利用压力测试来保证软件的质量(三) 窗口链混乱问题
2010-09-10 21:14 王克伟 阅读(613) 评论(0) 编辑 收藏 举报窗口链混乱问题
dumpsource pimg.exe发现代码在:\private\apps\pimg
2.但是我们发现异常抛\private\shellw\gserver\pimgdll\camera\frame.cpp函数WndProc L52处,看来是在调用pimgdll.dll中的Camera相关函数时出现问题。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 | PIMGDLL!WndProc(HWND__ * 0x700ee5a0, unsigned int 0x0000c007, unsigned int 0x00000003, long 0x00000000) frame.cpp line 52 + 5 bytes GWES!WindowProcCallback(void * 0x0cff588e, long (HWND__ *, unsigned int, unsigned int, long)* 0x41e9ea5d, CWindow * 0x700ee5a0, unsigned int 0x0000c007, unsigned int 0x00000003, long 0x00000000, bool * 0xd986edcf) wbase.cpp line 3198 + 18 bytes GWES!CWindow::CallWindowProcW_I(CePtr_t<long (__cdecl*)(HWND__ *,unsigned int,unsigned int,long)> {...}, HWND__ * 0x41e9ea5d, unsigned int 0x0000c007, unsigned int 0x00000003, long 0x00000000, SendMsgEntry_t * 0x00000000) wbase.cpp line 3403 + 21 bytes GWES!MsgQueue::DispatchMessageW_I(const tagMSG * 0x0002eca8) msgque.cpp line 4967 + 32 bytes GWES!PixelDoubled_t::DispatchMessageW_I(const tagMSG * 0x0002eca8) pixeldouble.cpp line 2083 + 9 bytes COREDLL!DispatchMessageW(const tagMSG * 0x0002eca8) twinuser.cpp line 2947 + 9 bytes PIMGDLL!CMainWnd::Run() frame.cpp line 365 + 9 bytes PIMGDLL!CCamera::Run(HWND__ * 0x700a9ec0, CConfig * 0x003ae620) cameraui.cpp line 997 PIMGDLL!StartCameraUI(HWND__ * 0x700a9ec0, wchar_t * 0x00031d00, int 0x00000104, int 0x00000000) cameraui.cpp line 143 //▲这里 FBROWSER!CFilePicker::OnCmdSelectCamera(_ITEMIDLIST * 0x003a9d00) fpicker.cpp line 1024 FBROWSER!CFilePicker::OnCommand(unsigned int 0x00000fab, long 0x003a9d00) fpicker.cpp line 1139 FBROWSER!CPicturePicker::OnCommand(unsigned int 0x00000fab, long 0x003a9d00) picturepicker.cpp line 280 + 13 bytes FBROWSER!CCoreBrowser::WndProc(HWND__ * 0x700a9ec0, unsigned int 0x00000111, unsigned int 0x00000fab, long 0x003a9d00) core.cpp line 649 + 13 bytes ... FBROWSER!StartFilePicker(tagOPENFILENAMEEX * 0x0002fb04, int 0x00000002, int 0x00000001) picturepicker.cpp line 609 + 19 bytes PIMG!WinMain(HINSTANCE__ * 0x0cff588e, HINSTANCE__ * 0x0cff588e, wchar_t * 0x0002fc70, HINSTANCE__ * 0x0cff588e) pimg.cpp line 46 + 13 bytes |
StartCameraUI先初始化Camera,然后让Camera Run起来:
CCamera::Initialize(hwnd,g_hInstRes, pcfg, TRUE);
CState* pState= CCamera::GetCamera()->GetState();
4.出现问题时PIMGDLL!WndProc收到的消息是0x0000c007,这是什么消息?看一下RegisterWindowMessage API发现:
0xC000 through 0xFFFF的消息是为了需要跨应用唯一标识的消息用的,否则可以使用WM_USER through 0x7FFF的消息作为私用消息用,那么0x0000c007这个消息是谁发过来的?
