Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Access Violation in TerminalControl!winrt::impl::consume_Windows_UI_Xaml_Controls_Primitives_IRangeBase<winrt::Windows::UI::Xaml::Controls::Primitives::ScrollBar>::Maximum #2947

Closed
Treit opened this issue Sep 28, 2019 · 8 comments · Fixed by #3908
Closed

Access Violation in TerminalControl!winrt::impl::consume_Windows_UI_Xaml_Controls_Primitives_IRangeBase<winrt::Windows::UI::Xaml::Controls::Primitives::ScrollBar>::Maximum #2947

Treit opened this issue Sep 28, 2019 · 8 comments · Fixed by #3908
Labels
Area-TerminalControl Issues pertaining to the terminal control (input, selection, keybindings, mouse interaction, etc.) Issue-Bug It either shouldn't be doing this or needs an investigation. Priority-1 A description (P1) Product-Terminal The new Windows Terminal. Resolution-Fix-Committed Fix is checked in, but it might be 3-4 weeks until a release. Severity-Crash Crashes are real bad news.
Milestone
Terminal v1.0

Comments

@Treit
Copy link

Treit commented Sep 28, 2019

Environment

Windows build number: 10.0.18975.0
Windows Terminal version: 0.5.2622.0

Steps to reproduce

  1. Run wt.exe to start an instance of Windows Terminal
  2. Press Ctrl-t 4 or 5 times to open a few tabs (running PowerShell)
  3. In each tab, run dir c:\ -rec
  4. Wait a few seconds, then click the 'x' on one of the tabs to close it while it is writing text to the console

Expected behavior

The tab closes.

Actual behavior

The terminal crashes with an Access Violation due to a null pointer dereference in TerminalControl!winrt::impl::consume_Windows_UI_Xaml_Controls_Primitives_IRangeBase<winrt::Windows::UI::Xaml::Controls::Primitives::ScrollBar>::Maximum

Notes

I can reproduce this consistently. Let me know if you would like a memory dump.

Here is a link to the feedback issue I opened:
https://aka.ms/AA65up1

Call stack

rax=0000d0e9f60fae3a rbx=00000000000002d6 rcx=0000000000000000
rdx=0000000000000000 rsi=00000000000002d6 rdi=000000000000001c
rip=00007ffd75b073d1 rsp=00000095845ff250 rbp=000001afa9234f70
 r8=0000000010000000  r9=0000000000000000 r10=0000000000000000
r11=0000000000000246 r12=0000000000000000 r13=000000000000001c
r14=00007ffda8394d10 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
TerminalControl!winrt::impl::consume_Windows_UI_Xaml_Controls_Primitives_IRangeBase<winrt::Windows::UI::Xaml::Controls::Primitives::ScrollBar>::Maximum+0x51:
00007ffd`75b073d1 488b01          mov     rax,qword ptr [rcx] ds:00000000`00000000=????????????????

