Description
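Backtrace for the dereference after the object has already been destroyed. The assertion fires in UserDereferenceObject, called from IntUnhookWindowsHook; the cLockObj value dumped after the backtrace (0xbc6501cc) looks like a pointer rather than a lock count, which suggests the freed object header has already been overwritten: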
kd> kp
ChildEBP RetAddr
f70aac4c 8054e786 nt!DbgUserBreakPoint
f70aac54 f75d8ce0 nt!RtlAssert(void * FailedAssertion = 0xf76cc84c, void * FileName = 0xf76cc828, unsigned long LineNumber = 0x250, char * Message = 0x00000000 "")+0x46 [c:\ros\reactos-clean\reactos\lib\rtl\assert.c @ 119]
f70aaca4 f7591db2 win32k!UserDereferenceObject(void * Object = 0xbc659d28)+0x80 [c:\ros\reactos-clean\reactos\win32ss\user\ntuser\object.c @ 592]
f70aacc8 f75bba42 win32k!IntUnhookWindowsHook(int HookId = 5, <function> * pfnFilterProc = 0x0047f070)+0xb2 [c:\ros\reactos-clean\reactos\win32ss\user\ntuser\hook.c @ 1303]
f70aacf8 8053f7b9 win32k!NtUserCallTwoParam(unsigned long Param1 = 5, unsigned long Param2 = 0x47f070, unsigned long Routine = 0x70)+0x2d2 [c:\ros\reactos-clean\reactos\win32ss\user\ntuser\simplecall.c @ 465]
f70aad14 8053f2cd nt!KiSystemCallTrampoline(void * Handler = 0xf75bb770, void * Arguments = 0x0012fd70, unsigned long StackBytes = 0xc)+0x19 [c:\ros\reactos-clean\reactos\ntoskrnl\include\internal\i386\ke.h @ 725]
f70aad5c 80403e03 nt!KiSystemServiceHandler(struct _KTRAP_FRAME * TrapFrame = 0xf70aad64, void * Arguments = 0x0012fd70)+0x23d [c:\ros\reactos-clean\reactos\ntoskrnl\ke\i386\traphdlr.c @ 1707]
f70aad5c 7c92fb9e nt!KiFastCallEntry+0x8c
0012fd64 77a9d1ec ntdll!KiFastSystemCallRet
0012fd68 77a6cef4 user32!ZwUserCallTwoParam+0xc
0012fd7c 77a6bd22 user32!NtUserxUnhookWindowsHook(int nCode = 5, <function> * pfnFilterProc = 0x0047f070)+0x14 [c:\ros\reactos-clean\reactos\win32ss\user\user32\include\ntwrapper.h @ 697]
0012fd8c 0047ef86 user32!UnhookWindowsHook(int nCode = 5, <function> * pfnFilterProc = 0x0047f070)+0x12 [c:\ros\reactos-clean\reactos\win32ss\user\user32\windows\hook.c @ 323]
0012fda8 004694f2 comctl32_winetest!test_create(void)+0x236 [c:\ros\reactos-clean\reactos\modules\rostests\winetests\comctl32\toolbar.c @ 1834]
0012fe24 00494334 comctl32_winetest!func_toolbar(void)+0x132 [c:\ros\reactos-clean\reactos\modules\rostests\winetests\comctl32\toolbar.c @ 1966]
0012fe40 004941c8 comctl32_winetest!run_test(char * name = 0x00133e58 "toolbar")+0xa4 [c:\ros\reactos-clean\reactos\include\reactos\wine\test.h @ 615]
0012fedc 0049517c comctl32_winetest!main(int argc = 2, char ** argv = 0x00134278)+0x188 [c:\ros\reactos-clean\reactos\include\reactos\wine\test.h @ 671]
0012ffb4 00494eb6 comctl32_winetest!__tmainCRTStartup(void)+0x2ac [c:\ros\reactos-clean\reactos\lib\sdk\crt\startup\crtexe.c @ 310]
0012ffc0 77d93909 comctl32_winetest!mainCRTStartup(void)+0x26 [c:\ros\reactos-clean\reactos\lib\sdk\crt\startup\crtexe.c @ 196]
0012fff0 00000000 kernel32!CreateProcessInternalW(void * hUserToken = 0x00494e90, wchar_t * lpApplicationName = 0x00000000 "", unsigned short * lpCommandLine = 0xec0100ed, struct _SECURITY_ATTRIBUTES * lpProcessAttributes = 0x00000000, struct _SECURITY_ATTRIBUTES * lpThreadAttributes = 0xffeeffee, int bInheritHandles = 0, unsigned long dwCreationFlags = 0, void * lpEnvironment = 0x00000000, wchar_t * lpCurrentDirectory = 0x00130000 "í???", struct _STARTUPINFOW * lpStartupInfo = 0x00130000, struct _PROCESS_INFORMATION * lpProcessInformation = 0x00000100, void ** hNewToken = 0x00130768)+0x2e09 [p:\trunk_slave\x86_msvc\build\dll\win32\kernel32\client\proc.c @ 4139]
kd> ?? ObjHead->cLockObj
unsigned long 0xbc6501cc
kd> ?? ObjHead
struct _HEAD * 0xbc659d28
+0x000 h : 0xbc65a490 Void
+0x004 cLockObj : 0xbc6501cc
kd> ln f75d7a6e
c:\ros\reactos-clean\reactos\win32ss\user\ntuser\object.c(70)+0xd
(f75d79d0) win32k!AllocDeskThreadObject+0x9e | (f75d7b20) win32k!FreeDeskThreadObject
kd> .echo size is 0x48
size is 0x48
Issue Links
- relates to CORE-8703 Window object use after free when running user32_wintest:msg (Resolved)