[gdalsnes] 16829: merge from trunk 16686-16827 - Ros-diffs

28 Jul 2005

merge from trunk 16686-16827
misc stuff
still crash often due to referencing problems/freed message queue
Added: branches/win32k rewrite attempt/win32k/docs/
Added: branches/win32k rewrite attempt/win32k/docs/refs.txt
Modified: branches/win32k rewrite attempt/win32k/eng/event.c
Modified: branches/win32k rewrite attempt/win32k/include/focus.h
Modified: branches/win32k rewrite attempt/win32k/include/mmcopy.h
Modified: branches/win32k rewrite attempt/win32k/include/userfuncs.h
Modified: branches/win32k rewrite attempt/win32k/misc/copy.c
Modified: branches/win32k rewrite attempt/win32k/ntuser/class.c
Modified: branches/win32k rewrite attempt/win32k/ntuser/focus.c
Modified: branches/win32k rewrite attempt/win32k/ntuser/input.c
Modified: branches/win32k rewrite attempt/win32k/ntuser/monitor.c
Modified: branches/win32k rewrite attempt/win32k/ntuser/window.c
Modified: branches/win32k rewrite attempt/win32k/ntuser/winpos.c
Modified: branches/win32k rewrite attempt/win32k/objects/brush.c
Modified: branches/win32k rewrite attempt/win32k/objects/cliprgn.c
Modified: branches/win32k rewrite attempt/win32k/objects/color.c
Modified: branches/win32k rewrite attempt/win32k/objects/coord.c
Modified: branches/win32k rewrite attempt/win32k/objects/dc.c
Modified: branches/win32k rewrite attempt/win32k/objects/dib.c
Modified: branches/win32k rewrite attempt/win32k/objects/fillshap.c
Modified: branches/win32k rewrite attempt/win32k/objects/line.c
Modified: branches/win32k rewrite attempt/win32k/objects/pen.c
Modified: branches/win32k rewrite attempt/win32k/objects/print.c
Modified: branches/win32k rewrite attempt/win32k/objects/rect.c
Modified: branches/win32k rewrite attempt/win32k/objects/region.c
Modified: branches/win32k rewrite attempt/win32k/objects/text.c
Modified: branches/win32k rewrite attempt/win32k/tests/win32k.xml
Modified: branches/win32k rewrite attempt/win32k/win32k.xml
  _____
Added: branches/win32k rewrite attempt/win32k/docs/refs.txt

--- branches/win32k rewrite attempt/win32k/docs/refs.txt
2005-07-28 11:48:58 UTC (rev 16828)
+++ branches/win32k rewrite attempt/win32k/docs/refs.txt
2005-07-28 13:40:52 UTC (rev 16829)
@@ -0,0 +1,26 @@
+References:
+-----------
+
+window -> desktop
+window -> class
+
+window -> queue/thread_input ?????????
+thread -> queue/thread_input ?????????
+
+thread -> process
+process -> winsta
+thread -> desktop
+desktop -> winsta
+winsta -> session
+
+
+Above references create following dependencies:
+-----------------------------------------------
+
+window -> desktop -> winsta -> session
+window -> class
+
+thread -> process -> winsta -> session
+thread -> desktop -> winsta -> session
+
+process -> winsta -> session
  _____
Modified: branches/win32k rewrite attempt/win32k/eng/event.c
--- branches/win32k rewrite attempt/win32k/eng/event.c	2005-07-28
11:48:58 UTC (rev 16828)
+++ branches/win32k rewrite attempt/win32k/eng/event.c	2005-07-28
13:40:52 UTC (rev 16829)
@@ -36,7 +36,7 @@
STDCALL
 EngCreateEvent ( OUT PEVENT *Event )
 {
-  (*Event) = ExAllocatePool(NonPagedPool, sizeof(TAG_DRIVER));
+  (*Event) = ExAllocatePool(NonPagedPool, sizeof(KEVENT));
   if ((*Event) == NULL)
     {
       return FALSE;
  _____
Modified: branches/win32k rewrite attempt/win32k/include/focus.h
--- branches/win32k rewrite attempt/win32k/include/focus.h
2005-07-28 11:48:58 UTC (rev 16828)
+++ branches/win32k rewrite attempt/win32k/include/focus.h
2005-07-28 13:40:52 UTC (rev 16829)
@@ -9,9 +9,8 @@
PWINDOW_OBJECT FASTCALL
 UserGetFocusWindow();
-PWINDOW_OBJECT FASTCALL
-IntGetForegroundWindow(VOID);
+
 /*
  * These functions take the window handles from current thread queue.
