[Bug 37460] Sid Meier's Civilization: Beyond Earth (Steam) crashes on startup

https://bugs.winehq.org/show_bug.cgi?id=37460

Anastasius Focht focht@gmx.net changed:

What |Removed |Added ---------------------------------------------------------------------------- Status|UNCONFIRMED |NEW Component|-unknown |directx-d3d Ever confirmed|0 |1

--- Comment #4 from Anastasius Focht focht@gmx.net --- Hello folks,

from DX10/DX11 perspective this would be a dupe of bug 34008

--- snip --- Backtrace: =>0 0x7df41f48 D3D11CreateDevice(adapter=(nil), driver_type=D3D_DRIVER_TYPE_HARDWARE, swrast=(nil), flags=0, feature_levels=0x33b474, levels=0x3, sdk_version=0x7, device=0x46a340c, feature_level=0x33b484, context=0x46a3418) [/home/focht/projects/wine/wine.repo/src/dlls/d3d11/d3d11_main.c:51] in d3d11 (0x0033b48c) 1 0x009b9c50 in civilizationbe_dx11 (+0x5b9c4f) (0x0033b4a0) 2 0x006f7e7c in civilizationbe_dx11 (+0x2f7e7b) (0x0033c4c8) 3 0x0047316e in civilizationbe_dx11 (+0x7316d) (0x0033cd34) 4 0x00794fd4 in civilizationbe_dx11 (+0x394fd3) (0x0033cdc4) 5 0x009b4d62 in civilizationbe_dx11 (+0x5b4d61) (0x0033d218) 6 0x009b4fdb in civilizationbe_dx11 (+0x5b4fda) (0x0033dac4) 7 0x005a3aaf in civilizationbe_dx11 (+0x1a3aae) (0x0033fdd4) 8 0x00a96dd4 in civilizationbe_dx11 (+0x696dd3) (0x0033fe20) 9 0x7b86468c call_process_entry+0xb() in kernel32 (0x0033fe38) ...

Wine-dbg>p feature_levels[0] D3D_FEATURE_LEVEL_11_0 Wine-dbg>p feature_levels[1] D3D_FEATURE_LEVEL_10_1 Wine-dbg>p feature_levels[2] D3D_FEATURE_LEVEL_10_0 --- snip ---

There is another bug in here, highlighted by the crash - a reference counting problem with DXGI factory's own wined3d object.

Full relay won't exhibit this crash due to the way heap chunks are recycled.

