A crash destroying imagelists

Duane Clark dclark at akamail.com
Sun Dec 22 13:50:36 CST 2002 

Duane Clark wrote:
> I am trying to track down a crash when exiting an application. Here is 
> what I think are relevant parts of the trace. Does it appear that I am 
> in the right area? Any hints on how to proceed would be appreciated.

I think the problem comes down to this. The application explicitly 
destroys the imagelist that belongs to a listview:

> 08073208:Call comctl32.ImageList_Destroy(41691ba0) ret=005027f5
 > ...

That area is then freed. When freed, COMCTL32_Free writes prev and next 
entries into himl.

> trace:commctrl:COMCTL32_Free (0x41691ba0)
> trace:heap:RtlFreeHeap (0x41690000,00000002,41691ba0): returning TRUE
> 08073208:Ret  comctl32.ImageList_Destroy() retval=00000001 ret=005027f5
 > ...

Then LISTVIEW_NCDestroy is called.

> 
 > trace:listview:LISTVIEW_NCDestroy ()
 > trace:listview:LISTVIEW_DeleteAllItems ()
 > trace:commctrl:DPA_DeleteAllPtrs (0x41690d98)
> ... 
> trace:listview:notify_hdr   <= 0
> trace:listview:LISTVIEW_NCDestroy Start destroying data structures.
> ...

The listview does not know that the imagelist was already destroyed, so 
it again calls ImageList_Destroy.

> trace:listview:LISTVIEW_NCDestroy Start destroying image lists.
> 08073208:Call gdi32.DeleteObject(aaaaaaaa) ret=409fcadd
> 08073208:Ret  gdi32.DeleteObject() retval=00000000 ret=409fcadd
> 08073208:Call gdi32.DeleteObject(aaaaaaaa) ret=409fcaea
> 08073208:Ret  gdi32.DeleteObject() retval=00000000 ret=409fcaea
> 08073208:Call gdi32.DeleteObject(aaaaaaaa) ret=409fcaf7
> 08073208:Ret  gdi32.DeleteObject() retval=00000000 ret=409fcaf7
> 08073208:Call gdi32.DeleteObject(aaaaaaaa) ret=409fcb04
> 08073208:Ret  gdi32.DeleteObject() retval=00000000 ret=409fcb04

At the end of ImageList_Destroy, there is a call to ZeroMemory, which 
obliterates the prev and next pointers which had been written there. 
Then another COMCTL32_Free call detects the error. At least I assume it 
is an error.

> trace:commctrl:COMCTL32_Free (0x41691ba0)
> err:heap:HEAP_ValidateFreeArena Heap 41690000: bad next ptr 00000000 for   arena 41691b98

More information about the wine-devel mailing list