IE7 crash, urlmon crash

I'm not sure if this is the correct place but I caught an IE7 crash in windbg
as I was debugging another issue. I think this issue is unrelated to what I
was working on. I received the following stack trace while running IE7 on
vista x64, multicore, in a VMWare VM. I had two tabs open, each with an
activex control in them constantly redrawing the page.

(9bc.a38): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=f0f0f0f0 ebx=00000000 ecx=085e6e30 edx=00000000 esi=085e6e30 edi=00000000
eip=754dfbad esp=073a985c ebp=073a987c iopl=0 nv up ei ng nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010286
urlmon!CList<DebugLogElement *,DebugLogElement *>::RemoveAll+0xc:
754dfbad 8b00 mov eax,dword ptr [eax]
ds:002b:f0f0f0f0=????????

0:004> kb
ChildEBP RetAddr Args to Child
073a9860 7554d055 073e0290 085e6e30 073a9bbc urlmon!CList<DebugLogElement
*,DebugLogElement *>::RemoveAll+0xc
073a987c 7554d56b 085e6e30 7554d585 00000000 urlmon!CDLDebugLog::Clear+0x37
073a9884 7554d585 00000000 073a9b54 7554d680
urlmon!CDLDebugLog::~CDLDebugLog+0xa
073a9890 7554d680 00000001 7553914c 754d70d4 urlmon!CDLDebugLog::`scalar
deleting destructor'+0xd
073a9898 7553914c 754d70d4 00000000 073a9bbc urlmon!CDLDebugLog::Release+0x15
073a9b54 755392d2 00000000 073a9bbc 0317b370 urlmon!AsyncGetClassBits2Ex+0x85f
073a9b88 7553961c 07591b88 073a9bbc 0317b370 urlmon!AsyncGetClassBitsEx+0x81
073aac5c 7080df14 07591b88 00000000 00000000
urlmon!CoGetClassObjectFromURL+0x246
073aad00 7080e2e9 705bc124 073aae24 00000000
mshtml!CCodeLoad::BindToObject+0x464
073aad20 708070a4 087a1c88 073aae24 70812684 mshtml!CCodeLoad::Init+0x296
073aadd4 708125aa 073aae24 07455d60 031a8768
mshtml!COleSite::CreateObject+0x5a5
073aee80 707fb0e6 7054fe99 0741eb90 00000000
mshtml!CObjectElement::CreateObject+0x6a6
073aee84 7054fe99 0741eb90 00000000 00000000
mshtml!CHtmObjectParseCtx::Execute+0x8
073aeed4 7055fc00 07455d60 00000000 0741eb90 mshtml!CHtmParse::Execute+0x43
073aeeec 7056595f 7056597d 07506050 06e983d0 mshtml!CHtmPost::Broadcast+0x11
073aefa8 70591e1f ffffffff 0740b544 0740b4c8 mshtml!CHtmPost::Exec+0x40d
073aeff0 705a2dff 00000000 0740b4c8 08766158 mshtml!CHtmLoad::Init+0x2e2
073af014 705a2d14 08766158 00000001 00000000 mshtml!CDwnInfo::SetLoad+0x10c
073af038 7057607b 00000001 073af088 00000000 mshtml!CDwnCtx::SetLoad+0x76
073af054 705763dc 00000001 073af088 00000000 mshtml!CHtmCtx::SetLoad+0x18

The object it was trying to access was already freed, with the following
stack trace:

