[Bug 31580] 'Create Your Own Model Railway' crashes at 65% preparation after clicking 'Start Game'

wine-bugs at winehq.org
Sun Jul 6 12:16:14 CDT 2014


https://bugs.winehq.org/show_bug.cgi?id=31580

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
                 CC|                            |focht at gmx.net
            Summary|Create Your Own Model       |'Create Your Own Model
                   |Railway - Unhandled         |Railway' crashes at 65%
                   |exception: page fault on    |preparation after clicking
                   |read access                 |'Start Game'
     Ever confirmed|0                           |1

--- Comment #5 from Anastasius Focht <focht at gmx.net> ---
Hello folks,

I found a distributed "backup", confirming.

It crashes at ~65% after clicking 'Start Game' while loading/processing some
animated X file.

--- snip ---
$ WINEDEBUG=+tid,+seh,+relay,+d3dx,+d3d8,+d3dxof,+d3dxof_parsing wine
./cyomr.exe >>log.txt 2>&1
...
002e:trace:d3dxof:IDirectXFileEnumObjectImpl_GetNextDataObject
(0x3880078/0x3880078)->(0x33f6d4)
002e:trace:d3dxof:IDirectXFileDataImpl_Create (0x33f624) 
...
002e:trace:d3dxof_parsing:is_name Found name Scene_Root
002e:trace:d3dxof_parsing:dump_TOKEN TOKEN_NAME
002e:trace:d3dxof_parsing:dump_TOKEN TOKEN_OBRACE
002e:trace:d3dxof_parsing:is_name Found name FrameTransformMatrix
002e:trace:d3dxof_parsing:dump_TOKEN TOKEN_NAME
002e:trace:d3dxof_parsing:parse_object_parts Enter optional
FrameTransformMatrix
002e:trace:d3dxof_parsing:dump_TOKEN TOKEN_OBRACE
002e:trace:d3dxof_parsing:is_float Found float 1.000000 - 1.000000
002e:trace:d3dxof_parsing:dump_TOKEN TOKEN_FLOAT
...
002e:trace:d3dxof_parsing:is_string Found string
C:\\1\\scenes\\trains\\lamprefi.dds
002e:trace:d3dxof_parsing:dump_TOKEN TOKEN_LPSTR
002e:trace:d3dxof_parsing:parse_object_members_list Elements to consider: 1
002e:trace:d3dxof_parsing:parse_object_members_list filename =
C:\\1\\scenes\\trains\\lamprefi.dds
...
002e:trace:d3dxof:IDirectXFileDataImpl_Create (0x33f5f4)
002e:Call ntdll.RtlAllocateHeap(00110000,00000008,0000001c) ret=7e89265b
002e:Ret  ntdll.RtlAllocateHeap() retval=038aab10 ret=7e89265b
002e:trace:d3dxof:IDirectXFileDataImpl_QueryInterface
(0x38aab10/0x38aab10)->({3d82ab44-62da-11cf-ab39-0020af71e433},0x33f650)
002e:trace:d3dxof:IDirectXFileDataImpl_AddRef (0x38aab10/0x38aab10)->(): new
ref 2
002e:trace:d3dxof:IDirectXFileDataImpl_GetType
(0x38aab10/0x38aab10)->(0x33f5f0)
002e:trace:d3dxof:IDirectXFileDataImpl_GetData
(0x38aab10/0x38aab10)->((null),0x33f5dc,0x33f5e0)
002e:trace:d3dxof:IDirectXFileDataImpl_Release (0x38aab10/0x38aab10)->(): new
ref 1
002e:trace:d3dxof:IDirectXFileDataImpl_Release (0x38aab10/0x38aab10)->(): new
ref 0 
...
002e:trace:d3dxof:IDirectXFileDataImpl_GetNextObject
(0x38aac58/0x38aac58)->(0x33f398)
002e:trace:d3dxof:IDirectXFileDataImpl_Release (0x38aac58/0x38aac58)->(): new
ref 1
002e:trace:d3dxof:IDirectXFileDataImpl_Release (0x38aac58/0x38aac58)->(): new
ref 0
002e:Call ntdll.RtlFreeHeap(00110000,00000000,038aac58) ret=7e892b1f
002e:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7e892b1f
002e:trace:d3dxof:IDirectXFileDataImpl_GetNextObject
(0x38aac30/0x38aac30)->(0x33f390)
002e:trace:d3d8:d3d8_device_AddRef 0x142978 increasing refcount to 457.
002e:trace:d3d8:d3d8_device_GetDirect3D iface 0x142978, d3d8 0xde1a00.
002e:trace:d3d8:d3d8_QueryInterface iface 0x143e98, riid
{1dd9e8da-1c77-4d40-b0cf-98fefdff9512}, out 0xde1a00.
002e:trace:d3d8:d3d8_AddRef 0x143e98 increasing refcount to 145.
002e:trace:d3d8:d3d8_device_CreateIndexBuffer iface 0x142978, size 6282, usage
0, format 0x65, pool 0x2, buffer 0x33f1b4. 
...
002e:trace:d3d8:d3d8_device_AddRef 0x142978 increasing refcount to 458.
002e:trace:d3d8:d3d8_device_CreateIndexBuffer Created index buffer 0x38aac58.
...
002e:trace:d3d8:d3d8_device_CreateVertexBuffer iface 0x142978, size 36000,
usage 0, fvf 0x112, pool 0x2, buffer 0x33f1b0. 
...
02e:trace:d3d8:d3d8_device_GetDeviceCaps iface 0x142978, caps 0x33f2d8.
...
002e:trace:d3d8:d3d8_device_GetCreationParameters iface 0x142978, parameters
...
002e:trace:d3d8:d3d8_device_Release 0x142978 decreasing refcount to 457.
002e:trace:d3d8:d3d8_indexbuffer_Release 0x38aac58 decreasing refcount to 0.
002e:Call wined3d.wined3d_mutex_lock() ret=7e85b9df
002e:Ret  wined3d.wined3d_mutex_lock() retval=00000000 ret=7e85b9df
002e:Call wined3d.wined3d_buffer_decref(038aac80) ret=7e85b9ed
...
002e:Ret  wined3d.wined3d_buffer_decref() retval=00000000 ret=7e85b9ed
002e:Call wined3d.wined3d_mutex_unlock() ret=7e85b9f2
002e:Ret  wined3d.wined3d_mutex_unlock() retval=00000000 ret=7e85b9f2
002e:trace:d3d8:d3d8_device_Release 0x142978 decreasing refcount to 456.
002e:Call ntdll.RtlFreeHeap(00c70000,00000000,04b9b830) ret=004d407d
002e:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=004d407d
002e:trace:seh:raise_exception code=c0000005 flags=0 addr=0x74dee0e1
ip=74dee0e1 tid=002e
002e:trace:seh:raise_exception  info[0]=00000000
002e:trace:seh:raise_exception  info[1]=74dee0e1
002e:trace:seh:raise_exception  eax=00c71c74 ebx=7b8bc000 ecx=00de19c0
edx=00de19c0 esi=00000000 edi=00000000
002e:trace:seh:raise_exception  ebp=0033f4cc esp=0033f44c cs=0023 ds=002b
es=002b fs=0063 gs=006b flags=00210a92
002e:trace:seh:call_stack_handlers calling handler at 0x4f5e3f code=c0000005
flags=0
002e:trace:seh:call_stack_handlers handler at 0x4f5e3f returned 1 
...
Unhandled exception: page fault on read access to 0x74dee0e1 in 32-bit code
(0x74dee0e1).
Register dump:
 CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b
 EIP:74dee0e1 ESP:0033f44c EBP:0033f4cc EFLAGS:00210a92(  R- --O I S -A- - )
 EAX:00c71c74 EBX:7b8bc000 ECX:00de19c0 EDX:00de19c0
 ESI:00000000 EDI:00000000
Stack dump:
0x0033f44c:  00de19c5 00407e83 00de19c0 00000000
0x0033f45c:  00000000 00de1910 00de1910 04b9a668
0x0033f46c:  00de1910 00de1910 0033f4f0 0033f4a0
0x0033f47c:  00000053 7ffd8000 7e8a7000 0033f4b0
0x0033f48c:  00000051 00de1910 00de1910 7e8a7000
0x0033f49c:  7e892fda 00142978 00de1110 88760b57
000c: sel=0067 base=00000000 limit=00000000 16-bit --x
Backtrace:
=>0 0x74dee0e1 (0x0033f4cc)
  1 0x00407f4e in cyomr (+0x7f4d) (0x0033f530)
  2 0x004081b1 in cyomr (+0x81b0) (0x0033f59c)
  3 0x004081b1 in cyomr (+0x81b0) (0x0033f608)
  4 0x004081b1 in cyomr (+0x81b0) (0x0033f674)
  5 0x004084bb in cyomr (+0x84ba) (0x0033f700)
  6 0x004052f4 in cyomr (+0x52f3) (0x0033f71c)
  7 0x0045357b in cyomr (+0x5357a) (0x0033fb94)
  8 0x00456d44 in cyomr (+0x56d43) (0x0033fbc4)
  9 0x0048b447 in cyomr (+0x8b446) (0x0033fbcc)
  10 0x0048b01b in cyomr (+0x8b01a) (0x0033fd5c)
  11 0x0048b3d5 in cyomr (+0x8b3d4) (0x0033fd64)
  12 0x00468213 in cyomr (+0x68212) (0x0033fd94)
  13 0x004d540b in cyomr (+0xd540a) (0x0033fe20)
  14 0x7b86404c call_process_entry+0xb() in kernel32 (0x0033fe38) 
...
0x74dee0e1: addb    %al,0x0(%eax)
Modules:
Module    Address            Debug info    Name (106 modules)
PE      400000-  839000    Export          cyomr
PE      840000-  932000    Deferred        vorbis
PE    10000000-1000d000    Deferred        ogg
ELF    4e99a000-4e9a3000    Deferred        librt.so.1 
...
Threads:
process  tid      prio (all id:s are in hex)
...
0000002d (D) C:\Program Files\Focus Multimedia Limited\Create your own Model
Railway\cyomr.exe
    00000031   15
    00000030    0
    0000002f    0
    0000002e    0 <== 
--- snip ---

There is a call to 'd3d8.d3d8_device_GetCreationParameters' before the crash.
Debugging that code yields that it checks the 'creation_parameters.flag' field
for:

0x50 -> WINED3DCREATE_HARDWARE_VERTEXPROCESSING | WINED3DCREATE_PUREDEVICE
0x80 -> WINED3DCREATE_MIXED_VERTEXPROCESSING

'flags' for the device is set to 0x80 -> WINED3DCREATE_MIXED_VERTEXPROCESSING

There is some other condition I couldn't identify yet, which finally results in
code 0x88760B57 -> 'D3DXERR_SKINNINGNOTSUPPORTED' internally set and propagated
through some code paths.

'd3d8_device_Release' after that could indicate it hits some cleanup path.
In the end the crash results from some (stale?) address being interpreted as
vtable pointer.

'winetricks -q d3dxof' didn't help.

Regards
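
Added example, not part of the original comment or of Wine's code: a small Python triage helper for a `+seh` trace like the one quoted above. It checks whether the faulting address equals EIP (control went to an unmapped address, which fits a bad vtable pointer), whether EIP lies in a listed module, and whether the stack dump holds failure codes with facility 0x876. The name `triage` and the sample text are assumptions built from the lines in the mail.

```python
import re

# Constructed sample: rows copied from the trace in the comment above (wrapped
# lines re-joined). Only the four module rows shown in the mail are included.
SAMPLE = """\
002e:trace:seh:raise_exception code=c0000005 flags=0 addr=0x74dee0e1 ip=74dee0e1 tid=002e
002e:trace:seh:raise_exception  info[0]=00000000
002e:trace:seh:raise_exception  info[1]=74dee0e1
0x0033f49c:  7e892fda 00142978 00de1110 88760b57
PE      400000-  839000    Export          cyomr
PE      840000-  932000    Deferred        vorbis
PE    10000000-1000d000    Deferred        ogg
ELF    4e99a000-4e9a3000    Deferred        librt.so.1
"""

EXC = re.compile(r"raise_exception code=([0-9a-f]+) flags=\d+ addr=0x([0-9a-f]+)\s+ip=([0-9a-f]+)")
INFO = re.compile(r"raise_exception\s+info\[(\d)\]=([0-9a-f]+)")
MOD = re.compile(r"^(?:PE|ELF)\s+([0-9a-f]+)-\s*([0-9a-f]+)\s+\S+\s+(\S+)", re.M)
STACK = re.compile(r"^0x[0-9a-f]+:((?:[ \t]+[0-9a-f]{8})+)[ \t]*$", re.M)


def triage(log):
    """Summarise the first exception in a Wine +seh trace (hypothetical helper)."""
    m = EXC.search(log)
    if m is None:
        return None
    code, _, ip = (int(x, 16) for x in m.groups())
    info = {}
    for i, v in INFO.findall(log[m.end():]):
        info.setdefault(int(i), int(v, 16))  # keep the first exception's values
    mods = [(int(lo, 16), int(hi, 16), name) for lo, hi, name in MOD.findall(log)]
    words = [int(w, 16) for row in STACK.findall(log) for w in row.split()]
    return {
        "access_violation": code == 0xC0000005,
        # info[0] of an access violation: 0 = read, 1 = write, 8 = execute (DEP)
        "access": {0: "read", 1: "write", 8: "execute"}.get(info.get(0)),
        # Faulting address == EIP: the fault happened while fetching the
        # instruction, so control had already gone to an unmapped address.
        "ifetch_fault": info.get(1) == ip,
        # None means "not inside any module range present in the log".
        "ip_module": next((n for lo, hi, n in mods if lo <= ip < hi), None),
        # Failure codes with facility 0x876, like the 0x88760B57 noted above.
        "d3d_errors_on_stack": [w for w in words if w >> 16 == 0x8876],
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
```

The module list in the mail is elided, so an `ip_module` of `None` on this sample only rules out the four ranges shown.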