--- snip --- $ WINEDEBUG=+tid,+seh,+loaddll,+d3d wine ./CivilizationBe_DX11.exe ... 0009:trace:d3d:wined3d_adapter_init DeviceName: L"\\.\DISPLAY1" 0009:trace:d3d:wined3d_caps_gl_ctx_destroy Destroying caps GL context. 0009:trace:d3d:wined3d_create Created wined3d object 0x6f10030. 0009:trace:d3d:wined3d_get_adapter_count wined3d 0x6f10030, reporting 1 adapters. 0009:trace:d3d:wined3d_decref 0x6f10030 decreasing refcount to 0. 0009:trace:d3d:wined3d_get_adapter_identifier wined3d 0x6f10030, adapter_idx 0, flags 0, identifier 0x33b100. 0009:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7de020fa ip=7de020fa tid=0009 0009:trace:seh:raise_exception info[0]=00000000 0009:trace:seh:raise_exception info[1]=06f10038 0009:trace:seh:raise_exception eax=06f10030 ebx=7df05000 ecx=00000000 edx=7bcedbc8 esi=0033b060 edi=0000001c 0009:trace:seh:raise_exception ebp=0033b048 esp=0033afe0 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00210206 0009:trace:seh:call_stack_handlers calling handler at 0xa96f09 code=c0000005 flags=0 0009:trace:seh:call_stack_handlers handler at 0xa96f09 returned 1 0009:trace:seh:call_stack_handlers calling handler at 0x7bc9e4cb code=c0000005 flags=0 wine: Unhandled page fault on read access to 0x06f10038 at address 0x7de020fa (thread 0009), starting debugger... 0009:trace:seh:start_debugger Starting debugger "winedbg --auto 8 224" ... Unhandled exception: page fault on read access to 0x06f10038 in 32-bit code (0x7de020fa). Register dump: CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b EIP:7de020fa ESP:0033afe0 EBP:0033b048 EFLAGS:00210206( R- -- I - -P- ) EAX:06f10030 EBX:7df05000 ECX:00000000 EDX:7bcedbc8 ESI:0033b060 EDI:0000001c ... Backtrace: =>0 0x7de020fa wined3d_get_adapter_identifier+0x86(wined3d=<couldn't compute location>, adapter_idx=<couldn't compute location>, flags=<couldn't compute location>, identifier=<couldn't compute location>) [/home/focht/projects/wine/wine.repo/src/dlls/wined3d/directx.c:3371] in wined3d (0x0033b048) 1 0x7df1b6ad dxgi_adapter_GetDesc1+0xf4(iface=<couldn't compute location>, desc=<couldn't compute location>) [/home/focht/projects/wine/wine.repo/src/dlls/dxgi/adapter.c:150] in dxgi (0x0033b188) 2 0x7df1b8b5 dxgi_adapter_GetDesc+0x99(iface=<couldn't compute location>, desc=<couldn't compute location>) [/home/focht/projects/wine/wine.repo/src/dlls/dxgi/adapter.c:186] in dxgi (0x0033b318) 3 0x009ba1ab in civilizationbe_dx11 (+0x5ba1aa) (0x0033b48c) 4 0x009b9c50 in civilizationbe_dx11 (+0x5b9c4f) (0x0033b4a0) 5 0x006f7e7c in civilizationbe_dx11 (+0x2f7e7b) (0x0033c4c8) 6 0x0047316e in civilizationbe_dx11 (+0x7316d) (0x0033cd34) 7 0x00794fd4 in civilizationbe_dx11 (+0x394fd3) (0x0033cdc4) 8 0x009b4d62 in civilizationbe_dx11 (+0x5b4d61) (0x0033d218) 9 0x009b4fdb in civilizationbe_dx11 (+0x5b4fda) (0x0033dac4) 10 0x005a3aaf in civilizationbe_dx11 (+0x1a3aae) (0x0033fdd4) 11 0x00a96dd4 in civilizationbe_dx11 (+0x696dd3) (0x0033fe20) 12 0x7b86468c call_process_entry+0xb() in kernel32 (0x0033fe38) ... 0x7de020fa wined3d_get_adapter_identifier+0x86 [/home/focht/projects/wine/wine.repo/src/dlls/wined3d/directx.c:3371] in wined3d: movl 0x8(%eax),%eax 3371 if (adapter_idx >= wined3d->adapter_count) Modules: Module Address Debug info Name (170 modules) PE 340000- 3b6000 Deferred havokscript2013.2.0_win32_finalrC:\Program Files\Sid Meiers Civilization Beyond Earth\HavokScript2013.2.0_Win32_FinalRelease.dll PE 3c0000- 3d3000 Deferred zlib1 PE 400000- 540c000 Export civilizationbe_dx11 PE 5410000- 5a40000 Deferred cvgamedatabase_finalrelease PE 5a40000- 5b16000 Deferred msvcr110 PE 5b20000- 5ba5000 Deferred msvcp110 PE 5bb0000- 5c88000 Deferred steam_api PE 5c90000- 5d13000 Deferred mss32 PE 5d20000- 5d87000 Deferred bink2w32 PE 5d90000- 60a9000 Deferred d3dcompiler_46 PE 10000000-100d6000 Deferred cvlocalization_finalrelease ELF 7b800000-7ba64000 Dwarf kernel32<elf> -PE 7b810000-7ba64000 \ kernel32 ... Threads: process tid prio (all id:s are in hex) 00000008 (D) C:\Program Files\Sid Meiers Civilization Beyond Earth\CivilizationBe_DX11.exe 00000023 0 00000022 0 00000009 0 <== --- snip ---

Using a full relay log one can still spot the problem - even if it doesn't crash at all.