  */
  _____
Modified: branches/win32k rewrite attempt/win32k/include/mmcopy.h
--- branches/win32k rewrite attempt/win32k/include/mmcopy.h
2005-07-28 11:48:58 UTC (rev 16828)
+++ branches/win32k rewrite attempt/win32k/include/mmcopy.h
2005-07-28 13:40:52 UTC (rev 16829)
@@ -4,8 +4,9 @@
#include <pseh/pseh.h>
NTSTATUS _MmCopyFromCaller( PVOID Target, PVOID Source, UINT Bytes );
+NTSTATUS _MmCopyToCaller( PVOID Target, PVOID Source, UINT Bytes );
#define MmCopyFromCaller(x,y,z)
_MmCopyFromCaller((PCHAR)(x),(PCHAR)(y),(UINT)(z))
-#define MmCopyToCaller(x,y,z) MmCopyFromCaller(x,y,z)
+#define MmCopyToCaller(x,y,z)
_MmCopyToCaller((PCHAR)(x),(PCHAR)(y),(UINT)(z))
#endif/*NDK_MMCOPY_H*/
  _____
Modified: branches/win32k rewrite attempt/win32k/include/userfuncs.h
--- branches/win32k rewrite attempt/win32k/include/userfuncs.h
2005-07-28 11:48:58 UTC (rev 16828)
+++ branches/win32k rewrite attempt/win32k/include/userfuncs.h
2005-07-28 13:40:52 UTC (rev 16829)
@@ -38,8 +38,12 @@
NTSTATUS FASTCALL 
 UserAcquireOrReleaseInputOwnership(BOOLEAN Release);
-/* focus.c */
+/******************** FOCUS.C ********************************/
+
 PWINDOW_OBJECT FASTCALL
+UserGetForegroundWindow(VOID);
+
+PWINDOW_OBJECT FASTCALL
 UserSetFocus(PWINDOW_OBJECT Wnd OPTIONAL);
@@ -96,7 +100,8 @@
 UserCreateMenuObject(HANDLE* h);
-/* caret.c */
+/************************* CARET.C ****************************/
+
 BOOL FASTCALL
 UserShowCaret(PWINDOW_OBJECT Wnd);
@@ -106,12 +111,14 @@
 BOOL FASTCALL
 UserHideCaret(PWINDOW_OBJECT Wnd);
-/* winpos.c */
+/************************* WINPOS.C ****************************/
+
 BOOL FASTCALL
 UserGetClientOrigin(PWINDOW_OBJECT hWnd, LPPOINT Point);
-/* scrollbar.c */
+/************************* SCROLLBAR.C ****************************/
+
 DWORD FASTCALL
 UserShowScrollBar(PWINDOW_OBJECT Wnd, int wBar, DWORD bShow);
@@ -144,7 +151,7 @@
 ClassReferenceClass(PWNDCLASS_OBJECT Class);
VOID FASTCALL
-ClassDereferenceClass(PWNDCLASS_OBJECT Class);
+UserDereferenceClass(PWNDCLASS_OBJECT Class);
PWNDCLASS_OBJECT FASTCALL 
 ClassCreateClass(DWORD bytes);
  _____
Modified: branches/win32k rewrite attempt/win32k/misc/copy.c
--- branches/win32k rewrite attempt/win32k/misc/copy.c	2005-07-28
11:48:58 UTC (rev 16828)
+++ branches/win32k rewrite attempt/win32k/misc/copy.c	2005-07-28
13:40:52 UTC (rev 16829)
@@ -2,9 +2,23 @@
NTSTATUS _MmCopyFromCaller( PVOID Target, PVOID Source, UINT Bytes ) {
     NTSTATUS Status = STATUS_SUCCESS;
+    
+    _SEH_TRY {
+        ProbeForRead(Source,Bytes,1);
+        RtlCopyMemory(Target,Source,Bytes);
+    } _SEH_HANDLE {
+	Status = _SEH_GetExceptionCode();
+    } _SEH_END;
+    return Status;
+}
+
+NTSTATUS _MmCopyToCaller( PVOID Target, PVOID Source, UINT Bytes ) {
+    NTSTATUS Status = STATUS_SUCCESS;
+    
     _SEH_TRY {
-	RtlCopyMemory(Target,Source,Bytes);
+        ProbeForWrite(Target,Bytes,1);
+        RtlCopyMemory(Target,Source,Bytes);
     } _SEH_HANDLE {
    Status = _SEH_GetExceptionCode();
     } _SEH_END;
  _____
Modified: branches/win32k rewrite attempt/win32k/ntuser/class.c
--- branches/win32k rewrite attempt/win32k/ntuser/class.c
2005-07-28 11:48:58 UTC (rev 16828)
+++ branches/win32k rewrite attempt/win32k/ntuser/class.c
2005-07-28 13:40:52 UTC (rev 16829)
@@ -54,7 +54,7 @@
}
VOID FASTCALL
-ClassDereferenceClass(PWNDCLASS_OBJECT Class)
+UserDereferenceClass(PWNDCLASS_OBJECT Class)
 {
    //if (--Class->RefCount == 0)
    //{
@@ -319,7 +319,7 @@
          if (ClassObject->hInstance == lpwcx->hInstance)
          {
             SetLastWin32Error(ERROR_CLASS_ALREADY_EXISTS);
