https://bugs.winehq.org/show_bug.cgi?id=33275
Sebastian Lackner sebastian@fds-team.de changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |sebastian@fds-team.de
--- Comment #12 from Sebastian Lackner sebastian@fds-team.de --- Created attachment 49581 --> https://bugs.winehq.org/attachment.cgi?id=49581 WINEDEBUG=+tid,+seh,+loaddll,+int
I can confirm this issue.
I already tried to debug it some time ago, and at first also thought that its a regression - but regression testing didn't reveal anything useful, as the issue seems to be timing related. With older versions of wine it only happend with a probability of ~50%, but with wine 1.7.x it happens always. I cannot redo the testing right now, because older versions of Wine don't compile properly anymore on my distribution without additional patches to fix ./configure issues.
I assume this issue also only exists when running the CD-version (I have the original CD), I'm pretty sure its copy-protection related, so FarCry on Steam will most likely not suffer from the same issue. Installing the FarCry update 1.4 doesn't fix the problem. All logs in this bug report are with the update 1.4 installed, to avoid debugging issues which probably have been fixed in the game itself.
The weird part: The segmentation fault message is _not_ part of the debug log, its somehow written always on the terminal? The crash happens somewhere inside of the close() syscall, and it could even be a kernel bug?! I'll explain below what I've found out so far, and attach some logs. If someone wants to work on this issue and needs any additional information, feel free to ask me.
--- snip --- $ WINEDEBUG=+tid,+seh,+loaddll,+int WINEPREFIX=~/.wine-farcry/ ./wine ~/.wine-farcry/drive_c/Program\ Files/Ubisoft/Crytek/Far\ Cry/Bin32/FarCry.exe
~/Downloads/farcry_tid_seh_loaddll_int.log 2>&1
Speicherzugriffsfehler (Speicherabzug geschrieben) --- snip ---
The last message means translated "Segmentation fault (core dumped)".
Taking a look at the generated core dump reveals that at the time of crashing two threads were active:
--- snip --- (gdb) info thread Id Target Id Frame 2 Thread 0xf73b7700 (LWP 27874) 0xf77ead85 in __kernel_vsyscall () * 1 Thread 0x9afb40 (LWP 27920) segv_handler (signal=11, siginfo=0x7ffd3c8c, sigcontext=0x7ffd3d0c) at signal_i386.c:1957 (gdb) bt #0 segv_handler (signal=11, siginfo=0x7ffd3c8c, sigcontext=0x7ffd3d0c) at signal_i386.c:1957 #1 <signal handler called> #2 0xf77ead85 in __kernel_vsyscall () #3 0xf75d972f in close () from /usr/lib32/libpthread.so.0 #4 0x7bc850b6 in exit_thread (status=1) at thread.c:394 #5 0x7bc7e661 in call_thread_func_wrapper () at signal_i386.c:2578 #6 0x7bc7e69f in call_thread_func (entry=0x3650140a, arg=0x366224, frame=0x9aeb28) at signal_i386.c:2637 #7 0x7bc7e636 in call_thread_entry_point () at signal_i386.c:2578 #8 0x7bc85213 in start_thread (info=0x7ffd0fb8) at thread.c:429 #9 0xf75d2096 in start_thread () from /usr/lib32/libpthread.so.0 #10 0xf74f4a7e in clone () from /usr/lib32/libc.so.6 (gdb) thread 2 [Switching to thread 2 (Thread 0xf73b7700 (LWP 27874))] #0 0xf77ead85 in __kernel_vsyscall () (gdb) bt #0 0xf77ead85 in __kernel_vsyscall () #1 0xf75d96bb in read () from /usr/lib32/libpthread.so.0 #2 0x7bc77d76 in wait_select_reply (cookie=0x33e7dc) at server.c:335 #3 0x7bc78a56 in server_select (select_op=0x33e834, size=8, flags=2, timeout=0x0) at server.c:599 #4 0x7bc819eb in NtWaitForMultipleObjects (count=1, handles=0x33e990, wait_any=1 '\001', alertable=0 '\000', timeout=0x0) at sync.c:863 #5 0x7b86e10d in WaitForMultipleObjectsEx (count=1, handles=0x33eb0c, wait_all=0, timeout=4294967295, alertable=0) at sync.c:188 #6 0x7b86df1b in WaitForSingleObject (handle=0xbc, timeout=4294967295) at sync.c:128 #7 0x3650227f in ?? () #8 0x000000bc in ?? () #9 0xffffffff in ?? () #10 0x00000000 in ?? () --- snip ---
Disassembling the block which caused the segmentation fault:
--- snip --- (gdb) x/10i 0xf77ead80 0xf77ead80 <__kernel_vsyscall>: push %ebp 0xf77ead81 <__kernel_vsyscall+1>: mov %ecx,%ebp 0xf77ead83 <__kernel_vsyscall+3>: syscall 0xf77ead85 <__kernel_vsyscall+5>: mov $0x2b,%ecx <---- 0xf77ead8a <__kernel_vsyscall+10>: mov %ecx,%ss 0xf77ead8c <__kernel_vsyscall+12>: mov %ebp,%ecx 0xf77ead8e <__kernel_vsyscall+14>: pop %ebp 0xf77ead8f <__kernel_vsyscall+15>: ret 0xf77ead90: sar $0xff,%cl 0xf77ead93: call *(%eax,%eax,1) -- snip ---
This means the segmentation fault was triggered by the kernel, not by an invalid memory access.
By taking a look at the TEB (derived from $ESP, like in the Wine source) of the crashed thread we can find out which of the threads triggered the crash (UniqueThread = 0x30):
--- snip --- (gdb) print *(TEB *)0x7ffd0000 $1 = {Tib = {ExceptionList = 0x9aea48, StackBase = 0x9b0000, StackLimit = 0x8b2000, SubSystemTib = 0x0, {FiberData = 0x0, Version = 0}, ArbitraryUserPointer = 0x0, Self = 0x7ffd0000}, EnvironmentPointer = 0x0, ClientId = {UniqueProcess = 0x8, UniqueThread = 0x30}, ActiveRpcHandle = 0x0, ThreadLocalStoragePointer = 0x0, Peb = 0x7ffdf000, LastErrorValue = 6, CountOfOwnedCriticalSections = 0, CsrClientThread = 0x0, Win32ThreadInfo = 0x0, Win32ClientInfo = {0 <repeats 31 times>}, WOW32Reserved = 0x0, CurrentLocale = 0, FpSoftwareStatusRegister = 0, SystemReserved1 = {0x0 <repeats 54 times>}, ExceptionCode = 0, ActivationContextStack = {Flags = 0, NextCookieSequenceNumber = 0, ActiveFrame = 0x0, FrameListCache = {Flink = 0x0, Blink = 0x0}}, SpareBytes1 = '\000' <repeats 23 times>, SystemReserved2 = {0x63, 0x6b, 0x0, 0x9aeb44, 0x12, 0x6, 0x14, 0x15, 0x0, 0x9afb40}, GdiTebBatch = {Offset = 0, HDC = 0x0, Buffer = { 10152744, 0 <repeats 309 times>}}, gdiRgn = 0x0, gdiPen = 0x0, gdiBrush = 0x0, RealClientId = {UniqueProcess = 0x0, UniqueThread = 0x0}, GdiCachedProcessHandle = 0x0, GdiClientPID = 0, GdiClientTID = 0, GdiThreadLocaleInfo = 0x0, UserReserved = {0, 0, 0, 0, 0}, glDispachTable = {0x0 <repeats 280 times>}, glReserved1 = {0x0 <repeats 26 times>}, glReserved2 = 0x0, glSectionInfo = 0x0, glSection = 0x0, glTable = 0x0, glCurrentRC = 0x0, glContext = 0x0, LastStatusValue = 3221225480, StaticUnicodeString = {Length = 0, MaximumLength = 522, Buffer = 0x7ffd0c00}, StaticUnicodeBuffer = {0 <repeats 261 times>}, DeallocationStack = 0x8b0000, TlsSlots = { 0x0, 0x12da10, 0x0 <repeats 62 times>}, TlsLinks = {Flink = 0x0, Blink = 0x0}, Vdm = 0x0, ReservedForNtRpc = 0x0, DbgSsReserved = {0x0, 0x0}, HardErrorDisabled = 0, Instrumentation = {0x0 <repeats 16 times>}, WinSockData = 0x0, GdiBatchCount = 0, Spare2 = 0, Spare3 = 0x0, Spare4 = 0x0, ReservedForOle = 0x0, WaitingOnLoaderLock = 0, Reserved5 = {0x0, 0x0, 0x0}, TlsExpansionSlots = 0x0, ImpersonationLocale = 0, IsImpersonating = 0, NlsCache = 0x0, ShimData = 0x0, HeapVirtualAffinity = 0, CurrentTransactionHandle = 0x0, ActiveFrame = 0x0, FlsSlots = 0x0} --- snip ---
It doesn't appear at all in the attached log, only when using some more verbose debugging flags (like +relay). Besides some weird string comparisons of the processor name, there is nothing which would explain why the close syscall crashes. Immediately after the crash of this thread the second thread in the process also crashes without ever returning from the read syscall, and the game exits. Commenting out the close(...) function calls in exit_thread() gets rid of the segmentation fault, but the application still terminates. Thanks to Michael for some suggestions and ideas, nevertheless the problem isn't really solved yet. If someone wants to take a look at this and needs more logs, feel free to ask.
