CsWinRT
AV in WinUI 3 apps due to usage of a COM object without calling AddRef
Describe the bug
We encountered a weird bug where an AV can happen randomly at the PropertyChanged event, where the code is:
this.PropertyChanged(this, new(propertyName));
The full stack trace:
# Child-SP RetAddr Call Site
00 000000bc`645eaa48 00007ffa`771f0a57 0x00007ffa`771f0bea
01 000000bc`645eaa50 00007ffa`c4af4a7f 0x00007ffa`771f0a57
02 000000bc`645eaaf0 00007ffa`c4aef70a Microsoft_UI_Xaml!DirectUI::PropertyProviderPropertyAccess::GetValue+0x3f [C:\__w\1\s\dxaml\xcp\dxaml\lib\PropertyProviderPropertyAccess.cpp @ 103]
03 000000bc`645eab20 00007ffa`c4abc2e9 Microsoft_UI_Xaml!DirectUI::PropertyAccessPathStep::GetValue+0x4a [C:\__w\1\s\dxaml\xcp\dxaml\lib\PropertyAccessPathStep.cpp @ 65]
04 000000bc`645eab50 00007ffa`c4abc4d9 Microsoft_UI_Xaml!DirectUI::PropertyPathListener::ConnectPathStep+0xd5 [C:\__w\1\s\dxaml\xcp\dxaml\lib\PropertyPath.cpp @ 88]
05 000000bc`645eab90 00007ffa`c4aef47a Microsoft_UI_Xaml!DirectUI::PropertyPathListener::PropertyPathStepChanged+0x61 [C:\__w\1\s\dxaml\xcp\dxaml\lib\PropertyPath.cpp @ 188]
06 000000bc`645eabd0 00007ffa`c4af4f36 Microsoft_UI_Xaml!DirectUI::PropertyPathStep::RaiseSourceChanged+0x4e [C:\__w\1\s\dxaml\xcp\dxaml\lib\PropertyPathStep.cpp @ 89]
07 000000bc`645eac10 00007ffa`c4af655c Microsoft_UI_Xaml!DirectUI::PropertyProviderPropertyAccess::OnPropertyChanged+0x16 [C:\__w\1\s\dxaml\xcp\dxaml\lib\PropertyProviderPropertyAccess.cpp @ 208]
08 (Inline Function) --------`-------- Microsoft_UI_Xaml!DirectUI::INPCListenerBase::OnPropertyChangedCallback+0x87 [C:\__w\1\s\dxaml\xcp\dxaml\lib\INPCListenerBase.cpp @ 113]
09 (Inline Function) --------`-------- Microsoft_UI_Xaml!DirectUI::INPCListenerBase::UpdatePropertyChangedHandler::__l23::::operator()+0x8b [C:\__w\1\s\dxaml\xcp\dxaml\lib\INPCListenerBase.cpp @ 56]
0a (Inline Function) --------`-------- Microsoft_UI_Xaml!std::invoke+0x8e [C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Tools\MSVC\14.41.34120\include\type_traits @ 1714]
0b 000000bc`645eac40 00007ffa`c4840683 Microsoft_UI_Xaml!std::_Func_impl_no_alloc,long,IInspectable *,ABI::Microsoft::UI::Xaml::Data::IPropertyChangedEventArgs *>::_Do_call+0xac [C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Tools\MSVC\14.41.34120\include\functional @ 876]
0c (Inline Function) --------`-------- Microsoft_UI_Xaml!std::_Func_class::operator()+0x1f [C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Tools\MSVC\14.41.34120\include\functional @ 920]
0d 000000bc`645eac90 00007ffa`77a57dfd Microsoft_UI_Xaml!ctl::event_handler_base<:windows::foundation::itypedeventhandler>,ABI::Microsoft::UI::Xaml::Controls::ICalendarView,ABI::Microsoft::UI::Xaml::Controls::ICalendarViewSelectedDatesChangedEventArgs,DirectUI::CalendarViewSelectedDatesChangedTraits>::Invoke+0x53 [C:\__w\1\s\dxaml\xcp\components\com\inc\comEventHandler.h @ 35]
0e 000000bc`645eace0 00007ffa`7653e388 WinRT_Runtime!ABI.System.ComponentModel.PropertyChangedEventHandler.NativeDelegateWrapper.Invoke+0x2ad
0f 000000bc`645eae60 00007ffa`77a88f94 0x00007ffa`7653e388
10 000000bc`645eaeb0 00007ffa`77371727 CommunityToolkit_Mvvm!CommunityToolkit.Mvvm.ComponentModel.ObservableObject.SetProperty+0x214
11 000000bc`645eaf10 00007ffa`77317145 Files!Files.App.Data.Models.ColumnsViewModel.set_PathColumn+0x57 [D:\source\repos\Files\src\Files.App\Data\Models\ColumnsViewModel.cs @ 100]
12 000000bc`645eaf60 00007ffa`762ef353 Files!Files.App.Views.Layouts.DetailsLayoutPage.OnNavigatedTo+0x3b5 [D:\source\repos\Files\src\Files.App\Views\Layouts\DetailsLayoutPage.xaml.cs @ 147]
13 000000bc`645eb3e0 00007ffa`c4794079 Microsoft_WinUI!ABI.Microsoft.UI.Xaml.Controls.IPageOverrides.Do_Abi_OnNavigatedTo_1+0x53 [C:\__w\1\s\BuildOutput\obj\x86fre\src\projection\generated\CsWinRT\Microsoft.UI.Xaml.Controls.cs @ 105461]
14 000000bc`645eb440 00007ffa`c4b03a24 Microsoft_UI_Xaml!DirectUI::PageGenerated::OnNavigatedToProtected+0x7d [C:\__w\1\s\dxaml\xcp\dxaml\lib\winrtgeneratedclasses\Page.g.cpp @ 172]
15 000000bc`645eb490 00007ffa`c4b015f4 Microsoft_UI_Xaml!DirectUI::Page::InvokeOnNavigatedTo+0x74 [C:\__w\1\s\dxaml\xcp\dxaml\lib\Page_Partial.cpp @ 290]
16 000000bc`645eb500 00007ffa`c4b00d34 Microsoft_UI_Xaml!DirectUI::Frame::ChangeContent+0x3e8 [C:\__w\1\s\dxaml\xcp\dxaml\lib\Frame_Partial.cpp @ 660]
17 000000bc`645eb5d0 00007ffa`c4b007bc Microsoft_UI_Xaml!DirectUI::Frame::PerformNavigation+0x188 [C:\__w\1\s\dxaml\xcp\dxaml\lib\Frame_Partial.cpp @ 497]
18 000000bc`645eb650 00007ffa`c4b00384 Microsoft_UI_Xaml!DirectUI::Frame::StartNavigation+0x2c [C:\__w\1\s\dxaml\xcp\dxaml\lib\Frame_Partial.cpp @ 415]
19 000000bc`645eb680 00007ffa`c4777c51 Microsoft_UI_Xaml!DirectUI::Frame::GoBackWithTransitionInfoImpl+0xf8 [C:\__w\1\s\dxaml\xcp\dxaml\lib\Frame_Partial.cpp @ 264]
1a (Inline Function) --------`-------- Microsoft_UI_Xaml!DirectUI::Frame::GoBackImpl+0xa [C:\__w\1\s\dxaml\xcp\dxaml\lib\Frame_Partial.cpp @ 230]
1b 000000bc`645eb6b0 00007ffa`782cbaaa Microsoft_UI_Xaml!DirectUI::FrameGenerated::GoBack+0x61 [C:\__w\1\s\dxaml\xcp\dxaml\lib\winrtgeneratedclasses\Frame.g.cpp @ 408]
1c 000000bc`645eb6f0 00007ffa`781ccbf9 Microsoft_WinUI!ABI.Microsoft.UI.Xaml.Controls.IFrameMethods.GoBack+0x7a [C:\__w\1\s\BuildOutput\obj\x86fre\src\projection\generated\CsWinRT\Microsoft.UI.Xaml.Controls.cs @ 83742]
1d 000000bc`645eb7a0 00007ffa`781cca98 Files!Files.App.Views.Shells.BaseShellPage.Back_Click+0x139 [D:\source\repos\Files\src\Files.App\Views\Shells\BaseShellPage.cs @ 574]
1e 000000bc`645eb830 00007ffa`781cc9ea Files!Files.App.Views.Shells.ModernShellPage.Back_Click+0x78 [D:\source\repos\Files\src\Files.App\Views\Shells\ModernShellPage.xaml.cs @ 193]
1f 000000bc`645eb880 00007ffa`779e5f44 Files!Files.App.Actions.NavigateBackAction.ExecuteAsync+0x5a [D:\source\repos\Files\src\Files.App\Actions\Navigation\NavigateBackAction.cs @ 43]
20 000000bc`645eb8d0 00007ffa`779e5d6d Files!Files.App.Data.Commands.ActionCommand.ExecuteAsync+0x74 [D:\source\repos\Files\src\Files.App\Data\Commands\ActionCommand.cs @ 150]
21 000000bc`645eb930 00007ffa`77995aa0 Files!Files.App.Data.Commands.ActionCommand.d__55.MoveNext+0x6d [D:\source\repos\Files\src\Files.App\Data\Commands\ActionCommand.cs @ 140]
22 000000bc`645eb9c0 00007ffa`779e5c82 System_Private_CoreLib!System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start+0x80 [/_/src/libraries/System.Private.CoreLib/src/System/Runtime/CompilerServices/AsyncMethodBuilderCore.cs @ 38]
23 000000bc`645eba20 00007ffa`779e5b2d Files!Files.App.Data.Commands.ActionCommand.Execute+0xd2
24 000000bc`645eba90 00007ffa`c4b6b962 WinRT_Runtime!ABI.System.Windows.Input.ICommand.Vftbl.Do_Abi_Execute_3+0x5d
25 000000bc`645ebaf0 00007ffa`c4b6d0d0 Microsoft_UI_Xaml!DirectUI::ButtonBase::ExecuteCommand+0xca [C:\__w\1\s\dxaml\xcp\dxaml\lib\ButtonBase_Partial.cpp @ 364]
26 000000bc`645ebb40 00007ffa`c4c32c33 Microsoft_UI_Xaml!DirectUI::ButtonBase::OnClick+0xc0 [C:\__w\1\s\dxaml\xcp\dxaml\lib\ButtonBase_Partial.cpp @ 895]
27 000000bc`645ebb90 00007ffa`c4b6ccbe Microsoft_UI_Xaml!DirectUI::Button::OnClick+0xb3 [C:\__w\1\s\dxaml\xcp\dxaml\lib\Button_Partial.cpp @ 83]
28 000000bc`645ebbe0 00007ffa`c4b6cb04 Microsoft_UI_Xaml!DirectUI::ButtonBase::PerformPointerUpAction+0x66 [C:\__w\1\s\dxaml\xcp\dxaml\lib\ButtonBase_Partial.cpp @ 796]
29 000000bc`645ebc20 00007ffa`c4771b96 Microsoft_UI_Xaml!DirectUI::ButtonBase::OnPointerReleased+0x224 [C:\__w\1\s\dxaml\xcp\dxaml\lib\ButtonBase_Partial.cpp @ 776]
2a 000000bc`645ebca0 00007ffa`c4b4d30b Microsoft_UI_Xaml!DirectUI::ControlGenerated::OnPointerReleasedProtected+0xb2 [C:\__w\1\s\dxaml\xcp\dxaml\lib\winrtgeneratedclasses\Control.g.cpp @ 1457]
2b 000000bc`645ebcf0 00007ffa`c4a62f18 Microsoft_UI_Xaml!DirectUI::Control::FireEvent+0x4eb [C:\__w\1\s\dxaml\xcp\dxaml\lib\Control_Partial.cpp @ 248]
2c 000000bc`645ebd60 00007ffa`c4489a33 Microsoft_UI_Xaml!DirectUI::DXamlCore::FireEvent+0x1b0 [C:\__w\1\s\dxaml\xcp\dxaml\lib\DXamlCore.cpp @ 2047]
2d (Inline Function) --------`-------- Microsoft_UI_Xaml!AgCoreCallbacks::FireEvent+0x34 [C:\__w\1\s\dxaml\xcp\dxaml\lib\FxCallbacks.cpp @ 89]
2e (Inline Function) --------`-------- Microsoft_UI_Xaml!FxCallbacks::JoltHelper_FireEvent+0x34 [C:\__w\1\s\dxaml\xcp\dxaml\lib\FxCallbacks.cpp @ 877]
2f 000000bc`645ebe00 00007ffa`c46a270d Microsoft_UI_Xaml!CCoreServices::CLR_FireEvent+0x19f [C:\__w\1\s\dxaml\xcp\core\dll\xcpcore.cpp @ 3181]
30 000000bc`645ebe60 00007ffa`c4da78be Microsoft_UI_Xaml!CommonBrowserHost::CLR_FireEvent+0x1d [C:\__w\1\s\dxaml\xcp\control\common\shared\CommonBrowserHost.hpp @ 680]
31 000000bc`645ebea0 00007ffa`c46dbac9 Microsoft_UI_Xaml!CControlBase::ScriptCallback+0x10e [C:\__w\1\s\dxaml\xcp\control\common\shared\controlbase.cpp @ 213]
32 000000bc`645ebf30 00007ffa`c46db74e Microsoft_UI_Xaml!CXcpDispatcher::OnScriptCallback+0x119 [C:\__w\1\s\dxaml\xcp\win\shared\xcpwindow.cpp @ 1028]
33 000000bc`645ebfe0 00007ffa`c46a3c7f Microsoft_UI_Xaml!CXcpDispatcher::OnWindowMessage+0x1e2 [C:\__w\1\s\dxaml\xcp\win\shared\xcpwindow.cpp @ 874]
34 (Inline Function) --------`-------- Microsoft_UI_Xaml!CXcpDispatcher::SendMessageW+0x10 [C:\__w\1\s\dxaml\xcp\win\shared\xcpwindow.cpp @ 581]
35 000000bc`645ec020 00007ffa`c44a1544 Microsoft_UI_Xaml!CXcpBrowserHost::SyncScriptCallbackRequest+0xcf [C:\__w\1\s\dxaml\xcp\host\win\browserdesktop\WinBrowserHost.cpp @ 742]
36 (Inline Function) --------`-------- Microsoft_UI_Xaml!CEventManager::RaiseControlEvents+0x11a [C:\__w\1\s\dxaml\xcp\core\dll\eventmgr.cpp @ 1170]
37 000000bc`645ec0a0 00007ffa`c44a1c6c Microsoft_UI_Xaml!CEventManager::Raise+0x268 [C:\__w\1\s\dxaml\xcp\core\dll\eventmgr.cpp @ 928]
38 000000bc`645ec1c0 00007ffa`c457bb46 Microsoft_UI_Xaml!CEventManager::RaiseRoutedEventBubbling+0x14c [C:\__w\1\s\dxaml\xcp\core\dll\eventmgr.cpp @ 1368]
39 (Inline Function) --------`-------- Microsoft_UI_Xaml!CEventManager::RaiseRoutedEvent+0x2c [C:\__w\1\s\dxaml\xcp\core\dll\eventmgr.cpp @ 1278]
3a 000000bc`645ec290 00007ffa`c4579e32 Microsoft_UI_Xaml!CInputServices::RaiseDelayedPointerUpEvent+0x146 [C:\__w\1\s\dxaml\xcp\core\input\InputServices.cpp @ 2629]
3b 000000bc`645ec330 00007ffa`c4d63fb3 Microsoft_UI_Xaml!CInputServices::CleanPointerProcessingState+0x1f6 [C:\__w\1\s\dxaml\xcp\core\input\InputServices.cpp @ 1698]
3c 000000bc`645ec3c0 00007ffa`c4578a38 Microsoft_UI_Xaml!ContentRootInput::PointerInputProcessor::ProcessPointerInput+0x147b [C:\__w\1\s\dxaml\xcp\components\ContentRoot\PointerInputProcessor.cpp @ 760]
3d 000000bc`645ec520 00007ffa`c46a4348 Microsoft_UI_Xaml!CInputServices::ProcessInput+0x134 [C:\__w\1\s\dxaml\xcp\core\input\InputServices.cpp @ 855]
3e (Inline Function) --------`-------- Microsoft_UI_Xaml!CCoreServices::ProcessInput+0x34 [C:\__w\1\s\dxaml\xcp\core\dll\xcpcore.cpp @ 1074]
3f 000000bc`645ec590 00007ffa`c4a754e6 Microsoft_UI_Xaml!CXcpBrowserHost::HandleInputMessage+0x2c8 [C:\__w\1\s\dxaml\xcp\host\win\browserdesktop\WinBrowserHost.cpp @ 1078]
40 000000bc`645ec620 00007ffa`c4a5c635 Microsoft_UI_Xaml!CJupiterControl::HandlePointerMessage+0xa6 [C:\__w\1\s\dxaml\xcp\dxaml\lib\JupiterControl.cpp @ 604]
41 000000bc`645ec6e0 00007ffa`c451b87d Microsoft_UI_Xaml!CJupiterWindow::OnIslandPointerMessage+0xc5 [C:\__w\1\s\dxaml\xcp\dxaml\lib\JupiterWindow.cpp @ 1316]
42 000000bc`645ec780 00007ffa`c4521792 Microsoft_UI_Xaml!CXamlIslandRoot::InjectPointerMessage+0xd9 [C:\__w\1\s\dxaml\xcp\core\core\elements\XamlIslandRoot.cpp @ 527]
43 (Inline Function) --------`-------- Microsoft_UI_Xaml!CXamlIslandRoot::OnIslandPointerReleased+0xd [C:\__w\1\s\dxaml\xcp\core\core\elements\XamlIslandRoot.cpp @ 475]
44 (Inline Function) --------`-------- Microsoft_UI_Xaml!CXamlIslandRoot::SubscribeToInputPointerSourceEvents::__l43::::operator()+0x38 [C:\__w\1\s\dxaml\xcp\core\core\elements\XamlIslandRoot.cpp @ 1545]
45 000000bc`645ec810 00007ffa`ca007bf7 Microsoft_UI_Xaml!Microsoft::WRL::Details::DelegateArgTraits,ABI::Windows::Foundation::Internal::AggregateType<:microsoft::ui::input::pointereventargs> >::*)(ABI::Microsoft::UI::Input::IInputPointerSource *,ABI::Microsoft::UI::Input::IPointerEventArgs *)>::DelegateInvokeHelper<:wrl::implements>,ABI::Windows::Foundation::ITypedEventHandler<:microsoft::ui::input::inputpointersource>,Microsoft::WRL::FtmBase>,`CXamlIslandRoot::SubscribeToInputPointerSourceEvents'::`43':: &,1,ABI::Microsoft::UI::Input::IInputPointerSource *,ABI::Microsoft::UI::Input::IPointerEventArgs *>::Invoke+0x42 [C:\__w\1\s\packages\Microsoft.Windows.SDK.cpp.10.0.22621.755\c\Include\10.0.22621.0\winrt\wrl\event.h @ 354]
46 000000bc`645ec840 00007ffa`c9fef5ed Microsoft_UI_Input!Microsoft::WRL::Details::DelegateArgTraits,Windows::Foundation::Internal::AggregateType<:ui::input::pointereventargs __ptr64> >::*)(Microsoft::UI::Input::IInputPointerSource * __ptr64,Microsoft::UI::Input::IPointerEventArgs * __ptr64) __ptr64>::DelegateInvokeHelper<:wrl::implements>,Windows::Foundation::ITypedEventHandler<:ui::input::inputpointersource __ptr64>,Microsoft::WRL::FtmBase>,`Microsoft::WRL::Details::CreateAgileHelper<:foundation::itypedeventhandler __ptr64> >'::`2'::,-1,Microsoft::UI::Input::IInputPointerSource * __ptr64,Microsoft::UI::Input::IPointerEventArgs * __ptr64>::Invoke+0x87
47 000000bc`645ec880 00007ffa`c9fffa03 Microsoft_UI_Input!Microsoft::WRL::InvokeTraits::InvokeDelegates,Windows::Foundation::ITypedEventHandler<:ui::content::contentislandenvironment __ptr64> >+0x95
48 000000bc`645ec930 00007ffa`ca005259 Microsoft_UI_Input!Microsoft::WRL::EventSource<:foundation::itypedeventhandler __ptr64>,Microsoft::WRL::InvokeModeOptions >::InvokeAll<:ui::content::icontentsite __ptr64>+0x9f
49 000000bc`645ec990 00007ffa`ca002a5e Microsoft_UI_Input!`PointerInputObserverWinRT::InvokeEventDirectlyHelper_Callback'::`9'::::operator()+0x15d
4a 000000bc`645ec9c0 00007ffa`ca007e6a Microsoft_UI_Input!Microsoft::WRL2::ContextSession::LeaveSession_Callback >+0x4a
4b 000000bc`645eca00 00007ffa`ca008120 Microsoft_UI_Input!PointerInputObserverWinRT::InvokeEventDirectlyHelper_Callback+0x15e
4c 000000bc`645eca90 00007ffa`ca0069bc Microsoft_UI_Input!PointerInputObserverWinRT::InvokePointerEventsForInput_Callback+0x160
4d 000000bc`645ecc50 00007ffa`ca006881 Microsoft_UI_Input!PointerInputObserverWinRT::DeliverInputMessageImpl_Callback+0xec
4e 000000bc`645ecc80 00007ffa`ca00b5d6 Microsoft_UI_Input!PointerInputObserverWinRT::DeliverInputMessage+0x291
4f 000000bc`645ecf20 00007ffb`7a17b282 Microsoft_UI_Input!IIndependentInputTargetPrincipal_Receive<:bamoindependentinputtargetprincipalimpl>::Thunk_DeliverInputMessage_17+0xd6
50 000000bc`645ecfc0 00007ffa`ca00887f CoreMessagingXP!CoreUICallReceive+0xa2
51 000000bc`645ed1d0 00007ffa`ca09da13 Microsoft_UI_Input!BamoImpl::BamoIndependentInputTargetPrincipalImpl::OnMessage+0x3f
52 000000bc`645ed220 00007ffb`7a12fb68 Microsoft_UI_Input!Microsoft::BamoImpl::ConnectionIndirector::OnItemMessage+0xb3
53 000000bc`645ed270 00007ffb`7a12fe5f CoreMessagingXP!CFlat::SehSafe::Execute >+0x4c
54 000000bc`645ed2c0 00007ffb`7a1248eb CoreMessagingXP!Microsoft::CoreUI::ICallbackMessageConversationHost::Interface$::ImportDispatcher::OnItemMessage+0xbf
55 000000bc`645ed340 00007ffb`7a125890 CoreMessagingXP!Microsoft::CoreUI::ICallbackMessageConversationHost::OnItemMessage<:interfaceptr> >+0x5f
56 000000bc`645ed390 00007ffb`7a171f46 CoreMessagingXP!Microsoft::CoreUI::Conversations::Conversation::Callback_OnItemMessage+0x130
57 000000bc`645ed420 00007ffb`7a11b330 CoreMessagingXP!Microsoft::CoreUI::Conversations::ItemMessageDispatcher::Callback_OnMessageCore+0x36
58 000000bc`645ed470 00007ffb`7a1120ba CoreMessagingXP!Microsoft::CoreUI::Messaging::MessageEndpoint::Callback_OnMessage+0x80
59 000000bc`645ed520 00007ffb`7a112279 CoreMessagingXP!Microsoft::CoreUI::Messaging::MessageSession::Callback_DeliverMessage+0x2be
5a 000000bc`645ed600 00007ffb`7a13ef90 CoreMessagingXP!Microsoft::CoreUI::Messaging::MessageSession::Callback_DeliverMessageBatch+0x109
5b 000000bc`645ed6d0 00007ffb`7a103e0d CoreMessagingXP!Microsoft::CoreUI::Messaging::InterconnectMessageAdapter::InterfaceImplementation$::_Cn_Threading_IInterconnectBufferHandler::Dispatcher::Callback_ReceiveBuffer+0xf0
5c 000000bc`645ed7d0 00007ffb`7a157840 CoreMessagingXP!Cn::Threading::InterconnectQueue::Callback_ProcessNextItem+0x1d1
5d 000000bc`645ed870 00007ffb`7a1483ce CoreMessagingXP!Microsoft::CoreUI::Messaging::InterconnectMessageAdapter::Callback_OnReceive+0x4c
5e 000000bc`645ed8b0 00007ffb`7a10c880 CoreMessagingXP!Microsoft::CoreUI::Dispatch::OffThreadReceiver::Callback_OnDispatch+0x2be
5f 000000bc`645ed950 00007ffb`7a10c5ed CoreMessagingXP!Microsoft::CoreUI::Dispatch::Dispatcher::Callback_DispatchNextItem+0x1bc
60 000000bc`645ed9f0 00007ffb`7a0ffd7c CoreMessagingXP!Microsoft::CoreUI::Dispatch::Dispatcher::Callback_DispatchLoop+0x1b9
61 000000bc`645edab0 00007ffb`7a102c66 CoreMessagingXP!Microsoft::CoreUI::Dispatch::EventLoop::Callback_RunCoreLoop+0x164
62 000000bc`645edb10 00007ffb`7a102fdc CoreMessagingXP!Microsoft::CoreUI::Dispatch::UserAdapter::DrainCoreMessagingQueue+0x15a
63 000000bc`645edbd0 00007ffb`7a1436a3 CoreMessagingXP!Microsoft::CoreUI::Dispatch::UserAdapter::OnUserDispatch+0x98
64 000000bc`645edc20 00007ffb`7a143836 CoreMessagingXP!Microsoft::CoreUI::Dispatch::UserAdapter::DoWork+0xa7
65 000000bc`645edc80 00007ffb`7a143dae CoreMessagingXP!Microsoft::CoreUI::Dispatch::UserAdapter::HandleDispatchNotifyMessage+0x132
66 000000bc`645edce0 00007ffc`a9d45801 CoreMessagingXP!Microsoft::CoreUI::Dispatch::UserAdapter::WindowProc+0x5e
67 000000bc`645edd10 00007ffc`a9d4509c USER32!UserCallWinProcCheckWow+0x341
68 000000bc`645ede70 00007ffc`a9d762c3 USER32!DispatchClientMessage+0x9c
69 000000bc`645eded0 00007ffc`ab703654 USER32!_fnDWORD+0x33
6a 000000bc`645edf30 00007ffc`a8a11314 ntdll!KiUserCallbackDispatcherContinue
6b 000000bc`645edfb8 00007ffc`a9d68ff2 win32u!NtUserGetMessage+0x14
6c 000000bc`645edfc0 00007ffa`c4a4fadf USER32!GetMessageW+0x22
6d 000000bc`645ee020 00007ffa`c4a4d9e2 Microsoft_UI_Xaml!DirectUI::FrameworkApplication::RunDesktopWindowMessageLoop+0xab [C:\__w\1\s\dxaml\xcp\dxaml\lib\FrameworkApplication_Partial.cpp @ 1321]
6e 000000bc`645ee0a0 00007ffa`c46ff1b8 Microsoft_UI_Xaml!DirectUI::FrameworkApplication::StartDesktop+0x3c2 [C:\__w\1\s\dxaml\xcp\dxaml\lib\FrameworkApplication_Partial.cpp @ 242]
6f (Inline Function) --------`-------- Microsoft_UI_Xaml!DirectUI::FrameworkApplicationFactory::StartImpl+0xbd [C:\__w\1\s\dxaml\xcp\dxaml\lib\FrameworkApplication_Partial.cpp @ 183]
70 000000bc`645ee140 00007ffa`75de10a5 Microsoft_UI_Xaml!DirectUI::FrameworkApplicationFactory::Start+0x108 [C:\__w\1\s\dxaml\xcp\dxaml\lib\winrtgeneratedclasses\FrameworkApplication.g.cpp @ 843]
71 000000bc`645ee190 00007ffa`75de0e1c Microsoft_WinUI!ABI.Microsoft.UI.Xaml.IApplicationStaticsMethods.Start+0x145 [C:\__w\1\s\BuildOutput\obj\x86fre\src\projection\generated\CsWinRT\Microsoft.UI.Xaml.cs @ 14496]
72 000000bc`645ee2e0 00007ffa`74fcae74 Microsoft_WinUI!Microsoft.UI.Xaml.Application.Start+0x2c [C:\__w\1\s\BuildOutput\obj\x86fre\src\projection\generated\CsWinRT\Microsoft.UI.Xaml.cs @ 318]
73 000000bc`645ee320 00007ffa`d4b0d9c3 Files!Files.App.Program.Main+0x1314 [D:\source\repos\Files\src\Files.App\Program.cs @ 204]
74 000000bc`645ee860 00007ffa`d4a5eef1 coreclr!CallDescrWorkerInternal+0x83 [D:\a\_work\1\s\src\coreclr\vm\amd64\CallDescrWorkerAMD64.asm @ 100]
75 (Inline Function) --------`-------- coreclr!CallDescrWorkerWithHandler+0x5a [D:\a\_work\1\s\src\coreclr\vm\callhelpers.cpp @ 67]
76 000000bc`645ee8a0 00007ffa`d4aa2384 coreclr!MethodDescCallSite::CallTargetWorker+0x249 [D:\a\_work\1\s\src\coreclr\vm\callhelpers.cpp @ 570]
77 (Inline Function) --------`-------- coreclr!MethodDescCallSite::Call+0xb [D:\a\_work\1\s\src\coreclr\vm\callhelpers.h @ 458]
78 000000bc`645ee9e0 00007ffa`d4aa20b2 coreclr!RunMainInternal+0x11c [D:\a\_work\1\s\src\coreclr\vm\assembly.cpp @ 1304]
79 000000bc`645eeb00 00007ffa`d4aa1c4e coreclr!RunMain+0xd2 [D:\a\_work\1\s\src\coreclr\vm\assembly.cpp @ 1375]
7a 000000bc`645eebb0 00007ffa`d4aa1057 coreclr!Assembly::ExecuteMainMethod+0x1ca [D:\a\_work\1\s\src\coreclr\vm\assembly.cpp @ 1504]
7b 000000bc`645eee80 00007ffa`d4ae9878 coreclr!CorHost2::ExecuteAssembly+0x267 [D:\a\_work\1\s\src\coreclr\vm\corhost.cpp @ 349]
7c 000000bc`645eef80 00007ffc`4597269f coreclr!coreclr_execute_assembly+0xd8 [D:\a\_work\1\s\src\coreclr\dlls\mscoree\exports.cpp @ 504]
7d (Inline Function) --------`-------- hostpolicy!coreclr_t::execute_assembly+0x29 [D:\a\_work\1\s\src\native\corehost\hostpolicy\coreclr.cpp @ 109]
7e 000000bc`645ef020 00007ffc`4597297c hostpolicy!run_app_for_context+0x58f [D:\a\_work\1\s\src\native\corehost\hostpolicy\hostpolicy.cpp @ 256]
7f 000000bc`645ef140 00007ffc`4597328a hostpolicy!run_app+0x3c [D:\a\_work\1\s\src\native\corehost\hostpolicy\hostpolicy.cpp @ 285]
80 000000bc`645ef180 00007ffc`5f51da09 hostpolicy!corehost_main+0x15a [D:\a\_work\1\s\src\native\corehost\hostpolicy\hostpolicy.cpp @ 426]
81 000000bc`645ef280 00007ffc`5f51ff86 hostfxr!execute_app+0x2e9 [D:\a\_work\1\s\src\native\corehost\fxr\fx_muxer.cpp @ 145]
82 000000bc`645ef360 00007ffc`5f52207c hostfxr!`anonymous namespace'::read_config_and_execute+0xa6 [D:\a\_work\1\s\src\native\corehost\fxr\fx_muxer.cpp @ 532]
83 000000bc`645ef450 00007ffc`5f520553 hostfxr!fx_muxer_t::handle_exec_host_command+0x16c [D:\a\_work\1\s\src\native\corehost\fxr\fx_muxer.cpp @ 1007]
84 000000bc`645ef500 00007ffc`5f518390 hostfxr!fx_muxer_t::execute+0x483 [D:\a\_work\1\s\src\native\corehost\fxr\fx_muxer.cpp @ 578]
85 000000bc`645ef640 00007ff6`1f4ff878 hostfxr!hostfxr_main_startupinfo+0xa0 [D:\a\_work\1\s\src\native\corehost\fxr\hostfxr.cpp @ 63]
86 000000bc`645ef740 00007ff6`1f4ffc86 Files_exe+0xf878
87 000000bc`645ef8f0 00007ff6`1f5011c8 Files_exe+0xfc86
88 000000bc`645ef960 00007ffc`a981dbe7 Files_exe+0x111c8
89 000000bc`645ef9a0 00007ffc`ab625a4c KERNEL32!BaseThreadInitThunk+0x17
8a 000000bc`645ef9d0 00000000`00000000 ntdll!RtlUserThreadStart+0x2c
The AV usually happens on page navigation where the properties need to be updated, and the invalid address is accessed at Microsoft.ui.xaml.dll!DirectUI::PropertyProviderPropertyAccess::GetValue(IInspectable * * ppValue=0x0000001b0157a2c0) line 103 : C:\__w\1\s\dxaml\xcp\dxaml\lib\PropertyProviderPropertyAccess.cpp(103)
where the code is:
_Check_return_
HRESULT
PropertyProviderPropertyAccess::GetValue(_COM_Outptr_result_maybenull_ IInspectable **ppValue)
{
    if (IsConnected())
    {
        IFC_RETURN(m_tpProperty->GetValue(m_tpSource.Get(), ppValue)); // <---
    }
    else
    {
        *ppValue = nullptr;
    }
    return S_OK;
}
Normally, the m_tpProperty here is supposed to be the CCW of ABI.Microsoft.UI.Xaml.Data.ManagedCustomProperty, and the m_tpSource is the CCW of the binding value object.
But running !dumpccw <address of m_tpProperty> with WinDbg gives:
!dumpccw 0x00000247c2802260
ComWrappers CCW found
Managed object: 000002070d10c320
Ref count: 0
You can see that although we are still using m_tpProperty, its ref count is 0, so the managed object can be released by someone else, resulting in an AV.
This can be observed when the AV happens, where dumping the CCW of m_tpProperty gives:
!dumpccw 0x0000026c0566f4e0
ComWrappers CCW found
Managed object: 0000000000000000
Ref count: 0
This may be the root cause of the long-standing WinUI 3 crashing issue on page navigation, and the issue may not be limited to ABI.Microsoft.UI.Xaml.Data.ManagedCustomProperty. We should call AddRef to make sure the object won't be released while we are still using it.
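The refcount contract the report describes, as an added example that is not CsWinRT or WinUI code: a minimal COM-style object stands in for the CCW, a "borrowed" holder reproduces the bug pattern (a stored interface pointer that never took its own reference, so the ref count reaches 0 and the object is destroyed while the holder still points at it), and an owning holder shows the AddRef/Release pairing a ComPtr/TrackerPtr-style member is expected to follow. The names Property, BorrowedPtr, OwningPtr and the liveness registry are constructed for this example.

```cpp
#include <cassert>
#include <set>

// Registry of live object addresses, so a dangling pointer can be detected by
// address comparison alone, without dereferencing freed memory (a stand-in for
// the !dumpccw check in the report). Constructed for this example.
static std::set<const void*> g_live;

struct IRefCounted {
    virtual unsigned long AddRef() = 0;
    virtual unsigned long Release() = 0;
    virtual long GetValue() = 0;
    virtual ~IRefCounted() = default;
};

// Plays the role of the CCW around the managed property: created with ref
// count 1 by its owner and destroyed when the count drops to 0.
class Property : public IRefCounted {
    unsigned long m_refs = 1;
    long m_value;
public:
    explicit Property(long v) : m_value(v) { g_live.insert(this); }
    ~Property() override { g_live.erase(this); }
    unsigned long AddRef() override { return ++m_refs; }
    unsigned long Release() override {
        unsigned long left = --m_refs;
        if (left == 0) delete this;          // last reference gone: object dies
        return left;
    }
    long GetValue() override { return m_value; }
};

// Buggy holder: stores the raw pointer without AddRef, which is what the report
// observes (m_tpProperty still in use while the CCW's ref count is already 0).
struct BorrowedPtr {
    IRefCounted* p = nullptr;
    void Set(IRefCounted* q) { p = q; }   // no AddRef: ownership never taken
    bool IsLive() const { return g_live.count(p) != 0; }
};

// Hardened holder: takes its own reference on Set and releases it on Reset or
// destruction, so the object cannot be freed underneath it.
class OwningPtr {
    IRefCounted* p = nullptr;
public:
    ~OwningPtr() { Reset(); }
    void Set(IRefCounted* q) {
        if (q) q->AddRef();               // take the reference before storing
        if (p) p->Release();              // drop the reference we held before
        p = q;
    }
    void Reset() { Set(nullptr); }
    bool IsLive() const { return g_live.count(p) != 0; }
    long GetValue() const { return p->GetValue(); }
};

// Scenario 1: the owner releases while a borrowed pointer is still held.
// Returns true when the holder now dangles, i.e. the reported bug.
bool BorrowedPointerDangles() {
    BorrowedPtr holder;
    IRefCounted* owner = new Property(42);   // ref count 1, held by "owner"
    holder.Set(owner);                       // ref count still 1
    owner->Release();                        // ref count 0: object destroyed
    return !holder.IsLive();                 // holder points at a dead object
}

// Scenario 2: same sequence with an owning holder. Returns the value read
// after the original owner let go, proving the object outlived that release.
long OwningPointerSurvives() {
    OwningPtr holder;
    IRefCounted* owner = new Property(42);   // ref count 1
    holder.Set(owner);                       // ref count 2
    owner->Release();                        // ref count 1, object still live
    assert(holder.IsLive());
    return holder.GetValue();                // holder's destructor drops the last ref
}
```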