Message Queuing Access Violation Occurs and Event 2077 Is Logged (304212)



The information in this article applies to:

  • Microsoft Message Queue Server (MSMQ) 1.0

This article was previously published under Q304212

SYMPTOMS

Message Queuing Event 2077 is logged to the Application log in Event Viewer, followed by an access violation in the Message Queuing service.

CAUSE

When a dependent client calls the MQCloseQueue function twice, this may cause the supporting server to fail.

This problem occurs when a multi-threaded client makes the following call sequence from two separate threads:
MQBeginTransaction
MQOpenQueue
MQSendMessage
MQCloseQueue
pTransaction->Commit
MQCloseQueue
				
The access violation occurs on the server when the calls of the two threads overlap because both the queue handle and the CTransaction object are RPC context handles in the interface between the runtime and the queue manager.

RESOLUTION

A supported fix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Apply it only to computers that are experiencing this specific problem. This fix may receive additional testing. Therefore, if you are not severely affected by this problem, Microsoft recommends that you wait for the next Windows NT 4.0 Service Pack that contains this hotfix.

To resolve this problem immediately, contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:

NOTE: In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The typical support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

The English version of this fix should have the following file attributes or later:
Date         Time   Version         Size  File name
-------------------------------------------------------
23-Sep-2002  08:51                11,163  Crdbsp7.sql
23-Sep-2002  08:50                19,968  Mq2ndnd.exe
02-Jul-2003  08:02  1.0.0.337     61,584  Mqac.sys
23-Sep-2002  08:27  1.0.0.336     34,064  Mqcertui.dll
02-Jul-2003  08:02  1.0.0.337     34,064  Mqdbmgr.dll
02-Jul-2003  08:02  1.0.0.337     59,152  Mqdscli.dll
02-Jul-2003  08:02  1.0.0.337     56,592  Mqdssrv.dll
02-Jul-2003  08:02  1.0.0.337    227,088  Mqis.dll
02-Jul-2003  08:02  1.0.0.337     16,144  Mqkeyhlp.dll
02-Jul-2003  08:02  1.0.0.337    142,096  Mqoa.dll
02-Jul-2003  08:02  1.0.0.337      8,464  Mqperf.dll
02-Jul-2003  08:02  1.0.0.337    509,200  Mqqm.dll
02-Jul-2003  08:02  1.0.0.337    110,352  Mqrt.dll
23-Sep-2002  08:45  1.0.0.336  1,831,320  Mqsetup.dll
02-Jul-2003  08:02  1.0.0.337     14,096  Mqsvc.exe
02-Jul-2003  08:02  1.0.0.337    106,768  Mqutil.dll
23-Sep-2002  08:27  1.0.0.336     62,224  Msmq.cpl

The hotfix package for this article will actually contain the fix for the following article in the Microsoft Knowledge Base:

822835 MSMQ: Event ID 2085 "Unable to create message file ..."

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

MORE INFORMATION

Detailed Explanation

  1. Thread A calls MQCloseQueue, and when the call returns, the runtime deletes the handle structure.
  2. A thread switch occurs and thread B calls MQBeginTransaction. This allocates a structure in memory and calls the supporting server that allocates the CTransaction object and returns it as an RPC context handle.
  3. A thread switch occurs and thread A calls MQCloseQueue again. The queue handle is just a memory pointer, and this memory was deleted in step 1 and then reallocated as a different object in step 2. MQCloseQueue calls the supporting server by using what is now the CTransaction context handle.
  4. On the server side, NtClose is called with an incorrect handle, which:
    • Returns an error.
    • Does not cause an access violation.
    • Deletes the context.
    This behavior causes the object to be deleted without calling its destructor.
  5. The pointer to the deleted CTransaction object is still kept in the active list because the destructor was not called. A checkpoint is then issued. During the checkpoint, this object, whose pointer is no longer valid, fails to be written to the log file, which causes Event 2077 to be logged and the access violation to occur.

This hotfix adds a signature to the queue handle structure so that the Close method can validate the queue handle. If the object pointer is not a queue handle, the Close call is ignored and the object is not deleted.
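
The signature check described above, as an added example in C that is not Microsoft's code and not part of the original article. It is a simplified single-process model: a one-slot pool stands in for the heap so that the memory reuse in steps 1 to 3 is deterministic, and all names and signature values (`SIG_QUEUE`, `SIG_XACT`, `close_checked`, `transaction_survives`) are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed signature values; the article does not give the hotfix's real ones. */
#define SIG_QUEUE 0x51554555u
#define SIG_XACT  0x58414354u

typedef struct { uint32_t sig; int queue_id; } QueueHandle;
typedef struct { uint32_t sig; int in_active_list; } Transaction;
/* A one-slot pool stands in for the heap so that address reuse is deterministic. */
static union { QueueHandle q; Transaction t; } slot;
static int slot_used;

static void *pool_alloc(uint32_t sig) {   /* allocate and stamp the type signature */
    if (slot_used) return NULL;
    slot_used = 1; slot.q.sig = sig;
    return &slot;
}
static void pool_free(void *p) { memset(p, 0, sizeof slot); slot_used = 0; }

/* Before the fix: trust the pointer and release whatever object lives there. */
int close_unchecked(void *h) { pool_free(h); return 0; }

/* After the fix: ignore the call unless the object carries the queue signature. */
int close_checked(void *h) {
    uint32_t sig;
    if (h == NULL) return -1;
    memcpy(&sig, h, sizeof sig);
    if (sig != SIG_QUEUE) return -1;   /* stale or foreign pointer: do not delete */
    pool_free(h);                      /* zeroing also wipes the signature */
    return 0;
}

/* Replays steps 1-3; returns 1 if thread B's transaction is still intact. */
int transaction_survives(int (*close_fn)(void *)) {
    slot_used = 0;
    QueueHandle *q = pool_alloc(SIG_QUEUE);
    close_fn(q);                            /* step 1: thread A closes the queue */
    Transaction *t = pool_alloc(SIG_XACT);  /* step 2: thread B reuses the memory */
    if (t) t->in_active_list = 1;
    close_fn(q);                            /* step 3: thread A closes again */
    return t && slot_used && t->sig == SIG_XACT && t->in_active_list;
}

int main(void) {
    printf("unchecked=%d ", transaction_survives(close_unchecked));
    printf("checked=%d\n", transaction_survives(close_checked));
    return 0;
}
```

Clearing the signature when the handle is released matters as much as checking it: a second close on memory that has not yet been reused then fails validation as well.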

Modification Type: Minor
Last Reviewed: 10/6/2005
Keywords:kbHotfixServer kbQFE kbfix kbprb kbQFE KB304212