Slashdot Mirror

← Back to Stories (view on slashdot.org)

"Side By Side Assemblies" Bring DLL Hell 2.0

Posted by kdawson on from the long-nightmare-is-not-over dept.

neutrino38 writes "This is an alert for all developers using Microsoft Visual Studio 2005. At the beginning of January, Microsoft issued a security fix for Visual Studio 2005 forcing the use of new dynamic libraries (DLLs) by all applications compiled with this IDE. Basically, applications compiled with Visual Studio 2005 will not work anymore on an ordinary (non-dev) PC unless the newer DLLs are installed. And we found out that this is true on fully updated PCs. I just posted some details and some suggested fixes." Read below for some more background on Microsoft's so-called "side by side assemblies."

For those unfamiliar with the Microsoft world, native microsoft applications written in C++ rely on dynamic libraries. Two of them are infamous: MSVCRT.DLL and MFCxx.dll. Because of software evolution and security fixes, multiple versions of these DLLs were often present in the system, causing application instability. Where Linux implemented a simple suffix notation on the dynamic libraries, Microsoft created a new beast in 2001: the Side By Side assembly. These are basically DLLs with a companion XML file that identifies them. The XML file contains a digital signature and when the system binds these DLLs dynamically to an application, it checks that the signature of the DLL matches the DLL itself. When everythings runs well, this is pretty transparent. But when issues arise, it becomes excruciatingly difficult to troubleshoot and fix. DLL hell is not over.

6 of 433 comments (clear)

  1. Re:Why don't apps just use their own copy of the . by Anonymous Coward · · Score: 5, Informative

    That defeats the whole purpose of a DLL anyway. The thought was that you wouldn't have to "reinvent the wheel" and you could reuse code. However, Microsoft's failure to document their operating system's API thoroughly in a public manner led to developers relying on undocumented features that were later changed. Then, those applications needed older versions of those libraries and would install them over the newer versions. This, of course, crashed the newer applications. Ugh.

  2. Re:Speaking as a user by Timothy+Brownawell · · Score: 5, Informative

    That's great until some common library needs to be updated for a security hole, and you have download 20 updates from different vendors (assuming they even provide updates...) rather than 1 item in Windows Update.

  3. Re:Also... by SigILL · · Score: 5, Informative

    The real problem is C version Y not being backward compatible to C version X, leading to this idiocy of piling more and more complexity on top of a totally rotten mechanism.

    It might surprise you, but Microsoft isn't actually to blame here. Rather, the legions of incompetent programmers that wrote DLLs such as C are to blame. We'd call them idiots, but Microsoft calls them paying customers. Thus prompting them to design SxS and incorporate it in WinXP.

    Also, SxS is what made the restyling of the UI (through common controls version 6) technically possible.

    Microsoft takes backwards compatibility very seriously.

    --
    Error: password can't contain reverse spelling of ancient Chinese emperor
  4. Re:Non-issue for actual msdn coders like myself by Anonymous Coward · · Score: 5, Informative

    Oh jesus christ I can't stand how fucking idiotic everything in this discussion is.

    What happened: In August, they released a patch to the IDE that required a new version of the shared libraries. Binaries built with this patched version of the IDE/compiler/toolchain will by default require a version of DLLs that aren't installed by default on many systems.

    What would have prevented this asshat's blog post: Write a fucking installer that includes the DLLs you use. Thus, when your compiler changes, and your new packages rely on some stuff, magically that 'some stuff' is bundled along with your binary, and everything _still works_. Relying on OTHER packages to have good installers that properly put stuff in to SxS is just idiotic. "Wah, I rely on stuff that I'm specifically told I can't rely on, Microsoft sucks, and SxS is evil!"

