http://bugs.winehq.org/show_bug.cgi?id=24249
Summary: Firestarter Demo crashes with page fault on read access on start
Product: Wine
Version: 1.3.1
Platform: x86
OS/Version: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: -unknown
AssignedTo: wine-bugs@winehq.org
ReportedBy: andrew.millington@gmail.com
Created an attachment (id=30527)
 --> (http://bugs.winehq.org/attachment.cgi?id=30527)
The crash of Firestarter on start

Lines that I considered notable; the full log is attached.

Backtrace:
=>0 0x685e3b48 IWineD3DDeviceImpl_GetSamplerState+0x78(iface=0x160228, Sampler=0, Type=863265637, Value=0x6a40c0) [/home/andrew/wine-git/dlls/wined3d/device.c:3106] in wined3d (0x0032f034)
  1 0x720021b3 IDirect3DDevice8Impl_GetTextureStageState+0xa2(iface=0x14c1d0, Stage=0, Type=32, pValue=0x6a40c0) [/home/andrew/wine-git/dlls/d3d8/device.c:1586] in d3d8 (0x006a4460)

0x685e3b48 IWineD3DDeviceImpl_GetSamplerState+0x78 [/home/andrew/wine-git/dlls/wined3d/device.c:3106] in wined3d: movl 0x0(%eax,%ecx,4),%eax
3106 *Value = This->stateBlock->samplerState[Sampler][Type];

Modules:
Andrew Millington andrew.millington@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |download
                URL|                            |http://www.gamershell.com/download_4489.shtml
--- Comment #1 from Andrew Millington andrew.millington@gmail.com 2010-09-03 02:05:15 CDT ---
Fill in some details.
--- Comment #2 from Rico kgbricola@web.de 2010-09-03 09:38:54 CDT ---
Created an attachment (id=30530)
 --> (http://bugs.winehq.org/attachment.cgi?id=30530)
Add argument check for the type in IDirect3DDevice8Impl_GetTextureStageState.
Does the attached patch help?
The game somehow queries all values for the Type (also not available ones) from 0 to 32 in IDirect3DDevice8::GetTextureStageState(), which seems a bit strange.
The problem is that the tss_lookup table has only 29 entries, which returns random memory (or an access violation) in cases where the index >= table size. The patch prevents this.
There might be another problem when WINED3DTSS_FORCE_DWORD is triggered (e.g. Type == 0). So it could happen that there is also an access violation on read access.
--- Comment #3 from Henri Verbeet hverbeet@gmail.com 2010-09-03 10:22:32 CDT --- (In reply to comment #2)
> There might be another problem when WINED3DTSS_FORCE_DWORD is triggered (e.g. Type == 0). So it could happen that there is also an access violation on read access.
Yeah, something like the following should work:
    if (Type >= sizeof(tss_lookup) / sizeof(*tss_lookup)) Type = 0;
    l = &tss_lookup[Type];
    if (l->state == WINED3DTSS_FORCE_DWORD)
    {
        *pValue = 0;
        return D3D_OK;
    }
Note that there are some more places with constructions like this, at the very least IDirect3DDevice8Impl_SetTextureStageState(). We probably don't want a test for this though, I think it's accessing beyond the end of the array on native as well, it's just that native probably doesn't have the extra level of indirection.
--- Comment #4 from Andrew Millington andrew.millington@gmail.com 2010-09-03 22:12:50 CDT ---
After applying http://bugs.winehq.org/attachment.cgi?id=30530 nearly everything works, but:

* An error appears if you run directly from the installer after it has finished.
* Texture problems in the low levels of the complete benchmark.
* The center mirror thing is a bit strange when you move around it.
* Slow when you face off certain bad guys.
* Crashes when you try and create a multiplayer server.
I haven't got a Windows machine available to confirm or deny, but these are good candidates for a separate bug.
Wylda wylda@volny.cz changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |wylda@volny.cz
--- Comment #5 from Wylda wylda@volny.cz 2010-09-04 15:14:01 CDT --- (In reply to comment #3)
> ...We probably don't want a test for this though, I think it's accessing beyond the end of the array on native as well...

Henri, do I understand that correctly, that this is WONTFIX or INVALID? Or should something be done to get this bug into a better state?
--- Comment #6 from Henri Verbeet hverbeet@gmail.com 2010-09-04 17:27:11 CDT --- (In reply to comment #5)
> (In reply to comment #3)
> > ...We probably don't want a test for this though, I think it's accessing beyond the end of the array on native as well...
>
> Henri, do I understand that correctly, that this is WONTFIX or INVALID? Or should something be done to get this bug into a better state?
No, we can fix it, I'm just not sure the 0xbaadcafe return value is reliable, or that we should care about it.
Andrew Millington andrew.millington@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |patch
--- Comment #7 from Andrew Millington andrew.millington@gmail.com 2010-09-12 04:58:20 CDT ---
After applying these patches, Firestarter starts.
http://source.winehq.org/patches/data/65989
http://source.winehq.org/patches/data/65990
--- Comment #8 from Rico kgbricola@web.de 2010-09-27 12:32:09 CDT ---
Should be fixed by commit e6d52c0c8bd7f70fd0046508e0e76c66b525daf5.
Wylda wylda@volny.cz changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|                            |FIXED
--- Comment #9 from Wylda wylda@volny.cz 2010-09-27 17:53:59 CDT ---
> Should be fixed by commit e6d52c0c8bd7f70fd0046508e0e76c66b525daf5.

wine-1.3.1 crashes for me and wine-1.3.3-282-g440cf08 runs, i.e. fixed. Although it crashes on exit, that looks like something completely different.
--- Comment #10 from Wylda wylda@volny.cz 2010-09-27 23:57:14 CDT ---
> Although it crashes on exit, that looks like something completely different.

I filed bug 24549.
Alexandre Julliard julliard@winehq.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED
--- Comment #11 from Alexandre Julliard julliard@winehq.org 2010-10-01 13:57:40 CDT ---
Closing bugs fixed in 1.3.4.