http://bugs.winehq.org/show_bug.cgi?id=10503
Summary: Sid Meier's Alpha Centauri: Wine segfaults when clicking on a city.
Product: Wine
Version: 0.9.49
Platform: Other
OS/Version: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: wine-directx-d3d
AssignedTo: wine-bugs@winehq.org
ReportedBy: michael@mcdonnell.dk
Created an attachment (id=9246) --> (http://bugs.winehq.org/attachment.cgi?id=9246) Console output with error messages
The strategy game Sid Meier's Alpha Centauri starts fine. It is possible to play a couple of turns, move around the map and move units around. Wine crashes with a segmentation fault whenever you try to bring up the city screen by clicking on a city.
From the AppDB entry:
http://appdb.winehq.org/objectManager.php?sClass=version&iId=3647
it seems like other people are getting the same crash with older versions of wine.
Jesse Allen the3dfxdude@gmail.com changed:
Component: wine-directx-d3d -> wine-misc
--- Comment #1 from Jesse Allen the3dfxdude@gmail.com 2007-11-19 09:47:27 --- Alpha Centauri is not a D3D game. Please get a full backtrace.
--- Comment #2 from Michael Mc Donnell michael@mcdonnell.dk 2007-11-19 11:35:58 --- Created an attachment (id=9250) --> (http://bugs.winehq.org/attachment.cgi?id=9250) Full backtrace. Running winedbg with bt all
--- Comment #3 from Austin English austinenglish@gmail.com 2007-11-19 11:57:32 ---
Are you running this from a Windows partition (Z:\media\hda7\Spil\Sid Meier's Alpha Centauri\terran.exe)?
--- Comment #4 from Michael Mc Donnell michael@mcdonnell.dk 2007-11-19 12:04:20 --- (In reply to comment #3)
Are you running this from a windows partition
Z:\media\hda7\Spil\Sid Meier's Alpha Centauri\terran.exe
Yes. I'll try to install it in the .wine folder instead.
--- Comment #5 from Michael Mc Donnell michael@mcdonnell.dk 2007-11-19 13:04:31 --- (In reply to comment #4)
(In reply to comment #3)
Are you running this from a windows partition
Z:\media\hda7\Spil\Sid Meier's Alpha Centauri\terran.exe
Yes. I'll try to install it in the .wine folder instead.
That didn't help :-(
Installing the SMAC Win 2000/XP Update didn't help either.
qwertymn on #winehackers pointed me to this post:
http://www.winehq.org/pipermail/wine-devel/2005-July/038749.html
which talks about 'Exception Handling with a "bad" ESP'.
--- Comment #6 from Michael Mc Donnell michael@mcdonnell.dk 2007-11-19 13:20:54 --- Created an attachment (id=9251) --> (http://bugs.winehq.org/attachment.cgi?id=9251) Last 2000 lines with WINEDEBUG=+tid,+seh,+relay
I ran an extra test with extended debugging:
mac@mac-desktop:~/.wine/drive_c/Program Files/Firaxis Games/Sid Meier's Alpha Centauri$ WINEDEBUG=+tid,+seh,+relay wine terran.exe >& extratrace.txt Segmentation fault (core dumped)
The attached file contains the last 2000 lines of the output.
--- Comment #7 from Michael Mc Donnell michael@mcdonnell.dk 2007-11-19 13:39:30 --- (In reply to comment #6)
Last 2000 lines with WINEDEBUG=+tid,+seh,+relay
Ok I think it's the following line near the end that's problematic:
900:warn:seh:setup_exception exception outside of stack limits in thread 0009 eip 0063600d esp 00017aab stack 0x231000-0x340000
This sounds like something that could generate a segmentation fault?
PS. The link in comment #5 was supposed to be
http://www.winehq.org/pipermail/wine-devel/2005-July/038687.html
Anastasius Focht focht@gmx.net changed:
CC: added focht@gmx.net
--- Comment #8 from Anastasius Focht focht@gmx.net 2007-11-19 14:24:41 --- Hello,
--- snip --- This sounds like something that could generate a segmentation fault? --- snip ---
Sure. The initial posting in the link you provided pretty much summed it up.
That game code is "abusing" ESP while writing to a DIB region, resulting in an access violation exception. Wine detects the stack pointer being outside of the thread stack range and hence prints the warning. Actually Wine kills itself (double fault) when building the stack frame for the raise function by relying on that invalid ESP from the signal context (despite the warning).
--- quote --- So, what I'm wondering is if anyone who has experiance with the exception handling code has any thoughts on how this problem can be fixed. --- quote ---
Well, general rule: do not rely on the faulting context's ESP while setting up exception handling stuff. Wine has no knowledge at this point that the faulting thread is actually abusing ESP. There might be cases where the abused "counter" ESP coincidentally has a "good" value (within thread stack limits), but Wine cannot make safe assumptions at this point (only print diagnostics).
A solution would be to generally use an alternate stack to build the raise frame. Maybe a specially reserved area, a stack page between the TEB stack guard and NtCurrentTeb()->Tib.StackLimit, to safely build the frame. This would prevent Wine from accidentally damaging/overwriting parts of the faulting thread's stack with the raise frame, causing double faults.
Regards
--- Comment #9 from Anastasius Focht focht@gmx.net 2007-11-19 17:31:59 --- Hello again,
Well, I thought about this problem further. Although an alternate stack for the raise frame would let the vectored X11DRV_DIB_FaultHandler execute successfully to handle the DIB reads/writes, Wine wouldn't be able to recover later. When returning from the raise handler, Wine needs to restore the faulting thread's full register set from the saved context.
The typical sequence goes as follows (excerpt from __wine_call_from_32_restore_regs):
--- snip ---
..
push dword ptr [ecx+0C8h]  ; CONTEXTOFFSET(SegSs)
pop ss
mov esp, [ecx+0C4h]        ; CONTEXTOFFSET(Esp)
push dword ptr [ecx+0C0h]  ; CONTEXTOFFSET(EFlags)   *boom*
push dword ptr [ecx+0BCh]  ; CONTEXTOFFSET(SegCs)
push dword ptr [ecx+0B8h]  ; CONTEXTOFFSET(Eip)
push dword ptr [ecx+98h]   ; CONTEXTOFFSET(SegDs)
mov ecx, [ecx+0ACh]        ; CONTEXTOFFSET(Ecx)
pop ds
iret
--- snip ---
Well, as soon as the abused ESP is reloaded from faulting thread context any further restore will fail (likely causing another access violation). I'm not aware of a wine-compatible method (user mode only code) to emulate iret *and* swap stacks.
Interestingly this piece of game code was produced by Microsoft Visual C++ 5.0 compiler ... Who else could produce such brain damaged code ... ok, I've seen several gcc brain damage as well ;-)
There are 24 occurrences of this abusive (DIB) code. Whatever optimization was done ... the compiler simply ran out of the 8 GP registers and resorted to using ESP/EBP in favor of stack vars, leaving Wine's DIB handling mechanism in distress.
I would vote for WONTFIX (until someone decides to change the way DIBs are handled) ;-)
Regards
Jesse Allen the3dfxdude@gmail.com changed:
Status: UNCONFIRMED -> NEW
Ever Confirmed: 0 -> 1
--- Comment #10 from Jesse Allen the3dfxdude@gmail.com 2007-11-20 14:18:14 --- (In reply to comment #9)
Interestingly this piece of game code was produced by Microsoft Visual C++ 5.0 compiler ... Who else could produce such brain damaged code ... ok, I've seen several gcc brain damage as well ;-)
Well, the game actually has parts of the drawing code written in asm to speed the game up. This is how it achieved the "3d" voxels with ancient hardware :) It was probably good at the time, but we are suffering from it now. There is a good chance this has something to do with the problem. I don't think MSVC is at fault here.
There are 24 occurrences of this abusive (DIB) code. Whatever optimization was done ... the compiler simply ran out 8 GP registers and resorted to use ESP/EBP in favor of stack vars - leaving wine's DIB handling mechanism in distress.
I would vote for WONTFIX (until someone decides to change the way DIBs are handled) ;-)
Regards
Well, since the report, and since I have the game and have not tried it with Wine for a while, I pulled the game out to try an experiment. Yes, I can reproduce the bug, so I'll confirm it. Then I rebased my DIB driver to current Wine to see what happens. And well, the city popup works now without crashing. Unfortunately my DIB driver does not have the font support the game requires, so there is no text anywhere to be found ;)
This bug can be fixed with the dib engine, if we don't want to rework the fault handler. See my code at http://repo.or.cz/w/wine/dibdrv.git
--- Comment #11 from Anastasius Focht focht@gmx.net 2007-11-20 15:50:57 --- Hello,
--- quote --- Well, the game actually has parts of the drawing code written in asm to speed the game up. This is how it achieved the "3d" voxels with ancient hardware :) It was probably good at the time, but we are suffering from it now. Whether this has anything to do with the problem it is a good chance. I don't think MSVC is at fault here. --- quote ---
Well, the code chunks abusing ESP are actually part of very large functions with many branches and subroutine calls. These functions have ~2000 "flat" lines of code (without subs) and ~50 variables. That *really* doesn't look like hand-optimized assembler code. It would be a nightmare to manage.
--- quote --- This bug can be fixed with the dib engine, if we don't want to rework the fault handler. See my code at http://repo.or.cz/w/wine/dibdrv.git --- quote ---
Very nice! I wasn't aware of that project. Looking forward to the day when your DIB driver gets included in official wine tree (getting rid of trouble making DIB fault handler) ;-)
Regards
Jesse Allen the3dfxdude@gmail.com changed:
CC: added epimetreus@fastmail.fm
--- Comment #12 from Jesse Allen the3dfxdude@gmail.com 2007-11-20 16:34:07 --- *** Bug 10517 has been marked as a duplicate of this bug. ***
Jared Spurbeck jspurbeck@gmail.com changed:
CC: added jspurbeck@gmail.com
--- Comment #13 from Jared Spurbeck jspurbeck@gmail.com 2007-12-12 16:51:56 ---
This bug can be fixed with the dib engine, if we don't want to rework the fault handler. See my code at http://repo.or.cz/w/wine/dibdrv.git
Most of this discussion went right over my head, I think I picked up the gist of it. Interestingly enough, if you go to the Cedega wiki they report this exact same thing: Alpha Centauri works under Cedega, but there are no fonts!
1. What needs to be done to install this interesting package of code? I've only been using Linux for half a year so I'm not sure. >.<
2. What needs to be done to enable support for Alpha Centauri's fonts? Is it something I could look up information that would allow me to help with it? I haven't coded in years, but I almost wouldn't mind giving it a shot if no one else is working on it!
--- Comment #14 from Jesse Allen the3dfxdude@gmail.com 2007-12-12 18:41:52 --- Well, the fonts are only "disabled" by my description because I have not written support for them in my DIB engine. This has no relation to Cedega, and in fact that sounds like a really old Wine bug. In vanilla Wine now, the fonts do work in this game.
I can possibly try to enable support but be patient, I'm in finals. :)
--- Comment #15 from Michael Mc Donnell michael@mcdonnell.dk 2008-02-15 15:14:19 --- Ok, inspired by Jesse Allen's DIB engine I tried to mess around with the font code. I tried stubbing out X11DRV_SelectFont in winex11.drv/xfont.c with:
FIXME("stub\n"); return 0;
This "fixed" the problem. The game doesn't segfault, but now all the text is missing. Could this behavior be caused by an unknown bug in the font code?
UA=42 jordanstudios2934@gmail.com changed:
CC: added jordanstudios2934@gmail.com
--- Comment #16 from UA=42 jordanstudios2934@gmail.com 2008-02-25 13:58:27 --- Hmmm, last error message before the segfault for me is fixme:font:CreateScalableFontResourceA (0,"arialn.fot","arialn.ttf","Z:\media\ExtHD\Sid Meier's Alpha Centauri"): stub Segmentation fault (core dumped)
version 9.55 of wine
--- Comment #17 from Austin English austinenglish@gmail.com 2008-06-04 14:23:25 --- (In reply to comment #16)
Hmmm, last error message before the segfault for me is fixme:font:CreateScalableFontResourceA (0,"arialn.fot","arialn.ttf","Z:\media\ExtHD\Sid Meier's Alpha Centauri"): stub Segmentation fault (core dumped)
version 9.55 of wine
Did you install this in wine or are you running from a windows install.
--- Comment #18 from Michael Mc Donnell michael@mcdonnell.dk 2008-06-04 14:39:42 --- (In reply to comment #17)
(In reply to comment #16)
Hmmm, last error message before the segfault for me is fixme:font:CreateScalableFontResourceA (0,"arialn.fot","arialn.ttf","Z:\media\ExtHD\Sid Meier's Alpha Centauri"): stub Segmentation fault (core dumped)
version 9.55 of wine
Did you install this in wine or are you running from a windows install.
It doesn't matter. It also crashes if you install it from scratch in Linux. It's an old bug in the winex11 code (I think). The code fails in the function X11DRV_SelectFont in xfont.c. I suspect it's because it tries to access a font it hasn't loaded, but I'm not sure of it. It definitely has something to do with the font code because it doesn't segfault if you comment out this code.
It might be related to CreateScalableFont because the scalable fonts aren't created.
--- Comment #19 from Michael Mc Donnell michael@mcdonnell.dk 2008-07-26 14:09:09 --- (In reply to comment #18)
(In reply to comment #17)
(In reply to comment #16)
Hmmm, last error message before the segfault for me is fixme:font:CreateScalableFontResourceA (0,"arialn.fot","arialn.ttf","Z:\media\ExtHD\Sid Meier's Alpha Centauri"): stub Segmentation fault (core dumped)
version 9.55 of wine
Did you install this in wine or are you running from a windows install.
It doesn't matter. It also crashes if you install it from scratch in Linux. It's an old bug in the winex11 code (I think). The code fails in the function X11DRV_SelectFont in xfont.c. I suspect it's because it tries to access a font it hasn't loaded, but I'm not sure of it. It definitely has something to do with the font code because it doesn't segfault if you comment out this code.
It might be related to CreateScalableFont because the scalable fonts aren't created.
I'm a real newbie Wine hacker, so could anyone point me to where the problem might be? The following lines are from the trace with tid, seh and relay:
***SNIP***
0009:Call gdi32.GetStockObject(0000000d) ret=006308d7
0009:Ret  gdi32.GetStockObject() retval=0000007c ret=006308d7
0009:Call gdi32.SelectObject(00000484,0000007c) ret=006308e1
0009:Call winex11.drv.GetDeviceCaps(00151b00,00000022) ret=7ec44799
0009:Ret  winex11.drv.GetDeviceCaps() retval=000079d7 ret=7ec44799
0009:Call winex11.drv.GetDeviceCaps(00151b00,00000022) ret=7ec44799
0009:Ret  winex11.drv.GetDeviceCaps() retval=000079d7 ret=7ec44799
0009:Call winex11.drv.SelectFont(00151b00,0000007c,00134ab0) ret=7ec55dc8
0009:Call gdi32.GetObjectW(0000007c,0000005c,00334d04) ret=7e6766b5
0009:Ret  gdi32.GetObjectW() retval=0000005c ret=7e6766b5
0009:Call gdi32.GetObjectW(0000007c,0000005c,00334b88) ret=7e67c5aa
0009:Ret  gdi32.GetObjectW() retval=0000005c ret=7e67c5aa
0009:Call gdi32.LPtoDP(00000484,00334af8,00000002) ret=7e64b96d
0009:Ret  gdi32.LPtoDP() retval=00000001 ret=7e64b96d
0009:Call gdi32.LPtoDP(00000484,00334af8,00000002) ret=7e64b91d
0009:Ret  gdi32.LPtoDP() retval=00000001 ret=7e64b91d
0009:Ret  winex11.drv.SelectFont() retval=00000000 ret=7ec55dc8
0009:Ret  gdi32.SelectObject() retval=0000955c ret=006308e1
0009:warn:seh:setup_exception exception outside of stack limits in thread 0009 eip 0063600d esp 00017aab stack 0x231000-0x340000
***SNIP***
Which call causes the exception? Is it the last SelectObject?
Mikolaj Zalewski mikolaj.zalewski@gmail.com changed:
CC: added mikolaj.zalewski@gmail.com
--- Comment #20 from Mikolaj Zalewski mikolaj.zalewski@gmail.com 2008-07-27 10:26:06 --- If I understand correctly, the exception is caused by DIB access. A DIB can be accessed like normal memory or using GDI calls. Wine uses the X server for GDI calls: to e.g. draw a line, we upload the content to the server, mark the memory area as protected and make the server draw the line. When the program tries to access this area like memory, this generates an exception; we catch it, download the updated content from the server, unprotect the memory and resume the program. As was written, the problem is that the program abuses the ESP register while doing DIB operations, which makes the exception not work.
Solving it doesn't look like something feasible for a newbie hacker. The best solution would be to have a DIB engine for in-process GDI manipulations. I've heard it is being worked on. This will avoid this DIB section ping-pong and the exceptions being generated. But that's a large piece of code that needs to be integrated properly with the rest of Wine.
Another possible solution would be to check if Windows has some mechanism to raise exceptions even if ESP is invalid. However, I don't think so; the exception handling is closely related to stack unwinding. But maybe vectored handlers are special? We could also have a special stack for DIB exceptions, but if that is not a Windows feature then it probably won't be accepted because of being a hack.
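The mechanism comment #20 describes, and the alternate-stack idea from comments #8 and #9, boiled down to their POSIX essentials as an added example (this is not Wine's code, and it is not the game's). A page standing in for a DIB is made read-only while "the X server owns it"; the program's store faults; the SIGSEGV handler unprotects the page and returns, so the kernel restores the full register set and retries the store. The "bogus SP" path, which needs x86-64 Linux and inline asm, borrows the value 00017aab from the trace in comment #7 and shows the two outcomes: with the handler registered SA_ONSTACK on a reserved stack (the area comment #8 proposes) the fault is survivable; without it the kernel cannot push a signal frame below an ESP that points nowhere and the process dies of an unhandled SIGSEGV, which is the double fault described in comment #8. Each scenario runs in a forked child so that death only takes the child with it. Assumed: Linux with glibc; on other architectures the bogus-SP path degrades to an ordinary store.

```c
/* Added example (not Wine code).  The DIB "ping-pong" of comment #20 and the
 * alternate signal stack of comments #8/#9, reduced to POSIX primitives.
 * Assumes Linux/glibc; the bogus-ESP path needs x86-64 and borrows the
 * value 0x17aab from the trace in comment #7. */
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

static long page_size;                      /* cached: sysconf() is not signal-safe */
static uintptr_t dib_base, dib_len;         /* the only region the handler may "fix up" */
static volatile sig_atomic_t faults_taken;
static char alt_stack[64 * 1024];           /* the reserved area comment #8 asks for */

static void dib_fault_handler(int sig, siginfo_t *si, void *ctx)
{
    uintptr_t addr = (uintptr_t)si->si_addr;
    (void)sig; (void)ctx;
    if (addr < dib_base || addr - dib_base >= dib_len) {
        signal(SIGSEGV, SIG_DFL);           /* not a DIB page: a real crash, let it die */
        return;
    }
    faults_taken++;
    /* Wine would pull the pixels back from the X server here; we only unprotect.
     * Returning makes the kernel restore every register and retry the store. */
    if (mprotect((void *)(addr & ~(uintptr_t)(page_size - 1)), page_size,
                 PROT_READ | PROT_WRITE) != 0)
        _exit(99);
}

static int install_handler(int on_alt_stack)
{
    stack_t ss = { .ss_sp = alt_stack, .ss_size = sizeof alt_stack, .ss_flags = 0 };
    struct sigaction sa;
    page_size = sysconf(_SC_PAGESIZE);
    if (on_alt_stack && sigaltstack(&ss, NULL) != 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = dib_fault_handler;
    sa.sa_flags = SA_SIGINFO | (on_alt_stack ? SA_ONSTACK : 0);
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGSEGV, &sa, NULL);
}

#if defined(__x86_64__)
#define HAVE_BOGUS_SP 1
/* Store through p while RSP holds a counter, as the game's DIB loop does with ESP. */
static void store_with_bogus_sp(volatile int *p, int v)
{
    unsigned long saved;
    __asm__ volatile("mov %%rsp, %0\n\t"
                     "mov $0x17aab, %%rsp\n\t"  /* "esp 00017aab" in the trace */
                     "movl %2, (%1)\n\t"        /* faults: the page is read-only */
                     "mov %0, %%rsp\n\t"
                     : "=&r"(saved) : "r"(p), "r"(v) : "memory");
}
#else
#define HAVE_BOGUS_SP 0
static void store_with_bogus_sp(volatile int *p, int v) { *p = v; }  /* no asm here */
#endif

/* Child body: protect a page as if the X server owned it, then write to it.
 * Returns 42 when exactly one fault was taken and the store landed. */
static int dib_write(int on_alt_stack, int bogus_sp)
{
    volatile int *px;
    if (install_handler(on_alt_stack) != 0) return -1;
    px = mmap(NULL, page_size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (px == MAP_FAILED) return -1;
    dib_base = (uintptr_t)px; dib_len = page_size;
    if (mprotect((void *)px, page_size, PROT_READ) != 0) return -1;
    if (bogus_sp) store_with_bogus_sp(px, 42); else *px = 42;
    return faults_taken == 1 ? *px : -1;
}

/* Runs dib_write() in a forked child so a double fault kills only the child.
 * Returns 42 on success, -2 if the child died of a signal, -1 on setup error. */
int dib_scenario(int on_alt_stack, int bogus_sp)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(dib_write(on_alt_stack, bogus_sp) == 42 ? 0 : 1);
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (WIFSIGNALED(status)) return -2;
    return WEXITSTATUS(status) == 0 ? 42 : -1;
}

int main(void)
{
    printf("good SP,  thread stack: %d\n", dib_scenario(0, 0));
    printf("good SP,  alt stack   : %d\n", dib_scenario(1, 0));
    printf("bogus SP, thread stack: %d  (-2: no room for the frame, Wine's double fault)\n",
           dib_scenario(0, 1));
    printf("bogus SP, alt stack   : %d\n", dib_scenario(1, 1));
    return 0;
}
```

The range check in the handler is the caveat comment #8 raises from the other side: a fault-fixing handler that unprotects whatever address faulted turns every genuine crash into silent memory corruption, so it must only touch pages it registered and re-raise everything else with the default action. The alternate stack solves the delivery half of the problem only; as comment #9 notes, returning to the faulting code still hands the bogus stack pointer back to it, which is fine here because the store is the only thing executed before the real pointer is restored.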
Michael Mc Donnell michael@mcdonnell.dk changed:
Depends on: added 421
--- Comment #21 from Austin English austinenglish@gmail.com 2009-04-17 12:07:19 --- Is this still an issue in current (1.1.19 or newer) wine?
--- Comment #22 from Michael Mc Donnell michael@mcdonnell.dk 2009-04-18 04:55:52 --- (In reply to comment #21)
Is this still an issue in current (1.1.19 or newer) wine?
Yes, it's still an issue in 1.1.19. It depends on the DIB engine (bug 421).
Johan Gill johan.gill@gmail.com changed:
CC: added johan.gill@gmail.com
--- Comment #23 from Johan Gill johan.gill@gmail.com 2009-07-08 18:00:46 --- Confirming that it works with Max's DIB engine enabled.
--- Comment #24 from Jared Spurbeck jspurbeck@gmail.com 2009-07-11 10:09:36 --- How does one do that? I've found instructions for patching and building from source, but it seems like the latest files they have there are for 1.1.24, and I don't know how to download source for anything other than 1.1.25. Maybe this isn't the best place to ask for tech support with it, but I'm lost.
Is the revised DIB engine going to make its way into main, does anyone know?
sub.mesa@gmail.com changed:
CC: added sub.mesa@gmail.com
--- Comment #25 from sub.mesa@gmail.com 2009-08-08 09:34:50 --- Confirming this bug fixed with WINEDIB=on (patched wine 1.1.26).
Austin English austinenglish@gmail.com changed:
CC: added xerox_xerox2000@yahoo.co.uk
--- Comment #26 from Austin English austinenglish@gmail.com 2010-01-03 13:12:38 --- *** Bug 9742 has been marked as a duplicate of this bug. ***
Austin English austinenglish@gmail.com changed:
CC: added htl10@users.sourceforge.net
--- Comment #27 from Austin English austinenglish@gmail.com 2010-07-11 14:20:01 --- *** Bug 20976 has been marked as a duplicate of this bug. ***
--- Comment #28 from Michael Mc Donnell michael@mcdonnell.dk 2010-10-01 04:11:52 CDT --- Seems like this did not require a DIB engine! The bug no longer appears in wine-1.3.3
Michael Mc Donnell michael@mcdonnell.dk changed:
Depends on: removed 421
Dmitry Timoshkov dmitry@codeweavers.com changed:
Status: NEW -> RESOLVED
Resolution: FIXED
--- Comment #29 from Dmitry Timoshkov dmitry@codeweavers.com 2010-10-01 08:35:59 CDT --- Reported fixed.
Alexandre Julliard julliard@winehq.org changed:
Status: RESOLVED -> CLOSED
--- Comment #30 from Alexandre Julliard julliard@winehq.org 2010-10-01 13:58:09 CDT --- Closing bugs fixed in 1.3.4.
Anastasius Focht focht@gmx.net changed:
Hardware: Other -> x86