Crash in TerminalControl!TextBuffer::InsertCharacter when resizing horizontal pane under stress

[Treit]

Environment

Windows build number: 10.0.20197.0
Windows Terminal version: 1.2.2381.0

Steps to reproduce

1. Open Windows Terminal
2. Press alt+shift+- (or whatever keybinding is set for this) to open a second horizontal pane
3. Build and run this TerminalStress application in the bottom pane.
4. While the stress test is running, press alt+shift+down arrow key to reduce the size of the pane. Repeat until the pane is reduced to the smallest possible height.
5. Press and hold alt+shift+up arrow key to grow the size of the pane upwards.

Expected behavior

The terminal does not crash.

Actual behavior

The terminal crashes (FAST_FAIL_FATAL_APP_EXIT) in TerminalControl!TextBuffer::InsertCharacter+0x1fc [E:\BA\167\s\src\buffer\out\textBuffer.cpp @ 401]

Call stack

E:\BA\167\s\src\buffer\out\textBuffer.cpp(280)\TerminalControl.dll!00007FFC8EDFBC9C: (caller: 00007FFC8EDFFC97) FailFast(1) tid(a110) 8000FFFF Catastrophic failure
(102c4.a110): Security check failure or stack buffer overrun - code c0000409 (!!! second chance !!!)
Subcode: 0x7 FAST_FAIL_FATAL_APP_EXIT 

