https://bugs.winehq.org/show_bug.cgi?id=45080
Bug ID: 45080
Summary: Null pointer dereference: possible undocumented nonstandard cppstdlib behaviour in Windows.
Product: Wine
Version: 3.6
Hardware: x86
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: ucrtbase
Assignee: wine-bugs@winehq.org
Reporter: aphid.mmonly@gmail.com
Distribution: ---
Created attachment 61231 --> https://bugs.winehq.org/attachment.cgi?id=61231
Crash: detailed call log on Wine-staging 3.6.
I tried running/debugging the new game Frostpunk under Wine after multiple other users had tried to run this application and posted, in a request thread for a Mac/Linux version of this currently Windows-only application, that it would not start.
I tried starting it with some debugging options attached and found out it crashed because of a null pointer dereference error.
Crash log on this post is Wine-Staging. I'll retest with regular wine as well (essentially the same error occurs) and add that as a separate attachment.
--- Comment #1 from aphid.mmonly@gmail.com ---
Created attachment 61232 --> https://bugs.winehq.org/attachment.cgi?id=61232
Crash log and calls for wine-3.7
Fabian Maurer dark.shadow4@web.de changed:
What | Removed | Added
-----|---------|------
CC   |         | dark.shadow4@web.de
--- Comment #2 from Fabian Maurer dark.shadow4@web.de --- What brings you to the conclusion that it's "possible undocumented nonstandard cppstdlib behaviour in Windows"? Does it work with native vc runtime? Since the program is not free, I can't test, so if you have more information, can you provide that please? :)
--- Comment #3 from aphid.mmonly@gmail.com ---
Created attachment 61235 --> https://bugs.winehq.org/attachment.cgi?id=61235
Path followed through wined3d11, assembly
--- Comment #4 from Fabian Maurer dark.shadow4@web.de --- I'm sorry, but what exactly does that tell me?
--- Comment #5 from aphid.mmonly@gmail.com --- I traced the program through a debugger. It's multithreaded, and the problem happened way earlier in the process. It called out to a d3d11 function. One of the parameters it supplied was a pointer set to null. This pointer is supposed to be changed by d3d11, but wine's implementation did not.
Changing the relevant attributes of this bug to reflect my findings.
Here's where it happens in the application code:
0x140337c68  mov qword [rsp + 0x58], 0
0x140337c71  mov rax, qword [rbx]
0x140337c74  lea r8, qword [rsp + 0x58]
0x140337c79  lea rdx, qword [0x1414a0cd8]
0x140337c80  mov rcx, rbx
0x140337c83  call qword [rax]        ; 0x00007f9a97b90000
0x140337c85  mov rcx, qword [rsp + 0x58]
0x140337c8a  mov rax, qword [rcx]
The call goes out to 0x00007f9a97b9bb71, which is the function at offset 0xbb71 in the D3D11 DLL file (the PE), as it was mapped at address 0x00007f9a97b90000. The third attachment goes into more detail on what happened in this file.
The program reads out 'rsp + 0x58', possibly some member variable of a class returned. Unfortunately this is null, so when it tries to read it out it fails with a null pointer exception.
aphid.mmonly@gmail.com changed:
What      | Removed                                                                                   | Added
----------|-------------------------------------------------------------------------------------------|------------------------------------------------------------
Component | ucrtbase                                                                                  | directx-d3dx11
Summary   | Null pointer dereference: possible undocumented nonstandard cppstdlib behaviour in Windows. | Null pointer dereference in member function of D3D11 device
Toni eldrad@autistici.org changed:
What | Removed | Added
-----|---------|------
CC   |         | eldrad@autistici.org
--- Comment #6 from Toni eldrad@autistici.org --- You could run the program with apitrace to see a detailed log of all d3d11 calls and return values.
--- Comment #7 from Toni eldrad@autistici.org --- You can try as follows:
download https://github.com/apitrace/apitrace (you can try mingw version, but if you have problems try msvc version, binaries at https://people.freedesktop.org/~jrfonseca/apitrace/)
at least with the msvc version you can just place the bin/ and lib/ folder next to your .exe binary in the game folder
run
bin/apitrace.exe trace -a dxgi yourbinary.exe
then run
bin/apitrace.exe dump yourbinary.trace
That might give you an idea; otherwise you can post the trace dump here as txt.
--- Comment #8 from Toni eldrad@autistici.org --- Forgot to say so, but you must run the commands above with wine (I guess it's obvious, but just in case).
--- Comment #9 from aphid.mmonly@gmail.com --- Here is what the msft apitrace tool reports:
env WINEPREFIX=/hdd/games_wine/steam/ wine /hdd/games_wine/steam/drive_c/Programs/apitrace-msvc/x64/bin/apitrace.exe dump Frostpunk.trace
// process.name = "C:\steam\steamapps\common\Frostpunk\Frostpunk.exe"
0 D3D11CreateDevice(pAdapter = NULL, DriverType = D3D_DRIVER_TYPE_HARDWARE, Software = NULL, Flags = D3D11_CREATE_DEVICE_BGRA_SUPPORT, pFeatureLevels = {D3D_FEATURE_LEVEL_11_0, D3D_FEATURE_LEVEL_10_1, D3D_FEATURE_LEVEL_10_0, D3D_FEATURE_LEVEL_9_3, D3D_FEATURE_LEVEL_9_2, D3D_FEATURE_LEVEL_9_1}, FeatureLevels = 6, SDKVersion = 7, ppDevice = &0x252f100, pFeatureLevel = &D3D_FEATURE_LEVEL_11_0, ppImmediateContext = &0x252f130) = S_OK
1 ID3D11Device::AddRef(this = 0x252f100) = 3
2 ID3D11Device::QueryInterface(this = 0x252f100, riid = IID_IDXGIDevice2, ppvObj = ?) = E_NOINTERFACE
I've also tried to load debugging symbols for wine debugger and tried to use other debuggers, but to no avail; I can't manage to get the symbols loaded, so I can't help you with getting something more readable than assembler.
There just aren't any good resources available on how to properly debug Wine DLLs in 64-bit mode, e.g. attach unmangled names to function addresses.
--- Comment #10 from Nikolay Sivov bunglehead@gmail.com --- IDXGIDevice2 is currently not implemented. If you enable +dxgi,+d3d11 wine debug channels you'll get corresponding warning.
--- Comment #11 from Toni eldrad@autistici.org --- Yep, by the apitrace it looks like it's getting a null IDXGIDevice2, and that might be the reason for a crash if the app is using the pointer blindly after that. You can try returning IDXGIDevice1 instead on that query and see what happens. If you get lucky, IDXGIDevice2-specific methods won't really be used; otherwise you would have to implement the interface more or less properly (something like bug 41063), or more interfaces might be needed after that.
It might be smth else, but if that's the whole apitrace it doesn't seem to be much more going on.
About using the debugger I can't help you but I'm sure there must be a way, although by your previous info and the apitrace it already seems to be pointing somewhere.
--- Comment #12 from Toni eldrad@autistici.org --- In case it's not clear you can try editing dlls/dxgi/device.c, around line 42 (depends on the wine source you're editing), where you have the line "|| IsEqualGUID(riid, &IID_IDXGIDevice1)", add another line with "|| IsEqualGUID(riid, &IID_IDXGIDevice2)" instead just below that. That will make it return an incomplete IDXGIDevice2 interface that might or might not work.
Try that and then see if you get to the same point or hit some new problem.
--- Comment #13 from Nikolay Sivov bunglehead@gmail.com --- (In reply to Toni from comment #12)
> In case it's not clear you can try editing dlls/dxgi/device.c, around line 42 (depends on the wine source you're editing), where you have the line "|| IsEqualGUID(riid, &IID_IDXGIDevice1)", add another line with "|| IsEqualGUID(riid, &IID_IDXGIDevice2)" instead just below that. That will make it return an incomplete IDXGIDevice2 interface that might or might not work.
> Try that and then see if you get to the same point or hit some new problem.
I don't think it's useful. If you're going to edit it, you should be adding new methods too so you don't have to guess later why it failed.
--- Comment #14 from Toni eldrad@autistici.org --- (In reply to Nikolay Sivov from comment #13)
> I don't think it's useful. If you're going to edit it, you should be adding new methods too so you don't have to guess later why it failed.
Well, it's the easiest thing to try first, then of course the new methods need to be added but that will require more work, and my suggestion is to just try and add -that one line- and see what happens. Also, looking at the new methods in IDXGIDevice2 they don't even look that useful for a game, so who knows. If the app fails afterwards in an undeclared IDXGIDevice2 method it will be really obvious in apitrace since it will be the last line, akin to what happened in bug 41063.
Anyway, you seem like the right person to provide a stub implementation of IDXGIDevice2 if you think it's better to start there; I'm still a bit lost with advanced interface stuff, besides adding fake/partial interface declarations for debugging. It astonished me how fast you implemented those stubs for ID3D11Device1 and ID3D11DeviceContext1.
--- Comment #15 from Nikolay Sivov bunglehead@gmail.com ---
Created attachment 61239 --> https://bugs.winehq.org/attachment.cgi?id=61239
patch
(In reply to Toni from comment #14)
> (In reply to Nikolay Sivov from comment #13)
> > I don't think it's useful. If you're going to edit it, you should be adding new methods too so you don't have to guess later why it failed.
> Well, it's the easiest thing to try first, then of course the new methods need to be added but that will require more work, and my suggestion is to just try and add -that one line- and see what happens. Also, looking at the new methods in IDXGIDevice2 they don't even look that useful for a game, so who knows. If the app fails afterwards in an undeclared IDXGIDevice2 method it will be really obvious in apitrace since it will be the last line, akin to what happened in bug 41063.
Thing is we have custom methods right after IDXGIDevice1 ones. I don't know much about apitrace, but I'm assuming it hooks vtables somehow. Advertising IDXGIDevice2 will let it hook custom methods using wrong prototypes.
Completion event method looks like something application could be using. Anyway, attaching a patch.
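The two points made in this thread, that the application dereferences the QueryInterface out pointer without checking the HRESULT (comment #5 and the apitrace dump in comment #9), and that advertising IDXGIDevice2 with the one-line change from comment #12 would route IDXGIDevice2 calls into the implementation-private methods that follow the IDXGIDevice1 slots (comment #15), can both be shown in a small C model of COM vtables. The code below is an added example, not code from Wine, Frostpunk or apitrace; its slot order, method set and integer stand-ins for the IIDs are assumptions made for the model, not the real DXGI headers.

```c
/* Added example, not code from Wine, Frostpunk or apitrace: a toy model of COM
 * vtables in plain C showing two points from this thread.  First, an application
 * must check QueryInterface's HRESULT before using the out pointer (the NULL
 * dereference traced in comment #5).  Second, advertising IDXGIDevice2 with one
 * QueryInterface line (comment #12) is unsafe when implementation-private methods
 * follow the IDXGIDevice1 slots (comment #15), because the first IDXGIDevice2 slot
 * then aliases a private method.  Slot order, method set and the integer stand-ins
 * for IIDs are assumptions made for this model, not the real DXGI headers. */
#include <stdint.h>
#include <stdio.h>

typedef long HRESULT;
#define S_OK          0L
#define E_NOTIMPL     ((HRESULT)0x80004001L)
#define E_NOINTERFACE ((HRESULT)0x80004002L)
#define E_POINTER     ((HRESULT)0x80004003L)

enum { IID_IUnknown, IID_IDXGIDevice, IID_IDXGIDevice1, IID_IDXGIDevice2 };
struct device;
typedef HRESULT (*qi_fn)(struct device *self, int riid, void **out);
typedef HRESULT (*method_fn)(struct device *self, uintptr_t arg);
typedef void (*slot_fn)(void);   /* generic vtable slot, cast back before calling */

/* Assumed order: IUnknown, IDXGIDevice, IDXGIDevice1; IDXGIDevice2 would follow. */
enum { SLOT_QueryInterface, SLOT_GetAdapter, SLOT_SetMaximumFrameLatency,
       SLOT_EnqueueSetEvent };

struct device {
    const slot_fn *vtbl;
    int advertise_device2;   /* 1 = the comment #12 one-line hack is applied */
    int private_calls;       /* times the private helper ran */
    int stub_calls;          /* times the IDXGIDevice2 stub ran */
};

static HRESULT device_QueryInterface(struct device *self, int riid, void **out)
{
    if (!out) return E_POINTER;
    if (riid == IID_IUnknown || riid == IID_IDXGIDevice || riid == IID_IDXGIDevice1
        || (self->advertise_device2 && riid == IID_IDXGIDevice2)) {
        *out = self;
        return S_OK;
    }
    *out = NULL;             /* COM contract: out pointer is NULL on failure */
    return E_NOINTERFACE;
}
static HRESULT device_GetAdapter(struct device *s, uintptr_t a) { (void)s; (void)a; return S_OK; }
static HRESULT device_SetMaximumFrameLatency(struct device *s, uintptr_t a) { (void)s; (void)a; return S_OK; }
/* Implementation-private method placed directly after the IDXGIDevice1 slots. */
static HRESULT device_private_helper(struct device *s, uintptr_t a) { (void)a; s->private_calls++; return S_OK; }
/* A proper stub: occupies the public IDXGIDevice2 slot and reports unimplemented. */
static HRESULT device_EnqueueSetEvent_stub(struct device *s, uintptr_t a) { (void)a; s->stub_calls++; return E_NOTIMPL; }

/* Layout the thread describes: a private method right after IDXGIDevice1's. */
static const slot_fn vtbl_private_after_device1[] = {
    (slot_fn)device_QueryInterface, (slot_fn)device_GetAdapter,
    (slot_fn)device_SetMaximumFrameLatency, (slot_fn)device_private_helper,
};
/* Layout with IDXGIDevice2 stubbed in its public slot; private methods after it. */
static const slot_fn vtbl_with_device2_stub[] = {
    (slot_fn)device_QueryInterface, (slot_fn)device_GetAdapter,
    (slot_fn)device_SetMaximumFrameLatency, (slot_fn)device_EnqueueSetEvent_stub,
    (slot_fn)device_private_helper,
};

/* The crashing pattern: zero the local, QueryInterface, use the result without
 * checking hr.  Returns 1 when the next step (mov rax, [rcx]) would fault on NULL. */
static int app_unchecked_query(struct device *dev)
{
    void *obj = NULL;
    ((qi_fn)dev->vtbl[SLOT_QueryInterface])(dev, IID_IDXGIDevice2, &obj);
    return obj == NULL;
}

/* Defensive pattern: hand back the pointer only when QueryInterface succeeded. */
static HRESULT app_checked_query(struct device *dev, void **obj_out)
{
    void *obj = NULL;
    HRESULT hr = ((qi_fn)dev->vtbl[SLOT_QueryInterface])(dev, IID_IDXGIDevice2, &obj);
    *obj_out = (hr == S_OK) ? obj : NULL;
    return hr;
}

/* A caller that believes it holds IDXGIDevice2 and calls EnqueueSetEvent.  All slots
 * share one C signature here so the misrouting is observable without undefined
 * behaviour; with the real, differing prototypes the call itself would be UB. */
static HRESULT app_enqueue_set_event(struct device *dev)
{
    return ((method_fn)dev->vtbl[SLOT_EnqueueSetEvent])(dev, 0);
}

int main(void)
{
    struct device plain = { vtbl_private_after_device1, 0, 0, 0 };
    struct device hacked = { vtbl_private_after_device1, 1, 0, 0 };
    app_enqueue_set_event(&hacked);
    printf("plain device: unchecked app would dereference NULL = %d\n", app_unchecked_query(&plain));
    printf("hacked device: EnqueueSetEvent landed on the private helper %d time(s)\n", hacked.private_calls);
    return 0;
}
```

With the unmodified layout the checked caller gets E_NOINTERFACE and a NULL pointer and can fall back; the unchecked caller is exactly the pattern that faults. With the one-line hack the query succeeds, but the IDXGIDevice2 call lands in the private helper, which is why the attached patch adds the methods in their proper slots instead of only widening QueryInterface.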
--- Comment #16 from Toni eldrad@autistici.org --- (In reply to Nikolay Sivov from comment #15)
> Thing is we have custom methods right after IDXGIDevice1 ones. I don't know much about apitrace, but I'm assuming it hooks vtables somehow. Advertising IDXGIDevice2 will let it hook custom methods using wrong prototypes.
Ok, I wasn't aware about that. Thank you for the information Nikolay! I'll be more careful about that in the future.
Also, thank you again for your quick implementation of the stub interface. Let's see what happens when the OP can test it on the game. Imo it should work in progressing further in starting it.
tokktokk fdsfgs@krutt.org changed:
What | Removed | Added
-----|---------|------
CC   |         | fdsfgs@krutt.org
Jack Mitchell winehq@embed.me.uk changed:
What | Removed | Added
-----|---------|------
CC   |         | winehq@embed.me.uk
--- Comment #17 from Jack Mitchell winehq@embed.me.uk ---
Created attachment 61266 --> https://bugs.winehq.org/attachment.cgi?id=61266
FrostPunk Graphical Glitches
--- Comment #18 from Jack Mitchell winehq@embed.me.uk --- I can confirm that this patch allows the game to successfully start. However, there are major graphical glitches that render it unplayable. Screenshot attached.
The following log lines are constantly repeated:
0070:err:d3d11:d3d11_immediate_context_ClearRenderTargetView Failed to clear view, hr 0x8876086c.
0070:fixme:d3d:wined3d_device_clear_rendertarget_view Layered clears not implemented.
--- Comment #19 from Toni eldrad@autistici.org --- Since this bug is about the null pointer dereference/game not starting, it's better to open a new bug about the graphical errors now, so we can keep each bug focused on one problem at a time.
Thank you for testing this!
Matteo Bruni matteo.mystral@gmail.com changed:
What      | Removed                                                    | Added
----------|------------------------------------------------------------|-----------------------------------------
Component | directx-d3dx11                                             | directx-d3d
Summary   | Null pointer dereference in member function of D3D11 device | Frostpunk crashes (requires IDXGIDevice2)
Adam Bolte abolte@systemsaviour.com changed:
What | Removed | Added
-----|---------|------
CC   |         | abolte@systemsaviour.com
Alistair Leslie-Hughes leslie_alistair@hotmail.com changed:
What           | Removed     | Added
---------------|-------------|---------------------------------------------------------------------------------
Staged patchset|             | https://github.com/wine-staging/wine-staging/tree/master/patches/dxgi-IDXGIDevice2
Ever confirmed | 0           | 1
CC             |             | leslie_alistair@hotmail.com
Status         | UNCONFIRMED | STAGED
Alistair Leslie-Hughes leslie_alistair@hotmail.com changed:
What          | Removed | Added
--------------|---------|-----------------------------------------
Fixed by SHA1 |         | e4034dcc838b01a8c41de08c63d3db4b4906890f
Resolution    | ---     | FIXED
Status        | STAGED  | RESOLVED
--- Comment #20 from Alistair Leslie-Hughes leslie_alistair@hotmail.com --- Fixed by https://source.winehq.org/git/wine.git/?a=commit;h=e4034dcc838b01a8c41de08c6...
Alexandre Julliard julliard@winehq.org changed:
What   | Removed  | Added
-------|----------|-------
Status | RESOLVED | CLOSED
--- Comment #21 from Alexandre Julliard julliard@winehq.org --- Closing bugs fixed in 3.9.