On Wed Feb 5 10:38:24 2025 +0000, Jinoh Kang wrote:
In patch 4/5[^1], `add_module_dependency` detects an existing reference and decrements[^d] LoadCount back to the previous value. This is true for both static and dynamic dependencies. In fact, static refs are what prompted the need for the deduplication in the first place. Kernel32/kernelbase together have about a hundred export forwarders to ntdll, and not deduplicating them would result in not *just* extra LoadCount but also allocation of extra LDR_DEPENDENCY edges, a nontrivial memory bloat.

So, in a sense, `add_module_dependency` holds the final authority over whether we want to actually increase LoadCount or not. For duplicate references, LoadCount is incremented (AddRef'd) by either `load_dll` or the else branch, and then decremented back (Release'd) on dupe detection, resulting in a net delta of 0. In case `add_module_dependency` is not called because it forwards to ntdll or kernel32, `wm` is simply released[^p] at the end of the function anyway, also a net delta of 0.

[^1]: "ntdll: Don't re-add a module dependency if it already exists."
[^d]: Indirectly via `LdrUnloadDll`.
[^p]: kernel32 and ntdll are effectively pinned DLLs, so we don't keep their incoming edges. This is consistent with the rest of the loader logic.
Besides, extra refcounts would have resulted in test failure, because the test calls GetProcAddress() twice.
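The refcount accounting described in the comment above, as an added, self-contained model that is not Wine's loader code: the module table, the `LDR_DEPENDENCY`-style edge list, the `pinned` flag standing in for the ntdll/kernel32 special case, and the `resolve_reference` helper (which plays the role of the `load_dll`/else-branch AddRef followed by `add_module_dependency`) are all assumptions of this example. It shows the two invariants the comment states: repeated references to the same target leave exactly one edge and a net LoadCount delta of +1 over the first reference, and references to a pinned module leave no edge and a net delta of 0.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_MODULES 8
#define MAX_EDGES   64

/* Hypothetical stand-in for LDR_DATA_TABLE_ENTRY: just a name, a LoadCount,
 * and whether the module is "pinned" (ntdll/kernel32 in the comment). */
typedef struct {
    const char *name;
    int load_count;
    bool pinned;
} module_t;

/* Hypothetical stand-in for an LDR_DEPENDENCY edge (from -> to). */
typedef struct {
    int from, to;
} edge_t;

static module_t modules[MAX_MODULES];
static int n_modules;
static edge_t edges[MAX_EDGES];
static int n_edges;

void reset_loader(void)
{
    memset(modules, 0, sizeof(modules));
    memset(edges, 0, sizeof(edges));
    n_modules = n_edges = 0;
}

/* Register a module with an initial LoadCount of 1 (it is loaded once). */
int add_module(const char *name, bool pinned)
{
    int idx = n_modules++;
    modules[idx].name = name;
    modules[idx].load_count = 1;
    modules[idx].pinned = pinned;
    return idx;
}

static void addref(int m)  { modules[m].load_count++; }
/* Stands in for the LdrUnloadDll path: drop one reference. */
static void release(int m) { modules[m].load_count--; }

/* Model of add_module_dependency: caller has already AddRef'd `to`.
 * On a duplicate edge, release that reference again (net delta 0)
 * and allocate nothing; otherwise keep the reference and add the edge. */
bool add_module_dependency(int from, int to)
{
    for (int i = 0; i < n_edges; i++) {
        if (edges[i].from == from && edges[i].to == to) {
            release(to);
            return false;
        }
    }
    edges[n_edges].from = from;
    edges[n_edges].to = to;
    n_edges++;
    return true;
}

/* Model of one import/forwarder resolution: load_dll (or the else branch)
 * takes a reference, then either the target is pinned and the reference is
 * simply dropped, or add_module_dependency decides whether it stays. */
void resolve_reference(int from, int to)
{
    addref(to);
    if (modules[to].pinned) {
        release(to);   /* no incoming edge kept for pinned DLLs */
        return;
    }
    add_module_dependency(from, to);
}

int load_count(int m) { return modules[m].load_count; }
int edge_count(void)  { return n_edges; }

int main(void)
{
    reset_loader();
    int ntdll  = add_module("ntdll.dll", true);
    int user32 = add_module("user32.dll", false);
    int app    = add_module("app.exe", false);

    /* Three references to the same non-pinned target: one edge, +1 once. */
    for (int i = 0; i < 3; i++) resolve_reference(app, user32);
    /* Two forwarders into ntdll: no edge, LoadCount unchanged. */
    for (int i = 0; i < 2; i++) resolve_reference(app, ntdll);

    for (int i = 0; i < n_modules; i++)
        printf("%-12s LoadCount=%d\n", modules[i].name, modules[i].load_count);
    printf("edges=%d\n", edge_count());
    return 0;
}
```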