
DLL that was not present in memory despite not being formally unloaded

Raymond Chen dives into a Windows crash where shell32.dll appeared to be the culprit but was merely a victim of a deeper issue. The investigation revealed a 'rogue' memory operation forcibly freeing combase.dll's memory, leading to a complex 'bucket spray' of crashes across various modules. This technical detective story, typical of Chen's 'Old New Thing' blog, illustrates expert-level debugging of obscure system behaviors.

Score: 24 · Comments: 2 · Highest rank: #2 · 7h on front page · First seen: Jun 28, 12:00 PM · Last seen: Jun 28, 6:00 PM

The Lowdown

Raymond Chen, a Microsoft veteran, recounts a puzzling Windows crash attributed to shell32.dll that turned out to be a classic case of misdirection. What initially appeared as a simple stack overflow stemming from shell32 led to a deeper investigation into a memory corruption mystery. This technical deep dive showcases the complexities of debugging low-level system interactions and memory management.

  • A third-party program reported numerous crashes, many pointing to shell32.dll causing a stack overflow due to a recursive exception handling loop.
  • The initial exception was an access violation in combase!CoTaskMemFree.
  • Debugger analysis revealed combase.dll's memory region was marked MEM_FREE (PAGE_NOACCESS), indicating it had been deallocated.
  • Despite this, the Windows loader still considered combase.dll loaded and 'pinned' (load count 0xFFFFFFFF), suggesting it wasn't formally unloaded.
  • This pointed to a memory corruption bug where an unknown component mistakenly freed combase.dll's memory, causing subsequent calls into it (like from shell32.dll) to crash.
  • Further investigation showed a 'bucket spray' effect: 46% of the program's crashes were similar incidents where various DLLs were victims of this rogue memory deallocation.
  • The shell32 team was cleared, as their DLL was merely the first to call into the forcibly removed combase.dll, but the true culprit behind the memory corruption remains unidentified.
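The debugger check described above (loader says "loaded", memory manager says MEM_FREE) can be repeated on a live process. The PowerShell below is an added example, not code from Chen's post or from Microsoft; the names Test-ModuleBacking and Win32.Mem are mine, and it assumes the querying PowerShell and the target process have the same bitness.

```powershell
# Added example: for every module the loader still lists as loaded, ask the
# memory manager whether the module's base address is actually committed.
# The post's symptom was combase.dll reported as loaded and pinned while its
# pages were MEM_FREE; a row with Suspicious = True is that situation.
Add-Type -Namespace Win32 -Name Mem -MemberDefinition @'
[StructLayout(LayoutKind.Sequential)]
public struct MEMORY_BASIC_INFORMATION {
    public IntPtr BaseAddress;
    public IntPtr AllocationBase;
    public uint   AllocationProtect;   // PartitionId + padding follow on x64
    public IntPtr RegionSize;
    public uint   State;
    public uint   Protect;
    public uint   Type;
}
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr VirtualQueryEx(IntPtr hProcess, IntPtr lpAddress,
    out MEMORY_BASIC_INFORMATION lpBuffer, IntPtr dwLength);
'@

$MEM_COMMIT = 0x1000
$MEM_FREE   = 0x10000

function Test-ModuleBacking {
    param([int]$ProcessId = $PID)   # default: inspect this PowerShell process
    $proc = Get-Process -Id $ProcessId
    $size = [IntPtr][System.Runtime.InteropServices.Marshal]::SizeOf(
                [type]'Win32.Mem+MEMORY_BASIC_INFORMATION')
    foreach ($mod in $proc.Modules) {
        $mbi = New-Object 'Win32.Mem+MEMORY_BASIC_INFORMATION'
        $got = [Win32.Mem]::VirtualQueryEx($proc.Handle, $mod.BaseAddress, [ref]$mbi, $size)
        $state = if ($got -eq [IntPtr]::Zero)      { 'QUERY_FAILED' }
                 elseif ($mbi.State -eq $MEM_FREE)   { 'MEM_FREE' }
                 elseif ($mbi.State -eq $MEM_COMMIT) { 'MEM_COMMIT' }
                 else                                { 'MEM_RESERVE' }
        [pscustomobject]@{
            Module      = $mod.ModuleName
            BaseAddress = ('0x{0:X}' -f $mod.BaseAddress.ToInt64())
            State       = $state
            # A module the loader lists but whose base page is not committed
            # is exactly the "loaded but not present" condition from the post.
            Suspicious  = ($state -ne 'MEM_COMMIT')
        }
    }
}

# Usage: list only modules whose loader state and memory state disagree.
Test-ModuleBacking | Where-Object Suspicious | Format-Table -AutoSize
```

On a healthy process the filtered output is empty; inspecting another process's modules may require administrative rights.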

This intricate debugging journey highlights the challenges of diagnosing subtle memory bugs in complex systems and exonerates an innocent DLL, leaving the true culprit to be discovered in a subsequent investigation.