[Bug 31580] New: Create Your Own Model Railway - Unhandled exception: page fault on read access
http://bugs.winehq.org/show_bug.cgi?id=31580
Bug #: 31580 Summary: Create Your Own Model Railway - Unhandled exception: page fault on read access Product: Wine Version: 1.5.11 Platform: x86 OS/Version: Linux Status: UNCONFIRMED Severity: normal Priority: P2 Component: -unknown AssignedTo: wine-bugs@winehq.org ReportedBy: dj.shaw@btconnect.com Classification: Unclassified
Created attachment 41527 --> http://bugs.winehq.org/attachment.cgi?id=41527 Debugging output
Create Your Own Model Railway fails to run with an 'Unhandled exception: page fault on read access' error.
Installation works OK, but to get to the main menu requires the installation of mpg123 and setting the program to run in an 800 x 600 desktop. Clicking on 'Start game' switches to a load progress screen, which gets to about 50% then fails. The only terminal output is the 'Unhandled exception: page fault on read access' error.
The AppDB only shows one previous test result, with Wine 1.0.0, also rated Garbage.
Arch Linux x86
http://bugs.winehq.org/show_bug.cgi?id=31580
--- Comment #1 from Chris2305 cdaisey@talktalk.net 2013-05-12 00:47:00 CDT --- Created attachment 44447 --> http://bugs.winehq.org/attachment.cgi?id=44447 text file
http://bugs.winehq.org/show_bug.cgi?id=31580
--- Comment #2 from Bruno Jesus 00cpxxx@gmail.com 2013-06-07 19:26:30 CDT --- Please try again in the latest development version of wine (currently 1.6-rc1). If the problem persists attach a new log: http://wiki.winehq.org/FAQ#get_log
http://bugs.winehq.org/show_bug.cgi?id=31580
--- Comment #3 from David Shaw dj.shaw@btconnect.com 2013-06-13 11:01:16 CDT --- Created attachment 44789 --> http://bugs.winehq.org/attachment.cgi?id=44789 Terminal output + backtrace
http://bugs.winehq.org/show_bug.cgi?id=31580
--- Comment #4 from David Shaw dj.shaw@btconnect.com 2013-06-13 11:01:51 CDT --- Problem persists with 1.6-rc1. Terminal output uploaded.
http://bugs.winehq.org/show_bug.cgi?id=31580
Bruno Jesus 00cpxxx@gmail.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Attachment #44789|CyoMR crash log |CyoMR crash log.txt filename| | Attachment #44789|application/octet-stream |text/plain mime type| |
https://bugs.winehq.org/show_bug.cgi?id=31580
Anastasius Focht focht@gmx.net changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|UNCONFIRMED |NEW CC| |focht@gmx.net Summary|Create Your Own Model |'Create Your Own Model |Railway - Unhandled |Railway' crashes at 65% |exception: page fault on |preparation after clicking |read access |'Start Game' Ever confirmed|0 |1
--- Comment #5 from Anastasius Focht focht@gmx.net --- Hello folks,
I found a distributed "backup", confirming.
It crashes at ~65% after clicking 'Start Game' while loading/processing some animated X file.
--- snip --- $ WINEDEBUG=+tid,+seh,+relay,+d3dx,+d3d8,+d3dxof,+d3dxof_parsing wine ./cyomr.exe >>log.txt 2>&1 ... 002e:trace:d3dxof:IDirectXFileEnumObjectImpl_GetNextDataObject (0x3880078/0x3880078)->(0x33f6d4) 002e:trace:d3dxof:IDirectXFileDataImpl_Create (0x33f624) ... 002e:trace:d3dxof_parsing:is_name Found name Scene_Root 002e:trace:d3dxof_parsing:dump_TOKEN TOKEN_NAME 002e:trace:d3dxof_parsing:dump_TOKEN TOKEN_OBRACE 002e:trace:d3dxof_parsing:is_name Found name FrameTransformMatrix 002e:trace:d3dxof_parsing:dump_TOKEN TOKEN_NAME 002e:trace:d3dxof_parsing:parse_object_parts Enter optional FrameTransformMatrix 002e:trace:d3dxof_parsing:dump_TOKEN TOKEN_OBRACE 002e:trace:d3dxof_parsing:is_float Found float 1.000000 - 1.000000 002e:trace:d3dxof_parsing:dump_TOKEN TOKEN_FLOAT ... 002e:trace:d3dxof_parsing:is_string Found string C:\1\scenes\trains\lamprefi.dds 002e:trace:d3dxof_parsing:dump_TOKEN TOKEN_LPSTR 002e:trace:d3dxof_parsing:parse_object_members_list Elements to consider: 1 002e:trace:d3dxof_parsing:parse_object_members_list filename = C:\1\scenes\trains\lamprefi.dds ... 