SIGSEGV when dragging tabs in DirectUI::ListViewBase::OnDragGesture

[zadjii-msft]

Internal ticket: MSFT-44200802

This crash occurs because OnDragGesture schedules a callback to run when the drag operation ends but fails to check if the DXamlCore instance is already gone (= nullptr). This leads to random crashes when dragging the last remaining tab of a window into a different window, because closing a window means destroying its DXamlCore at some random later point. The crash rate seems to be about ~25%, which is really not good.

The full stack trace:

Windows.UI.Xaml.dll!DirectUI::ListViewBase::OnDragGesture::__l118::<lambda>(Windows::Foundation::IAsyncOperation<enum Windows::ApplicationModel::DataTransfer::DataPackageOperation> * pAsyncOp, ABI::Windows::Foundation::AsyncStatus status) Line 193	C++
Windows.UI.Xaml.dll!Microsoft::WRL::Details::DelegateArgTraits<long (__cdecl Windows::Foundation::IAsyncOperationCompletedHandler_impl<enum Windows::ApplicationModel::DataTransfer::DataPackageOperation>::*)(Windows::Foundation::IAsyncOperation<enum Windows::ApplicationModel::DataTransfer::DataPackageOperation> *,enum ABI::Windows::Foundation::AsyncStatus)>::DelegateInvokeHelper<Windows::Foundation::IAsyncOperationCompletedHandler<enum Windows::ApplicationModel::DataTransfer::DataPackageOperation>,HRESULT <lambda>(Windows::Foundation::IAsyncOperation<enum Windows::ApplicationModel::DataTransfer::DataPackageOperation> *, ABI::Windows::Foundation::AsyncStatus),-1,Windows::Foundation::IAsyncOperation<enum Windows::ApplicationModel::DataTransfer::DataPackageOperation> *,enum ABI::Windows::Foundation::AsyncStatus>::Invoke(Windows::Foundation::IAsyncOperation<enum Windows::ApplicationModel::DataTransfer::DataPackageOperation> * <args_0>, ABI::Windows::Foundation::AsyncStatus <args_1>) Line 354	C++
Windows.UI.Xaml.dll!Microsoft::WRL::AsyncBase<Windows::Foundation::IAsyncOperationCompletedHandler<enum Windows::ApplicationModel::DataTransfer::DataPackageOperation>,Microsoft::WRL::Details::Nil,1,Microsoft::WRL::AsyncOptions<-1,0,&GUID_CAUSALITY_WINDOWS_PLATFORM_ID,2>>::FireCompletion() Line 780	C++
Windows.UI.Xaml.dll!DirectUI::StartDragAsyncOperation::Invoke(Windows::Foundation::IAsyncOperation<enum Windows::ApplicationModel::DataTransfer::DataPackageOperation> * pAsyncOp, ABI::Windows::Foundation::AsyncStatus status) Line 274	C++
rpcrt4.dll!Invoke()
rpcrt4.dll!Ndr64StubWorker()
rpcrt4.dll!NdrStubCall3()
combase.dll!CStdStubBuffer_Invoke(IRpcStubBuffer * This, tagRPCOLEMESSAGE * prpcmsg, IRpcChannelBuffer * pRpcChannelBuffer) Line 1479	C++
[Inline Frame] combase.dll!InvokeStubWithExceptionPolicyAndTracing::__l6::<lambda_c9f3956a20c9da92a64affc24fdd69ec>::operator()() Line 1151	C++
combase.dll!ObjectMethodExceptionHandlingAction<<lambda_c9f3956a20c9da92a64affc24fdd69ec>>(InvokeStubWithExceptionPolicyAndTracing::__l6::<lambda_c9f3956a20c9da92a64affc24fdd69ec> action, ObjectMethodExceptionHandlingInfo * pExceptionHandlingInfo, ExceptionHandlingResult * pExceptionHandlingResult, void *) Line 94	C++