但实际上CCamera已经跟着窗口 A一起销毁了,这时调用已经销毁了的CCamera对象的成员触发AV异常。(窗口A的消息循环的标志位s_fRunMessageLoop在窗口销毁时并没有被置成FALSE,
(1).\private\shellw\gserver\pimgdll\camera\cameraui.cpp L695 位置我们首先new个CMainWnd对象:
s_pCamera->m_pMWnd = new CMainWnd(hInstance,parent);
然后在L740 位置创建窗口并指定父窗口:
(2). CCamera的类定义中我们看到:
// parent window. this window may not the same as passing one
// if the camera/video window is active
HWND m_hParent;
1 2 3 4 | hWnd value 0x700ee5a0. the memory is valid and member value: m_hprcCreater: 0x0cff588e(pimg.exe) m_hprcDestroyer: 0x0a4c0282(iexplorer.exe) m_fBeginDestroyed = 1; |
1 2 3 4 5 6 7 8 9 10 | Follow callstack is a thread(0x8f211b6) of iexplorer(0x0a4c0282): ie process destroy pimg process's camera window. 0xd98cf618 K.COREDLL!xxx_WaitForSingleObject(0x0d680dab, 0xffffffff) line 418 0xd98cf690 GWES!MsgQueue::GetEvent(0x80000001, 0x00000000, 0x00000000, 0x00000000, 0xd98cf6b8) line 3746 + 10 bytes 0xd98cf700 GWES!MsgQueue::SendMessageWithOptions(0x700ee5a0, 0x00000002, 0x00000000, 0x00000000, 0x00000000) line 4171 0xd98cf728 GWES!CWindow::SendDestroyMessages1() line 1200 + 11 bytes 0xd98cf748 GWES!CWindow::DestroyWindow_I(0x700ee5a0) line 1434 =====> 0x700ee5a0 is pimg camera window handle value. 0xd98cf764 GWES!CWindow::DestroyWindow_I(0x700c4c20) line 1346 0x009efa4c BROWSUI!DialogBase::Run(0x700ae240, 0x009efa5c) line 293 + 6 bytes 0x009efa60 BROWSUI!BrowserOptions::Run(0x700ae240) line 123 |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 | - {,,coredll.dll}(CWindow*)0x700ee5a0 0x700ee5a0 + m_ParentChild1 {...} s_sigValid 0x574e4457 m_sig 0x574e4457 + m_pcwndOwner 0x00000000 + m_pcwndOwned 0x00000000 + m_pcwndNextOwned 0x700d7980 //这个是由iexplorer.exe创建,那么这个成员作何用? + m_pcwndRestore 0x00000000 + m_rc {...} + m_rcClient {...} + m_pgdiwnd {...} + m_pgdiwndClient {...} + m_pgdiwndClientUpdate {...} + m_rcRestore {...} + m_ptblProperties 0x00000000 m_dwState 0x00000000 m_psbii 0x00000000 m_pGestureStateManager 0x00000000 + m_pszName 0x700ee6a0 " //字符串的值为 FE 56 47 72 8C 54 C6 89 91 98 00 00 + m_pmsgq 0x700883e0 m_himc 0x00032360 m_hprcHimcOwner 0x0cff588e m_grfStyle 0x80000000 m_grfExStyle 0x80000000 + m_pwc 0x700ee544 m_lID 0x00000000 m_lUserData 0x00000000 m_hprcCreator 0x0cff588e //pimg.exe m_hthdCreator 0x0d08607e - m_WindowProcPtr {...} - CePtrBase_t {...} m_hProc 0x0cff588e //窗口回调函数在pimg.exe中 m_Ptr 0x41e9ea5d WndProc(HWND__ *, unsigned int, unsigned int, long) m_PtrLong 0x41e9ea5d m_PtrUnsignedLong 0x41e9ea5d + m_hrgnWindowRgn 0x00000000 + m_hrgnVisible 0x039a16f1 + m_hrgnUpdate 0x033e1e6b + m_hrgnClientVisible 0x009e0fb0 + m_hrgnClientUpdate 0x00000000 m_pBackBuffer 0x00000000 + m_BlendFunction {...} m_crKey 0x00000000 + mLayeredWindowFlags {...} + m_hmenu 0x0a4c0282 m_hprcDestroyer 0x0a4c0282 //iexplorer.exe + m {...} m_grfBitFields 0x000044d0 m_ullGuardGestureFlags 0x0000000000000000 m_rgdwExtraBytes 0x700ee680 |
