Crash in comctl32.dll in TV_GetItemRect function

  • Question

  • Hi,

    I have an MFC-based application written in C++ and developed with Visual Studio Pro 2013. On some systems (customer computers) we sometimes get crashes in the comctl32.dll library. Here is what I can say about the crashes:

    - the crash is always in the same place in comctl32.dll: the TV_GetItemRect function

    - the crash happens in both the 32-bit and 64-bit versions of the DLL

    - the crash happens on various Windows systems: Windows 10, Win2008 Server or Windows 8.2

    - the crash is in these versions of comctl32.dll: 6.10.10586.0, 6.10.10240.16384, 6.10.9200.16384, 6.10.7601.18837. It may happen in other versions; these are the versions from the customers who reported the crash

    - our application is MFC based; in the crash dumps we got from customers I see in the stack backtrace that only standard (system + MFC) code is involved, our code is not there.

    Here are two cases of the crash with stack dumps, one 32-bit and one 64-bit:

    ==========================================================

    64bit:

    Operating System: Windows NT (6.2.9200 ) Windows 8 (Pro) 6.2
    Architecture: amd64
    Crash reason: EXCEPTION_ACCESS_VIOLATION
    Crash address: 0x873f6e4b5c

    0x000007fec9410000 - 0x000007fec9678fff  comctl32.dll (6.10.9200.16384)

    Stack:

    Not Flagged > 9728 0 Main Thread Main Thread comctl32.dll!TV_GetItemRect Normal
                comctl32.dll!TV_GetItemRect(struct _TREE *,struct _TREEITEM *,struct tagRECT *,unsigned int) 
                comctl32.dll!TV_InvalidateItem(struct _TREE *,struct _TREEITEM *,unsigned int) 
                comctl32.dll!TV_OnMouseMove(struct _TREE *,unsigned long,unsigned __int64) 
                comctl32.dll!TV_WndProc(struct HWND__ *,unsigned int,unsigned __int64,__int64) 
                user32.dll!UserCallWinProcCheckWow() 
                user32.dll!CallWindowProcW() 
                mfc120u.dll!CWnd::DefWindowProcW(unsigned int nMsg, unsigned __int64 wParam, __int64 lParam) Line 1117 
                mfc120u.dll!CWnd::WindowProc(unsigned int message, unsigned __int64 wParam, __int64 lParam) Line 2095 
                mfc120u.dll!AfxCallWndProc(CWnd * pWnd, HWND__ * hWnd, unsigned int nMsg, unsigned __int64 wParam, __int64 lParam) Line 282 
                mfc120u.dll!AfxWndProc(HWND__ * hWnd, unsigned int nMsg, unsigned __int64 wParam, __int64 lParam) Line 434 
                mfc120u.dll!AfxWndProcBase(HWND__ * hWnd, unsigned int nMsg, unsigned __int64 wParam, __int64 lParam) Line 299 
                user32.dll!UserCallWinProcCheckWow() 
                user32.dll!DispatchMessageWorker() 
                mfc120u.dll!AfxInternalPumpMessage() Line 183 
                mfc120u.dll!CWinThread::Run() Line 634 
                mfc120u.dll!AfxWinMain(HINSTANCE__ * hInstance, HINSTANCE__ * hPrevInstance, wchar_t * lpCmdLine, int nCmdShow) Line 47 
                LANrev Admin.exe!__tmainCRTStartup() Line 618 
                kernel32.dll!BaseThreadInitThunk() 
                ntdll.dll!RtlUserThreadStart() 


    Disassembly:

    TV_GetItemRect:
    000007FEC9458350  mov         qword ptr [rsp+8],rbx 
    000007FEC9458355  mov         qword ptr [rsp+10h],rbp 
    000007FEC945835A  mov         qword ptr [rsp+18h],rsi 
    000007FEC945835F  push        rdi 
    000007FEC9458360  push        r14 
    000007FEC9458362  push        r15 
    000007FEC9458364  sub         rsp,20h 
    000007FEC9458368  xor         edi,edi 
    000007FEC945836A  mov         r15d,r9d 
    000007FEC945836D  mov         rsi,r8 
    000007FEC9458370  mov         rbp,rdx 
    000007FEC9458373  mov         rbx,rcx 
    000007FEC9458376  test        rdx,rdx 
    000007FEC9458379  je          TV_GetItemRect+3A0h (07FEC94586F0h) 
    000007FEC945837F  mov         r14d,dword ptr [rdx+3Ch]    <--------------- crash here
    000007FEC9458383  cmp         r14d,0FFFFFFFFh 
    000007FEC9458387  je          TV_GetItemRect+3A0h (07FEC94586F0h) 
    000007FEC945838D  mov         rax,qword ptr [rcx+178h] 
    000007FEC9458394  sub         r14d,dword ptr [rax+3Ch] 

    Registry at crash time:

    RAX = 00008D899706F1BA
    RBX = 000000873B389060
    RCX = 000000873B389060
    RDX = 000000873F6E4B20
    RSI = 000000873474F3C0
    RDI = 0000000000000000
    R8  = 000000873474F3C0
    R9  = 0000000000000000
    R10 = 0000000000000000
    R11 = 0000000000000000
    R12 = 0000000000000000
    R13 = 0000000000000200
    R14 = 0000000001990039
    R15 = 0000000000000000
    RIP = 000007FEC945837F
    RSP = 000000873474F360
    RBP = 000000873F6E4B20
    EFL = 00010202

    CS = 0033 DS = 002B ES = 002B SS = 002B FS = 0053 GS = 002B

    ST0 = +0.0000000000000000e+0000  
    ST1 = +0.0000000000000000e+0000  
    ST2 = +0.0000000000000000e+0000  
    ST3 = +0.0000000000000000e+0000  
    ST4 = +0.0000000000000000e+0000  
    ST5 = +0.0000000000000000e+0000  
    ST6 = +0.0000000000000000e+0000  
    ST7 = +0.0000000000000000e+0000  
    CTRL = 027F STAT = 0000 TAGS = 0000 EIP = 00000000 EDO = 00000000

    0x000000003f6e4b5c = 00000000

    =====================================================================

    32bit:

    Operating System: Windows NT (6.1.7601 Service Pack 1)
    Architecture: x86
    CPU: GenuineIntel family 6 model 44 stepping 2  16 CPUs
    Crash reason: EXCEPTION_ACCESS_VIOLATION
    Crash address: 0x968d0ac
    0x74d20000 - 0x74ebdfff  comctl32.dll (6.10.7601.17514

    Stack:
    Not Flagged > 3988 0 Main Thread Main Thread comctl32.dll!TV_GetItemRect Normal
                comctl32.dll!TV_GetItemRect(struct _TREE *,struct _TREEITEM *,struct tagRECT *,unsigned int) 
                comctl32.dll!TV_InvalidateItem(struct _TREE *,struct _TREEITEM *,unsigned int) 
                comctl32.dll!TV_OnMouseMove(struct _TREE *,unsigned long,unsigned int) 
                comctl32.dll!TV_WndProc(struct HWND__ *,unsigned int,unsigned int,long) 
                user32.dll!_InternalCallWinProc 20() 
                user32.dll!_UserCallWinProcCheckWow 32() 
                user32.dll!_CallWindowProcAorW 24() 
                user32.dll!_CallWindowProcW 20() 
                mfc120u.dll!CWnd::DefWindowProcW(unsigned int nMsg, unsigned int wParam, long lParam) Line 1116 
                mfc120u.dll!CWnd::WindowProc(unsigned int message, unsigned int wParam, long lParam) Line 2095 
                mfc120u.dll!AfxCallWndProc(CWnd * pWnd, HWND__ * hWnd, unsigned int nMsg, unsigned int wParam, long lParam) Line 285 
                mfc120u.dll!AfxWndProc(HWND__ * hWnd, unsigned int nMsg, unsigned int wParam, long lParam) Line 434 
                mfc120u.dll!AfxWndProcBase(HWND__ * hWnd, unsigned int nMsg, unsigned int wParam, long lParam) Line 299 
                user32.dll!_InternalCallWinProc 20() 
                user32.dll!_UserCallWinProcCheckWow 32() 
                user32.dll!_DispatchMessageWorker 8() 
                user32.dll!_DispatchMessageW 4() 
                mfc120u.dll!AfxInternalPumpMessage() Line 183 
                mfc120u.dll!AfxWinMain(HINSTANCE__ * hInstance, HINSTANCE__ * hPrevInstance, wchar_t * lpCmdLine, int nCmdShow) Line 47 
                kernel32.dll! BaseThreadInitThunk 12() 

    Disassembly:
    TV_GetItemRect:
    74DC91BE  mov         edi,edi 
    74DC91C0  push        ebp 
    74DC91C1  mov         ebp,esp 
    74DC91C3  push        ebx 
    74DC91C4  mov         ebx,dword ptr [ebp+0Ch] 
    74DC91C7  test        ebx,ebx 
    74DC91C9  je          TV_GetItemRect+0FFFFB876h (74DC4A34h) 
    74DC91CF  mov         eax,dword ptr [ebx+24h]             <------------ crash is here
    74DC91D2  cmp         eax,0FFFFFFFFh 
    74DC91D5  je          TV_GetItemRect+0FFFFB876h (74DC4A34h) 
    74DC91DB  push        esi 
    74DC91DC  push        edi 
    74DC91DD  mov         edi,dword ptr [ebp+8] 
    74DC91E0  mov         ecx,dword ptr [edi+0E8h] 
    74DC91E6  sub         eax,dword ptr [ecx+24h] 
    74DC91E9  test        byte ptr [ebp+14h],2 
    74DC91ED  mov         dword ptr [ebp+0Ch],eax 
    74DC91F0  jne         TV_GetItemRect+0FFFE3256h (74DAC414h) 
    74DC91F6  mov         esi,dword ptr [ebp+10h] 
    74DC91F9  and         dword ptr [esi],0 
    74DC91FC  movsx       eax,word ptr [edi+0D2h] 
    74DC9203  mov         dword ptr [esi+8],eax 
    74DC9206  test        byte ptr [ebp+14h],1 

    Registry at crash time:
    EAX = 0968D088
    EBX = 0968D088
    ECX = 0032F8BC
    EDX = 00000046
    ESI = 079990D8
    EDI = 00000001
    EIP = 74DC91CF
    ESP = 0032F89C
    EBP = 0032F8A0
    EFL = 00010206

    CS = 0023 DS = 002B ES = 002B SS = 002B FS = 0053 GS = 002B

    ST0 = 1#SNAN                     
    ST1 = 1#SNAN                     
    ST2 = 1#SNAN                     
    ST3 = +9.9999997764825820e-0001  
    ST4 = +9.9999997764825820e-0001  
    ST5 = 1#SNAN                     
    ST6 = +1.6000000000000000e+0001  
    ST7 = +1.6000000000000000e+0001  
    CTRL = 027F STAT = 4020 TAGS = FFFF EIP = 76EC7F6C EDO = 05480A84

    0x0968d0ac = 00000000

    =====================================================

    The crashes look like some sort of NULL pointer access. I don't think that I have memory trashing there, because the crashes (stack dump and place) are the same in all cases from the customers (about 7-8 cases). I'm using the CTreeCtrl MFC class in our code and I suspect I'm doing something wrong; the question is what?

    Thanks for your help


    Sturm Dorel

    Tuesday, September 20, 2016 9:20 AM
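    A small triage step, added here and not part of the original post: it re-reads the two register dumps above and checks whether the fault address equals the base register of the faulting load plus that load's displacement (`[rdx+3Ch]` and `[ebx+24h]` in the disassemblies), and whether that base register is NULL-ish or a real-looking address. The register values, displacements and crash addresses come from the post; the near-NULL threshold of 0x10000 and the `CrashReport`/`classify` names are assumptions of this example.

```cpp
// Added triage helper, not code from the original post. It checks that the fault
// address is <base register> + <displacement> of the faulting load and whether the
// base is near NULL; values are copied from the dumps, the 0x10000 cutoff is assumed.
#include <cstdint>
#include <map>
#include <sstream>
#include <string>

struct CrashReport {
    std::string regs;      // "NAME = HEX" lines as in the post's register dump
    std::string baseReg;   // base register of the faulting load (from the disassembly)
    uint64_t displacement; // [rdx+3Ch] -> 0x3C, [ebx+24h] -> 0x24
    uint64_t faultAddress; // the "Crash address" line of the report
};

enum class FaultKind { NullDeref, InvalidPointer, Unrelated };

// Parse "REG = HEX" lines into a map. stoull stops at the first non-hex
// character, so any trailing text on a dump line is ignored.
std::map<std::string, uint64_t> parseRegisters(const std::string& dump) {
    std::map<std::string, uint64_t> regs;
    std::istringstream in(dump);
    std::string line;
    while (std::getline(in, line)) {
        auto eq = line.find('=');
        if (eq == std::string::npos) continue;
        std::string name = line.substr(0, eq);
        name.erase(0, name.find_first_not_of(" \t"));
        name.erase(name.find_last_not_of(" \t") + 1);
        regs[name] = std::stoull(line.substr(eq + 1), nullptr, 16);
    }
    return regs;
}

FaultKind classify(const CrashReport& r) {
    auto regs = parseRegisters(r.regs);
    auto it = regs.find(r.baseReg);
    if (it == regs.end() || it->second + r.displacement != r.faultAddress)
        return FaultKind::Unrelated;  // the fault did not come from this load
    // A NULL (or near-NULL) dereference faults inside the first 64 KiB (assumed cutoff).
    return it->second < 0x10000 ? FaultKind::NullDeref : FaultKind::InvalidPointer;
}

// Constructed sample reports, transcribed from the post's 64-bit and 32-bit dumps.
const CrashReport kReport64 = {"RBX = 000000873B389060\nRDX = 000000873F6E4B20\n"
                               "RIP = 000007FEC945837F\n", "RDX", 0x3C, 0x873F6E4B5CULL};
const CrashReport kReport32 = {"EBX = 0968D088\nECX = 0032F8BC\nEIP = 74DC91CF\n",
                               "EBX", 0x24, 0x0968D0ACULL};
```

    Both reports classify as a non-NULL but unreadable item pointer: in each disassembly the function's own NULL check (`test rdx,rdx` / `test ebx,ebx` followed by `je`) is already passed before the faulting load, which this check confirms from the register values.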

Answers

  • Hi Sturm Dorel,

    thanks for posting here.

    For your case, I suggest you follow Bordon's suggestion. Use breakpoints on all GetItemRect calls and check whether the index value is valid. Providing us some code may be helpful to find the root cause.

    Here is a document about how to use this function.

    https://msdn.microsoft.com/en-us/library/kt4by313.aspx

    Best Regards,

    Sera Yu


    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.


    • Edited by Baron Bi Wednesday, September 21, 2016 1:57 AM
    • Proposed as answer by Baron Bi Friday, September 23, 2016 7:56 AM
    • Marked as answer by Hart Wang (Moderator) Wednesday, September 28, 2016 1:37 AM
    Wednesday, September 21, 2016 1:57 AM

All replies

  • I would check your code at all positions using GetItemRect. In your IDE you should be able to find the exact location if you use the call stack. Also you can be 99.99% sure the problem is located in your code, not the DLL.

    Best regards

    Bordon

    Note: Posted code pieces may not have a good programming style and may not be perfect. It is also possible that they do not work in all situations. Code pieces are only intended to explain something particular.

    • Proposed as answer by Baron Bi Friday, September 23, 2016 7:56 AM
    Tuesday, September 20, 2016 9:25 AM