In the course of trying to marshall MSI for bug #18070 I ran into a crash trying to marshall an interface pointer, caused by a double free. I traced the superfluous frees back to dlls/rpcrt4/ndr_ole.c:
/***********************************************************************
 *           NdrInterfacePointerFree [RPCRT4.@]
 */
void WINAPI NdrInterfacePointerFree(PMIDL_STUB_MESSAGE pStubMsg,
                                    unsigned char *pMemory,
                                    PFORMAT_STRING pFormat)
{
  LPUNKNOWN pUnk = (LPUNKNOWN)pMemory;
  TRACE("(%p,%p,%p)\n", pStubMsg, pMemory, pFormat);
  if (pUnk) IUnknown_Release(pUnk);
}
Could anyone shed light on what the purpose of this call is? It doesn't seem to correspond with any AddRef() or QueryInterface() call anywhere else. Presumably it would correspond with NdrInterfacePointerMarshall(), which calls CoMarshalInterface(), but the latter only causes references to be grabbed by the stub manager, and those (as far as I can tell by skimming) are released when SendReceive() is called.
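
One way to pin down which Release is the unmatched one, as an added example that is not part of the original post and is not Wine code: a small C model of a refcounted object with a per-owner ledger. The names `tracked_addref`, `tracked_release`, `replay_post_sequence` and the owner labels are hypothetical, and the replayed sequence follows the post's description rather than a verified trace.

```c
#include <string.h>

/* Hypothetical model, not Wine code: a refcounted object plus a per-owner
 * ledger so an unmatched Release is reported instead of freeing early. */
#define MAX_OWNERS 4
struct tracked {
    int refs, freed, n;
    const char *owner[MAX_OWNERS];
    int held[MAX_OWNERS];
};

static int slot(struct tracked *t, const char *who)
{
    for (int i = 0; i < t->n; i++)
        if (strcmp(t->owner[i], who) == 0) return i;
    if (t->n == MAX_OWNERS) return -1;
    t->owner[t->n] = who;
    t->held[t->n] = 0;
    return t->n++;
}

void tracked_addref(struct tracked *t, const char *who)
{
    int i = slot(t, who);
    if (i >= 0) { t->held[i]++; t->refs++; }
}

/* 0: balanced; -1: who holds no reference (unmatched); -2: already freed */
int tracked_release(struct tracked *t, const char *who)
{
    int i;
    if (t->freed) return -2;
    i = slot(t, who);
    if (i < 0 || t->held[i] == 0) return -1;
    t->held[i]--;
    if (--t->refs == 0) t->freed = 1;
    return 0;
}

/* Sequence as the post describes it (constructed): the caller owns one
 * reference, marshalling takes and drops a stub-manager reference, then
 * the free routine releases without a matching AddRef. */
int replay_post_sequence(struct tracked *t)
{
    memset(t, 0, sizeof *t);
    tracked_addref(t, "caller");
    tracked_addref(t, "stub_manager");         /* during marshalling */
    tracked_release(t, "stub_manager");        /* dropped after the call */
    return tracked_release(t, "free_routine"); /* the release in question */
}
```

In the model the unmatched release is refused and reported, so the caller's own reference survives; without the ledger that release would drop the count to zero and the caller's later Release would be the double free.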