https://bugs.winehq.org/show_bug.cgi?id=37907
Bug ID: 37907
Summary: The Incredible Adventures of Van Helsing > Steam - Won't Run
Product: Wine
Version: 1.7.33
Hardware: x86-64
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: -unknown
Assignee: wine-bugs@winehq.org
Reporter: erick_darc@hotmail.com
Distribution: ---
Created attachment 50489 --> https://bugs.winehq.org/attachment.cgi?id=50489 Back Trace
When I try to run the game, I only get a black screen and the dump report page.
Anastasius Focht focht@gmx.net changed:
What     |Removed |Added
----------------------------------------------------------------------------
Keywords |        |win64
URL      |        |http://store.steampowered.com/app/215530/
CC       |        |focht@gmx.net
Summary  |The Incredible Adventures of Van Helsing > Steam - Won't Run |The Incredible Adventures of Van Helsing (64-bit, Steam) crashes on startup
Anastasius Focht focht@gmx.net changed:
What           |Removed     |Added
----------------------------------------------------------------------------
Status         |UNCONFIRMED |NEW
Component      |-unknown    |user32
Summary        |The Incredible Adventures of Van Helsing (64-bit, Steam) crashes on startup |The Incredible Adventures of Van Helsing (64-bit, Steam) crashes on startup (loading of frames from .ani cursors causes heap corruption)
Ever confirmed |0           |1
--- Comment #1 from Anastasius Focht focht@gmx.net ---
Hello folks,
confirming.
The game suffers from a nasty heap corruption which later manifests in crashes in unrelated areas/APIs.
Unfortunately debugging hides the crash. The game is multi-threaded and any change of timing due to stepping/breakins results in different heap usage from multiple threads, preventing the combination where the block corruption hits DCE lists.
(registry settings for relay exclude removed to show internal calls before the crash)
--- snip ---
...
0023:trace:d3d:wined3d_init Initializing adapters.
0023:trace:d3d:wined3d_adapter_init adapter 0xadc30, ordinal 0.
0023:Call user32.GetDC(00000000) ret=7f076d69983c
0023:trace:win:GetDCEx hwnd 0x10020, hrgnClip (nil), flags 00000003
0023:Call ntdll.RtlEnterCriticalSection(7f076cfa8040) ret=7f076cd08298
0023:Ret ntdll.RtlEnterCriticalSection() retval=00000000 ret=7f076cd08298
0023:Call ntdll.RtlLeaveCriticalSection(7f076cfa8040) ret=7f076cd082ae
0023:Ret ntdll.RtlLeaveCriticalSection() retval=00000000 ret=7f076cd082ae
0023:Call ntdll.RtlEnterCriticalSection(7f076cfa8040) ret=7f076cd08298
0023:Ret ntdll.RtlEnterCriticalSection() retval=00000000 ret=7f076cd08298
0023:Call ntdll.RtlLeaveCriticalSection(7f076cfa8040) ret=7f076cd082ae
0023:Ret ntdll.RtlLeaveCriticalSection() retval=00000000 ret=7f076cd082ae
0023:Call ntdll.RtlEnterCriticalSection(7f076cfa8040) ret=7f076cd08298
0023:Ret ntdll.RtlEnterCriticalSection() retval=00000000 ret=7f076cd08298
0023:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7f076ccea1fc ip=7f076ccea1fc tid=0023
0023:trace:seh:raise_exception rax=0001004000000000 rbx=000000000023f7b0 rcx=00007f0774652a9b rdx=0001004000000000
0023:trace:seh:raise_exception rsi=00007f0774652a94 rdi=00007f0774652a50 rbp=000000000023d160 rsp=000000000023d010
0023:trace:seh:raise_exception r8=0000003071e48cfd r9=0000000000000021 r10=0000000000000000 r11=0000003071f811c0
0023:trace:seh:raise_exception r12=0000000000000008 r13=000000000023f7b0 r14=0000000000000320 r15=0000000000000000
--- snip ---
Corruption in DCE list causes the crash.
Debugger session:
--- snip ---
...
Wine-dbg>info process
 pid      threads  executable (all id:s are in hex)
 00000022 4        'VanHelsing_x64.exe'
 00000020 2        'explorer.exe'
 0000000e 6        'services.exe'
 00000019 3        \_ 'plugplay.exe'
 00000012 4        \_ 'winedevice.exe'

Wine-dbg>info threads
process  tid      prio (all id:s are in hex)
...
00000020 explorer.exe
    00000024    0
    00000021    0
00000022 (D) C:\The Incredible Adventures of Van Helsing\VanHelsing_x64.exe
    00000027    0
    00000026    0
    00000025    0
    00000023    1 <==

...

Wine-dbg>bt
Backtrace:
=>0 0x00007ff9da7e4d3a map_fileW+0xf6(name="C:\The Incredible Adventures of Van Helsing\UI\Cursors\magic.ani", filesize=0x23f320) [/home/focht/projects/wine/wine.repo/src/dlls/user32/cursoricon.c:314] in user32 (0x000000000023f2c0)
  1 0x00007ff9da7e7d48 CURSORICON_LoadFromFile+0x9a(filename="C:\The Incredible Adventures of Van Helsing\UI\Cursors\magic.ani", width=0x20, height=0x20, depth=0x20, fCursor=0x1, loadflags=0x50) [/home/focht/projects/wine/wine.repo/src/dlls/user32/cursoricon.c:1351] in user32 (0x000000000023f360)
  2 0x00007ff9da7e8063 CURSORICON_Load+0x113(hInstance=0x140000000, name="C:\The Incredible Adventures of Van Helsing\UI\Cursors\magic.ani", width=0x20, height=0x20, depth=0x20, fCursor=0x1, loadflags=0x50) [/home/focht/projects/wine/wine.repo/src/dlls/user32/cursoricon.c:1413] in user32 (0x000000000023f440)
  3 0x00007ff9da7eca1e LoadImageW+0x1b2(hinst=0x140000000, name="C:\The Incredible Adventures of Van Helsing\UI\Cursors\magic.ani", type=0x2, desiredx=0x20, desiredy=0x20, loadflags=0x50) [/home/focht/projects/wine/wine.repo/src/dlls/user32/cursoricon.c:2669] in user32 (0x000000000023f540)
  4 0x00000001405a342b in vanhelsing_x64 (+0x5a342a) (0x000000000023f650)
  5 0x00000001405a3835 in vanhelsing_x64 (+0x5a3834) (0x000000000023f7d0)
  6 0x0000000140602f6b in vanhelsing_x64 (+0x602f6a) (0x000000000023f7d0)
  7 0x00000001409a8a64 in vanhelsing_x64 (+0x9a8a63) (0x000000000023fd20)

...

Wine-dbg>n
CURSORICON_LoadFromFile () at /home/focht/projects/wine/wine.repo/src/dlls/user32/cursoricon.c:1352
1352        if (!bits)

Wine-dbg>n
1356        if (memcmp( bits, "RIFF", 4 ) == 0)

Wine-dbg>p bits
"RIFFóΓ"

Wine-dbg>n
1358            hIcon = CURSORICON_CreateIconFromANI( bits, filesize, width, height, depth, !fCursor, loadflags );

Wine-dbg>s
CURSORICON_CreateIconFromANI () at /home/focht/projects/wine/wine.repo/src/dlls/user32/cursoricon.c:1095
1095    {

Wine-dbg>p header
{header_size=0x24, num_frames=0xf, num_steps=0xf, width=0x40, height=0x40, bpp=0x20, num_planes=0x1, display_rate=0x5, flags=0x1}

...

Wine-dbg>n
1168        frames = HeapAlloc( GetProcessHeap(), 0, sizeof(DWORD)*header.num_frames );

; 0x3C (0xF*4) -> [3C6C0..3C6FC]

Wine-dbg>x/100x frames
0x000000000003c6c0:  00010170 00000000 00010150 00000000
0x000000000003c6d0:  00000000 00000000 3f800000 00000000
0x000000000003c6e0:  00000000 00000001 7fffffff 7fffffff
0x000000000003c6f0:  80000000 80000000 7c8cbfc8 00000000
0x000000000003c700:  0003c6b8 00000000 00002018 08455355 ; HEAP magic
0x000000000003c710:  00000020 00000000 00000020 00000000
0x000000000003c720:  00000000 00000000 00000000 00000000
...

Wine-dbg>n
1185        for (i=0; i<header.num_frames; i++)

<end of loop>
...
Wine-dbg>x/100x frames
0x000000000003c6c0:  00020056 00000000 0002005a 00000000
0x000000000003c6d0:  00020058 00000000 00020064 00000000
0x000000000003c6e0:  00020062 00000000 00020060 00000000
0x000000000003c6f0:  0002005e 00000000 0002005c 00000000
0x000000000003c700:  00030046 00000000 00020094 00000000
0x000000000003c710:  00020092 00000000 00020090 00000000
0x000000000003c720:  0002008e 00000000 00000000 00000000
0x000000000003c730:  00000000 00000000 00000000 00000000
...
--- snip ---
Source: http://source.winehq.org/git/wine.git/blob/762aef661318cb643ce393af40267f2d8...
--- snip ---
1093 static HCURSOR CURSORICON_CreateIconFromANI( const BYTE *bits, DWORD bits_size, INT width, INT height,
1094                                              INT depth, BOOL is_icon, UINT loadflags )
1095 {
1096     struct animated_cursoricon_object *ani_icon_data;
1097     struct cursoricon_object *info;
1098     DWORD *frame_rates = NULL;
1099     DWORD *frame_seq = NULL;
1100     ani_header header = {0};
1101     BOOL use_seq = FALSE;
1102     HCURSOR cursor = 0;
1103     UINT i;
1104     BOOL error = FALSE;
1105     HICON *frames;
...
1168     frames = HeapAlloc( GetProcessHeap(), 0, sizeof(DWORD)*header.num_frames );
1169     if (!frames)
1170     {
1171         free_icon_handle( cursor );
1172         return 0;
1173     }
--- snip ---
HICON = HANDLE = 64-bit on 64-bit, but the array is allocated with a hard-coded 32-bit element size instead of using 'sizeof(HICON)'.
With that part fixed the crash is gone and the game runs into next bugs (same as 32-bit version) - already reported.
--- snip ---
...
fixme:d3dx:ID3DXFontImpl_DrawTextA iface 0xd1d30, sprite (nil), string "Measuring Hardware Performance", count 30, rect (300,295)-(800,600), format 0, color 0xffffffff stub!
fixme:d3dcompiler:compile_shader Compilation target "fx_2_0" not yet supported
fixme:d3dx:d3dx9_effect_init Failed to parse effect, hr 0x8876086c.
wine: Unhandled page fault on read access to 0x00000000 at address 0x1404845d2 (thread 0023), starting debugger...
...
--- snip ---

$ wine --version
wine-1.7.34-60-gd6450cf
Regards
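
Added example, not part of the bug report and not Wine's code: the element-size mismatch diagnosed in comment #1, computed for the num_frames=0xf header shown in the debugger session, next to an allocation helper that takes the size from the array's own type. HICON_T, DWORD_T and all function names are stand-ins invented for this example, and the handle values are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-ins chosen for this example (assumptions, not the Wine headers). */
typedef void *HICON_T;     /* pointer-sized handle, like HICON = HANDLE */
typedef uint32_t DWORD_T;  /* always 32 bits, like DWORD */

/* Bytes requested by the pre-fix call: sizeof(DWORD) * num_frames. */
static size_t buggy_alloc_size(uint32_t num_frames)
{
    return sizeof(DWORD_T) * (size_t)num_frames;
}

/* Bytes stored past the end of that block once every handle is written. */
static size_t overrun_bytes(uint32_t num_frames)
{
    size_t need = sizeof(HICON_T) * (size_t)num_frames;
    size_t got = buggy_alloc_size(num_frames);
    return need > got ? need - got : 0;
}

/* Hardened form: element size comes from the array's own type, and the
 * file-supplied count is rejected if zero or if count * size would wrap. */
static HICON_T *alloc_frames(uint32_t num_frames)
{
    HICON_T *frames;
    if (num_frames == 0 || num_frames > SIZE_MAX / sizeof(*frames))
        return NULL;
    return calloc(num_frames, sizeof(*frames));
}

/* Store one constructed handle value per frame; returns the count stored. */
static uint32_t fill_frames(HICON_T *frames, uint32_t num_frames)
{
    uint32_t i;
    for (i = 0; i < num_frames; i++)
        frames[i] = (HICON_T)(uintptr_t)(0x20056u + 2u * i);
    return i;
}

int main(void)
{
    uint32_t n = 0xf;  /* num_frames from the ANI header shown above */
    HICON_T *frames = alloc_frames(n);
    printf("buggy request: 0x%zx bytes, overrun: 0x%zx bytes\n",
           buggy_alloc_size(n), overrun_bytes(n));
    if (frames) printf("stored %u handles in bounds\n", fill_frames(frames, n));
    free(frames);
    return 0;
}
```

On a 32-bit build the overrun is zero because both element sizes are 4 bytes, which is why only the win64 build of the game hit the corruption.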
Anastasius Focht focht@gmx.net changed:
What          |Removed |Added
----------------------------------------------------------------------------
Fixed by SHA1 |        |da8bb1c4a5565b332159c8b9ee3d3b4378b80e57
Status        |NEW     |RESOLVED
Resolution    |---     |FIXED
--- Comment #2 from Anastasius Focht focht@gmx.net ---
Hello folks,
this is fixed by commit http://source.winehq.org/git/wine.git/commitdiff/da8bb1c4a5565b332159c8b9ee3...
Thanks Bruno
Regards
Alexandre Julliard julliard@winehq.org changed:
What   |Removed  |Added
----------------------------------------------------------------------------
Status |RESOLVED |CLOSED

--- Comment #3 from Alexandre Julliard julliard@winehq.org ---
Closing bugs fixed in 1.7.35.