[Bug 7054] Pure Pinball game crashes trying to access freed texture objects

wine-bugs at winehq.org wine-bugs at winehq.org
Sun Feb 26 07:19:19 CST 2012


http://bugs.winehq.org/show_bug.cgi?id=7054

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |focht at gmx.net
          Component|-unknown                    |directx-d3d
            Summary|Pure Pinball fails to start |Pure Pinball game crashes
                   |                            |trying to access freed
                   |                            |texture objects

--- Comment #11 from Anastasius Focht <focht at gmx.net> 2012-02-26 07:19:19 CST ---
Hello,

--- snip ---
...
0024:trace:d3d8:IDirect3DDevice8Impl_SetPixelShader iface 0x154280, shader 0.
0024:Call wined3d.wined3d_mutex_lock() ret=7e7d2ccf
0024:Ret  wined3d.wined3d_mutex_lock() retval=00000000 ret=7e7d2ccf
0024:Call wined3d.wined3d_device_set_pixel_shader(00183140,00000000)
ret=7e7d2ceb
0024:Ret  wined3d.wined3d_device_set_pixel_shader() retval=00000000
ret=7e7d2ceb
0024:Call wined3d.wined3d_mutex_unlock() ret=7e7d2cf3
0024:Ret  wined3d.wined3d_mutex_unlock() retval=00000000 ret=7e7d2cf3
0024:trace:d3d8:IDirect3DDevice8Impl_SetStreamSource iface 0x154280, stream_idx
0, buffer (nil), stride 0.
0024:Call wined3d.wined3d_mutex_lock() ret=7e7d3680
0024:Ret  wined3d.wined3d_mutex_lock() retval=00000000 ret=7e7d3680
0024:Call
wined3d.wined3d_device_set_stream_source(00183140,00000000,00000000,00000000,00000000)
ret=7e7d36bb
0024:Ret  wined3d.wined3d_device_set_stream_source() retval=00000000
ret=7e7d36bb
0024:Call wined3d.wined3d_mutex_unlock() ret=7e7d36c3
0024:Ret  wined3d.wined3d_mutex_unlock() retval=00000000 ret=7e7d36c3
0024:trace:seh:raise_exception code=c0000005 flags=0 addr=0x428c5a ip=00428c5a
tid=0024
0024:trace:seh:raise_exception  info[0]=00000000
0024:trace:seh:raise_exception  info[1]=feeefef6
0024:trace:seh:raise_exception  eax=feeefeee ebx=03254560 ecx=00123bb8
edx=00000000 esi=00000113 edi=0033fcc8
0024:trace:seh:raise_exception  ebp=0033fa90 esp=0033fa80 cs=0023 ds=002b
es=002b fs=0063 gs=006b flags=00210206
0024:trace:seh:call_stack_handlers calling handler at 0x45bd96 code=c0000005
flags=0 
...
0024:Call user32.MessageBoxA(000100a0,08277008 "Access violation at address
00428C5A in module 'Pure Pinball Demo.exe'. Read of address FEEEFEF6.",08277078
"Pure pinball demo",00000010) ret=0045a0cb 
--- snip --- 

Sometimes the page fault address changes.

Using +heap you get more reliable results (in conjunction with +relay,+snoop).

Code around crash, annotated through debugging:

--- snip ---
...
00428C35  call    dword ptr [edx+14Ch] ;
IDirect3DDevice8Impl_SetStreamSource(iface=0x1309e8, StreamNumber=0,
pStreamData=(nil), Stride=0)
00428C3B  xor     ecx, ecx
00428C3D  mov     [ebp+var_4], ecx
00428C40  mov     eax, [ebp+var_4]
00428C43  cmp     dword_C43FD0[eax*4], 0 ; texture obj table
00428C4B  jz      short loc_428C7D
00428C4D  mov     edx, [ebp+var_4]
00428C50  mov     ecx, dword_C43FD0[edx*4] ; texture obj table
00428C57  push    ecx
00428C58  mov     eax, [ecx]        ; deref to Direct3DTexture8_Vtbl
00428C5A  call    dword ptr [eax+8] ; *boom*
--- snip ---

The game creates some textures from files and stores the pointers globally.

Using "ecx" from the exception frame (0x00123bb8) as a hint, you search the trace log
from the beginning again and find:

Creation of texture:

--- snip ---
...
0024:CALL d3dx8bor.D3DXCreateTextureFromFileExA(<unknown, check
return>(0x110000,70000062,00000040): returning 0x2111b0
) ret=004290e3
0024:Call KERNEL32.CreateFileA(004917f5
"data\\menu\\logo_iridon.jpg",80000000,00000001,00000000,00000003,10000000,00000000)
ret=1002cb3f 
...
0024:trace:d3d8:IDirect3DDevice8Impl_CreateTexture iface 0x154280, width 1024,
height 1024, levels 1, usage 0, format 0x16, pool 0x1, texture 0x33f9e8.
0024:Call ntdll.RtlAllocateHeap(00110000,00000008,00000010) ret=7e7cd3b1
0024:trace:heap:RtlAllocateHeap (0x110000,7000006a,00000010): returning
0x123bb8
0024:Ret  ntdll.RtlAllocateHeap() retval=00123bb8 ret=7e7cd3b1
0024:Call wined3d.wined3d_mutex_lock() ret=7e7d9260
0024:Ret  wined3d.wined3d_mutex_lock() retval=00000000 ret=7e7d9260
0024:Call
wined3d.wined3d_texture_create_2d(00183140,00000400,00000400,00000001,00000000,00000073,00000001,00123bb8,7e7e946c,00123bc0)
ret=7e7d92c3 
...
0024:trace:d3d8:IDirect3DDevice8Impl_CreateTexture Created texture 0x123bb8. 
0024:trace:d3d8:IDirect3DTexture8Impl_GetSurfaceLevel iface 0x123bb8, level 0,
surface 0x33f9ec.
0024:Call wined3d.wined3d_mutex_lock() ret=7e7d8eaa
0024:Ret  wined3d.wined3d_mutex_lock() retval=00000000 ret=7e7d8eaa
0024:Call wined3d.wined3d_texture_get_sub_resource(002115a0,00000000)
ret=7e7d8ebf
0024:Ret  wined3d.wined3d_texture_get_sub_resource() retval=002116e8
ret=7e7d8ebf
0024:Call wined3d.wined3d_resource_get_parent(002116e8) ret=7e7d8edf
0024:Ret  wined3d.wined3d_resource_get_parent() retval=0012e870 ret=7e7d8edf
0024:trace:d3d8:IDirect3DSurface8Impl_AddRef iface 0x12e870.
0024:trace:d3d8:IDirect3DSurface8Impl_AddRef (0x12e870) : Forwarding to
0x123bb8
0024:trace:d3d8:IDirect3DTexture8Impl_AddRef 0x123bb8 increasing refcount to 2.
...
0024:trace:d3d8:IDirect3DSurface8Impl_Release iface 0x12e870.
0024:trace:d3d8:IDirect3DSurface8Impl_Release (0x12e870) : Forwarding to
0x123bb8
0024:trace:d3d8:IDirect3DTexture8Impl_Release 0x123bb8 decreasing refcount to
1.
0024:Call ntdll.RtlFreeHeap(02f26000,00000000,08455020) ret=10001ed3
0024:trace:heap:RtlFreeHeap (0xffa10000,70000061,0xffa19fc0): returning TRUE
0024:trace:heap:RtlFreeHeap (0x2f26000,70000062,0x8455020): returning TRUE
0024:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=10001ed3
0024:Call KERNEL32.UnmapViewOfFile(00390000) ret=1002cbad 
...
0024:RET 
d3dx8bor.D3DXCreateTextureFromFileExA(00154280,004917f5,ffffffff,ffffffff,00000001,00000000,00000000,00000001,00000003,00000003,00000000,00000000,00000000,00c3fb6c)
retval=00000000 ret=004290e3 
--- snip --- 

Usage and freeing:

--- snip ---
0024:trace:d3d8:IDirect3DDevice8Impl_DrawPrimitiveUP iface 0x154280,
primitive_type 0x6, primitive_count 2, data 0x33f92c, stride 28. 
...
0024:trace:d3d8:IDirect3DDevice8Impl_SetTexture iface 0x154280, stage 0,
texture 0x123bb8. 
...
0024:trace:d3d8:IDirect3DDevice8Impl_SetTexture iface 0x154280, stage 0,
texture 0x123bb8. 
...
0024:trace:d3d8:IDirect3DDevice8Impl_Release 0x154280 decreasing refcount to 3.
0024:trace:d3d8:IDirect3DTexture8Impl_Release 0x123bb8 decreasing refcount to
0. 
...
0024:Call ntdll.RtlFreeHeap(00110000,00000000,00123bb8) ret=7e7d9228
0024:trace:heap:RtlFreeHeap (0x110000,70000062,0x123bb8): returning TRUE 
...
0024:Call wined3d.wined3d_texture_decref(002115a0) ret=7e7d8565 
...
0024:trace:d3d8:IDirect3DDevice8Impl_Release 0x154280 decreasing refcount to 2.
0024:CALL
d3dx8bor.D3DXCreateTexture(00154280,00000320,00000258,00000001,00000000,00000016,00000000,00c3fb64)
ret=0042c735
0024:trace:d3d8:IDirect3DDevice8Impl_GetDirect3D iface 0x154280, d3d8 0x33fa3c.
0024:trace:d3d8:IDirect3D8Impl_QueryInterface iface 0x134270, riid
{1dd9e8da-1c77-4d40-b0cf-98fefdff9512}, object 0x33fa3c.
0024:trace:d3d8:IDirect3D8Impl_AddRef 0x134270 increasing refcount to 3.
0024:trace:d3d8:IDirect3DDevice8Impl_GetDeviceCaps iface 0x154280, caps
0x33f918.
0024:Call ntdll.RtlAllocateHeap(00110000,00000008,00000180) ret=7e7cc235
0024:trace:heap:RtlAllocateHeap (0x110000,7000006a,00000180): returning
0x21f8a8 
--- snip ---

I'm not sure if d3d8 is at fault here (reference counting?).

It could also be a bug in the game itself that is hidden due to different heap
management in Windows (freed memory block contents not erased/reused).
I've seen many broken apps that "worked" due to this "feature".

For testing I disabled freeing these textures (dlls/d3d8/texture.c ->
IDirect3DTexture8Impl_Release) and the crash was gone.

The menu animation was shown but I was unable to make any input (the mouse cursor
was also hidden).

You can start the game in windowed mode using the "-win" parameter.

$ sha1sum PurePinballDemo_English.exe 
1a513e5817591bbd86acfb779f1bd7bd8a98658b  PurePinballDemo_English.exe

Regards

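The manual hunt described in the comment above (search the trace from the beginning for the address left in ecx, pair the RtlAllocateHeap/RtlFreeHeap lines, and read the fault address as an offset into Wine's freed-block fill pattern) can be automated. The following is an added example written for this page; it is not code from the bug report, from the game, or from Wine. It replays a +heap,+relay,+d3d8 style trace, flags later d3d8 calls or crash-frame registers that still refer to a freed block, and decodes a fault address of the form 0xFEEEFEEE + N into the vtable slot the crashing instruction was reaching for. The trace it runs on is a constructed, condensed sample modelled on the lines quoted above (the SetTexture call after the free was added to exercise the detector). It assumes the 0xFEEEFEEE fill pattern that Wine's debug heap writes into freed blocks, which is what the eax value in the exception frame above shows, and 4-byte COM vtable slots (32-bit).

```python
import re

# Constructed sample: a condensed Wine +relay,+heap,+d3d8 trace modelled on the
# lines quoted in the bug report. It is NOT the original log; the second
# SetTexture call (line 8, after RtlFreeHeap) was added to exercise the detector.
SAMPLE_TRACE = """\
0024:trace:heap:RtlAllocateHeap (0x110000,7000006a,00000010): returning 0x123bb8
0024:trace:d3d8:IDirect3DDevice8Impl_CreateTexture Created texture 0x123bb8.
0024:trace:d3d8:IDirect3DTexture8Impl_AddRef 0x123bb8 increasing refcount to 2.
0024:trace:d3d8:IDirect3DTexture8Impl_Release 0x123bb8 decreasing refcount to 1.
0024:trace:d3d8:IDirect3DDevice8Impl_SetTexture iface 0x154280, stage 0, texture 0x123bb8.
0024:trace:d3d8:IDirect3DTexture8Impl_Release 0x123bb8 decreasing refcount to 0.
0024:trace:heap:RtlFreeHeap (0x110000,70000062,0x123bb8): returning TRUE
0024:trace:d3d8:IDirect3DDevice8Impl_SetTexture iface 0x154280, stage 0, texture 0x123bb8.
0024:trace:seh:raise_exception code=c0000005 flags=0 addr=0x428c5a ip=00428c5a tid=0024
0024:trace:seh:raise_exception  info[1]=feeefef6
0024:trace:seh:raise_exception  eax=feeefeee ebx=03254560 ecx=00123bb8 edx=00000000 esi=00000113 edi=0033fcc8
"""

# Assumption: Wine's debug heap fills freed blocks with this pattern, so a vtable
# pointer loaded from a freed object reads 0xFEEEFEEE and the fault address is
# pattern + the displacement the instruction added to it.
FREED_FILL = 0xFEEEFEEE
# The first three slots of every COM vtable are IUnknown's methods.
IUNKNOWN_SLOTS = {0: "QueryInterface", 1: "AddRef", 2: "Release"}

ALLOC_RE = re.compile(
    r"trace:heap:RtlAllocateHeap \(0x[0-9a-f]+,[0-9a-f]+,([0-9a-f]+)\): returning 0x([0-9a-f]+)")
FREE_RE = re.compile(
    r"trace:heap:RtlFreeHeap \(0x[0-9a-f]+,[0-9a-f]+,0x([0-9a-f]+)\): returning TRUE")
HEXPTR_RE = re.compile(r"0x([0-9a-f]+)")
FAULT_RE = re.compile(r"raise_exception\s+info\[1\]=([0-9a-f]+)")
REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p)=([0-9a-f]{8})")


def _block_containing(blocks, value):
    """Return (base, line_no) of the tracked block that contains `value`, else None."""
    for base, (line_no, size) in blocks.items():
        if base <= value < base + size:
            return base, line_no
    return None


def analyze_trace(text):
    """Replay heap events and flag later references to blocks already freed."""
    live, freed, findings = {}, {}, []
    for no, line in enumerate(text.splitlines(), 1):
        m = ALLOC_RE.search(line)
        if m:
            size, base = int(m.group(1), 16), int(m.group(2), 16)
            live[base] = (no, size)
            freed.pop(base, None)  # address recycled: later uses are legitimate again
            continue
        m = FREE_RE.search(line)
        if m:
            base = int(m.group(1), 16)
            # Size 1 when the allocation was not seen: match the base address only.
            _, size = live.pop(base, (None, 1))
            freed[base] = (no, size)
            continue
        if "trace:d3d8:" in line:
            # A d3d8 call that still names an object whose block has been freed.
            for h in HEXPTR_RE.findall(line):
                hit = _block_containing(freed, int(h, 16))
                if hit:
                    findings.append({"kind": "d3d8_use", "line": no, "addr": hit[0],
                                     "freed_at": hit[1], "text": line.strip()})
        elif "raise_exception" in line:
            # A register in the crash frame still pointing into a freed block.
            for reg, val in REG_RE.findall(line):
                hit = _block_containing(freed, int(val, 16))
                if hit:
                    findings.append({"kind": "register", "line": no, "addr": hit[0],
                                     "freed_at": hit[1], "text": reg})
    return {"findings": findings, "freed": freed, "live": live}


def decode_fault(text, pointer_size=4):
    """Explain a fault address that lies just above the freed-block fill pattern."""
    fault, regs = None, {}
    for line in text.splitlines():
        if "raise_exception" not in line:
            continue
        m = FAULT_RE.search(line)
        if m:
            fault = int(m.group(1), 16)
        regs.update((r, int(v, 16)) for r, v in REG_RE.findall(line))
    if fault is None:
        return None
    offset = fault - FREED_FILL
    if not 0 <= offset < 0x10000:
        return {"fault": fault, "freed_pattern": False}
    slot = offset // pointer_size
    return {"fault": fault, "freed_pattern": True, "offset": offset, "vtable_slot": slot,
            "slot_name": IUNKNOWN_SLOTS.get(slot, "slot %d" % slot),
            "poisoned_regs": sorted(r for r, v in regs.items() if v == FREED_FILL)}


def report(text):
    """Human-readable summary: one line per finding plus the decoded fault."""
    out = []
    for f in analyze_trace(text)["findings"]:
        out.append("line %d: %s of block 0x%x freed at line %d (%s)"
                   % (f["line"], f["kind"], f["addr"], f["freed_at"], f["text"]))
    d = decode_fault(text)
    if d and d["freed_pattern"]:
        out.append("fault 0x%08x = FREED_FILL + %d -> vtable %s via poisoned %s"
                   % (d["fault"], d["offset"], d["slot_name"], ", ".join(d["poisoned_regs"])))
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_TRACE)))
```

On the sample the report shows the freed texture block 0x123bb8 being handed to SetTexture again, ecx in the crash frame still holding that address, and the fault 0xFEEEFEF6 decoding to offset 8, i.e. the third vtable slot, which for any COM interface is IUnknown::Release. That matches the annotated `call dword ptr [eax+8]` in the comment above: the game is calling Release through the vtable pointer of a texture whose refcount already reached zero. Feeding a real +heap,+relay,+d3d8 log through `report()` gives the same pairing of allocation, free and later use without scrolling the trace by hand; allocations that are recycled are dropped from the freed set so that legitimate reuse of an address is not reported.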