Microsoft KB Archive/304212

= Message Queuing Access Violation Occurs and Event 2077 Is Logged =

Article ID: 304212

Article Last Modified on 10/29/2007

-

APPLIES TO


 * Microsoft Message Queue Server 1.0

-



This article was previously published under Q304212



SYMPTOMS
Message Queuing Event 2077 is logged to the Application log in Event Viewer, followed by an access violation in the Message Queuing service.



CAUSE
When a dependent client calls the MQCloseQueue function twice, this may cause the supporting server to fail.

This problem occurs when a multi-threaded client makes the following call sequence from two separate threads:

 * MQBeginTransaction
 * MQOpenQueue
 * MQSendMessage
 * MQCloseQueue
 * pTransaction->Commit
 * MQCloseQueue

The access violation occurs on the server when the calls of the two threads overlap, because both the queue handle and the CTransaction object are RPC context handles in the interface between the runtime and the queue manager.



RESOLUTION
A supported fix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Apply it only to computers that are experiencing this specific problem. This fix may receive additional testing. Therefore, if you are not severely affected by this problem, Microsoft recommends that you wait for the next Windows NT 4.0 Service Pack that contains this hotfix.

To resolve this problem immediately, contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS

NOTE: In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The typical support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

The English version of this fix should have the following file attributes or later:

 Date         Time   Version    Size       File name
 ---------------------------------------------------------
 23-Sep-2002  08:51                 11,163  Crdbsp7.sql
 23-Sep-2002  08:50                 19,968  Mq2ndnd.exe
 02-Jul-2003  08:02  1.0.0.337      61,584  Mqac.sys
 23-Sep-2002  08:27  1.0.0.336      34,064  Mqcertui.dll
 02-Jul-2003  08:02  1.0.0.337      34,064  Mqdbmgr.dll
 02-Jul-2003  08:02  1.0.0.337      59,152  Mqdscli.dll
 02-Jul-2003  08:02  1.0.0.337      56,592  Mqdssrv.dll
 02-Jul-2003  08:02  1.0.0.337     227,088  Mqis.dll
 02-Jul-2003  08:02  1.0.0.337      16,144  Mqkeyhlp.dll
 02-Jul-2003  08:02  1.0.0.337     142,096  Mqoa.dll
 02-Jul-2003  08:02  1.0.0.337       8,464  Mqperf.dll
 02-Jul-2003  08:02  1.0.0.337     509,200  Mqqm.dll
 02-Jul-2003  08:02  1.0.0.337     110,352  Mqrt.dll
 23-Sep-2002  08:45  1.0.0.336   1,831,320  Mqsetup.dll
 02-Jul-2003  08:02  1.0.0.337      14,096  Mqsvc.exe
 02-Jul-2003  08:02  1.0.0.337     106,768  Mqutil.dll
 23-Sep-2002  08:27  1.0.0.336      62,224  Msmq.cpl

The hotfix package for this article will actually contain the fix for the following article in the Microsoft Knowledge Base:

822835 MSMQ: Event ID 2085 "Unable to create message file ..."



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.



Detailed Explanation
 1. Thread A calls MQCloseQueue and when it is returned, the runtime deletes the handle structure.
 2. A thread switch occurs and thread B calls MQBeginTransaction. This allocates a structure in memory and calls the supporting server that allocates the CTransaction object and returns it as an RPC context handle.
 3. A thread switch occurs and thread A calls MQCloseQueue again. The queue handle is just a memory pointer and this memory was deleted in step 1, but then in step 2 it is reallocated as a different object. MQCloseQueue calls the supporting server by using what is now known as the CTransaction context handle.
 4. On the server side, NtClose is called with an incorrect handle, which:
    * Returns an error.
    * Does not cause an access violation.
    * Deletes the context.
    This behavior causes the object to be deleted without calling its destructor.
 5. The pointer to the deleted CTransaction object is still kept in the active list, which occurs because the destructor was not called, and then a checkpoint is issued. During the checkpoint, this object, whose pointer is no longer valid, fails to be written to the log file, which causes Event 2077 to be logged and the access violation to occur.

In this hotfix, a signature is now used for the queue handle structure that allows a Close method to validate the queue handle. If the object pointer is not a queue handle, the Close method is ignored and it does not delete the object.
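A minimal C model of the handle reuse in steps 1 to 3 and of the signature check described above, added here as an illustration and not Microsoft's code. The structure layouts, the signature value, the context numbers and all function names are assumptions; a union stands in for heap memory that is released and then handed out again.

```c
#include <stdint.h>
#include <stdio.h>

#define QUEUE_SIG 0x51484E44u   /* constructed marker value (assumption) */
#define QUEUE_CTX 100           /* constructed server context for the queue */
#define TXN_CTX   200           /* constructed server context for the transaction */
#define NO_CALL   (-1)          /* close refused: nothing is sent to the server */

/* Hypothetical layouts; the real MSMQ structures are not shown in the article. */
struct queue_handle { uint32_t signature; int server_ctx; };
struct transaction  { uint32_t state;     int server_ctx; };

/* One block of memory that is handed out again after it is freed. */
union block { struct queue_handle q; struct transaction t; };

typedef int (*close_fn)(union block *);

static void open_queue(union block *b) { b->q.signature = QUEUE_SIG; b->q.server_ctx = QUEUE_CTX; }
static void begin_transaction(union block *b) { b->t.state = 1; b->t.server_ctx = TXN_CTX; }

/* Before the fix: whatever the pointer refers to is treated as a queue handle. */
static int close_unchecked(union block *b) { return b->q.server_ctx; }

/* After the fix: only memory that carries the queue signature is closed. */
static int close_checked(union block *b) {
    if (b->q.signature != QUEUE_SIG)
        return NO_CALL;
    b->q.signature = 0;   /* added in this sketch: a closed handle no longer validates */
    return b->q.server_ctx;
}

/* Replays steps 1-3; returns the context the second close sends to the server. */
int replay_double_close(close_fn close_queue) {
    union block mem;
    open_queue(&mem);
    close_queue(&mem);          /* step 1: thread A closes, memory is released */
    begin_transaction(&mem);    /* step 2: thread B is given the same memory */
    return close_queue(&mem);   /* step 3: thread A closes the stale handle */
}

int main(void) {
    printf("unchecked: %d\n", replay_double_close(close_unchecked));
    printf("checked:   %d\n", replay_double_close(close_checked));
    return 0;
}
```

Without the check, the second close forwards the transaction's context to the server; with it, the stale pointer fails validation and no call is made.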

Additional query words: AV

Keywords: kbproductlink kbhotfixserver kbqfe kbfix kbprb kbqfe KB304212

-


© Microsoft Corporation. All rights reserved.