Recently I ran into a crash that happened when the application called CoUninitialize at exit. I eventually found the root cause; below are the key steps of the debugging and analysis.
First Run
0:000> kb
ChildEBP RetAddr Args to Child
0031eec8 77174070 76fae2c9 0031ef80 00000000 ntdll!DbgBreakPoint
0031eef8 76ad01e5 0031f0a4 0031f0c0 00000000 ntdll!RtlReportException+0x51
0031ef18 76ad0261 0031ef80 0031ef3c 76ad06fd ole32!SilentlyReportExceptions+0x79
0031ef24 76ad06fd 0031ef80 00000000 00000000 ole32!ServerExceptionFilter+0x24
0031ef3c 76a9c82f 0031ef80 043a23a0 76a71514 ole32!AppInvokeExceptionFilterWithMethodAddress+0x11
0031ef58 76e4513f 00000000 0031f410 76a57328 ole32!CStdMarshal::DisconnectSrvIPIDs+0xf0
0031ef6c 76e450cf 00000000 00000000 00000000 msvcrt!_EH4_CallFilterFunc+0x12
0031ef98 76a8be49 76b3f420 76a69411 0031f0a4 msvcrt!_except_handler4_common+0x8e
0031efb8 77145fb9 0031f0a4 0031f400 0031f0c0 ole32!_except_handler4+0x20
0031efdc 77145f8b 0031f0a4 0031f400 0031f0c0 ntdll!ExecuteHandler2+0x26
0031f08c 77145e17 0031f0a4 0031f0c0 0031f0a4 ntdll!ExecuteHandler+0x24
0031f08c 76a572da 0031f0a4 0031f0c0 0031f0a4 ntdll!KiUserExceptionDispatcher+0xf
0031f410 76a57216 00000008 0020547c 0031f464 ole32!CStdMarshal::DisconnectSrvIPIDs+0xbf
0031f444 76a4156d 00000008 00000000 76b41898 ole32!CStdMarshal::Disconnect+0x1b2
0031f458 76a4154e 0031f464 0020547c 00000008 ole32!DisconnectSwitch+0x16
0031f470 76a415db 00000008 00131030 fffffffe ole32!CStdMarshal::DisconnectAndRelease+0x44
0031f620 76a68d27 b3fd0faa 00131030 00000080 ole32!COIDTable::ThreadCleanup+0xcb
0031f664 76a68c68 00000000 0031f6b4 76b4164c ole32!FinishShutdown+0x9d
0031f684 76a68255 00000000 00000000 00131030 ole32!ApartmentUninitialize+0x96
0031f69c 76a6832b 0031f6b4 00000000 00136a40 ole32!wCoUninitialize+0x88
0031f6b8 76b63644 0013bb58 00131030 76b63a3a ole32!CoUninitialize+0x72
0031f6c4 76b63a3a 0031f6e8 76a6e737 0013bb58 IMM32!CtfImmCoUninitialize+0x34
0031f6cc 76a6e737 0013bb58 00000001 00131030 IMM32!ISPY_PostUninitialize+0x51
0031f6e8 76a6d2d4 00000000 00000000 00000000 ole32!NotifyInitializeSpies+0x6a
0031f70c 00b4dae3 00b67080 00000001 0031fcf0 ole32!CoUninitialize+0x99
WARNING: Stack unwind information not available. Following frames may be wrong.
00000000 00000000 00000000 00000000 00000000 APPEXE+0xdae3
0:000> .exr 0031f0a4
ExceptionAddress: 76a572da (ole32!CStdMarshal::DisconnectSrvIPIDs+0x000000bf)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 6eb67b2c
Attempt to read from address 6eb67b2c
0:000> ln 6eb67b2c
(6eb67b2c) <Unloaded_AppDllA.dll>+0x7f00
0:000> uf ole32!CStdMarshal::DisconnectSrvIPIDs
……………
ole32!CStdMarshal::DisconnectSrvIPIDs+0xb6:
76fb72d1 895dfc mov dword ptr [ebp-4],ebx
76fb72d4 8b4610 mov eax,dword ptr [esi+10h]
76fb72d7 8b08 mov ecx,dword ptr [eax]
76fb72d9 50 push eax
76fb72da ff5108 call dword ptr [ecx+8]
76fb72dd c745fcfeffffff mov dword ptr [ebp-4],0FFFFFFFEh
76fb72e4 8b4614 mov eax,dword ptr [esi+14h]
76fb72e7 8b08 mov ecx,dword ptr [eax]
76fb72e9 50 push eax
76fb72ea ff5110 call dword ptr [ecx+10h]
………………..
- The exception record shows an access violation reading 6eb67b2c, which ln resolves to <Unloaded_AppDllA.dll>+0x7f00: ole32 is reading memory that belonged to AppDllA after that module had been unloaded.
- The faulting instruction is ole32!CStdMarshal::DisconnectSrvIPIDs+0xbf (76fb72da in the listing above; it shows as 76a572da in the first run's exception record because ole32 was mapped at a different base there). It loads an object pointer from [esi+10h], loads that object's vtable pointer, and calls through the vtable slot at +8, so ole32 is invoking a virtual function on a COM object whose vtable lives in the unloaded module.
Second Run
Goals for the second run:
- Find out what code is at AppDllA+0x7f00.
- Break at ole32!CStdMarshal::DisconnectSrvIPIDs+0xbf and record the call stack and the function that is about to be called through the vtable.
I attached WinDbg to the running application and set a breakpoint on ole32!CStdMarshal::DisconnectSrvIPIDs+0xbf. Its breakpoint command prints the stack, resolves the call target with ln poi(ecx+8), dumps the registers and resumes.
0:011> lmm ole32
start end module name
76f70000 770b5000 ole32 (deferred)
0:011> bp 76fb72da "kbL; ln poi(ecx+8);r;g"
0:011> bl
0 e 76fb72da 0001 (0001) 0:**** ole32!CStdMarshal::DisconnectSrvIPIDs+0xbf "kbL; ln poi(ecx+8);r;g"
I also broke in when the application loaded AppDllA, to see what is at AppDllA+0x7f00 (6cbe0000+0x7f00 at this run's module base).
0:000> lmm AppDllA
start end module name
6cbe0000 6cbef000 AppDllA (deferred)
0:000> ln 6cbe0000 +7ef8
(6cbe7ef8) AppDllA!ATL::CComObject<ComInterfaceA>::`vftable' | (6cbe7f14) AppDllA!_entries
Exact matches:
0:000> dds 6cbe7ef8 La
6cbe7ef8 6cbe5175 AppDllA!ATL::CComObject<ComInterfaceA>::QueryInterface
6cbe7efc 6cbe511c AppDllA!ATL::CComObject<ComInterfaceA>::AddRef
6cbe7f00 6cbe5129 AppDllA!ATL::CComObject<ComInterfaceA>::Release
6cbe7f04 6cbe3fc5 AppDllA!ComInterfaceA::StartDocument
6cbe7f08 6cbe3fe0 AppDllA!ComInterfaceA::AddPage
6cbe7f0c 6cbe3ffb AppDllA!ComInterfaceA::EndDocument
6cbe7f10 6cbe518e AppDllA!ATL::CComObject<ComInterfaceA>::`scalar deleting destructor'
6cbe7f14 6cbe7f2c AppDllA!_GUID_8095ddce_ca6e_43f2_ae62_16f32c88fac9
6cbe7f18 00000000
6cbe7f1c 00000001
So the address ole32 faulted on in the first run is the Release slot of the CComObject<ComInterfaceA> vtable: ole32!CStdMarshal::DisconnectSrvIPIDs+0xbf calls the COM object's Release to drop one reference (in an IUnknown vtable slot +0 is QueryInterface, +4 is AddRef and +8 is Release).
In the first run that call still reached AppDllA's object after AppDllA had been unloaded. The object itself lives on the heap, but its vtable pointer points into the unloaded image, so the call through it faults. That can only happen if the object's reference count never dropped to zero before the module was freed, i.e. some AddRef on it was never matched by a Release. So the next step is to see which code calls the object's AddRef and Release.
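To make the two findings above concrete (Release sits at vtable slot +8, and an AddRef with no matching Release keeps the object, and therefore its vtable pointer, alive past module unload), here is an added example written for this page. It is not code from the post or from the ATL/ole32 sources, and it builds with any C compiler, not only on Windows. It models the IUnknown vtable layout in plain C, keeps the per-module live-object count that a COM server reports through DllCanUnloadNow, and releases through the vtable slot the way DisconnectSrvIPIDs does. All type and function names (ObjA, module_can_unload, run_leaky_client and so on) are hypothetical.

```c
/* Added example (not the post's code): COM-style IUnknown vtable, a
 * module live-object count, and a Release call through slot +8. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct IUnknownVtbl IUnknownVtbl;
typedef struct { const IUnknownVtbl *lpVtbl; } IUnknown;

/* COM fixes this slot order: +0 QueryInterface, +4 AddRef, +8 Release on x86. */
struct IUnknownVtbl {
    int           (*QueryInterface)(IUnknown *self, const char *iid, void **out);
    unsigned long (*AddRef)(IUnknown *self);
    unsigned long (*Release)(IUnknown *self);
};

static long g_live_objects = 0;   /* objects this "module" still owns */

/* unk is first, so an ObjA* is also a valid IUnknown* (hypothetical type). */
typedef struct { IUnknown unk; unsigned long refcount; } ObjA;

static unsigned long ObjA_AddRef(IUnknown *self)
{
    return ++((ObjA *)self)->refcount;
}

static unsigned long ObjA_Release(IUnknown *self)
{
    unsigned long n = --((ObjA *)self)->refcount;
    if (n == 0) { free(self); g_live_objects--; }   /* last reference gone */
    return n;
}

static int ObjA_QueryInterface(IUnknown *self, const char *iid, void **out)
{
    (void)iid;                    /* toy object: every IID resolves to itself */
    *out = self;
    ObjA_AddRef(self);            /* QI hands out an owned reference */
    return 0;                     /* S_OK */
}

static const IUnknownVtbl ObjA_vtbl = { ObjA_QueryInterface, ObjA_AddRef, ObjA_Release };

static IUnknown *ObjA_create(void)
{
    ObjA *o = calloc(1, sizeof *o);
    if (o == NULL) abort();
    o->unk.lpVtbl = &ObjA_vtbl;
    o->refcount = 1;              /* creator holds one reference */
    g_live_objects++;
    return &o->unk;
}

/* Byte offset ole32 uses for Release: 8 on 32-bit, 16 on 64-bit. */
size_t release_slot_offset(void) { return offsetof(IUnknownVtbl, Release); }

/* Mirrors DisconnectSrvIPIDs+0xbf: load the vtable pointer, call slot +8.
 * With the vtable inside an unloaded image this read is the access violation. */
static unsigned long release_via_slot(IUnknown *p)
{
    unsigned long (*rel)(IUnknown *);
    memcpy(&rel, (const char *)p->lpVtbl + release_slot_offset(), sizeof rel);
    return rel(p);
}

/* The check to make before FreeLibrary, as DllCanUnloadNow does. */
int module_can_unload(void) { return g_live_objects == 0; }

/* The defect from the post: one AddRef with no matching Release.
 * Returns the number of objects this client left alive. */
long run_leaky_client(void)
{
    long before = g_live_objects;
    IUnknown *p = ObjA_create();                            /* refcount 1 */
    void *q = NULL;
    p->lpVtbl->QueryInterface(p, "IID_ComInterfaceA", &q);  /* 2 */
    p->lpVtbl->AddRef(p);                                   /* 3: unmatched */
    ((IUnknown *)q)->lpVtbl->Release(q);                    /* 2 */
    release_via_slot(p);                                    /* 1: still alive */
    return g_live_objects - before;
}

/* Balanced AddRef/Release: the object is destroyed before any unload. */
long run_correct_client(void)
{
    long before = g_live_objects;
    IUnknown *p = ObjA_create();                            /* 1 */
    void *q = NULL;
    p->lpVtbl->QueryInterface(p, "IID_ComInterfaceA", &q);  /* 2 */
    ((IUnknown *)q)->lpVtbl->Release(q);                    /* 1 */
    release_via_slot(p);                                    /* 0: freed */
    return g_live_objects - before;
}

int main(void)
{
    long leaked = run_correct_client();
    printf("correct client: leaked %ld, can unload %d\n", leaked, module_can_unload());
    leaked = run_leaky_client();
    printf("leaky client:   leaked %ld, can unload %d\n", leaked, module_can_unload());
    return 0;
}
```

module_can_unload is the check a host should make before calling FreeLibrary on a COM server it loaded itself (CoFreeUnusedLibraries does the equivalent by asking each in-proc server's DllCanUnloadNow). The leaky client leaves one object alive and fails that check, which is the condition the post later finds by counting AddRef and Release hits; in the real process the leaked object outlives AppDllA, and the first Release that reaches it afterwards, here from CoUninitialize's stub cleanup, dereferences a vtable pointer into unmapped memory.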
0:000> bp 6cbe511c "kbL;r;g"; bp 6cbe5129 "kbL;r;g";
0:000> bl
0 e 76fb72da 0001 (0001) 0:**** ole32!CStdMarshal::DisconnectSrvIPIDs+0xbf "kbL; ln poi(ecx+8);r;g"
1 e 6cbe511c 0001 (0001) 0:**** AppDllA!ATL::CComObject<ComInterfaceA>::AddRef "kbL;r;g"
2 e 6cbe5129 0001 (0001) 0:**** AppDllA!ATL::CComObject<ComInterfaceA>::Release "kbL;r;g"
0:000> g
ChildEBP RetAddr Args to Child
0024e5c8 6cbe4f9e 01c4f7d8 00000000 01c4f7d8 AppDllA!ATL::CComObject<ComInterfaceA>::AddRef
0024e5e0 6cbe518b 01c4f7d8 00000000 6cbe722c AppDllA!ATL::AtlInternalQueryInterface+0x40
0024e5f4 6cbe541c 01c4f7d8 6cbe722c 0024e684 AppDllA!ATL::CComObject<ComInterfaceA>::QueryInterface+0x16
0024e630 6cbe555f 00000000 6cbe722c 0024e684 AppDllA!ATL::CComCreator<ATL::CComObject<ComInterfaceA> >::CreateInstance+0x72
……………………..
0024e820 6cbe1725 6cbe728c 00000000 00000001 ole32!CoCreateInstance+0x37
0024e84c 5ad8f10d 6cbec490 04188df0 00000000 AppDllA!XXXCapture::DllAFuncA+0xba
…………………………
eax=6cbe7ef8 ebx=0024e684 ecx=6cbe722c edx=f31662ae esi=01c4f7d8 edi=00000001
eip=6cbe511c esp=0024e5cc ebp=0024e5e0 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
AppDllA!ATL::CComObject<ComInterfaceA>::AddRef:
6cbe511c 8b442404 mov eax,dword ptr [esp+4] ss:0023:0024e5d0=01c4f7d8
ChildEBP RetAddr Args to Child
0024e1f0 6cbe4f9e 01c4f7d8 00000000 01c4f7d8 AppDllA!ATL::CComObject<ComInterfaceA>::AddRef
0024e208 6cbe518b 01c4f7d8 6cbe7f14 76fd1514 AppDllA!ATL::AtlInternalQueryInterface+0x40
…………..
0024e84c 5ad8f10d 6cbec490 04188df0 00000000 AppDllA!XXXCapture::DllAFuncA+0xd4
…………………
eax=6cbe7ef8 ebx=0024e234 ecx=0024e234 edx=8095ddce esi=01c4f7d8 edi=00000000
eip=6cbe511c esp=0024e1f4 ebp=0024e208 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
AppDllA!ATL::CComObject<ComInterfaceA>::AddRef:
6cbe511c 8b442404 mov eax,dword ptr [esp+4] ss:0023:0024e1f8=01c4f7d8
ChildEBP RetAddr Args to Child
0024e170 76faa8a5 01c4f7d8 00000000 004b0fd8 AppDllA!ATL::CComObject<ComInterfaceA>::AddRef
0024e1b8 76f9ab2e 00000000 000014b4 00000000 ole32!CStdIdentity::CStdIdentity+0x172
………………….
0024e828 6cbe173f 03aee6dc 01c4f7d8 6cbec4a0 RPCRT4!ObjectStubless+0xf
0024e84c 5ad8f10d 6cbec490 04188df0 00000000 AppDllA!XXXCapture::DllAFuncA+0xd4
WARNING: Stack unwind information not available. Following frames may be wrong.
0024ec9c 6c431313 00000001 a6c8d6a3 04188df0 AppDllC+0xf10d
0024eed0 6c43143d 04188ed0 04188ed0 00500052 AppDllB!CXXXRPContainer::InitRPComponent+0x88
0024f0ec 5ad92c04 04188df0 00000008 000000ac AppDllB!RPCallBack+0xb9
…………………………..
eax=01c4f7d8 ebx=03ac5d40 ecx=6cbe7ef8 edx=00000000 esi=76fc96b0 edi=00000000
eip=6cbe511c esp=0024e174 ebp=0024e1b8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
AppDllA!ATL::CComObject<ComInterfaceA>::AddRef:
6cbe511c 8b442404 mov eax,dword ptr [esp+4] ss:0023:0024e178=01c4f7d8
ChildEBP RetAddr Args to Child
0024e21c 76f9aa55 01c4f7d8 00000000 00000000 AppDllA!ATL::CComObject<ComInterfaceA>::Release
0024e238 76f9aef9 004b0fd8 000014b4 00421938 ole32!ObtainStdIDFromUnk+0xc2
………………..
0024e84c 5ad8f10d 6cbec490 04188df0 00000000 AppDllA!XXXCapture::DllAFuncA+0xd4
………………
eax=01c4f7d8 ebx=00000000 ecx=6cbe7ef8 edx=00000001 esi=00000001 edi=770a1898
eip=6cbe5129 esp=0024e220 ebp=0024e238 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
AppDllA!ATL::CComObject<ComInterfaceA>::Release:
6cbe5129 8b4c2404 mov ecx,dword ptr [esp+4] ss:0023:0024e224=01c4f7d8
ChildEBP RetAddr Args to Child
00234a80 6cbe4f9e 04181138 00000000 04181138 AppDllA!ATL::CComObject<ComInterfaceA>::AddRef
00234a98 6cbe518b 04181138 6cbe7f14 76fd1514 AppDllA!ATL::AtlInternalQueryInterface+0x40
00234aac 76f9a9cf 04181138 76fd1514 00234ac4 AppDllA!ATL::CComObject<ComInterfaceA>::QueryInterface+0x16
00234ac8 76f9aef9 04181138 000014b4 00421938 ole32!ObtainStdIDFromUnk+0x30
………..
002350e0 5ad8f10d 6cbec490 04188df0 00000000 AppDllA!XXXCapture::DllAFuncA+0xd4
WARNING: Stack unwind information not available. Following frames may be wrong.
00235530 6c424937 00000001 a6cf630b 6c870f28 AppDllC+0xf10d
00235960 6c42bf88 6c870f28 00000001 01c4a2a8 AppDllB!DllBClassA::SetXXXValue+0x161
00235970 6c85a706 6c870f28 00000001 a6c617ac AppDllB!DllBGFuncA+0x62
00235ba4 6c84e226 6c870f28 00000001 01c4a21c AppDllD!DllDClassA::SetXXXValue+0xc6
00235bb4 00ab3676 00000008 00000001 aa79a53f AppDllD!DllDClassB::DllDClassBFuncA+0x26
…………………..
eax=6cbe7ef8 ebx=00234ac4 ecx=00234ac4 edx=8095ddce esi=04181138 edi=00000000
eip=6cbe511c esp=00234a84 ebp=00234a98 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
AppDllA!ATL::CComObject<ComInterfaceA>::AddRef:
6cbe511c 8b442404 mov eax,dword ptr [esp+4] ss:0023:00234a88=04181138
ChildEBP RetAddr Args to Child
00234a00 76faa8a5 04181138 00000000 004b1298 AppDllA!ATL::CComObject<ComInterfaceA>::AddRef
00234a48 76f9ab2e 00000000 000014b4 00000000 ole32!CStdIdentity::CStdIdentity+0x172
…………….
002350e0 5ad8f10d 6cbec490 04188df0 00000000 AppDllA!XXXCapture::DllAFuncA+0xd4
WARNING: Stack unwind information not available. Following frames may be wrong.
00235530 6c424937 00000001 a6cf630b 6c870f28 AppDllC+0xf10d
00235960 6c42bf88 6c870f28 00000001 01c4a2a8 AppDllB!DllBClassA::SetXXXValue+0x161
00235970 6c85a706 6c870f28 00000001 a6c617ac AppDllB!DllBGFuncA+0x62
00235ba4 6c84e226 6c870f28 00000001 01c4a21c AppDllD!DllDClassA::SetXXXValue+0xc6
00235bb4 00ab3676 00000008 00000001 aa79a53f AppDllD!DllDClassB::DllDClassBFuncA+0x26
0024f000 00ab69f5 00000008 00000001 00000001 APPEXE!CAppDllDMgr::AppExeClassAFuncA+0x186
0024f21c 00ab6c6e 00000008 00000001 0024f2b0 APPEXE!AppExeClassA::AppExeClassAFuncA+0xd5
0024f234 77dafd72 00270134 000002b1 00000008 APPEXE!AppExeClassA::AppExeClassAFuncAB+0x2e
……………….
eax=04181138 ebx=03ac55c0 ecx=6cbe7ef8 edx=00000000 esi=76fc96b0 edi=00000000
eip=6cbe511c esp=00234a04 ebp=00234a48 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
AppDllA!ATL::CComObject<ComInterfaceA>::AddRef:
6cbe511c 8b442404 mov eax,dword ptr [esp+4] ss:0023:00234a08=04181138
ChildEBP RetAddr Args to Child
00234aac 76f9aa55 04181168 00000000 00000000 AppDllA!ATL::CComObject<ComInterfaceA>::Release
00234ac8 76f9aef9 004b1138 000014b4 00421938 ole32!ObtainStdIDFromUnk+0xc2
……………
002350bc 6cbe173f 03ad2204 04181168 6cbec4a0 RPCRT4!ObjectStubless+0xf
002350e0 5ad8f10d 6cbec490 04188df0 00000000 AppDllA!XXXCapture::DllAFuncA+0xd4
WARNING: Stack unwind information not available. Following frames may be wrong.
00235530 6c424937 00000001 a6cf630b 6c870f28 AppDllC+0xf10d
00235960 6c42bf88 6c870f28 00000001 01c4a2a8 AppDllB!DllBClassA::SetXXXValue+0x161
00235970 6c85a706 6c870f28 00000001 a6c617ac AppDllB!DllBGFuncA+0x62
00235ba4 6c84e226 6c870f28 00000001 01c4a21c AppDllD!DllDClassA::SetXXXValue+0xc6
00235bb4 00ab3676 00000007 00000001 aa79a53f AppDllD!DllDClassB::DllDClassBFuncA+0x26
0024f000 00ab69f5 00000007 00000001 00000001 APPEXE!CAppDllDMgr::AppExeClassAFuncA+0x186
0024f21c 00ab6c6e 00000007 00000001 0024f2b0 APPEXE!AppExeClassA::AppExeClassAFuncA+0xd5
0024f234 77dafd72 00270134 000002b1 00000007 APPEXE!AppExeClassA::WtsWndProc+0x2e
0024f260 77dafe4a 00ab6c40 00270134 000002b1 USER32!InternalCallWinProc+0x23
……………………
eax=04181168 ebx=00000000 ecx=6cbe7ef8 edx=00000001 esi=00000001 edi=770a1898
eip=6cbe5129 esp=00234ab0 ebp=00234ac8 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
AppDllA!ATL::CComObject<ComInterfaceA>::Release:
6cbe5129 8b4c2404 mov ecx,dword ptr [esp+4] ss:0023:00234ab4=04181168
ChildEBP RetAddr Args to Child
0024d8c0 76fb7216 00000001 00000000 03ac55c4 ole32!CStdMarshal::DisconnectSrvIPIDs+0xbf
0024d8f4 76f9dae4 00000001 00000000 0024d954 ole32!CStdMarshal::Disconnect+0x1b2
…………………..
0024ea3c 6cbe1646 03ad248c 003b68d4 009b6a78 RPCRT4!ObjectStubless+0xf
0024ea50 6cbe2ca8 19c5a7a2 009b6a78 744c3607 AppDllA!XXXCapture::DllAFuncA+0x3e
0024ea78 6cbe5cee 6cbe6f0f 00000000 00000000 AppDllA!XXXCapture::~XXXCapture+0x20
…………..
0024ec0c 5ad8f5dd 6cbe0000 04188e80 5adaaad8 kernel32!FreeLibrary+0x76
…………..
(6cbe5129) AppDllA!ATL::CComObject<ComInterfaceA>::Release | (6cbe5147) AppDllA!ComInterfaceA::_InternalQueryInterface
Exact matches:
AppDllA!ATL::CComObject<ComInterfaceA>::Release (void)
eax=04181138 ebx=00000000 ecx=6cbe7ef8 edx=f31662ae esi=0024d85c edi=03ac55c4
eip=76fb72da esp=0024d83c ebp=0024d8c0 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
ole32!CStdMarshal::DisconnectSrvIPIDs+0xbf:
76fb72da ff5108 call dword ptr [ecx+8] ds:0023:6cbe7f00={AppDllA!ATL::CComObject<ComInterfaceA>::Release (6cbe5129)}
ChildEBP RetAddr Args to Child
0024d834 76fb72dd 04181138 00000004 00000000 AppDllA!ATL::CComObject<ComInterfaceA>::Release
0024d8c0 76fb7216 00000001 00000000 03ac55c4 ole32!CStdMarshal::DisconnectSrvIPIDs+0xc2
………………….
0024ea50 6cbe2ca8 19c5a7a2 009b6a78 744c3607 AppDllA!XXXCapture::DllAFuncA+0x3e
0024ea78 6cbe5cee 6cbe6f0f 00000000 00000000 AppDllA!XXXCapture::~XXXCapture+0x20
……………
0024ec0c 5ad8f5dd 6cbe0000 04188e80 5adaaad8 kernel32!FreeLibrary+0x76
……………..
eax=04181138 ebx=00000000 ecx=6cbe7ef8 edx=f31662ae esi=0024d85c edi=03ac55c4
eip=6cbe5129 esp=0024d838 ebp=0024d8c0 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
AppDllA!ATL::CComObject<ComInterfaceA>::Release:
6cbe5129 8b4c2404 mov ecx,dword ptr [esp+4] ss:0023:0024d83c=04181138
Unable to remove breakpoint 3 at 6cbe5129, Win32 error 0n487
"Attempt to access invalid address."
The breakpoint was set with BP. If you want breakpoints
to track module load/unload state you must use BU.
Unable to remove breakpoint 2 at 6cbe511c, Win32 error 0n487
"Attempt to access invalid address."
The breakpoint was set with BP. If you want breakpoints
to track module load/unload state you must use BU.
eax=7ffd4000 ebx=00000000 ecx=00000000 edx=77c5cacc esi=00000000 edi=00000000
eip=77c18aee esp=044efaf8 ebp=044efb24 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!DbgBreakPoint:
77c18aee cc int 3
0:012> bl
0 e 76fb72da 0001 (0001) 0:**** ole32!CStdMarshal::DisconnectSrvIPIDs+0xbf "kbL; ln poi(ecx+8);r;g"
1 d 6cbe511c 0001 (0001) 0:**** <Unloaded_atgpcdec.dll>+0x1511c "kbL;r;g"
2 d 6cbe5129 0001 (0001) 0:**** <Unloaded_atgpcdec.dll>+0x15129 "kbL;r;g"
0:012> g
ChildEBP RetAddr Args to Child
0024f2a4 76fb7216 00000008 03ac5d44 0024f2f8 ole32!CStdMarshal::DisconnectSrvIPIDs+0xbf
0024f2d8 76fa156d 00000008 00000000 770a1898 ole32!CStdMarshal::Disconnect+0x1b2
0024f2ec 76fa154e 0024f2f8 03ac5d44 00000008 ole32!DisconnectSwitch+0x16
0024f304 76fa15db 00000008 00421030 fffffffe ole32!CStdMarshal::DisconnectAndRelease+0x44
0024f4b4 76fc8d27 aa79052e 00421030 00000080 ole32!COIDTable::ThreadCleanup+0xcb
0024f4f8 76fc8c68 00000000 0024f548 770a164c ole32!FinishShutdown+0x9d
0024f518 76fc8255 00000000 00000000 00421030 ole32!ApartmentUninitialize+0x96
0024f530 76fc832b 0024f548 00000000 00491610 ole32!wCoUninitialize+0x88
0024f54c 77d73644 0042bcc8 00421030 77d73a3a ole32!CoUninitialize+0x72
0024f558 77d73a3a 0024f57c 76fce737 0042bcc8 IMM32!CtfImmCoUninitialize+0x34
0024f560 76fce737 0042bcc8 00000001 00421030 IMM32!ISPY_PostUninitialize+0x51
0024f57c 76fcd2d4 00000000 00000000 00000000 ole32!NotifyInitializeSpies+0x6a
0024f5a0 00aadae3 00ac7080 00000001 0024fb84 ole32!CoUninitialize+0x99
0024faf0 00ab8ddc 00aa0000 00000000 004022ac APPEXE!wWinMain+0x343
0024fb84 76aad0e9 7ffd5000 0024fbd0 77c11963 APPEXE!__tmainCRTStartup+0x150
0024fb90 77c11963 7ffd5000 76ff38b3 00000000 kernel32!BaseThreadInitThunk+0xe
0024fbd0 77c11936 00ab8faa 7ffd5000 00000000 ntdll!__RtlUserThreadStart+0x23
0024fbe8 00000000 00ab8faa 7ffd5000 00000000 ntdll!_RtlUserThreadStart+0x1b
Memory access error at ');r;g'
eax=01c4f7d8 ebx=00000000 ecx=6cbe7ef8 edx=00000002 esi=0024f23c edi=03ac5d44
eip=76fb72da esp=0024f21c ebp=0024f2a4 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
ole32!CStdMarshal::DisconnectSrvIPIDs+0xbf:
76fb72da ff5108 call dword ptr [ecx+8] ds:0023:6cbe7f00=????????
Tallying the log above: AppDllA!ATL::CComObject<ComInterfaceA>::AddRef was hit 5 times but AppDllA!ATL::CComObject<ComInterfaceA>::Release only 3 times between APPEXE loading AppDllA and unloading it, so the object was still alive when FreeLibrary ran. At the last breakpoint hit, inside CoUninitialize, the Release slot at 6cbe7f00 reads as ???????? and the breakpoint's ln poi(ecx+8) fails with a memory access error: the vtable went away with the module, which is exactly the crash from the first run. After checking every AddRef call stack against the code, I found that 2 of the AddRef calls are not needed, so I notified the owning team to fix it.
Written By opqit(opqit@hotmail.com) 08/12/2010