Hi,
I just want to know if you have a fix for this one. I'm getting lots of crashes due to Flash32_11_8_800_94.ocx
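Debugging the issue shows that the above-mentioned module is calling UnDllModule, which frees virtual memory that still contains an active critical section; that is the cause of our crash. In the stack below, VirtualFree is called on 0x5c020000 with MEM_RELEASE (0x8000), and the critical section reported by the verifier is at 0x5c026dac, inside that region.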
I have also verified the issue by enabling the basic lock checks in Application Verifier and attaching the debugger to the process.
APPLICATION_VERIFIER_LOCKS_LOCK_IN_FREED_VMEM (212)
=====================================================
0:011> kv
ChildEBP RetAddr Args to Child
0b1abe94 70af3b68 7b10f5eb 70ac60c8 6a1c4fd0 ntdll!DbgBreakPoint (FPO: [0,0,0])
0b1ac09c 70abc55e 70ac60c8 00000212 5c026dac vrfcore!VerifierStopMessageEx+0x4d1 (FPO: [Non-Fpo])
0b1ac0d0 70ab6e4c 00000001 5c020000 00007000 vfbasics!AVrfpFreeMemLockChecks+0xd0 (FPO: [Non-Fpo])
0b1ac0f4 70ac2a7f 00000001 5c020000 00007000 vfbasics!AVrfpFreeMemNotify+0x2b (FPO: [Non-Fpo])
0b1ac138 70ac2b46 00000001 00000001 5c020000 vfbasics!AVrfpFreeVirtualMemNotify+0x171 (FPO: [Non-Fpo])
0b1ac164 7696ee3d ffffffff 0b1ac190 00000000 vfbasics!AVrfpNtFreeVirtualMemory+0x96 (FPO: [Non-Fpo])
0b1ac184 7696ef4e ffffffff 5c020000 00000000 KERNELBASE!VirtualFreeEx+0x3a (FPO: [Non-Fpo])
0b1ac19c 70ac27ff 5c020000 00000000 00008000 KERNELBASE!VirtualFree+0x15 (FPO: [Non-Fpo])
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\SysWOW64\Macromed\Flash\Flash32_11_8_800_94.ocx -
0b1ac1e4 65833a82 5c020000 00000000 00008000 vfbasics!AVrfpVirtualFree+0x82 (FPO: [Non-Fpo])
WARNING: Stack unwind information not available. Following frames may be wrong.
0b1ac1f4 65829d58 5c020000 00200000 6582a0e0 Flash32_11_8_800_94!IAEModule_IAEKernel_UnloadModule+0x743e2
0b1ac200 6582a0e0 5c020000 00200000 661529c0 Flash32_11_8_800_94!IAEModule_IAEKernel_UnloadModule+0x6a6b8
0b1ac210 6582a5b0 00000000 74ee1484 661529c0 Flash32_11_8_800_94!IAEModule_IAEKernel_UnloadModule+0x6aa40
0b1ac22c 6582c3b4 74ee1484 6ca51000 0b1ac2c4 Flash32_11_8_800_94!IAEModule_IAEKernel_UnloadModule+0x6af10
00000000 00000000 00000000 00000000 00000000 Flash32_11_8_800_94!IAEModule_IAEKernel_UnloadModule+0x6cd14
0:039> !cs -s 5c026dac
-----------------------------------------
Critical section = 0x5c026dac (+0x5C026DAC)
DebugInfo = 0x2707afe0
NOT LOCKED
LockSemaphore = 0x0
SpinCount = 0x00000000
Stack trace for DebugInfo = 0x2707afe0:
0x76ed486d: ntdll!RtlInitializeCriticalSectionEx+0xB3
0x76ed2621: ntdll!RtlInitializeCriticalSectionAndSpinCount+0x19
0x70abbc36: vfbasics!AVrfpInitializeCriticalSectionCommon+0xD8
0x70abbd6f: vfbasics!AVrfpRtlInitializeCriticalSection+0x11
0x6529708a: Flash32_11_8_800_94+0x708A
0x654ec772: Flash32_11_8_800_94!DllUnregisterServer+0x868B4
//
!cx 5c026dac
dt ntdll!_RTL_CRITICAL_SECTION 0x5c026dac
+0x000 DebugInfo : 0x2707afe0 _RTL_CRITICAL_SECTION_DEBUG
+0x004 LockCount : 0n-1
+0x008 RecursionCount : 0n0
+0x00c OwningThread : (null)
+0x010 LockSemaphore : (null)
+0x014 SpinCount : 0
dt ntdll!_RTL_CRITICAL_SECTION_DEBUG 0x2707afe0
+0x000 Type : 0
+0x002 CreatorBackTraceIndex : 0x1031
+0x004 CriticalSection : 0x5c026dac _RTL_CRITICAL_SECTION
+0x008 ProcessLocksList : _LIST_ENTRY [ 0x4a972fe8 - 0x56311fe8 ]
+0x010 EntryCount : 0
+0x014 ContentionCount : 0
+0x018 Flags : 0
+0x01c CreatorBackTraceIndexHigh : 0
+0x01e SpareUSHORT : 0xc0c0
Critical Section is NOT locked
Owner Thread:
NO Owner Thread.
0:011> kv = 0492D234
ChildEBP RetAddr Args to Child
0b1abe94 70af3b68 7b10f5eb 70ac60c8 6a1c4fd0 ntdll!DbgBreakPoint (FPO: [0,0,0])
0b1ac09c 70abc55e 70ac60c8 00000212 5c026dac vrfcore!VerifierStopMessageEx+0x4d1 (FPO: [Non-Fpo])
0b1ac0d0 70ab6e4c 00000001 5c020000 00007000 vfbasics!AVrfpFreeMemLockChecks+0xd0 (FPO: [Non-Fpo])
0b1ac0f4 70ac2a7f 00000001 5c020000 00007000 vfbasics!AVrfpFreeMemNotify+0x2b (FPO: [Non-Fpo])
0b1ac138 70ac2b46 00000001 00000001 5c020000 vfbasics!AVrfpFreeVirtualMemNotify+0x171 (FPO: [Non-Fpo])
0b1ac164 7696ee3d ffffffff 0b1ac190 00000000 vfbasics!AVrfpNtFreeVirtualMemory+0x96 (FPO: [Non-Fpo])
0b1ac184 7696ef4e ffffffff 5c020000 00000000 KERNELBASE!VirtualFreeEx+0x3a (FPO: [Non-Fpo])
0b1ac19c 70ac27ff 5c020000 00000000 00008000 KERNELBASE!VirtualFree+0x15 (FPO: [Non-Fpo])
0b1ac1e4 65833a82 5c020000 00000000 00008000 vfbasics!AVrfpVirtualFree+0x82 (FPO: [Non-Fpo])
WARNING: Stack unwind information not available. Following frames may be wrong.
0b1ac1f4 65829d58 5c020000 00200000 6582a0e0 Flash32_11_8_800_94!IAEModule_IAEKernel_UnloadModule+0x743e2
0b1ac200 6582a0e0 5c020000 00200000 661529c0 Flash32_11_8_800_94!IAEModule_IAEKernel_UnloadModule+0x6a6b8
0b1ac210 6582a5b0 00000000 74ee1484 661529c0 Flash32_11_8_800_94!IAEModule_IAEKernel_UnloadModule+0x6aa40
0b1ac22c 6582c3b4 74ee1484 6ca51000 0b1ac2c4 Flash32_11_8_800_94!IAEModule_IAEKernel_UnloadModule+0x6af10
00000000 00000000 00000000 00000000 00000000 Flash32_11_8_800_94!IAEModule_IAEKernel_UnloadModule+0x6cd14
/Friendly debug ninja from Microsoft