[Bug 39078] Visual Pinball 8.x, 9.x, 10.x crash on exit after creating a new table, needs support for VBScript IActiveScriptDebug
wine-bugs at winehq.org
Sat May 13 04:23:25 CDT 2017
https://bugs.winehq.org/show_bug.cgi?id=39078
Anastasius Focht <focht at gmx.net> changed:
What    | Removed                                                             | Added
--------+---------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------
Summary | Visual Pinball 9.9.1 crashes on exit after creating a new table     | Visual Pinball 8.x, 9.x, 10.x crash on exit after creating a new table, needs support for VBScript IActiveScriptDebug
CC      |                                                                     | focht at gmx.net
--- Comment #8 from Anastasius Focht <focht at gmx.net> ---
Hello folks,
confirming.
--- snip ---
$ pwd
/home/focht/.wine/drive_c/Visual Pinball
$ WINEDEBUG=+tid,+seh,+relay,+vbscript,+ole,+variant wine ./VPinballX.exe >>log.txt 2>&1
...
0036:trace:vbscript:VBScript_SetScriptState (0x1ba958)->(3)
0036:fixme:vbscript:VBScript_SetScriptState unimplemented state 3
0036:trace:vbscript:VBScript_SetScriptState (0x1ba958)->(4)
0036:fixme:vbscript:VBScript_SetScriptState unimplemented state 4
0036:trace:vbscript:VBScript_Release (0x1ba958) ref=1
0036:trace:vbscript:VBScript_Release (0x1ba958) ref=0
0036:trace:vbscript:DispatchEx_AddRef (0x17d290) ref=2
0036:trace:vbscript:DispatchEx_Release (0x17d290) ref=1
0036:trace:vbscript:DispatchEx_AddRef (0x17d328) ref=2
0036:trace:vbscript:DispatchEx_Release (0x17d328) ref=1
0036:trace:vbscript:DispatchEx_Release (0x17d328) ref=0
...
0036:trace:vbscript:DispatchEx_Release (0x17d290) ref=0
...
0036:trace:vbscript:ScriptDisp_Release (0x1a7e00) ref=0
...
0036:trace:seh:raise_exception code=c0000005 flags=0 addr=0x4499d4 ip=004499d4 tid=0036
0036:trace:seh:raise_exception info[0]=00000000
0036:trace:seh:raise_exception info[1]=00000000
0036:trace:seh:raise_exception eax=00000000 ebx=001af7a0 ecx=0033e980 edx=00110064 esi=001b0bf0 edi=00000010
0036:trace:seh:raise_exception ebp=00190f30 esp=0033e980 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00210216
0036:trace:seh:call_stack_handlers calling handler at 0x528470 code=c0000005 flags=0
...
wine: Unhandled page fault on read access to 0x00000000 at address 0x4499d4 (thread 0036), starting debugger...
...
Backtrace:
=>0 0x00000018 (0xe8f18b56)
0x00000018: -- no code accessible --
Modules:
Module Address Debug info Name (157 modules)
PE 400000- 149f000 Export vpinballx
PE 14a0000- 1a1b000 Deferred freeimage
PE 1c40000- 1cd0000 Deferred scilexervp
PE 10000000-10050000 Deferred bass
ELF 7a800000-7a942000 Deferred opengl32<elf>
\-PE 7a840000-7a942000 \ opengl32
ELF 7b400000-7b7f0000 Deferred kernel32<elf>
\-PE 7b420000-7b7f0000 \ kernel32
ELF 7bc00000-7bd0a000 Deferred ntdll<elf>
\-PE 7bc30000-7bd0a000 \ ntdll
ELF 7c000000-7c004000 Deferred <wine-loader>
...
Threads:
process tid prio (all id:s are in hex)
...
00000035 (D) C:\Visual Pinball\VPinballX.exe
0000003b 0
0000003a 0
00000039 15
00000038 15
00000037 0
00000036 0 <==
--- snip ---
Application code call site:
--- snip ---
00449990 PUSH ESI
00449991 MOV ESI,DWORD PTR SS:[ESP+8]
00449995 MOV ECX,DWORD PTR DS:[ESI+104]
0044999B TEST ECX,ECX
0044999D JE SHORT VPinball.004499D9
0044999F MOV EAX,DWORD PTR DS:[ECX]
004499A1 PUSH 3
004499A3 PUSH ECX
004499A4 CALL DWORD PTR DS:[EAX+14] ; vbscript.VBScript_SetScriptState
004499A7 MOV EAX,DWORD PTR DS:[ESI+104]
004499AD PUSH 4
004499AF PUSH EAX
004499B0 MOV ECX,DWORD PTR DS:[EAX]
004499B2 CALL DWORD PTR DS:[ECX+14] ; vbscript.VBScript_SetScriptState
004499B5 MOV EAX,DWORD PTR DS:[ESI+104]
004499BB PUSH EAX
004499BC MOV ECX,DWORD PTR DS:[EAX]
004499BE CALL DWORD PTR DS:[ECX+8] ; vbscript.VBScript_Release
004499C1 MOV EAX,DWORD PTR DS:[ESI+11C]
004499C7 PUSH EAX
004499C8 MOV ECX,DWORD PTR DS:[EAX]
004499CA CALL DWORD PTR DS:[ECX+8] ; vbscript.VBScriptParse_Release
004499CD MOV EAX,DWORD PTR DS:[ESI+120]
004499D3 PUSH EAX
004499D4 MOV ECX,DWORD PTR DS:[EAX] ; *boom*
004499D6 CALL DWORD PTR DS:[ECX+8]
004499D9 XOR EAX,EAX
004499DB POP ESI
004499DC RETN 4
--- snip ---
The game tries to release an interface/instance which is not present.
Using the referenced memory locations on the heap, one can find the
game code that QIs/stores the interface pointers (hw bp).
Another way is to go back in time, looking for any vbscript QI failures in
the trace log.
--- snip ---
...
0036:trace:vbscript:VBScriptFactory_CreateInstance ((nil) {bb1a2ae2-a4f9-11cf-8f20-00805f2cd064} 0x33f2fc)
...
0036:trace:vbscript:VBScript_QueryInterface (0x1ba958)->(IID_IActiveScriptParse 0x33f2fc)
0036:trace:vbscript:VBScript_AddRef (0x1ba958) ref=2
0036:trace:vbscript:VBScript_Release (0x1ba958) ref=1
0036:trace:vbscript:ClassFactory_Release (0xf298e440)
0036:Ret ole32.CoCreateInstance() retval=00000000 ret=004498f4
0036:trace:vbscript:VBScript_QueryInterface (0x1ba958)->(IID_IActiveScript 0x1b0cf4)
0036:trace:vbscript:VBScript_AddRef (0x1ba958) ref=2
0036:fixme:vbscript:VBScript_QueryInterface (0x1ba958)->({51973c10-cb0c-11d0-b5c9-00a0244a0e7a} 0x1b0d10)
0036:trace:vbscript:VBScriptParse_InitNew (0x1ba958)
...
--- snip ---
It's the only QI failure present for that component and indeed the culprit here.
51973c10-cb0c-11d0-b5c9-00a0244a0e7a = IID_IActiveScriptDebug(32)
https://source.winehq.org/git/wine.git/blob/4eaaf06ce4e5d7424eec2cf303c8256610544b39:/include/activdbg.idl#l106
--- snip ---
106 /************************************************************
107  * interface IActiveScriptDebug32
108  */
109 [
110     object,
111     uuid(51973c10-cb0c-11d0-b5c9-00a0244a0e7a),
112     pointer_default(unique)
113 ]
114 interface IActiveScriptDebug32 : IUnknown
115 {
116     HRESULT GetScriptTextAttributes(
117         [in, size_is(uNumCodeChars)] LPCOLESTR pstrCode,
118         [in] ULONG uNumCodeChars,
119         [in] LPCOLESTR pstrDelimiter,
120         [in] DWORD dwFlags,
121         [in, out, size_is(uNumCodeChars)] SOURCE_TEXT_ATTR *pattr);
122
123     HRESULT GetScriptletTextAttributes(
124         [in, size_is(uNumCodeChars)] LPCOLESTR pstrCode,
125         [in] ULONG uNumCodeChars,
126         [in] LPCOLESTR pstrDelimiter,
127         [in] DWORD dwFlags,
128         [in, out, size_is(uNumCodeChars)] SOURCE_TEXT_ATTR *pattr);
129
130     HRESULT EnumCodeContextsOfPosition(
131         [in] DWORD dwSourceContext,
132         [in] ULONG uCharacterOffset,
133         [in] ULONG uNumChars,
134         [out] IEnumDebugCodeContexts **ppescc);
135 }
--- snip ---
https://source.winehq.org/git/wine.git/blob/4eaaf06ce4e5d7424eec2cf303c8256610544b39:/dlls/vbscript/vbscript.c#l228
--- snip ---
228 static HRESULT WINAPI VBScript_QueryInterface(IActiveScript *iface, REFIID riid, void **ppv)
229 {
230     VBScript *This = impl_from_IActiveScript(iface);
231
232     if(IsEqualGUID(riid, &IID_IUnknown)) {
233         TRACE("(%p)->(IID_IUnknown %p)\n", This, ppv);
234         *ppv = &This->IActiveScript_iface;
235     }else if(IsEqualGUID(riid, &IID_IActiveScript)) {
236         TRACE("(%p)->(IID_IActiveScript %p)\n", This, ppv);
237         *ppv = &This->IActiveScript_iface;
238     }else if(IsEqualGUID(riid, &IID_IActiveScriptParse)) {
239         TRACE("(%p)->(IID_IActiveScriptParse %p)\n", This, ppv);
240         *ppv = &This->IActiveScriptParse_iface;
241     }else if(IsEqualGUID(riid, &IID_IActiveScriptParseProcedure2)) {
242         TRACE("(%p)->(IID_IActiveScriptParseProcedure2 %p)\n", This, ppv);
243         *ppv = &This->IActiveScriptParseProcedure2_iface;
244     }else if(IsEqualGUID(riid, &IID_IObjectSafety)) {
245         TRACE("(%p)->(IID_IObjectSafety %p)\n", This, ppv);
246         *ppv = &This->IObjectSafety_iface;
247     }else {
248         FIXME("(%p)->(%s %p)\n", This, debugstr_guid(riid), ppv);
249         *ppv = NULL;
250         return E_NOINTERFACE;
251     }
252
253     IUnknown_AddRef((IUnknown*)*ppv);
254     return S_OK;
255 }
--- snip ---
ProtectionID scan for completeness:
--- snip ---
-=[ ProtectionID v0.6.8.5 DECEMBER]=-
(c) 2003-2017 CDKiLLER & TippeX
Build 24/12/16-13:09:21
Ready...
Scanning -> C:\Visual Pinball\VPinballX.exe
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 5188096 (04F2A00h) Byte(s) | Machine: 0x14C (I386)
Compilation TimeStamp : 0x585C1547 -> Thu 22nd Dec 2016 18:02:47 (GMT)
[TimeStamp] 0x585C1547 -> Thu 22nd Dec 2016 18:02:47 (GMT) | PE Header | - | Offset: 0x00000160 | VA: 0x00400160 | -
[File Heuristics] -> Flag #1 : 00000000000000001100001000100011 (0x0000C223)
[Entrypoint Section Entropy] : 7.90 (section #1) "UPX1 " | Size : 0x4B6200 (4940288) byte(s)
[DllCharacteristics] -> Flag : (0x8100) -> DEP | TSA
[SectionCount] 3 (0x3) | ImageSize 0x109F000 (17428480) byte(s)
[VersionInfo] Product Name : Visual Pinball
[VersionInfo] Product Version : 10. 2. 0. 0
[VersionInfo] File Description : Visual Pinball 10.2.0
[VersionInfo] File Version : 10. 2. 0. 0
[VersionInfo] Original FileName : VPinballX.exe
[VersionInfo] Internal Name : Visual Pinball
[VersionInfo] Legal Copyrights : Copyright 2000-2016
[ModuleReport] [IAT] Modules -> KERNEL32.DLL | ADVAPI32.dll | bass.dll | COMCTL32.dll | COMDLG32.dll | d3d9.dll | d3dx9_43.dll | dbghelp.dll | DINPUT.dll | DSOUND.dll | FreeImage.dll | GDI32.dll | HID.DLL | ole32.dll | OLEAUT32.dll | SETUPAPI.dll | USER32.dll | WINMM.dll
[!] UPX 3.07 compressed !
upx internal version : 013 / compression method : 08 (M_NRV2E_LE32) - Level : 09
decompressed adler32 : 0x7740E8F9 / compressed adler32 : 0x2B703B89
uncompressed size : 0x0105ED5C (017165660) / compressed size : 0x004B5F22 (04939554)
original file size : 0x01053C00 (017120256) / filter : 0x026 / ct0 0x15 / linkchecksum : 0x0D4
- Scan Took : 0.979 Second(s) [0000003D3h (979) tick(s)] [506 of 580 scan(s) done]
--- snip ---
$ sha1sum VPX2setup.zip
e862530f81c1305c9cc2c2f1e2789df901fdf4d6 VPX2setup.zip
$ sha1sum VPX2setup.exe
74795af49709b0d13f33bd41342f60fcc7a4eb06 VPX2setup.exe
$ du -sh VPX2setup.exe
36M VPX2setup.exe
$ wine --version
wine-2.8
Regards
--
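The failure chain the comment traces (a QueryInterface that returns E_NOINTERFACE leaves the caller's pointer slot NULL, and the game's exit path calls Release through that slot without checking it), modelled as an added, self-contained C program; this is not code from the report, Wine or Visual Pinball. The IUnknown vtable layout and IID_IActiveScript (bb1a2ae1-...) are assumed from the standard COM/ActiveScript headers; the other two IIDs and the three-Release shutdown sequence follow the trace and disassembly above.

```c
#include <stdint.h>
#include <string.h>
/* Toy stand-ins for the COM pieces involved; not the Windows headers. */
typedef int32_t HRESULT;
#define S_OK          ((HRESULT)0)
#define E_NOINTERFACE ((HRESULT)0x80004002)
typedef struct { uint32_t d1; uint16_t d2, d3; uint8_t d4[8]; } GUID;
static int guid_eq(const GUID *a, const GUID *b) { return !memcmp(a, b, sizeof *a); }
/* IIDs: Parse and Debug32 are quoted in the trace; IActiveScript (bb1a2ae1-...) is assumed from activscp.h. */
static const GUID IID_IActiveScript        = {0xbb1a2ae1,0xa4f9,0x11cf,{0x8f,0x20,0x00,0x80,0x5f,0x2c,0xd0,0x64}};
static const GUID IID_IActiveScriptParse   = {0xbb1a2ae2,0xa4f9,0x11cf,{0x8f,0x20,0x00,0x80,0x5f,0x2c,0xd0,0x64}};
static const GUID IID_IActiveScriptDebug32 = {0x51973c10,0xcb0c,0x11d0,{0xb5,0xc9,0x00,0xa0,0x24,0x4a,0x0e,0x7a}};
/* IUnknown layout: QueryInterface at vtable +0, AddRef at +4, Release at +8 (the CALL [ECX+8] above). */
typedef struct IUnknown { const struct IUnknownVtbl *lpVtbl; } IUnknown;
typedef struct IUnknownVtbl {
    HRESULT  (*QueryInterface)(IUnknown *, const GUID *, void **);
    uint32_t (*AddRef)(IUnknown *);
    uint32_t (*Release)(IUnknown *);
} IUnknownVtbl;
typedef struct { IUnknown iface; uint32_t ref; int has_debug; } Engine;
static uint32_t eng_addref(IUnknown *i)  { return ++((Engine *)i)->ref; }
static uint32_t eng_release(IUnknown *i) { return --((Engine *)i)->ref; }
static HRESULT eng_qi(IUnknown *iface, const GUID *riid, void **ppv)
{
    if (guid_eq(riid, &IID_IActiveScript) || guid_eq(riid, &IID_IActiveScriptParse) ||
        (((Engine *)iface)->has_debug && guid_eq(riid, &IID_IActiveScriptDebug32))) {
        *ppv = iface; eng_addref(iface); return S_OK;
    }
    *ppv = NULL;            /* as in Wine's FIXME branch: the caller's slot stays NULL */
    return E_NOINTERFACE;
}
static const IUnknownVtbl eng_vtbl = { eng_qi, eng_addref, eng_release };
/* Game-side shutdown as in the disassembly: three stored pointers, each released through vtable slot 2.
   Returns 1 if the sequence completes, 0 if it would dereference a NULL slot (the *boom* at 004499D4). */
static int game_shutdown(IUnknown *slots[3], int null_checked)
{
    for (int i = 0; i < 3; i++) {
        if (slots[i]) slots[i]->lpVtbl->Release(slots[i]);
        else if (!null_checked) return 0;
    }
    return 1;
}
/* QI the three interfaces the game asks for, then shut down; has_debug=0 is Wine 2.8 as traced. */
static int scenario(int has_debug, int null_checked)
{
    Engine eng = { { &eng_vtbl }, 1, has_debug };
    IUnknown *slots[3] = { NULL, NULL, NULL };
    const GUID *iids[3] = { &IID_IActiveScript, &IID_IActiveScriptParse, &IID_IActiveScriptDebug32 };
    for (int i = 0; i < 3; i++) eng_qi(&eng.iface, iids[i], (void **)&slots[i]); /* HRESULT ignored, as the game does */
    return game_shutdown(slots, null_checked);
}
```

scenario(0, 0) reproduces the report (engine without IActiveScriptDebug32, unchecked Release); scenario(1, 0) shows the crash disappearing once the engine answers the QI, which is the fix the bug title asks for.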