Pass inbound handoff message via heap so it cannot race out of scope by the time it reaches the ConsoleIoThread #10751
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…by the time it reaches the ConsoleIoThread.
…y. push things around a bit to deal with that.
ghost
added
Area-DefApp
Issue-Bug
DHowett
reviewed
Jul 21, 2021
| // free the heap memory when we're done getting the important bits out of it below. | ||
| std::unique_ptr<CONSOLE_API_MSG> capturedMessage{ static_cast<PCONSOLE_API_MSG>(lpParameter) }; | ||
|
|
||
| ReceiveMsg = *capturedMessage.get(); | ||
| ReceiveMsg._pApiRoutines = &globals.api; | ||
| ReceiveMsg._pDeviceComm = globals.pDeviceComm; | ||
| IoSorter::ServiceIoOperation(&ReceiveMsg, &ReplyMsg); |
There was a problem hiding this comment.
Meh, can we just patch capturedMessage directly and hand it off as a pointer instead of copying it?
Suggested change
| IoSorter::ServiceIoOperation(&ReceiveMsg, &ReplyMsg); | |
| IoSorter::ServiceIoOperation(capturedMessage.get(), &ReplyMsg); |
There was a problem hiding this comment.
Having the leftover stack state in ReceiveMsg and ReplyMsg when the dump I was given was hung later on at HRESULT hr = ServiceLocator::LocateGlobals().pDeviceComm->ReadIo(ReplyMsg, &ReceiveMsg); was what lead me to understand this bug to begin with.
As such, I tried to maintain keeping the "most recent message before hang" in the local variables. If I use the heap one directly, it'll disappear to space if I get another similar hang dump and I'll only have the reply to go on. Additionally, the api and devicecomm bits need to be patched up in ReceiveMsg anyway, no matter what, as they're reused message over message.
DHowett
approved these changes
Jul 21, 2021
ianjoneill
approved these changes
Jul 22, 2021
zadjii-msft
approved these changes
Jul 22, 2021
zadjii-msft
added
the
AutoMerge
|
Hello @zadjii-msft! Because this pull request has the p.s. you can customize the way I help with merging this pull request, such as holding this pull request until a specific person approves. Simply @mention me (
|
ghost
merged commit
Rosefield
pushed a commit
to Rosefield/terminal
that referenced
this pull request
Jul 22, 2021
…by the time it reaches the ConsoleIoThread (microsoft#10751) Pass inbound handoff message via heap so it cannot race out of scope by the time it reaches the ConsoleIoThread ## PR Checklist * [x] Closes microsoft#10251 * [x] I work here. * [x] Manually verified somewhat ## Detailed Description of the Pull Request / Additional comments - `OpenConsole.exe` is started in response to the OS `conhost.exe` request for a handoff and prepares an Out Of Proc Multithreaded COM server. - A COM thread from the pool inside `OpenConsole.exe` picks up the inbound message and allocates some stack space for the `CONSOLE_API_MSG` coming in - That COM thread calls down to set up the I/O thread that will pump the console driver handle and passes a pointer to the stack-allocated `CONSOLE_API_MSG` as the `LPVOID` parameter for starting the thread. Now one of two things happen: 1. The I/O thread is scheduled pretty much immediately (or soon enough that the COM thread hasn't messed with the stack space), picks up the pointer to the COM thread's stack with `CONSOLE_API_MSG`, and processes the initial message correctly. 2. The COM thread continues and finalizes the handoff message to `conhost.exe` declaring success. It then pops stack and "frees" the memory space. If it doesn't manage to overwrite it, we're still good. If it does, then things go crazy. This fix changes it so that the `CONSOLE_API_MSG` is sent into the heap before being passed to the other thread so it's in a known location that won't be freed or overwritten unexpectedly. ## Validation Steps Performed - [x] - Confirmed that many handoffs from the run box seem to work alright on my system after this change. - [x] - Confirmed that many tab creations/splits seem to work alright on my system after this change. - [x] - Would prefer if @ianjoneill could try to F5 this branch to build/deploy it, set it as default, and see if it makes it go away completely... but I'm pretty confident it is this based on the dumps provided either way.
This was referenced Jul 23, 2021
DHowett
pushed a commit
that referenced
this pull request
Aug 25, 2021
…by the time it reaches the ConsoleIoThread (#10751) Pass inbound handoff message via heap so it cannot race out of scope by the time it reaches the ConsoleIoThread ## PR Checklist * [x] Closes #10251 * [x] I work here. * [x] Manually verified somewhat ## Detailed Description of the Pull Request / Additional comments - `OpenConsole.exe` is started in response to the OS `conhost.exe` request for a handoff and prepares an Out Of Proc Multithreaded COM server. - A COM thread from the pool inside `OpenConsole.exe` picks up the inbound message and allocates some stack space for the `CONSOLE_API_MSG` coming in - That COM thread calls down to set up the I/O thread that will pump the console driver handle and passes a pointer to the stack-allocated `CONSOLE_API_MSG` as the `LPVOID` parameter for starting the thread. Now one of two things happen: 1. The I/O thread is scheduled pretty much immediately (or soon enough that the COM thread hasn't messed with the stack space), picks up the pointer to the COM thread's stack with `CONSOLE_API_MSG`, and processes the initial message correctly. 2. The COM thread continues and finalizes the handoff message to `conhost.exe` declaring success. It then pops stack and "frees" the memory space. If it doesn't manage to overwrite it, we're still good. If it does, then things go crazy. This fix changes it so that the `CONSOLE_API_MSG` is sent into the heap before being passed to the other thread so it's in a known location that won't be freed or overwritten unexpectedly. ## Validation Steps Performed - [x] - Confirmed that many handoffs from the run box seem to work alright on my system after this change. - [x] - Confirmed that many tab creations/splits seem to work alright on my system after this change. - [x] - Would prefer if @ianjoneill could try to F5 this branch to build/deploy it, set it as default, and see if it makes it go away completely... but I'm pretty confident it is this based on the dumps provided either way.
|
🎉 Handy links: |
ghost
mentioned this pull request
|
🎉 Handy links: |
This pull request was closed.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Pass inbound handoff message via heap so it cannot race out of scope by the time it reaches the ConsoleIoThread
PR Checklist
Detailed Description of the Pull Request / Additional comments
OpenConsole.exeis started in response to the OSconhost.exerequest for a handoff and prepares an Out Of Proc Multithreaded COM server.OpenConsole.exepicks up the inbound message and allocates some stack space for theCONSOLE_API_MSGcoming inCONSOLE_API_MSGas theLPVOIDparameter for starting the thread.Now one of two things happen:
CONSOLE_API_MSG, and processes the initial message correctly.conhost.exedeclaring success. It then pops stack and "frees" the memory space. If it doesn't manage to overwrite it, we're still good. If it does, then things go crazy.This fix changes it so that the
CONSOLE_API_MSGis sent into the heap before being passed to the other thread so it's in a known location that won't be freed or overwritten unexpectedly.Validation Steps Performed