http://bugs.winehq.org/show_bug.cgi?id=33055
Bug #: 33055
Summary: Fishdom 2 crashes during the initial loading stage
Product: Wine
Version: 1.5.3
Platform: x86
URL: http://www.playrix.com/download/pc/fishdom-2/
OS/Version: Linux
Status: NEW
Keywords: download, regression
Severity: normal
Priority: P2
Component: directx-d3d
AssignedTo: wine-bugs@winehq.org
ReportedBy: gyebro69@gmail.com
CC: hverbeet@gmail.com
Classification: Unclassified
Regression SHA1: 83761d20a8654a616b557ecdb2869436beae7f95
Created attachment 43695 --> http://bugs.winehq.org/attachment.cgi?id=43695 terminal output
This is the game from bug #27733. When you start the game from the launcher, it crashes after the logo screen, just when the 'loading...' screen should appear.
The strange thing is that if you launch the game with a working Wine version (e.g. 1.4.1), allow it to load to the menu, exit the game, upgrade the wineprefix to a recent version and restart the game, then the crash will no longer occur.
The result of the regression test:

83761d20a8654a616b557ecdb2869436beae7f95 is the first bad commit
commit 83761d20a8654a616b557ecdb2869436beae7f95
Author: Henri Verbeet hverbeet@codeweavers.com
Date: Wed Apr 18 20:51:26 2012 +0200

    d3d8: Get rid of IDirect3DBaseTexture8Impl.
Steps to reproduce the problem with the trial version:
1. Download and install the demo.
2. Start it with fishdom.exe. In the launcher click on the <Play trial version> button, then skip the Playrix logo screen by pressing the left mouse button... this is where the game crashes.
Fedora 18 Nvidia 250 / driver 313.18
Austin English austinenglish@gmail.com changed:
What |Removed |Added
-----+--------+------------------------
CC   |        |austinenglish@gmail.com
--- Comment #1 from Austin English austinenglish@gmail.com 2013-02-25 13:26:27 CST --- I get this as well.
Austin English austinenglish@gmail.com changed:
What   |Removed |Added
-------+--------+------
Blocks |        |27733
--- Comment #2 from Rico kgbricola@web.de 2013-04-03 08:56:25 CDT --- Created attachment 44074 --> http://bugs.winehq.org/attachment.cgi?id=44074 +d3d8 log
The game sets an already freed texture.
0009:trace:d3d8:d3d8_device_CreateTexture iface 0x147a18, width 174, height 600, levels 1, usage 0, format 0x15, pool 0x1, texture 0x1af137c.
0009:trace:d3d8:device_parent_create_texture_surface device_parent 0x147a1c, container_parent 0x1e1c08, width 174, height 600, format 0x72, usage 0, pool 0x1, sub_resource_idx 0, surface 0x32f37c.
0009:trace:d3d8:d3d8_device_create_surface device 0x147a18, width 174, height 600, format 0x15, lockable 0x1, discard 0, surface 0x32f2cc, usage 0, pool 0x1, multisample_type 0, multisample_quality 0.
0009:trace:d3d8:d3d8_device_AddRef 0x147a18 increasing refcount to 10.
0009:trace:d3d8:d3d8_device_create_surface Created surface 0x1e1d78.
0009:trace:d3d8:d3d8_device_Release 0x147a18 decreasing refcount to 9.
0009:trace:d3d8:d3d8_surface_Release iface 0x1e1d78.
0009:trace:d3d8:d3d8_surface_Release 0x1e1d78 decreasing refcount to 0.
0009:trace:d3d8:d3d8_device_AddRef 0x147a18 increasing refcount to 10.
0009:trace:d3d8:d3d8_device_CreateTexture Created texture 0x1e1c08.
...
0009:trace:d3d8:d3d8_device_SetTexture iface 0x147a18, stage 0, texture 0x1e1c08.
...
0009:trace:d3d8:d3d8_texture_2d_Release 0x1e1c08 decreasing refcount to 0.
0009:trace:d3d8:d3d8_device_Release 0x147a18 decreasing refcount to 26.
...
0009:trace:d3d8:d3d8_device_SetTexture iface 0x147a18, stage 0, texture (nil).
...
0009:trace:d3d8:d3d8_device_SetTexture iface 0x147a18, stage 0, texture 0x1e1c08.
../../../git/dlls/d3d8/texture.c:1160: unsafe_impl_from_IDirect3DBaseTexture8: Assertion `iface->lpVtbl == (const IDirect3DBaseTexture8Vtbl *)&Direct3DTexture8_Vtbl || iface->lpVtbl == (const IDirect3DBaseTexture8Vtbl *)&Direct3DCubeTexture8_Vtbl || iface->lpVtbl == (const IDirect3DBaseTexture8Vtbl *)&Direct3DVolumeTexture8_Vtbl' failed.
--- Comment #3 from Rico kgbricola@web.de 2013-04-03 09:30:43 CDT --- Created attachment 44075 --> http://bugs.winehq.org/attachment.cgi?id=44075 dirty workaround
It seems you are allowed to pass junk to SetTexture; as long as you don't draw, all seems to be fine. Well, that of course needs a test. The game goes further if you disable the assert and return NULL. (The log part is not from the same run as the previous log.)
// use the freed texture, but don't use it, why would anyone do this?
0009:trace:d3d8:d3d8_device_SetTexture iface 0x147a18, stage 0, texture 0x1e1c08.
0009:fixme:d3d8:unsafe_impl_from_IDirect3DBaseTexture8 stupid app
0009:trace:d3d8:d3d8_device_GetTransform iface 0x147a18, state 0x100, matrix 0x32f390.
0009:trace:d3d8:d3d8_device_MultiplyTransform iface 0x147a18, state 0x100, matrix 0x32f38c.
0009:trace:d3d8:d3d8_device_MultiplyTransform iface 0x147a18, state 0x100, matrix 0x32f398.
// set a new one
0009:trace:d3d8:d3d8_device_SetTexture iface 0x147a18, stage 0, texture 0x81a1730.
--- Comment #4 from Henri Verbeet hverbeet@gmail.com 2013-04-04 06:31:19 CDT --- Created attachment 44088 --> http://bugs.winehq.org/attachment.cgi?id=44088 patch
I propose the attached.
--- Comment #5 from Rico kgbricola@web.de 2013-04-04 09:20:49 CDT --- No, if we pass garbage to wined3d_device_set_texture it will crash there - this is where texture_impl->wined3d_texture points to, that's why I think we have to use NULL. The texture variable contains freed memory, which could be already overwritten. The game also crashes with your patch.
Unhandled exception: divide by zero in 32-bit code (0x7e265420).
=>0 0x7e265420 wined3d_buffer_preload+0x2e0(buffer=<couldn't compute location>) [/mnt/raid0/software/wine/build/dlls/wined3d/../../../git/dlls/wined3d/buffer.c:884] in wined3d (0x0033f0d8)
  1 0x7e2674f5 wined3d_buffer_unmap+0xb4(buffer=0x1e1bd8) [/mnt/raid0/software/wine/build/dlls/wined3d/../../../git/dlls/wined3d/buffer.c:1173] in wined3d (0x0033f158)
  2 0x7e381521 d3d8_device_DrawPrimitiveUP+0x150(iface=0x147650, primitive_type=D3DPT_TRIANGLESTRIP, primitive_count=0x2, data=0x33f1e4, stride=0x18) [/mnt/raid0/software/wine/build/dlls/d3d8/../../../git/dlls/d3d8/device.c:1969] in d3d8 (0x0033f1c4)
  3 0x0059c3de in game.run (+0x19c3dd) (0x0033f244)
Passing freed memory around doesn't seem to be a good idea...
Maybe I missed something while testing?
This happens only on the first start. If you started the app once successfully, you have to reinstall it to trigger the bug.
--- Comment #6 from Henri Verbeet hverbeet@gmail.com 2013-04-04 09:47:59 CDT --- (In reply to comment #5)
No, if we pass garbage to wined3d_device_set_texture it will crash there - this is where texture_impl->wined3d_texture points to, that's why I think we have to use NULL. The texture variable contains freed memory, which could be already overwritten. The game also crashes with your patch.
The idea was to keep GetTexture() working as well, but that's not going to work anyway because of the AddRef() in there, so NULL is probably the right thing to return. It's a bit curious that it would work before 83761d20a8654a616b557ecdb2869436beae7f95 though, since it would pass the same uninitialized memory to wined3d_device_set_texture() in that case.
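The two positions in comment #3 and comment #6 (disable the assert, hand NULL to the backend rather than a pointer taken from a freed object) come down to one question: how does a COM-style entry point decide whether a caller-supplied interface pointer still belongs to one of its own object types? The following is an added example, written for this page and not Wine's code. It models the d3d8 pattern in miniature: objects whose first word is a vtable pointer, a lenient `unsafe_impl_from_base_texture` that compares that word against the known implementation vtables and returns NULL on mismatch, and a replay of the sequence seen in the +d3d8 log (create, bind, release to refcount 0, bind NULL, bind the stale pointer again). All names, the `device`/`texture_impl` layouts and the `wined3d_texture` handle are simplified stand-ins. Objects live in a small static arena that is scribbled on release instead of being returned to malloc, so that reading the stale slot stays defined behaviour for the demonstration; on a real heap that read is exactly the undefined behaviour the thread is about.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not Wine code): minimal COM-style objects whose first
 * word is the vtable pointer, as with IDirect3DBaseTexture8. */
typedef struct base_texture_vtbl
{
    unsigned long (*release)(void *iface);
} base_texture_vtbl;

typedef struct texture_impl
{
    const base_texture_vtbl *lpVtbl;
    unsigned long refcount;
    void *wined3d_texture;   /* hypothetical backend handle, stand-in only */
} texture_impl;

/* Fixed arena standing in for the heap.  Slots are never handed back to
 * malloc, so reading a "freed" slot is defined here (it would not be on
 * a real heap, which is the bug the thread describes). */
#define ARENA_SLOTS 4
static texture_impl arena[ARENA_SLOTS];
static int arena_used[ARENA_SLOTS];

static unsigned long texture_release(void *iface);

/* Three known implementation vtables, one per texture kind, mirroring
 * the three vtables the Wine assert compares against. */
static const base_texture_vtbl texture_2d_vtbl     = { texture_release };
static const base_texture_vtbl cube_texture_vtbl   = { texture_release };
static const base_texture_vtbl volume_texture_vtbl = { texture_release };

static texture_impl *create_texture(const base_texture_vtbl *vtbl)
{
    for (int i = 0; i < ARENA_SLOTS; i++)
    {
        if (arena_used[i]) continue;
        arena_used[i] = 1;
        arena[i].lpVtbl = vtbl;
        arena[i].refcount = 1;
        arena[i].wined3d_texture = &arena[i];   /* any non-NULL handle */
        return &arena[i];
    }
    return NULL;
}

/* On the last reference the slot is freed.  Like a debug heap, scribble
 * the block so the stale vtable pointer no longer matches anything. */
static unsigned long texture_release(void *iface)
{
    texture_impl *t = iface;
    if (--t->refcount) return t->refcount;
    memset(t, 0xfe, sizeof(*t));
    arena_used[t - arena] = 0;
    return 0;
}

/* Lenient variant of the helper: instead of asserting, return NULL for
 * any pointer whose vtable is not one of ours.  Nothing from the
 * untrusted object is used beyond its first word. */
static texture_impl *unsafe_impl_from_base_texture(void *iface)
{
    if (!iface) return NULL;
    const base_texture_vtbl *vtbl = *(const base_texture_vtbl **)iface;
    if (vtbl == &texture_2d_vtbl || vtbl == &cube_texture_vtbl
            || vtbl == &volume_texture_vtbl)
        return iface;
    fprintf(stderr, "unsafe_impl_from_base_texture: iface %p has unknown "
            "vtable %p, treating as NULL.\n", iface, (const void *)vtbl);
    return NULL;
}

typedef struct device
{
    void *stage0;   /* backend texture bound to stage 0, or NULL */
} device;

/* SetTexture passes the backend handle down, never the raw iface, so a
 * rejected pointer unbinds the stage instead of reaching the backend. */
static int device_set_texture(device *dev, void *iface)
{
    texture_impl *t = unsafe_impl_from_base_texture(iface);
    dev->stage0 = t ? t->wined3d_texture : NULL;
    return 0;
}

/* Replays the sequence from the +d3d8 log.  Returns 1 if the stale
 * pointer was neutralised (stage 0 ends up unbound), 0 otherwise. */
static int replay_stale_set_texture(void)
{
    device dev = { NULL };
    texture_impl *tex = create_texture(&texture_2d_vtbl);
    void *stale = tex;

    device_set_texture(&dev, tex);
    if (dev.stage0 == NULL) return 0;     /* a live object must bind */
    texture_release(tex);                 /* refcount 1 -> 0: freed */
    device_set_texture(&dev, NULL);
    device_set_texture(&dev, stale);      /* the app's use-after-free */
    return dev.stage0 == NULL;
}

int main(void)
{
    printf("stale SetTexture neutralised: %s\n",
           replay_stale_set_texture() ? "yes" : "no");
    return 0;
}
```

The vtable comparison is a sanity check, not a security boundary: it catches a scribbled or unrelated block, but a freed block whose first word still happens to hold the old vtable address (the case before the d3d8 refactoring, as the comment above notes) passes it and the stale object is trusted. The only robust fix is on the application side, or in the backend refusing to dereference a handle it did not hand out.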
Rico kgbricola@web.de changed:
What |Removed |Added
-----+--------+----------------------
CC   |        |aeikum@codeweavers.com
--- Comment #7 from Rico kgbricola@web.de 2013-04-07 09:49:23 CDT --- Removing the assert and using only the warning (http://bugs.winehq.org/attachment.cgi?id=44088) or reverting to the old behavior will work till patch:
2c6087457b97e815ee094e7ed75ca79317a5d14a is the first bad commit
commit 2c6087457b97e815ee094e7ed75ca79317a5d14a
Author: Andrew Eikum aeikum@codeweavers.com
Date: Mon May 14 12:31:01 2012 -0500

    dsound: Remove minlen, since we always mix full chunks anyway.

:040000 040000 52dc0b21b6cd59b8407f39442fb156e3d6112091 32eb1f192f1ec78aafee2cec32e739e78f874a17 M dlls
After that using the dirty workaround is needed!
So 2c6087457b97e815ee094e7ed75ca79317a5d14a introduces something which really breaks - regardless of the regression by 83761d20a8654a616b557ecdb2869436beae7f95. Maybe the app puts also some garbage values in there? Andrew could you have a look please?
I think using the dirty workaround is still the way to go, but we should take a look not introducing some other problem with 2c6087457b97e815ee094e7ed75ca79317a5d14a.
--- Comment #8 from Rico kgbricola@web.de 2013-04-07 14:06:40 CDT --- Using "device->mixpos = writepos + maxq;" instead of "device->mixpos = writepos + frag;" makes the culprit. Thus it does "if (prebuff_left >= device->fraglen)" instead of the else case. After a little bit of trying commenting out "if(DSOUND_PrimaryPlay(device) != DS_OK){" lets the app load fine.
To solve the 2c6087457b97e815ee094e7ed75ca79317a5d14a regression use: WINEDLLOVERRIDES="dsound=" and using the warning patch OR using the dirty workaround
--- Comment #9 from Andrew Eikum aeikum@codeweavers.com 2013-04-08 10:29:23 CDT --- (In reply to comment #7)
Removing the assert and using only the warning (http://bugs.winehq.org/attachment.cgi?id=44088) or reverting to the old behavior will work till patch:
It seems to work fine for me with this patch applied. Can you attach a log with the channels from http://wiki.winehq.org/Sound? Maybe we should be ignoring some return value in DSOUND_PrimaryPlay().
--- Comment #10 from Rico kgbricola@web.de 2013-04-09 02:01:21 CDT --- Created attachment 44127 --> http://bugs.winehq.org/attachment.cgi?id=44127 +dsound log
WINEDEBUG=+tid,+mmdevapi,+winmm,+driver,+midi,+dsound,+dsound3d,+dmusic,+mci,+oss,+alsa,+coreaudio,+dmime,+dmloader,+dmfile,+dmfileraw,+dmdump,+dmband,+dmcompos,+dmscript,+dmstyle,+dmsynth,+dmusic32,+dswave
wine 1.5.27, with a patch similar to http://bugs.winehq.org/attachment.cgi?id=44088
--- Comment #11 from Andrew Eikum aeikum@codeweavers.com 2013-04-09 08:04:33 CDT --- This looks kind of like Bug 29431. That had a crash around RecalcVolPan, too. I think commit 4adfb787f4e8c36 was supposed to fix this problem. Does it help here, too? You could also try building with "-mstackrealign -mincoming-stack-boundary=2" in CFLAGS.
--- Comment #12 from Rico kgbricola@web.de 2013-04-09 09:55:09 CDT --- No, these CFLAGS don't seem to help. Also wine 1.5.27 already has patch 4adfb787f4e8c36.
Out of curiosity... Gyb and Austin, does the patch http://bugs.winehq.org/attachment.cgi?id=44088 work with wine git for you? Or do you get the same crash as I get? This is just to eliminate that my system configuration is broken.
--- Comment #13 from Austin English austinenglish@gmail.com 2013-04-09 12:26:58 CDT --- (In reply to comment #12)
No, these CFLAGS don't seem to help. Also wine 1.5.27 already has patch 4adfb787f4e8c36.
Out of curiosity... Gyb and Austin, does the patch http://bugs.winehq.org/attachment.cgi?id=44088 work with wine git for you? Or do you get the same crash as I get? This is just to eliminate that my system configuration is broken.
That patch works fine for me with wine-1.5.27-182-g77ed56c. Without the patch, game still crashes on start.
--- Comment #14 from Henri Verbeet hverbeet@gmail.com 2013-04-23 02:20:36 CDT --- Should be fixed by 1486bdd99ff0d0d7fa39042517736d645ce02675.
Austin English austinenglish@gmail.com changed:
What          |Removed |Added
--------------+--------+-----------------------------------------
Fixed by SHA1 |        |1486bdd99ff0d0d7fa39042517736d645ce02675
Status        |NEW     |RESOLVED
Resolution    |        |FIXED
--- Comment #15 from Austin English austinenglish@gmail.com 2013-04-23 12:26:19 CDT --- (In reply to comment #14)
Should be fixed by 1486bdd99ff0d0d7fa39042517736d645ce02675.
Yep, works fine in wine-1.5.28-141-gf663683, thanks!
Alexandre Julliard julliard@winehq.org changed:
What   |Removed  |Added
-------+---------+-------
Status |RESOLVED |CLOSED
--- Comment #16 from Alexandre Julliard julliard@winehq.org 2013-04-26 13:15:22 CDT --- Closing bugs fixed in 1.5.29.