Uploaded image for project: 'Core ReactOS'
  1. Core ReactOS
  2. CORE-14402

CSRSS deadlock: holding lock while sending window message

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Fix Version/s: None
    • Component/s: Win32SS
    • Labels:
      None

      Description

      Running the following batch script in a console window:

      :a
      start notepad.exe
      taskkill /im notepad.exe
      goto a

      After a short time, the system hangs, after the critical section timeout period it breaks into the debugger:

      ERROR:  RtlpWaitForCriticalSection at ..\sdk\lib\rtl\critical.c:172 
      Deadlock: 0x0022B0F4
      Break instruction exception - code 80000003 (first chance)
      001b:7c9307d2 cc              int     3
      kd> !process
      PROCESS b5534020  SessionId: 0  Cid: 0084    Peb: 7ffaf000  ParentCid: 0054
          DirBase: 7c879000  ObjectTable: e158cb48  HandleCount: 142.
          Image: csrss.exe
          VadRoot b552d410 Vads 177 Clone 0 Private 378. Modified 0. Locked 0.
          DeviceMap b57b9080
          Token                             e158c3a8
          ElapsedTime                       00:06:57.676
          UserTime                          00:00:00.029
          KernelTime                        00:00:01.229
          QuotaPoolUsage[PagedPool]         0
          QuotaPoolUsage[NonPagedPool]      0
          Working Set Sizes (now,min,max)  (3780608, 0, 300) (15122432KB, 0KB, 1200KB)
          PeakWorkingSetSize                3796992
          VirtualSize                       25 Mb
          PeakVirtualSize                   25 Mb
          PageFaultCount                    0
          MemoryPriority                    BACKGROUND
          BasePriority                      13
          CommitCharge                      98
       
              THREAD b551b250  Cid 0084.008c  Teb: 7ffde000 Win32Thread: b5519008 WAIT: (UserRequest) KernelMode Alertable
                  805f4d30  NotificationEvent
                  b55a85e8  NotificationTimer
                  b551c634  NotificationEvent
                  b551b5c4  NotificationEvent
       
              THREAD b551bdb0  Cid 0084.0090  Teb: 7ffdd000 Win32Thread: b5519e18 WAIT: (UserRequest) UserMode Non-Alertable
                  b5519e00  SynchronizationEvent
       
              THREAD b551b700  Cid 0084.0094  Teb: 7ffdc000 Win32Thread: b5507ba8 WAIT: (WrLpcReceive) UserMode Non-Alertable
                  b551bc18  Semaphore Limit 0x7fffffff
       
              THREAD b55199a0  Cid 0084.0098  Teb: 7ffdb000 Win32Thread: 00000000 WAIT: (WrLpcReceive) UserMode Non-Alertable
                  b5519c60  Semaphore Limit 0x7fffffff
       
              THREAD b5513590  Cid 0084.00a4  Teb: 7ffdf000 Win32Thread: b550a9f0 WAIT: (UserRequest) UserMode Non-Alertable
                  e1504748  NotificationEvent
                  b550fbf8  SynchronizationEvent
                  b539a0d8  Thread
       
              THREAD b539a0d8  Cid 0084.03c8  Teb: 7ffda000 Win32Thread: b53e66a0 RUNNING on processor 0
              THREAD b54e58e8  Cid 0084.046c  Teb: 7ffd9000 Win32Thread: 00000000 WAIT: (WrLpcReceive) UserMode Non-Alertable
                  b551bc18  Semaphore Limit 0x7fffffff
       
