

      Movie (GIF): https://mega.co.nz/#!2k82BJQZ!ve8uuAL4i2kCrDPhcxNCRhEQQm8god36Wc36Aux6wUI

      The Inspect tool is part of the Windows SDK (either 7.1 or 8).

      1. 7.1: http://www.microsoft.com/en-us/download/details.aspx?id=8279

      There are all kinds of crash stacks; some examples:

      0:029> .ecxr
      *** WARNING: Unable to verify checksum for Accessibility.api
      *** ERROR: Symbol file could not be found.  Defaulted to export symbols for Accessibility.api -
      eax=0c6b1750 ebx=0c759078 ecx=0c6b1050 edx=00000000 esi=0c70eda0 edi=00000000
      eip=0000ffff esp=0b14ddc8 ebp=0b14dddc iopl=0         nv up ei pl nz na pe nc
      cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
      0000ffff ??              ???
      0:029> k
        *** Stack trace for last set context - .thread/.cxr resets it
      ChildEBP RetAddr 
      WARNING: Frame IP not in any known module. Following frames may be wrong.
      0b14ddc4 6ac0b4b3 0xffff
      *** ERROR: Symbol file could not be found.  Defaulted to export symbols for oleacc.dll -
      0b14dddc 742956f8 Accessibility!PlugInMain+0x29e2b
      0b14de04 742952ce oleacc!ObjectFromLresult+0x2eb
      *** ERROR: Symbol file could not be found.  Defaulted to export symbols for uiautomationcore.dll -
      0b14de3c 691f70b9 oleacc!DllCanUnloadNow+0x3a8
      0b14de6c 691b6d25 uiautomationcore!UiaNodeFromFocus+0x22e84
      0b14de98 691b2bc5 uiautomationcore!UiaLookupId+0x38a
      0b14debc 691b2bf2 uiautomationcore!UiaReturnRawElementProvider+0x7cc
      0b14dedc 691b9ceb uiautomationcore!UiaReturnRawElementProvider+0x7f9
      0b14df50 691b9997 uiautomationcore!UiaGetPropertyValue+0x5d1
      0b14df88 691ba127 uiautomationcore!UiaGetPropertyValue+0x27d
      0b14dfe0 691ecd44 uiautomationcore!UiaHUiaNodeFromVariant+0x3f8
      0b14e020 691ed562 uiautomationcore!UiaNodeFromFocus+0x18b0f
      0b14e03c 691e7b4b uiautomationcore!UiaNodeFromFocus+0x1932d
      0b14e05c 691e27e2 uiautomationcore!UiaNodeFromFocus+0x13916
      0b14e068 691e7b94 uiautomationcore!UiaNodeFromFocus+0xe5ad
      0b14e094 691e8aac uiautomationcore!UiaNodeFromFocus+0x1395f
      0b14e0d8 691e9b47 uiautomationcore!UiaNodeFromFocus+0x14877
      0b14f13c 691fdbc9 uiautomationcore!UiaNodeFromFocus+0x15912
      0b14f21c 691fe2a0 uiautomationcore!UiaNodeFromFocus+0x29994
      0b14f234 691cfefc uiautomationcore!UiaNodeFromFocus+0x2a06b
      *** ERROR: Symbol file could not be found.  Defaulted to export symbols for user32.dll -
      0b14f254 76716381 uiautomationcore!DllGetClassObject+0xd551
      0b14f270 7674c21f user32!CallNextHookEx+0xfc
      0b14f2a4 76706e44 user32!GetRawInputDeviceInfoW+0x76
      0b14f2e0 770e010a user32!GetThreadDesktop+0x1e1
      *** ERROR: Symbol file could not be found.  Defaulted to export symbols for Acrobat.dll -
      0b14f334 6cbb8d95 ntdll!KiUserCallbackDispatcher+0x2e
      0b14f3b4 6cbb8c3c Acrobat!DllCanUnloadNow+0x20a91
      0b14f3ec 6cb44fab Acrobat!DllCanUnloadNow+0x20938
      0b14f460 6cb45167 Acrobat!AcroWinMain+0x470
      *** ERROR: Symbol file could not be found.  Defaulted to export symbols for AcroPDF.dll -
      0b14f478 7188b29c Acrobat!AcroWinBrowserMain+0x16
      *** ERROR: Symbol file could not be found.  Defaulted to export symbols for ieframe.dll -
      0b14fc10 734b0293 AcroPDF!DllGetClassObject+0x965a
      0b14fc28 757833aa ieframe!Ordinal224+0x62be
      0b14fc34 77109ef2 kernel32!BaseThreadInitThunk+0x12
      0b14fc74 77109ec5 ntdll!RtlInitializeExceptionChain+0x63
      0b14fc8c 00000000 ntdll!RtlInitializeExceptionChain+0x36

      Another one:

      0:027> .ecxr
      *** WARNING: Unable to verify checksum for Accessibility.api
      *** ERROR: Symbol file could not be found.  Defaulted to export symbols for Accessibility.api -
      eax=66915724 ebx=0bd432e0 ecx=0b6ec5c8 edx=00000000 esi=0c2cdd68 edi=0b1aefc8
      eip=61682074 esp=0b1aed5c ebp=0b1aed70 iopl=0         nv up ei pl nz na po nc
      cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
      61682074 ??              ???
      0:027> k
        *** Stack trace for last set context - .thread/.cxr resets it
      ChildEBP RetAddr 
      WARNING: Frame IP not in any known module. Following frames may be wrong.
      0b1aed58 5b86da53 0x61682074
      0b1aed70 76250459 Accessibility!PlugInMain+0x2c3cb
      0b1aed9c 762b6311 rpcrt4!Invoke+0x2a
      0b1af1a4 7640aec1 rpcrt4!NdrStubCall2+0x2d6
      0b1af1ec 76abffd3 ole32!CStdStubBuffer_Invoke+0x3c [d:\w7rtm\com\rpc\ndrole\stub.cxx @ 1507]
      0b1af210 7640d876 oleaut32!CUnivStubWrapper::Invoke+0xcb
      0b1af258 7640ddd0 ole32!SyncStubInvoke+0x3c [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 1187]
      0b1af2a4 76328a43 ole32!StubInvoke+0xb9 [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 1396]
      0b1af380 76328938 ole32!CCtxComChnl::ContextInvoke+0xfa [d:\w7rtm\com\ole32\com\dcomrem\ctxchnl.cxx @ 1262]
      0b1af39c 7632950a ole32!MTAInvoke+0x1a [d:\w7rtm\com\ole32\com\dcomrem\callctrl.cxx @ 2105]
      0b1af3c8 7640dccd ole32!STAInvoke+0x46 [d:\w7rtm\com\ole32\com\dcomrem\callctrl.cxx @ 1924]
      0b1af3fc 7640db41 ole32!AppInvoke+0xab [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 1086]
      0b1af4dc 7640e1fd ole32!ComInvokeWithLockAndIPID+0x372 [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 1724]
      0b1af504 76329367 ole32!ComInvoke+0xc5 [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 1469]
      0b1af518 76329326 ole32!ThreadDispatch+0x23 [d:\w7rtm\com\ole32\com\dcomrem\chancont.cxx @ 298]
      0b1af55c 76bbc4e7 ole32!ThreadWndProc+0x161 [d:\w7rtm\com\ole32\com\dcomrem\chancont.cxx @ 654]
      0b1af588 76bbc5e7 user32!InternalCallWinProc+0x23
      0b1af600 76bbcc19 user32!UserCallWinProcCheckWow+0x14b
      0b1af660 76bbcc70 user32!DispatchMessageWorker+0x35e
      *** ERROR: Symbol file could not be found.  Defaulted to export symbols for Acrobat.dll -
      0b1af670 5b93baf4 user32!DispatchMessageW+0xf
      0b1af6e4 5b93b964 Acrobat!DllCanUnloadNow+0x20ac8
      0b1af71c 5b8c51c5 Acrobat!DllCanUnloadNow+0x20938
      0b1af790 5b8c5381 Acrobat!AcroWinMain+0x47a
      *** ERROR: Symbol file could not be found.  Defaulted to export symbols for AcroPDF.dll -
      0b1af7a8 6049b21d Acrobat!AcroWinBrowserMain+0x16
      0b1aff40 714d31a9 AcroPDF!DllGetClassObject+0x95db
      0b1aff64 76e7ee1c IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x66
      0b1aff70 76fd37eb kernel32!BaseThreadInitThunk+0xe
      0b1affb0 76fd37be ntdll!RtlInitializeExceptionChain+0xef
      0b1affc8 00000000 ntdll!RtlInitializeExceptionChain+0xc2

      And another one:

      0:005> .ecxr
      eax=079be778 ebx=00000000 ecx=7fffffff edx=00000000 esi=03dd0000 edi=157bb4a0
      eip=7745e753 esp=079be768 ebp=079be7e0 iopl=0         nv up ei pl zr na pe nc
      cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200246
      ntdll!RtlpNtEnumerateSubKey+0x1b26:
      7745e753 eb12            jmp     ntdll!RtlpNtEnumerateSubKey+0x1b3a (7745e767)
      0:005> k
        *** Stack trace for last set context - .thread/.cxr resets it
      ChildEBP RetAddr 
      WARNING: Stack unwind information not available. Following frames may be wrong.
      079be7e0 7745f659 ntdll!RtlpNtEnumerateSubKey+0x1b26
      079be7f0 7745f739 ntdll!RtlpNtEnumerateSubKey+0x2a2c
      079be824 7740e045 ntdll!RtlpNtEnumerateSubKey+0x2b0c
      079be854 74e814ad ntdll!RtlUlonglongByteSwap+0xba5
      079be868 6a78016a kernel32!HeapFree+0x14
      *** WARNING: Unable to verify checksum for Spelling.api
      *** ERROR: Symbol file could not be found.  Defaulted to export symbols for Spelling.api -
      079be87c 2aa2b95b msvcr100!free+0x1c
      079be88c 2aa0b21e Spelling!SpellDialogShow+0x1adf3
      *** WARNING: Unable to verify checksum for EScript.api
      *** ERROR: Symbol file could not be found.  Defaulted to export symbols for EScript.api -
      079be89c 23218f90 Spelling!PlugInMain+0x9dae
      079be8b0 232186ac EScript!PlugInMain+0x6795e
      079be8e4 23218821 EScript!PlugInMain+0x6707a
      079be8ec 2322473f EScript!PlugInMain+0x671ef
      079be92c 23263f7b EScript!PlugInMain+0x7310d
      *** ERROR: Symbol file could not be found.  Defaulted to export symbols for AcroRd32.dll -
      079bed6c 5f552ac1 EScript!PlugInMain+0xb2949
      079bed78 5f552c0b AcroRd32!DllUnregisterServer+0x2766e
      079bed9c 5f2cef28 AcroRd32!DllUnregisterServer+0x277b8
      079bedc0 76ea62fa AcroRd32!AcroWinBrowserMain+0x999a
      079bedec 76ea6d3a user32!InternalCallWinProc+0x23
      079bee64 76ea77c4 user32!UserCallWinProcCheckWow+0x109
      079beec4 76ea788a user32!DispatchMessageWorker+0x3bc
      079beed4 5f3385a4 user32!DispatchMessageW+0xf
      079bef48 5f3383e8 AcroRd32!DllCanUnloadNow+0x25e28
      079bef80 5f2c53fb AcroRd32!DllCanUnloadNow+0x25c6c
      079bf000 5f2c55a6 AcroRd32!AcroWinMainSandbox+0x5f8
      *** ERROR: Symbol file could not be found.  Defaulted to export symbols for AcroPDF.dll -
      079bf020 6d7bb21d AcroRd32!AcroWinBrowserMain+0x18
      079bf7b8 0f2bbd1e AcroPDF!DllGetClassObject+0x95db
      079bf7e4 74e8338a IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x71
      079bf7f0 773c9f72 kernel32!BaseThreadInitThunk+0xe
      079bf830 773c9f45 ntdll!RtlInitializeExceptionChain+0x63
      079bf848 00000000 ntdll!RtlInitializeExceptionChain+0x36


      Thank you for any assistance.
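A small triage script for listings like the three above, added here as an editor's example and not part of the post or of any Adobe or Microsoft tooling: it separates the two dumps whose EIP sits outside every loaded module (a wild call or return, which is the pattern that warrants the closest look) from the one that faults inside the allocator's free path, and names the first non-OS module on the stack. The module set, category names and the trimmed excerpts (cut down from the post's own listings) are my own choices.

```python
import re

# Trimmed excerpts of the three WinDbg listings in the post above.
DUMPS = {
    "uia": """eip=0000ffff esp=0b14ddc8 ebp=0b14dddc iopl=0
WARNING: Frame IP not in any known module. Following frames may be wrong.
0b14ddc4 6ac0b4b3 0xffff
0b14dddc 742956f8 Accessibility!PlugInMain+0x29e2b
0b14de04 742952ce oleacc!ObjectFromLresult+0x2eb""",
    "msaa": """eip=61682074 esp=0b1aed5c ebp=0b1aed70 iopl=0
WARNING: Frame IP not in any known module. Following frames may be wrong.
0b1aed58 5b86da53 0x61682074
0b1aed70 76250459 Accessibility!PlugInMain+0x2c3cb
0b1aed9c 762b6311 rpcrt4!Invoke+0x2a""",
    "spell": """eip=7745e753 esp=079be768 ebp=079be7e0 iopl=0
079be7e0 7745f659 ntdll!RtlpNtEnumerateSubKey+0x1b26
079be868 6a78016a kernel32!HeapFree+0x14
079be87c 2aa2b95b msvcr100!free+0x1c
079be88c 2aa0b21e Spelling!SpellDialogShow+0x1adf3""",
}

EIP_RE = re.compile(r"\beip=([0-9a-f]{8})")            # register line from .ecxr
FRAME_RE = re.compile(r"^\s*[0-9a-f]{8}\s+[0-9a-f]{8}\s+(\S+)", re.M)  # 'k' frames
# OS/runtime modules we skip when attributing the crash to a component (my list).
SYSTEM = {"ntdll", "kernel32", "user32", "ole32", "oleaut32", "rpcrt4",
          "msvcr100", "oleacc", "uiautomationcore", "ieshims", "ieframe"}

def triage(dump):
    """Classify one '.ecxr' + 'k' listing and name the first non-OS module."""
    m = EIP_RE.search(dump)
    eip = int(m.group(1), 16) if m else None
    frames = FRAME_RE.findall(dump)
    # Top frame printed as a bare address: the CPU was executing outside every
    # loaded module, so control flow reached an invalid pointer.
    bad_ip = bool(frames) and re.fullmatch(r"0x[0-9a-f]+", frames[0]) is not None
    # Fault raised from inside HeapFree/free: the usual sign of heap corruption.
    in_free = any(re.search(r"!(HeapFree|free)\b", f) for f in frames[:6])
    if bad_ip or "Frame IP not in any known module" in dump:
        category = "invalid-eip"
    elif in_free:
        category = "fault-in-free"
    else:
        category = "other"
    component = next((f.split("!")[0] for f in frames
                      if "!" in f and f.split("!")[0].lower() not in SYSTEM), None)
    return {"eip": eip, "category": category, "component": component}

if __name__ == "__main__":
    for name, text in DUMPS.items():
        print(name, triage(text))
```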