 Child-SP          RetAddr           Call Site
00 00000095`845ff250 00007ffd`75b1812c TerminalControl!winrt::impl::consume_Windows_UI_Xaml_Controls_Primitives_IRangeBase<winrt::Windows::UI::Xaml::Controls::Primitives::ScrollBar>::Maximum+0x51 [E:\BA\35\s\src\cascadia\TerminalControl\Generated Files\winrt\Windows.UI.Xaml.Controls.Primitives.h @ 2838] 
01 (Inline Function) --------`-------- TerminalControl!winrt::Microsoft::Terminal::TerminalControl::implementation::TermControl::_ScrollbarUpdater+0x14 [E:\BA\35\s\src\cascadia\TerminalControl\TermControl.cpp @ 1373] 
02 (Inline Function) --------`-------- TerminalControl!winrt::Microsoft::Terminal::TerminalControl::implementation::TermControl::_TerminalScrollPositionChanged::__l2::<lambda_d4673cfb40ab3bbddd63d78386fc20ac>::operator()+0x43 [E:\BA\35\s\src\cascadia\TerminalControl\TermControl.cpp @ 1396] 
03 00000095`845ff2c0 00007ffd`9f91c471 TerminalControl!winrt::impl::delegate<winrt::Windows::UI::Core::DispatchedHandler,<lambda_d4673cfb40ab3bbddd63d78386fc20ac> >::Invoke+0x5c [E:\BA\35\s\src\cascadia\TerminalControl\Generated Files\winrt\windows.ui.core.h @ 1275] 
04 (Inline Function) --------`-------- Windows_UI!Windows::UI::Core::CDispatcher::EnqueueAsyncWork::__l16::<lambda_59517943c03487243f9bea31c6c1a784>::operator()+0x67 [onecoreuap\windows\advcore\winrt\onecoreiwindow\corewindow\common\dispatcher.cpp @ 908] 
05 00000095`845ff310 00007ffd`a8394d26 Windows_UI!Microsoft::WRL::Details::DelegateArgTraits<long (__cdecl Windows::System::IDispatcherQueueHandler::*)(void)>::DelegateInvokeHelper<Microsoft::WRL::Implements<Microsoft::WRL::RuntimeClassFlags<2>,Windows::System::IDispatcherQueueHandler,Microsoft::WRL::FtmBase>,<lambda_59517943c03487243f9bea31c6c1a784>,-1>::Invoke+0x71 [onecore\external\sdk\inc\wrl\event.h @ 245] 
06 00000095`845ff340 00007ffd`a836423b CoreMessaging!Windows::System::DispatcherQueue::DeferInvokeCallback+0x16 [mincore\coreui\dev\dispatcherqueue\WrtDispatcherQueue.cpp @ 893] 
07 00000095`845ff370 00007ffd`a8361d64 CoreMessaging!Microsoft__CoreUI__Dispatch__TimeoutHandler$CallbackThunk+0x11b [temp\42829c929effddb13f17f63c5ec49c58\Common__DllInterop.cpp @ 505] 
08 (Inline Function) --------`-------- CoreMessaging!System::Action::Invoke+0x1a [mincore\cn\cnruntime\lib\fullstr\fre\objfre\amd64\CnRuntime\Common__Delegate.cpp @ 91] 
09 00000095`845ff3f0 00007ffd`a83616fe CoreMessaging!Microsoft::CoreUI::Dispatch::DeferredCall::Callback_Dispatch+0x2c4 [mincore\CoreUI\Dev\System\Dispatch\DeferredCall.cs @ 62] 
0a 00000095`845ff4b0 00007ffd`a8368d1a CoreMessaging!Microsoft::CoreUI::Dispatch::DeferredCallDispatcher::Callback_OnDispatch+0x15e [mincore\CoreUI\Dev\System\Dispatch\DeferredCallDispatcher.cs @ 337] 
0b (Inline Function) --------`-------- CoreMessaging!Microsoft::CoreUI::Dispatch::Dispatcher::DispatchNextItem+0x685 [mincore\CoreUI\Dev\System\Dispatch\Dispatcher.cs @ 892] 