0:004> dds 02179eec
02179eec 00000000
02179ef0 0000f802
02179ef4 00201401 iexplore!__dyn_tls_init_callback <PERF> (iexplore+0x91401)
02179ef8 77145180 ntdll!RtlpFreeHeap+0x5f
02179efc 7712f285 ntdll!RtlFreeHeap+0x14e
02179f00 75a73593 kernel32!HeapFree+0x14
02179f04 76b4dc2c ole32!CRetailMalloc_Free+0x1c
02179f08 76b4dc53 ole32!CoTaskMemFree+0x13
02179f0c 754d3006 urlmon!operator delete+0x14
02179f10 7554d591 urlmon!CDLDebugLog::`scalar deleting destructor'+0x19
02179f14 7554d680 urlmon!CDLDebugLog::Release+0x15
02179f18 7080df14 mshtml!CCodeLoad::BindToObject+0x464
02179f1c 7080e2e9 mshtml!CCodeLoad::Init+0x296
02179f20 708070a4 mshtml!COleSite::CreateObject+0x5a5
02179f24 708125aa mshtml!CObjectElement::CreateObject+0x6a6
02179f28 707fb0e6 mshtml!CHtmObjectParseCtx::Execute+0x8
02179f2c 7055fc00 mshtml!CHtmPost::Broadcast+0x11
02179f30 7056595f mshtml!CHtmPost::Exec+0x40d
02179f34 70591e1f mshtml!CHtmLoad::Init+0x2e2
02179f38 705a2dff mshtml!CDwnInfo::SetLoad+0x10c
02179f3c 705a2d14 mshtml!CDwnCtx::SetLoad+0x76
02179f40 7057607b mshtml!CHtmCtx::SetLoad+0x18
02179f44 705763dc mshtml!CMarkup::Load+0x15f
02179f48 70590cec mshtml!CMarkup::Load+0xe8
02179f4c 7058ee38 mshtml!CDoc::ParseGlobal+0xee
02179f50 7058ea71 mshtml!HandleHTMLInjection+0x9f
02179f54 7058e9b5 mshtml!HandleHTMLInjection+0x50
02179f58 7058e8e0 mshtml!CElement::Inject+0x2ee
02179f5c 705bab57 mshtml!CElement:ut_innerHTML+0x4d
02179f60 706051bc mshtml!GS_PropEnum+0x84
02179f64 705d7236 mshtml!CBase::ContextInvokeEx+0x4ef
02179f68 705f426e mshtml!CElement::ContextInvokeEx+0x70

I have a minidump available if anyone is interested.

"jcopenha" wrote:

> I'm not sure if this is the correct place but I caught an IE7 crash in windbg
> as I was debugging another issue. I think this issue is unrelated to what I
> was working on. I received the following stack trace while running IE7 on
> vista x64, multicore, in a VMWare VM. I had two tabs open, each with an
> activex control in them constantly redrawing the page.
>
> (9bc.a38): Access violation - code c0000005 (first chance)
> First chance exceptions are reported before any exception handling.
> This exception may be expected and handled.
> eax=f0f0f0f0 ebx=00000000 ecx=085e6e30 edx=00000000 esi=085e6e30 edi=00000000
> eip=754dfbad esp=073a985c ebp=073a987c iopl=0 nv up ei ng nz na pe nc
> cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010286
> urlmon!CList<DebugLogElement *,DebugLogElement *>::RemoveAll+0xc:
> 754dfbad 8b00 mov eax,dword ptr [eax]
> ds:002b:f0f0f0f0=????????
>
> 0:004> kb
> ChildEBP RetAddr Args to Child
> 073a9860 7554d055 073e0290 085e6e30 073a9bbc urlmon!CList<DebugLogElement
> *,DebugLogElement *>::RemoveAll+0xc
> 073a987c 7554d56b 085e6e30 7554d585 00000000 urlmon!CDLDebugLog::Clear+0x37
> 073a9884 7554d585 00000000 073a9b54 7554d680
> urlmon!CDLDebugLog::~CDLDebugLog+0xa
> 073a9890 7554d680 00000001 7553914c 754d70d4 urlmon!CDLDebugLog::`scalar
> deleting destructor'+0xd
> 073a9898 7553914c 754d70d4 00000000 073a9bbc urlmon!CDLDebugLog::Release+0x15
> 073a9b54 755392d2 00000000 073a9bbc 0317b370 urlmon!AsyncGetClassBits2Ex+0x85f
> 073a9b88 7553961c 07591b88 073a9bbc 0317b370 urlmon!AsyncGetClassBitsEx+0x81
> 073aac5c 7080df14 07591b88 00000000 00000000
> urlmon!CoGetClassObjectFromURL+0x246
> 073aad00 7080e2e9 705bc124 073aae24 00000000
> mshtml!CCodeLoad::BindToObject+0x464
> 073aad20 708070a4 087a1c88 073aae24 70812684 mshtml!CCodeLoad::Init+0x296
> 073aadd4 708125aa 073aae24 07455d60 031a8768
> mshtml!COleSite::CreateObject+0x5a5
> 073aee80 707fb0e6 7054fe99 0741eb90 00000000
> mshtml!CObjectElement::CreateObject+0x6a6
> 073aee84 7054fe99 0741eb90 00000000 00000000
> mshtml!CHtmObjectParseCtx::Execute+0x8
> 073aeed4 7055fc00 07455d60 00000000 0741eb90 mshtml!CHtmParse::Execute+0x43
> 073aeeec 7056595f 7056597d 07506050 06e983d0 mshtml!CHtmPost::Broadcast+0x11
> 073aefa8 70591e1f ffffffff 0740b544 0740b4c8 mshtml!CHtmPost::Exec+0x40d
> 073aeff0 705a2dff 00000000 0740b4c8 08766158 mshtml!CHtmLoad::Init+0x2e2
> 073af014 705a2d14 08766158 00000001 00000000 mshtml!CDwnInfo::SetLoad+0x10c
> 073af038 7057607b 00000001 073af088 00000000 mshtml!CDwnCtx::SetLoad+0x76
> 073af054 705763dc 00000001 073af088 00000000 mshtml!CHtmCtx::SetLoad+0x18
>
> The object it was trying to access was already freed, with the following
> stack trace:
>
> 0:004> dds 02179eec
> 02179eec 00000000
> 02179ef0 0000f802
> 02179ef4 00201401 iexplore!__dyn_tls_init_callback <PERF> (iexplore+0x91401)
> 02179ef8 77145180 ntdll!RtlpFreeHeap+0x5f
> 02179efc 7712f285 ntdll!RtlFreeHeap+0x14e
> 02179f00 75a73593 kernel32!HeapFree+0x14
> 02179f04 76b4dc2c ole32!CRetailMalloc_Free+0x1c
> 02179f08 76b4dc53 ole32!CoTaskMemFree+0x13
> 02179f0c 754d3006 urlmon!operator delete+0x14
> 02179f10 7554d591 urlmon!CDLDebugLog::`scalar deleting destructor'+0x19
> 02179f14 7554d680 urlmon!CDLDebugLog::Release+0x15
> 02179f18 7080df14 mshtml!CCodeLoad::BindToObject+0x464
> 02179f1c 7080e2e9 mshtml!CCodeLoad::Init+0x296
> 02179f20 708070a4 mshtml!COleSite::CreateObject+0x5a5
> 02179f24 708125aa mshtml!CObjectElement::CreateObject+0x6a6
> 02179f28 707fb0e6 mshtml!CHtmObjectParseCtx::Execute+0x8
> 02179f2c 7055fc00 mshtml!CHtmPost::Broadcast+0x11
> 02179f30 7056595f mshtml!CHtmPost::Exec+0x40d
> 02179f34 70591e1f mshtml!CHtmLoad::Init+0x2e2
> 02179f38 705a2dff mshtml!CDwnInfo::SetLoad+0x10c
> 02179f3c 705a2d14 mshtml!CDwnCtx::SetLoad+0x76
> 02179f40 7057607b mshtml!CHtmCtx::SetLoad+0x18
> 02179f44 705763dc mshtml!CMarkup::Load+0x15f
> 02179f48 70590cec mshtml!CMarkup::Load+0xe8
> 02179f4c 7058ee38 mshtml!CDoc::ParseGlobal+0xee
> 02179f50 7058ea71 mshtml!HandleHTMLInjection+0x9f
> 02179f54 7058e9b5 mshtml!HandleHTMLInjection+0x50
> 02179f58 7058e8e0 mshtml!CElement::Inject+0x2ee
> 02179f5c 705bab57 mshtml!CElement:ut_innerHTML+0x4d
> 02179f60 706051bc mshtml!GS_PropEnum+0x84
> 02179f64 705d7236 mshtml!CBase::ContextInvokeEx+0x4ef
> 02179f68 705f426e mshtml!CElement::ContextInvokeEx+0x70
>
> I have a minidump available if anyone is interested.


