DLL that was not present in memory despite not being formally unloaded
4 days ago
- #Debugging
- #Stack Overflow
- #Memory Corruption
- A bug report claimed that shell32.dll was causing crashes in a third-party program, but investigation revealed shell32 was a victim rather than the culprit.
- Crash dumps showed a stack overflow due to a recursive exception handling death spiral, starting from an access violation in combase!CoTaskMemFree.
- Analysis found that combase.dll had been forcibly unloaded from memory (likely via VirtualFree), not by FreeLibrary, causing subsequent calls to fail.
- Shell32 was blamed as it was the first to call into the unloaded combase.dll during process termination, triggering the crash loop.
- Reviewing 100 recent crashes showed 46% were due to similar rogue DLL force-unloads, with different DLLs affected, indicating a bucket spray issue.
- The root cause is unknown, but theories point to memory corruption or uninitialized variables in the third-party program or other components.
- Wil comments suggest avoiding static object destruction during shutdown and note existing shutdown-aware types in Microsoft code.
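As an added triage example (not from the original post), the script below looks for exactly the condition described above: a module the loader still lists in WinDbg `lm` output whose address range the memory manager reports as MEM_FREE in `!address` output. The column layout of both commands is assumed, and the sample output is constructed.

```python
import re

# Hex address as WinDbg prints it, e.g. 00007ffa`12340000 (backtick separator).
ADDR = r"[0-9a-fA-F`]+"
LM_LINE = re.compile(rf"^\s*({ADDR})\s+({ADDR})\s+(\S+)", re.M)
ADDRESS_LINE = re.compile(rf"^\+?\s*({ADDR})\s+({ADDR})\s+{ADDR}\s+(.*)$", re.M)

# Constructed sample of `lm` output: the loader's view (combase still "loaded").
LM_SAMPLE = """\
start             end                 module name
00007ffa`12340000 00007ffa`12690000   combase    (deferred)
00007ffa`15a00000 00007ffa`16e40000   shell32    (deferred)
"""

# Constructed sample of `!address` output: the memory manager's view
# (combase's range is MEM_FREE although the loader never unloaded it).
ADDRESS_SAMPLE = """\
+     7ffa`12340000     7ffa`12690000        0`00350000             MEM_FREE    PAGE_NOACCESS                      Free
+     7ffa`15a00000     7ffa`16e40000        0`01440000 MEM_IMAGE   MEM_COMMIT  PAGE_EXECUTE_READ   Image      [shell32; "C:\\Windows\\System32\\shell32.dll"]
"""

def to_int(addr):
    """Convert a WinDbg address such as 00007ffa`12340000 to an int."""
    return int(addr.replace("`", ""), 16)

def parse_lm(text):
    """Map module name -> (start, end) from `lm` output; the header line does not match."""
    return {m.group(3): (to_int(m.group(1)), to_int(m.group(2)))
            for m in LM_LINE.finditer(text)}

def parse_regions(text):
    """List of (base, end, is_free) from `!address` output."""
    return [(to_int(m.group(1)), to_int(m.group(2)), "MEM_FREE" in m.group(3))
            for m in ADDRESS_LINE.finditer(text)]

def find_force_unloaded(lm_text, address_text):
    """Modules the loader still lists whose image range overlaps freed memory."""
    regions = parse_regions(address_text)
    hits = []
    for name, (start, end) in parse_lm(lm_text).items():
        # Overlap test: any free region that intersects [start, end).
        if any(free and base < end and start < rend for base, rend, free in regions):
            hits.append(name)
    return sorted(hits)

if __name__ == "__main__":
    print("loader-listed modules with freed memory:", find_force_unloaded(LM_SAMPLE, ADDRESS_SAMPLE))
```

Run against real `lm` and `!address` text pasted from a dump, any module it reports is a candidate for the rogue force-unload pattern and the crash should be bucketed there rather than against the first caller (shell32 in the post).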