microsoft / CsWinRT

C# language projection for the Windows Runtime
MIT License

AV in WinUI 3 apps due to usage of COM object without calling AddRef #1834

Open hez2010 opened 1 month ago

hez2010 commented 1 month ago

Describe the bug

We encountered a weird bug where an AV can happen randomly at the PropertyChanged event, where the code is:

this.PropertyChanged(this, new(propertyName));

The full stack trace:

 # Child-SP          RetAddr               Call Site
00 000000bc`645eaa48 00007ffa`771f0a57     0x00007ffa`771f0bea
01 000000bc`645eaa50 00007ffa`c4af4a7f     0x00007ffa`771f0a57
02 000000bc`645eaaf0 00007ffa`c4aef70a     Microsoft_UI_Xaml!DirectUI::PropertyProviderPropertyAccess::GetValue+0x3f [C:\__w\1\s\dxaml\xcp\dxaml\lib\PropertyProviderPropertyAccess.cpp @ 103] 
03 000000bc`645eab20 00007ffa`c4abc2e9     Microsoft_UI_Xaml!DirectUI::PropertyAccessPathStep::GetValue+0x4a [C:\__w\1\s\dxaml\xcp\dxaml\lib\PropertyAccessPathStep.cpp @ 65] 
04 000000bc`645eab50 00007ffa`c4abc4d9     Microsoft_UI_Xaml!DirectUI::PropertyPathListener::ConnectPathStep+0xd5 [C:\__w\1\s\dxaml\xcp\dxaml\lib\PropertyPath.cpp @ 88] 
05 000000bc`645eab90 00007ffa`c4aef47a     Microsoft_UI_Xaml!DirectUI::PropertyPathListener::PropertyPathStepChanged+0x61 [C:\__w\1\s\dxaml\xcp\dxaml\lib\PropertyPath.cpp @ 188] 
06 000000bc`645eabd0 00007ffa`c4af4f36     Microsoft_UI_Xaml!DirectUI::PropertyPathStep::RaiseSourceChanged+0x4e [C:\__w\1\s\dxaml\xcp\dxaml\lib\PropertyPathStep.cpp @ 89] 
07 000000bc`645eac10 00007ffa`c4af655c     Microsoft_UI_Xaml!DirectUI::PropertyProviderPropertyAccess::OnPropertyChanged+0x16 [C:\__w\1\s\dxaml\xcp\dxaml\lib\PropertyProviderPropertyAccess.cpp @ 208] 
08 (Inline Function) --------`--------     Microsoft_UI_Xaml!DirectUI::INPCListenerBase::OnPropertyChangedCallback+0x87 [C:\__w\1\s\dxaml\xcp\dxaml\lib\INPCListenerBase.cpp @ 113] 
09 (Inline Function) --------`--------     Microsoft_UI_Xaml!DirectUI::INPCListenerBase::UpdatePropertyChangedHandler::__l23::::operator()+0x8b [C:\__w\1\s\dxaml\xcp\dxaml\lib\INPCListenerBase.cpp @ 56] 
0a (Inline Function) --------`--------     Microsoft_UI_Xaml!std::invoke+0x8e [C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Tools\MSVC\14.41.34120\include\type_traits @ 1714] 
0b 000000bc`645eac40 00007ffa`c4840683     Microsoft_UI_Xaml!std::_Func_impl_no_alloc<`DirectUI::INPCListenerBase::UpdatePropertyChangedHandler'::`23'::,long,IInspectable *,ABI::Microsoft::UI::Xaml::Data::IPropertyChangedEventArgs *>::_Do_call+0xac [C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Tools\MSVC\14.41.34120\include\functional @ 876] 
0c (Inline Function) --------`--------     Microsoft_UI_Xaml!std::_Func_class::operator()+0x1f [C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Tools\MSVC\14.41.34120\include\functional @ 920] 
0d 000000bc`645eac90 00007ffa`77a57dfd     Microsoft_UI_Xaml!ctl::event_handler_base,ABI::Microsoft::UI::Xaml::Controls::ICalendarView,ABI::Microsoft::UI::Xaml::Controls::ICalendarViewSelectedDatesChangedEventArgs,DirectUI::CalendarViewSelectedDatesChangedTraits>::Invoke+0x53 [C:\__w\1\s\dxaml\xcp\components\com\inc\comEventHandler.h @ 35] 
0e 000000bc`645eace0 00007ffa`7653e388     WinRT_Runtime!ABI.System.ComponentModel.PropertyChangedEventHandler.NativeDelegateWrapper.Invoke+0x2ad
0f 000000bc`645eae60 00007ffa`77a88f94     0x00007ffa`7653e388
10 000000bc`645eaeb0 00007ffa`77371727     CommunityToolkit_Mvvm!CommunityToolkit.Mvvm.ComponentModel.ObservableObject.SetProperty+0x214
11 000000bc`645eaf10 00007ffa`77317145     Files!Files.App.Data.Models.ColumnsViewModel.set_PathColumn+0x57 [D:\source\repos\Files\src\Files.App\Data\Models\ColumnsViewModel.cs @ 100] 
12 000000bc`645eaf60 00007ffa`762ef353     Files!Files.App.Views.Layouts.DetailsLayoutPage.OnNavigatedTo+0x3b5 [D:\source\repos\Files\src\Files.App\Views\Layouts\DetailsLayoutPage.xaml.cs @ 147] 
13 000000bc`645eb3e0 00007ffa`c4794079     Microsoft_WinUI!ABI.Microsoft.UI.Xaml.Controls.IPageOverrides.Do_Abi_OnNavigatedTo_1+0x53 [C:\__w\1\s\BuildOutput\obj\x86fre\src\projection\generated\CsWinRT\Microsoft.UI.Xaml.Controls.cs @ 105461] 
14 000000bc`645eb440 00007ffa`c4b03a24     Microsoft_UI_Xaml!DirectUI::PageGenerated::OnNavigatedToProtected+0x7d [C:\__w\1\s\dxaml\xcp\dxaml\lib\winrtgeneratedclasses\Page.g.cpp @ 172] 
15 000000bc`645eb490 00007ffa`c4b015f4     Microsoft_UI_Xaml!DirectUI::Page::InvokeOnNavigatedTo+0x74 [C:\__w\1\s\dxaml\xcp\dxaml\lib\Page_Partial.cpp @ 290] 
16 000000bc`645eb500 00007ffa`c4b00d34     Microsoft_UI_Xaml!DirectUI::Frame::ChangeContent+0x3e8 [C:\__w\1\s\dxaml\xcp\dxaml\lib\Frame_Partial.cpp @ 660] 
17 000000bc`645eb5d0 00007ffa`c4b007bc     Microsoft_UI_Xaml!DirectUI::Frame::PerformNavigation+0x188 [C:\__w\1\s\dxaml\xcp\dxaml\lib\Frame_Partial.cpp @ 497] 
18 000000bc`645eb650 00007ffa`c4b00384     Microsoft_UI_Xaml!DirectUI::Frame::StartNavigation+0x2c [C:\__w\1\s\dxaml\xcp\dxaml\lib\Frame_Partial.cpp @ 415] 
19 000000bc`645eb680 00007ffa`c4777c51     Microsoft_UI_Xaml!DirectUI::Frame::GoBackWithTransitionInfoImpl+0xf8 [C:\__w\1\s\dxaml\xcp\dxaml\lib\Frame_Partial.cpp @ 264] 
1a (Inline Function) --------`--------     Microsoft_UI_Xaml!DirectUI::Frame::GoBackImpl+0xa [C:\__w\1\s\dxaml\xcp\dxaml\lib\Frame_Partial.cpp @ 230] 
1b 000000bc`645eb6b0 00007ffa`782cbaaa     Microsoft_UI_Xaml!DirectUI::FrameGenerated::GoBack+0x61 [C:\__w\1\s\dxaml\xcp\dxaml\lib\winrtgeneratedclasses\Frame.g.cpp @ 408] 
1c 000000bc`645eb6f0 00007ffa`781ccbf9     Microsoft_WinUI!ABI.Microsoft.UI.Xaml.Controls.IFrameMethods.GoBack+0x7a [C:\__w\1\s\BuildOutput\obj\x86fre\src\projection\generated\CsWinRT\Microsoft.UI.Xaml.Controls.cs @ 83742] 
1d 000000bc`645eb7a0 00007ffa`781cca98     Files!Files.App.Views.Shells.BaseShellPage.Back_Click+0x139 [D:\source\repos\Files\src\Files.App\Views\Shells\BaseShellPage.cs @ 574] 
1e 000000bc`645eb830 00007ffa`781cc9ea     Files!Files.App.Views.Shells.ModernShellPage.Back_Click+0x78 [D:\source\repos\Files\src\Files.App\Views\Shells\ModernShellPage.xaml.cs @ 193] 
1f 000000bc`645eb880 00007ffa`779e5f44     Files!Files.App.Actions.NavigateBackAction.ExecuteAsync+0x5a [D:\source\repos\Files\src\Files.App\Actions\Navigation\NavigateBackAction.cs @ 43] 
20 000000bc`645eb8d0 00007ffa`779e5d6d     Files!Files.App.Data.Commands.ActionCommand.ExecuteAsync+0x74 [D:\source\repos\Files\src\Files.App\Data\Commands\ActionCommand.cs @ 150] 
21 000000bc`645eb930 00007ffa`77995aa0     Files!Files.App.Data.Commands.ActionCommand.d__55.MoveNext+0x6d [D:\source\repos\Files\src\Files.App\Data\Commands\ActionCommand.cs @ 140] 
22 000000bc`645eb9c0 00007ffa`779e5c82     System_Private_CoreLib!System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start+0x80 [/_/src/libraries/System.Private.CoreLib/src/System/Runtime/CompilerServices/AsyncMethodBuilderCore.cs @ 38] 
23 000000bc`645eba20 00007ffa`779e5b2d     Files!Files.App.Data.Commands.ActionCommand.Execute+0xd2
24 000000bc`645eba90 00007ffa`c4b6b962     WinRT_Runtime!ABI.System.Windows.Input.ICommand.Vftbl.Do_Abi_Execute_3+0x5d
25 000000bc`645ebaf0 00007ffa`c4b6d0d0     Microsoft_UI_Xaml!DirectUI::ButtonBase::ExecuteCommand+0xca [C:\__w\1\s\dxaml\xcp\dxaml\lib\ButtonBase_Partial.cpp @ 364] 
26 000000bc`645ebb40 00007ffa`c4c32c33     Microsoft_UI_Xaml!DirectUI::ButtonBase::OnClick+0xc0 [C:\__w\1\s\dxaml\xcp\dxaml\lib\ButtonBase_Partial.cpp @ 895] 
27 000000bc`645ebb90 00007ffa`c4b6ccbe     Microsoft_UI_Xaml!DirectUI::Button::OnClick+0xb3 [C:\__w\1\s\dxaml\xcp\dxaml\lib\Button_Partial.cpp @ 83] 
28 000000bc`645ebbe0 00007ffa`c4b6cb04     Microsoft_UI_Xaml!DirectUI::ButtonBase::PerformPointerUpAction+0x66 [C:\__w\1\s\dxaml\xcp\dxaml\lib\ButtonBase_Partial.cpp @ 796] 
29 000000bc`645ebc20 00007ffa`c4771b96     Microsoft_UI_Xaml!DirectUI::ButtonBase::OnPointerReleased+0x224 [C:\__w\1\s\dxaml\xcp\dxaml\lib\ButtonBase_Partial.cpp @ 776] 
2a 000000bc`645ebca0 00007ffa`c4b4d30b     Microsoft_UI_Xaml!DirectUI::ControlGenerated::OnPointerReleasedProtected+0xb2 [C:\__w\1\s\dxaml\xcp\dxaml\lib\winrtgeneratedclasses\Control.g.cpp @ 1457] 
2b 000000bc`645ebcf0 00007ffa`c4a62f18     Microsoft_UI_Xaml!DirectUI::Control::FireEvent+0x4eb [C:\__w\1\s\dxaml\xcp\dxaml\lib\Control_Partial.cpp @ 248] 
2c 000000bc`645ebd60 00007ffa`c4489a33     Microsoft_UI_Xaml!DirectUI::DXamlCore::FireEvent+0x1b0 [C:\__w\1\s\dxaml\xcp\dxaml\lib\DXamlCore.cpp @ 2047] 
2d (Inline Function) --------`--------     Microsoft_UI_Xaml!AgCoreCallbacks::FireEvent+0x34 [C:\__w\1\s\dxaml\xcp\dxaml\lib\FxCallbacks.cpp @ 89] 
2e (Inline Function) --------`--------     Microsoft_UI_Xaml!FxCallbacks::JoltHelper_FireEvent+0x34 [C:\__w\1\s\dxaml\xcp\dxaml\lib\FxCallbacks.cpp @ 877] 
2f 000000bc`645ebe00 00007ffa`c46a270d     Microsoft_UI_Xaml!CCoreServices::CLR_FireEvent+0x19f [C:\__w\1\s\dxaml\xcp\core\dll\xcpcore.cpp @ 3181] 
30 000000bc`645ebe60 00007ffa`c4da78be     Microsoft_UI_Xaml!CommonBrowserHost::CLR_FireEvent+0x1d [C:\__w\1\s\dxaml\xcp\control\common\shared\CommonBrowserHost.hpp @ 680] 
31 000000bc`645ebea0 00007ffa`c46dbac9     Microsoft_UI_Xaml!CControlBase::ScriptCallback+0x10e [C:\__w\1\s\dxaml\xcp\control\common\shared\controlbase.cpp @ 213] 
32 000000bc`645ebf30 00007ffa`c46db74e     Microsoft_UI_Xaml!CXcpDispatcher::OnScriptCallback+0x119 [C:\__w\1\s\dxaml\xcp\win\shared\xcpwindow.cpp @ 1028] 
33 000000bc`645ebfe0 00007ffa`c46a3c7f     Microsoft_UI_Xaml!CXcpDispatcher::OnWindowMessage+0x1e2 [C:\__w\1\s\dxaml\xcp\win\shared\xcpwindow.cpp @ 874] 
34 (Inline Function) --------`--------     Microsoft_UI_Xaml!CXcpDispatcher::SendMessageW+0x10 [C:\__w\1\s\dxaml\xcp\win\shared\xcpwindow.cpp @ 581] 
35 000000bc`645ec020 00007ffa`c44a1544     Microsoft_UI_Xaml!CXcpBrowserHost::SyncScriptCallbackRequest+0xcf [C:\__w\1\s\dxaml\xcp\host\win\browserdesktop\WinBrowserHost.cpp @ 742] 
36 (Inline Function) --------`--------     Microsoft_UI_Xaml!CEventManager::RaiseControlEvents+0x11a [C:\__w\1\s\dxaml\xcp\core\dll\eventmgr.cpp @ 1170] 
37 000000bc`645ec0a0 00007ffa`c44a1c6c     Microsoft_UI_Xaml!CEventManager::Raise+0x268 [C:\__w\1\s\dxaml\xcp\core\dll\eventmgr.cpp @ 928] 
38 000000bc`645ec1c0 00007ffa`c457bb46     Microsoft_UI_Xaml!CEventManager::RaiseRoutedEventBubbling+0x14c [C:\__w\1\s\dxaml\xcp\core\dll\eventmgr.cpp @ 1368] 
39 (Inline Function) --------`--------     Microsoft_UI_Xaml!CEventManager::RaiseRoutedEvent+0x2c [C:\__w\1\s\dxaml\xcp\core\dll\eventmgr.cpp @ 1278] 
3a 000000bc`645ec290 00007ffa`c4579e32     Microsoft_UI_Xaml!CInputServices::RaiseDelayedPointerUpEvent+0x146 [C:\__w\1\s\dxaml\xcp\core\input\InputServices.cpp @ 2629] 
3b 000000bc`645ec330 00007ffa`c4d63fb3     Microsoft_UI_Xaml!CInputServices::CleanPointerProcessingState+0x1f6 [C:\__w\1\s\dxaml\xcp\core\input\InputServices.cpp @ 1698] 
3c 000000bc`645ec3c0 00007ffa`c4578a38     Microsoft_UI_Xaml!ContentRootInput::PointerInputProcessor::ProcessPointerInput+0x147b [C:\__w\1\s\dxaml\xcp\components\ContentRoot\PointerInputProcessor.cpp @ 760] 
3d 000000bc`645ec520 00007ffa`c46a4348     Microsoft_UI_Xaml!CInputServices::ProcessInput+0x134 [C:\__w\1\s\dxaml\xcp\core\input\InputServices.cpp @ 855] 
3e (Inline Function) --------`--------     Microsoft_UI_Xaml!CCoreServices::ProcessInput+0x34 [C:\__w\1\s\dxaml\xcp\core\dll\xcpcore.cpp @ 1074] 
3f 000000bc`645ec590 00007ffa`c4a754e6     Microsoft_UI_Xaml!CXcpBrowserHost::HandleInputMessage+0x2c8 [C:\__w\1\s\dxaml\xcp\host\win\browserdesktop\WinBrowserHost.cpp @ 1078] 
40 000000bc`645ec620 00007ffa`c4a5c635     Microsoft_UI_Xaml!CJupiterControl::HandlePointerMessage+0xa6 [C:\__w\1\s\dxaml\xcp\dxaml\lib\JupiterControl.cpp @ 604] 
41 000000bc`645ec6e0 00007ffa`c451b87d     Microsoft_UI_Xaml!CJupiterWindow::OnIslandPointerMessage+0xc5 [C:\__w\1\s\dxaml\xcp\dxaml\lib\JupiterWindow.cpp @ 1316] 
42 000000bc`645ec780 00007ffa`c4521792     Microsoft_UI_Xaml!CXamlIslandRoot::InjectPointerMessage+0xd9 [C:\__w\1\s\dxaml\xcp\core\core\elements\XamlIslandRoot.cpp @ 527] 
43 (Inline Function) --------`--------     Microsoft_UI_Xaml!CXamlIslandRoot::OnIslandPointerReleased+0xd [C:\__w\1\s\dxaml\xcp\core\core\elements\XamlIslandRoot.cpp @ 475] 
44 (Inline Function) --------`--------     Microsoft_UI_Xaml!CXamlIslandRoot::SubscribeToInputPointerSourceEvents::__l43::::operator()+0x38 [C:\__w\1\s\dxaml\xcp\core\core\elements\XamlIslandRoot.cpp @ 1545] 
45 000000bc`645ec810 00007ffa`ca007bf7     Microsoft_UI_Xaml!Microsoft::WRL::Details::DelegateArgTraits,ABI::Windows::Foundation::Internal::AggregateType >::*)(ABI::Microsoft::UI::Input::IInputPointerSource *,ABI::Microsoft::UI::Input::IPointerEventArgs *)>::DelegateInvokeHelper,ABI::Windows::Foundation::ITypedEventHandler,Microsoft::WRL::FtmBase>,`CXamlIslandRoot::SubscribeToInputPointerSourceEvents'::`43':: &,1,ABI::Microsoft::UI::Input::IInputPointerSource *,ABI::Microsoft::UI::Input::IPointerEventArgs *>::Invoke+0x42 [C:\__w\1\s\packages\Microsoft.Windows.SDK.cpp.10.0.22621.755\c\Include\10.0.22621.0\winrt\wrl\event.h @ 354] 
46 000000bc`645ec840 00007ffa`c9fef5ed     Microsoft_UI_Input!Microsoft::WRL::Details::DelegateArgTraits,Windows::Foundation::Internal::AggregateType >::*)(Microsoft::UI::Input::IInputPointerSource * __ptr64,Microsoft::UI::Input::IPointerEventArgs * __ptr64) __ptr64>::DelegateInvokeHelper,Windows::Foundation::ITypedEventHandler,Microsoft::WRL::FtmBase>,`Microsoft::WRL::Details::CreateAgileHelper >'::`2'::,-1,Microsoft::UI::Input::IInputPointerSource * __ptr64,Microsoft::UI::Input::IPointerEventArgs * __ptr64>::Invoke+0x87
47 000000bc`645ec880 00007ffa`c9fffa03     Microsoft_UI_Input!Microsoft::WRL::InvokeTraits<-2>::InvokeDelegates<,Windows::Foundation::ITypedEventHandler >+0x95
48 000000bc`645ec930 00007ffa`ca005259     Microsoft_UI_Input!Microsoft::WRL::EventSource,Microsoft::WRL::InvokeModeOptions<-2> >::InvokeAll+0x9f
49 000000bc`645ec990 00007ffa`ca002a5e     Microsoft_UI_Input!`PointerInputObserverWinRT::InvokeEventDirectlyHelper_Callback'::`9'::::operator()+0x15d
4a 000000bc`645ec9c0 00007ffa`ca007e6a     Microsoft_UI_Input!Microsoft::WRL2::ContextSession::LeaveSession_Callback<`PointerInputObserverWinRT::InvokeEventDirectlyHelper_Callback'::`9':: >+0x4a
4b 000000bc`645eca00 00007ffa`ca008120     Microsoft_UI_Input!PointerInputObserverWinRT::InvokeEventDirectlyHelper_Callback+0x15e
4c 000000bc`645eca90 00007ffa`ca0069bc     Microsoft_UI_Input!PointerInputObserverWinRT::InvokePointerEventsForInput_Callback+0x160
4d 000000bc`645ecc50 00007ffa`ca006881     Microsoft_UI_Input!PointerInputObserverWinRT::DeliverInputMessageImpl_Callback+0xec
4e 000000bc`645ecc80 00007ffa`ca00b5d6     Microsoft_UI_Input!PointerInputObserverWinRT::DeliverInputMessage+0x291
4f 000000bc`645ecf20 00007ffb`7a17b282     Microsoft_UI_Input!IIndependentInputTargetPrincipal_Receive::Thunk_DeliverInputMessage_17+0xd6
50 000000bc`645ecfc0 00007ffa`ca00887f     CoreMessagingXP!CoreUICallReceive+0xa2
51 000000bc`645ed1d0 00007ffa`ca09da13     Microsoft_UI_Input!BamoImpl::BamoIndependentInputTargetPrincipalImpl::OnMessage+0x3f
52 000000bc`645ed220 00007ffb`7a12fb68     Microsoft_UI_Input!Microsoft::BamoImpl::ConnectionIndirector::OnItemMessage+0xb3
53 000000bc`645ed270 00007ffb`7a12fe5f     CoreMessagingXP!CFlat::SehSafe::Execute< >+0x4c
54 000000bc`645ed2c0 00007ffb`7a1248eb     CoreMessagingXP!Microsoft::CoreUI::ICallbackMessageConversationHost::Interface$::ImportDispatcher::OnItemMessage+0xbf
55 000000bc`645ed340 00007ffb`7a125890     CoreMessagingXP!Microsoft::CoreUI::ICallbackMessageConversationHost::OnItemMessage >+0x5f
56 000000bc`645ed390 00007ffb`7a171f46     CoreMessagingXP!Microsoft::CoreUI::Conversations::Conversation::Callback_OnItemMessage+0x130
57 000000bc`645ed420 00007ffb`7a11b330     CoreMessagingXP!Microsoft::CoreUI::Conversations::ItemMessageDispatcher::Callback_OnMessageCore+0x36
58 000000bc`645ed470 00007ffb`7a1120ba     CoreMessagingXP!Microsoft::CoreUI::Messaging::MessageEndpoint::Callback_OnMessage+0x80
59 000000bc`645ed520 00007ffb`7a112279     CoreMessagingXP!Microsoft::CoreUI::Messaging::MessageSession::Callback_DeliverMessage+0x2be
5a 000000bc`645ed600 00007ffb`7a13ef90     CoreMessagingXP!Microsoft::CoreUI::Messaging::MessageSession::Callback_DeliverMessageBatch+0x109
5b 000000bc`645ed6d0 00007ffb`7a103e0d     CoreMessagingXP!Microsoft::CoreUI::Messaging::InterconnectMessageAdapter::InterfaceImplementation$::_Cn_Threading_IInterconnectBufferHandler::Dispatcher::Callback_ReceiveBuffer+0xf0
5c 000000bc`645ed7d0 00007ffb`7a157840     CoreMessagingXP!Cn::Threading::InterconnectQueue::Callback_ProcessNextItem+0x1d1
5d 000000bc`645ed870 00007ffb`7a1483ce     CoreMessagingXP!Microsoft::CoreUI::Messaging::InterconnectMessageAdapter::Callback_OnReceive+0x4c
5e 000000bc`645ed8b0 00007ffb`7a10c880     CoreMessagingXP!Microsoft::CoreUI::Dispatch::OffThreadReceiver::Callback_OnDispatch+0x2be
5f 000000bc`645ed950 00007ffb`7a10c5ed     CoreMessagingXP!Microsoft::CoreUI::Dispatch::Dispatcher::Callback_DispatchNextItem+0x1bc
60 000000bc`645ed9f0 00007ffb`7a0ffd7c     CoreMessagingXP!Microsoft::CoreUI::Dispatch::Dispatcher::Callback_DispatchLoop+0x1b9
61 000000bc`645edab0 00007ffb`7a102c66     CoreMessagingXP!Microsoft::CoreUI::Dispatch::EventLoop::Callback_RunCoreLoop+0x164
62 000000bc`645edb10 00007ffb`7a102fdc     CoreMessagingXP!Microsoft::CoreUI::Dispatch::UserAdapter::DrainCoreMessagingQueue+0x15a
63 000000bc`645edbd0 00007ffb`7a1436a3     CoreMessagingXP!Microsoft::CoreUI::Dispatch::UserAdapter::OnUserDispatch+0x98
64 000000bc`645edc20 00007ffb`7a143836     CoreMessagingXP!Microsoft::CoreUI::Dispatch::UserAdapter::DoWork+0xa7
65 000000bc`645edc80 00007ffb`7a143dae     CoreMessagingXP!Microsoft::CoreUI::Dispatch::UserAdapter::HandleDispatchNotifyMessage+0x132
66 000000bc`645edce0 00007ffc`a9d45801     CoreMessagingXP!Microsoft::CoreUI::Dispatch::UserAdapter::WindowProc+0x5e
67 000000bc`645edd10 00007ffc`a9d4509c     USER32!UserCallWinProcCheckWow+0x341
68 000000bc`645ede70 00007ffc`a9d762c3     USER32!DispatchClientMessage+0x9c
69 000000bc`645eded0 00007ffc`ab703654     USER32!_fnDWORD+0x33
6a 000000bc`645edf30 00007ffc`a8a11314     ntdll!KiUserCallbackDispatcherContinue
6b 000000bc`645edfb8 00007ffc`a9d68ff2     win32u!NtUserGetMessage+0x14
6c 000000bc`645edfc0 00007ffa`c4a4fadf     USER32!GetMessageW+0x22
6d 000000bc`645ee020 00007ffa`c4a4d9e2     Microsoft_UI_Xaml!DirectUI::FrameworkApplication::RunDesktopWindowMessageLoop+0xab [C:\__w\1\s\dxaml\xcp\dxaml\lib\FrameworkApplication_Partial.cpp @ 1321] 
6e 000000bc`645ee0a0 00007ffa`c46ff1b8     Microsoft_UI_Xaml!DirectUI::FrameworkApplication::StartDesktop+0x3c2 [C:\__w\1\s\dxaml\xcp\dxaml\lib\FrameworkApplication_Partial.cpp @ 242] 
6f (Inline Function) --------`--------     Microsoft_UI_Xaml!DirectUI::FrameworkApplicationFactory::StartImpl+0xbd [C:\__w\1\s\dxaml\xcp\dxaml\lib\FrameworkApplication_Partial.cpp @ 183] 
70 000000bc`645ee140 00007ffa`75de10a5     Microsoft_UI_Xaml!DirectUI::FrameworkApplicationFactory::Start+0x108 [C:\__w\1\s\dxaml\xcp\dxaml\lib\winrtgeneratedclasses\FrameworkApplication.g.cpp @ 843] 
71 000000bc`645ee190 00007ffa`75de0e1c     Microsoft_WinUI!ABI.Microsoft.UI.Xaml.IApplicationStaticsMethods.Start+0x145 [C:\__w\1\s\BuildOutput\obj\x86fre\src\projection\generated\CsWinRT\Microsoft.UI.Xaml.cs @ 14496] 
72 000000bc`645ee2e0 00007ffa`74fcae74     Microsoft_WinUI!Microsoft.UI.Xaml.Application.Start+0x2c [C:\__w\1\s\BuildOutput\obj\x86fre\src\projection\generated\CsWinRT\Microsoft.UI.Xaml.cs @ 318] 
73 000000bc`645ee320 00007ffa`d4b0d9c3     Files!Files.App.Program.Main+0x1314 [D:\source\repos\Files\src\Files.App\Program.cs @ 204] 
74 000000bc`645ee860 00007ffa`d4a5eef1     coreclr!CallDescrWorkerInternal+0x83 [D:\a\_work\1\s\src\coreclr\vm\amd64\CallDescrWorkerAMD64.asm @ 100] 
75 (Inline Function) --------`--------     coreclr!CallDescrWorkerWithHandler+0x5a [D:\a\_work\1\s\src\coreclr\vm\callhelpers.cpp @ 67] 
76 000000bc`645ee8a0 00007ffa`d4aa2384     coreclr!MethodDescCallSite::CallTargetWorker+0x249 [D:\a\_work\1\s\src\coreclr\vm\callhelpers.cpp @ 570] 
77 (Inline Function) --------`--------     coreclr!MethodDescCallSite::Call+0xb [D:\a\_work\1\s\src\coreclr\vm\callhelpers.h @ 458] 
78 000000bc`645ee9e0 00007ffa`d4aa20b2     coreclr!RunMainInternal+0x11c [D:\a\_work\1\s\src\coreclr\vm\assembly.cpp @ 1304] 
79 000000bc`645eeb00 00007ffa`d4aa1c4e     coreclr!RunMain+0xd2 [D:\a\_work\1\s\src\coreclr\vm\assembly.cpp @ 1375] 
7a 000000bc`645eebb0 00007ffa`d4aa1057     coreclr!Assembly::ExecuteMainMethod+0x1ca [D:\a\_work\1\s\src\coreclr\vm\assembly.cpp @ 1504] 
7b 000000bc`645eee80 00007ffa`d4ae9878     coreclr!CorHost2::ExecuteAssembly+0x267 [D:\a\_work\1\s\src\coreclr\vm\corhost.cpp @ 349] 
7c 000000bc`645eef80 00007ffc`4597269f     coreclr!coreclr_execute_assembly+0xd8 [D:\a\_work\1\s\src\coreclr\dlls\mscoree\exports.cpp @ 504] 
7d (Inline Function) --------`--------     hostpolicy!coreclr_t::execute_assembly+0x29 [D:\a\_work\1\s\src\native\corehost\hostpolicy\coreclr.cpp @ 109] 
7e 000000bc`645ef020 00007ffc`4597297c     hostpolicy!run_app_for_context+0x58f [D:\a\_work\1\s\src\native\corehost\hostpolicy\hostpolicy.cpp @ 256] 
7f 000000bc`645ef140 00007ffc`4597328a     hostpolicy!run_app+0x3c [D:\a\_work\1\s\src\native\corehost\hostpolicy\hostpolicy.cpp @ 285] 
80 000000bc`645ef180 00007ffc`5f51da09     hostpolicy!corehost_main+0x15a [D:\a\_work\1\s\src\native\corehost\hostpolicy\hostpolicy.cpp @ 426] 
81 000000bc`645ef280 00007ffc`5f51ff86     hostfxr!execute_app+0x2e9 [D:\a\_work\1\s\src\native\corehost\fxr\fx_muxer.cpp @ 145] 
82 000000bc`645ef360 00007ffc`5f52207c     hostfxr!`anonymous namespace'::read_config_and_execute+0xa6 [D:\a\_work\1\s\src\native\corehost\fxr\fx_muxer.cpp @ 532] 
83 000000bc`645ef450 00007ffc`5f520553     hostfxr!fx_muxer_t::handle_exec_host_command+0x16c [D:\a\_work\1\s\src\native\corehost\fxr\fx_muxer.cpp @ 1007] 
84 000000bc`645ef500 00007ffc`5f518390     hostfxr!fx_muxer_t::execute+0x483 [D:\a\_work\1\s\src\native\corehost\fxr\fx_muxer.cpp @ 578] 
85 000000bc`645ef640 00007ff6`1f4ff878     hostfxr!hostfxr_main_startupinfo+0xa0 [D:\a\_work\1\s\src\native\corehost\fxr\hostfxr.cpp @ 63] 
86 000000bc`645ef740 00007ff6`1f4ffc86     Files_exe+0xf878
87 000000bc`645ef8f0 00007ff6`1f5011c8     Files_exe+0xfc86
88 000000bc`645ef960 00007ffc`a981dbe7     Files_exe+0x111c8
89 000000bc`645ef9a0 00007ffc`ab625a4c     KERNEL32!BaseThreadInitThunk+0x17
8a 000000bc`645ef9d0 00000000`00000000     ntdll!RtlUserThreadStart+0x2c

The AV usually happens on page navigation where the properties need to be updated, and the invalid address is accessed at Microsoft.ui.xaml.dll!DirectUI::PropertyProviderPropertyAccess::GetValue(IInspectable * * ppValue=0x0000001b0157a2c0) line 103 : C:\__w\1\s\dxaml\xcp\dxaml\lib\PropertyProviderPropertyAccess.cpp(103) where the code is

_Check_return_ 
HRESULT 
PropertyProviderPropertyAccess::GetValue(_COM_Outptr_result_maybenull_ IInspectable **ppValue)
{
    if (IsConnected())
    {
        IFC_RETURN(m_tpProperty->GetValue(m_tpSource.Get(), ppValue)); // <---
    }
    else
    {
        *ppValue = nullptr;
    }
    return S_OK;
}

Normally, the m_tpProperty here is supposed to be the CCW of ABI.Microsoft.UI.Xaml.Data.ManagedCustomProperty, and the m_tpSource is the CCW of the binding value object.

But running !dumpccw <address of m_tpProperty> with windbg gives:

!dumpccw 0x00000247c2802260
ComWrappers CCW found
Managed object:    000002070d10c320
Ref count:         0

You can see that although we are using m_tpProperty, its ref count is 0, so the managed object can be released by someone else, resulting in an AV.

This can be observed when the AV happens, where dumping the CCW of m_tpProperty gives:

!dumpccw 0x0000026c0566f4e0
ComWrappers CCW found
Managed object:    0000000000000000
Ref count:         0

This may be the root cause of the long-standing WinUI 3 crashing issue on page navigation, and the issue may not be limited to ABI.Microsoft.UI.Xaml.Data.ManagedCustomProperty only. We should call AddRef to make sure the object won't be released while we are still using it.
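As an added illustration (not code from WinUI or CsWinRT), the following C++ models the failure mode the report describes: a consumer that caches a COM interface pointer without taking its own reference sees the count drop to 0 once the owner releases, while a holder that calls AddRef keeps the object alive. RefCounted, ComPtr, RawListener and OwningListener are constructed stand-ins; the real objects delete themselves at count 0, this one only records it so the dangling case can be observed safely.

```cpp
#include <atomic>
#include <cstdio>

// Stand-in for an IUnknown-style object. A real COM object deletes itself when
// the last reference is released; this one only records that it was destroyed.
struct RefCounted {
    std::atomic<unsigned long> refs{1};   // the creator holds the first reference
    bool destroyed = false;

    unsigned long AddRef() { return ++refs; }
    unsigned long Release() {
        unsigned long remaining = --refs;
        if (remaining == 0) destroyed = true;   // real COM: delete this;
        return remaining;
    }
};

// Minimal ComPtr-like RAII holder: AddRef on acquire, Release on destruction.
template <typename T>
class ComPtr {
    T* p_ = nullptr;
public:
    ComPtr() = default;
    ComPtr(const ComPtr&) = delete;
    ComPtr& operator=(const ComPtr&) = delete;
    ~ComPtr() { Reset(nullptr); }
    void Reset(T* p) {
        if (p) p->AddRef();          // take the new reference first
        if (p_) p_->Release();       // then drop the old one
        p_ = p;
    }
    T* Get() const { return p_; }
};

// Consumer that caches the raw pointer it was handed without AddRef:
// it silently depends on someone else's reference staying alive.
struct RawListener {
    RefCounted* m_tpProperty = nullptr;
    void Connect(RefCounted* prop) { m_tpProperty = prop; }
    bool CanSafelyCall() const { return m_tpProperty && !m_tpProperty->destroyed; }
};

// Consumer that owns its reference through the RAII holder.
struct OwningListener {
    ComPtr<RefCounted> m_tpProperty;
    void Connect(RefCounted* prop) { m_tpProperty.Reset(prop); }
    bool CanSafelyCall() const { return m_tpProperty.Get() && !m_tpProperty.Get()->destroyed; }
};

// Lifetime the report describes: the producer creates the property, hands it to
// the listener, then releases its own reference (the page is navigated away).
// Returns whether the listener could still safely call into the object;
// refsAfter receives the count a tool like !dumpccw would show at that point.
bool RunWithoutAddRef(unsigned long* refsAfter) {
    RefCounted prop;
    RawListener listener;
    listener.Connect(&prop);        // count stays 1: listener borrowed the producer's ref
    prop.Release();                 // producer done: count 0, object destroyed
    *refsAfter = prop.refs.load();
    return listener.CanSafelyCall(); // false: m_tpProperty now dangles
}

bool RunWithAddRef(unsigned long* refsAfter) {
    RefCounted prop;
    OwningListener listener;        // destroyed before prop, releasing the last reference
    listener.Connect(&prop);        // count 2
    prop.Release();                 // producer done: count 1, object still alive
    *refsAfter = prop.refs.load();
    return listener.CanSafelyCall(); // true
}

int main() {
    unsigned long refs = 0;
    bool safe = RunWithoutAddRef(&refs);
    std::printf("without AddRef: safe=%d refs=%lu\n", safe, refs);
    safe = RunWithAddRef(&refs);
    std::printf("with AddRef:    safe=%d refs=%lu\n", safe, refs);
    return 0;
}
```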

Jay-o-Way commented 1 month ago

What is an AV?

dongle-the-gadget commented 1 month ago

AccessViolationException

manodasanW commented 1 month ago

The reference count being reported as 0 might be expected. WinUI should be holding onto a tracker reference (see TrackerSupport) on the object which !dumpccw doesn't report. But it seems WinUI must no longer be seeing the object as referenced in the xaml tree and is not keeping the tracker reference alive during their GC reference walk if the object is going away and is still being accessed. It might also be that if this is happening on the custom property from the previous page being navigated away from, WinUI might need a check to ensure the tracker reference is still alive.

Is this easy to repro?

hez2010 commented 1 month ago

Is this easy to repro?

It requires a lot of navigations.

But you can try cloning this branch: https://github.com/files-community/Files/tree/ya/wasdk, and keep navigating between folders. It will crash eventually after a lot of navigations.

Better to use WinDBG instead of VS to debug it as the navigation perf is awful with VS debugger attached.

I also have a dump from when the AV happens; if you would like, I can send it to you.

hez2010 commented 4 weeks ago

@manodasanW This is the dump on access violation: https://1drv.ms/u/s!ApWNk8G_rszRg9AsZlWOwdRZO_cnXg?e=a9UGqu

IanRosenbaum commented 4 weeks ago

We recently converted a large Xamarin app to MAUI and the WinUI3 app appears to be running into this bug relatively frequently. After navigating many times back and forth or hiding and showing views many times, the app will hard crash with an AccessViolation. Occasionally the crash will say it is from exit code 3221226356 (Heap corruption).

manodasanW commented 1 week ago

I was able to repro this. Looking at collecting traces to figure out what might be happening here. It is a bit tricky due to the number of navigations that are needed.