{"id":24523,"date":"2007-11-14T10:00:00","date_gmt":"2007-11-14T10:00:00","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/oldnewthing\/2007\/11\/14\/psychic-debugging-ip-on-heap\/"},"modified":"2007-11-14T10:00:00","modified_gmt":"2007-11-14T10:00:00","slug":"psychic-debugging-ip-on-heap","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20071114-00\/?p=24523","title":{"rendered":"Psychic debugging: IP on heap"},"content":{"rendered":"

\nSomebody asked the shell team to look at this crash in a\ncontext menu shell extension.\n<\/p>\n

\nIP_ON_HEAP:  003996d0\nChildEBP RetAddr\n00b2e1d8 68f79ca6 0x3996d0\n00b2e1f4 7713a7bd ATL::CWindowImplBaseT<\n                           ATL::CWindow,ATL::CWinTraits<2147483648,0> >\n                     ::StartWindowProc+0x43\n00b2e220 77134be0 USER32!InternalCallWinProc+0x23\n00b2e298 7713a967 USER32!UserCallWinProcCheckWow+0xe0\n...\neax=68f79c63 ebx=00000000 ecx=00cade10 edx=7770df14 esi=002796d0 edi=000603cc\neip=002796d0 esp=00cade4c ebp=00cade90 iopl=0         nv up ei pl nz na pe nc\ncs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206\n002796d0 c744240444bafb68 mov     dword ptr [esp+4],68fbba44\n<\/pre>\n
\nYou should be able to determine the cause instantly.\n<\/p>\n
\nI replied,\n<\/p>\n
\nThis shell extension is using a non-DEP-aware version of ATL.\nThey need to upgrade to ATL 8 or disable DEP.\n<\/p><\/blockquote>\n
\nThis was totally obvious to me, but the person who asked the\nquestion met it with stunned amazement.\nI guess the person forgot that older versions of\nATL are notorious DEP violators.\nYou see a DEP violation, you see that it’s coming from ATL,\nand bingo, you have your answer.\nWhen DEP was first introduced, the base team sent out mail\nto the entire Windows division saying,\n“Okay, folks, we’re turning it on.\nYou’re going to see a lot of application compatibility problems,\nespecially this ATL one.”\n<\/p>\n
\nPsychic powers sometimes just means having a good memory.\n<\/p>\n
\nEven if you forgot that information, it’s still totally obvious\nonce you look at the scenario and understand what it’s trying to do.\n<\/p>\n
\nThe fault is IP_ON_HEAP<\/code> which is precisely\nwhat DEP protects against.\nThe next question is why IP ended up on the heap.\nWas it a mistake or intentional?\n<\/p>\n
\nLook at the circumstances surrounding the faulting instruction again.\nThe faulting instruction is the window procedure for a window,\nand the action is storing a constant into the stack.\nThe symbols of the caller tell us that it’s some code in ATL,\nand you can even go look up the source code yourself:\n<\/p>\n
\ntemplate <class TBase, class TWinTraits>\nLRESULT CALLBACK CWindowImplBaseT< TBase, TWinTraits >\n  ::StartWindowProc(HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam) {\n    CWindowImplBaseT< TBase, TWinTraits >* pThis =\n              (CWindowImplBaseT< TBase, TWinTraits >*)\n                  _AtlWinModule.ExtractCreateWndData();\n    pThis->m_hWnd = hWnd;\n    pThis->m_thunk.Init(pThis->GetWindowProc(), pThis);\n    WNDPROC pProc = pThis->m_thunk.GetWNDPROC();\n    ::SetWindowLongPtr(hWnd, GWLP_WNDPROC, (LONG_PTR)pProc);\n    return pProc(hWnd, uMsg, wParam, lParam);\n}\n<\/pre>\n
\nIs pProc<\/code> corrupted and we’re jumping to a random\naddress on the heap?\nOr was this intentional?<\/p>\n
\nATL is clearly generating code on the fly (the window procedure\nthunk), and it is in execution of the thunk that we encounter\nthe DEP exception.\n<\/p>\n
\nNow, you didn’t need to have the ATL source code to realize that\nthis is what’s going on.\nIt is a very common pattern in framework libraries to put\na C++ wrapper around window procedures.\nSince C++ functions have a hidden this<\/code> parameter,\nthe wrappers need to sneak that parameter in somehow,\nand one common technique is to generate some code on the fly\nthat sets up the hidden this<\/code> parameter before\ncalling the C++ function.\nThe value at [esp+4]<\/code> is the window handle,\nsomething that can be recovered from the this<\/code>\npointer, so it’s a handly thing to replace with this<\/code>\nbefore jumping to the real C++ function.\n<\/p>\n
\nThe address being stored as the this<\/code> parameter is\n68fbba44<\/code>,\nwhich is inside the DLL in question.\n(You can tell this because the return address,\nwhich points to the ATL thunk code, is at\n68f79ca6<\/code> which is in the same neighborhood\nas the mystery pointer.)\nTherefore, this is almost certainly an ATL thunk for a static C++ object.\n<\/p>\n
\nIn other words, this is extremely unlikely be a jump to a random address.\nThe code at the address looks too good.\nIt’s probably jumping there intentionally,\nand the fact that it’s coming from a window procedure thunk\nconfirms it.\n<\/p>\n
\nBut our tale is not over yet.\nThe plot thickens.\nWe’ll continue next time.<\/p>\n","protected":false},"excerpt":{"rendered":"
Somebody asked the shell team to look at this crash in a context menu shell extension. IP_ON_HEAP: 003996d0 ChildEBP RetAddr 00b2e1d8 68f79ca6 0x3996d0 00b2e1f4 7713a7bd ATL::CWindowImplBaseT< ATL::CWindow,ATL::CWinTraits<2147483648,0> > ::StartWindowProc+0x43 00b2e220 77134be0 USER32!InternalCallWinProc+0x23 00b2e298 7713a967 USER32!UserCallWinProcCheckWow+0xe0 … eax=68f79c63 ebx=00000000 ecx=00cade10 edx=7770df14 esi=002796d0 edi=000603cc eip=002796d0 esp=00cade4c ebp=00cade90 iopl=0 nv up ei pl nz na pe nc cs=001b […]<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[26],"class_list":["post-24523","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-other"],"acf":[],"blog_post_summary":"
Somebody asked the shell team to look at this crash in a context menu shell extension. IP_ON_HEAP: 003996d0 ChildEBP RetAddr 00b2e1d8 68f79ca6 0x3996d0 00b2e1f4 7713a7bd ATL::CWindowImplBaseT< ATL::CWindow,ATL::CWinTraits<2147483648,0> > ::StartWindowProc+0x43 00b2e220 77134be0 USER32!InternalCallWinProc+0x23 00b2e298 7713a967 USER32!UserCallWinProcCheckWow+0xe0 … eax=68f79c63 ebx=00000000 ecx=00cade10 edx=7770df14 esi=002796d0 edi=000603cc eip=002796d0 esp=00cade4c ebp=00cade90 iopl=0 nv up ei pl nz na pe nc cs=001b […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/24523","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=24523"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/24523\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=24523"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=24523"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=24523"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}