0:000> k
 # Child-SP          RetAddr               Call Site
00 000000b1`318fce90 00007ffc`8eda2179     KERNELBASE!RaiseFailFastException+0x153 [minkernel\kernelbase\xcpt.c @ 1206] 
01 000000b1`318fd470 00007ffc`8eda1f78     TerminalControl!wil::details::WilDynamicLoadRaiseFailFastException+0x49 [E:\BA\167\s\dep\wil\include\wil\result_macros.h @ 1773] 
02 000000b1`318fd4a0 00007ffc`8eda2fed     TerminalControl!wil::details::WilRaiseFailFastException+0x18 [E:\BA\167\s\dep\wil\include\wil\result_macros.h @ 1714] 
03 000000b1`318fd4d0 00007ffc`8eda4f71     TerminalControl!wil::details::WilFailFast+0xdd [E:\BA\167\s\dep\wil\include\wil\result_macros.h @ 3420] 
04 000000b1`318fd5a0 00007ffc`8eda301e     TerminalControl!wil::details::ReportFailure_NoReturn<3>+0x221 [E:\BA\167\s\dep\wil\include\wil\result_macros.h @ 3463] 
05 000000b1`318fea90 00007ffc`8eda304a     TerminalControl!wil::details::ReportFailure_Base<3,0>+0x2e [E:\BA\167\s\dep\wil\include\wil\result_macros.h @ 3488] 
06 000000b1`318feaf0 00007ffc`8eda312b     TerminalControl!wil::details::ReportFailure_Hr<3>+0x2a [E:\BA\167\s\dep\wil\include\wil\result_macros.h @ 3649] 
07 000000b1`318feb50 00007ffc`8edfbc9c     TerminalControl!wil::details::in1diag3::FailFast_Unexpected+0x1b [E:\BA\167\s\dep\wil\include\wil\result_macros.h @ 5187] 
08 (Inline Function) --------`--------     TerminalControl!wil::details::in1diag3::FailFast_If+0x1b8 [E:\BA\167\s\dep\wil\include\wil\result_macros.h @ 5201] 
09 (Inline Function) --------`--------     TerminalControl!TextBuffer::_PrepareForDoubleByteSequence+0x1c9 [E:\BA\167\s\src\buffer\out\textBuffer.cpp @ 280] 
0a 000000b1`318feba0 00007ffc`8edffc97     TerminalControl!TextBuffer::InsertCharacter+0x1fc [E:\BA\167\s\src\buffer\out\textBuffer.cpp @ 401] 
0b 000000b1`318fec40 00007ffc`8ee1e25e     TerminalControl!TextBuffer::Reflow+0x327 [E:\BA\167\s\src\buffer\out\textBuffer.cpp @ 2048] 
0c 000000b1`318fed50 00007ffc`8edb9962     TerminalControl!Microsoft::Terminal::Core::Terminal::UserResize+0x26e [E:\BA\167\s\src\cascadia\TerminalCore\Terminal.cpp @ 224] 
0d 000000b1`318feec0 00007ffc`8edea019     TerminalControl!winrt::Microsoft::Terminal::TerminalControl::implementation::TermControl::_DoResizeUnderLock+0x222 [E:\BA\167\s\src\cascadia\TerminalControl\TermControl.cpp @ 2056] 
0e (Inline Function) --------`--------     TerminalControl!winrt::Microsoft::Terminal::TerminalControl::implementation::TermControl::_SwapChainSizeChanged+0xe3 [E:\BA\167\s\src\cascadia\TerminalControl\TermControl.cpp @ 1892] 
0f 000000b1`318fef50 00007ffc`8edebb66     TerminalControl!<lambda_edee66ccb3a90405ff9481f66788b815>::operator()+0x149 [E:\BA\167\s\src\cascadia\TerminalControl\Generated Files\TermControl.xaml.g.hpp @ 214] 
10 000000b1`318fefc0 00007ffc`bf7cbe18     TerminalControl!winrt::impl::delegate<winrt::Windows::UI::Xaml::SizeChangedEventHandler,<lambda_edee66ccb3a90405ff9481f66788b815> >::Invoke+0x26 [E:\BA\167\s\src\cascadia\TerminalControl\Generated Files\winrt\Windows.UI.Xaml.h @ 4681] 
11 000000b1`318ff000 00007ffc`bf7cb08a     Windows_UI_Xaml!DirectUI::CRoutedEventSourceBase<DirectUI::IUntypedEventSource,Windows::UI::Xaml::ISizeChangedEventHandler,IInspectable,Windows::UI::Xaml::ISizeChangedEventArgs>::Raise+0xf0 [onecoreuap\windows\dxaml\xcp\dxaml\lib\JoltClasses.h @ 1041] 