0c (Inline Function) --------`-------- CoreMessaging!Microsoft::CoreUI::Dispatch::Dispatcher::Callback_DispatchLoop+0x7d7 [mincore\CoreUI\Dev\System\Dispatch\Dispatcher.cs @ 465] 
0d 00000095`845ff520 00007ffd`a8367df6 CoreMessaging!Microsoft::CoreUI::Dispatch::EventLoop::Callback_RunCoreLoop+0xada [mincore\CoreUI\Dev\System\Dispatch\EventLoop.cs @ 779] 
0e (Inline Function) --------`-------- CoreMessaging!Microsoft::CoreUI::Dispatch::UserAdapterBase::DrainCoreMessagingQueue+0x143 [mincore\CoreUI\Dev\System\Dispatch\UserAdapterBase.cs @ 674] 
0f 00000095`845ff640 00007ffd`a83668d1 CoreMessaging!Microsoft::CoreUI::Dispatch::UserAdapter::OnUserDispatch+0x1d6 [mincore\CoreUI\Dev\System\Dispatch\minwin\UserAdapter.cs @ 224] 
10 (Inline Function) --------`-------- CoreMessaging!Microsoft::CoreUI::Dispatch::UserAdapter::OnUserDispatchRaw+0x9c [mincore\CoreUI\Dev\System\Dispatch\minwin\UserAdapter.cs @ 153] 
11 00000095`845ff730 00007ffd`a83666f3 CoreMessaging!Microsoft::CoreUI::Dispatch::UserAdapter_DoWork+0xf1 [mincore\CoreUI\Dev\System\Dispatch\minwin\UserAdapterN.cpp @ 424] 
12 00000095`845ff810 00007ffd`ac99f903 CoreMessaging!Microsoft::CoreUI::Dispatch::UserAdapter_WindowProc+0xa3 [mincore\CoreUI\Dev\System\Dispatch\minwin\UserAdapterN.cpp @ 659] 
13 00000095`845ff890 00007ffd`ac99f2ac USER32!UserCallWinProcCheckWow+0x4e3 [clientcore\windows\core\ntuser\client\clmsg.cxx @ 279] 
14 00000095`845ffa20 00007ffd`ac9b4543 USER32!DispatchClientMessage+0x9c [clientcore\windows\core\ntuser\client\daytona\objfre\amd64\client.cxx @ 3444] 
15 00000095`845ffa80 00007ffd`add30664 USER32!__fnDWORD+0x33 [onecoreuap\internal\windows\inc\ntuser\inc\ntcb.h @ 1214] 
16 00000095`845ffae0 00007ffd`abc01104 ntdll!KiUserCallbackDispatcherContinue [minkernel\ntos\rtl\amd64\trampoln.asm @ 601] 
17 00000095`845ffb68 00007ffd`ac9b54ee win32u!ZwUserGetMessage+0x14 [onecoreuap\windows\core\umode\moderncore\objfre\amd64\usrstubs.asm @ 190] 
18 00000095`845ffb70 00007ff7`3bbe46c6 USER32!GetMessageW+0x2e [onecoreuap\internal\windows\inc\private\core\ntuser\client\ntcftxt.h @ 538] 
19 00000095`845ffbd0 00007ff7`3bbecc42 WindowsTerminal!wWinMain+0x1c6 [E:\BA\35\s\src\cascadia\WindowsTerminal\main.cpp @ 150] 
1a (Inline Function) --------`-------- WindowsTerminal!invoke_main+0x21 [d:\agent\_work\3\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 118] 
1b 00000095`845ffce0 00007ffd`aced7034 WindowsTerminal!__scrt_common_main_seh+0x106 [d:\agent\_work\3\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 288] 
1c 00000095`845ffd20 00007ffd`adcfb1b1 KERNEL32!BaseThreadInitThunk+0x14 [clientcore\base\win32\client\thread.c @ 64] 
1d 00000095`845ffd50 00000000`00000000 ntdll!RtlUserThreadStart+0x21 [minkernel\ntdll\rtlstrt.c @ 1153]
@ghost ghost added Needs-Triage It's a new issue that the core contributor team needs to triage at the next triage meeting Needs-Tag-Fix Doesn't match tag requirements labels Sep 28, 2019
@zadjii-msft zadjii-msft mentioned this issue Sep 30, 2019
Closed
@zadjii-msft
Copy link
Member

