IE crash points to flash plugin when using MSAA/UIA on IE with Flash in the page

New Here, Apr 16, 2014

Hi,

When using a tool such as Inspect to look at IE (in order to design some automation scenario), or while using an automation tool that uses MSAA/UIA to activate IE, every once in a while the user will see IE crashing with the following:

Attempt to execute non-executable address 00000000

PROCESS_NAME:  iexplore.exe
OVERLAPPED_MODULE: Address regions for 'ieapfltr' and 'deploy.dll' overlap
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_PARAMETER1:  00000008
EXCEPTION_PARAMETER2:  00000000
WRITE_ADDRESS:  00000000
FOLLOWUP_IP:
Flash32_13_0_0_182!AdobeCPGetAPI+0
0a54d7b0 b8502fa40a mov     eax,offset Flash32_13_0_0_182!AdobeCPGetAPI+0x4f57a0 (0aa42f50)
FAILED_INSTRUCTION_ADDRESS:
+0
00000000 ?? ???
NTGLOBALFLAG:  0
APPLICATION_VERIFIER_FLAGS:  0
APP:  iexplore.exe
LAST_CONTROL_TRANSFER:  from 00000000 to 6f86a156
ADDITIONAL_DEBUG_TEXT:  Followup set based on attribute [OLE32_SUSPECT_OBJ_PTR] from Frame:[1] on thread:[2128] ; Followup set based on attribute [Is_ChosenCrashFollowupThread] from Frame:[0] on thread:[PSEUDO_THREAD]
FAULTING_THREAD:  ffffffff
BUGCHECK_STR: APPLICATION_FAULT_FTH_ACTIVE_DOUBLEFREE_MULTI_BAD_REFCOUNT_FOR_SZSYMBOL_SOFTWARE_NX_FAULT_NULL
PRIMARY_PROBLEM_CLASS:  FTH_ACTIVE_DOUBLEFREE_MULTI_NULL
DEFAULT_BUCKET_ID:  FTH_ACTIVE_DOUBLEFREE_MULTI_NULL
STACK_TEXT: 
00000000 00000000 flash32_13_0_0_182!AdobeCPGetAPI+0x0
SYMBOL_STACK_INDEX:  0
SYMBOL_NAME:  flash32_13_0_0_182!AdobeCPGetAPI+0
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: Flash32_13_0_0_182
IMAGE_NAME:  Flash32_13_0_0_182.ocx
DEBUG_FLR_IMAGE_TIMESTAMP:  533390a3
STACK_COMMAND:  .ecxr ; kb ; .ecxr ; ~~[2128] ; .frame 1 ; ** Pseudo Context ** ; kb
FAILURE_BUCKET_ID: FTH_ACTIVE_DOUBLEFREE_MULTI_NULL_c0000005_Flash32_13_0_0_182.ocx!AdobeCPGetAPI
BUCKET_ID: APPLICATION_FAULT_FTH_ACTIVE_DOUBLEFREE_MULTI_BAD_REFCOUNT_FOR_SZSYMBOL_SOFTWARE_NX_FAULT_NULL_NULL_IP_flash32_13_0_0_182!AdobeCPGetAPI+0
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/iexplore_exe/9_0_8112_16540/5309896b/unknown/0_0_0_0/bbbbbbb4/c...
Followup: MachineOwner

---------

0:005> lmvm Flash32_13_0_0_182
start    end        module name
09d70000 0ae13000   Flash32_13_0_0_182   (export symbols)       Flash32_13_0_0_182.ocx
    Loaded symbol image file: Flash32_13_0_0_182.ocx
    Image path: C:\Windows\SysWOW64\Macromed\Flash\Flash32_13_0_0_182.ocx
    Image name: Flash32_13_0_0_182.ocx
    Timestamp:        Thu Mar 27 04:44:51 2014 (533390A3)
    CheckSum: 00FB3435
    ImageSize: 010A3000
    File version:     13.0.0.182
    Product version:  13.0.0.182
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        2.0 Dll
    File date: 00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Adobe Systems, Inc.
    ProductName:      Shockwave Flash
    InternalName:     Adobe Flash Player 13.0
    OriginalFilename: Flash.ocx
    ProductVersion:   13,0,0,182
    FileVersion:      13,0,0,182
    FileDescription:  Adobe Flash Player 13.0 r0
    LegalCopyright:   Adobe® Flash® Player. Copyright © 1996 Adobe Systems Incorporated. All Rights Reserved. Adobe and Flash are either trademarks or registered trademarks in the United States and/or other countries.
    LegalTrademarks:  Adobe Flash Player

0:005> k
ChildEBP RetAddr 
03a5c614 77168567 ntdll!ZwWaitForSingleObject+0x15
03a5c698 77168695 ntdll!RtlReportExceptionEx+0x14b
03a5c6f0 74c18dd8 ntdll!RtlReportException+0x86
03a5c710 74c18edb ole32!SilentlyReportExceptions+0x79
03a5c724 74c194e5 ole32!ServerExceptionFilter+0xbb
03a5c73c 74be35ea ole32!AppInvokeExceptionFilterWithMethodAddress+0x11
03a5c758 74d53f21 ole32!CStdMarshal::DisconnectSrvIPIDs+0xf3
03a5c76c 74d53eae msvcrt!_EH4_CallFilterFunc+0x12
03a5c798 74ba6771 msvcrt!_except_handler4_common+0x8e
03a5c7b8 7711b499 ole32!_except_handler4+0x20
03a5c7dc 7711b46b ntdll!ExecuteHandler2+0x26
03a5c800 7711b40e ntdll!ExecuteHandler+0x24
03a5c88c 770d0133 ntdll!RtlDispatchException+0x127
03a5c88c 00000000 ntdll!KiUserExceptionDispatcher+0xf
WARNING: Frame IP not in any known module. Following frames may be wrong.
03a5cd54 74b7bc27 0x0
03a5ce04 74b7bb5d ole32!CStdMarshal::DisconnectSrvIPIDs+0xc5
03a5ce38 74b64a77 ole32!CStdMarshal::Disconnect+0x1b3
03a5ce4c 74b64a40 ole32!CStdMarshal::HandlePendingDisconnect+0x4d
03a5ce9c 74b648d5 ole32!CRemoteUnknown::RemReleaseWorker+0x1ca
03a5ceb0 7663592c ole32!CRemoteUnknown::RemRelease+0x15
03a5ced0 766b05f1 rpcrt4!Invoke+0x2a
03a5d2d4 74c7d7e6 rpcrt4!NdrStubCall2+0x2ea
03a5d31c 74c7d876 ole32!CStdStubBuffer_Invoke+0xb6
03a5d364 74c7ddd0 ole32!SyncStubInvoke+0x3c
03a5d3b0 74b98a43 ole32!StubInvoke+0xb9
03a5d48c 74b98938 ole32!CCtxComChnl::ContextInvoke+0xfa
03a5d4a8 74b9950a ole32!MTAInvoke+0x1a
03a5d4d4 74c7dccd ole32!STAInvoke+0x46
03a5d508 74c7db41 ole32!AppInvoke+0xab
03a5d5e8 74c7e1fd ole32!ComInvokeWithLockAndIPID+0x372
03a5d610 74b99367 ole32!ComInvoke+0xc5
03a5d624 74b99326 ole32!ThreadDispatch+0x23
03a5d668 748162fa ole32!ThreadWndProc+0x161
03a5d694 74816d3a user32!InternalCallWinProc+0x23
03a5d70c 748177c4 user32!UserCallWinProcCheckWow+0x109
03a5d76c 7481788a user32!DispatchMessageWorker+0x3bc
03a5d77c 61282094 user32!DispatchMessageW+0xf
03a5f8a4 612a1de6 ieframe!CTabWindow::_TabWindowThreadProc+0x722
03a5f960 75072048 ieframe!LCIETab_ThreadProc+0x317
03a5f970 612902bb iertutil!CIsoScope::RegisterThread+0xab
03a5f988 7670336a ieframe!Detour_DefWindowProcA+0x6c
03a5f994 770f9f72 kernel32!BaseThreadInitThunk+0xe
03a5f9d4 770f9f45 ntdll!__RtlUserThreadStart+0x70
03a5f9ec 00000000 ntdll!_RtlUserThreadStart+0x1b

This looks like Flash is (for some reason) deleting an object that the underlying MSAA infrastructure still thinks is alive.

This was reproduced in IE9 and IE11 using both Flash 12 and 13.

Has anyone encountered this?

EDIT: created a bug: https://bugbase.adobe.com/index.cfm?event=bug&id=3750745

Thanks
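A triage script for the crash summary in the post above, added here as an example; it is not part of the original post and not Adobe's or Microsoft's code. It parses the KEY: value lines that WinDbg's !analyze -v prints, decodes EXCEPTION_PARAMETER1/2 the way the debugger does for STATUS_ACCESS_VIOLATION (0 read, 1 write, 8 DEP/NX execute; the second parameter is the faulting address), and flags the bucket tags visible in the dump (DOUBLEFREE, BAD_REFCOUNT, FTH_ACTIVE) that mark this as an object-lifetime bug rather than a cosmetic crash. The sample text is a constructed excerpt of the fields quoted in the post; the priority labels and the `flash_version` helper are conventions of this example only, not anything WinDbg emits.

```python
import re

# Constructed sample: a trimmed copy of the !analyze -v fields quoted in the post.
SAMPLE_ANALYZE = """\
PROCESS_NAME:  iexplore.exe
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_PARAMETER1:  00000008
EXCEPTION_PARAMETER2:  00000000
FAULTING_THREAD:  ffffffff
BUGCHECK_STR: APPLICATION_FAULT_FTH_ACTIVE_DOUBLEFREE_MULTI_BAD_REFCOUNT_FOR_SZSYMBOL_SOFTWARE_NX_FAULT_NULL
MODULE_NAME: Flash32_13_0_0_182
IMAGE_NAME:  Flash32_13_0_0_182.ocx
FAILURE_BUCKET_ID: FTH_ACTIVE_DOUBLEFREE_MULTI_NULL_c0000005_Flash32_13_0_0_182.ocx!AdobeCPGetAPI
"""

FIELD_RE = re.compile(r"^([A-Z][A-Z0-9_]*):\s*(.*)$")
# Flash Player's OCX file name carries its version: Flash32_13_0_0_182.ocx -> 13.0.0.182
VERSION_RE = re.compile(r"Flash32_(\d+)_(\d+)_(\d+)_(\d+)\.ocx", re.IGNORECASE)

# For STATUS_ACCESS_VIOLATION (0xc0000005) ExceptionInformation[0] is
# 0 for a read, 1 for a write and 8 for a DEP/NX execute fault;
# ExceptionInformation[1] is the address that faulted.
AV_KIND = {0: "read", 1: "write", 8: "execute"}


def parse_analyze(text):
    """Return the KEY: value lines of a !analyze -v dump as a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def flash_version(image_name):
    """'Flash32_13_0_0_182.ocx' -> '13.0.0.182'; None for any other module."""
    m = VERSION_RE.search(image_name)
    return ".".join(m.groups()) if m else None


def triage(fields):
    """Apply memory-safety heuristics (this example's own) to the parsed fields."""
    code = fields.get("EXCEPTION_CODE", "").lower()
    p1 = int(fields.get("EXCEPTION_PARAMETER1", "0"), 16)
    p2 = int(fields.get("EXCEPTION_PARAMETER2", "0"), 16)
    bucket = fields.get("BUGCHECK_STR", "")
    findings = []
    access = None
    if "0xc0000005" in code:
        access = AV_KIND.get(p1, "unknown")
        if access == "execute":
            findings.append("NX fault: execution reached non-executable address %08x" % p2)
        if p2 == 0:
            findings.append("null target: typical of a call through a vtable slot that was zeroed or freed")
    if "DOUBLEFREE" in bucket:
        findings.append("DOUBLEFREE tag: the same allocation was released twice")
    if "BAD_REFCOUNT" in bucket:
        findings.append("BAD_REFCOUNT tag: a reference count did not match the live references")
    if "FTH_ACTIVE" in bucket:
        findings.append("FTH_ACTIVE tag: the Fault Tolerant Heap shim was already enabled, "
                        "so Windows had seen earlier heap crashes in this process")
    # A lifetime bug that ends in a control-flow transfer is the use-after-free
    # class: treat it as a security bug until it is root-caused.
    lifetime_bug = "DOUBLEFREE" in bucket or "BAD_REFCOUNT" in bucket
    if lifetime_bug and access == "execute":
        priority = "high: memory-safety class with control-flow impact"
    elif lifetime_bug or access == "write":
        priority = "medium: memory corruption without confirmed control-flow impact"
    else:
        priority = "low: plain read fault or unclassified"
    return {
        "process": fields.get("PROCESS_NAME"),
        "module": fields.get("IMAGE_NAME"),
        "version": flash_version(fields.get("IMAGE_NAME", "")),
        "access": access,
        "priority": priority,
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in triage(parse_analyze(SAMPLE_ANALYZE)).items():
        print("%-9s %s" % (key + ":", value))
```

Run against the post's dump this reports an execute fault at address 0 reached from a DOUBLEFREE/BAD_REFCOUNT bucket, which is exactly the pattern the stack shows: the remote client's final Release arrives through ole32!CRemoteUnknown::RemRelease after the object behind the stub has already been destroyed, so the call lands on a zeroed vtable slot. Whether the freed memory can be reclaimed with attacker-chosen data before that Release is what decides exploitability, and nothing in the dump settles that; the script only tells you the crash belongs to the class worth root-causing.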
