代码改变世界

利用压力测试来保证软件的质量(五) 窗口消息问题

2010-09-10 21:07  王克伟  阅读(422)  评论(0编辑  收藏  举报

2010.6.28/6.29
今天遇到个问题:
cprog模块没有处理好WM_CLOSE消息重入问题,造成double free。

Cause:
The heap 0x002d8200 was double freed,
because the object of CCameraDevice was deleted twice,
caused by WM_CLOSE message processed twice by CCoreBrowser::WndProc.

The root cause is that while CCoreBrowser::WndProc processing WM_CLOSE,
ForceWindowClose is called by AYGSHELL due to CPROG's SwitchView,
it makes the WM_CLOSE sending to CCoreBrowser again. 

COREDLL!RHeapFreeWithCaller(_RHEAP * 0x00060020, unsigned long 0x00000000, void * 0x002d8200, unsigned long 0x41f2bc38)  line 2611 + 19 bytes 
COREDLL!DoFree(void * 0x002d8200, void * 0x41f2bc38)  line 62 + 25 bytes 
COREDLL!delete2_tag(void * 0x002d8200)  line 78 + 11 bytes 
PIMGDLL!CCameraDevice::`scalar deleting destructor'() + 25 bytes 
PIMGDLL!DeleteCameraDevices(CCameraDevice * * 0x0005c728)  line 45 + 7 bytes 
FBROWSER!CFilePicker::OnClose()  line 1870 + 9 bytes 
FBROWSER!CCoreBrowser::WndProc(HWND__ * 0x700eb620, unsigned int 0x00000010, unsigned int 0x00000000, long 0x00000000)  line 672 
... 
AYGSHELL!ForceWindowClose(HWND__ * 0x70043300, HWND__ * 0x00000000, unsigned int 0x00000000, long 0x00000000)  line 201 + 28 bytes 
AYGSHELL!SHForceBaseStateEx(_BASESTATEINFO * 0x0005cd10)  line 329 + 13 bytes 
AYGSHELL!SHForceBaseState(HWND__ * 0x70043300, long 0x00000000)  line 246 + 23 bytes 
CPROG!CProgressCommon::SwitchViewInternal(tagPH_VIEW PH_VIEW_INCOMING, unsigned long 0x00000000)  line 714 + 15 bytes 
CPROG!CProgressCommon::DoVerbSwitchView(const CProgVerbStruct * 0x0005cd94, long 0x0000000a)  line 2349 + 6 bytes 
CPROG!CProgressCommon::DoVerb(const CProgVerbStruct * 0x0005cd94)  line 2884 
... 
AYGSHELL!CChangeWatcher::ShutdownWatchThread()  line 274 + 9 bytes 
AYGSHELL!CChangeWatcher::RemoveWatch(HWND__ * 0x700eb620)  line 1050 
AYGSHELL!SHChangeNotifyDeregister(HWND__ * 0x700eb620)  line 1126 + 8 bytes 
FBROWSER!CFileExplorer::Delete()  line 249 + 8 bytes 
FBROWSER!CCoreBrowser::WndProc(HWND__ * 0x700eb620, unsigned int 0x00000010, unsigned int 0x00000000, long 0x00000000)  line 672 
...

Solution:
After DeleteCameraDevices we set the value of pCameraDeviceChain in window property list to NULL.

 

在处理WM_DESTROY消息时收到其它消息。

WM_CLOSE/WM_DESTROY/WM_QUIT是什么关系?