Endless Stream of wm_mousemove messages - or Crash

[raleeper]

If I trap wm_mousemove (with windbg) I get a seemingly endless stream of them.  If I do not trap them, the program crashes with eip = 19004015 (which means nothing to me, except that it's evidently not allocated to my thread).

The guilty code is probably something in the mouse code below.  I think the problem must be something in WPROC, the windows procedure, either the mouse code or the message loop.

I would be grateful if anyone can suggest what might be going on'.

Thanks,

Robert

{later}  Evidently the whole body of code is too big to post.
The full code is at
http://www.raleeper.com/lfw.asm


Mouse

   .DATA
msjtbl   DD   mmov
   DD   mseb
   DD   mseu
   .CODE

;;   MSEFN   MouSE FuNctions

;   msefn:   eax~<203 => WP_cmdq      jmp [eax+msjtbl-200]

msefn:
   cmp   eax, 203
     jnc   WP_cmdq

     jmp   [eax+msjtbl-200]
;;   MSEB   MouSE left Button down

;   mseb:   SF1 s,f         eax,[mpos]  ecx   call gmspos

mseb:
   or   BY [flgs+1],80

   mov   eax, ecx
   mov   [mpos], ecx

   call   gmspos
;      [mposs]  dx      QF e10,e12,w0,w1 => _eiom

   mov   [mposs], dx

   test   BY [flge+2], 5
     jnz   mseb_eiom
   test   BY [flgw], 3
     jnz   mseb_eiom
;   _end:   call gmfao      call eewc

mseb_end:
   call   gmfao

   call   eewc
;   _exit:   jmp WP_inv

mseb_exit:
     jmp   WP_inv

;   _eiom:   sf1 e,f         jmp _exit

mseb_eiom:
   or   BY [flge+1], 80

     jmp   mseb_exit

;;   GMSPOS   Get Mouse Screen POSition

;   gmspos:   dx  ax         shr eax, 10      div BY [cszv]

gmspos:
   mov   dx, ax

   shr   eax, 10

   div   BY [cszv]
;      ax <-> dx      div BY [cszh]      dh  al


   xchg   ax, dx

   div   BY [cszh]

   mov   dh, al
;      retn

   retn

;;   GMFAO   Get Mouse File And Offset

;   gmfao:   ecx,ebx  dl      eax  [smcap]

gmfao:
   movzx   ecx, dl
   mov   ebx, ecx

   mov   eax, [smcap]
;      edi  ecx*4+smpad   add eax, 140      edi~<eax=> _brt

   lea   edi, [ecx*4+smpad]

   add   eax, 140

   cmp   edi, eax
     jnc   gmfao_brt
;   _lp:   esi  [edi]      esi<>0 => _1

gmfao_lp:
   mov   esi, [edi]

   or   esi, esi
     jnz   gmfao_1
;      sub edi, 4      loop _lp

   sub   edi, 4

   loop   gmfao_lp
;   _1:      sub ebx, ecx      eax  [sszh]      mul bl

gmfao_1:
   sub   ebx, ecx

   mov   eax, [sszh]

   mul   bl
;      dx  dh         add dx, ax

   movzx   dx, dh

   add   dx, ax
;   _end:   [msfil]  esi      [msfof]  dx      retn

gmfao_end:
   mov   [msfil], esi

   mov   [msfof], dx

   retn
;   _brt:   edx,esi  -1      jmp _end

gmfao_brt:
   xor   edx, edx
   dec   edx
   mov   esi, edx

     jmp   gmfao_end

;;   EEWC   Enter Edit With Cursor at mouse point

;   eewc:   ax  8000      ax~<[msfof] => @F   retn

eewc:
   mov   ax, 8000

   cmp   ax, [msfof]
     jnc   @F

   retn
;   @@:      dx  [mposs]      call ldf      [curpht]  dh

@@:
   mov   dx, [mposs]

   call   ldf

   mov   [curpht], dh
;      SF1 e1d,e1e      retn

   or   BY [flge+3], 60

   retn

;;   MSEU   MouSE left button Up

;   mseu:   ~btr s,f => WP_end

mseu:
   btr   [flgs], 0F
     jnc   WP_end
;   _0:      eax  ecx      call gmspos

mseu_0:
   mov   eax, ecx

   call   gmspos
;      eax  [msfil]      bx  [msfof]      push eax,ebx

   mov   eax, [msfil]

   mov   bx, [msfof]

   push   eax
   push   ebx
;      call gmfao      pop ebx,eax      esi<>eax => _br

   call   gmfao

   pop   ebx
   pop   eax

   cmp   esi, eax
     jnz   mseu_br
;      sub dx, bx      jna => _br      [selst]  bx

   sub   dx, bx

     jna   mseu_br
;      [selln]  dx      SF1 e,15      jmp WP_inv

   mov   [selst], bx
   mov   [selln], dx

   or   BY [flge+2],20

     jmp   WP_inv

;   _br:   [msfil]  eax      [msfof]  bx      jmp WP_end

mseu_br:
   mov   [msfil], eax
   mov   [msfof], bx

     jmp   WP_end
;;   MMOV   Mouse MOVe

;   mmov:   ~QF s,f => WP_end   jmp mseu_0

mmov:
   test   BY [flgs+1],80
   xor   eax, eax
     jz   WP_end

     jmp   mseu_0

-----------------------------------------------

;;;   WProc - msglp, Key, Mouse

;;   WProc - msglp

WProc proc wp_hWnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM

;      pushad         eax,[hWnd]  [wp_hWnd]

   pushad

   mov   eax, [wp_hWnd]
   mov   [hWnd], eax
;      [esp0]  esp      [@inv]  WP_inv

   mov   [esp0], esp

   mov   [@inv], OF WP_inv
;   msglp   eax  [uMsg]      eax<>_DESTROY => _charq

   mov   eax, [uMsg]

   cmp   eax, WM_DESTROY
     jnz   WP_charq
;      !PostQuitMessage   jmp _end

   invoke   PostQuitMessage,NULL

     jmp   WP_end
;   _charq:   edx  [wParam]      ecx  [lParam]

WP_charq:
   mov   edx, [wParam]

   mov   ecx, [lParam]
;      eax=_PAINT => _pai   =KEYD => key      ~<200 => msefn

   cmp   eax, WM_PAINT
     jz   WP_pai

   cmp   eax, KEYD
     jz   key

   cmp   eax, 200
     jnc   msefn
;   _cmdq:   =wmCMD => _cmd      =SYSKEYD => key_s

WP_cmdq:
   cmp   eax, WM_COMMAND
     jz   WP_cmd

   cmp   eax, WM_SYSKEYDOWN
     jz   key_s

;   _def:   popad         !defwindowproc      ret

WP_def:
   popad   ;=\

   invoke   DefWindowProc,hWnd,uMsg,wParam,lParam

   ret
;   _inv:   !invalidaterect      ZRF s,3

WP_inv:
   invoke InvalidateRect, hWnd,0,0
      ;,,lpRect; 0 = entire rect   ,,,bErase;0= no bkgr erase

   and   BY [flgs],0F7
;   _end:   popad         eax  0         ret

WP_end:
   popad

   xor    eax,eax

   ret

;   _cmd:   push OF WP_inv      edx  dl

WP_cmd:
   push   OF WP_inv

   movzx   edx, dl
;      jmp [cmtbl+edx*4]

     jmp   DP [cmtbl+edx*4]

;   _pai_:   call dspl      test e,1d => eren   jmp _end

WP_pai:
   call   dspl

   test   BY [flge+3],20
     jnz   eren

     jmp   WP_end

[donkey]

If I trap wm_mousemove (with windbg) I get a seemingly endless stream of them.  If I do not trap them, the program crashes with eip = 19004015 (which means nothing to me, except that it's evidently not allocated to my thread).

The guilty code is probably something in the mouse code below.  I think the problem must be something in WPROC, the windows procedure, either the mouse code or the message loop.

I would be grateful if anyone can suggest what might be going on'.

Thanks,

Robert

You should use code tags to encapsulate posted code [code]

The EIP you have is a weird one, it is not a system DLL which are generally loaded at an address of 0x7xxxxxxx (beyond the 2GB user memory space) so I would suspect it is a user DLL or in your code section, though with ASLR its not as obvious as it used to be. The WndProc looks OK though it is hard to follow since you're using jumps that look like they've been generated with a disassembler rather than coded by hand (ie JNC rather than JAE) and it is incredibly convoluted since you have the program jumping all over the place. I gave up trying to follow your mouse processing algorithm (msefn) and can't figure out why you would just send all messages over 200 to it since WM_MOUSEMOVE is 200h not 200 decimal.

Edgar

[raleeper]

1.  Thank you for trying to help.  Really!

2.  I apologize for my ideosyncratic and poorly documented code.  I am trying to do better.

3.  I have rewritten to eliminate the mouse function jump table. (All my source code is radix 16, so the mouse functions I am trying to use are 200-202 - but as I said, I have eliminated this.)

