Discussion:
Posting a functor to a window - strange rare crash.
(too old to reply)
Igor R.
2010-01-25 18:39:34 UTC
Permalink
Hello,

In my application I use to "post" a pointer to a dynamically allocated
boost::function (I guess it could be tr1::function as well) to a
hidden window in the following manner (WinXP, MSVC9.0):

typedef boost::function<void(void)> Functor;
#define AM_FUNCTOR (WM_USER+79)

// called from some "worker" thread
void MyObject::post(const Functor &func)
{
Functor *f = new Functor(func);
PostMessage(hWind_, AM_FUNCTOR, 0, reinterpret_cast<LPARAM>(f));
}

// Window procedure, called from the window thread
LRESULT CALLBACK WndProc(HWND hwnd, UINT msg, WPARAM wParam, LPARAM
lParam)
{
switch(msg)
{
case AM_FUNCTOR:
{
Functor *f = reinterpret_cast<Functor *>(lParam);
(*f)();
delete f;
}
//....
}

MyObject::post() is called several times per second. The Functor
always contains a result of bind() with smart pointers only.
Sometimes - but *very* rarely - the line "delete f" causes a crash
(Access violation reading location 0xfeeefef6).
The application is compiled with /Ox /GL, linked with /LTCG.

What could be wrong with this code? Do I miss something obvious?

The assembly code around the crash looks like this:

100134C9 mov esi,dword ptr [esi+0Ch]
100134CC test esi,esi
100134CE je
boost::detail::function::functor_manager_common::manage_small+9Eh
100134D0 mov eax,dword ptr [esi]
100134D2 mov ecx,dword ptr [eax+8] // CRASHES HERE, as eax ==
0xfeeefeee
100134D5 push esi
100134D6 call ecx

I understand that feeefeee means that the block was already freed, but
I can't realize how it's possible. Afterall, the same message cannot
be processed twice!
Igor R.
2010-01-26 10:25:40 UTC
Permalink
The issue has been solved.

Just for the record: it arose due the "internals" of my functor (a
CComPtr was bound to the functor, and a race-condition occured between
its copies, because it wasn't set-up to be thread-safe).

Sorry for the noise.

Loading...