{"id":107848,"date":"2023-02-20T07:00:00","date_gmt":"2023-02-20T15:00:00","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/oldnewthing\/?p=107848"},"modified":"2023-02-19T17:20:08","modified_gmt":"2023-02-20T01:20:08","slug":"20230220-00","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20230220-00\/?p=107848","title":{"rendered":"The case of the mysterious "out of bounds" error from CreateUri<\/CODE> and memmove<\/CODE>"},"content":{"rendered":"

A customer was trying to understand why their program was crashing with an E_BOUNDS<\/code> error in what appears to be a call to CreateUri<\/code>.<\/p>\n

combase!RoOriginateErrorW+0x50\r\nwincorlib!Platform::Details::ReCreateFromException+0x40\r\ncontoso!`__abi_translateCurrentException'::`1'::catch$0+0x10\r\ncontoso!memmove+0x217f4\r\ncontoso!Windows::Foundation::IUriRuntimeClassFactory::CreateUri+0x44\r\ncontoso!Contoso::DashboardView::DashboardView_obj1_Bindings::Update_ViewModel_Layout_Groups+0x50\r\ncontoso!Contoso::DashboardView::DashboardView_obj1_Bindings::Update_ViewModel_Layout+0xe4\r\ncontoso!Contoso::DashboardView::DashboardView_obj1_Bindings::PropertyChanged+0x1134\r\ncontoso!XamlBindingInfo::XamlBindingTrackingBase::PropertyChanged+0x30\r\n<\/pre>\n
From the stack, it looks like memmove<\/code> threw a E_BOUNDS<\/code> C++\/CX exception, which doesn’t make sense. Even more mysteriously, the memmove<\/code> was called from CreateUri<\/code>, but their DashboardView doesn’t manipulate URIs in any obvious way. It’s just a stack trace of nonsense.<\/p>\n
Let’s try to unwind the nonsense.<\/p>\n
As for the mysterious memmove<\/code>, notice that the offset is 0x217f4<\/code>. It’s unlikely that the memmove<\/code> function is over 100KB in size. Let’s see what’s really going on there. This is just some code that has probably been shunted into a rarely-used code page far, far away from the rest of the code, and the nearest symbol to it happens to be memmove<\/code>.<\/p>\n
    xor     ecx,ecx\r\n    call    contoso!__abi_translateCurrentException\r\n    int     3       ; memmove+0x217f4\r\n<\/pre>\n
Yup, this is an exception rethrow. Since exceptions are rare, profile-guided optimization puts all the exception-handling nonsense into faraway pages so that they don’t consume valuable space in the hot code pages.<\/p>\n
So why is CreateUri throwing an “out of bounds” exception?<\/p>\n
Well, are you sure it’s really CreateUri<\/code>?<\/p>\n
I looked a frame higher on the stack. “Why is data binding calling CreateUri<\/code>?”<\/p>\n
The data binding code is autogenerated by the XAML compiler; it’s not checked into the source tree. Instead of trying to figure out how to build their project (so I can extract the autogenerated file), maybe I can infer what’s going on from the source.<\/p>\n
One basic assumption that you make about code in general is that people who write code are doing the best they can, rather than being sadists. This means that function names will generally be descriptive of what they do, variable names will generally be descriptive of what they represent, and so on. So when I see a class called DashboardView_obj1_Bindings<\/code>, I’m going to assume that this class is for dealing with the bindings of some object in DashboardView, and since it has a method called Update_ViewModel_Layout_Groups<\/code>, it probably has something to do with updating the binding of something whose names involve the words ViewModel<\/code>, Layout<\/code>, and Groups<\/code>.<\/p>\n
I looked at DashboardView.xaml<\/code> and searched for the word ViewModel<\/code> in elements that appeared to be involved with binding.<\/p>\n
<ContentControl\r\n    Grid.Row=\"0\"\r\n    x:Name=\"TogglesGroup\"\r\n    IsTabStop=\"False\"\r\n    Width=\"360\"\r\n    Content=\"{x:Bind ViewModel.Layout.Groups[0], Mode=OneWay}\"\r\n    ContentTemplateSelector=\"{StaticResource DashboardGroupTemplateSelector}\"\/>\r\n<\/pre>\n
Now, this wasn’t the first use of x:Bind<\/code> in the XAML markup, so that doesn’t line up with obj1<\/code>, but the other parts do line up (the Layout<\/code> and Groups<\/code>), so I chalked this up to “Maybe the XAML compiler generates bindings in some order other than the order they appear in the markup.”<\/p>\n
How could this binding raise an “out of bounds” exception? Well, there’s a subscript operation, so maybe the Groups<\/code> collection is empty.<\/p>\n
I looked at the Update_ViewModel_Layout_Groups<\/code> method to see if that theory lined up.<\/p>\n
Update_ViewModel_Layout_Groups:\r\n    test    rdx,rdx\r\n    je      ...\r\n    mov     qword ptr [rsp+8],rbx\r\n    mov     qword ptr [rsp+18h],rbp\r\n\r\n    push    rsi\r\n    push    rdi\r\n    push    r14\r\n    sub     rsp,20h\r\n    mov     rbp,rdx\r\n    mov     rsi,rcx\r\n    test    r8d,0C0000001h\r\n    je      ...\r\n\r\n    xor     edx,edx\r\n    mov     rcx,rbp\r\n    call    contoso!Windows::Foundation::IUriRuntimeClassFactory::CreateUri\r\n<\/pre>\n
The function starts with a shrink-wrapped early-out if the first parameter is zero. (This is a C++ method, so rcx<\/code> contains this<\/code> and rdx<\/code> contains the first formal parameter.) I don’t know how binding works, but presumably this is just a binding thing.<\/p>\n
If the parameter is nonzero, then we build a proper stack frame, test some bits in the third parameter, and if they’re set, we call, um, Create\u00adUri<\/code> with nullptr<\/code>? That makes no sense. The XAML isn’t asking for a URI, and why is this code trying to create a URI from an empty string?<\/p>\n
But then you realize that you’ve been faked out by COMDAT folding. The this<\/code> parameter for the call to Create\u00adUri<\/code> is supposed to be the IUri\u00adRuntime\u00adClass\u00adFactory<\/code>, but that’s not what we’re passing; we’re passing the first formal parameter.<\/p>\n
Really, this is a call to IVector::GetAt<\/code>, and the parameter is zero, indicating that we want the object at index zero. The functions IVector::GetAt<\/code> and Create\u00adUri<\/code> were folded because they happen to be byte-for-byte identical. They are both “Call the method at index 6 in the vtable with one parameter.” For IUri\u00adRuntime\u00adClass\u00adFactory<\/code>, that method is Create\u00adUri<\/code> and the parameter is a string. For IVector<\/code> that method is Get\u00adAt<\/code> and the parameter is an index.<\/p>\n
With this explanation, the customer realized that they did have an outstanding bug that said, “If our settings file is corrupted, we end up with no groups,” and this bug is likely an alternate manifestation of that bug.<\/p>\n","protected":false},"excerpt":{"rendered":"
Unfolding some COMDATs.<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[25],"class_list":["post-107848","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-code"],"acf":[],"blog_post_summary":"
Unfolding some COMDATs.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/107848","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=107848"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/107848\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=107848"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=107848"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=107848"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}