[ros-bugs] [jira] (CORE-14402) CSRSS deadlock: holding lock while sending window message
Thomas Faber (JIRA)
2018-02-25 09:27:00 UTC
Thomas Faber created CORE-14402:
-----------------------------------

Summary: CSRSS deadlock: holding lock while sending window message
Key: CORE-14402
URL: https://jira.reactos.org/browse/CORE-14402
Project: Core ReactOS
Issue Type: Bug
Reporter: Thomas Faber


Running the following batch script in a console window:
{noformat}
:a
start notepad.exe
taskkill /im notepad.exe
goto a
{noformat}

After a short time the system hangs; after the critical section timeout period it breaks into the debugger:
{noformat}
ERROR: RtlpWaitForCriticalSection at ..\sdk\lib\rtl\critical.c:172
Deadlock: 0x0022B0F4
Break instruction exception - code 80000003 (first chance)
001b:7c9307d2 cc int 3
kd> !process
PROCESS b5534020 SessionId: 0 Cid: 0084 Peb: 7ffaf000 ParentCid: 0054
DirBase: 7c879000 ObjectTable: e158cb48 HandleCount: 142.
Image: csrss.exe
VadRoot b552d410 Vads 177 Clone 0 Private 378. Modified 0. Locked 0.
DeviceMap b57b9080
Token e158c3a8
ElapsedTime 00:06:57.676
UserTime 00:00:00.029
KernelTime 00:00:01.229
QuotaPoolUsage[PagedPool] 0
QuotaPoolUsage[NonPagedPool] 0
Working Set Sizes (now,min,max) (3780608, 0, 300) (15122432KB, 0KB, 1200KB)
PeakWorkingSetSize 3796992
VirtualSize 25 Mb
PeakVirtualSize 25 Mb
PageFaultCount 0
MemoryPriority BACKGROUND
BasePriority 13
CommitCharge 98

THREAD b551b250 Cid 0084.008c Teb: 7ffde000 Win32Thread: b5519008 WAIT: (UserRequest) KernelMode Alertable
805f4d30 NotificationEvent
b55a85e8 NotificationTimer
b551c634 NotificationEvent
b551b5c4 NotificationEvent

THREAD b551bdb0 Cid 0084.0090 Teb: 7ffdd000 Win32Thread: b5519e18 WAIT: (UserRequest) UserMode Non-Alertable
b5519e00 SynchronizationEvent

THREAD b551b700 Cid 0084.0094 Teb: 7ffdc000 Win32Thread: b5507ba8 WAIT: (WrLpcReceive) UserMode Non-Alertable
b551bc18 Semaphore Limit 0x7fffffff

THREAD b55199a0 Cid 0084.0098 Teb: 7ffdb000 Win32Thread: 00000000 WAIT: (WrLpcReceive) UserMode Non-Alertable
b5519c60 Semaphore Limit 0x7fffffff

THREAD b5513590 Cid 0084.00a4 Teb: 7ffdf000 Win32Thread: b550a9f0 WAIT: (UserRequest) UserMode Non-Alertable
e1504748 NotificationEvent
b550fbf8 SynchronizationEvent
b539a0d8 Thread

THREAD b539a0d8 Cid 0084.03c8 Teb: 7ffda000 Win32Thread: b53e66a0 RUNNING on processor 0
THREAD b54e58e8 Cid 0084.046c Teb: 7ffd9000 Win32Thread: 00000000 WAIT: (WrLpcReceive) UserMode Non-Alertable
b551bc18 Semaphore Limit 0x7fffffff


kd> ?? Console->Lock
struct _CRITICAL_SECTION
+0x000 DebugInfo : 0x7c9a8b78 _CRITICAL_SECTION_DEBUG
+0x004 LockCount : 0n1
+0x008 RecursionCount : 0n1
+0x00c OwningThread : 0x000000a4 Void
+0x010 LockSemaphore : 0x000006a8 Void
+0x014 SpinCount : 0
kd> !thread
THREAD b539a0d8 Cid 0084.03c8 Teb: 7ffda000 Win32Thread: b53e66a0 RUNNING on processor 0
Not impersonating
Owning Process b5534020 Image: csrss.exe
Attached Process N/A Image: N/A
Wait Start TickCount 28779 Ticks: 0
Context Switch Count 833 LargeStack
UserTime 00:00:00.000
KernelTime 00:00:01.109
Start Address winsrv!GuiConsoleInputThread (0x7a8a62b0)
Stack Init f7071880 Current f7071408 Base f7072000 Limit f706d000 Call f7071888
Priority 13 BasePriority 13 PriorityDecrement 0
ChildEBP RetAddr Args to Child
00f6fc10 7c93eb90 00f6fd4c 01cccccc cccccccc ntdll!DbgBreakPoint (FPO: [0,0,0])
00f6fc7c 7c93e351 0022b0f4 000003c8 00f6fc98 ntdll!RtlpWaitForCriticalSection+0x110 (FPO: [Non-Fpo]) (CONV: stdcall) [c:\ros\reactos\sdk\lib\rtl\critical.c @ 172]
00f6fc8c 7a89e596 0022b0f4 00f6fccc 7a8a995e ntdll!RtlEnterCriticalSection+0x51 (FPO: [Non-Fpo]) (CONV: stdcall) [c:\ros\reactos\sdk\lib\rtl\critical.c @ 520]
00f6fc98 7a8a995e 0022b008 00000001 00000001 winsrv!ConDrvValidateConsoleUnsafe+0x26 (FPO: [Non-Fpo]) (CONV: stdcall) [c:\ros\reactos\win32ss\user\winsrv\consrv\condrv\console.c @ 137]
00f6fccc 7a8a8721 0022e9f0 00000000 00f6fe2c winsrv!OnFocus+0x3e (FPO: [Non-Fpo]) (CONV: cdecl) [c:\ros\reactos\win32ss\user\winsrv\consrv\frontends\gui\conwnd.c @ 698]
00f6fd4c 7c5617fa 000a0106 00000008 00000000 winsrv!ConWndProc+0x5d1 (FPO: [Non-Fpo]) (CONV: stdcall) [c:\ros\reactos\win32ss\user\winsrv\consrv\frontends\gui\conwnd.c @ 2427]
00f6fd7c 7c55093f 7a8a8150 000a0106 00000008 user32!CALL_EXTERN_WNDPROC+0x1a (FPO: [0,0,0])
00f6fe44 7c55614e 00b249c0 000a0106 00000008 user32!IntCallWindowProcW+0x54f (FPO: [Non-Fpo]) (CONV: fastcall) [c:\ros\reactos\win32ss\user\user32\windows\message.c @ 1522]
00f6fed0 7c930111 00f6fee8 00000020 ffffffff user32!User32CallWindowProcFromKernel+0x24e (FPO: [Non-Fpo]) (CONV: stdcall) [c:\ros\reactos\win32ss\user\user32\windows\message.c @ 2967]
00f6ff24 7a8a637a 00f6ffa4 00000000 00000000 ntdll!KiUserCallbackDispatcher+0x2e
00f6fff4 00000000 00225728 00000000 00000000 winsrv!GuiConsoleInputThread+0xca (FPO: [Non-Fpo]) (CONV: stdcall) [c:\ros\reactos\win32ss\user\winsrv\consrv\frontends\gui\guiterm.c @ 143]

kd> !thread b5513590
THREAD b5513590 Cid 0084.00a4 Teb: 7ffdf000 Win32Thread: b550a9f0 WAIT: (UserRequest) UserMode Non-Alertable
e1504748 NotificationEvent
b550fbf8 SynchronizationEvent
b539a0d8 Thread
Not impersonating
Owning Process b5534020 Image: csrss.exe
Attached Process N/A Image: N/A
Wait Start TickCount 8771 Ticks: 20008 (0:00:05:00.023)
Context Switch Count 1361 NoStackSwap LargeStack
UserTime 00:00:00.000
KernelTime 00:00:00.134
LPC Server thread working on message Id 9fc
Start Address 0x000009fc
Stack Init f7479000 Current f747885c Base f7479000 Limit f7475000 Call 0
Priority 14 BasePriority 13 PriorityDecrement 0
ChildEBP RetAddr Args to Child
f74788b0 804ae2ba f7478a0c f7478980 00000001 nt!KiSwapContext+0x19
f7478958 f75e35a3 00000003 f74789b4 00000001 nt!KeWaitForMultipleObjects+0x77a (FPO: [Non-Fpo]) (CONV: stdcall) [c:\ros\reactos\ntoskrnl\ke\wait.c @ 842]
f7478a0c f75d6b36 000000ae 00000008 00000000 win32k!co_MsqSendMessage+0x6b3 (FPO: [Non-Fpo]) (CONV: fastcall) [c:\ros\reactos\win32ss\user\ntuser\msgqueue.c @ 1242]
f7478a9c f75d6484 00000008 00000000 00000000 win32k!co_IntSendMessageTimeoutSingle+0x576 (FPO: [Non-Fpo]) (CONV: fastcall) [c:\ros\reactos\win32ss\user\ntuser\message.c @ 1452]
f7478ad4 f75d6354 00000008 00000000 00000000 win32k!co_IntSendMessageTimeout+0x54 (FPO: [Non-Fpo]) (CONV: fastcall) [c:\ros\reactos\win32ss\user\ntuser\message.c @ 1507]
f7478b04 f75d6231 00000008 00000000 f7478cd0 win32k!co_IntSendMessage+0x44 (FPO: [Non-Fpo]) (CONV: fastcall) [c:\ros\reactos\win32ss\user\ntuser\message.c @ 1298]
f7478b84 f75d8a17 00000008 00000000 00000000 win32k!co_IntDoSendMessage+0x141 (FPO: [Non-Fpo]) (CONV: fastcall) [c:\ros\reactos\win32ss\user\ntuser\message.c @ 1846]
f7478ce8 80541bdb 000a0106 000000ae 00000008 win32k!NtUserMessageCall+0xc97 (FPO: [Non-Fpo]) (CONV: stdcall) [c:\ros\reactos\win32ss\user\ntuser\message.c @ 2732]
f7478d14 8053fb1b f75d7d80 00b1fc5c 0000001c nt!KiSystemCallTrampoline+0x1b (FPO: [Non-Fpo]) (CONV: cdecl) [c:\ros\reactos\ntoskrnl\include\internal\i386\ke.h @ 748]
f7478d5c 80403e23 00b1fcdc 7c9301be badb0d00 nt!KiSystemServiceHandler+0x24b (FPO: [Non-Fpo]) (CONV: fastcall) [c:\ros\reactos\ntoskrnl\ke\i386\traphdlr.c @ 1813]
f7478d5c 7c9301be 00b1fcdc 7c9301be badb0d00 nt!KiFastCallEntry+0x8c (FPO: [0,0] TrapFrame @ f7478d64)
00b1fc50 7c5657fd 7c555a84 000a0106 000000ae ntdll!KiFastSystemCallRet (FPO: [0,0,0])
00b1fc54 7c555a84 000a0106 000000ae 00000008 user32!ZwUserMessageCall+0xc (FPO: [0,0,0])
00b1fcdc 7c538a01 000a0106 000000ae 00000008 user32!SendMessageW+0x184 (FPO: [Non-Fpo]) (CONV: stdcall) [c:\ros\reactos\win32ss\user\user32\windows\message.c @ 2395]
00b1fd10 7c53767c 00b249c0 00000008 00b1ffdc user32!UserPaintCaption+0x91 (FPO: [Non-Fpo]) (CONV: cdecl) [c:\ros\reactos\win32ss\user\user32\windows\defwnd.c @ 278]
00b1fd90 7aa1384c 000a0106 0000000c 00000000 user32!RealDefWindowProcW+0x33c (FPO: [Non-Fpo]) (CONV: stdcall) [c:\ros\reactos\win32ss\user\user32\windows\defwnd.c @ 1110]
00b1fdb0 7c53651d 000a0106 0000000c 00000000 uxtheme!ThemeDefWindowProcW+0x5c (FPO: [Non-Fpo]) (CONV: stdcall) [c:\ros\reactos\dll\win32\uxtheme\themehooks.c @ 279]
00b1fe00 7c55e72b 000a0106 0000000c 00000000 user32!DefWindowProcW+0xbd (FPO: [Non-Fpo]) (CONV: stdcall) [c:\ros\reactos\win32ss\user\user32\windows\defwnd.c @ 1255]
00b1fe24 7a8a5a82 000a0106 0023fb48 0022e9f0 user32!SetWindowTextW+0x4b (FPO: [Non-Fpo]) (CONV: stdcall) [c:\ros\reactos\win32ss\user\user32\windows\window.c @ 1703]
00b1fe38 7a898e97 0022b010 00b1fe74 0000005e winsrv!GuiChangeTitle+0x32 (FPO: [Non-Fpo]) (CONV: stdcall) [c:\ros\reactos\win32ss\user\winsrv\consrv\frontends\gui\guiterm.c @ 877]
00b1fe64 100022e3 00b1fed8 00b1ffb4 00000005 winsrv!SrvSetConsoleTitle+0x217 (FPO: [Non-Fpo]) (CONV: stdcall) [c:\ros\reactos\win32ss\user\winsrv\consrv\console.c @ 1376]
00b1fff4 00000000 00000000 e10100e0 00000000 csrsrv!CsrApiRequestThread+0xc63 (FPO: [Non-Fpo]) (CONV: stdcall) [c:\ros\reactos\subsystems\win32\csrsrv\api.c @ 811]
{noformat}

Apparently it's holding the console critical section while calling SetWindowText, and message processing in the target thread (for WM_FOCUS) tries to acquire the same critical section.

[~hbelusca], any thoughts?



--
This message was sent by Atlassian JIRA
(v7.3.2#73013)
Thomas Faber (JIRA)
2018-02-25 09:30:00 UTC
[ https://jira.reactos.org/browse/CORE-14402?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Thomas Faber updated CORE-14402:
--------------------------------
Status: Open (was: Untriaged)
HBelusca (JIRA)
2018-02-25 14:19:00 UTC
[ https://jira.reactos.org/browse/CORE-14402?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=102273#comment-102273 ]

HBelusca commented on CORE-14402:
---------------------------------

The OnFocus() function:
https://git.reactos.org/?p=reactos.git;a=blob;f=win32ss/user/winsrv/consrv/frontends/gui/conwnd.c;h=860244f6c5bf550ff26490306c4a9d2090cadcb4;hb=HEAD#l692
acquires the console lock to set some properties of the console, as well as to write into the input buffer of the console. Then the lock is released.

In parallel, SrvSetConsoleTitle (called from the "SetConsoleTitle" API):
https://git.reactos.org/?p=reactos.git;a=blob;f=win32ss/user/winsrv/consrv/console.c;hb=a0d412b77a2818ba2292772c8e8410b2b90ce215#l1306
locks the console because it'll also modify some internal Console data, then calls the "TermChangeTitle" macro which (in our case) just calls GuiChangeTitle. GuiChangeTitle in turn calls SetWindowTextW(GuiData->hWindow, GuiData->Console->Title.Buffer).

Because this function directly reads the contents of Console->Title, the console has been locked (and is expected to have its lock released afterwards). But it appears, according to your tests, that during this SetWindowText call the console window proc has also been called separately with the WM_FOCUS message...

I would actually like to have some nice ideas on how to solve this conundrum.
HBelusca (JIRA)
2018-02-25 14:19:00 UTC
[ https://jira.reactos.org/browse/CORE-14402?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

HBelusca updated CORE-14402:
----------------------------
Component/s: Win32SS
Module: consrv
Thomas Faber (JIRA)
2018-02-25 15:22:00 UTC
[ https://jira.reactos.org/browse/CORE-14402?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=102279#comment-102279 ]

Thomas Faber commented on CORE-14402:
-------------------------------------

I'd say, as a rule, don't hold a lock during a SendMessage call. One way to do that would be to copy the title to a stack buffer, release the lock, and pass the buffer to ChangeTitle.
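The two comments above describe the same cycle from both ends: SrvSetConsoleTitle holds Console->Lock while SetWindowText does a synchronous cross-thread send to the console window, and the window's owner thread is at that moment inside OnFocus, which needs Console->Lock before it can return. The following is an added, constructed model of that cycle and of the copy-then-send fix Thomas proposes; it is not ReactOS code. The class and function names (TracedLock, Console, GuiThread, run_scenario, set_console_title_locked_send, set_console_title_copy_then_send) are the example's own. It simplifies the trace in one way: the real sender blocks on the WM_NCUAHDRAWCAPTION (0xae) that DefWindowProc's caption repaint sends from inside SetWindowTextW, while the model sends a single WM_SETTEXT. The pending focus message is WM_KILLFOCUS because the ConWndProc frame in the trace carries message 0x8 (args 000a0106 00000008), i.e. the console window losing focus to the freshly started notepad.exe. Lock and send waits use short timeouts so the hung case reports instead of hanging the interpreter.

```python
"""Two-thread model of the CORE-14402 deadlock and of the copy-then-send fix.
Constructed example: none of these classes or names are ReactOS code."""
import threading
import queue

LOCK_TIMEOUT = 0.5   # stands in for the critical-section wait timeout
SEND_TIMEOUT = 1.5   # stands in for how long the sender waits on the window procedure


class TracedLock:
    """Non-recursive lock that records its owner, like CRITICAL_SECTION.OwningThread."""

    def __init__(self):
        self._lock = threading.Lock()
        self.owner = None
        self.first_acquired = threading.Event()

    def acquire(self, timeout=-1):
        ok = self._lock.acquire(timeout=timeout)
        if ok:
            self.owner = threading.current_thread().name
            self.first_acquired.set()
        return ok

    def release(self):
        self.owner = None
        self._lock.release()

    def __enter__(self):
        self.acquire()
        return self

    def __exit__(self, *exc):
        self.release()


class Console:
    def __init__(self, title):
        self.lock = TracedLock()   # Console->Lock
        self.title = title         # Console->Title
        self.has_focus = True


class GuiThread(threading.Thread):
    """Owner of the console window (cf. GuiConsoleInputThread): pumps messages and
    runs the window procedure.  A SendMessage from another thread blocks that thread
    until the window procedure has returned."""

    def __init__(self, console):
        super().__init__(name="gui", daemon=True)
        self.console = console
        self.msgs = queue.Queue()
        self.window_title = None
        self.deadlocks = []

    def post(self, msg, arg):
        done = threading.Event()
        self.msgs.put((msg, arg, done))
        return done

    def send_message(self, msg, arg):
        """SendMessage semantics: wait for the window procedure to finish."""
        return self.post(msg, arg).wait(SEND_TIMEOUT)

    def run(self):
        while True:
            msg, arg, done = self.msgs.get()
            if msg == "WM_QUIT":
                done.set()
                return
            if not self.wndproc(msg, arg):
                return           # stuck in EnterCriticalSection: this thread never pumps again
            done.set()

    def wndproc(self, msg, arg):
        if msg == "WM_SETTEXT":
            self.window_title = arg
        elif msg == "WM_KILLFOCUS":
            # OnFocus(): needs Console->Lock to update console state.
            if not self.console.lock.acquire(timeout=LOCK_TIMEOUT):
                self.deadlocks.append(
                    f"{msg}: Console->Lock owned by {self.console.lock.owner!r}, "
                    "which is itself blocked in SendMessage waiting for this thread")
                return False
            try:
                self.console.has_focus = arg
            finally:
                self.console.lock.release()
        return True


def set_console_title_locked_send(console, gui, new_title):
    """SrvSetConsoleTitle as in the trace: the send happens with Console->Lock held."""
    with console.lock:
        console.title = new_title
        # TermChangeTitle -> GuiChangeTitle -> SetWindowTextW(hWnd, Console->Title.Buffer)
        return gui.send_message("WM_SETTEXT", console.title)


def set_console_title_copy_then_send(console, gui, new_title):
    """Proposed fix: snapshot the title under the lock, release it, then send the copy."""
    with console.lock:
        console.title = new_title
        title_copy = console.title   # in C: copy Title.Buffer into a local buffer here
    return gui.send_message("WM_SETTEXT", title_copy)


def run_scenario(set_title):
    """One SetConsoleTitle while a focus message is already queued for the window,
    which is what the start/taskkill loop produces.  Returns what a debugger would show."""
    console = Console("cmd.exe")
    gui = GuiThread(console)
    # Constructed: notepad.exe has just taken the focus, so WM_KILLFOCUS (0x8 in the
    # ConWndProc frame of the trace) is queued ahead of our WM_SETTEXT.
    gui.post("WM_KILLFOCUS", False)
    result = {}
    api = threading.Thread(                      # cf. CsrApiRequestThread -> SrvSetConsoleTitle
        name="csr-api",
        target=lambda: result.update(sent=set_title(console, gui, "taskkill /im notepad.exe")))
    api.start()
    console.lock.first_acquired.wait(SEND_TIMEOUT)   # API thread is inside its critical region
    gui.start()                                      # only now does the window thread pump
    api.join(2 * SEND_TIMEOUT)
    gui.post("WM_QUIT", None).wait(LOCK_TIMEOUT)
    result.setdefault("sent", False)
    result["title_applied"] = gui.window_title == "taskkill /im notepad.exe"
    result["deadlocked"] = bool(gui.deadlocks)
    result["detail"] = gui.deadlocks[:1]
    return result


if __name__ == "__main__":
    for fn in (set_console_title_locked_send, set_console_title_copy_then_send):
        print(fn.__name__, run_scenario(fn))
```

The locked-send variant reports the window thread giving up on Console->Lock while the API thread still owns it, and the send itself then times out with the title never applied; the copy-then-send variant completes both. The copy is the important half of the fix, not just the early release: once the lock is dropped, another SetConsoleTitle may free or reallocate Console->Title.Buffer, so the pointer passed to SetWindowTextW must refer to the caller's own buffer. Waiting under a timeout only makes the hang visible; the rule Thomas states is what removes it.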
HBelusca (JIRA)
2018-05-10 10:37:03 UTC
[ https://jira.reactos.org/browse/CORE-14402?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

HBelusca reassigned CORE-14402:
-------------------------------

Assignee: HBelusca
