A crash report came in, and the offending line of code was the following: <\/p>\n
\nvoid CDeloreanSettings::UpdateFluxModulation(bool sendNotification)\n{\n ComPtr<IFluxModulator> spModulator;\n \/\/ Crash on the next line\n if (SUCCEEDED(m_spFluxCapacitor->GetFluxModulator(&spModulator)))\n {\n ...\n }\n}\n<\/pre>\nSomeone made the initial diagnosis that <\/p>\n
The call is to ReleaseAndGetAddressOf()<\/code> on a ComPtr<\/code> object which is declared right above (which should be initialized to nullptr<\/code>). Am I missing something? <\/p><\/blockquote>\nLet’s look at the disassembly. First, with no annotations. See if you can figure it out yourself. <\/p>\n
\nCDeloreanSettings::UpdateFluxModulation:\nmov qword ptr [rsp+10h],rbx\nmov qword ptr [rsp+18h],rsi\nmov qword ptr [rsp+20h],rdi\npush rbp\npush r14\npush r15\nmov rbp,rsp\nsub rsp,50h\nmov rax,qword ptr [__security_cookie]\nxor rax,rsp\nmov qword ptr [rbp-8],rax\nmov rdi,qword ptr [rcx+18h]\nmov r14,rcx\nlea rcx,[rbp-10h]\nxor esi,esi\nmov r15b,dl\nand qword ptr [rbp-10h],rsi\ncall Microsoft::WRL::ComPtr<IUnrelatedInterface>::InternalRelease\nmov rax,qword ptr [rdi] << crash here\nmov rbx,qword ptr [rax+38h]\nmov rcx,rbx\ncall qword ptr [__guard_check_icall_fptr]\nlea rdx,[rbp-10h]\nmov rcx,rdi\ncall rbx\n<\/pre>\nOkay, here’s the version with my annotations: <\/p>\n
\nCDeloreanSettings::UpdateFluxModulation:\n; Prologue: Save nonvolatile registers<\/a> and build the stack frame.\nmov qword ptr [rsp+10h],rbx\nmov qword ptr [rsp+18h],rsi\nmov qword ptr [rsp+20h],rdi\npush rbp\npush r14\npush r15\nmov rbp,rsp\nsub rsp,50h\nmov rax,qword ptr [__security_cookie]\nxor rax,rsp\nmov qword ptr [rbp-8],rax\n\nmov rdi,qword ptr [rcx+18h] ; rdi = m_spFluxCapacitor\nmov r14,rcx ; save \"this\"\nlea rcx,[rbp-10h] ; prepare spModulator.ReleaseAndGetAddressOf\nxor esi,esi\nmov r15b,dl ; save \"sendNotification\"\nand qword ptr [rbp-10h],rsi ; construct spModulator\n; ReleaseAndGetAddressOf was inlined. Here's the Release part:\ncall Microsoft::WRL::ComPtr<IUnrelatedInterface<\/a>>::InternalRelease\n\n; prepare m_spFluxCapacitor->...\n; Crash here loading vtable from m_spFluxCapacitor\nmov rax,qword ptr [rdi] << crash here\nmov rbx,qword ptr [rax+38h] ; load address of GetFluxModulator\nmov rcx,rbx ; parameter to CFG<\/a> check\ncall qword ptr [__guard_check_icall_fptr] ; check the function pointer\n\n; Here's the GetAddressOf part of ReleaseAndGetAddressOf:\nlea rdx,[rbp-10h] ; spModulator.GetAddressOf\nmov rcx,rdi ; \"this\" for GetFluxModulator\ncall rbx ; _spFluxCapacitor->GetFluxModulator()\n<\/pre>\nThe compiler inlined ReleaseAndGetAddressOf<\/code>, and it interleaved various unrelated operations. In the second block of code, you can see it interleave the construction of the ComPtr<\/code> with the call to InternalRelease<\/code>. In the third block, you can see it peform the control flow guard test before performing the GetAddresssOf<\/code>. <\/p>\nThe conclusion, therefore, is not that the crash occurred in the ReleaseAndGetAddressOf<\/code> The ReleaseAndGetAddressOf<\/code> just finished releasing and is waiting for its turn to do the GetAddresssOf<\/code>. Rather, the crash occurred because m_spFluxCapacitor<\/code> is null, and we crashes trying to read the vtable from a null pointer. <\/p>\nFurther investigation of the issue revealed that UpdateFluxModulation<\/code> is called from an event handler that was registered to be called whenever the modulation changed. Inspection of memory showed that the event registration token was zero, indicating that the event has already been unregistered. The issue is that there was a modulation change in flight when the event handler was unregistered, so the CDeloreanSettings<\/code> received its change notification after it had unregistered. The fix is to have the handler check whether it still has a m_spFluxCapacitor<\/code>, and if not, then ignore the notification, on the assumption that it was a stray notification that was late to arrive. <\/p>\n","protected":false},"excerpt":{"rendered":"Let’s go to the disassembly.<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[25],"class_list":["post-93525","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-code"],"acf":[],"blog_post_summary":"
Let’s go to the disassembly.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/93525","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=93525"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/93525\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=93525"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=93525"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=93525"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}