12 000000b1`318ff0a0 00007ffc`bf7cad2c     Windows_UI_Xaml!DirectUI::FrameworkElement::OnSizeChanged+0x3a [onecoreuap\windows\dxaml\xcp\dxaml\lib\frameworkelement_partial.cpp @ 1096] 
13 000000b1`318ff0d0 00007ffc`bfa33c81     Windows_UI_Xaml!DirectUI::DXamlCore::RaiseEvent+0x1ac [onecoreuap\windows\dxaml\xcp\dxaml\lib\dxamlcore.cpp @ 2032] 
14 (Inline Function) --------`--------     Windows_UI_Xaml!AgCoreCallbacks::RaiseEvent+0x22 [onecoreuap\windows\dxaml\xcp\dxaml\lib\fxcallbacks.cpp @ 100] 
15 (Inline Function) --------`--------     Windows_UI_Xaml!CFxCallbacks::JoltHelper_RaiseEvent+0x22 [onecoreuap\windows\dxaml\xcp\dxaml\lib\fxcallbacks.cpp @ 1018] 
16 000000b1`318ff170 00007ffc`bf839df6     Windows_UI_Xaml!CLayoutManager::RaiseSizeChangedEvents+0x1c9 [onecoreuap\windows\dxaml\xcp\core\layout\layoutmanager.cpp @ 472] 
17 000000b1`318ff380 00007ffc`bf838eb8     Windows_UI_Xaml!CLayoutManager::UpdateLayout+0x296 [onecoreuap\windows\dxaml\xcp\core\layout\layoutmanager.cpp @ 338] 
18 000000b1`318ff410 00007ffc`bf8072a7     Windows_UI_Xaml!CCoreServices::NWDrawTree+0x248 [onecoreuap\windows\dxaml\xcp\core\dll\xcpcore.cpp @ 6292] 
19 000000b1`318ff520 00007ffc`bf807131     Windows_UI_Xaml!CCoreServices::NWDrawMainTree+0xb7 [onecoreuap\windows\dxaml\xcp\core\dll\xcpcore.cpp @ 6082] 
1a 000000b1`318ff580 00007ffc`bf806ca0     Windows_UI_Xaml!CWindowRenderTarget::Draw+0x71 [onecoreuap\windows\dxaml\xcp\core\compositor\windowrendertarget.cpp @ 136] 
1b 000000b1`318ff5c0 00007ffc`bf8df761     Windows_UI_Xaml!CXcpBrowserHost::OnTick+0xa0 [onecoreuap\windows\dxaml\xcp\host\win\browserdesktop\winbrowserhost.cpp @ 545] 
1c 000000b1`318ff620 00007ffc`bf8df644     Windows_UI_Xaml!CXcpDispatcher::Tick+0xa1 [onecoreuap\windows\dxaml\xcp\win\shared\xcpwindow.cpp @ 1449] 
1d 000000b1`318ff660 00007ffc`bf890a9c     Windows_UI_Xaml!CXcpDispatcher::OnReentrancyProtectedWindowMessage+0x44 [onecoreuap\windows\dxaml\xcp\win\shared\xcpwindow.cpp @ 1048] 
1e 000000b1`318ff690 00007ffc`bf890930     Windows_UI_Xaml!CXcpDispatcher::ProcessMessage+0xdc [onecoreuap\windows\dxaml\xcp\win\shared\xcpwindow.cpp @ 893] 
1f 000000b1`318ff6d0 00007ffc`bf806e55     Windows_UI_Xaml!CXcpDispatcher::WindowProc+0x90 [onecoreuap\windows\dxaml\xcp\win\shared\xcpwindow.cpp @ 839] 
20 000000b1`318ff740 00007ffc`bf806d4c     Windows_UI_Xaml!CDeferredInvoke::DispatchQueuedMessage+0xc5 [onecoreuap\windows\dxaml\xcp\win\shared\xcpwindow.cpp @ 301] 
21 (Inline Function) --------`--------     Windows_UI_Xaml!CXcpDispatcher::MessageTimerCallback+0x13 [onecoreuap\windows\dxaml\xcp\win\shared\xcpwindow.cpp @ 1534] 
22 000000b1`318ff790 00007ffc`c19d9ab0     Windows_UI_Xaml!CXcpDispatcher::MessageTimerCallbackStatic+0x1c [onecoreuap\windows\dxaml\xcp\win\shared\xcpwindow.cpp @ 1526] 
23 (Inline Function) --------`--------     CoreMessaging!Microsoft::CoreUI::Dispatch::TimeoutHandler::ImportAdapter$::__l2::<lambda_654db17c35df07198786f0867aa10de6>::operator()+0x1f [mincore\CoreUI\Dev\System\Dispatch\TimeoutHandler.cs @ 16] 
24 000000b1`318ff7c0 00007ffc`c19d9a01     CoreMessaging!CFlat::SehSafe::Execute<<lambda_654db17c35df07198786f0867aa10de6> >+0x2c [CFlatCorlib\1.0.200610008\CFlatCorlib\SehSafe.inl @ 11] 