factory wined3d object 0x21ce50 ref counting

--- snip --- ... 0023:trace:d3d:wined3d_create Created wined3d object 0x21ce50. 0023:Ret wined3d.wined3d_create() retval=0021ce50 ret=7df1eec6 0023:Call wined3d.wined3d_get_adapter_count(0021ce50) ret=7df1eeff 0023:trace:d3d:wined3d_get_adapter_count wined3d 0x21ce50, reporting 1 adapters. 0023:Ret wined3d.wined3d_get_adapter_count() retval=00000001 ret=7df1eeff 0023:Call ntdll.RtlAllocateHeap(00110000,00000000,00000004) ret=7df1ef46 0023:Ret ntdll.RtlAllocateHeap() retval=00179280 ret=7df1ef46 0023:Call ntdll.RtlAllocateHeap(00110000,00000000,00000014) ret=7df1efe1 0023:Ret ntdll.RtlAllocateHeap() retval=0021ff10 ret=7df1efe1 0023:Call ntdll.RtlAllocateHeap(00110000,00000008,0000000c) ret=7df1ba3f 0023:Ret ntdll.RtlAllocateHeap() retval=0021ff30 ret=7df1ba3f 0023:trace:dxgi:dxgi_factory_create Created factory 0x194608. 0023:trace:dxgi:dxgi_factory_QueryInterface iface 0x194608, iid {7b7166ec-21c7-44ae-b21a-c9ae321ae369}, out 0x33b488. 0023:trace:dxgi:dxgi_factory_AddRef 0x194608 increasing refcount to 2. 0023:trace:dxgi:dxgi_factory_Release 0x194608 decreasing refcount to 1. 0023:Ret dxgi.CreateDXGIFactory1() retval=00000000 ret=009b9beb 0023:trace:dxgi:dxgi_factory_EnumAdapters iface 0x194608, adapter_idx 0, adapter 0x33b484. 0023:trace:dxgi:dxgi_factory_EnumAdapters1 iface 0x194608, adapter_idx 0, adapter 0x33b484. 0023:trace:dxgi:dxgi_adapter_AddRef 0x21ff10 increasing refcount to 2. 0023:trace:dxgi:dxgi_factory_EnumAdapters1 Returning adapter 0x21ff10. 0023:trace:dxgi:dxgi_factory_Release 0x194608 decreasing refcount to 0. 0023:trace:dxgi:dxgi_adapter_Release 0x21ff10 decreasing refcount to 1. 0023:Call ntdll.RtlFreeHeap(00110000,00000000,00179280) ret=7df1e43a 0023:Ret ntdll.RtlFreeHeap() retval=00000001 ret=7df1e43a 0023:Call wined3d.wined3d_decref(0021ce50) ret=7df1e45c 0023:trace:d3d:wined3d_decref 0x21ce50 decreasing refcount to 0. 0023:Call ntdll.RtlFreeHeap(00110000,00000000,06a2b2c8) ret=7ddf6527 0023:Ret ntdll.RtlFreeHeap() retval=00000001 ret=7ddf6527 0023:Call ntdll.RtlFreeHeap(00110000,00000000,06a28090) ret=7ddf6556 0023:Ret ntdll.RtlFreeHeap() retval=00000001 ret=7ddf6556 0023:Call ntdll.RtlFreeHeap(00110000,00000000,0021ce50) ret=7ddf66ff 0023:Ret ntdll.RtlFreeHeap() retval=00000001 ret=7ddf66ff 0023:Ret wined3d.wined3d_decref() retval=00000000 ret=7df1e45c 0023:Call ntdll.RtlFreeHeap(00110000,00000000,00194608) ret=7df1e493 0023:Ret ntdll.RtlFreeHeap() retval=00000001 ret=7df1e493 0023:trace:dxgi:dxgi_adapter_GetDesc iface 0x21ff10, desc 0x33b334. 0023:trace:dxgi:dxgi_adapter_GetDesc1 iface 0x21ff10, desc 0x33b1cc. 0023:Call wined3d.wined3d_get_adapter_identifier(0021ce50,00000000,00000000,0033b100) ret=7df1b6ad 0023:trace:d3d:wined3d_get_adapter_identifier wined3d 0x21ce50, adapter_idx 0, flags 0, identifier 0x33b100. 0023:Ret wined3d.wined3d_get_adapter_identifier() retval=00000000 ret=7df1b6ad 0023:Call KERNEL32.MultiByteToWideChar(00000000,00000000,0033b080 "NVIDIA GeForce GTX 470",ffffffff,0033b1cc,00000080) ret=7df1b704 0023:Ret KERNEL32.MultiByteToWideChar() retval=00000017 ret=7df1b704 0023:Call KERNEL32.LoadLibraryA(00d6d0b4 "nvapi.dll") ret=009ca75f 0023:Ret KERNEL32.LoadLibraryA() retval=00000000 ret=009ca75f 0023:Call d3d11.D3D11CreateDevice(00000000,00000001,00000000,00000000,0033b474,00000003,00000007,046a340c,0033b484,046a3418) ret=009ba2f3 0023:fixme:d3d11:D3D11CreateDevice stub: adapter (nil), driver_type D3D_DRIVER_TYPE_HARDWARE, swrast (nil), flags 0, feature_levels 0x33b474, levels 0x3, sdk_version 7, device 0x46a340c, feature_level 0x33b484, context 0x46a3418 0023:Ret d3d11.D3D11CreateDevice() retval=8007000e ret=009ba2f3 0023:trace:dxgi:dxgi_adapter_Release 0x21ff10 decreasing refcount to 0. 0023:trace:dxgi:dxgi_output_Release 0x21ff30 decreasing refcount to 0. ... --- snip ---

