http://bugs.winehq.org/show_bug.cgi?id=7054
Anastasius Focht focht@gmx.net changed:
What       |Removed                    |Added
----------------------------------------------------------------------------
CC         |                           |focht@gmx.net
Component  |-unknown                   |directx-d3d
Summary    |Pure Pinball fails to start|Pure Pinball game crashes trying to access freed texture objects

--- Comment #11 from Anastasius Focht focht@gmx.net 2012-02-26 07:19:19 CST ---
Hello,
--- snip ---
...
0024:trace:d3d8:IDirect3DDevice8Impl_SetPixelShader iface 0x154280, shader 0.
0024:Call wined3d.wined3d_mutex_lock() ret=7e7d2ccf
0024:Ret wined3d.wined3d_mutex_lock() retval=00000000 ret=7e7d2ccf
0024:Call wined3d.wined3d_device_set_pixel_shader(00183140,00000000) ret=7e7d2ceb
0024:Ret wined3d.wined3d_device_set_pixel_shader() retval=00000000 ret=7e7d2ceb
0024:Call wined3d.wined3d_mutex_unlock() ret=7e7d2cf3
0024:Ret wined3d.wined3d_mutex_unlock() retval=00000000 ret=7e7d2cf3
0024:trace:d3d8:IDirect3DDevice8Impl_SetStreamSource iface 0x154280, stream_idx 0, buffer (nil), stride 0.
0024:Call wined3d.wined3d_mutex_lock() ret=7e7d3680
0024:Ret wined3d.wined3d_mutex_lock() retval=00000000 ret=7e7d3680
0024:Call wined3d.wined3d_device_set_stream_source(00183140,00000000,00000000,00000000,00000000) ret=7e7d36bb
0024:Ret wined3d.wined3d_device_set_stream_source() retval=00000000 ret=7e7d36bb
0024:Call wined3d.wined3d_mutex_unlock() ret=7e7d36c3
0024:Ret wined3d.wined3d_mutex_unlock() retval=00000000 ret=7e7d36c3
0024:trace:seh:raise_exception code=c0000005 flags=0 addr=0x428c5a ip=00428c5a tid=0024
0024:trace:seh:raise_exception info[0]=00000000
0024:trace:seh:raise_exception info[1]=feeefef6
0024:trace:seh:raise_exception eax=feeefeee ebx=03254560 ecx=00123bb8 edx=00000000 esi=00000113 edi=0033fcc8
0024:trace:seh:raise_exception ebp=0033fa90 esp=0033fa80 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00210206
0024:trace:seh:call_stack_handlers calling handler at 0x45bd96 code=c0000005 flags=0
...
0024:Call user32.MessageBoxA(000100a0,08277008 "Access violation at address 00428C5A in module 'Pure Pinball Demo.exe'. Read of address FEEEFEF6.",08277078 "Pure pinball demo",00000010) ret=0045a0cb
--- snip ---
Sometimes the page fault address changes.
Using +heap you get more reliable results (in conjunction with +relay,+snoop).
Code around crash, annotated through debugging:
--- snip ---
...
00428C35 call dword ptr [edx+14Ch] ; IDirect3DDevice8Impl_SetStreamSource(iface=0x1309e8, StreamNumber=0, pStreamData=(nil), Stride=0)
00428C3B xor ecx, ecx
00428C3D mov [ebp+var_4], ecx
00428C40 mov eax, [ebp+var_4]
00428C43 cmp dword_C43FD0[eax*4], 0 ; texture obj table
00428C4B jz short loc_428C7D
00428C4D mov edx, [ebp+var_4]
00428C50 mov ecx, dword_C43FD0[edx*4] ; texture obj table
00428C57 push ecx
00428C58 mov eax, [ecx] ; deref to Direct3DTexture8_Vtbl
00428C5A call dword ptr [eax+8] ; *boom*
--- snip ---
The game creates some textures from files and stores the pointers globally.
Using "ecx" from the exception frame -> 0x00123bb8 as a hint, you search the trace log from the beginning again ... and find:
Creation of texture:
--- snip ---
...
0024:CALL d3dx8bor.D3DXCreateTextureFromFileExA(<unknown, check return>(0x110000,70000062,00000040): returning 0x2111b0 ) ret=004290e3
0024:Call KERNEL32.CreateFileA(004917f5 "data\menu\logo_iridon.jpg",80000000,00000001,00000000,00000003,10000000,00000000) ret=1002cb3f
...
0024:trace:d3d8:IDirect3DDevice8Impl_CreateTexture iface 0x154280, width 1024, height 1024, levels 1, usage 0, format 0x16, pool 0x1, texture 0x33f9e8.
0024:Call ntdll.RtlAllocateHeap(00110000,00000008,00000010) ret=7e7cd3b1
0024:trace:heap:RtlAllocateHeap (0x110000,7000006a,00000010): returning 0x123bb8
0024:Ret ntdll.RtlAllocateHeap() retval=00123bb8 ret=7e7cd3b1
0024:Call wined3d.wined3d_mutex_lock() ret=7e7d9260
0024:Ret wined3d.wined3d_mutex_lock() retval=00000000 ret=7e7d9260
0024:Call wined3d.wined3d_texture_create_2d(00183140,00000400,00000400,00000001,00000000,00000073,00000001,00123bb8,7e7e946c,00123bc0) ret=7e7d92c3
...
0024:trace:d3d8:IDirect3DDevice8Impl_CreateTexture Created texture 0x123bb8.
0024:trace:d3d8:IDirect3DTexture8Impl_GetSurfaceLevel iface 0x123bb8, level 0, surface 0x33f9ec.
0024:Call wined3d.wined3d_mutex_lock() ret=7e7d8eaa
0024:Ret wined3d.wined3d_mutex_lock() retval=00000000 ret=7e7d8eaa
0024:Call wined3d.wined3d_texture_get_sub_resource(002115a0,00000000) ret=7e7d8ebf
0024:Ret wined3d.wined3d_texture_get_sub_resource() retval=002116e8 ret=7e7d8ebf
0024:Call wined3d.wined3d_resource_get_parent(002116e8) ret=7e7d8edf
0024:Ret wined3d.wined3d_resource_get_parent() retval=0012e870 ret=7e7d8edf
0024:trace:d3d8:IDirect3DSurface8Impl_AddRef iface 0x12e870.
0024:trace:d3d8:IDirect3DSurface8Impl_AddRef (0x12e870) : Forwarding to 0x123bb8
0024:trace:d3d8:IDirect3DTexture8Impl_AddRef 0x123bb8 increasing refcount to 2.
...
0024:trace:d3d8:IDirect3DSurface8Impl_Release iface 0x12e870.
0024:trace:d3d8:IDirect3DSurface8Impl_Release (0x12e870) : Forwarding to 0x123bb8
0024:trace:d3d8:IDirect3DTexture8Impl_Release 0x123bb8 decreasing refcount to 1.
0024:Call ntdll.RtlFreeHeap(02f26000,00000000,08455020) ret=10001ed3
0024:trace:heap:RtlFreeHeap (0xffa10000,70000061,0xffa19fc0): returning TRUE
0024:trace:heap:RtlFreeHeap (0x2f26000,70000062,0x8455020): returning TRUE
0024:Ret ntdll.RtlFreeHeap() retval=00000001 ret=10001ed3
0024:Call KERNEL32.UnmapViewOfFile(00390000) ret=1002cbad
...
0024:RET d3dx8bor.D3DXCreateTextureFromFileExA(00154280,004917f5,ffffffff,ffffffff,00000001,00000000,00000000,00000001,00000003,00000003,00000000,00000000,00000000,00c3fb6c) retval=00000000 ret=004290e3
--- snip ---
Usage and freeing:
--- snip ---
0024:trace:d3d8:IDirect3DDevice8Impl_DrawPrimitiveUP iface 0x154280, primitive_type 0x6, primitive_count 2, data 0x33f92c, stride 28.
...
0024:trace:d3d8:IDirect3DDevice8Impl_SetTexture iface 0x154280, stage 0, texture 0x123bb8.
...
0024:trace:d3d8:IDirect3DDevice8Impl_SetTexture iface 0x154280, stage 0, texture 0x123bb8.
...
0024:trace:d3d8:IDirect3DDevice8Impl_Release 0x154280 decreasing refcount to 3.
0024:trace:d3d8:IDirect3DTexture8Impl_Release 0x123bb8 decreasing refcount to 0.
...
0024:Call ntdll.RtlFreeHeap(00110000,00000000,00123bb8) ret=7e7d9228
0024:trace:heap:RtlFreeHeap (0x110000,70000062,0x123bb8): returning TRUE
...
0024:Call wined3d.wined3d_texture_decref(002115a0) ret=7e7d8565
...
0024:trace:d3d8:IDirect3DDevice8Impl_Release 0x154280 decreasing refcount to 2.
0024:CALL d3dx8bor.D3DXCreateTexture(00154280,00000320,00000258,00000001,00000000,00000016,00000000,00c3fb64) ret=0042c735
0024:trace:d3d8:IDirect3DDevice8Impl_GetDirect3D iface 0x154280, d3d8 0x33fa3c.
0024:trace:d3d8:IDirect3D8Impl_QueryInterface iface 0x134270, riid {1dd9e8da-1c77-4d40-b0cf-98fefdff9512}, object 0x33fa3c.
0024:trace:d3d8:IDirect3D8Impl_AddRef 0x134270 increasing refcount to 3.
0024:trace:d3d8:IDirect3DDevice8Impl_GetDeviceCaps iface 0x154280, caps 0x33f918.
0024:Call ntdll.RtlAllocateHeap(00110000,00000008,00000180) ret=7e7cc235
0024:trace:heap:RtlAllocateHeap (0x110000,7000006a,00000180): returning 0x21f8a8
--- snip ---
I'm not sure if d3d8 is at fault here (reference counting?).
It could also be a bug in the game itself that is hidden due to different heap management in Windows (freed memory block contents not erased/reused). I've seen many broken apps that "worked" due to this "feature".
For testing I disabled freeing these textures (dlls/d3d8/texture.c -> IDirect3DTexture8Impl_Release) and the crash was gone.
The menu animation was shown but I was unable to make any input (mouse cursor also hidden).
You can start the game in windowed mode using "-win" parameter.
$ sha1sum PurePinballDemo_English.exe
1a513e5817591bbd86acfb779f1bd7bd8a98658b  PurePinballDemo_English.exe
Regards
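The following is an added illustration of the failure pattern described in the comment above; it is not part of the bug report, the game, or Wine's d3d8 code. It models what the trace shows: a global table of raw object pointers (the role of dword_C43FD0 in the disassembly), a COM-style object whose refcount hits zero and is freed, and a later vtable call through the stale table entry. Two facts it relies on: Wine's debug heap (the +heap channel) fills freed blocks with 0xFEEEFEEE, which is why eax reads feeefeee and the faulting address feeefef6 is exactly eax+8; and in the COM vtable layout slot +8 on 32-bit is Release, so `call dword ptr [eax+8]` is a Release on an object that is already gone. Everything else (the Texture type, the tiny static arena standing in for the heap, the scenario functions) is constructed for the example; the arena exists so that inspecting a "freed" block is well defined, which it would not be on a real heap.

```c
#include <stdio.h>
#include <string.h>

/* Free-fill pattern of Wine's debug heap (0xFEEEFEEE), as the bytes it leaves in
 * memory on a little-endian machine. Matching on bytes keeps the check endian-neutral. */
static const unsigned char FREED_FILL[4] = { 0xEE, 0xFE, 0xEE, 0xFE };
#define TABLE_SIZE 4
#define POOL_SLOTS 4

typedef struct Texture Texture;
/* COM vtable layout: QueryInterface at +0, AddRef at +4, Release at +8 (32-bit). */
typedef struct TextureVtbl {
    int (*QueryInterface)(Texture *self, const void *riid, void **out);
    unsigned long (*AddRef)(Texture *self);
    unsigned long (*Release)(Texture *self);
} TextureVtbl;

struct Texture {
    const TextureVtbl *lpVtbl;
    unsigned long refcount;
};

/* Constructed static arena standing in for the process heap. pool_free mimics the
 * debug heap by overwriting the block with the fill pattern instead of reusing it. */
static struct { Texture obj; int in_use; } pool[POOL_SLOTS];

static Texture *pool_alloc(void)
{
    for (int i = 0; i < POOL_SLOTS; i++)
        if (!pool[i].in_use) { pool[i].in_use = 1; return &pool[i].obj; }
    return NULL;
}

static void pool_free(Texture *t)
{
    unsigned char *b = (unsigned char *)t;
    for (int i = 0; i < POOL_SLOTS; i++)
        if (&pool[i].obj == t) pool[i].in_use = 0;
    for (size_t k = 0; k < sizeof *t; k++) b[k] = FREED_FILL[k % 4];
}

static int pool_in_use(void)
{
    int n = 0;
    for (int i = 0; i < POOL_SLOTS; i++) n += pool[i].in_use;
    return n;
}

static int tex_QueryInterface(Texture *t, const void *riid, void **out)
{
    (void)t; (void)riid; *out = NULL; return -1; /* not exercised by the scenarios */
}
static unsigned long tex_AddRef(Texture *t) { return ++t->refcount; }
static unsigned long tex_Release(Texture *t)
{
    unsigned long ref = --t->refcount;
    if (ref == 0) pool_free(t); /* last reference gone: every raw copy of t now dangles */
    return ref;
}
static const TextureVtbl tex_vtbl = { tex_QueryInterface, tex_AddRef, tex_Release };

static Texture *create_texture(void)
{
    Texture *t = pool_alloc();
    if (t) { t->lpVtbl = &tex_vtbl; t->refcount = 1; }
    return t;
}

/* The game's global texture table (the role dword_C43FD0 plays in the disassembly). */
static Texture *g_textures[TABLE_SIZE];

/* The check the trace analysis did by hand: does the object's first word (its vtable
 * pointer) carry the free-fill pattern instead of a code pointer? */
static int looks_freed(const Texture *t)
{
    return memcmp(t, FREED_FILL, sizeof FREED_FILL) == 0;
}

/* Cleanup loop walking the table. The real game called Release through a stale entry
 * and faulted at [eax+8]; here a stale entry is counted instead of dereferenced. */
static int table_release_all(void)
{
    int dangling = 0;
    for (int i = 0; i < TABLE_SIZE; i++) {
        Texture *t = g_textures[i];
        g_textures[i] = NULL;
        if (!t) continue;
        if (looks_freed(t)) { dangling++; continue; }
        t->lpVtbl->Release(t);
    }
    return dangling;
}

/* Device bind/unbind (SetTexture holds a reference) and the loader dropping its own. */
static void use_and_drop(Texture *t)
{
    t->lpVtbl->AddRef(t);
    t->lpVtbl->Release(t);
    t->lpVtbl->Release(t);
}

/* Buggy: the table stores a raw pointer without AddRef, so the loader's Release is the
 * last one and the table keeps pointing at freed memory. Returns dangling entries: 1. */
static int run_buggy_scenario(void)
{
    Texture *t = create_texture();
    g_textures[0] = t;
    use_and_drop(t);            /* 1 -> 2 -> 1 -> 0: freed */
    return table_release_all();
}

/* Fixed: the table owns a reference, so the object outlives loader and device and the
 * table's own Release is the one that frees it. Returns dangling entries: 0. */
static int run_fixed_scenario(void)
{
    Texture *t = create_texture();
    t->lpVtbl->AddRef(t);
    g_textures[0] = t;
    use_and_drop(t);            /* 2 -> 3 -> 2 -> 1: still alive */
    return table_release_all();
}

int main(void)
{
    int buggy = run_buggy_scenario();
    int fixed = run_fixed_scenario();
    printf("buggy: %d dangling, fixed: %d dangling, live objects: %d\n",
           buggy, fixed, pool_in_use());
    return 0;
}
```

The `looks_freed` probe is only a diagnostic aid for reading a +heap trace, not a fix: on a Windows retail heap the freed block keeps its old contents or is reused, which is exactly why the comment notes such bugs stay hidden there. The fix is ownership: whoever stores the pointer takes a reference, and the slot is cleared when that reference is released.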