       
      kd> ?? Console->Lock
      struct _CRITICAL_SECTION
         +0x000 DebugInfo        : 0x7c9a8b78 _CRITICAL_SECTION_DEBUG
         +0x004 LockCount        : 0n1
         +0x008 RecursionCount   : 0n1
         +0x00c OwningThread     : 0x000000a4 Void
         +0x010 LockSemaphore    : 0x000006a8 Void
         +0x014 SpinCount        : 0
      kd> !thread
      THREAD b539a0d8  Cid 0084.03c8  Teb: 7ffda000 Win32Thread: b53e66a0 RUNNING on processor 0
      Not impersonating
      Owning Process            b5534020       Image:         csrss.exe
      Attached Process          N/A            Image:         N/A
      Wait Start TickCount      28779          Ticks: 0
      Context Switch Count      833                 LargeStack
      UserTime                  00:00:00.000
      KernelTime                00:00:01.109
      Start Address winsrv!GuiConsoleInputThread (0x7a8a62b0)
      Stack Init f7071880 Current f7071408 Base f7072000 Limit f706d000 Call f7071888
      Priority 13 BasePriority 13 PriorityDecrement 0
      ChildEBP RetAddr  Args to Child              
      00f6fc10 7c93eb90 00f6fd4c 01cccccc cccccccc ntdll!DbgBreakPoint (FPO: [0,0,0])
      00f6fc7c 7c93e351 0022b0f4 000003c8 00f6fc98 ntdll!RtlpWaitForCriticalSection+0x110 (FPO: [Non-Fpo]) (CONV: stdcall) [c:\ros\reactos\sdk\lib\rtl\critical.c @ 172]
      00f6fc8c 7a89e596 0022b0f4 00f6fccc 7a8a995e ntdll!RtlEnterCriticalSection+0x51 (FPO: [Non-Fpo]) (CONV: stdcall) [c:\ros\reactos\sdk\lib\rtl\critical.c @ 520]
      00f6fc98 7a8a995e 0022b008 00000001 00000001 winsrv!ConDrvValidateConsoleUnsafe+0x26 (FPO: [Non-Fpo]) (CONV: stdcall) [c:\ros\reactos\win32ss\user\winsrv\consrv\condrv\console.c @ 137]
      00f6fccc 7a8a8721 0022e9f0 00000000 00f6fe2c winsrv!OnFocus+0x3e (FPO: [Non-Fpo]) (CONV: cdecl) [c:\ros\reactos\win32ss\user\winsrv\consrv\frontends\gui\conwnd.c @ 698]
      00f6fd4c 7c5617fa 000a0106 00000008 00000000 winsrv!ConWndProc+0x5d1 (FPO: [Non-Fpo]) (CONV: stdcall) [c:\ros\reactos\win32ss\user\winsrv\consrv\frontends\gui\conwnd.c @ 2427]
      00f6fd7c 7c55093f 7a8a8150 000a0106 00000008 user32!CALL_EXTERN_WNDPROC+0x1a (FPO: [0,0,0])
      00f6fe44 7c55614e 00b249c0 000a0106 00000008 user32!IntCallWindowProcW+0x54f (FPO: [Non-Fpo]) (CONV: fastcall) [c:\ros\reactos\win32ss\user\user32\windows\message.c @ 1522]
      00f6fed0 7c930111 00f6fee8 00000020 ffffffff user32!User32CallWindowProcFromKernel+0x24e (FPO: [Non-Fpo]) (CONV: stdcall) [c:\ros\reactos\win32ss\user\user32\windows\message.c @ 2967]
      00f6ff24 7a8a637a 00f6ffa4 00000000 00000000 ntdll!KiUserCallbackDispatcher+0x2e
      00f6fff4 00000000 00225728 00000000 00000000 winsrv!GuiConsoleInputThread+0xca (FPO: [Non-Fpo]) (CONV: stdcall) [c:\ros\reactos\win32ss\user\winsrv\consrv\frontends\gui\guiterm.c @ 143]
       
