http://bugs.winehq.org/show_bug.cgi?id=59203 Leonardo (MrPowerGamerBR) <winehq@mrpowergamerbr.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Regression SHA1| |6ea18f668174e8122e0c192f2b6 | |7d8b2c1daca2f -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=59203 Leonardo (MrPowerGamerBR) <winehq@mrpowergamerbr.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords| |regression -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=59203 --- Comment #3 from Leonardo (MrPowerGamerBR) <winehq@mrpowergamerbr.com> --- Created attachment 80096 --> http://bugs.winehq.org/attachment.cgi?id=80096 Monster Truck Madness 2 Trial with "WINEDEBUG=trace+palette" (using old palette.c file) -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=59203 Bernhard Übelacker <bernhardu@mailbox.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |bernhardu@mailbox.org --- Comment #5 from Bernhard Übelacker <bernhardu@mailbox.org> --- Created attachment 80098 --> http://bugs.winehq.org/attachment.cgi?id=80098 59203_monstertruckmadness2demo.txt I could reproduce this issue in a test VM, and also running in rr debugger. This allowed to replay and stop on each free with the same address detected at the end as already being freed. This file shows the backtraces of those frees. -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=59203 --- Comment #7 from Leonardo (MrPowerGamerBR) <winehq@mrpowergamerbr.com> --- Hello Bernhard, I have tried your patch and, while the game does not throw the "double after free" error, the game doesn't seem to start at all. On Wine 10.20, you can briefly see the game window opening before it crashes with "free(): double free detected in tcache 2". But with the patch, the game starts, the process is running, but there is no window at all (only the Wine Desktop background is shown) nor sound being played. But anyway, thanks for helping! :) I was also debugging some things, maybe it could help you out too. I found out that removing the `free( obj->entries );` call from the regression commit does not fix the issue. I mean, it does fix the issue of the game crashing, but it exhibits the same issues that happens when trying to run Wine 10.20 + jemalloc (palette corruption, incorrect colors, etc). When using 6ea18f668174e8122e0c192f2b67d8b2c1daca2f (the regression commit) as a base and "cherry-picking" the old palette.c file ("git checkout 4adb160635be8edc6ea66834d1c125990cb2b26c -- dlls/gdi32/palette.c"), the game runs correctly and there isn't any color corruption! And then I found out that removing the `free( obj->entries );` AND removing the "if (!(entries = realloc( palPtr->entries, count * sizeof(*palPtr->entries) )))" check to be only "realloc( palPtr->entries, count * sizeof(*palPtr->entries)" (essentially ignoring any errors) fixes the crash AND fixes the palette corruption issue. Of course, this """fix""" isn't good, and I haven't tested it on Wine 10.20 yet, but maybe this could shed a light on what could be causing the issue. :) -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=59203 --- Comment #9 from Leonardo (MrPowerGamerBR) <winehq@mrpowergamerbr.com> --- I did try making my super hacky """fix""" on a82d717ce63965bec9a06eb1452b3d09b78a6021 (essentially wine-11.0-rc4) and it also did work. I attached it as a file: https://bugs.winehq.org/attachment.cgi?id=80100 When testing, one thing worth noting is that the game does have other regressions too (such as races taking stupidly long to start compared to Wine 6.18/Windows) but for now I've only reported the game crash issue because, well, no point in reporting the other bugs if we can't even get the game to run in the first place. :P -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=59203 --- Comment #10 from Bernhard Übelacker <bernhardu@mailbox.org> --- (In reply to Leonardo (MrPowerGamerBR) from comment #7)

I have tried your patch and, while the game does not throw the "double after free" error, the game doesn't seem to start at all. On Wine 10.20, you can briefly see the game window opening before it crashes with "free(): double free detected in tcache 2". But with the patch, the game starts, the process is running, but there is no window at all (only the Wine Desktop background is shown) nor sound being played.

But anyway, thanks for helping! :) I was also debugging some things, maybe it could help you out too.

Ok, thought that is because of my setup, with my patch I also just got the application in the task list, but no window opens. But when I switched wine to virtual desktop the demo started working for me. (With the 30 second wait time after "turning the key".) -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=59203 --- Comment #12 from Leonardo (MrPowerGamerBR) <winehq@mrpowergamerbr.com> --- I submitted another patch, I think this one is more "cleaner" than my proof of concept, and it seems to work fine :) https://bugs.winehq.org/attachment.cgi?id=80101 After Bernhard talked about the issue, I finally *get* why it was causing a double after free: 1. The game tries to resize a palette to 0 2. Because the count is 0, the "realloc" call is undefined behavior, which I think in this case it acts like it is a "free" call 3. When the game tries to delete the palette, the entries were actually freed before, which causes the game to crash. To fix this, I've added a check to validate if the count is 0 and, if it is, we just free the entries and update the current palette count to 0. When the game tries to delete the palette, we check if the palette count is zero and, if it is, we don't attempt to free the entries (because they should be already freed). However I'm not a C developer, so the code is probably very bad and probably has a lot of issues. -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=59203 --- Comment #14 from Bernhard Übelacker <bernhardu@mailbox.org> --- Hello Leonardo, I tried to improve the test and as far as I see, it shows when called with a count of zero ResizePalette fails in windows, but the pallet gets not freed. I have submitted a merge request: https://gitlab.winehq.org/wine/wine/-/merge_requests/9851 -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=59203 Austin English <austinenglish@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords| |download, patch -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=59203 --- Comment #17 from Leonardo (MrPowerGamerBR) <winehq@mrpowergamerbr.com> --- (In reply to Bernhard Übelacker from comment #16)

(In reply to Leonardo (MrPowerGamerBR) from comment #15)

...

Yeah, the 30 second wait time is a Wine regression (not related to your patch of course). :)

Are you sure this is not just a delay in the demo to animate users to buy, unfortunately wine drawing this screen just as black?

Explaning via text is hard, so I've decided to record a video demonstrating... * The game running on bf58f1c4185c4067dd3d31179fdccb9e16c2aea1 (latest Wine commit when this video was recorded) * The game running on Wine 6.18 (latest Wine release before the regression) * The game running on bf58f1c4185c4067dd3d31179fdccb9e16c2aea1 + "LD_PRELOAD=/usr/lib32/libjemalloc.so" (which makes the game work on the latest Wine, albeit with a lot of palette corruption and crashes) * The game running on bf58f1c4185c4067dd3d31179fdccb9e16c2aea1 + your patch (which demonstrates the "game window does not show up at all" issue I was talking about) * The game running on bf58f1c4185c4067dd3d31179fdccb9e16c2aea1 + my patch (of course, I'm not saying that my patch should be preferred because, as I said before, I'm not a C developer and I don't know all the intricacies of the Win32 API... but it does get the game up and running) Here's the link to the video :) https://youtu.be/ESd-EBFQu68 I did change the rendering mode to Direct3D when testing, but that's because that, if you don't, the game will render a black screen when getting into the game until you press F4 to exit "Fullscreen Mode". Maybe it would be useful to test the resize palette behavior on Windows 9x versions, considering that the game targets Windows 95/98/NT 4.0? However, the game does run fine on Windows 11 (the installer doesn't, but you can copy the game install installed via Wine or an older Windows version and copy it to Windows). -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=59203 Leonardo (MrPowerGamerBR) <winehq@mrpowergamerbr.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |59209 -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=59203 --- Comment #19 from Leonardo (MrPowerGamerBR) <winehq@mrpowergamerbr.com> --- Can confirm that this was fixed, thanks Bernhard! :) -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.