Duane Clark wrote:
I am trying to track down a crash when exiting an application. Here is what I think are relevant parts of the trace. Does it appear that I am in the right area? Any hints on how to proceed would be appreciated.
I think the problem comes down to this. The application explicitly destroys the imagelist that belongs to a listview:
08073208:Call comctl32.ImageList_Destroy(41691ba0) ret=005027f5 ...
That area is then freed. When freed, COMCTL32_Free writes prev and next entries into himl.
trace:commctrl:COMCTL32_Free (0x41691ba0)
trace:heap:RtlFreeHeap (0x41690000,00000002,41691ba0): returning TRUE
08073208:Ret comctl32.ImageList_Destroy() retval=00000001 ret=005027f5
...
Then LISTVIEW_NCDestroy is called.
trace:listview:LISTVIEW_NCDestroy ()
trace:listview:LISTVIEW_DeleteAllItems ()
trace:commctrl:DPA_DeleteAllPtrs (0x41690d98)
...
trace:listview:notify_hdr <= 0
trace:listview:LISTVIEW_NCDestroy Start destroying data structures.
...
The listview does not know that the imagelist was already destroyed, so it again calls ImageList_Destroy.
trace:listview:LISTVIEW_NCDestroy Start destroying image lists.
08073208:Call gdi32.DeleteObject(aaaaaaaa) ret=409fcadd
08073208:Ret gdi32.DeleteObject() retval=00000000 ret=409fcadd
08073208:Call gdi32.DeleteObject(aaaaaaaa) ret=409fcaea
08073208:Ret gdi32.DeleteObject() retval=00000000 ret=409fcaea
08073208:Call gdi32.DeleteObject(aaaaaaaa) ret=409fcaf7
08073208:Ret gdi32.DeleteObject() retval=00000000 ret=409fcaf7
08073208:Call gdi32.DeleteObject(aaaaaaaa) ret=409fcb04
08073208:Ret gdi32.DeleteObject() retval=00000000 ret=409fcb04
At the end of ImageList_Destroy, there is a call to ZeroMemory, which obliterates the prev and next pointers which had been written there. Then another COMCTL32_Free call detects the error. At least I assume it is an error.
trace:commctrl:COMCTL32_Free (0x41691ba0)
err:heap:HEAP_ValidateFreeArena Heap 41690000: bad next ptr 00000000 for arena 41691b98
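
The sequence described in the post above, as an added example that is not part of the original message and is not Wine's code: a toy heap that keeps its free-list links inside the freed block, a destroy routine that zeroes the structure before freeing it, and a guarded variant that refuses a stale handle. All names here (toy_imagelist, TOY_MAGIC, destroy_checked and the rest) are hypothetical, and the tag check is an assumed mitigation, not a fix taken from the thread.

```c
#include <stdio.h>
#include <string.h>

/* Toy model, constructed for illustration; not Wine's heap or comctl32 code. */
typedef struct free_links { struct free_links *next, *prev; } free_links;
typedef struct { unsigned magic; int bitmaps[4]; } toy_imagelist;
typedef union { toy_imagelist il; free_links links; } block;
#define TOY_MAGIC 0x544F5949u   /* hypothetical tag; odd, unlike an aligned pointer */

static free_links free_head;    /* sentinel of a circular free list */
static block slot;              /* the single heap block in this model */

static block *toy_create(void) {
    free_head.next = free_head.prev = &free_head;
    memset(&slot, 0, sizeof slot);
    slot.il.magic = TOY_MAGIC;
    return &slot;
}

/* Walk the free list; a NULL link is the "bad next ptr" condition. */
static int heap_ok(void) {
    for (free_links *l = free_head.next; l != &free_head; l = l->next)
        if (l->next == NULL) return 0;
    return 1;
}

/* Free validates first, then stores the list links inside the freed block. */
static int toy_free(block *b) {
    if (!heap_ok()) return 0;
    b->links.next = free_head.next; b->links.prev = &free_head;
    free_head.next->prev = &b->links; free_head.next = &b->links;
    return 1;
}

/* Destroy as described in the post: zero the structure, then free it. */
static int destroy_unchecked(block *b) {
    memset(&b->il, 0, sizeof b->il);   /* on a second call this wipes the links */
    return toy_free(b);
}

/* Guarded variant: reject a handle whose tag is gone before writing to it. */
static int destroy_checked(block *b) {
    if (b == NULL || b->il.magic != TOY_MAGIC) return 0;
    return destroy_unchecked(b);
}

int main(void) {
    block *b = toy_create();
    int first = destroy_unchecked(b), second = destroy_unchecked(b);
    printf("unchecked: %d %d heap_ok=%d\n", first, second, heap_ok());
    b = toy_create();
    first = destroy_checked(b); second = destroy_checked(b);
    printf("checked:   %d %d heap_ok=%d\n", first, second, heap_ok());
    return 0;
}
```

The tag check still reads memory that has already been freed, so it only narrows the window; the owner of the handle has to be unambiguous for the double destroy to go away.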