4.  I don't understand any of this: "You should use code tags to encapsulate posted code

Code Select Expand

".  What are code tags and what is it to "encapsulate posted code "? -- OK, I think I begin to see, but I am not able to do this quite yet.

Thank you.

Robert

The new windows procedure message code (without the comments) is:

   mov   eax, [uMsg]
   mov   edx, [wParam]
   mov   ecx, [lParam]

   cmp   eax, WM_DESTROY
     jz   WP_des
   cmp   eax, WM_PAINT
     jz   WP_pai
   cmp   eax, KEYD
     jz   key

   cmp   eax, MSLB
     jz   mseb
   cmp   eax, MSLU
     jz   mseu
   cmp   eax, MSMV
     jz   mmov

   cmp   eax, WM_COMMAND
     jz   WP_cmd
   cmp   eax, WM_SYSKEYDOWN
     jz   key_s

WP_def:
   popad
   invoke   DefWindowProc,hWnd,uMsg,wParam,lParam
   ret

WP_inv:
   invoke InvalidateRect, hWnd,0,0
   and   BY [flgs],0F7      ;flag s,3 (screen valid) <- 0
WP_end:
   popad
   xor    eax,eax
   ret

WP_des:
   invoke   PostQuitMessage,NULL
     jmp   WP_end
WP_cmd:
   push   OF WP_inv
   movzx   edx, dl
     jmp   DP [cmtbl+edx*4]

WP_pai:
   call   dspl
   test   BY [flge+3],20
     jnz   eren
     jmp   WP_end

[raleeper]

After the rewrite it no longer crashes or hangs.

I have wasted your time.  I'm sorry.

Thanks and best wishes,

Robert

[donkey]

I don't understand any of this: "You should use code tags to encapsulate posted code

Hi Robert,

When you post code to the forum do this...

[code] <<<< Add a start of code tag

post code here

[/code] <<<< Add an end of code tag

Or a quick way is to highlight your code in the edit window and press the # button.

Click here to see examples in the forum help section

And as a pointer when posting code, if you use alternate names for Windows messages like MSMV instead of WM_MOUSEMOVE or MSLB for WM_LBUTTONDOWN nobody will understand your code or spend much time trying to answer your question. If you want to have your code analyzed by the members here try to make it as clear as possible, no one will make much of an effort to trace spaghetti code in order to give someone free advice.

Edgar

[dedndave]

for code that size, it is worthwhile ZIP'ing it and attaching it instead of posting

[Slugsnack]

was this code generated by ida pro or something ?

[donkey]

was this code generated by ida pro or something ?

That's what I thought when I saw a JNC instead of a JAE, coding by hand you would not normally use JNC to test to see is a number was greater than another though they are the same instruction with the same opcode some disassemblers use JNC by default. Not to mention the escape characters all over the place. Oh well, its a simple routine that looks like it would be faster to write yourself than to RE it from another program and Robert has never really shown any of that kind of behavior before so I think he should get the benefit of the doubt.

Edgar

[raleeper]

was this code generated by ida pro or something ?

That's what I thought when I saw a JNC instead of a JAE, coding by hand you would not normally use JNC to test to see is a number was greater than another though they are the same instruction with the same opcode some disassemblers use JNC by default. Not to mention the escape characters all over the place. Oh well, its a simple routine that looks like it would be faster to write yourself than to RE it from another program and Robert has never really shown any of that kind of behavior before so I think he should get the benefit of the doubt.

Edgar

JNC is more simple and transparent - or perhaps just closer to the hardware level - than JAE since it tests the Carry flag.  Also, perhaps my perference goes back to Zilog's mnemonics for the Z80 on which I first learned to program.

This is all strictly hand coded.

Edgar: Thanks for explaining code tags.  Also, I appreciate your point about alternate symbol names, and on reflection, I think they are more confusing than useful even to me.

My DOS program that I use to write my programs displays the escape 1Bh as a left arrow - a more compact version of "<<".  I should have converted before posting, or just deleted out the comments. ("eax << ecx" is pseudocode for "copy ecx to eax" or just "mov eax, ecx"; )

Thanks,

Robert

[donkey]

JNC is more simple and transparent - or perhaps just closer to the hardware level - than JAE since it tests the Carry flag.  Also, perhaps my perference goes back to Zilog's mnemonics for the Z80 on which I first learned to program

JNC and JAE are the exact same, same opcode, same instruction, just a different mnemonic.

73 cb     JAE rel8          Jump short if above or equal (CF=0)
73 cb     JNC rel8          Jump short if not carry (CF=0)

Edgar