[Inline Frame] combase.dll!InvokeStubWithExceptionPolicyAndTracing(IRpcStubBuffer * pMsg, tagRPCOLEMESSAGE *) Line 1149	C++
combase.dll!DefaultStubInvoke(bool bIsAsyncBeginMethod, IServerCall * pServerCall, IRpcChannelBuffer * pChannel, IRpcStubBuffer * pStub, unsigned long * pdwFault) Line 1218	C++
combase.dll!SyncServerCall::StubInvoke(IRpcChannelBuffer * pChannel, IRpcStubBuffer * pStub, unsigned long * pdwFault) Line 791	C++
[Inline Frame] combase.dll!StubInvoke(tagRPCOLEMESSAGE * pMsg, const _GUID &) Line 1483	C++
combase.dll!ServerCall::ContextInvoke(tagIPIDEntry * ipidEntry) Line 1421	C++
[Inline Frame] combase.dll!DefaultInvokeInApartment(ServerCall *) Line 3257	C++
combase.dll!ReentrantSTAInvokeInApartment(ServerCall * serverCall, tagIPIDEntry * ipidEntry) Line 110	C++
combase.dll!ComInvokeWithLockAndIPID(ServerCall * pServerCall, tagIPIDEntry * pIPIDEntry) Line 2152	C++
combase.dll!ThreadDispatch(ServerCall * pServerCall) Line 1637	C++
combase.dll!ThreadWndProc(HWND__ * window, unsigned int message, unsigned __int64 wparam, __int64 params) Line 720	C++
user32.dll!UserCallWinProcCheckWow()
user32.dll!DispatchMessageWorker()
[Inline Frame] combase.dll!CCliModalLoop::MyDispatchMessage(tagMSG *) Line 2959	C++
combase.dll!CCliModalLoop::PeekRPCAndDDEMessage() Line 2563	C++
combase.dll!CCliModalLoop::BlockFn(void * * ahEvent, unsigned long cEvents, unsigned long * lpdwSignaled) Line 2055	C++
combase.dll!ModalLoop(CSyncClientCall * pClientCall) Line 169	C++
combase.dll!ClassicSTAThreadDispatchCrossApartmentCall(tagRPCOLEMESSAGE * pMessage, OXIDEntry * pOXIDEntry, CSyncClientCall * pClientCall) Line 357	C++
[Inline Frame] combase.dll!CSyncClientCall::SwitchAptAndDispatchCall(tagRPCOLEMESSAGE * pMessage) Line 5691	C++
combase.dll!CSyncClientCall::SendReceive2(tagRPCOLEMESSAGE * pMessage, unsigned long * pstatus) Line 5297	C++
combase.dll!SyncClientCallRetryContext::SendReceiveWithRetry(tagRPCOLEMESSAGE * pMsg, unsigned long * pulStatus, ClientCall * pClientCall, bool * pbIsAutoRetry) Line 1502	C++
combase.dll!CSyncClientCall::SendReceiveInRetryContext(SyncClientCallRetryContext * pRetryContext, tagRPCOLEMESSAGE * pMsg, unsigned long * pulStatus) Line 582	C++
combase.dll!ClassicSTAThreadSendReceive(CSyncClientCall * pClientCall, tagRPCOLEMESSAGE * pMsg, unsigned long * pulStatus) Line 564	C++
combase.dll!CSyncClientCall::SendReceive(tagRPCOLEMESSAGE * pMessage, unsigned long * pulStatus) Line 730	C++
combase.dll!CClientChannel::SendReceive(tagRPCOLEMESSAGE * pMessage, unsigned long * pulStatus) Line 659	C++
combase.dll!NdrExtpProxySendReceive(void * pThis, _MIDL_STUB_MESSAGE * pStubMsg) Line 1989	C++
rpcrt4.dll!NdrpClientCall3()
combase.dll!ObjectStublessClient(void * ParamAddress, __int64 * FloatRegisters, long Method) Line 366	C++
combase.dll!ObjectStubless() Line 176
combase.dll!CObjectContext::InternalContextCallback(HRESULT(*)(void *) pfnCallback, void * pParam, const _GUID & riid, int iMethod, IUnknown * pUnk) Line 4329	C++