1 2 3 4 5 6 7 | // Handle parent-child-owner issues if ( grfStyle & WS_POPUP ) { grfStyle &= ~WS_CHILD; // Make sure we don't have both WS_POPUP and WS_CHILD. // If popup, owner was passed in as parent parameter. pcwndOwner = (CWindow*)hwndParent; |
1 | hwndParent = NULL; // Make the new window a top level window. |
1 2 3 4 | pcwnd->m_pcwndOwner = pcwndOwner; // Insert into owner's owned list. pcwnd->m_pcwndNextOwned = pcwndOwner->m_pcwndOwned; pcwndOwner->m_pcwndOwned = pcwnd; |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 | /* CWindow::Initialize Initializes a window. */ BOOL CWindow:: Initialize( CWindow *pcwndParent, UINT32 cy, UINT32 cx, INT32 y, INT32 x, UINT32 grfStyle, const WCHAR *szName, UINT32 grfExStyle, MsgQueue *pmsgq, CWindowClass *pwc, LONG lID ) { BOOL Ret = FALSE; const WCHAR *szCopy = NULL; DWORD ProcessVersion; AssertInUserOnce(); // These will be filled in below. NULL them here for finally clause. Parent(pcwndParent); //将pcwndParent作为m_ParentChild1.m_pParent m_rc.left = x; m_rc.top = y; if ( Parent() ) { m_rc.left += Parent() -> m_rcClient.left; m_rc.top += Parent() -> m_rcClient.top ; } |
PIMGDLL!StartCameraUI(HWND__ * 0x700a9ec0, wchar_t * 0x00031d00, int 0x00000104, int 0x00000000) )
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 | - {,,coredll.dll}(CWindow*)0x700525c0 0x700525c0 - m_ParentChild1 {...} + m_pNextSiblingBehind 0x70051880 + m_pNextSiblingInFront 0x70051c00 + m_pParent 0x700302a0 //NK.EXE的窗口 + m_pFirstChildFront 0x70052720 + m_pFirstChildBack 0x70052b80 s_sigValid 0x574e4457 m_sig 0x574e4457 s_sigValid 0x574e4457 m_sig 0x574e4457 + m_pcwndOwner 0x70042b00 //pimg.exe的窗口 + m_pcwndOwned 0x70051c00 //pimg.exe的窗口 + m_pcwndNextOwned 0x70050260 //pimg.exe的窗口 + m_pcwndRestore 0x00000000 + m_rc {...} + m_rcClient {...} + m_pgdiwnd {...} + m_pgdiwndClient {...} + m_pgdiwndClientUpdate {...} + m_rcRestore {...} + m_ptblProperties 0x00000000 m_dwState 0x00000000 m_psbii 0x00000000 m_pGestureStateManager 0x00000000 + m_pszName 0x700526c0 "Pictures & Videos" + m_pmsgq 0x70045600 m_himc 0x000322e0 m_hprcHimcOwner 0x0bd704c6 m_grfStyle 0x90000000 m_grfExStyle 0x80000000 + m_pwc 0x70052304 m_lID 0x00000000 m_lUserData 0x00000000 m_hprcCreator 0x0bd704c6 //pimg.exe m_hthdCreator 0x0bd804c6 + m_WindowProcPtr {...} + m_hrgnWindowRgn 0x00000000 + m_hrgnVisible 0x004a091f + m_hrgnUpdate 0x00800971 + m_hrgnClientVisible 0x004a093d + m_hrgnClientUpdate 0x00000000 m_pBackBuffer 0x00000000 + m_BlendFunction {...} m_crKey 0x00000000 + mLayeredWindowFlags {...} + m_hmenu 0x00000000 m_hprcDestroyer 0x00000000 + m {...} m_grfBitFields 0x00004447 m_ullGuardGestureFlags 0x0000000000000000 m_rgdwExtraBytes 0x700526a0 |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 | //*************************************************************************** // Function name : CMainWnd::Create // Description : create main window // Return type : BOOL //*************************************************************************** BOOL CMainWnd::Create( HWND hParent) { BOOL fSuccess = TRUE; WNDCLASS wc; wc.style = CS_VREDRAW | CS_HREDRAW; // Window style wc.lpfnWndProc = WndProc; // Callback function wc.cbClsExtra = 0; // Extra class data wc.cbWndExtra = 0; // Extra window data wc.hInstance = m_hInst; // Owner handle wc.hIcon = NULL, // Application icon wc.hCursor = LoadCursor(NULL, IDC_ARROW); // Default cursor wc.hbrBackground = GetBrush(); wc.lpszMenuName = NULL; // Menu name wc.lpszClassName = CCamera::GetAppClassName(); // Window class name RegisterClass (&wc); // Create main window. int iMenuBarHeight = SHGetMetric(SHUI_MENUHEIGHT); RECT rc; SystemParametersInfo(SPI_GETWORKAREA, 0, &rc, 0); if (hParent) { m_hParent = hParent; } DWORD Style = WS_POPUP | WS_VISIBLE; m_hWnd = CreateWindowEx(WS_EX_CAPTIONOKBTN, CCamera::GetAppClassName(), CCamera::GetCamera()->GetAppName(), Style, rc.left, rc.top, RECTWIDTH(rc), RECTHEIGHT(rc) - iMenuBarHeight, m_hParent, 0, m_hInst, 0); // parameters if (!IsWindow (m_hWnd)) { fSuccess = FALSE; goto Error; } |
private\winceos\coreos\gwe\inc\window.hpp GWE里面CWindow的具体实现。
1 2 3 4 5 6 7 | m_pcwndOwner 0x00000000 m_pcwndOwned 0x00000000 m_pcwndNextOwned 0x700d7980 //这个是由iexplorer.exe创建 m_hprcCreator 0x0cff588e //pimg.exe m_pszName 0x700ee6a0 " //字符串的值为 FE 56 47 72 8C 54 C6 89 91 98 00 00 m_hProc 0x0cff588e //窗口回调函数在pimg.exe中 m_hprcDestroyer 0x0a4c0282 //iexplorer.exe |
1 2 3 4 5 6 | m_ParentChild1.m_pParent 0x700302a0 //NK.EXE的窗口 m_pcwndOwner 0x70042b00 //pimg.exe的窗口 m_pcwndOwned 0x70051c00 //pimg.exe的窗口 m_pcwndNextOwned 0x70050260 //pimg.exe的窗口 m_pszName 0x700526c0 "Pictures & Videos" m_hprcCreator 0x0bd704c6 //pimg.exe |
但实际上CCamera已经跟着窗口 A一起销毁了,这时调用已经销毁了的CCamera对象的成员触发AV异常。