      kd> !thread b5513590
      THREAD b5513590  Cid 0084.00a4  Teb: 7ffdf000 Win32Thread: b550a9f0 WAIT: (UserRequest) UserMode Non-Alertable
          e1504748  NotificationEvent
          b550fbf8  SynchronizationEvent
          b539a0d8  Thread
      Not impersonating
      Owning Process            b5534020       Image:         csrss.exe
      Attached Process          N/A            Image:         N/A
      Wait Start TickCount      8771           Ticks: 20008 (0:00:05:00.023)
      Context Switch Count      1361  NoStackSwap    LargeStack
      UserTime                  00:00:00.000
      KernelTime                00:00:00.134
      LPC Server thread working on message Id 9fc
      Start Address 0x000009fc
      Stack Init f7479000 Current f747885c Base f7479000 Limit f7475000 Call 0
      Priority 14 BasePriority 13 PriorityDecrement 0
      ChildEBP RetAddr  Args to Child              
      f74788b0 804ae2ba f7478a0c f7478980 00000001 nt!KiSwapContext+0x19
      f7478958 f75e35a3 00000003 f74789b4 00000001 nt!KeWaitForMultipleObjects+0x77a (FPO: [Non-Fpo]) (CONV: stdcall) [c:\ros\reactos\ntoskrnl\ke\wait.c @ 842]
      f7478a0c f75d6b36 000000ae 00000008 00000000 win32k!co_MsqSendMessage+0x6b3 (FPO: [Non-Fpo]) (CONV: fastcall) [c:\ros\reactos\win32ss\user\ntuser\msgqueue.c @ 1242]
      f7478a9c f75d6484 00000008 00000000 00000000 win32k!co_IntSendMessageTimeoutSingle+0x576 (FPO: [Non-Fpo]) (CONV: fastcall) [c:\ros\reactos\win32ss\user\ntuser\message.c @ 1452]
      f7478ad4 f75d6354 00000008 00000000 00000000 win32k!co_IntSendMessageTimeout+0x54 (FPO: [Non-Fpo]) (CONV: fastcall) [c:\ros\reactos\win32ss\user\ntuser\message.c @ 1507]
      f7478b04 f75d6231 00000008 00000000 f7478cd0 win32k!co_IntSendMessage+0x44 (FPO: [Non-Fpo]) (CONV: fastcall) [c:\ros\reactos\win32ss\user\ntuser\message.c @ 1298]
      f7478b84 f75d8a17 00000008 00000000 00000000 win32k!co_IntDoSendMessage+0x141 (FPO: [Non-Fpo]) (CONV: fastcall) [c:\ros\reactos\win32ss\user\ntuser\message.c @ 1846]
      f7478ce8 80541bdb 000a0106 000000ae 00000008 win32k!NtUserMessageCall+0xc97 (FPO: [Non-Fpo]) (CONV: stdcall) [c:\ros\reactos\win32ss\user\ntuser\message.c @ 2732]
      f7478d14 8053fb1b f75d7d80 00b1fc5c 0000001c nt!KiSystemCallTrampoline+0x1b (FPO: [Non-Fpo]) (CONV: cdecl) [c:\ros\reactos\ntoskrnl\include\internal\i386\ke.h @ 748]
      f7478d5c 80403e23 00b1fcdc 7c9301be badb0d00 nt!KiSystemServiceHandler+0x24b (FPO: [Non-Fpo]) (CONV: fastcall) [c:\ros\reactos\ntoskrnl\ke\i386\traphdlr.c @ 1813]
      f7478d5c 7c9301be 00b1fcdc 7c9301be badb0d00 nt!KiFastCallEntry+0x8c (FPO: [0,0] TrapFrame @ f7478d64)
      00b1fc50 7c5657fd 7c555a84 000a0106 000000ae ntdll!KiFastSystemCallRet (FPO: [0,0,0])
      00b1fc54 7c555a84 000a0106 000000ae 00000008 user32!ZwUserMessageCall+0xc (FPO: [0,0,0])
      00b1fcdc 7c538a01 000a0106 000000ae 00000008 user32!SendMessageW+0x184 (FPO: [Non-Fpo]) (CONV: stdcall) [c:\ros\reactos\win32ss\user\user32\windows\message.c @ 2395]
      00b1fd10 7c53767c 00b249c0 00000008 00b1ffdc user32!UserPaintCaption+0x91 (FPO: [Non-Fpo]) (CONV: cdecl) [c:\ros\reactos\win32ss\user\user32\windows\defwnd.c @ 278]
      00b1fd90 7aa1384c 000a0106 0000000c 00000000 user32!RealDefWindowProcW+0x33c (FPO: [Non-Fpo]) (CONV: stdcall) [c:\ros\reactos\win32ss\user\user32\windows\defwnd.c @ 1110]
      00b1fdb0 7c53651d 000a0106 0000000c 00000000 uxtheme!ThemeDefWindowProcW+0x5c (FPO: [Non-Fpo]) (CONV: stdcall) [c:\ros\reactos\dll\win32\uxtheme\themehooks.c @ 279]
      00b1fe00 7c55e72b 000a0106 0000000c 00000000 user32!DefWindowProcW+0xbd (FPO: [Non-Fpo]) (CONV: stdcall) [c:\ros\reactos\win32ss\user\user32\windows\defwnd.c @ 1255]
      00b1fe24 7a8a5a82 000a0106 0023fb48 0022e9f0 user32!SetWindowTextW+0x4b (FPO: [Non-Fpo]) (CONV: stdcall) [c:\ros\reactos\win32ss\user\user32\windows\window.c @ 1703]
      00b1fe38 7a898e97 0022b010 00b1fe74 0000005e winsrv!GuiChangeTitle+0x32 (FPO: [Non-Fpo]) (CONV: stdcall) [c:\ros\reactos\win32ss\user\winsrv\consrv\frontends\gui\guiterm.c @ 877]
      00b1fe64 100022e3 00b1fed8 00b1ffb4 00000005 winsrv!SrvSetConsoleTitle+0x217 (FPO: [Non-Fpo]) (CONV: stdcall) [c:\ros\reactos\win32ss\user\winsrv\consrv\console.c @ 1376]
      00b1fff4 00000000 00000000 e10100e0 00000000 csrsrv!CsrApiRequestThread+0xc63 (FPO: [Non-Fpo]) (CONV: stdcall) [c:\ros\reactos\subsystems\win32\csrsrv\api.c @ 811]

      Apparently it's holding the console critical section while calling SetWindowText, and message processing in the target thread (for WM_FOCUS) tries to acquire the same critical section.

      hbelusca, any thoughts?

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                hbelusca hbelusca
                Reporter:
                ThFabba ThFabba
              • Votes:
                0 Vote for this issue
                Watchers:
                1 Start watching this issue

                Dates

                • Created:
                  Updated: