https://bugs.winehq.org/show_bug.cgi?id=39078
Anastasius Focht focht@gmx.net changed:
What      Removed                          Added
----------------------------------------------------------------------------
Summary   Visual Pinball 9.9.1             Visual Pinball 8.x, 9.x, 10.x
          crashes on exit after            crash on exit after creating
          creating a new table             a new table, needs support for
                                           VBScript IActiveScriptDebug
CC                                         focht@gmx.net
--- Comment #8 from Anastasius Focht focht@gmx.net ---

Hello folks,
confirming.
--- snip ---
$ pwd
/home/focht/.wine/drive_c/Visual Pinball

$ WINEDEBUG=+tid,+seh,+relay,+vbscript,+ole,+variant wine ./VPinballX.exe >log.txt 2>&1
...
0036:trace:vbscript:VBScript_SetScriptState (0x1ba958)->(3)
0036:fixme:vbscript:VBScript_SetScriptState unimplemented state 3
0036:trace:vbscript:VBScript_SetScriptState (0x1ba958)->(4)
0036:fixme:vbscript:VBScript_SetScriptState unimplemented state 4
0036:trace:vbscript:VBScript_Release (0x1ba958) ref=1
0036:trace:vbscript:VBScript_Release (0x1ba958) ref=0
0036:trace:vbscript:DispatchEx_AddRef (0x17d290) ref=2
0036:trace:vbscript:DispatchEx_Release (0x17d290) ref=1
0036:trace:vbscript:DispatchEx_AddRef (0x17d328) ref=2
0036:trace:vbscript:DispatchEx_Release (0x17d328) ref=1
0036:trace:vbscript:DispatchEx_Release (0x17d328) ref=0
...
0036:trace:vbscript:DispatchEx_Release (0x17d290) ref=0
...
0036:trace:vbscript:ScriptDisp_Release (0x1a7e00) ref=0
...
0036:trace:seh:raise_exception code=c0000005 flags=0 addr=0x4499d4 ip=004499d4 tid=0036
0036:trace:seh:raise_exception info[0]=00000000
0036:trace:seh:raise_exception info[1]=00000000
0036:trace:seh:raise_exception eax=00000000 ebx=001af7a0 ecx=0033e980 edx=00110064 esi=001b0bf0 edi=00000010
0036:trace:seh:raise_exception ebp=00190f30 esp=0033e980 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00210216
0036:trace:seh:call_stack_handlers calling handler at 0x528470 code=c0000005 flags=0
...
wine: Unhandled page fault on read access to 0x00000000 at address 0x4499d4 (thread 0036), starting debugger...
...
Backtrace:
=>0 0x00000018 (0xe8f18b56)
0x00000018: -- no code accessible --
Modules:
Module    Address            Debug info  Name (157 modules)
PE          400000- 149f000  Export      vpinballx
PE         14a0000- 1a1b000  Deferred    freeimage
PE         1c40000- 1cd0000  Deferred    scilexervp
PE        10000000-10050000  Deferred    bass
ELF       7a800000-7a942000  Deferred    opengl32<elf>
  \-PE    7a840000-7a942000  \           opengl32
ELF       7b400000-7b7f0000  Deferred    kernel32<elf>
  \-PE    7b420000-7b7f0000  \           kernel32
ELF       7bc00000-7bd0a000  Deferred    ntdll<elf>
  \-PE    7bc30000-7bd0a000  \           ntdll
ELF       7c000000-7c004000  Deferred    <wine-loader>
...
Threads:
process  tid      prio (all id:s are in hex)
...
00000035 (D) C:\Visual Pinball\VPinballX.exe
    0000003b    0
    0000003a    0
    00000039   15
    00000038   15
    00000037    0
    00000036    0 <==
--- snip ---
Application code call site:

--- snip ---
00449990  PUSH ESI
00449991  MOV ESI,DWORD PTR SS:[ESP+8]
00449995  MOV ECX,DWORD PTR DS:[ESI+104]
0044999B  TEST ECX,ECX
0044999D  JE SHORT VPinball.004499D9
0044999F  MOV EAX,DWORD PTR DS:[ECX]
004499A1  PUSH 3
004499A3  PUSH ECX
004499A4  CALL DWORD PTR DS:[EAX+14]     ; vbscript.VBScript_SetScriptState
004499A7  MOV EAX,DWORD PTR DS:[ESI+104]
004499AD  PUSH 4
004499AF  PUSH EAX
004499B0  MOV ECX,DWORD PTR DS:[EAX]
004499B2  CALL DWORD PTR DS:[ECX+14]     ; vbscript.VBScript_SetScriptState
004499B5  MOV EAX,DWORD PTR DS:[ESI+104]
004499BB  PUSH EAX
004499BC  MOV ECX,DWORD PTR DS:[EAX]
004499BE  CALL DWORD PTR DS:[ECX+8]      ; vbscript.VBScript_Release
004499C1  MOV EAX,DWORD PTR DS:[ESI+11C]
004499C7  PUSH EAX
004499C8  MOV ECX,DWORD PTR DS:[EAX]
004499CA  CALL DWORD PTR DS:[ECX+8]      ; vbscript.VBScriptParse_Release
004499CD  MOV EAX,DWORD PTR DS:[ESI+120]
004499D3  PUSH EAX
004499D4  MOV ECX,DWORD PTR DS:[EAX]     ; *boom*
004499D6  CALL DWORD PTR DS:[ECX+8]
004499D9  XOR EAX,EAX
004499DB  POP ESI
004499DC  RETN 4
--- snip ---
The game tries to release an interface/instance which is not present.
Using the referenced memory locations on the heap, one can find the game code that QI's/stores the interface pointers (hw bp). Another way is to go back in time, looking for any vbscript QI failures in the trace log.
--- snip ---
...
0036:trace:vbscript:VBScriptFactory_CreateInstance ((nil) {bb1a2ae2-a4f9-11cf-8f20-00805f2cd064} 0x33f2fc)
...
0036:trace:vbscript:VBScript_QueryInterface (0x1ba958)->(IID_IActiveScriptParse 0x33f2fc)
0036:trace:vbscript:VBScript_AddRef (0x1ba958) ref=2
0036:trace:vbscript:VBScript_Release (0x1ba958) ref=1
0036:trace:vbscript:ClassFactory_Release (0xf298e440)
0036:Ret  ole32.CoCreateInstance() retval=00000000 ret=004498f4
0036:trace:vbscript:VBScript_QueryInterface (0x1ba958)->(IID_IActiveScript 0x1b0cf4)
0036:trace:vbscript:VBScript_AddRef (0x1ba958) ref=2
0036:fixme:vbscript:VBScript_QueryInterface (0x1ba958)->({51973c10-cb0c-11d0-b5c9-00a0244a0e7a} 0x1b0d10)
0036:trace:vbscript:VBScriptParse_InitNew (0x1ba958)
...
--- snip ---
It's the only QI failure present for that component and indeed the culprit here.
51973c10-cb0c-11d0-b5c9-00a0244a0e7a = IID_IActiveScriptDebug(32)
https://source.winehq.org/git/wine.git/blob/4eaaf06ce4e5d7424eec2cf303c82566...
--- snip ---
/************************************************************
 * interface IActiveScriptDebug32
 */
[
    object,
    uuid(51973c10-cb0c-11d0-b5c9-00a0244a0e7a),
    pointer_default(unique)
]
interface IActiveScriptDebug32 : IUnknown
{
    HRESULT GetScriptTextAttributes(
        [in, size_is(uNumCodeChars)] LPCOLESTR pstrCode,
        [in] ULONG uNumCodeChars,
        [in] LPCOLESTR pstrDelimiter,
        [in] DWORD dwFlags,
        [in, out, size_is(uNumCodeChars)] SOURCE_TEXT_ATTR *pattr);

    HRESULT GetScriptletTextAttributes(
        [in, size_is(uNumCodeChars)] LPCOLESTR pstrCode,
        [in] ULONG uNumCodeChars,
        [in] LPCOLESTR pstrDelimiter,
        [in] DWORD dwFlags,
        [in, out, size_is(uNumCodeChars)] SOURCE_TEXT_ATTR *pattr);

    HRESULT EnumCodeContextsOfPosition(
        [in] DWORD dwSourceContext,
        [in] ULONG uCharacterOffset,
        [in] ULONG uNumChars,
        [out] IEnumDebugCodeContexts **ppescc);
}
--- snip ---
https://source.winehq.org/git/wine.git/blob/4eaaf06ce4e5d7424eec2cf303c82566...
--- snip ---
static HRESULT WINAPI VBScript_QueryInterface(IActiveScript *iface, REFIID riid, void **ppv)
{
    VBScript *This = impl_from_IActiveScript(iface);

    if(IsEqualGUID(riid, &IID_IUnknown)) {
        TRACE("(%p)->(IID_IUnknown %p)\n", This, ppv);
        *ppv = &This->IActiveScript_iface;
    }else if(IsEqualGUID(riid, &IID_IActiveScript)) {
        TRACE("(%p)->(IID_IActiveScript %p)\n", This, ppv);
        *ppv = &This->IActiveScript_iface;
    }else if(IsEqualGUID(riid, &IID_IActiveScriptParse)) {
        TRACE("(%p)->(IID_IActiveScriptParse %p)\n", This, ppv);
        *ppv = &This->IActiveScriptParse_iface;
    }else if(IsEqualGUID(riid, &IID_IActiveScriptParseProcedure2)) {
        TRACE("(%p)->(IID_IActiveScriptParseProcedure2 %p)\n", This, ppv);
        *ppv = &This->IActiveScriptParseProcedure2_iface;
    }else if(IsEqualGUID(riid, &IID_IObjectSafety)) {
        TRACE("(%p)->(IID_IObjectSafety %p)\n", This, ppv);
        *ppv = &This->IObjectSafety_iface;
    }else {
        FIXME("(%p)->(%s %p)\n", This, debugstr_guid(riid), ppv);
        *ppv = NULL;
        return E_NOINTERFACE;
    }

    IUnknown_AddRef((IUnknown*)*ppv);
    return S_OK;
}
--- snip ---
ProtectionID scan for completeness:
--- snip ---
-=[ ProtectionID v0.6.8.5 DECEMBER]=-
(c) 2003-2017 CDKiLLER & TippeX
Build 24/12/16-13:09:21
Ready...
Scanning -> C:\Visual Pinball\VPinballX.exe
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 5188096 (04F2A00h) Byte(s) | Machine: 0x14C (I386)
Compilation TimeStamp : 0x585C1547 -> Thu 22nd Dec 2016 18:02:47 (GMT)
[TimeStamp] 0x585C1547 -> Thu 22nd Dec 2016 18:02:47 (GMT) | PE Header | - | Offset: 0x00000160 | VA: 0x00400160 | -
[File Heuristics] -> Flag #1 : 00000000000000001100001000100011 (0x0000C223)
[Entrypoint Section Entropy] : 7.90 (section #1) "UPX1 " | Size : 0x4B6200 (4940288) byte(s)
[DllCharacteristics] -> Flag : (0x8100) -> DEP | TSA
[SectionCount] 3 (0x3) | ImageSize 0x109F000 (17428480) byte(s)
[VersionInfo] Product Name : Visual Pinball
[VersionInfo] Product Version : 10. 2. 0. 0
[VersionInfo] File Description : Visual Pinball 10.2.0
[VersionInfo] File Version : 10. 2. 0. 0
[VersionInfo] Original FileName : VPinballX.exe
[VersionInfo] Internal Name : Visual Pinball
[VersionInfo] Legal Copyrights : Copyright 2000-2016
[ModuleReport] [IAT] Modules -> KERNEL32.DLL | ADVAPI32.dll | bass.dll | COMCTL32.dll | COMDLG32.dll | d3d9.dll | d3dx9_43.dll | dbghelp.dll | DINPUT.dll | DSOUND.dll | FreeImage.dll | GDI32.dll | HID.DLL | ole32.dll | OLEAUT32.dll | SETUPAPI.dll | USER32.dll | WINMM.dll
[!] UPX 3.07 compressed !
upx internal version : 013 / compression method : 08 (M_NRV2E_LE32) - Level : 09
decompressed adler32 : 0x7740E8F9 / compressed adler32 : 0x2B703B89
uncompressed size : 0x0105ED5C (017165660) / compressed size : 0x004B5F22 (04939554)
original file size : 0x01053C00 (017120256) / filter : 0x026 / ct0 0x15 / linkchecksum : 0x0D4
- Scan Took : 0.979 Second(s) [0000003D3h (979) tick(s)] [506 of 580 scan(s) done]
--- snip ---
$ sha1sum VPX2setup.zip
e862530f81c1305c9cc2c2f1e2789df901fdf4d6  VPX2setup.zip

$ sha1sum VPX2setup.exe
74795af49709b0d13f33bd41342f60fcc7a4eb06  VPX2setup.exe

$ du -sh VPX2setup.exe
36M     VPX2setup.exe

$ wine --version
wine-2.8
Regards
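The failure mode in the comment above, as an added example that is not code from the bug report, from Wine or from Visual Pinball: a mock COM script engine whose QueryInterface behaves like Wine's VBScript_QueryInterface (it clears *ppv and returns E_NOINTERFACE for an IID it does not implement), a host teardown written the way the disassembly at 004499CD..004499D6 does it (QI results stored without checking the HRESULT, every slot Released unconditionally), and a checked teardown beside it. It is plain C with no windows.h; GUID, HRESULT and the IUnknown vtable are re-declared locally, the two IIDs are the ones that appear in the trace, and ScriptEngine, Table and the has_debug flag are hypothetical names for this demo. The has_debug flag lets the same host code run against an engine that implements IActiveScriptDebug32 (native vbscript.dll) and one that does not (Wine).

```c
/* Added example, not code from the bug report, Wine or Visual Pinball: a mock
 * COM script engine whose QueryInterface, like Wine's VBScript_QueryInterface,
 * clears *ppv and returns E_NOINTERFACE for an IID it lacks, beside the host
 * teardown pattern from the crash site (QI results stored unchecked, every slot
 * Released) and a checked one. No windows.h: GUID/HRESULT/IUnknown are
 * re-declared; ScriptEngine, Table and has_debug are hypothetical names. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

typedef int32_t HRESULT;
#define S_OK          ((HRESULT)0)
#define E_NOINTERFACE ((HRESULT)0x80004002)
#define SUCCEEDED(hr) ((hr) >= 0)

typedef struct { uint32_t d1; uint16_t d2, d3; uint8_t d4[8]; } GUID;
static bool guid_eq(const GUID *a, const GUID *b) { return memcmp(a, b, sizeof *a) == 0; }
static const GUID IID_IUnknown = {0, 0, 0, {0xc0, 0, 0, 0, 0, 0, 0, 0x46}};
/* The two IIDs that appear in the trace above. */
static const GUID IID_IActiveScriptParse   = {0xbb1a2ae2, 0xa4f9, 0x11cf, {0x8f, 0x20, 0x00, 0x80, 0x5f, 0x2c, 0xd0, 0x64}};
static const GUID IID_IActiveScriptDebug32 = {0x51973c10, 0xcb0c, 0x11d0, {0xb5, 0xc9, 0x00, 0xa0, 0x24, 0x4a, 0x0e, 0x7a}};

typedef struct IUnknown IUnknown;
typedef struct { HRESULT (*QueryInterface)(IUnknown *, const GUID *, void **);
                 uint32_t (*AddRef)(IUnknown *); uint32_t (*Release)(IUnknown *); } IUnknownVtbl;
struct IUnknown { const IUnknownVtbl *lpVtbl; };

/* has_debug=true behaves like native vbscript.dll, false like Wine's. */
typedef struct { IUnknown iface; uint32_t ref; bool has_debug; } ScriptEngine;

static HRESULT engine_QueryInterface(IUnknown *iface, const GUID *riid, void **ppv)
{
    ScriptEngine *This = (ScriptEngine *)iface;
    if (guid_eq(riid, &IID_IUnknown) || guid_eq(riid, &IID_IActiveScriptParse) ||
        (This->has_debug && guid_eq(riid, &IID_IActiveScriptDebug32))) {
        *ppv = iface;
        iface->lpVtbl->AddRef(iface);
        return S_OK;
    }
    *ppv = NULL;                            /* out pointer cleared, as in Wine */
    return E_NOINTERFACE;
}
static uint32_t engine_AddRef(IUnknown *i)  { return ++((ScriptEngine *)i)->ref; }
static uint32_t engine_Release(IUnknown *i) { return --((ScriptEngine *)i)->ref; }
static const IUnknownVtbl engine_vtbl = { engine_QueryInterface, engine_AddRef, engine_Release };

/* Host slots in the order the disassembly releases them (+104h, +11Ch, +120h). */
typedef struct { IUnknown *script; IUnknown *parser; IUnknown *debug; } Table;

/* Unchecked pattern. The teardown returns false where the real code would
 * execute MOV ECX,[EAX] with EAX == 0 and page-fault. */
static void table_init_unchecked(Table *t, IUnknown *eng)
{
    t->script = eng; eng->lpVtbl->AddRef(eng);
    eng->lpVtbl->QueryInterface(eng, &IID_IActiveScriptParse, (void **)&t->parser);
    eng->lpVtbl->QueryInterface(eng, &IID_IActiveScriptDebug32, (void **)&t->debug);
}
static bool table_release_unchecked(Table *t)
{
    IUnknown *s[] = { t->script, t->parser, t->debug };
    for (size_t i = 0; i < 3; i++) {
        if (s[i] == NULL) return false;
        s[i]->lpVtbl->Release(s[i]);
    }
    return true;
}

/* Checked pattern: parser mandatory, debugger optional, Release only on
 * slots that actually hold an interface. */
static HRESULT table_init_checked(Table *t, IUnknown *eng)
{
    memset(t, 0, sizeof *t);
    t->script = eng; eng->lpVtbl->AddRef(eng);
    HRESULT hr = eng->lpVtbl->QueryInterface(eng, &IID_IActiveScriptParse, (void **)&t->parser);
    if (!SUCCEEDED(hr)) return hr;
    eng->lpVtbl->QueryInterface(eng, &IID_IActiveScriptDebug32, (void **)&t->debug);
    return S_OK;                            /* t->debug may legitimately stay NULL */
}
static void table_release_checked(Table *t)
{
    IUnknown *s[] = { t->debug, t->parser, t->script };
    for (size_t i = 0; i < 3; i++)
        if (s[i]) s[i]->lpVtbl->Release(s[i]);
    memset(t, 0, sizeof *t);
}

/* Drivers: one init/teardown pair on a fresh engine; return its final
 * refcount, or -1 where the unchecked teardown hit a NULL slot. */
static int run_unchecked(bool has_debug)
{
    ScriptEngine e = { { &engine_vtbl }, 1, has_debug };
    Table t;
    table_init_unchecked(&t, &e.iface);
    return table_release_unchecked(&t) ? (int)e.ref : -1;
}
static int run_checked(bool has_debug)
{
    ScriptEngine e = { { &engine_vtbl }, 1, has_debug };
    Table t;
    if (!SUCCEEDED(table_init_checked(&t, &e.iface))) return -2;
    table_release_checked(&t);
    return (int)e.ref;
}
```

run_unchecked(true) tears down cleanly and leaves the engine at refcount 1, which is what the game sees on Windows; run_unchecked(false) stops at the third slot, which is exactly the NULL the trace shows in EAX at 004499D4. run_checked(false) also ends at refcount 1 because the optional debugger slot is skipped. The fix on Wine's side is the one the bug summary asks for (implement IActiveScriptDebug32 so the QI succeeds); a host written like the checked variant would survive either engine.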