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 | Windows CE>!proc 0x0AA1007E +========================================= | test.exe | | Process Handle : 0x0aa1007e +========================================= Cmdline : Process ptr : 0x8c719354 Size : 0x00003000 Base ptr : 0x00010000 Lowest free VM : 0x000e0000 Time stamp : 0xef74579d File type : Object Store hTok : 0x00000002 ASID : 0x00 State : (0) normal Rsrc mod ptr : 0x00000000 Module VM range Ref cnt Module ptr -------------------------------------------------------------------------- aygshell.dll 0x41310000 - 0x41397000 9 0x84d2d404 ceperf.dll 0x43cb0000 - 0x43cbc000 9 0x8535d2a4 commctrl.dll 0x41f20000 - 0x41fb1000 9 0x8535d024 commctrl.dll.0409.mui 0x43ca0000 - 0x43ca2000 10 0x8535d15c compime.dll 0x41160000 - 0x41193000 3 0x850274b4 coredll.dll 0x40030000 - 0x400f2000 19 0x8ffa9594 coredll.dll.0409.mui 0x43ba0000 - 0x43bb5000 19 0x8fadf540 lpcrt.dll 0x42170000 - 0x42175000 13 0x84bc0f30 ole32.dll 0x41d70000 - 0x41df3000 13 0x84bc0cc0 oleaut32.dll 0x41a90000 - 0x41ac9000 12 0x851a11e4 ossvcs.dll 0x41c30000 - 0x41c8f000 10 0x850d592c rpcrt4.dll 0x420b0000 - 0x42112000 13 0x84bc0df8 shellres.dll 0x43d10000 - 0x43d23000 5 0x85027688 shellres.dll.0409.mui 0x43d30000 - 0x43d60000 6 0x85027724 shutil.dll 0x41800000 - 0x41807000 4 0x861a2a24 pThread hThread Priority User Time Run Death Current Proc Thread Name curr:base State State ---------------------------------------------------------------------------------------------------------- 0x875e09c4 0x0aa4009a 251 : 251 367 ms Blocked Healthy NK.EXE WinMainCRTStartup |
并且使用!win all命令查看到我启动2个Test.exe的窗口:
1 2 3 4 5 6 7 8 9 10 11 | "TryWindowName" hwnd=0x70047700 Class=TryClassName parent=0x700302a0 hThread=0x0ab200de hProcess=0x0aaf00de x=0 y=36 width=480 height=764 Style=WS_VISIBLE WS_POPUP exstyle=WS_CAPTIONOKBTN "TryWindowName" hwnd=0x70051560 Class=TryClassName parent=0x700302a0 hThread=0x0aa4009a hProcess=0x0aa1007e x=0 y=0 width=0 height=0 Style=WS_VISIBLE WS_POPUP exstyle=WS_CAPTIONOKBTN |
很可能是double free window handle问题。
iexplorer.exe PSL into shell32.exe. If shell32.exe create window during this PSL call. the window creator process will be shell32.exe, but the window create thread will be iexplorer.exe.
Normally, creator process and thread will be consistent, but if in PSL the thing will change.
所以尝试在private\winceos\COREOS\gwe\winmgr\wmbase\wbase.cpp L1400判断m_hprcCreator与m_hprcDestroyer是否一样,如果不一样则Break一下。
\private\winceos\COREOS\gwe\winmgr\wmbase\wmbase.cpp L860:
1 2 3 4 | pcwnd->m_pcwndOwner = pcwndOwner; // Insert into owner's owned list. pcwnd->m_pcwndNextOwned = pcwndOwner->m_pcwndOwned; pcwndOwner->m_pcwndOwned = pcwnd; |
a.在\private\winceos\coreos\gwe\winmgr\wmbase\wbase.cpp L1303行添加如下代码:
1 2 3 4 5 6 7 8 9 | //Trace double free window handle problem if (This.m_hprcDestroyer != This.m_hprcCreator) { HTHREAD hthdDestroyer = (HTHREAD)GetCurrentThreadId(); if (hthdDestroyer != This.m_hthdCreator) { DebugBreak(); } } |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 | - {,,coredll.dll}(CWindow*)0x70083e20 0x70083e20 + m_pcwndOwner 0x00000000 + m_pcwndOwned 0x00000000 + m_pcwndNextOwned 0x70083440 + m_pcwndRestore 0x00000000 + m_pszName 0x70083f40 "Transcriber" + m_pmsgq 0x7006e060 m_himc 0x00000000 m_hprcHimcOwner 0x00000000 m_grfStyle 0x80000a04 m_grfExStyle 0x84090000 + m_pwc 0x7006eea4 m_lID 0x00000000 m_lUserData 0x00000000 m_hprcCreator 0x00d60776 //transcriber.exe m_hthdCreator 0x03ba29f6 //transcriber.exe的线程 m_hprcDestroyer 0x01ce0066 //cprog.exe |
这个窗口被销毁之后,有可能不会有任何问题,但也可能造成transcriber.exe进程的AV异常,就像之前的Hopper Bug:2609、2652、2665。
\private\winceos\COREOS\gwe\winmgr\wmbase\wmbase.cpp L860添加如下代码:
1 2 3 4 5 6 7 8 | //Trace double free window handle problem if (pcwnd.m_hprcCreator != pcwndOwner.m_hprcCreator) { if (pcwnd.m_hthdCreator != pcwndOwner.hthdCreator) { DebugBreak(); } } |
1 2 3 4 5 6 7 8 9 | //Trace double free window handle problem if (0 != lstrcmp(pcwnd->m_pszName, L "Transcriber" ) && pcwnd->m_hprcCreator != pcwndOwner->m_hprcCreator) { if (pcwnd->m_hthdCreator != pcwndOwner->m_hthdCreator) { DebugBreak(); } } |
1 2 3 | HWND hwnd = GetForegroundWindow(); ... MessageBox(hwnd, szMsgStr, CGR_APP_TITLE, uiType|MB_SETFOREGROUND); |
1 2 3 4 5 6 7 | GWES!CWindowManager::CreateWindowExW_I(unsigned int 0x80000000, const wchar_t * 0x41f21468, const wchar_t * 0x42d60808, unsigned int 0x90000000, int 0x00000000, int 0x00000024, unsigned int 0x000001e0, unsigned int 0x000002b8, HWND__ * 0x00000000, HMENU__ * 0x00000000, HINSTANCE__ * 0x84aaeb08, void * 0x00000000, tagCREATESTRUCTW * 0x0002e9f4) wmbase.cpp line 865 GWES!PixelDoubled_t::CreateWindowExW_I(unsigned int 0x80000000, const wchar_t * 0x41f21468, const wchar_t * 0x42d60808, unsigned int 0x90000000, int 0x00000000, int 0x00000024, unsigned int 0x000001e0, unsigned int 0x000002b8, HWND__ * 0x7007d0c0, HMENU__ * 0x00000000, HINSTANCE__ * 0x84aaeb08, void * 0x00000000, tagCREATESTRUCTW * 0x0002e9f4) pixeldouble.cpp line 1299 + 41 bytes COREDLL!CreateWindowExW(unsigned long 0x80000000, const wchar_t * 0x41f21468, const wchar_t * 0x42d60808, unsigned long 0x90000000, int 0x00000000, int 0x00000024, int 0x000001e0, int 0x000002b8, HWND__ * 0x7007d0c0▲句柄B, HMENU__ * 0x00000000, HINSTANCE__ * 0x84aaeb08, void * 0x00000000) twinuser.cpp line 474 + 48 bytes PIMGDLL!CMainWnd::Create(HWND__ * 0x7007d0c0▲句柄B) camera_ppc.cpp line 165 PIMGDLL!CCamera::Initialize(HWND__ * 0x700a5e40▲句柄A, HINSTANCE__ * 0x84aaeb08, CConfig * 0x0003c1e0, int 0x00000001) cameraui.cpp line 740 + 40 bytes PIMGDLL!StartCameraUI(HWND__ * 0x700a5e40▲句柄A, wchar_t * 0x00031be0, int 0x00000104, int 0x00000000) cameraui.cpp line 133 + 17 bytes ... |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 | - {,,coredll.dll}(CWindow*)0x700a5e40 0x700a5e40 + m_ParentChild1 {...