002e:trace:d3dxof:IDirectXFileDataImpl_Create (0x33f5f4) 002e:Call ntdll.RtlAllocateHeap(00110000,00000008,0000001c) ret=7e89265b 002e:Ret ntdll.RtlAllocateHeap() retval=038aab10 ret=7e89265b 002e:trace:d3dxof:IDirectXFileDataImpl_QueryInterface (0x38aab10/0x38aab10)->({3d82ab44-62da-11cf-ab39-0020af71e433},0x33f650) 002e:trace:d3dxof:IDirectXFileDataImpl_AddRef (0x38aab10/0x38aab10)->(): new ref 2 002e:trace:d3dxof:IDirectXFileDataImpl_GetType (0x38aab10/0x38aab10)->(0x33f5f0) 002e:trace:d3dxof:IDirectXFileDataImpl_GetData (0x38aab10/0x38aab10)->((null),0x33f5dc,0x33f5e0) 002e:trace:d3dxof:IDirectXFileDataImpl_Release (0x38aab10/0x38aab10)->(): new ref 1 002e:trace:d3dxof:IDirectXFileDataImpl_Release (0x38aab10/0x38aab10)->(): new ref 0 ... 002e:trace:d3dxof:IDirectXFileDataImpl_GetNextObject (0x38aac58/0x38aac58)->(0x33f398) 002e:trace:d3dxof:IDirectXFileDataImpl_Release (0x38aac58/0x38aac58)->(): new ref 1 002e:trace:d3dxof:IDirectXFileDataImpl_Release (0x38aac58/0x38aac58)->(): new ref 0 002e:Call ntdll.RtlFreeHeap(00110000,00000000,038aac58) ret=7e892b1f 002e:Ret ntdll.RtlFreeHeap() retval=00000001 ret=7e892b1f 002e:trace:d3dxof:IDirectXFileDataImpl_GetNextObject (0x38aac30/0x38aac30)->(0x33f390) 002e:trace:d3d8:d3d8_device_AddRef 0x142978 increasing refcount to 457. 002e:trace:d3d8:d3d8_device_GetDirect3D iface 0x142978, d3d8 0xde1a00. 002e:trace:d3d8:d3d8_QueryInterface iface 0x143e98, riid {1dd9e8da-1c77-4d40-b0cf-98fefdff9512}, out 0xde1a00. 002e:trace:d3d8:d3d8_AddRef 0x143e98 increasing refcount to 145. 002e:trace:d3d8:d3d8_device_CreateIndexBuffer iface 0x142978, size 6282, usage 0, format 0x65, pool 0x2, buffer 0x33f1b4. ... 002e:trace:d3d8:d3d8_device_AddRef 0x142978 increasing refcount to 458. 002e:trace:d3d8:d3d8_device_CreateIndexBuffer Created index buffer 0x38aac58. ... 002e:trace:d3d8:d3d8_device_CreateVertexBuffer iface 0x142978, size 36000, usage 0, fvf 0x112, pool 0x2, buffer 0x33f1b0. ... 02e:trace:d3d8:d3d8_device_GetDeviceCaps iface 0x142978, caps 0x33f2d8. ... 002e:trace:d3d8:d3d8_device_GetCreationParameters iface 0x142978, parameters ... 002e:trace:d3d8:d3d8_device_Release 0x142978 decreasing refcount to 457. 002e:trace:d3d8:d3d8_indexbuffer_Release 0x38aac58 decreasing refcount to 0. 002e:Call wined3d.wined3d_mutex_lock() ret=7e85b9df 002e:Ret wined3d.wined3d_mutex_lock() retval=00000000 ret=7e85b9df 002e:Call wined3d.wined3d_buffer_decref(038aac80) ret=7e85b9ed ... 002e:Ret wined3d.wined3d_buffer_decref() retval=00000000 ret=7e85b9ed 002e:Call wined3d.wined3d_mutex_unlock() ret=7e85b9f2 002e:Ret wined3d.wined3d_mutex_unlock() retval=00000000 ret=7e85b9f2 002e:trace:d3d8:d3d8_device_Release 0x142978 decreasing refcount to 456. 002e:Call ntdll.RtlFreeHeap(00c70000,00000000,04b9b830) ret=004d407d 002e:Ret ntdll.RtlFreeHeap() retval=00000001 ret=004d407d 002e:trace:seh:raise_exception code=c0000005 flags=0 addr=0x74dee0e1 ip=74dee0e1 tid=002e 002e:trace:seh:raise_exception info[0]=00000000 002e:trace:seh:raise_exception info[1]=74dee0e1 002e:trace:seh:raise_exception eax=00c71c74 ebx=7b8bc000 ecx=00de19c0 edx=00de19c0 esi=00000000 edi=00000000 002e:trace:seh:raise_exception ebp=0033f4cc esp=0033f44c cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00210a92 002e:trace:seh:call_stack_handlers calling handler at 0x4f5e3f code=c0000005 flags=0 002e:trace:seh:call_stack_handlers handler at 0x4f5e3f returned 1 ... Unhandled exception: page fault on read access to 0x74dee0e1 in 32-bit code (0x74dee0e1). Register dump: CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b EIP:74dee0e1 ESP:0033f44c EBP:0033f4cc EFLAGS:00210a92( R- --O I S -A- - ) EAX:00c71c74 EBX:7b8bc000 ECX:00de19c0 EDX:00de19c0 ESI:00000000 EDI:00000000 Stack dump: 