-            ClassDereferenceClass(ClassObject);
+            UserDereferenceClass(ClassObject);
             return(NULL);
          }
       }
@@ -739,7 +739,7 @@
if (Class->hInstance && Class->hInstance != hInstance)
    {
-      ClassDereferenceClass(Class);
+      UserDereferenceClass(Class);
       SetLastWin32Error(ERROR_CLASS_DOES_NOT_EXIST);
       RETURN(FALSE);
    }
@@ -747,20 +747,20 @@
    if (!IsListEmpty(&Class->ClassWindowsListHead))
    {
       /* Dereference the ClassReferenceClassByNameOrAtom() call */
-      ClassDereferenceClass(Class);
+      UserDereferenceClass(Class);
       SetLastWin32Error(ERROR_CLASS_HAS_WINDOWS);
       RETURN(FALSE);
    }
/* Dereference the ClassReferenceClassByNameOrAtom() call */
-   ClassDereferenceClass(Class);
+   UserDereferenceClass(Class);
RemoveEntryList(&Class->ListEntry);
RtlDeleteAtomFromAtomTable(WinStaObject->AtomTable, Class->Atom);
/* Free the object */
-   ClassDereferenceClass(Class);
+   UserDereferenceClass(Class);
RETURN(TRUE);
_____
Modified: branches/win32k rewrite attempt/win32k/ntuser/focus.c
--- branches/win32k rewrite attempt/win32k/ntuser/focus.c
2005-07-28 11:48:58 UTC (rev 16828)
+++ branches/win32k rewrite attempt/win32k/ntuser/focus.c
2005-07-28 13:40:52 UTC (rev 16829)
@@ -91,7 +91,7 @@
/* FIXME: IntIsWindow */
-      IntPostOrSendMessage(hWnd, WM_NCACTIVATE, (WPARAM)(Window ==
IntGetForegroundWindow()), 0);
+      IntPostOrSendMessage(hWnd, WM_NCACTIVATE, (WPARAM)(Window ==
UserGetForegroundWindow()), 0);
       /* FIXME: WA_CLICKACTIVE */
       IntPostOrSendMessage(hWnd, WM_ACTIVATE,
                            MAKEWPARAM(MouseActivate ? WA_CLICKACTIVE :
WA_ACTIVE,
@@ -340,8 +340,9 @@
    DPRINT("Enter NtUserGetForegroundWindow\n");
    UserEnterExclusive();
-   PUSER_MESSAGE_QUEUE ForegroundQueue = UserGetFocusMessageQueue();
-   RETURN(ForegroundQueue != NULL ? ForegroundQueue->ActiveWindow : 0);
+   //PUSER_MESSAGE_QUEUE ForegroundQueue = UserGetFocusMessageQueue();
+   //RETURN(ForegroundQueue != NULL ? ForegroundQueue->ActiveWindow :
0);
+   RETURN(GetHwnd(UserGetForegroundWindow()));
CLEANUP:
    DPRINT("Leave NtUserGetForegroundWindow, ret=%i\n",_ret_);
@@ -352,7 +353,7 @@
PWINDOW_OBJECT FASTCALL
-IntGetForegroundWindow(VOID)
+UserGetForegroundWindow(VOID)
 {
    PUSER_MESSAGE_QUEUE ForegroundQueue = UserGetFocusMessageQueue();
_____
Modified: branches/win32k rewrite attempt/win32k/ntuser/input.c
--- branches/win32k rewrite attempt/win32k/ntuser/input.c
2005-07-28 11:48:58 UTC (rev 16828)
+++ branches/win32k rewrite attempt/win32k/ntuser/input.c
2005-07-28 13:40:52 UTC (rev 16829)
@@ -379,13 +379,11 @@
MSG Mesg;
   NTSTATUS Status;
-//  Status =
ObmReferenceObjectByHandle(InputWindowStation->HandleTable,
-//
InputWindowStation->ShellWindow,
-//				      otWindow,
-//				      (PVOID *)&Window);
-
-  Window = IntGetWindowObject( InputWindowStation->ShellWindow);
-
+  Window = UserGetObject(
+      &InputWindowStation->HandleTable, 
+      InputWindowStation->ShellWindow, 
+      USER_WINDOW);
+      
   if (!NT_SUCCESS(Status))
     {
       DPRINT1("Couldn't find window to send Windows key message!\n");
@@ -399,8 +397,6 @@
/* The QS_HOTKEY is just a guess */
   MsqPostMessage(Window->MessageQueue, &Mesg, FALSE, QS_HOTKEY);
-
-//  ObmDereferenceObject(Window);
 }
STATIC VOID STDCALL
@@ -930,7 +926,6 @@
   SwapButtons = CurInfo->SwapButtons;
   DoMove = FALSE;
-//  ExAcquireFastMutex(&CurInfo->CursorMutex);
   UserGetCursorLocation(WinSta, &MousePos);
   OrgPos.x = MousePos.x;
   OrgPos.y = MousePos.y;
