DLL that was not present in memory despite not being formally unloaded

4 days ago
  • #Debugging
  • #Stack Overflow
  • #Memory Corruption
  • A bug report claimed that shell32.dll was causing crashes in a third-party program, but investigation revealed that shell32 was a victim.
  • Crash dumps showed a stack overflow due to a recursive exception handling death spiral, starting from an access violation in combase!CoTaskMemFree.
  • Analysis found that combase.dll had been forcibly unloaded from memory (likely via VirtualFree), not by FreeLibrary, causing subsequent calls to fail.
  • Shell32 was blamed as it was the first to call into the unloaded combase.dll during process termination, triggering the crash loop.
  • Reviewing 100 recent crashes showed 46% were due to similar rogue DLL force-unloads, with different DLLs affected, indicating a bucket spray issue.
  • The root cause is unknown, but theories point to memory corruption or uninitialized variables in the third-party program or other components.
  • Wil comments suggest avoiding static object destruction during shutdown and note existing shutdown-aware types in Microsoft code.
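
The force-unload finding above comes down to a mismatch between two views of the process: the loader still lists the module, but its address range is no longer a committed image mapping. The following sketch is an added example, not code from the original article or from Microsoft; the function names and the sample module list and memory map are constructed for illustration, and it assumes both have already been extracted from a crash dump.

```python
from bisect import bisect_right

# State/type values as defined in winnt.h.
MEM_COMMIT, MEM_FREE, MEM_IMAGE = 0x1000, 0x10000, 0x1000000

def classify_module(base, size, regions):
    """regions: sorted, non-overlapping (base, size, state, type) tuples.
    Returns 'mapped', 'ghost' (listed by the loader but not mapped as an
    image) or 'unknown' (the memory map does not cover the range)."""
    starts = [r[0] for r in regions]
    addr, end = base, base + size
    while addr < end:
        i = bisect_right(starts, addr) - 1
        if i < 0:
            return "unknown"
        r_base, r_size, state, rtype = regions[i]
        if addr >= r_base + r_size:
            return "unknown"      # hole in the captured memory map
        if state != MEM_COMMIT or rtype != MEM_IMAGE:
            return "ghost"        # loader entry exists, image pages do not
        addr = r_base + r_size    # continue with the next region
    return "mapped"

def find_ghost_modules(modules, regions):
    """modules: (name, base, size) tuples taken from the loader's list."""
    regions = sorted(regions)
    return [name for name, base, size in modules
            if classify_module(base, size, regions) == "ghost"]

# Constructed sample data (hypothetical addresses, not from a real dump).
SAMPLE_MODULES = [
    ("shell32.dll", 0x7FF810000000, 0x20000),
    ("combase.dll", 0x7FF820000000, 0x30000),
]
SAMPLE_REGIONS = [
    (0x7FF810000000, 0x01000, MEM_COMMIT, MEM_IMAGE),  # shell32 headers
    (0x7FF810001000, 0x1F000, MEM_COMMIT, MEM_IMAGE),  # shell32 sections
    (0x7FF820000000, 0x30000, MEM_FREE, 0),            # where combase was
]

if __name__ == "__main__":
    print(find_ghost_modules(SAMPLE_MODULES, SAMPLE_REGIONS))
```

Running the same check across a batch of dumps shows which module was removed in each, which is more useful for grouping crashes than the name of the module that happened to make the first call into it.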