25 000000b1`318ff7f0 00007ffc`c1a03eae     CoreMessaging!Microsoft::CoreUI::Dispatch::TimeoutHandler::ImportAdapter$+0xb1 [mincore\CoreUI\Dev\System\Dispatch\TimeoutHandler.cs @ 16] 
26 (Inline Function) --------`--------     CoreMessaging!CFlat::DelegateImpl<Microsoft::CoreUI::Dispatch::TimeoutHandler,0,void __cdecl(void),long __cdecl(void *),0>::Invoke+0x22 [CFlatCorlib\1.0.200610008\CFlatCorlib\Delegate.h @ 334] 
27 000000b1`318ff840 00007ffc`c1a003e8     CoreMessaging!Microsoft::CoreUI::Dispatch::TimeoutManager::Callback_OnDispatch+0x26e [mincore\CoreUI\Dev\System\Dispatch\TimeoutManager.cs @ 369] 
28 (Inline Function) --------`--------     CoreMessaging!Microsoft::CoreUI::Dispatch::Dispatcher::Callback_DispatchNextItem+0x11f [mincore\CoreUI\Dev\System\Dispatch\Dispatcher.cs @ 896] 
29 (Inline Function) --------`--------     CoreMessaging!Microsoft::CoreUI::Dispatch::Dispatcher::Callback_DispatchLoop+0x1ce [mincore\CoreUI\Dev\System\Dispatch\Dispatcher.cs @ 461] 
2a 000000b1`318ff8e0 00007ffc`c19fedf9     CoreMessaging!Microsoft::CoreUI::Dispatch::EventLoop::Callback_RunCoreLoop+0x2d8 [mincore\CoreUI\Dev\System\Dispatch\EventLoop.cs @ 607] 
2b (Inline Function) --------`--------     CoreMessaging!Microsoft::CoreUI::Dispatch::UserAdapter::DrainCoreMessagingQueue+0x1a1 [mincore\CoreUI\Dev\System\Dispatch\UserAdapter.cs @ 745] 
2c 000000b1`318ff9a0 00007ffc`c19fe968     CoreMessaging!Microsoft::CoreUI::Dispatch::UserAdapter::OnUserDispatch+0x229 [mincore\CoreUI\Dev\System\Dispatch\UserAdapter.cs @ 1080] 
2d (Inline Function) --------`--------     CoreMessaging!Microsoft::CoreUI::Dispatch::UserAdapter::OnUserDispatchRaw+0x6f [mincore\CoreUI\Dev\System\Dispatch\UserAdapter.cs @ 1005] 
2e 000000b1`318ffa40 00007ffc`c19fe6d7     CoreMessaging!Microsoft::CoreUI::Dispatch::UserAdapter::DoWork+0x1e8 [mincore\coreui\dev\system\Dispatch\UserAdapterCommonN.cpp @ 205] 
2f 000000b1`318ffac0 00007ffc`c74405e9     CoreMessaging!Microsoft::CoreUI::Dispatch::UserAdapter::WindowProc+0x87 [mincore\coreui\dev\system\Dispatch\UserAdapterCommonN.cpp @ 137] 
30 000000b1`318ffb30 00007ffc`c743f933     user32!UserCallWinProcCheckWow+0x319 [clientcore\windows\core\ntuser\client\clmsg.cxx @ 280] 
31 000000b1`318ffcc0 00007ff6`5740534b     user32!DispatchMessageWorker+0x273 [clientcore\windows\core\ntuser\client\clmsg.cxx @ 3157] 
32 000000b1`318ffd40 00007ff6`57412a72     WindowsTerminal!wWinMain+0x3fb [E:\BA\167\s\src\cascadia\WindowsTerminal\main.cpp @ 132] 
33 (Inline Function) --------`--------     WindowsTerminal!invoke_main+0x21 [D:\agent\_work\9\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 118] 
34 000000b1`318ffee0 00007ffc`c6a330f4     WindowsTerminal!__scrt_common_main_seh+0x106 [D:\agent\_work\9\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 288] 
35 000000b1`318fff20 00007ffc`c816dd9b     KERNEL32!BaseThreadInitThunk+0x14 [clientcore\base\win32\client\thread.c @ 64] 
36 000000b1`318fff50 00000000`00000000     ntdll!RtlUserThreadStart+0x2b [minkernel\ntdll\rtlstrt.c @ 1153] 

[DHowett]

This seems to be the same as #4907.

[DHowett]

/dup #4907

[ghost]

Hi! We've identified this issue as a duplicate of another one that already exists on this Issue Tracker. This specific instance is being closed in favor of tracking the concern over on the referenced thread. Thanks for your report!