} s_sigValid 0x574e4457 m_sig 0x574e4457 + m_pcwndOwner 0x00000000 //▲ pimg.exe的顶级窗口 + m_pcwndOwned 0x700a69e0 + m_pcwndNextOwned 0x00000000 + m_pcwndRestore 0x700a5e40 + m_rc {...} + m_rcClient {...} + m_pgdiwnd {...} + m_pgdiwndClient {...} + m_pgdiwndClientUpdate {...} + m_rcRestore {...} + m_ptblProperties 0xd9edc320 m_dwState 0x00000000 m_psbii 0x00000000 m_pGestureStateManager 0x00000000 + m_pszName 0x700a5f60 "Pictures & Videos" + m_pmsgq 0x700a5220 m_himc 0x000322e0 m_hprcHimcOwner 0x027b2ac6 m_grfStyle 0x10000000 m_grfExStyle 0x00000000 + m_pwc 0x700a5de4 m_lID 0x00000000 m_lUserData 0x000312e0 m_hprcCreator 0x027b2ac6 //▲ pimg.exe m_hthdCreator 0x02d228be + m_WindowProcPtr {...} + m_hrgnWindowRgn 0x00000000 + m_hrgnVisible 0x00841875 + m_hrgnUpdate 0x00920e3c + m_hrgnClientVisible 0x049e128a + m_hrgnClientUpdate 0x00000000 m_pBackBuffer 0x00000000 + m_BlendFunction {...} m_crKey 0x00000000 + mLayeredWindowFlags {...} + m_hmenu 0x00000000 m_hprcDestroyer 0x00000000 + m {...} m_grfBitFields 0x00000444 m_ullGuardGestureFlags 0x0000000000000000 m_rgdwExtraBytes 0x700a5f20 |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 | - {,,coredll.dll}(CWindow*)0x7007d0c0 0x7007d0c0 + m_ParentChild1 {...} s_sigValid 0x574e4457 m_sig 0x574e4457 + m_pcwndOwner 0x00000000 //▲clock.exe的顶级窗口 + m_pcwndOwned 0x70087f00 + m_pcwndNextOwned 0x00000000 + m_pcwndRestore 0x70087f00 + m_rc {...} + m_rcClient {...} + m_pgdiwnd {...} + m_pgdiwndClient {...} + m_pgdiwndClientUpdate {...} + m_rcRestore {...} + m_ptblProperties 0x00000000 m_dwState 0x00000000 m_psbii 0x00000000 m_pGestureStateManager 0x00000000 + m_pszName 0x7007d1e0 "Clock & Alarms" + m_pmsgq 0x700725e0 m_himc 0x00031c00 m_hprcHimcOwner 0x07b178b6 m_grfStyle 0x08c00000 m_grfExStyle 0x40000000 + m_pwc 0x70075384 m_lID 0x00000000 m_lUserData 0x00000000 m_hprcCreator 0x07b178b6 //▲clock.exe m_hthdCreator 0x09d4c7fe + m_WindowProcPtr {...} + m_hrgnWindowRgn 0x00000000 + m_hrgnVisible 0x060a0d58 + m_hrgnUpdate 0x05f21d01 + m_hrgnClientVisible 0x05941dac + m_hrgnClientUpdate 0x00000000 m_pBackBuffer 0x00000000 + m_BlendFunction {...} m_crKey 0x00000000 + mLayeredWindowFlags {...} + m_hmenu 0x00000000 m_hprcDestroyer 0x00000000 + m {...} m_grfBitFields 0x00000544 m_ullGuardGestureFlags 0x0000000000000000 m_rgdwExtraBytes 0x7007d1a0 |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 | - {,,coredll.dll}(CWindow*)0x700e5d60 0x700e5d60 + m_ParentChild1 {...