combase.dll!CAgileReferenceMarshaled::~CAgileReferenceMarshaled() Line 1935	C++
combase.dll!CAgileReferenceMarshaled::`scalar deleting destructor'(unsigned int)	C++
combase.dll!Microsoft::WRL::Details::RuntimeClassImpl<Microsoft::WRL::RuntimeClassFlags<2>,1,0,0,IAgileReference,Microsoft::WRL::FtmBase>::Release() Line 1629	C++
DataExchange.dll!DragDropManager::`scalar deleting destructor'()
DataExchange.dll!DragDropManager::Release(void)
combase.dll!CStdIdentity::ReleaseCtrlUnk::__l5::<lambda>() Line 1408	C++
combase.dll!ObjectMethodExceptionHandlingAction<void <lambda>(void)>(CStdIdentity::ReleaseCtrlUnk::__l5::void <lambda>(void) action, ObjectMethodExceptionHandlingInfo * pExceptionHandlingInfo, ExceptionHandlingResult * pExceptionHandlingResult, void * __formal) Line 135	C++
[Inline Frame] combase.dll!CStdIdentity::ReleaseCtrlUnk(unsigned long) Line 1379	C++
combase.dll!CStdMarshal::DisconnectWorker_ReleasesLock(unsigned long dwType, bool logEventIsActive, CObjectContext * explicitServerContext, bool performCallback) Line 4777	C++
combase.dll!CStdMarshal::Disconnect(unsigned long dwType) Line 4452	C++
combase.dll!CStdIdentity::DecStrongCnt(int fKeepAlive) Line 1183	C++
combase.dll!CStdMarshal::DecStrongAndNotifyAct(tagIPIDEntry * pEntry, unsigned long mshlflags) Line 7786	C++
combase.dll!CStdMarshal::DecSrvIPIDCnt(tagIPIDEntry * pEntry, unsigned long cRefs, unsigned long cPrivateRefs, tagSECURITYBINDING * pName, unsigned long mshlflags) Line 7431	C++
combase.dll!CStdMarshal::ReleaseMarshalObjRef(tagOBJREF & objref) Line 4016	C++
[Inline Frame] combase.dll!ReleaseObjRefSwitch(void *) Line 3840	C++
combase.dll!ReleaseMarshalObjRef(tagOBJREF & objref, EffectiveUnmarshalingPolicy policy) Line 3924	C++
combase.dll!CoReleaseMarshalData(IStream * pStm) Line 2132	C++
twinapi.appcore.dll!RemoveServiceFromMapping(struct IViewServiceIdentity *,struct _GUID const &,enum LifetimeManagerNotificationOptions)
twinapi.appcore.dll!UnregisterAllViewServices(struct IViewServiceIdentity *,enum LifetimeManagerNotificationOptions)
twinapi.appcore.dll!CoreUnregisterAllWindowServices()
twinapi.appcore.dll!CWindowViewServicesLifetimeManager::Rundown(struct IViewServiceIdentity *)
twinapi.appcore.dll!RemoveServiceFromMapping(struct IViewServiceIdentity *,struct _GUID const &,enum LifetimeManagerNotificationOptions)
twinapi.appcore.dll!CoreUnregisterWindowService()
user32.dll!CallWindowServiceCallback(struct HWND__ *)
user32.dll!RealDefWindowProcWorker()
user32.dll!DefWindowProcW()
Windows.UI.dll!Windows::UI::Core::WindowServer::WndProc(struct HWND__ *,unsigned int,unsigned __int64,__int64)
user32.dll!UserCallWinProcCheckWow()
user32.dll!DispatchClientMessage()
user32.dll!__fnDWORD()
ntdll.dll!KiUserCallbackDispatcherContinue()
win32u.dll!NtUserDestroyWindow()
Windows.UI.dll!Windows::UI::Core::WindowServer::Uninitialize(void)
twinapi.appcore.dll!Windows::ApplicationModel::Core::CoreApplicationView::Uninitialize(void)
