[9.10x64RC1] Crash when F6 F2 to SMB share

ZoSTeR · Post by *ZoSTeR » 2017-10-11, 16:36 UTC

Got this several times now.

I try to move a file via the queue to an SMB share (F6,F2).

I've noticed there's a background window just with the top row of buttons, guess this is related to the previous unpacking dialog bug.

Stack:
ntoskrnl.exe!KeSynchronizeExecution+0x3f46
ntoskrnl.exe!KeWaitForSingleObject+0xfda
ntoskrnl.exe!KeWaitForSingleObject+0x9a1
ntoskrnl.exe!KeWaitForSingleObject+0x2b8
ntoskrnl.exe!KeCheckProcessorGroupAffinity+0xb64
ntoskrnl.exe!KeWaitForSingleObject+0x2a3e
ntoskrnl.exe!KeWaitForSingleObject+0x11a7
ntoskrnl.exe!KeWaitForSingleObject+0x9a1
ntoskrnl.exe!KeWaitForSingleObject+0x2b8
win32kfull.sys!xxxWindowEvent+0xa28
win32kfull.sys!NtUserPostMessage+0x3e8d
win32kfull.sys!NtUserCallNextHookEx+0x667
win32kfull.sys!NtUserMessageCall+0xba4
win32kfull.sys!NtUserMessageCall+0xfa
ntoskrnl.exe!setjmpex+0x3b63
win32u.dll!NtUserMessageCall+0x14
USER32.dll!SendMessageW+0x291
USER32.dll!SendMessageA+0x55
TOTALCMD64.EXE+0x4b0bcc

Post by *ghisler(Author) » 2017-10-11, 21:36 UTC

Not confirmed. Which Windows version?

ZoSTeR · Post by *ZoSTeR » 2017-10-12, 05:59 UTC

Microsoft Windows Version 10.0.15063. TC as Admin.

The path length seems to be a factor.

Got this from VS:

Code: Select all


00007FFDD015C125  call        RtlUnicodeToMultiByteSize (07FFDD013FD10h)  
00007FFDD015C12A  test        eax,eax  
00007FFDD015C12C  js          wcstombs+68h (07FFDD015C138h)  
00007FFDD015C12E  mov         rax,qword ptr [rsp+40h]  
00007FFDD015C133  dec         rax  
00007FFDD015C136  jmp         wcstombs+77h (07FFDD015C147h)  
00007FFDD015C138  call        _errno (07FFDD0148B10h)  
00007FFDD015C13D  mov         dword ptr [rax],2Ah  
00007FFDD015C143  or          rax,0FFFFFFFFFFFFFFFFh  
00007FFDD015C147  add         rsp,30h  
00007FFDD015C14B  pop         rdi  
00007FFDD015C14C  ret  
00007FFDD015C14D  int         3  
00007FFDD015C14E  int         3  
00007FFDD015C14F  int         3  
__GSHandlerCheck:
00007FFDD015C150  sub         rsp,28h  
00007FFDD015C154  mov         r8,qword ptr [r9+38h]  
00007FFDD015C158  mov         rcx,rdx  
00007FFDD015C15B  mov         rdx,r9  
00007FFDD015C15E  call        __GSHandlerCheckCommon (07FFDD015C170h)  
00007FFDD015C163  mov         eax,1  
00007FFDD015C168  add         rsp,28h  
00007FFDD015C16C  ret  
00007FFDD015C16D  int         3  
00007FFDD015C16E  int         3  
00007FFDD015C16F  int         3  
__GSHandlerCheckCommon:
00007FFDD015C170  push        rbx  
00007FFDD015C172  mov         r11d,dword ptr [r8]  
00007FFDD015C175  mov         rbx,rdx  
00007FFDD015C178  and         r11d,0FFFFFFF8h  
00007FFDD015C17C  mov         r9,rcx  
00007FFDD015C17F  test        byte ptr [r8],4  
00007FFDD015C183  mov         r10,rcx  
00007FFDD015C186  je          __GSHandlerCheckCommon+2Bh (07FFDD015C19Bh)  
00007FFDD015C188  mov         eax,dword ptr [r8+8]  
00007FFDD015C18C  movsxd      r10,dword ptr [r8+4]  
00007FFDD015C190  neg         eax

00007FFDD015C163 as current position.

On continue I get:
Ausnahmefehler bei 0x00007FFDCDB89E53 (user32.dll) in TOTALCMD64.EXE: 0xC0000005: Zugriffsverletzung beim Lesen an Position 0xFFFFFFFFC28758B0

Post by *ghisler(Author) » 2017-10-12, 10:37 UTC

The path length seems to be a factor.

So can you give me a problematic path name, please?

ZoSTeR · Post by *ZoSTeR » 2017-10-12, 16:15 UTC

I could provoke it two times with this path right after TC starts. After that it worked for about 20 times. I can't tell if it's really relevant.

Code: Select all

"e:\JDownloads\Some.Random.Pathname.withn.9010.+5.1-234.345-test\windows.rar"

If there's any debugger or other technique to help it narrow down please tell me.

Post by *ghisler(Author) » 2017-10-12, 16:41 UTC

How did you switch there to get the crash? Did you double click on windows.rar while in Some.Random.Pathname.withn.9010.+5.1-234.345-test? Or did you use a button or similar to go directly to the RAR?

ZoSTeR · Post by *ZoSTeR » 2017-10-12, 17:18 UTC

I'm not copying/moving from within in the Rar file if that's what you're asking. It could be "windows.txt" aswell. I'm navigating to the file by normal means, keyboard most of the time.

I'll be running TC with procdump in the background.

Code: Select all

procdump64.exe -e 1 -f "" -x c:\dumps "C:\Totalcmd\TOTALCMD64.EXE"

Hopefully I'll get crash-dump tonight.

Post by *ghisler(Author) » 2017-10-13, 10:04 UTC

I have analyzed the stack trace now - TC just calls SendMessage with WM_COMMAND message and lparam set to a pointer to the target path. The message is sent to the background copy window. There is absolutely NO reason why this would crash or hang, so I cannot do anything about this crash, sorry.

Post by *ghisler(Author) » 2017-10-15, 07:28 UTC

I'm still trying to find out why this is happening.

You wrote:

I've noticed there's a background window just with the top row of buttons

Could you please:
1. Check in wincmd.ini in the section for your screen resolution (e.g. [1920x1080... ) for the line btmDY= what value does it show?
2. Try menu Commands - Background transfer manager: Can you resize the window so it shows more than the title?
3. Can you now add the rar to it with F5 - F2 without causing a crash?

Thanks!

ZoSTeR · Post by *ZoSTeR » 2017-10-15, 11:12 UTC

I only got that window after a crash so I can't interact with it. The BTM window looks normal when it doesn't crash.

btmDY was not set.

I've been running TC with ProcDump the last couple of days but could not reproduce the error.

ZoSTeR · Post by *ZoSTeR » 2017-10-17, 17:43 UTC

I think we can close this for now.
I've had no problems with RC2 so far.