http://bugs.winehq.org/show_bug.cgi?id=22815
Summary: Alt.binz 0.28.5 gives access violation and fails to load settings.
Product: Wine
Version: 1.2-rc1
Platform: x86
OS/Version: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: -unknown
AssignedTo: wine-bugs@winehq.org
ReportedBy: wine-bugs@mohag.net
CC: dmitry@codeweavers.com
Logs stay identical for good and bad builds. See forum post or ask here if you actually want a debugless log...
http://forum.winehq.org/viewtopic.php?t=8495
Regression test result: (was good in 1.1.44, bad in 1.2-rc1)
7d3cb53cf1a5f40094fbc3332524ec98781d3779 is the first bad commit
commit 7d3cb53cf1a5f40094fbc3332524ec98781d3779
Author: Dmitry Timoshkov dmitry@codeweavers.com
Date: Tue May 18 20:53:18 2010 +0900

    gdi32: Do not use VDMX for mapping of negative font heights, based on a test case.

:040000 040000 06c1fd576cfebd3c095713c9ced67c992f890a9d f0dd2f0ff66c09581dc1093700023deb525a133e M dlls
Application errors:
On starting: (Settings / queue does not load when it gives this error)
Access violation at address 00519D0F in module 'altbinz.exe'. Write of address 02792000.

On exiting:
Access violation at address 00677706 in module 'altbinz.exe'. Read of address 00000000.
Wine x86 under Ubuntu 10.04 x86_64.
Last git bisect log: (I failed to save log after my last git bisect good)
$ git bisect log
git bisect start
# good: [91431e0859cec1ff0cfba484a27c084717c83f22] Release 1.1.44.
git bisect good 91431e0859cec1ff0cfba484a27c084717c83f22
# bad: [821cd38e1734137e6eab199334ecc182bd605680] Release 1.2-rc1.
git bisect bad 821cd38e1734137e6eab199334ecc182bd605680
# good: [4ac898d7cf7a5bf2ad975ea58c2c12bd1a71de59] wordpad: Replaced toolbar.bmp with a Tango compliant tool strip.
git bisect good 4ac898d7cf7a5bf2ad975ea58c2c12bd1a71de59
# bad: [abb489b29d73cb13f07103b3d871cdbd84d11b03] d3dx9: Add ps_3_0 instructions parsing to the shader assembler.
git bisect bad abb489b29d73cb13f07103b3d871cdbd84d11b03
# good: [6178e86a7415507219e541a2c78b22ed9b3dad71] avifil32: Remove some redundant "not NULL" checks (coccicheck).
git bisect good 6178e86a7415507219e541a2c78b22ed9b3dad71
# bad: [bea0daa281dd184c3f3e5fc5ac93a3723b4b3707] shlwapi: Implement SHRegEnumUSValue.
git bisect bad bea0daa281dd184c3f3e5fc5ac93a3723b4b3707
# good: [3af7e99ba0bc7509e01edc4ff73aa57260b9e0b8] winealsa: Supply FFFFFFFF for midiOutGetVolume, no garbage.
git bisect good 3af7e99ba0bc7509e01edc4ff73aa57260b9e0b8
# good: [7c785581061119e7467baaefb0ccd3ff584c56c2] wmc: Remove 10 year old unmaintained file.
git bisect good 7c785581061119e7467baaefb0ccd3ff584c56c2
# bad: [7d3cb53cf1a5f40094fbc3332524ec98781d3779] gdi32: Do not use VDMX for mapping of negative font heights, based on a test case.
git bisect bad 7d3cb53cf1a5f40094fbc3332524ec98781d3779
Dmitry Timoshkov dmitry@codeweavers.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |regression

--- Comment #1 from Dmitry Timoshkov dmitry@codeweavers.com 2010-05-22 09:27:24 ---
Please attach a backtrace here. Is the app downloadable somewhere?
--- Comment #2 from Gert van den Berg wine-bugs@mohag.net 2010-05-22 09:59:14 ---
Created an attachment (id=28183)
 --> (http://bugs.winehq.org/attachment.cgi?id=28183)
Log with backtrace from 0.25
--- Comment #3 from Gert van den Berg wine-bugs@mohag.net 2010-05-22 10:04:00 ---
(In reply to comment #1)
> Please attach a backtrace here. Is the app downloadable somewhere?
Hi,
It doesn't crash, it opens, gives the error and then continues as if it wasn't configured.
0.25, which has a download, crashes. I'm not sure if its crash and access-violation have the same cause. Will attach log now.
--- Comment #4 from Dmitry Timoshkov dmitry@codeweavers.com 2010-05-22 10:04:57 ---
Does reverting the patch help?
--- Comment #5 from Gert van den Berg wine-bugs@mohag.net 2010-05-22 10:27:45 ---
A revert helps for both 0.28.5 and 0.25.
--- Comment #6 from Dmitry Timoshkov dmitry@codeweavers.com 2010-05-24 03:56:23 ---
Created an attachment (id=28227)
 --> (http://bugs.winehq.org/attachment.cgi?id=28227)
Use the whole allocated DIB memory as an image size
I think it's a bug in the application. Previously it was hidden by larger bitmap allocation based on a larger reported font height. The application accesses last byte in the DIB image, and the DIB fault handler doesn't detect that, because it doesn't find the fault address inside the DIB section. But actually that byte *is* inside of the allocated DIB region because DIB memory is allocated using 64k granularity.
Moreover, the DIB fault handler does have a check that the address is behind the image size, and is supposed to issue a warning in that case, but that check is unreachable for some reason, probably the code was changed at some point.
Attached patch makes the application work.
Dmitry Timoshkov dmitry@codeweavers.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
     Ever Confirmed|0                           |1

--- Comment #7 from Dmitry Timoshkov dmitry@codeweavers.com 2010-05-24 03:56:46 ---
Confirming.
--- Comment #8 from Dmitry Timoshkov dmitry@codeweavers.com 2010-05-24 07:25:32 ---
Created an attachment (id=28232)
 --> (http://bugs.winehq.org/attachment.cgi?id=28232)
Align the DIB image size on a DWORD boundary

Attached patch works for me as well. Looks like the application accesses the DIB in DWORDs without boundary checks.
--- Comment #9 from Gert van den Berg wine-bugs@mohag.net 2010-05-24 13:41:52 ---
Created an attachment (id=28244)
 --> (http://bugs.winehq.org/attachment.cgi?id=28244)
Log with first patch on latest git (0.25)
Latest git with first patch still crashes for me. Log attached. (Second patch as well, will attach log soon...)
--- Comment #10 from Gert van den Berg wine-bugs@mohag.net 2010-05-24 13:45:10 ---
Created an attachment (id=28245)
 --> (http://bugs.winehq.org/attachment.cgi?id=28245)
Log with second patch (0.25) on latest git
Still crashes. Second patch only.
--- Comment #11 from Gert van den Berg wine-bugs@mohag.net 2010-05-24 13:54:12 ---
Patches seem to conflict, unable to test with both.
git reset --hard HEAD was used to unpatch.
Similar result on 1.2-rc1 checkout with second patch.
--- Comment #12 from Gert van den Berg wine-bugs@mohag.net 2010-05-24 13:56:32 ---
Created an attachment (id=28246)
 --> (http://bugs.winehq.org/attachment.cgi?id=28246)
Log with second patch (0.25) on 1.2-rc1
Also crashes...
Dmitry Timoshkov dmitry@codeweavers.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #28232|0                           |1
        is obsolete|                            |
--- Comment #13 from Dmitry Timoshkov dmitry@codeweavers.com 2010-05-27 00:12:20 ---
Looks like I had some other change in my tree that made that work. The first patch should work though, but it's a hack/workaround.
--- Comment #14 from Gert van den Berg wine-bugs@mohag.net 2010-05-27 14:53:04 ---
Retested with first patch. 0.25 still crashes. Backtrace seems unchanged from this: http://bugs2.winehq.org/attachment.cgi?id=28244 (EBX changed to 01e09014) and the top few numbers under services.exe and winedevice.exe changed. Haven't compared exact addresses.

mohag@mohagpc:~/wine-git$ git status
# On branch master
# Changed but not updated:
#   (use "git add <file>..." to update what will be committed)
#   (use "git checkout -- <file>..." to discard changes in working directory)
#
#   modified: dlls/winex11.drv/dib.c
#
lars.langhans@gmx.de changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |lars.langhans@gmx.de
Henri Verbeet hverbeet@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
    Regression SHA1|                            |7d3cb53cf1a5f40094fbc333252
                   |                            |4ec98781d3779
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |download
                URL|                            |http://proxy.nsanedown.com/
                   |                            |proxy.php?file=altbinz0285.
                   |                            |zip
                 CC|                            |focht@gmx.net
            Summary|Alt.binz 0.28.5 gives       |Alt.binz 0.28.5 gives
                   |access violation and fails  |access violation and fails
                   |to load settings.           |to load settings at default
                   |                            |96 dpi setting (needs at
                   |                            |least 101 dpi)

--- Comment #15 from Anastasius Focht focht@gmx.net 2012-01-17 17:23:21 CST ---
Hello,

confirming, still present.
--- snip ---
...
0024:Call gdi32.CreateDIBSection(00000000,009ecc80,00000000,009eccac,00000000,00000000) ret=0051cbac
0024:Ret gdi32.CreateDIBSection() retval=000096a4 ret=0051cbac
0024:Call gdi32.CreateCompatibleDC(00000000) ret=0051cbd8
0024:Ret gdi32.CreateCompatibleDC() retval=000096a8 ret=0051cbd8
0024:Call gdi32.SelectObject(000096a8,000096a4) ret=0051cc35
0024:Ret gdi32.SelectObject() retval=0000006c ret=0051cc35
0024:trace:seh:raise_exception code=c0000005 flags=0 addr=0x519d0f ip=00519d0f tid=0024
0024:trace:seh:raise_exception info[0]=00000001
0024:trace:seh:raise_exception info[1]=02732000
0024:trace:seh:raise_exception eax=ff9ebef5 ebx=009ecc40 ecx=00000034 edx=00000062 esi=009f3284 edi=02732000
0024:trace:seh:raise_exception ebp=00f5be9e esp=0032fadc cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00210202
0024:trace:seh:call_stack_handlers calling handler at 0x619a60 code=c0000005 flags=0
0024:trace:seh:call_stack_handlers handler at 0x619a60 returned 1
0024:trace:seh:call_stack_handlers calling handler at 0x61dbdf code=c0000005 flags=0
0024:trace:seh:call_stack_handlers handler at 0x61dbdf returned 1
0024:trace:seh:call_stack_handlers calling handler at 0x469085 code=c0000005 flags=0
...
0024:Call user32.MessageBoxA(000100a0,01c3cfb4 "Access violation at address 00519D0F in module 'altbinz.exe'. Write of address 02732000.",009d2af8 "Alt.Binz 0.28.5",00000010) ret=004707b3
--- snip ---
From another run using debugger:
32bpp BI_RGB DIB section, top-down (negative height)
--- snip ---
0033FA84 /00000000 ; |hDC = NULL
0033FA88 |009ECE24 ; |pBitmapInfo ! 009ECE24 -> BITMAPINFO {Size=40., Width=100., Height=-20., Planes=1, BitCount=32., Compression=BI_RGB, SizeImage=0, XPelsPerMeter=0, YPelsPerMeter=0, ColorsUsed=0, ColorsImportant=0}
0033FA8C |00000000 ; |Usage = DIB_RGB_COLORS
0033FA90 |009ECE50 ; |ppBits = 009ECE50 -> NULL
0033FA94 |00000000 ; |hSection = NULL
0033FA98 |00000000 ; \Offset = 0
--- snip ---
*ppBits -> 02720000
100*20*4 -> 8000 (8K rounded -> 0x2000)
Memory view:
--- snip ---
...
026E0000 00001000 unrar PE header Img R RWE Copy
026E1000 00023000 unrar .text Code Img R E RWE Copy
02704000 0000E000 unrar .data Data Img RW Copy>RWE Copy
02712000 00001000 unrar .tls Img RW Copy>RWE Copy
02713000 00001000 unrar .idata Imports Img R RWE Copy
02714000 00001000 unrar .edata Exports Img R RWE Copy
02715000 00001000 unrar .rsrc Resources Img R RWE Copy
02716000 00002000 unrar .reloc Relocations Img R RWE Copy
02720000 00002000 Priv RW RW
02820000 00001000 Priv RW RW
02830000 00001000 Priv RW RW
...
--- snip ---
You can verify the reported font height vs. DIB allocation size by changing default 96 dpi to larger values. At 101 dpi the app stops crashing at startup and works fine.
The location where the previous crash happened now looks like this:
--- snip ---
...
0024:Call gdi32.CreateDIBSection(00000000,01c55814,00000000,01c55840,00000000,00000000) ret=0051cbac
0024:Ret gdi32.CreateDIBSection() retval=0000a288 ret=0051cbac
0024:Call gdi32.CreateCompatibleDC(00000000) ret=0051cbd8
0024:Ret gdi32.CreateCompatibleDC() retval=0000a28c ret=0051cbd8
0024:Call gdi32.SelectObject(0000a28c,0000a288) ret=0051cc35
0024:Ret gdi32.SelectObject() retval=0000006c ret=0051cc35
0024:Call gdi32.SelectObject(0000a28c,000079c0) ret=0051e87f
0024:Ret gdi32.SelectObject() retval=0000007c ret=0051e87f
0024:Call gdi32.SetTextColor(0000a28c,00000000) ret=0051e897
0024:Ret gdi32.SetTextColor() retval=00000000 ret=0051e897
0024:Call gdi32.SetBkMode(0000a28c,00000001) ret=0051e8a5
0024:Ret gdi32.SetBkMode() retval=00000002 ret=0051e8a5
0024:Call user32.DrawTextA(0000a28c,01c5eca0 "0.00 MB",00000007,0032fac8,00008025) ret=0051e965
0024:Ret user32.DrawTextA() retval=00000010 ret=0051e965
0024:Call comctl32.InitCommonControlsEx(0032f984) ret=004311e5
0024:Ret comctl32.InitCommonControlsEx() retval=00000001 ret=004311e5
0024:Call user32.LoadCursorA(00000000,00007f00) ret=00452da2
0024:Ret user32.LoadCursorA() retval=0002002c ret=00452da2
0024:Call user32.GetClassInfoA(00400000,0032fa34 "TMyStatusbar",0032f9c0) ret=00452ec5
0024:Ret user32.GetClassInfoA() retval=0000c06e ret=00452ec5
0024:Call user32.CreateWindowExA(00010000,0032fa34 "TMyStatusbar",009925dc "",46000100,00000000,00000225,00000318,00000018,000100b0,00000000,00400000,00000000) ret=004085ec
0024:trace:win:WIN_CreateWindowEx "" L"TMyStatusbar" ex=00010000 style=46000100 0,549 792x24 parent=0x100b0 menu=(nil) inst=0x400000 params=(nil)
0024:trace:win:dump_window_styles style: WS_CHILD WS_CLIPSIBLINGS WS_CLIPCHILDREN 00000100
0024:trace:win:dump_window_styles exstyle: WS_EX_CONTROLPARENT
0024:trace:win:WIN_SetWindowLong 0x102a2 -12 0 W
0024:Call hook proc 0x57d724 (id=WH_CBT,code=3,wp=000102a2,lp=0032f538)
0024:Call user32.CallNextHookEx(000100be,00000003,000102a2,0032ef78) ret=0057d7d1
0024:Ret user32.CallNextHookEx() retval=00000000 ret=0057d7d1
0024:Ret hook proc 0x57d724 (id=WH_CBT,code=3,wp=000102a2,lp=0032f538) retval=00000000
0024:trace:win:GetWindowRect hwnd 0x102a2 (64,630)-(856,654)
0024:trace:win:invalidate_dce 0x102a2 scope hwnd = 0x100b0 (64,630)-(856,654) ((64,81)-(64,81)) 0
...
0024:Call gdi32.SelectObject(0000a28c,0000007c) ret=0051e847
0024:Ret gdi32.SelectObject() retval=000079c0 ret=0051e847
0024:Call gdi32.DeleteDC(0000a28c) ret=0051cb3b
0024:Ret gdi32.DeleteDC() retval=00000001 ret=0051cb3b
0024:Call gdi32.DeleteObject(0000a288) ret=0051cb56
0024:Ret gdi32.DeleteObject() retval=00000001 ret=0051cb56
--- snip ---
That string "0.00 MB" ought to be drawn in a status bar strip. If you place a breakpoint in gdi32.CreateDIBSection() entry you can see the regions painted individually (make sure you don't overlap the client area with terminal).
At 101 dpi the DIB height is (-)24 pix. Maybe there is some minimum height expected (app bug) which worked previously because of larger reported font height. It would be interesting to know the height of that status bar strip in Windows (at default 96 dpi).
$ sha1sum altbinz0285.zip
7fa3bb99db1bca0b0ee3e0c00e4f3a016ac14723 altbinz0285.zip

$ wine --version
wine-1.3.37-66-g6d391df
Regards
--- Comment #16 from Dmitry Timoshkov dmitry@baikal.ru 2012-01-18 23:33:18 CST ---
(In reply to comment #15)
> That string "0.00 MB" ought to be drawn in a status bar strip. If you place a breakpoint in gdi32.CreateDIBSection() entry you can see the regions painted individually (make sure you don't overlap the client area with terminal).
>
> At 101 dpi the DIB height is (-)24 pix. Maybe there is some minimum height expected (app bug) which worked previously because of larger reported font height. It would be interesting to know the height of that status bar strip in Windows (at default 96 dpi).
Under XP in compatibility mode and turned off theming the height of "TMyStatusbar" child window is 22 pixels, and the app works fine with Windows version set to win2000 (in win9x mode the app eats 100% cpu).
--- Comment #17 from Anastasius Focht focht@gmx.net 2012-01-19 02:28:26 CST ---
Hello Dmitry,

--- quote ---
Under XP in compatibility mode and turned off theming the height of "TMyStatusbar" child window is 22 pixels, and the app works fine with Windows version set to win2000 (in win9x mode the app eats 100% cpu).
--- quote ---
With that 22 pixel height:
100*(-)22*4 = 8800 -> resulting DIB allocation is 3*4K pages due to 4K page allocation granularity and aligned at 64K boundaries.
As you already said: it's most likely an app bug that is hidden in Windows due to slightly larger reported font height and resulting in minimum 22 pixels height of status bar. Accessing some DIB bytes beyond the non-rounded buffer size is possible due to page-sized allocation granularity.
I don't think there is something wrong with current Wine DIB allocation/size/alignment. You could write a test case, allocating a DIB with 100*(-20) 32bpp and try to access the third 4K page like the app does. It should crash the same way.
Lying about font height just to have the app calculate the 22 pixel height of status bar doesn't seem feasible.
I opt for WONTFIX (don't lie about font heights) or INVALID (app bug).
Regards
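The size arithmetic from comments #15 to #17, as an added example (not code from Wine or from the application): a small C model of which accesses past a 100-pixel-wide 32bpp DIB land in the image, in the silent page slack, or on an unmapped page. The function names and the 4-byte access length are assumptions made for illustration; the heights, the 4K page size and the 0x2000 offset are the values quoted in the thread.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define PAGE_SIZE 0x1000u /* 4K page granularity, as described in comment #17 */

enum access { IN_IMAGE, IN_PAGE_SLACK, FAULT };

/* DIB scan lines are padded to a DWORD (4-byte) boundary. */
static size_t dib_stride(unsigned width, unsigned bpp)
{
    return (((size_t)width * bpp + 31) / 32) * 4;
}

/* A negative height only selects top-down row order; the size uses |height|. */
static size_t dib_image_size(unsigned width, int height, unsigned bpp)
{
    return dib_stride(width, bpp) * (size_t)abs(height);
}

/* Bytes actually backed by memory once the image is rounded up to whole pages. */
static size_t dib_committed_size(size_t image_size)
{
    return (image_size + PAGE_SIZE - 1) & ~(size_t)(PAGE_SIZE - 1);
}

/* Classify an access of len bytes at offset from the start of the DIB bits. */
static enum access classify_access(unsigned width, int height, unsigned bpp,
                                   size_t offset, size_t len)
{
    size_t image = dib_image_size(width, height, bpp);
    size_t end = offset + len;

    if (end <= image)
        return IN_IMAGE;      /* legitimate access */
    if (end <= dib_committed_size(image))
        return IN_PAGE_SLACK; /* out of bounds, but no fault is raised */
    return FAULT;             /* touches a page that was never committed */
}

int main(void)
{
    static const char *names[] = { "in image", "page slack (silent)", "fault" };
    static const int heights[] = { -20, -22, -24 }; /* heights quoted in the thread */
    size_t i;

    for (i = 0; i < sizeof(heights) / sizeof(heights[0]); i++) {
        size_t image = dib_image_size(100, heights[i], 32);
        printf("height %d: image=%zu committed=0x%zx  +0x1f40: %s  +0x2000: %s\n",
               heights[i], image, dib_committed_size(image),
               names[classify_access(100, heights[i], 32, 0x1f40, 4)],
               names[classify_access(100, heights[i], 32, 0x2000, 4)]);
    }
    return 0;
}
```

Only the 20-pixel height turns a write at offset 0x2000 into a fault; a write at 0x1f40 is already out of bounds for that bitmap but raises nothing, which is how the overrun stays unnoticed at larger heights.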
Dmitry Timoshkov dmitry@baikal.ru changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX

--- Comment #18 from Dmitry Timoshkov dmitry@baikal.ru 2012-01-19 02:48:03 CST ---
Changing screen resolution in XP to "custom 75% (86 dpi)" leads to a similar MessageBox as the one observed under Wine:
---------------------------
Alt.Binz 0.28.5
---------------------------
Access violation at address 00519D0F in module 'altbinz.exe'. Write of address 033B2000.
---------------------------
So yeah, basically an app bug.
Dmitry Timoshkov dmitry@baikal.ru changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED
         Resolution|WONTFIX                     |INVALID

--- Comment #19 from Dmitry Timoshkov dmitry@baikal.ru 2012-01-19 02:48:54 CST ---
Or rather invalid.