Psychic debugging: IP on heap

re: Psychic debugging: IP on heap

Bryan — Wed, 14 Nov 2007 18:45:06 GMT

Here's to looking forward to your next installment of this series.

re: Psychic debugging: IP on heap

Greg D — Wed, 14 Nov 2007 18:58:09 GMT

This is the kind of stuff that they never taught you in school. . .

I like to think that I'd have reached the same conclusion, but I imagine it would have taken me somewhat longer to do so.

re: Psychic debugging: IP on heap

RUF — Wed, 14 Nov 2007 19:18:02 GMT

For the next episode i would like to know your opinion about that kind of hacks in the code

re: Psychic debugging: IP on heap

JS Bangs — Wed, 14 Nov 2007 19:20:13 GMT

This is one of those posts that I initially read with total bewilderment, having no idea what DEP and IP_ON_HEAP meant. I was about to move on to something else when my brain suddenly connected DEP to Data Execution Prevention... which means that IP_ON_HEAP must be Instruction Pointer On Heap. And now the whole article makes sense.

Maybe this will help someone else who doesn't use those abbreviations on a regular basis.

re: Psychic debugging: IP on heap

Skywing — Wed, 14 Nov 2007 19:29:50 GMT

Hmm - it's my understanding that by default, there is emulation support for old style atlthunks enabled ( http://msdn2.microsoft.com/en-us/library/bb736299.aspx ). I do recall something about it being inadvertently disabled in Vista RTM, though.

Did this predate the atlthunk emulation hack, or was the system booted with /noexecute=alwayson ?

re: Psychic debugging: IP on heap

Keithius — Wed, 14 Nov 2007 19:33:52 GMT

-> JS Bangs

Yes, that does help. I was similarly mystified until you made the connection from DEP to Data Execution Prevention. Thank you!

re: Psychic debugging: IP on heap

Erik — Wed, 14 Nov 2007 19:40:40 GMT

"You should be able to determine the cause instantly."

OK, smartypants. I realize this is a Win32 blog and therefore covers many topics beyond my knowledge as a .NET programmer. However, statements like that turn me off. I like to read your blog to learn about the inner workings of the Windows platform. I could do without the cockiness.

[I think knowing the reasons for IP being on the heap is one of the basic things you need to know when you're doing any unmanaged programming (not just Win32). You need to know how the CPU works because in the unmanaged world, there's nobody between you and the CPU. -Raymond]

re: Psychic debugging: IP on heap

codekaizen — Wed, 14 Nov 2007 19:53:24 GMT

Whoa, Erik -

Consider dialing back the edginess a bit. When we only get text, the usual side-band channels of information, like tone, facial-expression and shared setting, are missing. You have to fill them in. I've found it more pleasant to imagine these in a way which conduces to my continual learning and improvement.

I, for one, enjoy a good didactic tone when the subject is obviously mastered by the author. It's just a rhetorical device, and to me it communicates an encouraging poke to wake up and think. When mixed with the right amount of caffeine, it does a fair bit to shift me into high gear in the morning. I started only knowing .Net, too, but after a few years of interpreting Raymond as expecting me to know more, I now do, and am better for it.

re: Psychic debugging: IP on heap

brian — Wed, 14 Nov 2007 20:05:55 GMT

"I, for one, enjoy a good didactic tone when the subject is obviously mastered by the author. It's just a rhetorical device, and to me it communicates an encouraging poke to wake up and think."

I second that. As a .net programmer that only briefly has to touch win32, I read the blog to learn. When Raymond says "It Should Be obvious" it's a challenge. It says to me The Answer is on the page and i ask myself "Can I find it?"

re: Psychic debugging: IP on heap

Matt Green — Wed, 14 Nov 2007 20:09:48 GMT

It's a damn shame that we need to resort to hacks like this in order to properly wrap Win32. Thankfully, almost all of the newer APIs have a context parameter that can be associated with objects.

How does ATL8 fix this, anyway?

re: Psychic debugging: IP on heap

Tim Smith — Wed, 14 Nov 2007 20:33:33 GMT

ALT8 fixes the problem by using PAGE_EXECUTE_READWRITE when allocating the thunk block with VirtualAlloc.

re: Psychic debugging: IP on heap

AsmGuru62 — Wed, 14 Nov 2007 20:44:44 GMT

There is no need to wrap WndProc - can be done perfectly with GetWindowLong() and then calling virtual message routing method.

re: Psychic debugging: IP on heap

Matt Green — Wed, 14 Nov 2007 21:40:08 GMT

I'm fairly certain that some messages are missed with that method, AsmGuru62. Specifically, the pre-create messages.

[Windows doesn't have any "pre-create" messages. How could it? How can you deliver a message to a window that doesn't exist yet? Maybe you're thinking of something else. -Raymond]

re: Psychic debugging: IP on heap

Ugh — Wed, 14 Nov 2007 22:13:20 GMT

"ALT8 fixes the problem by using PAGE_EXECUTE_READWRITE when allocating the thunk block with VirtualAlloc."

Eeeek. Does that mean a heap overwrite or buffer overflow into the thunk block could result in "remote code execution"? Which is what DEP is supposed to protect against?

re: Psychic debugging: IP on heap

name required — Wed, 14 Nov 2007 22:28:13 GMT

"There is no need to wrap WndProc - can be done perfectly with GetWindowLong() and then calling virtual message routing method."

Except when you need to wrap the window which is based on existing class, using GetWindowLong slots already.

[Isn't that why C++ has derived classes? If you're talking about Win32 subclassing, then there's GetProp. -Raymond]

re: Psychic debugging: IP on heap

Erik Madsen — Wed, 14 Nov 2007 22:41:20 GMT

"Consider dialing back the edginess a bit."

Mine was simply a comment on tone. The statement "This was totally obvious to me, but the person who asked the question met it with stunned amazement" seemed gratuitous to me. It serves only to show Raymond's superiority over his colleague. Why do I need to know this? Whereas I do need to know the reasons for IP being on the heap, as Raymond pointed out in his response.

All things considered, I do enjoy reading this blog. I feel I learn something each morning.

[It really should be obvious to an experienced programmer. And I'm assuming an audience of experienced programmers. It says right there what the problem is: IP_ON_HEAP. And it's clear that it was on purpose rather than accidental once you look at the stack trace. -Raymond]

re: Psychic debugging: IP on heap

Evan — Wed, 14 Nov 2007 23:06:55 GMT

I got to the point reading "This was totally obvious to me, but the person who asked the question met it with stunned amazement," and thought for sure that it was going to continue with the asking person getting all indignant that you figured out what they were using, that you were reverse engineering their program and intellectual property, etc.

(I've never done any ATL programming, and didn't know what IP_ON_HEAP meant until this sentence "The fault is IP_ON_HEAP which is precisely what DEP protects against.")

re: Psychic debugging: IP on heap

mh — Wed, 14 Nov 2007 23:18:18 GMT

I see no issue. I didn't know it either, Raymond felt that I should, so now I do.

Result.

re: Psychic debugging: IP on heap

Andy — Wed, 14 Nov 2007 23:23:42 GMT

It's posts like this that are why I love to read this blog so much. Bits of info that you could get no where else in an almost tutorial like form but with more personality than a regular tutorial. I can hardly wait for the second half.

re: Psychic debugging: IP on heap

name required — Wed, 14 Nov 2007 23:25:32 GMT

I was referring to Win32 class, and to AsmGuru62's suggestion to use GetWindowLong to avoid thunking.

re: Psychic debugging: IP on heap

movl — Thu, 15 Nov 2007 00:09:45 GMT

Evan: seconded, that's what gave it all away. But especially the registers dump is pretty baffling.

re: Psychic debugging: IP on heap

Neil — Thu, 15 Nov 2007 01:02:23 GMT

[Windows doesn't have any "pre-create" messages.]

I think he's referring to those messages sent before CreateWindow returns, which won't get subclassed if you SetWindowLongPtr afterwards.

Presumably the thunks avoid having to store pThis as window words or properties?

re: Psychic debugging: IP on heap

Worf — Thu, 15 Nov 2007 09:17:20 GMT

Amazingly, I guessed what the issue was, and was half-right (I figured DEP easily enough - Windows CE's x86 Emulator is incompatible with DEP on a multiprocessor system (but OK on single processor). IP_ON_HEAP had me scratching my head (IP address? Wha?), until I realized it meant "Instruction Pointer" (to which I usually call PC - program counter).

Alas, I do not know ATL, so that baffled me.

All you .NET developers - I'm on the other side of the fence. I know Win32, but the C stuff only. ATL, MFC, COM, OLE, etc baffle me as well. (Last time I coded a GUI, it was all done using CreateWindow - no resource files, no resource editor or other fancy goodies.)

But I enjoy this blog, for it appeals to me - the low-level stuff of Windows. And, no matter how far away you go, sometimes you end up in the muck (like this ATL example - it helps to understand what's really happening behind that pretty face).

re: Psychic debugging: IP on heap

Frederik Slijkerman — Thu, 15 Nov 2007 11:19:15 GMT

By the way, is a thunk much faster than retrieving the 'this' pointer with GetWindowLongPtr(hwnd, GWLP_USERDATA) ? (Assuming that you have stored that previously.)

Or are there other benefits? Because the GWLP method seems to be much easier to me...

re: Psychic debugging: IP on heap

Jonathan — Thu, 15 Nov 2007 11:24:35 GMT

I, too, thought about IP address, and expected a pshychic "0x0100a8c0 = 192.168.0.1" or something.

BTW, identification of this could've been easily added to the debugger - "if IP_ON_HEAP and the stack looks like X then say something about ATL". That would've moved this class of incidents from "psychic debugging by gurus" to a simple "read the helpful debugger output". I think Application Verifier had somehting like that.

re: Psychic debugging: IP on heap

Roman Werpachowski — Thu, 15 Nov 2007 12:40:59 GMT

OP: "Since C++ functions have a hidden this parameter"

Umm, not all of them. Just the class methods.

[I bet you miss the nitpicker's corner. -Raymond]

re: Psychic debugging: IP on heap

Dean Harding — Thu, 15 Nov 2007 13:53:22 GMT

Roman Werpachowski: You must be new here...

No wait, it's probably me that's new here, if I didn't expect a comment like that...

re: Psychic debugging: IP on heap

Name required — Thu, 15 Nov 2007 14:36:54 GMT

Well you know what, in a dozen years of C++ Windows programming the total number of times I've needed to know the reasons for IP being on the heap is exactly:

[Wow, you've never invoked a virtual method on an object that has already been deleted. I wish I were as awesome as you. -Raymond]

re: Psychic debugging: IP on heap

ace — Thu, 15 Nov 2007 17:35:58 GMT

I know how CPU and messages in Windows work, but I'd still be grateful if somebody can explain: why is the thunking in ATL necessary -- which problem is actually solved by it, that can't be solved otherwise?

Interesting Finds: November 15, 2007

Jason Haley — Thu, 15 Nov 2007 17:47:43 GMT

Is DEP on or off on Windows XP Service Pack 2?

The Old New Thing — Thu, 15 Nov 2007 18:10:44 GMT

Why did that IP_ON_HEAP problem show up all of a sudden?

re: Psychic debugging: IP on heap

nick — Thu, 15 Nov 2007 18:23:55 GMT

guys, consider the performance.

of course, you can store the "this" pointer in window user data. but that end up with calling GetWindowLong() repeatedly. don't forget the thousands of message a window proc would process.

there's a wonderful article on this topic in codeproject, but I forget where it is.

raymond, could you tell more about thunk emulation in the next post of the series?

I have ever come across a bug.

the program is based on ATL3. it does run in a DEP enabled PC, the main window shows up. but when calling a function in a dll which creates a new window, the program crashes at that moment.

the main window created successfully is because, i suppose, the thunk emulation. what confused me is why the window created in DLL is out of luck? or did i miss anything?

re: Psychic debugging: IP on heap

AsmGuru62 — Thu, 15 Nov 2007 20:45:51 GMT

GetWindowLong() should be rather quick - it is just an accessing the data via offset, of course HWND must be also verified... still it should be OK to call it every time WndProc is entered. I have it in my library for a lot of years and I did not see any slowdowns.

re: Psychic debugging: IP on heap

Matt Green — Thu, 15 Nov 2007 22:40:58 GMT

Yeah I was thinking of WM_NCCREATE (I always think of it as the "pre-WM_CREATE" message), and I don't think the GetWindowLong() method works for those. Of course, you don't need to use WM_NCCREATE too often.

[Naturally, the first message does the SetWindowLong. Somebody has to do the Set after all. -Raymond]

Psychic debugging...

Eric Gunnerson's C# Compendium — Fri, 16 Nov 2007 00:46:13 GMT

Ray wrote a post entitled " Psychic Debuggin: IP on heap ", where he talks about somebody being amazed

re: Psychic debugging: IP on heap

Amateur — Fri, 16 Nov 2007 00:49:59 GMT

Can someone make a summary what ATL is? I'm not a programmer, but encounter this very often.

[Don't be helpless. Live Search. Google. Yahoo. All of them answer your question on the first page of results. I write for an advanced audience. (Whether I actually have an advanced audience is open to debate.) If you're a beginner, you may want to unsubscribe and switch to a blog that's more suited to your experience. Don't worry. When you become an advanced programmer, this article will still be here for you. -Raymond]

re: Psychic debugging: IP on heap

AsmGuru62 — Fri, 16 Nov 2007 03:25:37 GMT

I pass 'this' with WM_CREATE (lParam points to it in its first DWORD). Not sure what can be done with WM_NCCREATE, which cannot be done with WM_CREATE...

re: Psychic debugging: IP on heap

olde farthe — Fri, 16 Nov 2007 11:08:06 GMT

"Whether I actually have an advanced audience is open to debate."

I wish I was as famous as Raymond, so that I could have a blog, insult my readers, and get away with it.

re: Psychic debugging: IP on heap

Dave — Fri, 16 Nov 2007 21:02:43 GMT

Personally, I love the tone here. This blog makes me smile almost every day, and that's worth the price of admission by itself.

Sarcasm and snarky comments wake up my brain and make the post memorable, improving my chances of remembering the technical details as well.

re: Psychic debugging: IP on heap

MadQ — Sun, 18 Nov 2007 15:23:19 GMT

@Matt Green, AsmGuru62: for overlapped windows, the very first message is actually WM_GETMINMAXINFO. Actually, I think it might be for all windows that don't have the WS_CHILD style, but I'm too lazy right now to write something to find out for sure.

re: Psychic debugging: IP on heap

Name required — Mon, 19 Nov 2007 11:50:21 GMT

"I wish I were as awesome as you"

Don't clap, just throw money.

re: Psychic debugging: IP on heap

Sidebar Willy — Wed, 21 Nov 2007 10:06:27 GMT

"I pass 'this' with WM_CREATE (lParam points to it in its first DWORD). Not sure what can be done with WM_NCCREATE, which cannot be done with WM_CREATE..."

The old Scratch program uses WM_NCCREATE: http://blogs.msdn.com/oldnewthing/archive/2005/04/22/410773.aspx

DEP, NXCOMPAT, .NET 2.0 SP1

All Your Base Are Belong To Us — Fri, 21 Dec 2007 23:38:25 GMT

Yesterday I had an interesting case that I thought of sharing, even though there's nothing very new