[MS] The case of the crash on a null pointer even though we checked it for null - devamazonaws.blogspot.com

A colleague was investigating a crash. The stack at the point of the crash looks like this:

contoso!winrt::impl::consume_Windows_Foundation_Collections_IVectorView<
            winrt::Windows::Foundation::Collections::IVectorView<int>,
            int>::Size+0x30
contoso!winrt::Contoso::implementation::Widget::
            InitializeNodesAsync$_ResumeCoro$1+0x2bc
contoso!wil::details::coro::apartment_resumer::resume_apartment_callback+0x28
combase!CRemoteUnknown::DoCallback+0x34
combase!CRemoteUnknown::DoNonreentrantCallback+0x48
rpcrt4!Invoke+0x64
rpcrt4!InvokeHelper+0x130
rpcrt4!Ndr64StubWorker+0x6cc
rpcrt4!NdrStubCall3+0xdc
combase!CStdStubBuffer_Invoke+0x6c
combase!ObjectMethodExceptionHandlingAction<⟦...⟧>+0x48
combase!DefaultStubInvoke+0x2b8
combase!SyncServerCall::StubInvoke+0x40
combase!StubInvoke+0x170
combase!ServerCall::ContextInvoke+0x3c4
combase!ReentrantSTAInvokeInApartment+0x1fc
combase!ComInvokeWithLockAndIPID+0xcc4
combase!ThreadDispatch+0x514
combase!ThreadWndProc+0x1b4
user32!UserCallWinProcCheckWow+0x180
user32!DispatchMessageWorker+0x130

If we look at the point of the fault:

0:001>  r
Last set context:
 x0=0000000000000000   x1=00000053af4fdf78   x2=0000017b4f7e6380   x3=0000000000000000
 x4=6597e92abf947185   x5=857194bf2ae99765   x6=857194bf2ae99765   x7=0000017b4f700000
 x8=00007ff85b11ce40   x9=0000000000000001  x10=0000006700000000  x11=0000000000000000
x12=fffffffffff00000  x13=0000000000000000  x14=0000000000000000  x15=000000000000000b
x16=00007ff8d4fd44a0  x17=ffff68553f08a1c6  x18=00007ff8d0bc0000  x19=0000017b4c834de0
x20=0000000000000000  x21=00007ff8d45cd188  x22=00007ff8d45cd188  x23=00007ff8d45cd150
x24=0000017b31196930  x25=00000053af4fdfa0  x26=00000053af4fe580  x27=0000000000000010
x28=0000000000000000   fp=00000053af4fdf90   lr=00007ff85af448cc   sp=00000053af4fdf60
 pc=00007ff85af448f0  psr=80001040 N--- EL0
contoso!winrt::impl::consume_Windows_Foundation_Collections_IVectorView<
    winrt::Windows::Foundation::Collections::IVectorView<int>,
    int>::Size+0x30:
00007ff8`5af448f0 f9400008 ldr         x8,[x0]

we see that we are crashing on a null pointer (x0).

The function is a C++/WinRT consume_, which is just a projection of the underlying COM call. The COM call is performed by reading the vtable pointer from the object, reading the function pointer from the vtable, and then calling the function.

The fact that we are reading from x0 (the inbound and outbound parameter slot) means that this is almost certainly reading the vtable pointer from the object: We want the COM pointer in x0 for the outbound call, so the obvious thing to do is to leave it there while you read the vtable pointer from it.

We can confirm this by reading the disassembly.

0:001> u .-30 .
contoso!winrt::impl::consume_Windows_Foundation_Collections_IVectorView<
    winrt::Windows::Foundation::Collections::IVectorView<int>,
    int>::Size+0x30:
00007ff8`5af448c0 stp         fp,lr,[sp,#-0x10]!   ; build stack frame
00007ff8`5af448c4 mov         fp,sp
00007ff8`5af448c8 bl          contoso!__security_push_cookie (00007ff8`5ab91050)
00007ff8`5af448cc sub         sp,sp,#0x20
00007ff8`5af448d0 mov         w8,#0x1E4
00007ff8`5af448d4 ldr         x0,[x0]              ; fetch the COM pointer
00007ff8`5af448d8 str         wzr,[sp,#0x18]
00007ff8`5af448dc str         w8,[sp]
00007ff8`5af448e0 adrp        x8,contoso!`string'+0x10 (00007ff8`5b11c000)
00007ff8`5af448e4 add         x8,x8,#0xE40
00007ff8`5af448e8 stp         x8,xzr,[sp,#8]
00007ff8`5af448ec add         x1,sp,#0x18
00007ff8`5af448f0 ldr         x8,[x0]              ; read the vtable

(The other code is recording the line number and file name for diagnostic purposes.)