The game code, annotated:

--- snip --- 009B9C30 CMP DWORD PTR DS:[46A3410],0 009B9C37 JNZ SHORT Civiliza.009B9C42 009B9C39 CALL Civiliza.009B9BD0 ; enum adapters via DXGI 009B9C3E TEST AL,AL 009B9C40 JE SHORT Civiliza.009B9C6E 009B9C42 CMP DWORD PTR DS:[46A340C],0 009B9C49 JNZ SHORT Civiliza.009B9C71 009B9C4B CALL Civiliza.009BA190 ; get adapter description via DXGI 009B9C50 TEST AL,AL 009B9C52 JNZ SHORT Civiliza.009B9C71 ... 009B9BD0 PUSH EBP 009B9BD1 MOV EBP,ESP 009B9BD3 SUB ESP,8 009B9BD6 LEA EAX,DWORD PTR SS:[EBP-4] 009B9BD9 PUSH EAX 009B9BDA PUSH Civiliza.00D6C49C 009B9BDF MOV DWORD PTR SS:[EBP-4],0 009B9BE6 CALL <JMP.&dxgi.CreateDXGIFactory1> 009B9BEB TEST EAX,EAX 009B9BED JE SHORT Civiliza.009B9BF5 009B9BEF XOR AL,AL 009B9BF1 MOV ESP,EBP 009B9BF3 POP EBP 009B9BF4 RETN 009B9BF5 MOV EAX,DWORD PTR SS:[EBP-4] 009B9BF8 PUSH ESI 009B9BF9 LEA EDX,DWORD PTR SS:[EBP-8] 009B9BFC PUSH EDX 009B9BFD MOV DWORD PTR SS:[EBP-8],0 009B9C04 MOV ECX,DWORD PTR DS:[EAX] 009B9C06 PUSH 0 009B9C08 PUSH EAX 009B9C09 CALL DWORD PTR DS:[ECX+1C] ; IDXGIFactory::EnumAdapters 009B9C0C MOV ECX,DWORD PTR SS:[EBP-4] 009B9C0F PUSH ECX 009B9C10 MOV EDX,DWORD PTR DS:[ECX] 009B9C12 MOV ESI,EAX 009B9C14 CALL DWORD PTR DS:[EDX+8] ; IDXGIFactory::Release 009B9C17 MOV ECX,DWORD PTR SS:[EBP-8] 009B9C1A TEST ESI,ESI 009B9C1C MOV DWORD PTR DS:[46A3410],ECX 009B9C22 SETE AL 009B9C25 POP ESI 009B9C26 MOV ESP,EBP 009B9C28 POP EBP 009B9C29 RETN ... 009BA190 PUSH EBP 009BA191 MOV EBP,ESP 009BA193 MOV EAX,DWORD PTR DS:[46A3410] 009BA198 SUB ESP,158 009BA19E MOV ECX,DWORD PTR DS:[EAX] 009BA1A0 LEA EDX,DWORD PTR SS:[EBP-158] 009BA1A6 PUSH EDX 009BA1A7 PUSH EAX 009BA1A8 CALL DWORD PTR DS:[ECX+20] ; IDXGIAdapter::GetDesc 009BA1AB XOR ECX,ECX 009BA1AD LEA ECX,DWORD PTR DS:[ECX] 009BA1B0 CMP WORD PTR SS:[EBP+ECX*2-158],0 ... --- snip ---

The game engine releases the DXGI factory object which destroys the factory's own wined3d object. The returned IDXGIAdapter object references this through 'parent' hence needs to keep a ref to work.

Regards