Windows reliability telemetry reported that there were a large number of crashes in the Display control panel. Since these crashes are coming via telemetry and the Windows Error Reporting service, there is no information about what steps are required to reproduce the problem. All we have are crash dumps.<\/p>\n
The crash was due to the instruction pointer being in the middle of nowhere. For example, in one dump, it was at address To debug this problem, I had to do some triangulation of the crash dumps to look for a third party component that was common to all (or at least most) of the crashes. Since this was a Display control panel, I focused on the video card information, since video card drivers can provide a custom Display control panel plug-in to show off their driver-specific features.<\/p>\n And I found it.<\/p>\n The custom property sheet that comes with one particular video card has a bug in its Here is the reverse-engineered dialog procedure:<\/p>\n And here is the “real” I suspect this code was originally written as 32-bit code, and the line was<\/p>\n When porting to 64-bit, the But they forgot to upgrade their cast from ffffffff`924bbde0<\/code>. Close study shows that this value is suspiciously similar to 00007fff`924bbde0<\/code>, which is the address of ntdll!ButtonWndProc_A<\/code>. This tells me that somebody subclassed a button, and then tried to restore the original window procedure, but they messed up and truncated the 64-bit pointer value to a 32-bit signed integer. Bonus insult: Their button is ANSI, not Unicode. It’s (checks watch) 2023, get with the program. Not everybody who uses a computer speaks English.<\/p>\nWM_WNDPROC<\/code> to a 32-bit value, causing the upper 32 bits to be lost.<\/p>\nINT_PTR CALLBACK DialogProc(\r\n HWND hdlg, UINT uMsg, WPARAM wParam, LPARAM lParam)\r\n{\r\n if (uMsg == WM_INITDIALOG) {\r\n SetWindowLongPtr(hdlg, GWLP_USERDATA,\r\n ((PROPSHEETPAGE*)lParam)->lParam);\r\n }\r\n MyClass* self = (MyClass*)GetWindowLongPtr(\r\n hdlg, GWLP_USERDATA);\r\n return self ? self->RealDialogProc(hdlg, uMsg, wParam, lParam)\r\n : FALSE;\r\n}\r\n<\/pre>\nDLGPROC<\/code>:<\/p>\nINT_PTR CALLBACK MyClass:RealDialogProc(\r\n HWND hdlg, UINT uMsg, WPARAM wParam, LPARAM lParam)\r\n{\r\n switch (uMsg)\r\n {\r\n ...\r\n case WM_DESTROY:\r\n SetWindowLongPtr(GetDlgItem(m_dlg, IDC_SOME_BUTTON),\r\n GWLP_WNDPROC, (LONG)g_originalWndProc);\r\n ...\r\n }\r\n}\r\n<\/pre>\n SetWindowLong(GetDlgItem(m_dlg, IDC_SOME_BUTTON),\r\n GWL_WNDPROC, (LONG)g_originalWndProc);\r\n<\/pre>\n
Set\u00adWindow\u00adLong<\/code> becomes Set\u00adWindow\u00adLong\u00adPtr<\/code> to expand the value to 64 bits, and the name of the index changes from GWL_GWLP_Get<\/code>\/Set\u00adWindow\u00adLong\u00adPtr<\/code>.<\/p>\n(LONG)<\/code> to (LONG_PTR)<\/code>, so they were accidentally truncating their 64-bit value to a sign-extended 32-bit value as part of the restoration.<\/p>\n