So this is actually a dupe of #2248, but you've given a bunch more detail. I'm gonna move this comment over there. Thanks for the info!

/dup #2248

@ghost
Copy link

ghost commented Sep 30, 2019

Hi! We've identified this issue as a duplicate of another one that already exists on this Issue Tracker. This specific instance is being closed in favor of tracking the concern over on the referenced thread. Thanks for your report!

@ghost ghost closed this as completed Sep 30, 2019
@ghost ghost added Resolution-Duplicate There's another issue on the tracker that's pretty much the same thing. and removed Needs-Triage It's a new issue that the core contributor team needs to triage at the next triage meeting Needs-Tag-Fix Doesn't match tag requirements labels Sep 30, 2019
@mcpiroman mcpiroman mentioned this issue Oct 19, 2019
Merged
5 tasks
@DHowett-MSFT DHowett-MSFT mentioned this issue Oct 29, 2019
Closed
@DHowett-MSFT
Copy link
Contributor

Since we can fix this one separately, I'm going to reopen it.

@DHowett-MSFT DHowett-MSFT reopened this Oct 29, 2019
@DHowett-MSFT DHowett-MSFT added Area-TerminalControl Issues pertaining to the terminal control (input, selection, keybindings, mouse interaction, etc.) Help Wanted We encourage anyone to jump in on these. In-PR This issue has a related PR Issue-Bug It either shouldn't be doing this or needs an investigation. Product-Terminal The new Windows Terminal. Severity-Crash Crashes are real bad news. and removed Resolution-Duplicate There's another issue on the tracker that's pretty much the same thing. labels Oct 29, 2019
@ghost ghost removed the Help Wanted We encourage anyone to jump in on these. label Oct 29, 2019
@DHowett-MSFT DHowett-MSFT mentioned this issue Nov 25, 2019
Closed
@TBBle
Copy link

TBBle commented Dec 3, 2019

There doesn't seem to be a pull-request for this? #3256 specifically excluded this as being fixed.

@zadjii-msft
Copy link
Member

@TBBle good catch. Thanks!

@zadjii-msft zadjii-msft removed the In-PR This issue has a related PR label Dec 3, 2019
@zadjii-msft zadjii-msft added this to the Terminal v1.0 milestone Dec 3, 2019
@zadjii-msft zadjii-msft added the Priority-1 A description (P1) label Dec 3, 2019
@mkitzan
Copy link
Contributor

mkitzan commented Dec 5, 2019
edited
Loading

@zadjii-msft I'm not sure this is a duplicate of #2248 since the call stack indicates this exception is from TermControl, and I'm pretty certain #2248 is from setting the Tab title. However, the crash-after-closing-tab similarity strikes me as the same root problem of de-referencing object past their lifetime like in #2248 and #3776!
Edit: this lambda looks like the source. I'll PR a fix for all lambdas in TermControl this weekend.

@mkitzan
Copy link
Contributor

mkitzan commented Dec 8, 2019
edited
Loading

After fixing the lambdas in TermControl to use winrt::weak_ref these two Stop calls are throwing in the destructor's helper function due to a failing check_hresult. They only throw when TermControl is destructed from a lambda due to it having the last reference. Stop is void return and has no documented exceptions in the WinRT docs. There's no apparent incorrect behavior after commenting them out, since they just get destructed with TermControl. Any concerns about removing these?

@mkitzan mkitzan mentioned this issue Dec 11, 2019
Merged
5 tasks
@ghost ghost added the In-PR This issue has a related PR label Dec 11, 2019
@ghost ghost closed this as completed in #3908 Dec 13, 2019
@ghost ghost added Resolution-Fix-Committed Fix is checked in, but it might be 3-4 weeks until a release. and removed In-PR This issue has a related PR labels Dec 13, 2019
ghost pushed a commit that referenced this issue Dec 13, 2019
@mkitzan
Fixed self capture in TermControl (#3908)
a3f3cc8 
<!-- Enter a brief description/summary of your PR here. What does it fix/what does it change/how was it tested (even manually, if necessary)? -->
## Summary of the Pull Request
An asynchronous event handler capturing raw `this` in `TermControl` was causing an exception to be thrown when a scroll update event occurred after closing the active tab. This PR replaces all non-auto_revoke lambda captures in `TermControl` to capture (and validate) a `winrt::weak_ref` instead of using raw `this`.

<!-- Other than the issue solved, is this relevant to any other issues/existing PRs? --> 
## References

<!-- Please review the items on the PR checklist before submitting-->
## PR Checklist
* [x] Closes #2947
* [x] CLA signed. If not, go over [here](https://cla.opensource.microsoft.com/microsoft/Terminal) and sign the CLA
* [ ] Tests added/passed
* [ ] Requires documentation to be updated
* [x] I've discussed this with core contributors already. If not checked, I'm ready to accept this work might be rejected in favor of a different grand plan. Issue number where discussion took place: #2947

<!-- Provide a more detailed description of the PR, other things fixed or any additional comments/features here -->
## Detailed Description of the Pull Request / Additional comments
`TermControl` is already a WinRT type so no changes were required to enable the `winrt::weak_ref` functionality. There was only one strange change I had to make. In the destructor's helper function `Close`, I had to remove two calls to [`Stop`](https://docs.microsoft.com/en-us/uwp/api/windows.ui.xaml.dispatchertimer.stop#Windows_UI_Xaml_DispatcherTimer_Stop) which were throwing under [some circumstances](#2947 (comment)). Fortunately, these calls don't appear to be critical, but definitely a spot to look into when reviewing this PR.

Beyond scrolling, any anomalous crash related to the following functionality while closing a tab or WT may be fixed by this PR:
- Settings updating
- Changing background color

<!-- Describe how you validated the behavior. Add automated tests wherever possible, but list manual validation steps taken as well -->
## Validation Steps Performed
Before these changes I was able to consistently repro the issue in #2947. Now, I can no longer repro the issue.
@ghost
Copy link

ghost commented Jan 14, 2020

🎉This issue was addressed in #3908, which has now been successfully released as Windows Terminal Preview v0.8.10091.0.:tada:

Handy links:

@TBBle TBBle mentioned this issue Jan 17, 2020
Closed
donno2048 added a commit to donno2048/terminal that referenced this issue Sep 28, 2020
@donno2048
Fixed self capture in TermControl (#3908)
f2b4e2e 
<!-- Enter a brief description/summary of your PR here. What does it fix/what does it change/how was it tested (even manually, if necessary)? -->
## Summary of the Pull Request
An asynchronous event handler capturing raw `this` in `TermControl` was causing an exception to be thrown when a scroll update event occurred after closing the active tab. This PR replaces all non-auto_revoke lambda captures in `TermControl` to capture (and validate) a `winrt::weak_ref` instead of using raw `this`.

<!-- Other than the issue solved, is this relevant to any other issues/existing PRs? --> 
## References

<!-- Please review the items on the PR checklist before submitting-->
## PR Checklist
* [x] Closes #2947
* [x] CLA signed. If not, go over [here](https://cla.opensource.microsoft.com/microsoft/Terminal) and sign the CLA
* [ ] Tests added/passed
* [ ] Requires documentation to be updated
* [x] I've discussed this with core contributors already. If not checked, I'm ready to accept this work might be rejected in favor of a different grand plan. Issue number where discussion took place: #2947

<!-- Provide a more detailed description of the PR, other things fixed or any additional comments/features here -->
## Detailed Description of the Pull Request / Additional comments
`TermControl` is already a WinRT type so no changes were required to enable the `winrt::weak_ref` functionality. There was only one strange change I had to make. In the destructor's helper function `Close`, I had to remove two calls to [`Stop`](https://docs.microsoft.com/en-us/uwp/api/windows.ui.xaml.dispatchertimer.stop#Windows_UI_Xaml_DispatcherTimer_Stop) which were throwing under [some circumstances](microsoft/terminal#2947 (comment)). Fortunately, these calls don't appear to be critical, but definitely a spot to look into when reviewing this PR.

Beyond scrolling, any anomalous crash related to the following functionality while closing a tab or WT may be fixed by this PR:
- Settings updating
- Changing background color

<!-- Describe how you validated the behavior. Add automated tests wherever possible, but list manual validation steps taken as well -->
## Validation Steps Performed
Before these changes I was able to consistently repro the issue in #2947. Now, I can no longer repro the issue.
This issue was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Area-TerminalControl Issues pertaining to the terminal control (input, selection, keybindings, mouse interaction, etc.) Issue-Bug It either shouldn't be doing this or needs an investigation. Priority-1 A description (P1) Product-Terminal The new Windows Terminal. Resolution-Fix-Committed Fix is checked in, but it might be 3-4 weeks until a release. Severity-Crash Crashes are real bad news.
Projects
None yet
Milestone
Terminal v1.0
Development

Successfully merging a pull request may close this issue.

Fixed self capture in TermControl mkitzan/terminal
5 participants
@TBBle @Treit @DHowett-MSFT @zadjii-msft @mkitzan