[Bug 30588] Houdini 12.x (3D animation tool) crashes on startup

http://bugs.winehq.org/show_bug.cgi?id=30588

Anastasius Focht focht@gmx.net changed:

What |Removed |Added ---------------------------------------------------------------------------- Status|UNCONFIRMED |NEW CC| |focht@gmx.net Component|-unknown |user32 Summary|Houdini: Segmentation fault |Houdini 12.x (3D animation |at startup |tool) crashes on startup Ever Confirmed|0 |1

--- Comment #2 from Anastasius Focht focht@gmx.net 2012-05-04 06:17:02 CDT --- Hello,

confirming. It seems the app inserts menu some items with text and bitmap and retrieves them later. On retrieval of menu items that have both, text and bitmap associated it crashes at one point because data is accessed as string (bitmap type).

--- snip --- $ pwd /home/focht/.wine/drive_c/Program Files/Side Effects Software/Houdini 12.0.581/bin

$ WINEDEBUG=+tid,+seh,+menu wine ./hkey

003b:trace:menu:InsertMenuItemA hmenu 0x100ac, item 0000, by pos 1, info 0x441df54 003b:trace:menu:MENU_InsertItem inserting at 0 flags 400 003b:trace:menu:do_debug_print_menuitem SetMenuItemInfo_common from: { ID=0x0 } 003b:trace:menu:do_debug_print_menuitem SetMenuItemInfo_common to : { ID=0x20, State=check, Text=L"Always On Top", ItemData=0x000100a8 } 003b:trace:menu:InsertMenuItemA hmenu 0x100ac, item 0001, by pos 1, info 0x441df54 003b:trace:menu:MENU_InsertItem inserting at 1 flags 400 003b:trace:menu:do_debug_print_menuitem SetMenuItemInfo_common from: { ID=0x0 } 003b:trace:menu:do_debug_print_menuitem SetMenuItemInfo_common to : { ID=0x0, fType=sep } 003b:trace:menu:do_debug_print_menuitem GetMenuItemInfo_common: { ID=0x20, State=check, Text=L"Always On Top", ItemData=0x000100a8 } 003b:trace:menu:do_debug_print_menuitem GetMenuItemInfo_common: { ID=0x20, State=check, Text=L"Always On Top", ItemData=0x000100a8 } 003b:trace:menu:do_debug_print_menuitem GetMenuItemInfo_common: { ID=0x0, fType=sep } 003b:trace:menu:do_debug_print_menuitem GetMenuItemInfo_common: { ID=0xf120, Text=L"&Restore", hbitmap=HBMMENU_POPUP_RESTORE } 003b:trace:menu:do_debug_print_menuitem GetMenuItemInfo_common: { ID=0xf120, Text=L"&Restore", hbitmap=HBMMENU_POPUP_RESTORE } 003b:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7855b4c8 ip=7855b4c8 tid=003b 003b:trace:seh:raise_exception info[0]=00000000 003b:trace:seh:raise_exception info[1]=00000009 003b:trace:seh:raise_exception eax=00000900 ebx=00000009 ecx=00000009 edx=00000009 esi=05b76740 edi=000100ac 003b:trace:seh:raise_exception ebp=00000002 esp=0441df24 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010202 --- snip ---

Dump of last calls to GetMenuItemInfo() before returning to caller:

--- snip --- Wine-dbg>p *lpmii {cbSize=0x30, fMask=0x10, fType=0, fState=0, wID=0x20, hSubMenu=(nil), hbmpChecked=(nil), hbmpUnchecked=(nil), dwItemData=0x40096, dwTypeData=0x0(nil), cch=0xd, hbmpItem=(nil)}

Wine-dbg>p *lpmii {cbSize=0x30, fMask=0x10, fType=0, fState=0, wID=0x20, hSubMenu=(nil), hbmpChecked=(nil), hbmpUnchecked=(nil), dwItemData=0x40096, dwTypeData="Always On Top", cch=0xd, hbmpItem=(nil)}

Wine-dbg>p *lpmii {cbSize=0x30, fMask=0x10, fType=0x800, fState=0, wID=0x20, hSubMenu=(nil), hbmpChecked=(nil), hbmpUnchecked=(nil), dwItemData=0x40096, dwTypeData=0x0(nil), cch=0, hbmpItem=(nil)}

Wine-dbg>p *lpmii {cbSize=0x30, fMask=0x10, fType=0x4, fState=0, wID=0x20, hSubMenu=(nil), hbmpChecked=(nil), hbmpUnchecked=(nil), dwItemData=0x40096, dwTypeData=*** invalid address 0x9 ***, cch=0x8, hbmpItem=0x9}

Wine-dbg>p *lpmii {cbSize=0x30, fMask=0x10, fType=0x4, fState=0, wID=0x20, hSubMenu=(nil), hbmpChecked=(nil), hbmpUnchecked=(nil), dwItemData=0x40096, dwTypeData=*** invalid address 0x9 ***, cch=0x8, hbmpItem=0x9} --- snip ---

The last one is accessed as "string" data, causing a page fault in strchr():

--- snip --- 003b:Call user32.GetMenuItemInfoA(000100ac,00000002,00000001,0441df54) ret=05b8f0c8 003b:Ret user32.GetMenuItemInfoA() retval=00000001 ret=05b8f0c8 003b:Call user32.GetMenuItemInfoA(000100ac,00000002,00000001,0441df54) ret=05b8f078 003b:Ret user32.GetMenuItemInfoA() retval=00000001 ret=05b8f078 003b:CALL MSVCR90.strchr(00000009,00000009) ret=05b8f085 003b:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7855b4c8 ip=7855b4c8 tid=003b 003b:trace:seh:raise_exception info[0]=00000000 003b:trace:seh:raise_exception info[1]=00000009 003b:trace:seh:raise_exception eax=00000900 ebx=00000009 ecx=00000000 edx=00000009 esi=05e66740 edi=000100ac 003b:trace:seh:raise_exception ebp=00000002 esp=0441df24 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010202 003b:trace:seh:call_stack_handlers calling handler at 0x5b95f6c code=c0000005 flags=0 --- snip ---

0x0 = MFT_STRING 0x4 = MFT_BITMAP 0x800 = MFT_SEPARATOR

$ du -sh houdini-12.0.581-win32-vc9.exe 218M houdini-12.0.581-win32-vc9.exe

$ sha1sum houdini-12.0.581-win32-vc9.exe b475599d669d35b6af9016726f1ef933caaf92a4 houdini-12.0.581-win32-vc9.exe

$ wine --version wine-1.5.3-143-g081b06c

Regards