New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Random excel crashes while editing a formula #87
Comments
P.S. I was going through the intellisense source code and noticed that there's only one place where XLCALL32.dll is invoked by the library, and this function mentions access violations if called during shutdown. I was not shutting down in my case. Link to code:
|
Maybe you can switch on a little bit of logging - Say the warning level, and see if that gets anything. Note that "All" (Verbose) is probably overwhelming. |
From the minidump it seems the error that this crashes with is "0xC0000374: A heap has been corrupted". |
@govert this is what I see as well, but I couldn't find anything useful in the crash dump to point me in the right direction. Anytime I was able to get a dump the content proved unusable; a few times I saw seeing a fault in RICHED20.dll, but it's not consistently happening there. It's always happening when editing a formula. Is this a behaviour you have seen before? |
One more today, always while editing a formula Faulting application name: EXCEL.EXE, version: 16.0.13029.20308, time stamp: 0x5f20d490 I'm attaching the WER file generator by windows after the crash; there's nothing else that I have at this point :( |
I have had occasional reports of Excel crashes with IntelliSense, and I don't have any telemetry to tell how widely it is used. Are you running on a Mac inside a Parallels VM? I see some Parallels stuff in the WER log. |
@govert yes i'm running inside Parallels. I've had other reports from customers regarding the same crash; I don't think they're running Parallels. |
OK - yes, I can't think why Parellels would make a difference. In this case it was an Access Violation. I expect to catch those if they are converted to a .NET exception. |
@govert do you have any documentation regarding LPenHelper? I noticed that the memory pointed by the char* pointer you receive is never freed. The function where it is used also has the HandleProcessCorruptedStateExceptions attribute, letting me think the issue is related. We also found articles pointing to memory vulnerabilities in this function here https://www.snort.org/search?query=LPenHelper&submit_search= |
@govert to add context, we are referring to the method |
@gmichaud I do not know of any documentation for the LPenHelper functionm beyond the From the link you give to the 'snort' site I can follow further on to the Microsoft Security Bulletins, but see nothing there related to the LPenHelper part. I can't see how a vulnerability there could somehow be related to remote code execution. So I think those snort advisories are spurious, though they might relate to Excel crashes (like yours) being logging from that function. The char* pointer returned from the LPenHelper call is explicitly called out in the Excel header as "READ ONLY!!!" (with the three exclamation marks), so I understood that as indicating we should not be trying to free it. typedef struct _fmlainfo
{
int wPointMode; // current edit mode. 0 => rest of struct undefined
int cch; // count of characters in formula
char *lpch; // pointer to formula characters. READ ONLY!!!
int ichFirst; // char offset to start of selection
int ichLast; // char offset to end of selection (may be > cch)
int ichCaret; // char offset to blinking caret
} FMLAINFO; |
The other approach I tried for reading the formula while editing was through the accessibility interfaces, but I was not able to make that stable or reliable at all. My suggestion is still to set up some testing framework, but I would need some help with that. |
Setting up such a UI testing framework with real Excel onboard would be a large undertaking... In the meanwhile, during the code review, we noticed three potential issues:
Currently, all our crash reports are isolated to "formula editing" and whatever stack traces we have mention XLCALL32.dll, so I highly suspect that the fix can be scoped to the |
I agree that the |
One option I mention in the scattered TODOs there is to find a way to move the |
I'm able to get it to crash reliably by adding a loop calling LPenHelper in a loop. Behaviour is the same that I experience occasionally at run time, Excel closes without showing any exception in Visual Studio even if it's attached to the process. |
With WinDbg attached, i'm able to catch the following exception details: I know 100M calls is not realistic, but it could simply expose a race condition or threading issue that can happen with very specific timing. Looks a lot like the random exceptions i've seen in the wild with our issue and that also include RICHED20.dll... |
That's useful - I can also get it to crash, and if I reduce to 100k calls I get really weird behaviour in Excel between the in-sheet editing and the formula bar !? It would be good to get this to run somewhere in the main thread and see if that at least does not crash. If it doesn't cause trouble from the main thread, we just need to call it at the right time without interfering with the editing . . . |
@govert I was checking for memory leaks, this is why I made it so high -- I confirm it can be replicated with 100k, even 10k calls. Will try it from the main thread now. |
@govert One of the things I tried is to set a timer to avoid making repeated calls to GetFormulaEditPrefix while the user is still typing -- the crash doesn't happen as quickly but it still happens. Using _syncContextMain instead of _syncContextAuto ultimately seems to be what helps the most, but it slows down keyboard input (that's running on the main UI thread, correct?) Combing a timer with the use of _syncContextMain seems to be the solution: the UI is responsive, and it's no longer crashing (and I still have that loops that repeatedly calls LPenHelper)
|
@govert here's the fix I made on my side which seems to resolve the problem: VelixoSolutions@c877ba9 If you think this makes sense I'll probably give a debug build to the customers that complain the most to see if issue goes away for them. |
@gmichaud Thank you for digging into this! I'll try to have a look at your changes soon - it would make sense if the LPenHelper call must be made on the main thread. As you point out, managing the timing then without interfering with the editing experience is tricky. Some feedback from testing elsewhere would help to confirm that the crashes go away. |
@govert we just shipped an update to a few customers. I'll let you know in a few weeks if the issue is gone. @wh1t3cAt1k also refactored my changes a bit and added cleanup, if it works out fine I'll open a PR. Thank again for your input! |
We have been seeing this randomly from time to time and have just narrowed it down to ExcelDna Intellisense. Heap corruption is reported as Excel crashes.
The following minidump shows the full callstack and error details EXCEL.EXE.1956.dmp.zip
As you can see ExcelDna.IntelliSense is reported in the formula. I'm not able to replicate this issue but it does happen from time to time. I suspect that this won't be enough to help you troubleshoot the issue, is there anything that I could do to help identify and resolve the problem?
The text was updated successfully, but these errors were encountered: