View Issue Details

ID: 0002320
Project: Ham Radio Deluxe
Category: Bug
View Status: public
Last Update: 2018-04-09 14:37
Reporter: PD9FER
Assigned To: K7ZCZ
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version:
Target Version:
Fixed in Version: 6.4.0.806
Summary: 0002320: DM780 crashes when selecting pulldown
Description: Using the dem-o-matic radio (or any other for that matter) DM-780 will crash when selecting any radio control pulldown item if that item appears in the 7th position or later of the selections.
Steps To Reproduce: Connect to the dem-o-matic, select DM780, connect to the radio, select the 'Main Mode' pulldown and choose CW-R or anything further down the list.
Additional Information: Ticket #409001
I have a Minidump for Roger
Tags: No tags attached.
Module: DM780
Sub-Module: Rig Control
Testing: Beta Successful

Relationships

related to 0002226 closed KB3NPH FT-991 - DM-780 Crash when changing radio modes

Activities

K7ZCZ

2018-03-02 15:43

manager   ~0004349

Call stack is here:

  *** Stack trace for last set context - .thread/.cxr resets it
 # ChildEBP RetAddr
00 0027eb74 00b15cdb Digital_Master!CPaneRadio::OnDropdownOption(unsigned int nID = 0x10fbd098)+0x143 [c:\ham radio\digital master\digital master\paneradio.cpp @ 1673]
01 0027eb88 00b15b01 Digital_Master!_AfxDispatchCmdMsg(class CCmdTarget * pTarget = 0x089a2408, unsigned int nID = 0x15e6, int nCode = 0n0, <function> * pfn = 0x009e9b20, void * pExtra = 0x00000000, unsigned int nSig = 0x3c, struct AFX_CMDHANDLERINFO * pHandlerInfo = 0x00000000)+0x55 [f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\cmdtarg.cpp @ 92]
02 0027ebb8 00b251c7 Digital_Master!CCmdTarget::OnCmdMsg(unsigned int nID = 0x15e6, int nCode = 0n0, void * pExtra = 0x00000000, struct AFX_CMDHANDLERINFO * pHandlerInfo = 0x00000000)+0x120 [f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\cmdtarg.cpp @ 373]
03 0027ebdc 00b0d17e Digital_Master!CPropertySheet::OnCmdMsg(unsigned int nID = 0x15e6, int nCode = 0n0, void * pExtra = 0x00000000, struct AFX_CMDHANDLERINFO * pHandlerInfo = 0x00000000)+0x1b [f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\dlgprop.cpp @ 816]
04 0027ec2c 00b0dda1 Digital_Master!CWnd::OnCommand(unsigned int wParam = 0x15e6, long lParam = 0n0)+0x89 [f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\wincore.cpp @ 2784]
05 0027ece4 0092e876 Digital_Master!CWnd::OnWndMsg(unsigned int message = 0x111, unsigned int wParam = 0x15e6, long lParam = 0n0, long * pResult = 0x0027ed1c)+0x3c [f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\wincore.cpp @ 2108]
06 0027ed00 00b0f5ad Digital_Master!CXTPDialogBase<CXTPResizeDialog>::OnWndMsg(unsigned int message = 0x111, unsigned int wParam = 0x15e6, long lParam = 0n0, long * pResult = 0x0027ed1c)+0x46 [c:\ham radio\codejock software\mfc\xtreme toolkitpro v15.0.2\source\commandbars\xtpdialogbase.h @ 194]
07 0027ed20 00b0ac01 Digital_Master!CWnd::WindowProc(unsigned int message = 0x111, unsigned int wParam = 0x15e6, long lParam = 0n0)+0x22 [f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\wincore.cpp @ 2094]
08 0027ed90 00b0b3bf Digital_Master!AfxCallWndProc(class CWnd * pWnd = 0x089a2408 {hWnd={...}}, struct HWND__ * hWnd = 0x0001121c, unsigned int nMsg = 0x111, unsigned int wParam = 0x15e6, long lParam = 0n0)+0xb0 [f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\wincore.cpp @ 285]
09 0027edb0 756062fa Digital_Master!AfxWndProc(struct HWND__ * hWnd = 0x0001121c, unsigned int nMsg = 0x111, unsigned int wParam = 0x15e6, long lParam = 0n0)+0x34 [f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\wincore.cpp @ 434]
0a 0027eddc 75606d3a user32!InternalCallWinProc+0x23
0b 0027ee54 7560965e user32!UserCallWinProcCheckWow+0x109
0c 0027ee98 756096c5 user32!SendMessageWorker+0x581
0d 0027eebc 00ca3af1 user32!SendMessageW+0x7f
0e 0027eef8 00cb04ae Digital_Master!CXTPControl::OnExecute(void)+0x191 [c:\hrdbranch\ham radio\codejock software\mfc\xtreme toolkitpro v15.0.2\source\commandbars\xtpcontrol.cpp @ 914]
0f 0027ef00 00c9c244 Digital_Master!CXTPControlButton::OnLButtonUp(class CPoint __formal = {x=138 y=13222416})+0x2e [c:\hrdbranch\ham radio\codejock software\mfc\xtreme toolkitpro v15.0.2\source\commandbars\xtpcontrolbutton.cpp @ 52]
10 0027ef14 00b0e268 Digital_Master!CXTPCommandBar::OnLButtonUp(unsigned int nFlags = 0, class CPoint point = {x=77 y=138})+0x34 [c:\hrdbranch\ham radio\codejock software\mfc\xtreme toolkitpro v15.0.2\source\commandbars\xtpcommandbar.cpp @ 460]
11 0027efd0 00c9cb9b Digital_Master!CWnd::OnWndMsg(unsigned int message = <Value unavailable error>, unsigned int wParam = 0, long lParam = 0n9044045, long * pResult = 0x0027f008)+0x503 [f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\wincore.cpp @ 2473]
12 0027efec 00b0f5ad Digital_Master!CXTPCommandBar::OnWndMsg(unsigned int message = 0x202, unsigned int wParam = 0, long lParam = 0n9044045, long * pResult = 0x0027f008)+0x2b [c:\hrdbranch\ham radio\codejock software\mfc\xtreme toolkitpro v15.0.2\source\commandbars\xtpcommandbar.cpp @ 2416]
13 0027f00c 00b0ac01 Digital_Master!CWnd::WindowProc(unsigned int message = 0x202, unsigned int wParam = 0, long lParam = 0n9044045)+0x22 [f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\wincore.cpp @ 2094]
14 0027f07c 00b0b3bf Digital_Master!AfxCallWndProc(class CWnd * pWnd = 0x107b0f20 {hWnd={...}}, struct HWND__ * hWnd = 0x000d17dc, unsigned int nMsg = 0x202, unsigned int wParam = 0, long lParam = 0n9044045)+0xb0 [f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\wincore.cpp @ 285]
15 0027f09c 756062fa Digital_Master!AfxWndProc(struct HWND__ * hWnd = 0x000d17dc, unsigned int nMsg = 0x202, unsigned int wParam = 0, long lParam = 0n9044045)+0x34 [f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\wincore.cpp @ 434]
16 0027f0c8 75606d3a user32!InternalCallWinProc+0x23
17 0027f140 75610d3f user32!UserCallWinProcCheckWow+0x109
18 0027f178 75610d65 user32!CallWindowProcAorW+0xab
19 0027f198 00ce7e7c user32!CallWindowProcW+0x1b
1a 0027f1e0 756062fa Digital_Master!CXTPHookManager::HookWndProc(struct HWND__ * hWnd = 0x00b0b38b, unsigned int message = 0x202, unsigned int wParam = 0, long lParam = 0n9044045)+0xac [c:\hrdbranch\ham radio\codejock software\mfc\xtreme toolkitpro v15.0.2\source\common\xtphookmanager.cpp @ 267]
1b 0027f20c 75606d3a user32!InternalCallWinProc+0x23
1c 0027f284 756077c4 user32!UserCallWinProcCheckWow+0x109
1d 0027f2e4 7560788a user32!DispatchMessageWorker+0x3b5
1e 0027f2f4 00c6adf9 user32!DispatchMessageW+0xf
1f 0027f328 00c6c316 Digital_Master!CXTPPopupBar::PumpMessage(void)+0xa9 [c:\hrdbranch\ham radio\codejock software\mfc\xtreme toolkitpro v15.0.2\source\commandbars\xtpcommandbars.cpp @ 1486]
20 0027f33c 00c6c1b1 Digital_Master!CXTPCommandBars::TrackPopupMenu(class CXTPPopupBar * pPopup = 0x00000001, unsigned int nFlags = 0, int x = 0n7, int y = 0n291, class CWnd * pWnd = 0x089a2408 {hWnd={...}}, struct tagRECT * rcExclude = 0x00000000, class CWnd * pWndOwner = 0x00000000)+0x146 [c:\hrdbranch\ham radio\codejock software\mfc\xtreme toolkitpro v15.0.2\source\commandbars\xtpcommandbars.cpp @ 1568]
21 0027f36c 009e948e Digital_Master!CXTPCommandBars::TrackPopupMenu(class CMenu * pMenu = 0x0027f3a4, unsigned int nFlags = 0, int x = 0n7, int y = 0n291, class CWnd * pWnd = 0x089a2408 {hWnd={...}}, struct tagRECT * rcExclude = 0x00000000, class CWnd * pWndOwner = 0x00000000, class CXTPCommandBars * pCommandBars = 0x00000000)+0x81 [c:\hrdbranch\ham radio\codejock software\mfc\xtreme toolkitpro v15.0.2\source\commandbars\xtpcommandbars.cpp @ 1622]
22 0027f3e8 009e92cc Digital_Master!CPaneRadio::Dropdown(int nIndex = 0n0, unsigned int nID = 0x41e)+0x16e [c:\ham radio\digital master\digital master\paneradio.cpp @ 1414]
23 0027f3f4 00b15cc8 Digital_Master!CPaneRadio::OnDropdown1(void)+0xc [c:\ham radio\digital master\digital master\paneradio.cpp @ 1344]
24 0027f404 00b15b01 Digital_Master!_AfxDispatchCmdMsg(class CCmdTarget * pTarget = 0x089a2408, unsigned int nID = 0x41e, int nCode = 0n0, <function> * pfn = 0x009e92c0, void * pExtra = 0x00000000, unsigned int nSig = 0x3a, struct AFX_CMDHANDLERINFO * pHandlerInfo = 0x00000000)+0x42 [f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\cmdtarg.cpp @ 78]
25 0027f434 00b251c7 Digital_Master!CCmdTarget::OnCmdMsg(unsigned int nID = 0x41e, int nCode = 0n0, void * pExtra = 0x00000000, struct AFX_CMDHANDLERINFO * pHandlerInfo = 0x00000000)+0x120 [f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\cmdtarg.cpp @ 373]
26 0027f458 00b0d17e Digital_Master!CPropertySheet::OnCmdMsg(unsigned int nID = 0x41e, int nCode = 0n0, void * pExtra = 0x00000000, struct AFX_CMDHANDLERINFO * pHandlerInfo = 0x00000000)+0x1b [f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\dlgprop.cpp @ 816]
27 0027f4a8 00b0dda1 Digital_Master!CWnd::OnCommand(unsigned int wParam = 0x41e, long lParam = 0n70178)+0x89 [f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\wincore.cpp @ 2784]
28 0027f560 0092e876 Digital_Master!CWnd::OnWndMsg(unsigned int message = 0x111, unsigned int wParam = 0x41e, long lParam = 0n70178, long * pResult = 0x0027f598)+0x3c [f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\wincore.cpp @ 2108]
29 0027f57c 00b0f5ad Digital_Master!CXTPDialogBase<CXTPResizeDialog>::OnWndMsg(unsigned int message = 0x111, unsigned int wParam = 0x41e, long lParam = 0n70178, long * pResult = 0x0027f598)+0x46 [c:\ham radio\codejock software\mfc\xtreme toolkitpro v15.0.2\source\commandbars\xtpdialogbase.h @ 194]
2a 0027f59c 00b0ac01 Digital_Master!CWnd::WindowProc(unsigned int message = 0x111, unsigned int wParam = 0x41e, long lParam = 0n70178)+0x22 [f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\wincore.cpp @ 2094]
2b 0027f60c 00b0b3bf Digital_Master!AfxCallWndProc(class CWnd * pWnd = 0x089a2408 {hWnd={...}}, struct HWND__ * hWnd = 0x0001121c, unsigned int nMsg = 0x111, unsigned int wParam = 0x41e, long lParam = 0n70178)+0xb0 [f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\wincore.cpp @ 285]
2c 0027f62c 756062fa Digital_Master!AfxWndProc(struct HWND__ * hWnd = 0x0001121c, unsigned int nMsg = 0x111, unsigned int wParam = 0x41e, long lParam = 0n70178)+0x34 [f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\wincore.cpp @ 434]
2d 0027f658 75606d3a user32!InternalCallWinProc+0x23
2e 0027f6d0 7560965e user32!UserCallWinProcCheckWow+0x109

K7ZCZ

2018-03-02 15:45

manager   ~0004350

Indeed, the code here is walking past the end of an array that has a list of commands in it; looks like there are no boundary checks to prevent that happening.

Three parts to the fix:

1) Figure out why we have more buttons than array entries
2) Maybe add more array entries? Make them dynamic?
3) Defend against overrun -- but have to figure out what's reasonable to do if overrun or underrun occurs.

K7ZCZ

2018-03-17 11:24

manager   ~0004500

The design of this code is not exactly straightforward.

The Radio pane has six drop-down controls. They're not implemented as drop-down controls; they're actually buttons that cause a pop-up menu to appear, with no parent. When the command on the menu is clicked, the ID for the command falls into a range handled by OnDropdownOption(). The important part of this fix is realizing that the ID passed to the OnDropdownOption() function is the ID of the menu command, and not anything else at all.

The code was written with the mistake that the ID was the ID of the control that caused the dropdown; one of the six buttons. It's not. A constant value was subtracted from the ID passed. The developed index was then used to look up a control ID constant in the global nDropdowns array.

The menu items happen to be anchored by the same constant subtracted from the passed value; so the 7th menu item tries to hit nDropdowns[7], but that array has only six elements. In debug builds, the reported bug doesn't easily reproduce because the read past the end of the array isn't trapped, and seems to somehow result in a valid CWnd pointer.

In release builds, it practically never results in a valid CWnd pointer and that causes the dereference to fail when RequestHRDSendMessage is called; specifically, when the GetDlgItem() call is used to get that CWnd, and its m_hWnd accessor is used.

Oddly, the HWND is cast to a UINT to fit a prototype of the RequestHRDSendMessage() function. That function treats the UINT parameter as a command ID. That is, the necessity of this cast was trying to tell the developer they were doing the wrong thing, but they did the cast and set the stage for this bug.

Remarkably, the RequestHRDSendMessage() call does a bunch of questionable memory re-allocation, queues an entry for a worker thread, and then that thread just posts a message back to the handling application.

The fix is to not perform a cast, don't try to convert the command ID into a CWnd (because no such CWnd exists), and pass only the command ID.
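
The indexing mistake described in the note above, modelled as an added example that is not part of the original note and is not Ham Radio Deluxe code. Only the names nDropdowns and OnDropdownOption() come from the page; the base constant, the array contents, the menu IDs and the helper names are constructed, and positions are zero-based here.

```cpp
#include <cstddef>
#include <cstdio>

// Constructed values: the real constants do not appear on the page.
static const unsigned kBaseId = 5000;  // hypothetical constant subtracted from the ID
static const unsigned nDropdowns[6] = {1101, 1102, 1103, 1104, 1105, 1106};
static const std::size_t kDropdownCount = sizeof(nDropdowns) / sizeof(nDropdowns[0]);

// Index derivation as the note describes it: the menu command ID is treated
// as a button ID and the base is subtracted. Unsigned arithmetic means an ID
// below the base wraps to a very large index instead of going negative.
std::size_t LegacyIndex(unsigned nID) {
    return static_cast<std::size_t>(nID - kBaseId);
}

// Defensive lookup: one unsigned comparison rejects overrun and, because of
// the wrap-around, underrun as well. Returns false instead of reading memory
// outside nDropdowns.
bool TryControlId(unsigned nID, unsigned* controlId) {
    const std::size_t index = LegacyIndex(nID);
    if (index >= kDropdownCount) {
        return false;
    }
    *controlId = nDropdowns[index];
    return true;
}

// Shape of the fix in the note: no lookup, no cast, the command ID is
// forwarded unchanged.
unsigned CommandIdToSend(unsigned nID) {
    return nID;
}

int main() {
    // Menu with 11 entries, IDs anchored at kBaseId (constructed).
    for (unsigned pos = 0; pos < 11; ++pos) {
        const unsigned nID = kBaseId + pos;
        unsigned controlId = 0;
        const bool ok = TryControlId(nID, &controlId);
        std::printf("item %2u id %u index %zu %s send %u\n", pos + 1, nID,
                    LegacyIndex(nID), ok ? "in range" : "OUT OF RANGE",
                    CommandIdToSend(nID));
    }
    return 0;
}
```
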

K7ZCZ

2018-03-17 15:52

manager   ~0004505

fixed with this checkin
https://hrdsoftware.visualstudio.com/HRD/_versionControl/changeset/3975

g3ucq

2018-04-03 17:04

viewer   ~0004640

Fixed for me.

vk2byi

2018-04-04 04:05

viewer   ~0004662

All 11 modes on the Mode drop-down can be selected now without crashing. Fixed.

PD9FER

2018-04-04 11:04

viewer   ~0004673

Fixed for me

Issue History

Date Modified Username Field Change
2018-02-16 02:55 PD9FER New Issue
2018-03-01 22:11 K7ZCZ Assigned To => K7ZCZ
2018-03-01 22:11 K7ZCZ Status new => assigned
2018-03-02 15:43 K7ZCZ Note Added: 0004349
2018-03-02 15:45 K7ZCZ Note Added: 0004350
2018-03-13 20:35 K7ZCZ Relationship added related to 0002226
2018-03-17 11:24 K7ZCZ Note Added: 0004500
2018-03-17 15:52 K7ZCZ Status assigned => resolved
2018-03-17 15:52 K7ZCZ Resolution open => fixed
2018-03-17 15:52 K7ZCZ Testing => Not Started
2018-03-17 15:52 K7ZCZ Note Added: 0004505
2018-04-02 10:41 K7ZCZ Project 1 - Backlog => 3 - Current Dev List
2018-04-02 10:42 K7ZCZ Fixed in Version => 6.4.0.798
2018-04-03 17:04 g3ucq Note Added: 0004640
2018-04-04 04:05 vk2byi Note Added: 0004662
2018-04-04 11:04 PD9FER Note Added: 0004673
2018-04-04 14:47 WA9PIE Status resolved => closed
2018-04-04 14:47 WA9PIE Testing Not Started => Beta Successful
2018-04-07 19:23 WA9PIE Project 3 - Current Dev List => Ham Radio Deluxe
2018-04-07 19:25 WA9PIE Fixed in Version 6.4.0.798 => 6.4.0.805
2018-04-09 14:37 WA9PIE Fixed in Version 6.4.0.805 => 6.4.0.806