https://bugs.winehq.org/show_bug.cgi?id=28420
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Status    |UNCONFIRMED                 |NEW
        Summary    |Schrankplaner (german       |Schrankplaner (german
                   |cupboard/furniture planning |cupboard/furniture planning
                   |software) crashes           |software) crashes on
                   |                            |startup (OSMesa/OpenGL
                   |                            |bitmap driver writes past
                   |                            |DIB render buffer)
 Ever confirmed    |0                           |1
--- Comment #6 from Anastasius Focht focht@gmx.net ---
Hello folks,
revisiting and confirming now.
It seems this is one of the few apps requiring OpenGL bitmap support (libOSMesa). Without OpenGL bitmap support enabled in Wine you don't get the startup crash.
libOSMesa on my system: mesa-libOSMesa-9.2.4-1.20131128.fc19 (i686 and x86_64)
--- snip ---
$ WINEDEBUG=+tid,+seh,+relay,+opengl wine ./Schrankplaner.exe >>log.txt 2>&1
...
0025:Ret opengl32.wglMakeCurrent() retval=00000001 ret=10042672
0025:Call opengl32.glViewport(00000000,00000000,000005e0,00000359) ret=1004268d
0025:trace:opengl:glViewport (0, 0, 1504, 857)
0025:Ret opengl32.glViewport() retval=7ca85d7c ret=1004268d
0025:Call opengl32.glRenderMode(00001c00) ret=100426e7
0025:trace:opengl:glRenderMode (7168)
0025:Ret opengl32.glRenderMode() retval=00000000 ret=100426e7
0025:Call opengl32.glClear(00000100) ret=100426f7
0025:trace:opengl:glClear (256)
0025:Ret opengl32.glClear() retval=7ca78c40 ret=100426f7
...
0025:Call opengl32.wglMakeCurrent(000202ad,00010001) ret=10038b33
0025:Call opengl32.wglGetPixelFormat(000202ad) ret=7ebf8713
0025:Call gdi32.__wine_get_wgl_driver(000202ad,0000000b) ret=7d3cf675
0025:Ret gdi32.__wine_get_wgl_driver() retval=7ec3b480 ret=7d3cf675
0025:Ret opengl32.wglGetPixelFormat() retval=00000001 ret=7ebf8713
0025:Ret opengl32.wglMakeCurrent() retval=00000001 ret=10038b33
0025:Call opengl32.glViewport(00000000,00000000,000005e0,00000359) ret=10038b4e
0025:trace:opengl:glViewport (0, 0, 1504, 857)
0025:Ret opengl32.glViewport() retval=7ca85d7c ret=10038b4e
0025:Call opengl32.glClearColor(3f800000,3f800000,3f800000,00000000) ret=10038bb6
0025:trace:opengl:glClearColor (1.000000, 1.000000, 1.000000, 0.000000)
0025:Ret opengl32.glClearColor() retval=7ca78c40 ret=10038bb6
0025:Call opengl32.glClear(00004000) ret=10038bc6
0025:trace:opengl:glClear (16384)
0025:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7b56cf97 ip=7b56cf97 tid=0025
0025:trace:seh:raise_exception info[0]=00000001
0025:trace:seh:raise_exception info[1]=08111000
0025:trace:seh:raise_exception eax=08111004 ebx=7b7e5000 ecx=00000283 edx=00ffffff esi=000005e0 edi=00001780
0025:trace:seh:raise_exception ebp=08111e00 esp=00e0cf50 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00210287
0025:trace:seh:call_stack_handlers calling handler at 0x101ce5d6 code=c0000005 flags=0
0025:trace:seh:call_stack_handlers handler at 0x101ce5d6 returned 1
0025:trace:seh:call_stack_handlers calling handler at 0x73dc2e0a code=c0000005 flags=0
0025:trace:seh:call_stack_handlers handler at 0x73dc2e0a returned 1
0025:trace:seh:call_stack_handlers calling handler at 0x101ce470 code=c0000005 flags=0
0025:trace:seh:call_stack_handlers handler at 0x101ce470 returned 1
...
0025:Call user32.MessageBoxA(00010090,04eed9c4 "Zugriffsverletzung bei Adresse 7B56CF97. Schreiben von Adresse 08111000.",072dfb9c "Schrankplaner",00000010) ret=004895eb
--- snip ---
The crash happens in glClear(GL_ACCUM_BUFFER_BIT). The call is issued from the 'vdpro.ocx' library and the mask is hard-coded.

Using gdb proxy mode I gathered the following info:
--- snip ---
$ winedbg --gdb ./Schrankplaner.exe
...
Wine-gdb> handle SIGSEGV
Signal        Stop      Print   Pass to program Description
SIGSEGV       Yes       Yes     Yes             Segmentation fault
Wine-gdb> c
Continuing.
fixme:ole:RemUnknown_QueryInterface No interface for iid {00000019-0000-0000-c000-000000000046}

Program received signal SIGSEGV, Segmentation fault.
0x7b56cf97 in clear_rgba_buffer (colorMask=0x7ce00e14 '\377' <repeats 32 times>, "\004\004", rb=0x7cca7b40, ctx=0x7ce00008) at ../../src/mesa/swrast/s_clear.c:147
147           SIMPLE_TYPE_CLEAR(GLuint);
Wine-gdb> bt
#0  0x7b56cf97 in clear_rgba_buffer (colorMask=0x7ce00e14 '\377' <repeats 32 times>, "\004\004", rb=0x7cca7b40, ctx=0x7ce00008) at ../../src/mesa/swrast/s_clear.c:147
#1 clear_color_buffers (ctx=<optimized out>) at ../../src/mesa/swrast/s_clear.c:190
#2 _swrast_Clear (ctx=0x7ce00008, buffers=1) at ../../src/mesa/swrast/s_clear.c:230
#3 0x7b4525d7 in _mesa_Clear (mask=<optimized out>) at ../../src/mesa/main/clear.c:202
#4 0x7b6584f6 in glClear (mask=16384) at ../../../src/mapi/glapi/glapi_mapi_tmp.h:2823
#5 0x7d30774a in glClear (mask=16384) at /home/focht/projects/wine/wine.repo/src/dlls/opengl32/opengl_norm.c:110
#6 0x10038bc6 in ?? ()
Wine-gdb> info locals
row = <optimized out>
pixel = 16777215
pixelMask = 2095054856
height = 857
width = 1504
pixelSize = 4
j = <optimized out>
x = <optimized out>
map = 0x6680680 "\377\377\377"
rowStride = 6016
y = <optimized out>
doMasking = <optimized out>
clearColor = <optimized out>
mapMode = <optimized out>
i = 643
Wine-gdb> disas
...
   0x7b56cf3f <+2191>:  call   0x7b493330 <_mesa_pack_float_rgba_row>
...
   0x7b56cf90 <+2272>:  mov    0x60(%esp),%edx
   0x7b56cf94 <+2276>:  lea    0x4(%eax),%eax
=> 0x7b56cf97 <+2279>:  mov    %edx,-0x4(%eax)
Wine-gdb> p $eax-4
0x6681000
--- snip ---

--- snip ---
$ cat /proc/32502/maps | grep 06681000
062d0000-06681000 rwxp 00000000 00:00 0
06681000-06690000 ---p 00000000 00:00 0
--- snip ---
Source code:
http://cgit.freedesktop.org/mesa/mesa/tree/src/mesa/swrast/s_clear.c?id=mesa...
http://cgit.freedesktop.org/mesa/mesa/tree/src/mesa/swrast/s_clear.c?id=mesa...
--- snip ---
/* for 1, 2, 4-byte clearing */
#define SIMPLE_TYPE_CLEAR(TYPE)                                         \
   do {                                                                 \
      TYPE pixel, pixelMask;                                            \
      _mesa_pack_float_rgba_row(rb->Format, 1, clearColor, &pixel);     \
      if (doMasking) {                                                  \
         _mesa_pack_colormask(rb->Format, colorMask, &pixelMask);       \
         pixel &= pixelMask;                                            \
         pixelMask = ~pixelMask;                                        \
      }                                                                 \
      for (i = 0; i < height; i++) {                                    \
         TYPE *row = (TYPE *) map;                                      \
         if (doMasking) {                                               \
            for (j = 0; j < width; j++) {                               \
               row[j] = (row[j] & pixelMask) | pixel;                   \
            }                                                           \
         }                                                              \
         else {                                                         \
            for (j = 0; j < width; j++) {                               \
               row[j] = pixel;                                          \
            }                                                           \
         }                                                              \
         map += rowStride;                                              \
      }                                                                 \
   } while (0)
--- snip ---
From a quick calculation it seems the crash is caused by OSMesa code writing past the end of the render buffer, so it seems Wine's gdi/dib driver allocates it too small?

map (render buffer) = 0x062d0000 (range: 062d0000-06681000)
height = 857
rowStride = 6016 (w=1504*bpp=4)
$ sha1sum schrankplaner_setup.exe
1ba6e22ba4f8e5be409337daff8a2d57db5d8723  schrankplaner_setup.exe

$ du -sh schrankplaner_setup.exe
36M     schrankplaner_setup.exe

$ wine --version
wine-1.7.14
Regards
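The "quick calculation" in the comment above, carried through as an added example. This is not Mesa or Wine code: the struct and function names are made up for this illustration, and the only inputs are the numbers visible in the gdb session (the /proc maps range, width/height/rowStride/pixelSize from info locals, and the 0x00ffffff clear pixel from the register dump). The example sizes the unmasked 4-byte clear loop against the mapped region, predicts the row, pixel and address of the first out-of-bounds store, and shows the bounds check a caller would need before handing an undersized DIB mapping to such a loop.

```c
/* Added example, not Mesa/Wine code: bounds arithmetic for a
 * SIMPLE_TYPE_CLEAR-style row loop, fed with the report's numbers. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Render-buffer geometry as the swrast clear loop sees it (names are mine). */
struct rb_geometry {
    uintptr_t map;        /* address of the first row ("map" in the macro) */
    size_t    map_len;    /* bytes actually mapped writable behind map */
    int       width;      /* pixels per row */
    int       height;     /* number of rows */
    int       pixel_size; /* bytes per pixel, sizeof(TYPE) */
    int       row_stride; /* bytes from one row start to the next */
};

/* Result of the analysis: does the loop overflow, and where first. */
struct fault_info {
    bool      overflow;
    size_t    needed, mapped;
    int       row, col;   /* i and j of the first out-of-bounds store */
    uintptr_t addr;       /* address that store writes to */
};

/* Values taken from the gdb session in the report (constructed struct). */
static struct rb_geometry report_geometry(void)
{
    struct rb_geometry g = {
        .map = 0x062d0000u, .map_len = 0x06681000u - 0x062d0000u,
        .width = 1504, .height = 857, .pixel_size = 4, .row_stride = 6016,
    };
    return g;
}

/* Bytes the unmasked loop writes: every row but the last spans row_stride,
 * the last one only width*pixel_size. */
static size_t clear_bytes_needed(const struct rb_geometry *g)
{
    if (g->height <= 0 || g->width <= 0) return 0;
    return (size_t)(g->height - 1) * (size_t)g->row_stride
         + (size_t)g->width * (size_t)g->pixel_size;
}

static bool clear_fits(const struct rb_geometry *g)
{
    return clear_bytes_needed(g) <= g->map_len;
}

/* Walk the rows like the macro does and report the first store whose bytes
 * reach past map + map_len. */
static struct fault_info analyze(const struct rb_geometry *g)
{
    struct fault_info f = { false, clear_bytes_needed(g), g->map_len, -1, -1, 0 };
    uintptr_t end = g->map + g->map_len;
    if (clear_fits(g)) return f;
    for (int i = 0; i < g->height; i++) {
        uintptr_t row_start = g->map + (uintptr_t)i * (uintptr_t)g->row_stride;
        uintptr_t row_end = row_start + (uintptr_t)g->width * (uintptr_t)g->pixel_size;
        if (row_end <= end) continue;
        /* pixel j occupies [row_start + j*ps, row_start + (j+1)*ps) */
        int j = row_start >= end ? 0
              : (int)((end - row_start) / (uintptr_t)g->pixel_size);
        f.overflow = true; f.row = i; f.col = j;
        f.addr = row_start + (uintptr_t)j * (uintptr_t)g->pixel_size;
        return f;
    }
    return f;
}

static struct fault_info report_analysis(void) { struct rb_geometry g = report_geometry(); return analyze(&g); }

/* Guarded 4-byte clear: refuses to touch memory unless the geometry fits.
 * Returns 0 on success, -1 if the rows would overrun the mapping. */
static int clear_u32_checked(void *map, const struct rb_geometry *g, uint32_t pixel)
{
    if (!clear_fits(g)) return -1;
    unsigned char *p = map;
    for (int i = 0; i < g->height; i++) {
        uint32_t *row = (uint32_t *)(void *)p;
        for (int j = 0; j < g->width; j++) row[j] = pixel;
        p += g->row_stride;
    }
    return 0;
}

/* Demo on a constructed 64-byte buffer (4 pixels x 16-byte stride): 5 rows
 * must be rejected, 4 rows must clear every pixel. Returns 1 when both hold. */
static int checked_clear_demo(void)
{
    uint32_t buf[16];
    memset(buf, 0, sizeof buf);
    struct rb_geometry g = { .map = (uintptr_t)buf, .map_len = sizeof buf,
                             .width = 4, .height = 5, .pixel_size = 4, .row_stride = 16 };
    if (clear_u32_checked(buf, &g, 0x00ffffffu) != -1) return 0; /* needs 80 bytes */
    g.height = 4;                                                /* needs 64 bytes */
    if (clear_u32_checked(buf, &g, 0x00ffffffu) != 0) return 0;
    for (int k = 0; k < 16; k++) if (buf[k] != 0x00ffffffu) return 0;
    return 1;
}

int main(void)
{
    struct fault_info f = report_analysis();
    printf("needed %zu bytes, mapped %zu bytes, overflow=%d\n", f.needed, f.mapped, f.overflow);
    printf("first bad store: row %d, pixel %d, addr 0x%lx\n", f.row, f.col, (unsigned long)f.addr);
    printf("guarded clear demo: %s\n", checked_clear_demo() ? "ok" : "FAILED");
    return 0;
}
```

With the report's numbers the loop needs 857 rows of 6016 bytes (5,155,712 bytes) but only 0x3b1000 (3,870,720) bytes are mapped, and the predicted first bad store lands in row 643 at pixel 608, address 0x06681000. Those three values line up with `i = 643`, `map = 0x6680680` and `p $eax-4 = 0x6681000` in the session, which is what makes the "buffer allocated too small" reading rather than, say, a wrong rowStride the simpler explanation.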