What Version of Vista you are using ( I mean Vista 32 Bit or 64 Bit?)
Did you tried to start IE7 with Add-Ons disbaled?
Try it and see if that will help!
Open a run command and type in:
regsvr32 urlmon.dll click [OK]
Reboot your machine and see if the error will occur again!

Do you have an admin account and also do you have other accounts on this
machine to test on them, you may be having a corrupt profile or you operating
in a limited user account?
Also make sure to run a thorough scan for malware and viruses on your machine.
HTH,
nass
---
http://www.nasstec.co.uk

I'm using Vista 64-bit, IE7 32-bit, no Add-ons, all the latest windows
updates installed. urlmon.dll is already registered as it is loaded and IN
the stack trace. It was not running as Administrator at the time, I have UAC
turned off. It's a clean virtual machine so no malware, etc.

"nass" wrote:

> What Version of Vista you are using ( I mean Vista 32 Bit or 64 Bit?)
> Did you tried to start IE7 with Add-Ons disbaled?
> Try it and see if that will help!
> Open a run command and type in:
> regsvr32 urlmon.dll click [OK]
> Reboot your machine and see if the error will occur again!
>
> Do you have an admin account and also do you have other accounts on this
> machine to test on them, you may be having a corrupt profile or you operating
> in a limited user account?
> Also make sure to run a thorough scan for malware and viruses on your machine.
> HTH,
> nass
> ---
> http://www.nasstec.co.uk
>