Output from ProtectionId:
--- snip --- -=[ ProtectionID v0.6.5.5 OCTOBER]=- (c) 2003-2013 CDKiLLER & TippeX Build 31/10/13-21:09:09 Ready... Scanning -> C:\Program Files\Ubisoft\Crytek\Far Cry\Bin32\FarCry.exe File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 1232572 (012CEBCh) Byte(s) -> File has 1170620 (011DCBCh) bytes of appended data starting at offset 0F200h [File Heuristics] -> Flag : 00000100000001001100000000000111 (0x0404C007) [Entrypoint Section Entropy] : 6.46 [Debug Info] Characteristics : 0x0 | TimeDateStamp : 0x406D9864 | MajorVer : 0 / MinorVer : 0 -> (0.0) Type : 2 -> CodeView | Size : 0x35 (53) AddressOfRawData : 0x65F0 | PointerToRawData : 0x4DF0 CvSig : 0x53445352 | SigGuid 1727C30E-3D32-45C4-BE7AEDE4E59292D5 Age : 0xC | Pdb : C:\MasterCD\Bin32\FarCry.pdb
[!] Safedisc v3.20.022 detected ! [i] Appended data contents.... [.] o: 0x0000F228 / t: <0xA8726B03> <0xEF01996C> <0x00000001> / s: 00206395 byte(s) -> ~de1633.tmp [.] o: 0x0004188A / t: <0xA8726B03> <0xEF01996C> <0x0000044C> / s: 00011923 byte(s) -> clcd32.dll [.] o: 0x00044744 / t: <0xA8726B03> <0xEF01996C> <0x0000044C> / s: 00004122 byte(s) -> clcd16.dll [.] o: 0x00045782 / t: <0xA8726B03> <0xEF01996C> <0x0000044D> / s: 00037971 byte(s) -> mcp.dll [.] o: 0x0004EBFC / t: <0xA8726B03> <0xEF01996C> <0x00000002> / s: 00006616 byte(s) -> SECDRV.SYS [.] o: 0x000505FB / t: <0xA8726B03> <0xEF01996C> <0x00000002> / s: 00014386 byte(s) -> DrvMgt.dll [.] o: 0x00053E56 / t: <0xA8726B03> <0xEF01996C> <0x0000000B> / s: 00005446 byte(s) -> SecDrv04.VxD [.] o: 0x000553C1 / t: <0xA8726B03> <0xEF01996C> <0x00000000> / s: 00059964 byte(s) -> ~e5.0001 [.] o: 0x00063E24 / t: <0xA8726B03> <0xEF01996C> <0x00000000> / s: 00028672 byte(s) -> PfdRun.pfd [.] o: 0x0006AE4C / t: <0xA8726B03> <0xEF01996C> <0x00000000> / s: 00794652 byte(s) -> ~df394b.tmp [CompilerDetect] -> Visual C++ 7.1 (Visual Studio 2003) - Scan Took : 0.550 Second(s) [000000226h tick(s)] [533 scan(s) done] --- snip ---
$ sha1sum ~/Downloads/far_cry_v1.4_cumulative.exe 97867730d746beec513464aa0bb30fd26ad1b2c3 /home/sebastian/Downloads/far_cry_v1.4_cumulative.exe
$ sha1sum ~/.wine-farcry/drive_c/Program\ Files/Ubisoft/Crytek/Far\ Cry/Bin32/FarCry.exe 102f23357f083df50b7a941490f5661472bda385 /home/sebastian/.wine-farcry/drive_c/Program Files/Ubisoft/Crytek/Far Cry/Bin32/FarCry.exe
$ git describe origin/master wine-1.7.26-60-g0fa8ae7