twinapi.appcore.dll!Windows::ApplicationModel::Core::CoreApplicationViewAgileContainer::CloseNonImmersiveView(void)
twinapi.appcore.dll!Windows::ApplicationModel::Core::CoreApplicationView::CloseNonImmersiveView(void)
Windows.UI.Xaml.dll!DirectUI::WindowsXamlManager::XamlCore::Close() Line 361	C++
[Inline Frame] Windows.UI.Xaml.dll!DirectUI::WindowsXamlManager::EnqueueClose::__l2::<lambda_be02aa0cfe4a665338a4012f1e039571>::operator()() Line 298	C++
Windows.UI.Xaml.dll!Microsoft::WRL::Details::DelegateArgTraits<long (__cdecl Windows::System::IDispatcherQueueHandler::*)(void)>::DelegateInvokeHelper<Microsoft::WRL::Implements<Microsoft::WRL::RuntimeClassFlags<2>,Windows::System::IDispatcherQueueHandler,Microsoft::WRL::FtmBase>,<lambda_be02aa0cfe4a665338a4012f1e039571> &,-1>::Invoke() Line 354	C++
CoreMessaging.dll!Windows::System::DispatcherQueue::DeferInvokeCallback()
CoreMessaging.dll!CFlat::SehSafe::Execute<<lambda_a81ff790741c2a62f2197c2561f5fe49>>()
CoreMessaging.dll!Microsoft::CoreUI::ActionCallback::ImportAdapter$()
CoreMessaging.dll!Microsoft::CoreUI::Dispatch::DeferredCall::Callback_Dispatch()
CoreMessaging.dll!Microsoft::CoreUI::Dispatch::DeferredCallDispatcher::Callback_OnDispatch()
CoreMessaging.dll!Microsoft::CoreUI::Dispatch::EventLoop::Callback_RunCoreLoop()
CoreMessaging.dll!Microsoft::CoreUI::Dispatch::UserAdapter::OnUserDispatch()
CoreMessaging.dll!Microsoft::CoreUI::Dispatch::UserAdapter::DoWork()
CoreMessaging.dll!Microsoft::CoreUI::Dispatch::UserAdapter::WindowProc(struct HWND__ *,unsigned int,unsigned __int64,__int64)
user32.dll!UserCallWinProcCheckWow()
user32.dll!DispatchClientMessage()
user32.dll!__fnDWORD()
ntdll.dll!KiUserCallbackDispatcherContinue()
win32u.dll!NtUserPeekMessage()
user32.dll!_PeekMessage()
user32.dll!PeekMessageW()
WindowsTerminal.exe!WindowThread::RundownForExit() Line 56	C++
WindowsTerminal.exe!WindowEmperor::_createNewWindowThread::__l2::<lambda_1>::operator()() Line 167	C++
WindowsTerminal.exe!std::invoke<`WindowEmperor::_createNewWindowThread'::`2'::<lambda_1>>(WindowEmperor::_createNewWindowThread::__l2::<lambda_1> && _Obj) Line 1577	C++
WindowsTerminal.exe!std::thread::_Invoke<std::tuple<`WindowEmperor::_createNewWindowThread'::`2'::<lambda_1>>,0>(void * _RawVals) Line 56	C++
ucrtbased.dll!thread_start<unsigned int (__cdecl*)(void *),1>(void * const parameter) Line 97	C++
kernel32.dll!BaseThreadInitThunk()
ntdll.dll!RtlUserThreadStart()

Originally posted by @lhecker in #15231 (comment)

[zadjii-msft]

@lhecker Since this is an OS bug I'm taking it out of 1.18. If they come back with a workaround, we can move this back in, but I think we're just gonna have to deal with this one.

[zadjii-msft]

This was fixed internally. We'll see if we can get a backport to Windows 10.

[zadjii-msft]

It doesn't look like there's enough hits in 1.18 Preview (actually, doesn't look like there's any), so I doubt this will get serviced. We can re-evaluate if this comes up when 1.18 hits stable.