[Bug 28420] Schrankplaner (german cupboard/furniture planning software) crashes on startup (OSMesa/OpenGL bitmap driver writes past DIB render buffer)

wine-bugs at winehq.org wine-bugs at winehq.org
Sun Mar 9 08:59:20 CDT 2014


https://bugs.winehq.org/show_bug.cgi?id=28420

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
            Summary|Schrankplaner (german       |Schrankplaner (german
                   |cupboard/furniture planning |cupboard/furniture planning
                   |software) crashes           |software) crashes on
                   |                            |startup (OSMesa/OpenGL
                   |                            |bitmap driver writes past
                   |                            |DIB render buffer)
     Ever confirmed|0                           |1

--- Comment #6 from Anastasius Focht <focht at gmx.net> ---
Hello folks,

revisiting and confirming now.

It seems this is one of the few apps requiring OpenGL bitmap support
(libOSMesa).
Without OpenGL bitmap support enabled in Wine you don't get the startup crash.

libOSMesa on my system: mesa-libOSMesa-9.2.4-1.20131128.fc19 (i686 and x86_64)

--- snip ---
$ WINEDEBUG=+tid,+seh,+relay,+opengl wine ./Schrankplaner.exe >>log.txt 2>&1
...
0025:Ret  opengl32.wglMakeCurrent() retval=00000001 ret=10042672
0025:Call opengl32.glViewport(00000000,00000000,000005e0,00000359) ret=1004268d
0025:trace:opengl:glViewport (0, 0, 1504, 857)
0025:Ret  opengl32.glViewport() retval=7ca85d7c ret=1004268d
0025:Call opengl32.glRenderMode(00001c00) ret=100426e7
0025:trace:opengl:glRenderMode (7168)
0025:Ret  opengl32.glRenderMode() retval=00000000 ret=100426e7
0025:Call opengl32.glClear(00000100) ret=100426f7
0025:trace:opengl:glClear (256)
0025:Ret  opengl32.glClear() retval=7ca78c40 ret=100426f7 
...
0025:Call opengl32.wglMakeCurrent(000202ad,00010001) ret=10038b33
0025:Call opengl32.wglGetPixelFormat(000202ad) ret=7ebf8713
0025:Call gdi32.__wine_get_wgl_driver(000202ad,0000000b) ret=7d3cf675
0025:Ret  gdi32.__wine_get_wgl_driver() retval=7ec3b480 ret=7d3cf675
0025:Ret  opengl32.wglGetPixelFormat() retval=00000001 ret=7ebf8713
0025:Ret  opengl32.wglMakeCurrent() retval=00000001 ret=10038b33
0025:Call opengl32.glViewport(00000000,00000000,000005e0,00000359) ret=10038b4e
0025:trace:opengl:glViewport (0, 0, 1504, 857)
0025:Ret  opengl32.glViewport() retval=7ca85d7c ret=10038b4e
0025:Call opengl32.glClearColor(3f800000,3f800000,3f800000,00000000)
ret=10038bb6
0025:trace:opengl:glClearColor (1.000000, 1.000000, 1.000000, 0.000000)
0025:Ret  opengl32.glClearColor() retval=7ca78c40 ret=10038bb6
0025:Call opengl32.glClear(00004000) ret=10038bc6
0025:trace:opengl:glClear (16384)
0025:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7b56cf97
ip=7b56cf97 tid=0025
0025:trace:seh:raise_exception  info[0]=00000001
0025:trace:seh:raise_exception  info[1]=08111000
0025:trace:seh:raise_exception  eax=08111004 ebx=7b7e5000 ecx=00000283
edx=00ffffff esi=000005e0 edi=00001780
0025:trace:seh:raise_exception  ebp=08111e00 esp=00e0cf50 cs=0023 ds=002b
es=002b fs=0063 gs=006b flags=00210287
0025:trace:seh:call_stack_handlers calling handler at 0x101ce5d6 code=c0000005
flags=0
0025:trace:seh:call_stack_handlers handler at 0x101ce5d6 returned 1
0025:trace:seh:call_stack_handlers calling handler at 0x73dc2e0a code=c0000005
flags=0
0025:trace:seh:call_stack_handlers handler at 0x73dc2e0a returned 1
0025:trace:seh:call_stack_handlers calling handler at 0x101ce470 code=c0000005
flags=0
0025:trace:seh:call_stack_handlers handler at 0x101ce470 returned 1 
...
0025:Call user32.MessageBoxA(00010090,04eed9c4 "Zugriffsverletzung bei Adresse
7B56CF97. Schreiben von Adresse 08111000.",072dfb9c "Schrankplaner",00000010)
ret=004895eb 
--- snip ---

The crash happens in glClear(GL_ACCUM_BUFFER_BIT)
The call is issued from 'vdpro.ocx' library and the mask is hard coded.

Using gdb proxy mode I gathered the following information:

--- snip ---
$ winedbg --gdb ./Schrankplaner.exe
...
Wine-gdb> handle SIGSEGV
Signal        Stop    Print    Pass to program    Description
SIGSEGV       Yes    Yes    Yes        Segmentation fault

Wine-gdb> c
Continuing.
fixme:ole:RemUnknown_QueryInterface No interface for iid
{00000019-0000-0000-c000-000000000046}

Program received signal SIGSEGV, Segmentation fault.
0x7b56cf97 in clear_rgba_buffer (colorMask=0x7ce00e14 '\377' <repeats 32
times>, "\004\004", rb=0x7cca7b40, ctx=0x7ce00008)
    at ../../src/mesa/swrast/s_clear.c:147
147          SIMPLE_TYPE_CLEAR(GLuint);

Wine-gdb> bt
#0  0x7b56cf97 in clear_rgba_buffer (colorMask=0x7ce00e14 '\377' <repeats 32
times>, "\004\004", rb=0x7cca7b40, ctx=0x7ce00008)
    at ../../src/mesa/swrast/s_clear.c:147

#1  clear_color_buffers (ctx=<optimized out>) at
../../src/mesa/swrast/s_clear.c:190

#2  _swrast_Clear (ctx=0x7ce00008, buffers=1) at
../../src/mesa/swrast/s_clear.c:230

#3  0x7b4525d7 in _mesa_Clear (mask=<optimized out>) at
../../src/mesa/main/clear.c:202

#4  0x7b6584f6 in glClear (mask=16384) at
../../../src/mapi/glapi/glapi_mapi_tmp.h:2823

#5  0x7d30774a in glClear (mask=16384) at
/home/focht/projects/wine/wine.repo/src/dlls/opengl32/opengl_norm.c:110

#6  0x10038bc6 in ?? ()

Wine-gdb> info locals
row = <optimized out>
pixel = 16777215
pixelMask = 2095054856
height = 857
width = 1504
pixelSize = 4
j = <optimized out>
x = <optimized out>
map = 0x6680680 "\377\377\377"
rowStride = 6016
y = <optimized out>
doMasking = <optimized out>
clearColor = <optimized out>
mapMode = <optimized out>
i = 643

Wine-gdb> disas
...
   0x7b56cf3f <+2191>:    call   0x7b493330 <_mesa_pack_float_rgba_row>
...
   0x7b56cf90 <+2272>:    mov    0x60(%esp),%edx
   0x7b56cf94 <+2276>:    lea    0x4(%eax),%eax
=> 0x7b56cf97 <+2279>:    mov    %edx,-0x4(%eax)

Wine-gdb> p $eax-4
0x6681000
--- snip ---

--- snip ---
$ cat /proc/32502/maps | grep 06681000
062d0000-06681000 rwxp 00000000 00:00 0 
06681000-06690000 ---p 00000000 00:00 0 
--- snip ---

Source code:

http://cgit.freedesktop.org/mesa/mesa/tree/src/mesa/swrast/s_clear.c?id=mesa-9.2.4#n147

http://cgit.freedesktop.org/mesa/mesa/tree/src/mesa/swrast/s_clear.c?id=mesa-9.2.4#n67

--- snip ---
   /* for 1, 2, 4-byte clearing */
#define SIMPLE_TYPE_CLEAR(TYPE)                                         \
   do {                                                                 \
      TYPE pixel, pixelMask;                                            \
      _mesa_pack_float_rgba_row(rb->Format, 1, clearColor, &pixel);     \
      if (doMasking) {                                                  \
         _mesa_pack_colormask(rb->Format, colorMask, &pixelMask);       \
         pixel &= pixelMask;                                            \
         pixelMask = ~pixelMask;                                        \
      }                                                                 \
      for (i = 0; i < height; i++) {                                    \
         TYPE *row = (TYPE *) map;                                      \
         if (doMasking) {                                               \
            for (j = 0; j < width; j++) {                               \
               row[j] = (row[j] & pixelMask) | pixel;                   \
            }                                                           \
         }                                                              \
         else {                                                         \
            for (j = 0; j < width; j++) {                               \
               row[j] = pixel;                                          \
            }                                                           \
         }                                                              \
         map += rowStride;                                              \
      }                                                                 \
   } while (0)
--- snip ---

From a quick calculation it seems the crash is caused by OSMesa code writing
past the end of the render buffer, so it seems Wine's gdi/dib driver allocates
too small?

map (render buffer) = 0x062d0000 (range: 062d0000-06681000)
height = 857
rowStride = 6016 (w=1504*bpp=4)

$ sha1sum schrankplaner_setup.exe 
1ba6e22ba4f8e5be409337daff8a2d57db5d8723  schrankplaner_setup.exe

$ du -sh schrankplaner_setup.exe 
36M    schrankplaner_setup.exe

$ wine --version
wine-1.7.14

Regards
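
The "quick calculation" above, worked through as an added example (this is not Mesa or Wine code): it replays the store addresses of SIMPLE_TYPE_CLEAR over the numbers from the gdb locals and /proc maps, reports the first store that leaves the rwxp mapping, and shows the size check a clearing path would need before touching the buffer. All type and function names here are invented for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Geometry of one swrast clear pass plus the extent of the mapping it writes
   into. Filled from the report: gdb locals and the /proc/PID/maps line. */
typedef struct {
    uintptr_t map_start;   /* base of the render buffer (the "map" local) */
    uintptr_t map_end;     /* end of the rwxp region, exclusive; next page is ---p */
    int width, height;     /* pixels */
    size_t pixel_size;     /* bytes per pixel (pixelSize local) */
    size_t row_stride;     /* bytes per row (rowStride local) */
} clear_geom;

/* Bytes SIMPLE_TYPE_CLEAR touches: height-1 full strides plus one last row. */
size_t clear_bytes_needed(const clear_geom *g)
{
    return (size_t)(g->height - 1) * g->row_stride + (size_t)g->width * g->pixel_size;
}

/* Walk the clear loop's store addresses without writing. Returns 0 if every
   store lies inside [map_start, map_end), otherwise the address of the first
   store that does not, with its row/column in *row and *col. On the report's
   numbers *row matches gdb's "i = 643" and the address matches "p $eax-4". */
uintptr_t first_oob_store(const clear_geom *g, int *row, int *col)
{
    for (int i = 0; i < g->height; i++) {
        uintptr_t base = g->map_start + (uintptr_t)i * g->row_stride;
        if (base + (uintptr_t)g->width * g->pixel_size <= g->map_end)
            continue;                                  /* whole row fits */
        uintptr_t room = base < g->map_end ? g->map_end - base : 0;
        int j = (int)(room / g->pixel_size);           /* first pixel past the end */
        *row = i; *col = j;
        return base + (uintptr_t)j * g->pixel_size;
    }
    return 0;
}

/* Bounds-checked 4-byte clear into a caller-owned buffer (map_start/map_end of
   g are ignored; buf_size is the real extent). Refuses with -1 instead of
   running off the end, which is the check the crashing path lacks. */
int clear_u32_checked(uint8_t *buf, size_t buf_size, const clear_geom *g, uint32_t pixel)
{
    if (g->width <= 0 || g->height <= 0 || g->pixel_size != sizeof pixel ||
        g->row_stride < (size_t)g->width * g->pixel_size ||
        clear_bytes_needed(g) > buf_size)
        return -1;
    for (int i = 0; i < g->height; i++)
        for (int j = 0; j < g->width; j++)
            memcpy(buf + (size_t)i * g->row_stride + (size_t)j * sizeof pixel, &pixel, sizeof pixel);
    return 0;
}

/* Values from the report: map=0x062d0000, region 062d0000-06681000,
   1504x857 pixels, 4 bytes/pixel, rowStride 6016. */
const clear_geom report_geom = { 0x062d0000u, 0x06681000u, 1504, 857, 4, 6016 };
```

Run on the report's numbers the clear needs 5,155,712 bytes while the mapping holds 3,870,720, and the first out-of-bounds store is at row 643, exactly the 0x06681000 address gdb printed.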