Okay, so we are calling IVectorView<T>::Size on a null pointer.

Let's see whose idea that is.

Here's the caller:

winrt::IAsyncAction Widget::InitializeNodesAsync()
{
    auto lifetime = get_strong();
    std::optional<winrt::IVectorView<int32_t>> numbers;
    co_await winrt::resume_background();
    CallWithRetry([&] {
        numbers = GetMagicNumbers();
    });

    if (numbers == nullptr)
    {
        co_return;
    }

    co_await winrt::resume_foreground(m_uithread);

    std::vector<winrt::Node> nodes;
    nodes.reserve((*numbers).Size()); // ← CRASH HERE

The crash inside consume_ tells us that (*numbers) is null. Let's see if we can confirm that in the debugger.

First, we have to find numbers.

0:001> dv /V
@x19              @x19        __coro_frame_ptr = 0x0000017b`4c834de0
00000000`00000088 @x25+0x0590         lifetime = struct winrt::com_ptr<
                                                     winrt::Contoso::implementation::Widget>
00000000`000000e8 @x25+0x0590            nodes = class std::vector<int>
00000000`000000d8 @x25+0x0590          numbers = class std::optional<winrt::Windows::Foundation::
                                                     Collections::IVectorView<int> >
⟦ ... ⟧

The debugger says that numbers is at @x25+0x0590, and that this calculates out to 00000000`000000d8, which is nonsense. So we can't really trust that calculation.

Let's see what the code uses. We disassemble backward from the return address.

0:001> k2
Child-SP          RetAddr           Call Site
00000053`af4fdf60 00007ff8`5b059c8c contoso!winrt::impl::consume_Windows_Foundation_Collections_IVectorView<
                                        winrt::Windows::Foundation::Collections::IVectorView<int>,
                                        int>::Size+0x30
00000053`af4fdfa0 00007ff8`5abc5108 contoso!winrt::Contoso::implementation::Widget::
                                        InitializeNodesAsync$_ResumeCoro$1+0x2bc

We read the return address from the function one deeper on the stack, giving us 00007ff8`5b059c8c.

00007ff8`5b059c84 add  x0,x19,#0xD8 // ← setting up the call to consume_
00007ff8`5b059c88 bl   contoso!winrt::impl::consume_Windows_Foundation_Collections_IVectorView<
                           winrt::Windows::Foundation::Collections::IVectorView<int>,
                           int>::Size
00007ff8`5b059c8c uxtw x1,w0

From the disassembly, we see that the compiler stored the IVector part of the numbers at offset 0xD8 from the coroutine frame, which is in x19.

We can pluck the coroutine frame from the dv output, or we can ask the debugger to restore the nonvolatile registers for us (which includes x19):

0:001> .frame /c 2
0:001> dps @x19+0xd8
0000017b4c834eb8  0000000000000000 // <<<<< the stored IVector 0000017b4c834ec0 0000017b4ff78400

We can ask the debugger for the layout of the std::optional so we can see the full numbers.

I copied the type name from the earlier dv output.

0:001> dt contoso!std::optional<winrt::Windows::Foundation::Collections::IVectorView<int> >
   +0x000 _Dummy           : std::_Nontrivial_dummy_type
   +0x000 _Value           : winrt::Windows::Foundation::Collections::IVectorView<int>
   +0x008 _Has_value       : Bool

Okay, so the value is kept at offset zero, and the _Has_value is at offset 8.

We can eyeball from the earlier dps command that the _Value is nullptr, and the _Has_value is false. (Little-endian means that the single bool is in the least significant byte of the 8-byte value.)

Or we can ask the debugger to interpret it for us.

0:001> dt contoso!std::optional<winrt::Windows::Foundation::Collections::IVectorView<int> > @x19+0xd8
   +0x000 _Dummy           : std::_Nontrivial_dummy_type
   +0x000 _Value           : winrt::Windows::Foundation::Collections::IVectorView<int>
   +0x008 _Has_value       : 0

Okay, so the numbers has no value.

But wait, our code checked for that!

        if (numbers == nullptr)
        {
            co_return;
        }

Why didn't that work?

Because that's not how std::optional works.

The std::optional is a sum type of T with a special value called std::nullopt. If you compare a std::optional against anything that isn't std::nullopt, then you are checking if the std::optional has a value that matches the value you are comparing against.

std::optional holds compared with
std::nullopt Y
std::nullopt true false
X false X == Y

For the purposes of comparison, an empty std::optional is treated as if it had the value std::nullopt, which is a value distinct from the value values of T.

