Igor R.
2010-01-25 18:39:34 UTC
Hello,
In my application I use to "post" a pointer to a dynamically allocated
boost::function (I guess it could be tr1::function as well) to a
hidden window in the following manner (WinXP, MSVC9.0):
typedef boost::function<void(void)> Functor;
#define AM_FUNCTOR (WM_USER+79)
// called from some "worker" thread
void MyObject::post(const Functor &func)
{
Functor *f = new Functor(func);
PostMessage(hWind_, AM_FUNCTOR, 0, reinterpret_cast<LPARAM>(f));
}
// Window procedure, called from the window thread
LRESULT CALLBACK WndProc(HWND hwnd, UINT msg, WPARAM wParam, LPARAM
lParam)
{
switch(msg)
{
case AM_FUNCTOR:
{
Functor *f = reinterpret_cast<Functor *>(lParam);
(*f)();
delete f;
}
//....
}
MyObject::post() is called several times per second. The Functor
always contains a result of bind() with smart pointers only.
Sometimes - but *very* rarely - the line "delete f" causes a crash
(Access violation reading location 0xfeeefef6).
The application is compiled with /Ox /GL, linked with /LTCG.
What could be wrong with this code? Do I miss something obvious?
The assembly code around the crash looks like this:
100134C9 mov esi,dword ptr [esi+0Ch]
100134CC test esi,esi
100134CE je
boost::detail::function::functor_manager_common::manage_small+9Eh
100134D0 mov eax,dword ptr [esi]
100134D2 mov ecx,dword ptr [eax+8] // CRASHES HERE, as eax ==
0xfeeefeee
100134D5 push esi
100134D6 call ecx
I understand that feeefeee means that the block was already freed, but
I can't realize how it's possible. Afterall, the same message cannot
be processed twice!
In my application I use to "post" a pointer to a dynamically allocated
boost::function (I guess it could be tr1::function as well) to a
hidden window in the following manner (WinXP, MSVC9.0):
typedef boost::function<void(void)> Functor;
#define AM_FUNCTOR (WM_USER+79)
// called from some "worker" thread
void MyObject::post(const Functor &func)
{
Functor *f = new Functor(func);
PostMessage(hWind_, AM_FUNCTOR, 0, reinterpret_cast<LPARAM>(f));
}
// Window procedure, called from the window thread
LRESULT CALLBACK WndProc(HWND hwnd, UINT msg, WPARAM wParam, LPARAM
lParam)
{
switch(msg)
{
case AM_FUNCTOR:
{
Functor *f = reinterpret_cast<Functor *>(lParam);
(*f)();
delete f;
}
//....
}
MyObject::post() is called several times per second. The Functor
always contains a result of bind() with smart pointers only.
Sometimes - but *very* rarely - the line "delete f" causes a crash
(Access violation reading location 0xfeeefef6).
The application is compiled with /Ox /GL, linked with /LTCG.
What could be wrong with this code? Do I miss something obvious?
The assembly code around the crash looks like this:
100134C9 mov esi,dword ptr [esi+0Ch]
100134CC test esi,esi
100134CE je
boost::detail::function::functor_manager_common::manage_small+9Eh
100134D0 mov eax,dword ptr [esi]
100134D2 mov ecx,dword ptr [eax+8] // CRASHES HERE, as eax ==
0xfeeefeee
100134D5 push esi
100134D6 call ecx
I understand that feeefeee means that the block was already freed, but
I can't realize how it's possible. Afterall, the same message cannot
be processed twice!