@@ -948,17 +943,18 @@
       MousePos.y += mi->dy;
     }
-//    Status = ObmReferenceObjectByHandle(WinSta->HandleTable,
-//      WinSta->ActiveDesktop->DesktopWindow, otWindow,
(PVOID*)&DesktopWindow);
-
-   DesktopWindow = UserGetDesktopWindow();
+   //FIXME: make typename like HACCEL, HWND -> USER_WND, USER_ACCEL
+   DesktopWindow = UserGetObject(
+      &WinSta->HandleTable, 
+      WinSta->ActiveDesktop->DesktopWindow, 
+      USER_WINDOW);
+   
     if (DesktopWindow)
     {
       if(MousePos.x >= DesktopWindow->ClientRect.right)
         MousePos.x = DesktopWindow->ClientRect.right - 1;
       if(MousePos.y >= DesktopWindow->ClientRect.bottom)
         MousePos.y = DesktopWindow->ClientRect.bottom - 1;
-//      ObmDereferenceObject(DesktopWindow);
     }
if(MousePos.x < 0)
@@ -983,7 +979,6 @@
     DoMove = (MousePos.x != OrgPos.x || MousePos.y != OrgPos.y);
   }
-//  ExReleaseFastMutex(&CurInfo->CursorMutex);
if (DoMove)
   {
@@ -1000,9 +995,9 @@
IntEngMovePointer(SurfObj, MousePos.x, MousePos.y,
&(GDIDEV(SurfObj)->Pointer.Exclude));
         /* Only now, update the info in the GDIDEVICE, so
EngMovePointer can
-	 * use the old values to move the pointer image */
-	GDIDEV(SurfObj)->Pointer.Pos.x = MousePos.x;
-	GDIDEV(SurfObj)->Pointer.Pos.y = MousePos.y;
+         * use the old values to move the pointer image */
+        GDIDEV(SurfObj)->Pointer.Pos.x = MousePos.x;
+        GDIDEV(SurfObj)->Pointer.Pos.y = MousePos.y;
BITMAPOBJ_UnlockBitmap(BitmapObj);
       }
@@ -1019,7 +1014,7 @@
   if(DoMove)
   {
     Msg.message = WM_MOUSEMOVE;
-    //FIXME: uhm... Msg is built on stack...
+    /* Msg is built on stack but MsqInsertSystemMessage copies it, so
its ok */
     MsqInsertSystemMessage(&Msg);
   }
_____
Modified: branches/win32k rewrite attempt/win32k/ntuser/monitor.c
--- branches/win32k rewrite attempt/win32k/ntuser/monitor.c
2005-07-28 11:48:58 UTC (rev 16828)
+++ branches/win32k rewrite attempt/win32k/ntuser/monitor.c
2005-07-28 13:40:52 UTC (rev 16829)
@@ -111,7 +111,6 @@
HANDLE Handle;
   PMONITOR_OBJECT Monitor;
-//  Monitor =
ObmCreateObject(PsGetWin32Thread()->Desktop->WindowStation->HandleTable,
&Handle, otMonitor, sizeof (MONITOR_OBJECT));
   Monitor = UserCreateMonitorObject(&Handle); 
   if (Monitor == NULL)
     {
@@ -174,10 +173,7 @@
 IntGetMonitorObject(IN HMONITOR hMonitor)
 {
   PMONITOR_OBJECT Monitor;
-//  NTSTATUS Status;
-//  Status =
ObmReferenceObjectByHandle(PsGetWin32Thread()->Desktop->WindowStation->H
andleTable, hMonitor, otMonitor, (PVOID *)&Monitor);
-
   Monitor = UserGetMonitorObject(hMonitor); 
   if (!Monitor)
     {
  _____
Modified: branches/win32k rewrite attempt/win32k/ntuser/window.c
--- branches/win32k rewrite attempt/win32k/ntuser/window.c
2005-07-28 11:48:58 UTC (rev 16828)
+++ branches/win32k rewrite attempt/win32k/ntuser/window.c
2005-07-28 13:40:52 UTC (rev 16829)
@@ -428,7 +428,7 @@
RemoveEntryList(&Window->ClassListEntry);
/* dereference the class */
-  ClassDereferenceClass(Window->Class);
+  UserDereferenceClass(Window->Class);
   Window->Class = NULL;
if(Window->WindowRegion)
@@ -495,7 +495,7 @@
   pwi->rcClient = WindowObject->ClientRect;
   pwi->dwStyle = WindowObject->Style;
   pwi->dwExStyle = WindowObject->ExStyle;
-  pwi->dwWindowStatus = (IntGetForegroundWindow() == WindowObject); /*
WS_ACTIVECAPTION */
+  pwi->dwWindowStatus = (UserGetForegroundWindow() == WindowObject); /*
WS_ACTIVECAPTION */
   IntGetWindowBorderMeasures(WindowObject, &pwi->cxWindowBorders,
&pwi->cyWindowBorders);
   pwi->atomWindowType = (WindowObject->Class ?
WindowObject->Class->Atom : 0);
   pwi->wCreatorVersion = 0x400; /* FIXME - return a real version number
*/
@@ -510,13 +510,19 @@
 {
   PMENU_OBJECT OldMenuObject, NewMenuObject = NULL;
+  if ((WindowObject->Style & (WS_CHILD | WS_POPUP)) == WS_CHILD)
+    {
+      SetLastWin32Error(ERROR_INVALID_WINDOW_HANDLE);
+      return FALSE;
+    }
+
   *Changed = (WindowObject->IDMenu != (UINT) Menu);
   if (! *Changed)
     {
       return TRUE;
     }
-  if (0 != WindowObject->IDMenu)
+  if (WindowObject->IDMenu)
     {
       OldMenuObject = UserGetMenuObject((HMENU) WindowObject->IDMenu);
       ASSERT(NULL == OldMenuObject || OldMenuObject->MenuInfo.Wnd ==
WindowObject->Self);
@@ -574,12 +580,24 @@
 DestroyThreadWindows(struct _ETHREAD *Thread)
 {
   PLIST_ENTRY Current;
-  PW32PROCESS Win32Process;
+//  PW32PROCESS Win32Process;
   PW32THREAD Win32Thread;
-  PWINDOW_OBJECT *List, *pWnd;
-  ULONG Cnt = 0;
+//  PWINDOW_OBJECT *List, *pWnd, Wnd;
+   PWINDOW_OBJECT Wnd;
+//  ULONG Cnt = 0;
Win32Thread = Thread->Tcb.Win32Thread;
+  
+  while (!IsListEmpty(&Win32Thread->WindowListHead))
+  {
+     Current = RemoveHeadList(&Win32Thread->WindowListHead);
+     Wnd = CONTAINING_RECORD(Current, WINDOW_OBJECT, ThreadListEntry);
+     /* window removes itself from the list */
+     UserDestroyWindow(Wnd);
+  }
+
+#if 0
+
   Win32Process = (PW32PROCESS)Thread->ThreadsProcess->Win32Process;
Current = Win32Thread->WindowListHead.Flink;
@@ -615,7 +633,7 @@
     ExFreePool(List);
     return;
   }
-
+#endif
 }
@@ -1494,10 +1512,12 @@
   /* Check the window station. */
   if (PsGetWin32Thread()->Desktop == NULL)
     {
-      ClassDereferenceClass(ClassObject);
+      UserDereferenceClass(ClassObject);
       DPRINT("Thread is not attached to a desktop! Cannot create
window!\n");
       return (HWND)0;
     }
+    
+   //FIXME: DO NOT REFERENCE WINSTA! Reference desktop instead!!
   WinStaObject = UserGetCurrentWinSta();
   ObReferenceObjectByPointer(WinStaObject, KernelMode,
ExWindowStationObjectType, 0);
@@ -1513,7 +1533,7 @@
   if (!WindowObject)
     {
       ObDereferenceObject(WinStaObject);
-      ClassDereferenceClass(ClassObject);
+      UserDereferenceClass(ClassObject);
       SetLastNtError(STATUS_INSUFFICIENT_RESOURCES);
       return (HWND)0;
     }
@@ -1529,6 +1549,8 @@
    * Fill out the structure describing it.
    */
   WindowObject->Class = ClassObject;
+  
+  //er dette n°dvendig?
   InsertTailList(&ClassObject->ClassWindowsListHead,
&WindowObject->ClassListEntry);
WindowObject->ExStyle = dwExStyle;
@@ -1551,8 +1573,11 @@
WindowObject->MessageQueue = UserGetCurrentQueue();
+  ASSERT(WindowObject->MessageQueue);
+  
   DPRINT1("Set 0x%x's parent to 0x%x\n",WindowObject, ParentWindow);
   WindowObject->ParentWnd = ParentWindow;
+
   if((OwnerWindow = IntGetWindowObject(OwnerWindowHandle)))
   {
     WindowObject->Owner = OwnerWindowHandle;
@@ -1604,7 +1629,7 @@
TAG_STRING);
       if (NULL == WindowObject->WindowName.Buffer)
         {
-          ClassDereferenceClass(ClassObject);
+          UserDereferenceClass(ClassObject);
           DPRINT1("Failed to allocate mem for window name\n");
           SetLastWin32Error(ERROR_NOT_ENOUGH_MEMORY);
           return NULL;
@@ -1691,7 +1716,7 @@
       /* FIXME - Delete window object and remove it from the thread
windows list */
       /* FIXME - delete allocated DCE */
-      ClassDereferenceClass(ClassObject);
+      UserDereferenceClass(ClassObject);
       DPRINT1("CBT-hook returned !0\n");
       return (HWND) NULL;
     }
@@ -1894,7 +1919,7 @@
   if (Result == (LRESULT)-1)
     {
       /* FIXME: Cleanup. */
-      ClassDereferenceClass(ClassObject);
+      UserDereferenceClass(ClassObject);
       DPRINT("IntCreateWindowEx(): send CREATE message failed.\n");
       return((HWND)0);
     }
@@ -2149,7 +2174,7 @@
           WinPosActivateOtherWindow(Wnd);
         }
     }
-
+//  IntDereferenceMessageQueue(Window->MessageQueue);
   if (Wnd->MessageQueue->ActiveWindow == Wnd->Self)
     Wnd->MessageQueue->ActiveWindow = NULL;
_____
Modified: branches/win32k rewrite attempt/win32k/ntuser/winpos.c
--- branches/win32k rewrite attempt/win32k/ntuser/winpos.c
2005-07-28 11:48:58 UTC (rev 16828)
+++ branches/win32k rewrite attempt/win32k/ntuser/winpos.c
2005-07-28 13:40:52 UTC (rev 16829)
@@ -114,56 +114,71 @@
WinPosActivateOtherWindow(PWINDOW_OBJECT Window)
 {
   PWINDOW_OBJECT Wnd, Old;
-  int TryTopmost;
+  HWND Fg;
if (!Window || IntIsDesktopWindow(Window))
   {
     IntSetFocusMessageQueue(NULL);
     return;
   }
+
+  /* If this is popup window, try to activate the owner first. */
+  if ((Window->Style & WS_POPUP) && (Wnd = IntGetOwner(Window)))
+  {
+    for(;;)
+    {
+      Old = Wnd;
+      Wnd = Wnd->ParentWnd;//IntGetParentObject(Wnd);
+      if(IntIsDesktopWindow(Wnd))
+      {
+        Wnd = Old;
+        break;
+      }
+    }
+
+    if ((Wnd->Style & (WS_DISABLED | WS_VISIBLE)) == WS_VISIBLE &&
+        (Wnd->Style & (WS_POPUP | WS_CHILD)) != WS_CHILD)
+      goto done;
+
+  }
+
+  /* Pick a next top-level window. */
+  /* FIXME: Search for non-tooltip windows first. */
   Wnd = Window;
-  for(;;)
+  while (Wnd != NULL)
   {
-    HWND *List, *phWnd;
-
     Old = Wnd;
-    Wnd = Wnd->ParentWnd;
-    if(!Wnd)
+    if (Old->NextSibling == NULL)
     {
-      IntSetFocusMessageQueue(NULL);
-      return;
+      Wnd = NULL;
+//((      if (Old != Window)
+//((        IntReleaseWindowObject(Old);
+      break;
     }
+    Wnd = IntGetWindowObject(Old->NextSibling->Self);
+//    IntUnLockRelatives(Old);
+//    if (Old != Window)
+//      IntReleaseWindowObject(Old);
+    if ((Wnd->Style & (WS_DISABLED | WS_VISIBLE)) == WS_VISIBLE &&
+        (Wnd->Style & (WS_POPUP | WS_CHILD)) != WS_CHILD)
+      break;
+  }
-    if((List = IntWinListChildren(Wnd)))
+done:
+//  Fg = NtUserGetForegroundWindow();
+  Fg = GetHwnd(UserGetForegroundWindow());
+  if (Wnd && (!Fg || Window->Self == Fg))
+  {
+    if (IntSetForegroundWindow(Wnd))
     {
-      for(TryTopmost = 0; TryTopmost <= 1; TryTopmost++)
-      {
-        for(phWnd = List; *phWnd; phWnd++)
-        {
-          PWINDOW_OBJECT Child;
-
-          if((*phWnd) == Window->Self)
-          {
-            continue;
-          }
-
-          if((Child = IntGetWindowObject(*phWnd)))
-//          Child =   *phWnd;
-          {
-            if(((! TryTopmost && (0 == (Child->ExStyle &
WS_EX_TOPMOST)))
-                || (TryTopmost && (0 != (Child->ExStyle &
WS_EX_TOPMOST))))
-               && IntSetForegroundWindow(Child))
-            {
-              ExFreePool(List);
-              return;
-            }
-          }
-        }
-      }
-      ExFreePool(List);
+//      IntReleaseWindowObject(Wnd);
+      return;
     }
   }
-
+  if (!IntSetActiveWindow(Wnd))
+    IntSetActiveWindow(0);
+//  if (Wnd)
+//    IntReleaseWindowObject(Wnd);
 }
@@ -733,7 +748,7 @@
//FIXME
-   tmp = IntGetForegroundWindow();
+   tmp = UserGetForegroundWindow();
    if (WinPos->hwnd == (tmp ? tmp->Self : 0))
    {
       WinPos->flags |= SWP_NOACTIVATE;   /* Already active */
  _____
Modified: branches/win32k rewrite attempt/win32k/objects/brush.c
--- branches/win32k rewrite attempt/win32k/objects/brush.c
2005-07-28 11:48:58 UTC (rev 16828)
+++ branches/win32k rewrite attempt/win32k/objects/brush.c
2005-07-28 13:40:52 UTC (rev 16829)
@@ -563,7 +563,7 @@
CONST VOID *PackedDIB)
 {
    BITMAPINFO *SafeBitmapInfoAndData;
-   NTSTATUS Status;
+   NTSTATUS Status = STATUS_SUCCESS;
    HBRUSH hBrush;
SafeBitmapInfoAndData = EngAllocMem(0, BitmapInfoSize, 0);
@@ -573,10 +573,24 @@
       return NULL;
    }
-   Status = MmCopyFromCaller(SafeBitmapInfoAndData, BitmapInfoAndData,
-                             BitmapInfoSize);
+   _SEH_TRY
+   {
+      ProbeForRead(BitmapInfoAndData,
+                   BitmapInfoSize,
+                   1);
+      RtlCopyMemory(SafeBitmapInfoAndData,
+                    BitmapInfoAndData,
+                    BitmapInfoSize);
+   }
+   _SEH_HANDLE
+   {
+      Status = _SEH_GetExceptionCode();
+   }
+   _SEH_END;
+   
    if (!NT_SUCCESS(Status))
    {
+      EngFreeMem(SafeBitmapInfoAndData);
       SetLastNtError(Status);
       return 0;
    }
@@ -632,11 +646,23 @@
if (Point != NULL)
    {
-      NTSTATUS Status;
+      NTSTATUS Status = STATUS_SUCCESS;
       POINT SafePoint;
       SafePoint.x = dc->w.brushOrgX;
       SafePoint.y = dc->w.brushOrgY;
-      Status = MmCopyToCaller(Point, &SafePoint, sizeof(POINT));
+      _SEH_TRY
+      {
+         ProbeForWrite(Point,
+                       sizeof(POINT),
+                       1);
+         *Point = SafePoint;
+      }
+      _SEH_HANDLE
+      {
+         Status = _SEH_GetExceptionCode();
+      }
+      _SEH_END;
+
       if(!NT_SUCCESS(Status))
       {
         DC_UnlockDc(dc);
@@ -661,7 +687,7 @@
    ULONG Reserved)
 {
    PPATRECT rb = NULL;
-   NTSTATUS Status;
+   NTSTATUS Status = STATUS_SUCCESS;
    BOOL Ret;
if (cRects > 0)
@@ -672,7 +698,21 @@
          SetLastWin32Error(ERROR_NOT_ENOUGH_MEMORY);
          return FALSE;
       }
-      Status = MmCopyFromCaller(rb, pRects, sizeof(PATRECT) * cRects);
+      _SEH_TRY
+      {
+         ProbeForRead(pRects,
+                      cRects * sizeof(PATRECT),
+                      1);
+         RtlCopyMemory(rb,
+                       pRects,
+                       cRects * sizeof(PATRECT));
+      }
+      _SEH_HANDLE
+      {
+         Status = _SEH_GetExceptionCode();
+      }
+      _SEH_END;
+
       if (!NT_SUCCESS(Status))
       {
          ExFreePool(rb);
  _____
Modified: branches/win32k rewrite attempt/win32k/objects/cliprgn.c
--- branches/win32k rewrite attempt/win32k/objects/cliprgn.c
2005-07-28 11:48:58 UTC (rev 16828)
+++ branches/win32k rewrite attempt/win32k/objects/cliprgn.c
2005-07-28 13:40:52 UTC (rev 16829)
@@ -192,7 +192,19 @@
Ret = IntGdiGetClipBox(hDC, &Saferect);
-  Status = MmCopyToCaller(rc, &Saferect, sizeof(RECT));
+  _SEH_TRY
+  {
+    ProbeForWrite(rc,
+                  sizeof(RECT),
+                  1);
+    *rc = Saferect;
+  }
+  _SEH_HANDLE
+  {
+    Status = _SEH_GetExceptionCode();
+  }
+  _SEH_END;
+
   if(!NT_SUCCESS(Status))
   {
@@ -341,7 +353,7 @@
 BOOL STDCALL NtGdiRectVisible(HDC  hDC,
                       CONST PRECT  UnsafeRect)
 {
-   NTSTATUS Status;
+   NTSTATUS Status = STATUS_SUCCESS;
    PROSRGNDATA Rgn;
    PDC dc = DC_LockDc(hDC);
    BOOL Result = FALSE;
@@ -353,10 +365,23 @@
       return FALSE;
    }
-   Status = MmCopyFromCaller(&Rect, UnsafeRect, sizeof(RECT));
+   _SEH_TRY
+   {
+      ProbeForRead(UnsafeRect,
+                   sizeof(RECT),
+                   1);
+      Rect = *UnsafeRect;
+   }
+   _SEH_HANDLE
+   {
+      Status = _SEH_GetExceptionCode();
+   }
+   _SEH_END;
+
    if(!NT_SUCCESS(Status))
    {
       DC_UnlockDc(dc);
+      SetLastNtError(Status);
       return FALSE;
    }
_____
Modified: branches/win32k rewrite attempt/win32k/objects/color.c
--- branches/win32k rewrite attempt/win32k/objects/color.c
2005-07-28 11:48:58 UTC (rev 16828)
+++ branches/win32k rewrite attempt/win32k/objects/color.c
2005-07-28 13:40:52 UTC (rev 16829)
@@ -588,6 +588,13 @@
return old;
 }
+/*
+   Win 2k Graphics API, Black Book. by coriolis.com
+   Page 62, Note that Steps 3, 5, and 6 are not required for Windows
NT(tm)
+   and Windows 2000(tm).
