IUnknown_Release_Proxy leading to exception

This is the final debug output when I run ICQ:

wine: Unhandled exception (thread 0023), starting debugger... fixme:console:SetConsoleCtrlHandler (0x405fbab0,1) - no error checking or testing yet WineDbg starting on pid 0x24 Unhandled exception: page fault on read access to 0x00000000 in 32-bit code (0x40ab8695). In 32 bit mode. q0x40ab8695 IUnknown_Release_Proxy [/home/truiken/wine/dlls/rpcrt4/cproxy.c:330] in rpcrt4: movl 0x0(%eax),%edx 330 return IUnknown_Release(This->pUnkOuter); 330 return IUnknown_Release(This->pUnkOuter); Wine-dbg>l syntax error Wine-dbg>list 330 return IUnknown_Release(This->pUnkOuter); 331 #endif 332 } 333

in reading the comments, the interface refcounting is commented out and object refcounting is what is being used. i added a refCount variable to cproxy.c and did refCount++ and refCount-- in IUnknown_Release_Proxy and IUnknown_AddRef_Proxy with additional trace statements that show the value of refCount. right before the exception, a trace shows refCount to be -1. This is the log of trace+relay,ole:

045:Call kernel32.InterlockedDecrement(41277154) ret=00405614 0045:Ret kernel32.InterlockedDecrement() retval=0000000b ret=00405614 0045:Call kernel32.InterlockedDecrement(00637d80) ret=0040561b 0045:Ret kernel32.InterlockedDecrement() retval=00000042 ret=0040561b trace:ole:ObjectStubless (0x4311b3c4)->(5)([4 bytes]) ret=143db323 fixme:ole:RPCRT4_NdrClientCall2 (pStubDec == ^0x2476aa98,pFormat = ^0x2476a626,...): stub 0045:Call rpcrt4.IUnknown_Release_Proxy(4311b3c4) ret=00484779 trace:ole:IUnknown_Release_Proxy refCount: -1 trace:ole:IUnknown_Release_Proxy (0x4311b3c0)->Release() MIBDBCovnert 0045:Call kernel32.UnhandledExceptionFilter(406cdd6c) ret=4090f2b8

Any thoughts?