Case of the Word Scroll Hangs in Citrix

A simple one-page document was causing Word to freeze on opening, and if it ever did open, using the scroll bar caused parts of a background image to appear only intermittently.

Three dump files were collected using Task Manager. We see the following stacks; examples 2 and 3 were taken from the same instance of the process.

Example #1

Process Uptime: 0 days 0:00:52.000

0:000:x86> !runaway
User Mode Time
  Thread       Time
   0:1ab4      0 days 0:00:44.468
   6:1ae4      0 days 0:00:00.015
  13:19fc      0 days 0:00:00.000
  12:2d0       0 days 0:00:00.000
  11:2510      0 days 0:00:00.000
  10:1fdc      0 days 0:00:00.000
   9:192c      0 days 0:00:00.000
   8:1220      0 days 0:00:00.000
   7:1e80      0 days 0:00:00.000
   5:2590      0 days 0:00:00.000
   4:15d8      0 days 0:00:00.000
   3:2448      0 days 0:00:00.000
   2:31c       0 days 0:00:00.000
   1:2418      0 days 0:00:00.000
0:000:x86> k
ChildEBP RetAddr 
001f546c 063f41dc GdiPlus!FLOOR+0x9
001f5478 063f41f6 GdiPlus!FPUStateSaver::Round+0x1d
001f5484 064dc28c GdiPlus!GpRound+0x11
001f54b4 064dcc34 GdiPlus!GpRecolorObject::TransformColor5x5+0x199
001f54c8 064dd03e GdiPlus!GpRecolorObject::ComputeColorTwist+0x91
001f54ec 06421894 GdiPlus!GpRecolorObject::ColorAdjust+0xfa
001f54fc 064e12e1 GdiPlus!GpRecolor::ColorAdjust+0x1e
001f5510 064e0d81 GdiPlus!GpRecolorOp::Run+0x18
001f5534 064ebe7d GdiPlus!GpBitmapOps::ReleasePixelDataBuffer+0x8a
001f55ec 064dd31e GdiPlus!GpWicDecoder::Decode+0x169
001f5600 064dda0f GdiPlus!GpDecodedImage::InternalPushIntoSink+0x2d
001f5618 064de571 GdiPlus!GpDecodedImage::PushIntoSink+0x3c
001f568c 06434fc6 GdiPlus!GpMemoryBitmap::InitImageBitmap+0x15f
001f56e0 06436c63 GdiPlus!CopyOnWriteBitmap::PipeLockBitsFromDecoder+0xa5
001f57bc 06436e69 GdiPlus!CopyOnWriteBitmap::PipeLockBits+0x56b
001f57d4 06441df8 GdiPlus!GpBitmap::PipeLockBits+0x50
001f5c68 06444718 GdiPlus!GpGraphics::DrvDrawImage+0x1eff
001f5d60 0644487d GdiPlus!GpGraphics::DrawImage+0x386
001f5dc4 0640e8da GdiPlus!GpGraphics::DrawImage+0x66
001f5e38 64d1f230 GdiPlus!GdipDrawImagePointsRect+0x1e5
WARNING: Stack unwind information not available. Following frames may be wrong.
001f5ea8 64d1f58b MSO!Ordinal1458+0x20b
001f619c 64d1ef43 MSO!Ordinal1458+0x566
001f61f8 64d1ee85 MSO!Ordinal8926+0x115
001f6248 64d1bcbf MSO!Ordinal8926+0x57
001f69c4 64d1e666 MSO!Ordinal6882+0x6a3
001f6a00 64d1e5b8 MSO!Ordinal3379+0x214
001f6c4c 64d196fc MSO!Ordinal3379+0x166
001f6c74 64d1eeb6 MSO!Ordinal1075+0x2a5d
001f6c98 64d1968e MSO!Ordinal8926+0x88
001f6ca8 64d194ff MSO!Ordinal1075+0x29ef
001f79a4 64d19363 MSO!Ordinal1075+0x2860
001f79cc 64d171e8 MSO!Ordinal1075+0x26c4
001f7ad8 64cfb39b MSO!Ordinal1075+0x549
001f7b44 313ce150 MSO!Ordinal423+0x155
001f7c3c 312351a0 WWLIB!DllGetLCID+0x1b20da
001f7c80 31235169 WWLIB!DllGetLCID+0x1912a
001f7fb8 310cfdee WWLIB!DllGetLCID+0x190f3
001f80a8 310c50b4 WWLIB!GetAllocCounters+0xa9996
001f80d8 310e980e WWLIB!GetAllocCounters+0x9ec5c
001f8130 3108050c WWLIB!GetAllocCounters+0xc33b6
001f81b0 310247b5 WWLIB!GetAllocCounters+0x5a0b4
001f81f0 766462fa WWLIB!DllGetClassObject+0xf161
001f821c 76647316 user32!InternalCallWinProc+0x23
001f8294 76646de8 user32!UserCallWinProcCheckWow+0xd8
001f82f0 76646e44 user32!DispatchClientMessage+0xe0
001f832c 7753010a user32!__fnDWORD+0x2b
001f8374 310794a3 ntdll_77520000!KiUserCallbackDispatcher+0x2e
001f8394 3107935a WWLIB!GetAllocCounters+0x5304b
001f83d8 3107f72b WWLIB!GetAllocCounters+0x52f02
001f83e4 3107f63e WWLIB!GetAllocCounters+0x592d3
001f8410 649e18c6 WWLIB!GetAllocCounters+0x591e6
001f843c 649e1682 MSO!Ordinal10331+0x399
001f844c 649e161d MSO!Ordinal10331+0x155
001f8460 31078dd8 MSO!Ordinal10331+0xf0
001f84b8 310252b7 WWLIB!GetAllocCounters+0x52980
001faa0c 310247b5 WWLIB!DllGetClassObject+0xfc63
001faa4c 766462fa WWLIB!DllGetClassObject+0xf161
001faa78 76646d3a user32!InternalCallWinProc+0x23
001faaf0 76650d27 user32!UserCallWinProcCheckWow+0x109
001fab28 76650d4d user32!CallWindowProcAorW+0xab
001fab48 70ebf443 user32!CallWindowProcW+0x1b
001fab64 70ebf5ee comctl32_70e90000!CallOriginalWndProc+0x1a
001fabc8 70ebf5a2 comctl32_70e90000!CallNextSubclassProc+0x3d
001fabec 6494e298 comctl32_70e90000!DefSubclassProc+0x46
001fac34 6494def5 MSO!Ordinal4894+0x74f
001fac60 70ebf5ee MSO!Ordinal4894+0x3ac
001facc4 70ebf490 comctl32_70e90000!CallNextSubclassProc+0x3d
001fad24 766462fa comctl32_70e90000!MasterSubclassProc+0x54
001fad50 76646d3a user32!InternalCallWinProc+0x23
001fadc8 766490c9 user32!UserCallWinProcCheckWow+0x109
001fae58 76646a8c user32!RealDefWindowProcWorker+0x622
001fae78 6d360b64 user32!RealDefWindowProcW+0x4a
001faed4 6d360b96 uxtheme!_ThemeDefWindowProc+0x197
001faef0 7664729a uxtheme!ThemeDefWindowProcW+0x18
001faf38 310249b5 user32!DefWindowProcW+0x68
001fd490 310247b5 WWLIB!DllGetClassObject+0xf361
001fd4d0 766462fa WWLIB!DllGetClassObject+0xf161
001fd4fc 76646d3a user32!InternalCallWinProc+0x23
001fd574 76650d27 user32!UserCallWinProcCheckWow+0x109
001fd5ac 76650d4d user32!CallWindowProcAorW+0xab
001fd5cc 70ebf443 user32!CallWindowProcW+0x1b
001fd5e8 70ebf5ee comctl32_70e90000!CallOriginalWndProc+0x1a
001fd64c 70ebf5a2 comctl32_70e90000!CallNextSubclassProc+0x3d
001fd670 6494e298 comctl32_70e90000!DefSubclassProc+0x46
001fd6b8 6494def5 MSO!Ordinal4894+0x74f
001fd6e4 70ebf5ee MSO!Ordinal4894+0x3ac
001fd748 70ebf490 comctl32_70e90000!CallNextSubclassProc+0x3d
001fd7a8 766462fa comctl32_70e90000!MasterSubclassProc+0x54
001fd7d4 76647316 user32!InternalCallWinProc+0x23
001fd84c 76646de8 user32!UserCallWinProcCheckWow+0xd8
001fd8a8 76648fa7 user32!DispatchClientMessage+0xe0
001fd8e4 7753010a user32!__fnINLPWINDOWPOS+0x2c
001fd988 649aa323 ntdll_77520000!KiUserCallbackDispatcher+0x2e
001fd9b8 3107553b MSO!Ordinal2880+0x2e
001fd9d4 310754eb WWLIB!GetAllocCounters+0x4f0e3
001fd9f8 310754c5 WWLIB!GetAllocCounters+0x4f093
001fda3c 3107476f WWLIB!GetAllocCounters+0x4f06d
001fda78 310746d9 WWLIB!GetAllocCounters+0x4e317
001ffbe8 2fa31625 WWLIB!GetAllocCounters+0x4e281
001ffc0c 2fa315aa WINWORD+0x1625
001ffc9c 769e336a WINWORD+0x15aa
001ffca8 77559f72 kernel32!BaseThreadInitThunk+0xe
001ffce8 77559f45 ntdll_77520000!__RtlUserThreadStart+0x70
001ffd00 00000000 ntdll_77520000!_RtlUserThreadStart+0x1b


Example #2

Process Uptime: 0 days 0:02:01.000

0:000:x86> !runaway
User Mode Time
  Thread       Time
   0:2100      0 days 0:01:52.640
   6:1624      0 days 0:00:00.046
   3:2510      0 days 0:00:00.015
  12:21bc      0 days 0:00:00.000
  11:1e4c      0 days 0:00:00.000
  10:15b8      0 days 0:00:00.000
   9:1628      0 days 0:00:00.000
   8:1a90      0 days 0:00:00.000
   7:1060      0 days 0:00:00.000
   5:2664      0 days 0:00:00.000
   4:440       0 days 0:00:00.000
   2:2488      0 days 0:00:00.000
   1:147c      0 days 0:00:00.000
0:000:x86> k
ChildEBP RetAddr 
0040a300 663c0ee0 GdiPlus!DpOutputSpanStretch<1>::OutputSpan+0x361
0040a334 663e9b58 GdiPlus!EpAntialiasedFiller::OutputSpan+0x31
0040a358 663c10ed GdiPlus!DpClipRegion::OutputSpan+0x51
0040a378 663c1e3a GdiPlus!EpAntialiasedFiller::GenerateOutputAndClearCoverage+0x64
0040a3a0 663c0dda GdiPlus!EpAntialiasedFiller::FillEdgesAlternate+0x104
0040a3b8 663c2474 GdiPlus!RasterizeEdges+0xa9
0040ae70 663cb0f6 GdiPlus!RasterizePath+0x2d0
0040b05c 66392054 GdiPlus!DpDriver::DrawImage+0x240
0040b50c 66394718 GdiPlus!GpGraphics::DrvDrawImage+0x215b
0040b604 6639487d GdiPlus!GpGraphics::DrawImage+0x386
0040b668 6635e8da GdiPlus!GpGraphics::DrawImage+0x66
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for MSO.DLL - 
0040b6dc 64d1f230 GdiPlus!GdipDrawImagePointsRect+0x1e5
WARNING: Stack unwind information not available. Following frames may be wrong.
0040b74c 64d1f58b MSO!Ordinal1458+0x20b
0040ba40 64d1ef43 MSO!Ordinal1458+0x566
0040ba9c 64d1ee85 MSO!Ordinal8926+0x115
0040baec 64d1bcbf MSO!Ordinal8926+0x57
0040c268 64d1e666 MSO!Ordinal6882+0x6a3
0040c2a4 64d1e5b8 MSO!Ordinal3379+0x214
0040c4f0 64d196fc MSO!Ordinal3379+0x166
0040c518 64d1eeb6 MSO!Ordinal1075+0x2a5d
0040c53c 64d1968e MSO!Ordinal8926+0x88
0040c54c 64d194ff MSO!Ordinal1075+0x29ef
0040d248 64d19363 MSO!Ordinal1075+0x2860
0040d270 64d171e8 MSO!Ordinal1075+0x26c4
0040d37c 64cfb39b MSO!Ordinal1075+0x549
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for WWLIB.DLL - 
0040d3e8 50f9e150 MSO!Ordinal423+0x155
0040d4e0 50e051a0 WWLIB!DllGetLCID+0x1b20da
0040d524 50e05169 WWLIB!DllGetLCID+0x1912a
0040d85c 50c9fdee WWLIB!DllGetLCID+0x190f3
0040d94c 50c950b4 WWLIB!GetAllocCounters+0xa9996
0040d97c 50cb980e WWLIB!GetAllocCounters+0x9ec5c
0040d9d4 50c5050c WWLIB!GetAllocCounters+0xc33b6
0040da54 50bf47b5 WWLIB!GetAllocCounters+0x5a0b4
0040da94 766462fa WWLIB!DllGetClassObject+0xf161
0040dac0 76647316 user32!InternalCallWinProc+0x23
0040db38 76646de8 user32!UserCallWinProcCheckWow+0xd8
0040db94 76646e44 user32!DispatchClientMessage+0xe0
0040dbd0 7753010a user32!__fnDWORD+0x2b
0040dc5c 50c463ce ntdll_77520000!KiUserCallbackDispatcher+0x2e
0040dc6c 50e44725 WWLIB!GetAllocCounters+0x4ff76
0040dc84 50c45cad WWLIB!DllGetLCID+0x586af
0040dcac 50c446d9 WWLIB!GetAllocCounters+0x4f855
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for WINWORD.EXE - 
0040fe1c 2fe71625 WWLIB!GetAllocCounters+0x4e281
0040fe40 2fe715aa WINWORD+0x1625
0040fed0 769e336a WINWORD+0x15aa
0040fedc 77559f72 kernel32!BaseThreadInitThunk+0xe
0040ff1c 77559f45 ntdll_77520000!__RtlUserThreadStart+0x70
0040ff34 00000000 ntdll_77520000!_RtlUserThreadStart+0x1b

Example #3

Process Uptime: 0 days 0:03:04.000

0:000:x86> !runaway
User Mode Time
  Thread       Time
   0:2100      0 days 0:02:46.406
   5:1624      0 days 0:00:00.046
   3:2510      0 days 0:00:00.015
  11:2780      0 days 0:00:00.000
  10:21bc      0 days 0:00:00.000
   9:1e4c      0 days 0:00:00.000
   8:15b8      0 days 0:00:00.000
   7:1628      0 days 0:00:00.000
   6:1a90      0 days 0:00:00.000
   4:440       0 days 0:00:00.000
   2:2488      0 days 0:00:00.000
   1:147c      0 days 0:00:00.000
0:000:x86> k
ChildEBP RetAddr 
0040ad1c 663441f6 GdiPlus!FPUStateSaver::Round+0x18
0040ad28 6642c28c GdiPlus!GpRound+0x11
0040ad58 6642cc34 GdiPlus!GpRecolorObject::TransformColor5x5+0x199
0040ad6c 6642d03e GdiPlus!GpRecolorObject::ComputeColorTwist+0x91
0040ad90 66371894 GdiPlus!GpRecolorObject::ColorAdjust+0xfa
0040ada0 664312e1 GdiPlus!GpRecolor::ColorAdjust+0x1e
0040adb4 66430d81 GdiPlus!GpRecolorOp::Run+0x18
0040add8 6643be7d GdiPlus!GpBitmapOps::ReleasePixelDataBuffer+0x8a
0040ae90 6642d31e GdiPlus!GpWicDecoder::Decode+0x169
0040aea4 6642da0f GdiPlus!GpDecodedImage::InternalPushIntoSink+0x2d
0040aebc 6642e571 GdiPlus!GpDecodedImage::PushIntoSink+0x3c
0040af30 66384fc6 GdiPlus!GpMemoryBitmap::InitImageBitmap+0x15f
0040af84 66386c63 GdiPlus!CopyOnWriteBitmap::PipeLockBitsFromDecoder+0xa5
0040b060 66386e69 GdiPlus!CopyOnWriteBitmap::PipeLockBits+0x56b
0040b078 66391df8 GdiPlus!GpBitmap::PipeLockBits+0x50
0040b50c 66394718 GdiPlus!GpGraphics::DrvDrawImage+0x1eff
0040b604 6639487d GdiPlus!GpGraphics::DrawImage+0x386
0040b668 6635e8da GdiPlus!GpGraphics::DrawImage+0x66
0040b6dc 64d1f230 GdiPlus!GdipDrawImagePointsRect+0x1e5
WARNING: Stack unwind information not available. Following frames may be wrong.
0040b74c 64d1f58b MSO!Ordinal1458+0x20b
0040ba40 64d1ef43 MSO!Ordinal1458+0x566
0040ba9c 64d1ee85 MSO!Ordinal8926+0x115
0040baec 64d1bcbf MSO!Ordinal8926+0x57
0040c268 64d1e666 MSO!Ordinal6882+0x6a3
0040c2a4 64d1e5b8 MSO!Ordinal3379+0x214
0040c4f0 64d196fc MSO!Ordinal3379+0x166
0040c518 64d1eeb6 MSO!Ordinal1075+0x2a5d
0040c53c 64d1968e MSO!Ordinal8926+0x88
0040c54c 64d194ff MSO!Ordinal1075+0x29ef
0040d248 64d19363 MSO!Ordinal1075+0x2860
0040d270 64d171e8 MSO!Ordinal1075+0x26c4
0040d37c 64cfb39b MSO!Ordinal1075+0x549
0040d3e8 50f9e150 MSO!Ordinal423+0x155
0040d4e0 50e051a0 WWLIB!DllGetLCID+0x1b20da
0040d524 50e05169 WWLIB!DllGetLCID+0x1912a
0040d85c 50c9fdee WWLIB!DllGetLCID+0x190f3
0040d94c 50c950b4 WWLIB!GetAllocCounters+0xa9996
0040d97c 50cb980e WWLIB!GetAllocCounters+0x9ec5c
0040d9d4 50c5050c WWLIB!GetAllocCounters+0xc33b6
0040da54 50bf47b5 WWLIB!GetAllocCounters+0x5a0b4
0040da94 766462fa WWLIB!DllGetClassObject+0xf161
0040dac0 76647316 user32!InternalCallWinProc+0x23
0040db38 76646de8 user32!UserCallWinProcCheckWow+0xd8
0040db94 76646e44 user32!DispatchClientMessage+0xe0
0040dbd0 7753010a user32!__fnDWORD+0x2b
0040dc5c 50c463ce ntdll_77520000!KiUserCallbackDispatcher+0x2e
0040dc6c 50e44725 WWLIB!GetAllocCounters+0x4ff76
0040dc84 50c45cad WWLIB!DllGetLCID+0x586af
0040dcac 50c446d9 WWLIB!GetAllocCounters+0x4f855
0040fe1c 2fe71625 WWLIB!GetAllocCounters+0x4e281
0040fe40 2fe715aa WINWORD+0x1625
0040fed0 769e336a WINWORD+0x15aa
0040fedc 77559f72 kernel32!BaseThreadInitThunk+0xe
0040ff1c 77559f45 ntdll_77520000!__RtlUserThreadStart+0x70
0040ff34 00000000 ntdll_77520000!_RtlUserThreadStart+0x1b

In all three dumps !runaway shows the main thread (thread 0) consuming essentially all of the process's user-mode CPU time, and its stack is the same each time: Word is inside the GDI+ graphics library drawing an image (GdiPlus!GpGraphics::DrawImage), and in two of the three samples it is decoding the image through WIC (GpWicDecoder::Decode) and running a colour-adjust (recolor) pass over the pixels. So we are dealing with the graphics library; let's identify the module.

0:000:x86> lmvm gdiplus
start             end                 module name
66320000 664b0000   GdiPlus    (pdb symbols)          c:\symbols\MicrosoftWindowsGdiPlus-1.1.7601.17514-gdiplus.pdb\999409491C874F1DAA3DBBD44C54AC201\MicrosoftWindowsGdiPlus-1.1.7601.17514-gdiplus.pdb
    Loaded symbol image file: GdiPlus.dll
    Image path: C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\GdiPlus.dll
    Image name: GdiPlus.dll
    Timestamp:        Sat Nov 20 22:55:00 2010 (4CE7B714)
    CheckSum:         00191664
    ImageSize:        00190000
    File version:     6.1.7601.17514
    Product version:  6.1.7601.17514
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     gdiplus
    OriginalFilename: gdiplus
    ProductVersion:   6.1.7601.17514
    FileVersion:      6.1.7601.17514 (win7sp1_rtm.101119-1850)
    FileDescription:  Microsoft GDI+
    LegalCopyright:   © Microsoft Corporation. All rights reserved.


The reported symptom is that the image is not always displayed correctly, and the stacks show image processing in progress, so let's see if we can extract the image from the DMP file.

We'll start by checking whether any JPEGs are loaded. To do this we search process memory for the JFIF file header, which is the bytes FF D8 FF E0 00 10 4A 46 49 46 (the SOI marker, the APP0 marker, a segment length of 16 and the "JFIF" identifier). Note that this pattern only finds JFIF-style JPEGs; a JPEG with an Exif header instead starts FF D8 FF E1, and searching for just FF D8 FF would catch both:

0:000:x86> s 0 L?80000000 FF D8 FF E0 00 10 4A 46 49 46
06950000  ff d8 ff e0 00 10 4a 46-49 46 00 01 02 01 04 b0  ......JFIF......

Now we need to find the JPEG end-of-image (EOI) marker, which is the bytes FF D9. Taking the first FF D9 after the start is fine for a plain JFIF file like this one; a JPEG carrying an embedded Exif thumbnail contains an earlier FF D9 that belongs to the thumbnail, and stopping there would truncate the image.

0:000:x86> s -[sn1]b 06950000 L?80000000 FF D9
06d756dd  ff d9 00 00 00 00 00 00-00 00 00 00 00 00 00 00  …………….
                                             ^ Overflow error in ‘s -[sn1]b 06950000 l?80000000 FF D9’

The overflow error is expected, because we used sn1 to return a single result. Since the EOI marker is two bytes long, the image ends at 06d756dd+2, which gives us our end address. Now we just need to write out the file:

0:000:x86> .writemem c:\support\jpg1.jpg 6950000 L?(06d756dd+2-06950000)
Writing 4256df bytes

We need to use L? in this case because the range is larger than 1 MB: L? removes the debugger's automatic range-size limit that the plain L Size form is subject to. The reported byte count 0x4256df equals 06d756df - 06950000, which is a quick check that the range was computed correctly.

The image extracts fine and opens, and looking at its properties we can see it is a very high-resolution image: 9,922 x 14,032 pixels, about 139 megapixels. Decoded to 32-bit pixels that is over 550 MB of pixel data, and the stacks show GDI+ decoding and colour-adjusting it under DrawImage, which is exactly the work the main thread was spending its time on.
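The whole procedure above (find the JFIF header, find the EOI marker, write the range out) as a reusable carver. This is an added example and not code from the original post; it generalises the WinDbg steps to any raw dump or memory region: it matches SOI followed by any marker so Exif JPEGs (FF D8 FF E1) are found as well as JFIF ones, it walks the JPEG segment structure to the real EOI instead of stopping at the first FF D9 (which, in an Exif file, can belong to the embedded thumbnail), and it reads the dimensions from the SOFn header so an oversized image is obvious without opening the file. The sample "dump" at the bottom, the build_jpeg helper and the simplified Exif APP1 layout are constructed for the example, not taken from the post.

```python
"""Carve JPEG images out of a raw memory dump (added example, not from the post)."""
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
# SOFn markers carry the frame header (precision, height, width).
SOF_MARKERS = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7,
               0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}
# Markers with no length field: SOI, EOI, TEM, RST0-RST7.
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))


def parse_jpeg(buf, start):
    """Walk the segments of the JPEG at buf[start:]. Returns (end, width, height);
    end is one past the EOI, or None if the stream is truncated or corrupt."""
    if buf[start:start + 2] != SOI:
        return None, None, None
    pos, n, width, height = start + 2, len(buf), None, None
    while pos + 2 <= n:
        if buf[pos] != 0xFF:
            return None, width, height            # lost sync: not at a marker
        marker = buf[pos + 1]
        if marker == 0xFF:                        # fill byte before a marker
            pos += 1
            continue
        if marker == 0x00:                        # stuffed FF outside a scan
            return None, width, height
        if marker == 0xD9:                        # EOI: the real end of the image
            return pos + 2, width, height
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > n:
            return None, width, height
        seglen = struct.unpack(">H", buf[pos + 2:pos + 4])[0]
        if seglen < 2:
            return None, width, height
        if marker in SOF_MARKERS and width is None and pos + 9 <= n:
            height, width = struct.unpack(">HH", buf[pos + 5:pos + 9])
        pos += 2 + seglen                         # skip the segment (an APP1 thumbnail included)
        if marker == 0xDA:                        # SOS: entropy-coded data follows
            while pos + 1 < n:                    # FF 00 is a stuffed byte, FF D0-D7 a restart
                if buf[pos] == 0xFF and buf[pos + 1] != 0 and not 0xD0 <= buf[pos + 1] <= 0xD7:
                    break
                pos += 1
    return None, width, height


def carve_jpegs(buf):
    """Return [(start, end, width, height)] for every well-formed JPEG in buf."""
    found, pos = [], 0
    while (pos := buf.find(b"\xff\xd8\xff", pos)) >= 0:
        end, w, h = parse_jpeg(buf, pos)
        if end is None:
            pos += 1                              # false positive, keep scanning
        else:
            found.append((pos, end, w, h))
            pos = end                             # skip past it, embedded thumbnail included
    return found


def report(buf):
    """Per image: size, dimensions, decoded 32-bpp buffer size, and the size a
    naive 'first FF D9 after the header' search (as in the post) would give."""
    rows = []
    for start, end, w, h in carve_jpegs(buf):
        rows.append({"start": start, "size": end - start, "width": w, "height": h,
                     "decoded_mb": (w * h * 4 / 1e6) if w and h else None,
                     "naive_size": buf.find(EOI, start) + 2 - start})
    return rows


# --- constructed sample dump (not real data) ---------------------------------
def _seg(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_jpeg(width, height, app_segments=()):
    """Structurally valid (not decodable) JPEG: SOI, APPn..., SOF0, SOS, scan, EOI."""
    sof0 = b"\x08" + struct.pack(">HH", height, width) + b"\x01\x01\x11\x00"
    body = SOI + b"".join(_seg(m, p) for m, p in app_segments)
    return body + _seg(0xC0, sof0) + _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\xff\x00\x34" + EOI


JFIF_APP0 = (0xE0, b"JFIF\x00\x01\x02\x01\x04\xb0\x04\xb0\x00\x00")   # the header the post searched for
THUMB = build_jpeg(160, 120, [JFIF_APP0])
EXIF_APP1 = (0xE1, b"Exif\x00\x00" + THUMB)    # simplified: a real APP1 wraps the thumbnail in TIFF IFDs
SAMPLE_DUMP = (b"\x00" * 64 + build_jpeg(640, 480, [JFIF_APP0]) + b"\xab" * 40
               + build_jpeg(9922, 14032, [EXIF_APP1]) + b"\x00" * 32)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for i, row in enumerate(report(data)):
        print(f"jpg{i}.jpg: offset 0x{row['start']:x} size 0x{row['size']:x} "
              f"{row['width']}x{row['height']} (~{row['decoded_mb']:.0f} MB decoded)")
        if len(sys.argv) > 1:                     # write each carved image next to the script
            with open(f"jpg{i}.jpg", "wb") as f:
                f.write(data[row["start"]:row["start"] + row["size"]])
```

Run it with no arguments to see it on the constructed dump, or pass a file: a full-memory dump from Task Manager stores each memory region contiguously, so carving the raw .dmp usually finds the image directly; if not, dump the region with .writemem first and carve that. On the sample the Exif image's "naive" size (first FF D9) is shorter than its real size, which is the truncation the segment walk avoids.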


Reducing the image's size in the document fixed the issue.

About chentiangemalc

specializes in end-user computing technologies. disclaimer 1) use at your own risk. test any solution in your environment. if you do not understand the impact/consequences of what you're doing please stop, and ask advice from somebody who does. 2) views are my own at the time of posting and do not necessarily represent my current view or the view of my employer and family members/relatives. 3) over the years Microsoft/Citrix/VMWare have given me a few free shirts, pens, paper notebooks/etc. despite these gifts i will try to remain unbiased.
This entry was posted in Citrix, Office, WinDbg.