+
+   Step 5. UnrealizeObject(hTrackBrush);
+ */
 BOOL STDCALL
 NtGdiUnrealizeObject(HGDIOBJ hgdiobj)
 {
@@ -595,7 +602,6 @@
    GDIOBJHDR * ptr;
    DWORD objectType;
    BOOL Ret = FALSE;
-   UNIMPLEMENTED;
ptr = GDIOBJ_LockObj(hgdiobj, GDI_OBJECT_TYPE_DONTCARE);
    if (ptr == 0)
@@ -606,12 +612,6 @@
    objectType = GDIOBJ_GetObjectType(hgdiobj);
    switch(objectType)
      {
-         case GDI_OBJECT_TYPE_PALETTE:
-           {
-           /* Make sure this is a Palette object!*/
-              DPRINT1("GDI_OBJECT_TYPE_PALETTE\n");
-              break;
-           }
 /*
     msdn.microsoft.com,
     "Windows 2000/XP: If hgdiobj is a brush, UnrealizeObject does
nothing,
@@ -620,7 +620,7 @@
  */
          case GDI_OBJECT_TYPE_BRUSH:
            {
-              DPRINT1("GDI_OBJECT_TYPE_BRUSH\n");
+              DPRINT("GDI_OBJECT_TYPE_BRUSH\n");
               Ret = TRUE;
               break;
            }
  _____
Modified: branches/win32k rewrite attempt/win32k/objects/coord.c
--- branches/win32k rewrite attempt/win32k/objects/coord.c
2005-07-28 11:48:58 UTC (rev 16828)
+++ branches/win32k rewrite attempt/win32k/objects/coord.c
2005-07-28 13:40:52 UTC (rev 16829)
@@ -63,17 +63,29 @@
{
   XFORM  xformTemp;
   XFORM  xform1, xform2;
-  NTSTATUS Status;
+  NTSTATUS Status = STATUS_SUCCESS;
   BOOL Ret;
-
-  Status = MmCopyFromCaller( &xform1, Unsafexform1, sizeof(XFORM) );
-  if(!NT_SUCCESS(Status))
+  _SEH_TRY
   {
-    SetLastNtError(Status);
-    return FALSE;
+    ProbeForWrite(UnsafeXFormResult,
+                  sizeof(XFORM),
+                  1);
+    ProbeForRead(Unsafexform1,
+                 sizeof(XFORM),
+                 1);
+    ProbeForRead(Unsafexform2,
+                 sizeof(XFORM),
+                 1);
+    xform1 = *Unsafexform1;
+    xform2 = *Unsafexform2;
   }
-  Status = MmCopyFromCaller( &xform2, Unsafexform2, sizeof(XFORM) );
+  _SEH_HANDLE
+  {
+    Status = _SEH_GetExceptionCode();
+  }
+  _SEH_END;
+
   if(!NT_SUCCESS(Status))
   {
     SetLastNtError(Status);
@@ -83,7 +95,17 @@
   Ret = IntGdiCombineTransform(&xformTemp, &xform1, &xform2);
/* Copy the result to xformResult */
-  Status = MmCopyToCaller(  UnsafeXFormResult, &xformTemp,
sizeof(XFORM) );
+  _SEH_TRY
+  {
+    /* pointer was already probed! */
+    *UnsafeXFormResult = xformTemp;
+  }
+  _SEH_HANDLE
+  {
+    Status = _SEH_GetExceptionCode();
+  }
+  _SEH_END;
+
   if(!NT_SUCCESS(Status))
   {
     SetLastNtError(Status);
@@ -131,7 +153,7 @@
       int  Count)
 {
    PDC dc;
-   NTSTATUS Status;
+   NTSTATUS Status = STATUS_SUCCESS;
    LPPOINT Points;
    ULONG Size;
@@ -159,7 +181,21 @@
      return FALSE;
    }
-   Status = MmCopyFromCaller(Points, UnsafePoints, Size);
+   _SEH_TRY
+   {
+      ProbeForWrite(UnsafePoints,
+                    Size,
+                    1);
+      RtlCopyMemory(Points,
+                    UnsafePoints,
+                    Size);
+   }
+   _SEH_HANDLE
+   {
+      Status = _SEH_GetExceptionCode();
+   }
+   _SEH_END;
+   
    if(!NT_SUCCESS(Status))
    {
      DC_UnlockDc(dc);
@@ -170,7 +206,19 @@
IntDPtoLP(dc, Points, Count);
-   Status = MmCopyToCaller(UnsafePoints, Points, Size);
+   _SEH_TRY
+   {
+      /* pointer was already probed! */
+      RtlCopyMemory(UnsafePoints,
+                    Points,
+                    Size);
+   }
+   _SEH_HANDLE
+   {
+      Status = _SEH_GetExceptionCode();
+   }
+   _SEH_END;
+
    if(!NT_SUCCESS(Status))
    {
      DC_UnlockDc(dc);
@@ -218,7 +266,7 @@
                       LPXFORM  XForm)
 {
   PDC  dc;
-  NTSTATUS Status;
+  NTSTATUS Status = STATUS_SUCCESS;
dc = DC_LockDc ( hDC );
   if (!dc)
@@ -233,7 +281,18 @@
     return FALSE;
   }
-  Status = MmCopyToCaller(XForm, &dc->w.xformWorld2Wnd, sizeof(XFORM));
+  _SEH_TRY
+  {
+    ProbeForWrite(XForm,
+                  sizeof(XFORM),
+                  1);
+    *XForm = dc->w.xformWorld2Wnd;
+  }
+  _SEH_HANDLE
+  {
+    Status = _SEH_GetExceptionCode();
+  }
+  _SEH_END;
DC_UnlockDc(dc);
   return NT_SUCCESS(Status);
@@ -280,7 +339,7 @@
 NtGdiLPtoDP ( HDC hDC, LPPOINT UnsafePoints, INT Count )
 {
    PDC dc;
-   NTSTATUS Status;
+   NTSTATUS Status = STATUS_SUCCESS;
    LPPOINT Points;
    ULONG Size;
@@ -308,7 +367,21 @@
[truncated at 1000 lines; 2213 more skipped]

    