crash on startup in OpenConsole!SCREEN_INFORMATION::_makeCursorVisible

[taviso]

Windows Terminal version

1.24.2372.0

Windows build number

10.0.26100.4946

Other Software

N/A

Steps to reproduce

I just updated to Windows Terminal Preview 1.24.2372.0 via winget, I'm occasionally seeing a crash on startup.

It's not obvious what the conditions are, it happens maybe once or twice a day. I had no problems with the previous release.

Expected Behavior

No response

Actual Behavior

$ cdb -z OpenConsole.exe_250906_104835-1.dmp
0:000> .exr -1
ExceptionAddress: 00007ff7bbd54bdb (OpenConsole!SCREEN_INFORMATION::_makeCursorVisible+0x0000000000000004)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: ffffffffffffffff
Attempt to read from address ffffffffffffffff
0:000> .ecxr
0:000> k
  *** Stack trace for last set context - .thread/.cxr resets it
Child-SP          RetAddr               Call Site
(Inline Function) --------`--------     OpenConsole!SCREEN_INFORMATION::_makeCursorVisible+0x4
(Inline Function) --------`--------     OpenConsole!SCREEN_INFORMATION::SnapOnOutput::__l2::<lambda_1>::operator()+0x9
(Inline Function) --------`--------     OpenConsole!wil::details::lambda_call<`SCREEN_INFORMATION::SnapOnOutput'::`2'::<lambda_1> >::reset+0x9
(Inline Function) --------`--------     OpenConsole!wil::details::lambda_call<`SCREEN_INFORMATION::SnapOnOutput'::`2'::<lambda_1> >::{dtor}+0x9
00000023`0abff270 00007ff7`bbd54e4a     OpenConsole!WriteCharsVT+0x19b
00000023`0abff310 00007ff7`bbd5546f     OpenConsole!DoWriteConsole+0x1a
00000023`0abff350 00007ff7`bbd93b66     OpenConsole!ApiRoutines::WriteConsoleAImpl+0x60f
00000023`0abff490 00007ff7`bbd918d4     OpenConsole!ApiDispatchers::ServerWriteConsole+0x396
00000023`0abff540 00007ff7`bbd2efd7     OpenConsole!IoSorter::ServiceIoOperation+0x184
00000023`0abff590 00007ffc`4f34e8d7     OpenConsole!ConsoleIoThread+0x1d7
00000023`0abff810 00007ffc`513bc34c     kernel32!BaseThreadInitThunk+0x17
00000023`0abff840 00000000`00000000     ntdll!RtlUserThreadStart+0x2c
0:000> u
OpenConsole!SCREEN_INFORMATION::_makeCursorVisible+0x4 [inlined in OpenConsole!WriteCharsVT+0x19b]:
00007ff7`bbd54bdb 80ba1101000000  cmp     byte ptr [rdx+111h],0
00007ff7`bbd54be2 7413            je      OpenConsole!WriteCharsVT+0x1b7 (00007ff7`bbd54bf7)
00007ff7`bbd54be4 488b9208010000  mov     rdx,qword ptr [rdx+108h]
00007ff7`bbd54beb 488bce          mov     rcx,rsi
00007ff7`bbd54bee e84d3efeff      call    OpenConsole!SCREEN_INFORMATION::MakeCursorVisible (00007ff7`bbd38a40)
00007ff7`bbd54bf3 488b45f0        mov     rax,qword ptr [rbp-10h]
00007ff7`bbd54bf7 4885c0          test    rax,rax
00007ff7`bbd54bfa 7420            je      OpenConsole!WriteCharsVT+0x1dc (00007ff7`bbd54c1c)

Looking at the code, I think rdx+111h is probably _textBuffer->_cursor._fIsVisible, so it's probably this

I don't know what the bug is though.

[j4james]

We had an issue reported last year which was caused by the conpty connection thread being started up before the terminal was fully initialized (see #16749). I'm not positive, but this sounds like it might be a similar situation.

[lhecker]

I found that this is trivially reproducible by simply exiting vim inside WSL (alt buffer destruction?). It's somewhat likely that there's an ordering issue at ConPTY startup but this hints at it being a further reaching issue.

[lhecker]

Oh right, of course, when the alt buffer gets disabled in the VT sequence, it's immediately deallocated in which case the scope-exit lambda refers a stale screenInfo reference… Some dangerous, spooky code we got there. 😄