    No. SxS has been SAVING your ass from updates like this since Windows XP. Surprisingly, you can now NOT recompile your project, and have it still work, even though there's a newer version of DLLs you depend on, because the backwards compatibility problem of these DLLs is just gone. The version YOU want and need and depend on is still there, still usable. Something else on the system that wants the newer version gets it, and all its patched glory. This is actually a security hole, and in THAT case, the DLL you depend on WILL change to fix the security problem. Nothing in the August 2009 update to VS 2005 seems to indicate that this happened, it's only for newly compiled binaries.

    So, in summary: The blog poster is an idiot, he hates his user, he's too lazy to write a real installer, he has incompetent developers that don't care about the security of their product, and he asked for help and got 4 completely idiotic responses. Now everyone on slashdot who knows nothing about SxS and the actual problems it causes (and yes there are some) think that it's the same problem we've always had, but worse.

    Note: I'm not a Windows developer (Linux developer), and I've not used Windows in well over a year (Mac user). But I've been bitten by SxS in my last job and dealing with VB.Net, back when I didn't know I had to make a real installer for my stuff. I somehow managed to learn to not be an idiot, and the blog poster should too.

  5. Re:Time to question if DLLs are still needed by Jahava · · Score: 5, Informative
    It's not just a matter of disk / process size. DLLs (and dynamically-linked libraries, in general) are also an important buffer between API and ABI differences that exist between OSes (Windows 7, Vista, XP, etc.) and OS versions (SP1, SP2, and even minor updates...). Dynamically-linked Libraries act as a buffer between the API / ABI layer and the application layer, allowing the OS to fundamentally change how it works (e.g., add a field to the Create a Window system call structure), update the associated DLL(s) (e.g., rewrite the "CreateWindow" function in core.dll), and have all of the applications installed on the system still work perfectly without needing a single update.

    Additionally, DLLs can enhance security. If there's a bug in MSVCRT.DLL, Microsoft can patch it and release it as an update. In a static world, every application that had that buggy code compiled into it would have to be rebuilt and redistributed.

    In a statically-linked world, every application would need to be rebuilt (on Windows, redistributed) every time an API / ABI change was released, as well as every time a bug was fixed. Furthermore, download sites would either have to release binaries for every API / ABI combination (that's a ton of releases per version) and deal with users downloading the wrong one, or do the open-source model and release the source, forcing the users to build the application on their system and rebuild every API / ABI update. And somehow I don't think the latter solution would fly with the Windows community.

    Like other posters have said, Microsoft's solution is actually not a bad one. Allowing multiple DLLs to be loaded simultaneously is not a pretty solution, but it's not a pretty problem that they have to solve, either. Advance with backwards-compatibility in mind as much as it makes sense to, and use SxS DLLs when it doesn't.

  6. Re:And by all developers you mean by Anonymous Coward · · Score: 5, Informative
    I'm not sure what the authors of these posts were trying to accomplish, but there's some serious misinformation here. I've written a bunch of C++ apps on Windows using Visual Studio 2005, none of which rely on MFCxx.dll - that's only required when your application uses the MFC libraries. Also, the need for the redistributables for the C++ runtime has been around for a lot longer than this patch released in January (plus, it is now October), not exactly "news". There's a reason the redistributables come with Visual Studio from the get go, they aren't there for show. New redistributables are required for each version of Visual Studio, and even for each service pack (the alternative is to statically compile the runtime into the application which many people do). The requirement isn't because of the implementation of side by side assemblies, it's because changes have occurred in the C++ runtime which are not binary compatible. If developers who use Visual Studio 2005 for commercial products still aren't aware of this and need this sensationalist story on Slashdot to warn them, they have bigger problems.

    But when issues arise, it becomes excruciatingly difficult to troubleshoot and fix.

    The version information is written in plain text in the manifest. The files have names based on the version information in the WinSxS folder. If you get the error and notice the files aren't there, its fairly trivial to troubleshoot and fix.

    I'm not a fan of side by side assemblies, I just hate to see issues like this blown out of proportion as it obscures some of the real issues that developers face when developing for Windows (such as just about every bug filed on Microsoft Connect being closed as "by design" instead of being worked on or at the very least closed as "can't fix, compatibility issues", for example).