[SOLVED] CJ is accessing deleted panes

rdhd
Senior Member
Joined: 13 August 2007
Location: United States
Posted: 05 September 2023 at 12:46pm
We have had a number of customers send us dump files where we have determined that for some reason, it appears CJ is accessing bad memory in docking pane code. We could not tell if it is due to some memory overwrite on our part or some other issue.

Today, I happened to figure out what is going on. When we have a floating docking pane, and the layout gets reloaded, this sequence of events occurs:

CXTPDockingPaneLayout::SetLayout is called.
CXTPDockingPaneLayout::Copy is called.
CXTPDockingPaneLayout::Free is called.
CXTPDockingPane::DeletePane is called. This pane is in a floating docking pane. The pane is in a CXTPDockingPaneTabbedContainer, which is in turn in a CXTPDockingPaneMiniWnd.

As the Free method continues to execute ...

CXTPDockingPaneTabbedContainer::DeletePane is called. This PANE CONTAINS THE BACK POINTER TO THE PREVIOUSLY DELETED PANE.

OnFinalRelease calls DestroyWindow. That in turn causes the docking pane miniwnd to get a call to paint itself, including an OnEraseBkgnd call.

Unfortunately for us, we handle that call and we call GetSelectedPane.

CXTPDockingPaneMiniWnd::GetSelectedPane calls FindPane(xtpPaneTypeTabbedContainer). You can see where this is going :(

CXTPDockingPaneMiniWnd::FindPane still has the m_pTopContainer pointer set. This tabbed container has yet to be deleted.

The tabbed container in turn calls FindPane. This is in the CXTPDockingPaneBaseContainer code. There it calls GetType and its type matches the request for a tabbed container type. So, it calls:

CXTPDockingPaneBaseContainer::IsEmpty(). That object has its own m_lstPanes list. And that list has the pointer to the deleted pane. The result is that the C++ vtable is accessed. KABOOM.

This is "random" in that there is no telling where that memory points to.

Right now, I don't see an easy fix for this. On first glance, it would seem that the way to go about deleting panes should be a top down approach. Delete the mini windows. Delete the tabbed containers. Delete the panes. But, I'm betting this bevy of non add reffed pointers CJ stores means the back pointers to containers will just trigger more of the same.

The pointer checks in CJ code are in place, but the timing is wrong.

Codejock should be able to easily duplicate this issue. Just modify CXTPDockingPaneMiniWnd to implement OnEraseBkgnd. Then, in that method, call GetSelectedPane.
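
The teardown ordering described in the post above, reduced to a small model (an added example, not part of the original post and not Codejock's code or the vendor's fix). `Pane`, `Container`, `PaintHook` and both teardown functions are hypothetical stand-ins; a tombstone flag replaces the real `delete` so the stale list entry can be counted without undefined behaviour.

```cpp
#include <algorithm>
#include <functional>
#include <vector>

// Hypothetical stand-ins, not Codejock classes. "freed" is a tombstone used
// instead of a real delete so the stale entry can be observed without UB.
struct Pane { bool freed = false; };

struct Container {
    std::vector<Pane*> panes;  // non-owning list, like m_lstPanes in the post
    // Entries a re-entrant FindPane/IsEmpty walk would dereference after free.
    int staleEntries() const {
        return static_cast<int>(std::count_if(panes.begin(), panes.end(),
            [](const Pane* p) { return p->freed; }));
    }
};

using PaintHook = std::function<int()>;  // models OnEraseBkgnd -> GetSelectedPane

// Order from the post: panes are freed while the container still lists them,
// then destroying the container's window re-enters through the paint handler.
int teardownPanesFirst(Container& c, const PaintHook& onPaint) {
    for (Pane* p : c.panes) p->freed = true;  // pane deleted, list untouched
    int seen = onPaint();                     // DestroyWindow triggers a paint
    c.panes.clear();
    return seen;
}

// Hardened order: unlink each pane from the list before freeing it, so a
// callback that fires at any step only ever walks live entries.
int teardownUnlinkFirst(Container& c, const PaintHook& onPaint) {
    int seen = 0;
    while (!c.panes.empty()) {
        Pane* p = c.panes.back();
        c.panes.pop_back();   // unlink first
        p->freed = true;      // then free
        seen += onPaint();    // re-entrancy is harmless at every step
    }
    return seen;
}

int staleSeenDuringTeardown(bool hardened) {
    Pane a, b;
    Container c{{&a, &b}};
    PaintHook paint = [&c] { return c.staleEntries(); };
    return hardened ? teardownUnlinkFirst(c, paint) : teardownPanesFirst(c, paint);
}

int main() { return staleSeenDuringTeardown(true); }  // exit code 0: no stale entries
```

In real code each stale entry counted here would be a virtual call through freed memory, which is why the crash looks random in customer dumps.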

agontarenko
Admin Group
Joined: 25 March 2016
Posted: 18 September 2023 at 3:42am
Hello,

I'm glad to inform you that the issue has been addressed and fixed. The fix will be available in the next beta or final release.

Regards,
Artem Gontarenko