Therefore, writing if (numbers == nullptr) means "if numbers has a value that is equal to nullptr".

But in this case, numbers has no value, so the comparison fails, and we fall through.

Then we dereference the *numbers, which is specified to retrieve the wrapped value, and it is undefined behavior if the numbers has no value.

In our case, the numbers indeed has no value, so we have entered the world of undefined behavior. In practice, what happens is that we read whatever is in _Value, and we saw in the debugger, that _Value holds a null pointer. We then try to call Size() on a null pointer and crash.

One fix is to change the test from if (numbers == nullptr) to if (!numbers.has_value()) to ask whether the numbers is empty.

But this is working too hard.

The use of std::optional*<T> was itself unnecessary. There is already a natural empty value for IVector, namely nullptr. So we can declare numbers as an IVector, which default-initializes to nullptr, and then check whether it is still nullptr after we try (and possibly fail) to get a value.

winrt::IAsyncAction Widget::InitializeNodesAsync()
{
    auto lifetime = get_strong();
    winrt::IVectorView<int32_t> numbers; // remove std::optional
    co_await winrt::resume_background();
    CallWithRetry([&] {
        numbers = GetMagicNumbers();
    });

    if (numbers == nullptr)
    {
        co_return;
    }

    co_await winrt::resume_foreground(m_uithread);

    std::vector<winrt::Node> nodes;
    nodes.reserve(numbers.Size()); // remove the *

    ⟦...⟧

This change also covers the case where GetMagicNumbers succeeds but returns a null pointer.

In practice, GetMagicNumbers never returns a null pointer because it knows that the empty set is not the same as no set at all. The original code was testing against something that never happens.


Post Updated on September 05, 2025 at 03:00PM
Thanks for reading
from devamazonaws.blogspot.com

Comments

Post a Comment

Popular posts from this blog

Scenarios capability now generally available for Amazon Q in QuickSight - devamazonaws.blogspot.com

Today, AWS announces the general availability of the scenarios capability of Amazon Q in QuickSight. Amazon Q guides you through data analysis by uncovering hidden trends, making recommendations for your business, and intelligently suggesting next steps for deeper exploration—all in response to natural language interactions. Now anyone can explore past trends, forecast future scenarios, and model solutions without needing specialized skill, analyst support, or manual manipulation of data in spreadsheets. With its intuitive interface and step-by-step guidance, the scenarios capability of Amazon Q in QuickSight helps users perform complex data analysis up to 10x faster than spreadsheets. Whether you're optimizing marketing budgets, streamlining supply chains, or analyzing investments, Amazon Q makes advanced data analysis accessible so you can make data-driven decisions across your organization. This capability is accessible from any Amazon QuickSight dashboard, so you can move seam...
Read more

Research and Engineering Studio on AWS Version 2024.08 now available - devamazonaws.blogspot.com

Today we’re excited to announce Research and Engineering Studio (RES) on AWS Version 2024.08. This release adds new features such as Amazon S3 bucket mountpoints for Linux, allows creation of custom user roles and permission profiles, and offers the ability to adjust the list of Amazon EC2 instances available to launch as virtual desktops. Amazon S3 mountpoints allow Linux desktops to access S3 buckets as a file system. Amazon S3 buckets are created using the AWS Console or AWS CLI and onboarded to RES by administrators using the S3 Buckets page in the web portal. You can mount buckets in either Read Only or Read/Write mode. Read/Write buckets have an optional setting to restrict data access by project, or both project and user. RES can also mount S3 buckets from other AWS accounts with the proper permissions. Custom permission profiles allow administrators to create unique permissions and assign them to users or groups. Start by modifying the default Project Member and Project Ow...
Read more

Amazon EC2 C6id instances are now available in AWS Europe (Paris) region - devamazonaws.blogspot.com

Starting today, Amazon Elastic Compute Cloud (Amazon EC2) C6id instances are available in Europe (Paris) Region. These instances are powered by 3rd generation Intel Xeon Scalable Ice Lake processors with an all-core turbo frequency of 3.5 GHz and up to 7.6 TB of local NVMe-based SSD block-level storage. C6id instances are built on AWS Nitro System , a combination of dedicated hardware and lightweight hypervisor, which delivers practically all of the compute and memory resources of the host hardware to your instances for better overall performance and security. Customers can take advantage of access to high-speed, low-latency local storage to scale performance of applications such data logging, distributed web-scale in-memory caches, in-memory databases, and real-time big data analytics. These instances are generally available today in the US West (Oregon), US East (Ohio, N. Virginia), Canada (Central), Canada West (Calgary), AWS GovCloud (US-West), Mexico (Central), South America (...
Read more