} s_sigValid 0x574e4457 m_sig 0x574e4457 + m_pcwndOwner 0x7007d0c0 //▲句柄B,应该为句柄A + m_pcwndOwned 0x00000000 + m_pcwndNextOwned 0x70087f00 + m_pcwndRestore 0x00000000 + m_rc {...} + m_rcClient {...} + m_pgdiwnd {...} + m_pgdiwndClient {...} + m_pgdiwndClientUpdate {...} + m_rcRestore {...} + m_ptblProperties 0x00000000 m_dwState 0x00000000 m_psbii 0x00000000 m_pGestureStateManager 0x00000000 + m_pszName 0x700e5c60 "Pictures & Videos" + m_pmsgq 0x700a5220 m_himc 0x000322e0 m_hprcHimcOwner 0x027b2ac6 m_grfStyle 0x80000000 m_grfExStyle 0x80000000 + m_pwc 0x700e5c04 m_lID 0x00000000 m_lUserData 0x00000000 m_hprcCreator 0x027b2ac6 //▲ pimg.exe m_hthdCreator 0x02d228be + m_WindowProcPtr {...} + m_hrgnWindowRgn 0x00000000 + m_hrgnVisible 0x00ea201e + m_hrgnUpdate 0x01be1ff4 + m_hrgnClientVisible 0x019a1ffd + m_hrgnClientUpdate 0x00000000 m_pBackBuffer 0x00000000 + m_BlendFunction {...} m_crKey 0x00000000 + mLayeredWindowFlags {...} + m_hmenu 0x00000000 m_hprcDestroyer 0x00000000 + m {...} m_grfBitFields 0x00000404 m_ullGuardGestureFlags 0x0000000000000000 m_rgdwExtraBytes 0x700e5e40 |
进一步推理到问题可能出在\private\shellw\gserver\pimgdll\camera\cameraui.cpp L708附近代码。
现将\private\shellw\gserver\pimgdll\camera\cameraui.cpp L698的代码改为:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 | else { ... //if (!s_pCamera->m_hParent) //{// after close the option dialog, the s_pCamera->m_hParen should have valide value, // // otherwise, we force it equal to the parent passed in. // s_pCamera->m_hParent = parent; //} } if (s_pCamera) { s_pCamera->m_hParent = parent; } |
执行DestroyWindow_I函数时消息WM_DESTROY会被发送给窗口吗?如果不会那么Bug2609里面的 s_fRunMessageLoop没有被置为FALSE会比较合理,如果会那又作何解释呢?
借助Tool help了解进程的信息,比如:
Camera window was destroyed as a owned window by other process.
s_pCamera would cache the Video and Still Option dialog window handle in m_hDlgStill or m_hDlgVideo when open options.
When the dialog exit no one would set those variable to NULL, s_pCamera will cache a invalid window handle or a handle reused by any others.
Once the window handle reused by other process, and when CCamera::Initialize invoke CloseDlgOpt it would find a other process window's parent
and set to s_pCamera->m_hParent. After that we create a window owned by that process.
出处: http://wangkewei.cnblogs.com/
版权声明: 本文的版权归作者与博客园共有。转载时须注明本文的详细链接,否则作者将保留追究其法律责任的权利。
【推荐】国内首个AI IDE,深度理解中文开发场景,立即下载体验Trae
【推荐】轻量又高性能的 SSH 工具 IShell:AI 加持,快人一步
· 如何编写易于单元测试的代码
· 10年+ .NET Coder 心语,封装的思维:从隐藏、稳定开始理解其本质意义
· .NET Core 中如何实现缓存的预热?
· 从 HTTP 原因短语缺失研究 HTTP/2 和 HTTP/3 的设计差异
· AI与.NET技术实操系列:向量存储与相似性搜索在 .NET 中的实现
· 10年+ .NET Coder 心语 ── 封装的思维:从隐藏、稳定开始理解其本质意义
· 地球OL攻略 —— 某应届生求职总结
· 提示词工程——AI应用必不可少的技术
· Open-Sora 2.0 重磅开源!
· 周边上新:园子的第一款马克杯温暖上架