0x0033f44c: 00de19c5 00407e83 00de19c0 00000000 0x0033f45c: 00000000 00de1910 00de1910 04b9a668 0x0033f46c: 00de1910 00de1910 0033f4f0 0033f4a0 0x0033f47c: 00000053 7ffd8000 7e8a7000 0033f4b0 0x0033f48c: 00000051 00de1910 00de1910 7e8a7000 0x0033f49c: 7e892fda 00142978 00de1110 88760b57 000c: sel=0067 base=00000000 limit=00000000 16-bit --x Backtrace: =>0 0x74dee0e1 (0x0033f4cc) 1 0x00407f4e in cyomr (+0x7f4d) (0x0033f530) 2 0x004081b1 in cyomr (+0x81b0) (0x0033f59c) 3 0x004081b1 in cyomr (+0x81b0) (0x0033f608) 4 0x004081b1 in cyomr (+0x81b0) (0x0033f674) 5 0x004084bb in cyomr (+0x84ba) (0x0033f700) 6 0x004052f4 in cyomr (+0x52f3) (0x0033f71c) 7 0x0045357b in cyomr (+0x5357a) (0x0033fb94) 8 0x00456d44 in cyomr (+0x56d43) (0x0033fbc4) 9 0x0048b447 in cyomr (+0x8b446) (0x0033fbcc) 10 0x0048b01b in cyomr (+0x8b01a) (0x0033fd5c) 11 0x0048b3d5 in cyomr (+0x8b3d4) (0x0033fd64) 12 0x00468213 in cyomr (+0x68212) (0x0033fd94) 13 0x004d540b in cyomr (+0xd540a) (0x0033fe20) 14 0x7b86404c call_process_entry+0xb() in kernel32 (0x0033fe38) ... 0x74dee0e1: addb %al,0x0(%eax) Modules: Module Address Debug info Name (106 modules) PE 400000- 839000 Export cyomr PE 840000- 932000 Deferred vorbis PE 10000000-1000d000 Deferred ogg ELF 4e99a000-4e9a3000 Deferred librt.so.1 ... Threads: process tid prio (all id:s are in hex) ... 0000002d (D) C:\Program Files\Focus Multimedia Limited\Create your own Model Railway\cyomr.exe 00000031 15 00000030 0 0000002f 0 0000002e 0 <== --- snip ---
There is a call to 'd3d8.d3d8_device_GetCreationParameters' before the crash. Debugging that code yields that it checks the 'creation_parameters.flag' field for:
0x50 -> WINED3DCREATE_HARDWARE_VERTEXPROCESSING | WINED3DCREATE_PUREDEVICE 0x80 -> WINED3DCREATE_MIXED_VERTEXPROCESSING
'flags' for the device is set to 0x80 -> WINED3DCREATE_MIXED_VERTEXPROCESSING
There is some other condition I couldn't identify yet, which finally results in code 0x88760B57 -> 'D3DXERR_SKINNINGNOTSUPPORTED' internally set and propagated through some code paths.
'd3d8_device_Release' after that could indicate it hits some cleanup path. In the end the crash results from some (stale?) address being interpreted as vtable pointer.
'winetricks -q d3dxof' didn't help.
Regards
https://bugs.winehq.org/show_bug.cgi?id=31580
--- Comment #6 from Henri Verbeet hverbeet@gmail.com --- (In reply to Anastasius Focht from comment #5)
There is some other condition I couldn't identify yet, which finally results in code 0x88760B57 -> 'D3DXERR_SKINNINGNOTSUPPORTED' internally set and propagated through some code paths.
D3DCAPS8.MaxVertexBlendMatrices/MaxVertexBlendMatrixIndex perhaps?
https://bugs.winehq.org/show_bug.cgi?id=31580
--- Comment #7 from Austin English austinenglish@gmail.com --- This is your friendly reminder that there has been no bug activity for over a year. Is this still an issue in current (1.7.51 or newer) wine?
https://bugs.winehq.org/show_bug.cgi?id=31580
Anastasius Focht focht@gmx.net changed:
What |Removed |Added ---------------------------------------------------------------------------- Fixed by SHA1| |1f680c52fe14ce744f257d89d36 | |60a9e33c0a197 Status|NEW |RESOLVED Component|-unknown |directx-d3d Resolution|--- |FIXED
--- Comment #8 from Anastasius Focht focht@gmx.net --- Hello folks,
revisiting, this works now. Resolving 'fixed'.
I reverse bisected it to commit https://source.winehq.org/git/wine.git/commitdiff/1f680c52fe14ce744f257d89d3... ("wined3d: Implement vertex blending in glsl_vertex_pipe.")
Thanks Józef
$ wine --version wine-1.7.51-102-ga7e294c
Regards
https://bugs.winehq.org/show_bug.cgi?id=31580
Alexandre Julliard julliard@winehq.org changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |CLOSED
--- Comment #9 from Alexandre Julliard julliard@winehq.org --- Closing bugs fixed in 1.7.52.
-
wine-bugs@winehq.org