[F12 partial + F55] hold IUnknown for client lifetime + diagnose RegisterEngine2 1722
rust / build / test / clippy / fmt (push) Has been cancelled
rust / cargo public-api drift check (F41) (push) Has been cancelled

**F12 partial improvement** (`mxaccess-rpc::IUnknownHolder` + `mxaccess-nmx`):

- New `IUnknownHolder` newtype that owns an MTA-resident COM proxy
  with `unsafe impl Send + Sync`. Mirrors the .NET reference's
  `ManagedNmxService2Client._activatedComObject` private field
  (`cs:15`).
- New `activate_and_marshal_iunknown_objref(prog_id, ctx)` returns
  `(Vec<u8>, IUnknownHolder)`. Existing
  `marshal_activated_iunknown_objref` retained as a wrapper that
  drops the holder (kept for inline-use callers).
- `NmxClient` gains an `activated_com_object: Option<IUnknownHolder>`
  field, populated by `Self::create` from the new helper.
  `Self::connect` / `Self::from_bound_transport` set it `None` (no
  COM activation in those paths).
- Holding the IUnknown for the client's lifetime keeps the
  SCM-tracked OXID valid; without it the COM ref count drops to
  zero and the SCM may release the activated server-side instance,
  making subsequent `ResolveOxid` / `RemQueryInterface` calls
  return `RPC_S_SERVER_UNAVAILABLE`.

**F55 (new) — hand-rolled callback exporter rejected by RegisterEngine2**

Five-step instrumentation of `Session::connect_nmx_auto` proves all
six COM-activation / RemQI / final-bind steps succeed. The 1722
fault originates at `RegisterEngine2` itself:

```
from_nmx_client: callback hostname="DESKTOP-6JL3KKO" port=57886 obj_ref_len=162
from_nmx_client: callback obj_ref hex: 4d454f57010000...
from_nmx_client: RegisterEngine2 (31112, mxaccess.31112)
from_nmx_client: RegisterEngine2 FAIL: Transport(Fault { status: 2147944122 })
```

Status `0x800706BA` = `RPC_S_SERVER_UNAVAILABLE` wrapped as Win32
HRESULT.

**Critical finding: the .NET reference's `--probe-register-managed-callback`
(which uses the same hand-rolled `ManagedCallbackExporter` approach
as the Rust port) ALSO fails with the same `0x800706BA` fault.**
Only `--probe-session-write`, which uses
`ComObjRefProvider.MarshalInterfaceObjRef(callback, ...)` to build
the OBJREF via Windows DCOM proxy/stub marshalling, succeeds. So
this is an architectural artifact of the hand-rolled-callback
design, not a Rust port regression.

`design/followups.md` F55 entry documents the three resolution
paths (switch to DCOM-marshalled callback / hybrid / continue
investigating OBJREF rejection at NmxSvc).

F49 stays open with a refined diagnostic — the per-feature live
verification is gated on F55's resolution.

Workspace tests still 824 passing; clippy `-D warnings` clean
across both feature configurations.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Joseph Doherty
2026-05-06 08:50:30 -04:00
parent e5b31fadb1
commit c5d611d6fa
4 changed files with 143 additions and 9 deletions
+32 -4
@@ -169,6 +169,20 @@ pub struct NmxClient {
/// the call to the right per-engine `INmxService2` instance
/// (`ManagedNmxService2Client.cs:74,486-488`).
service_ipid: Guid,
/// Holder for the activated COM `IUnknown` proxy when this client
/// was built via [`Self::create`]. Mirrors the .NET reference's
/// `private readonly object _activatedComObject` field at
/// `ManagedNmxService2Client.cs:15`. Holding the IUnknown for the
/// client's lifetime keeps the SCM-tracked OXID valid; without it,
/// subsequent `ResolveOxid` / `RemQueryInterface` calls hit
/// `RPC_S_SERVER_UNAVAILABLE` (1722) once the server-side
/// activated instance is released. `None` for clients built via
/// [`Self::connect`] / [`Self::from_bound_transport`] — those
/// paths get the OBJREF / IPID out-of-band so they don't own the
/// COM activation lifetime.
#[cfg(all(windows, feature = "windows-com"))]
#[allow(dead_code)] // held only for Drop side-effect (release server-side ref)
activated_com_object: Option<mxaccess_rpc::com_objref_provider::IUnknownHolder>,
}
impl NmxClient {
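Review bot: the teardown order is left implicit by where `activated_com_object` sits in `NmxClient`. Rust drops struct fields in declaration order, so as the last field the holder is released only after every other field, including `transport`, has been dropped. If that order is intended, state it in the doc comment so a later field reorder does not silently change it; if the COM reference should be released first, move the field or add an explicit `Drop` impl. A leading-underscore field name would also make the `#[allow(dead_code)]` unnecessary.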
@@ -198,6 +212,8 @@ impl NmxClient {
Ok(Self {
transport,
service_ipid,
#[cfg(all(windows, feature = "windows-com"))]
activated_com_object: None,
})
}
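Review bot: the predicate `#[cfg(all(windows, feature = "windows-com"))]` on this struct-literal field has to stay identical to the one on the field declaration, and it is now repeated in every constructor. A mismatch after a future feature rename fails only on the affected target, so consider a private constructor helper that fills the field in one place, leaving `connect` and `from_bound_transport` free of the attribute.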
@@ -248,7 +264,7 @@ impl NmxClient {
mut ntlm_factory: impl FnMut() -> NtlmClientContext,
) -> Result<Self, NmxClientError> {
use mxaccess_rpc::com_objref_provider::{
marshal_activated_iunknown_objref, MarshalContext,
activate_and_marshal_iunknown_objref, MarshalContext,
};
use mxaccess_rpc::object_exporter::PROTSEQ_NCACN_IP_TCP;
use mxaccess_rpc::object_exporter_client::{
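Review bot: the imported `activate_and_marshal_iunknown_objref` differs from the retained `marshal_activated_iunknown_objref` only in word order, and per the commit message the retained wrapper drops the holder. Picking the wrong one compiles cleanly and reintroduces the lifetime problem this change addresses, so either mark the wrapper `#[deprecated]` with a pointer to the new function or give the two names a clearer distinction.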
@@ -261,7 +277,13 @@ impl NmxClient {
};
// Step 1+2: Activate NmxSvc.NmxService and parse OBJREF.
let blob = marshal_activated_iunknown_objref(
// Hold the IUnknown for the lifetime of the returned client —
// mirrors `ManagedNmxService2Client._activatedComObject`
// (`cs:15`). Without this hold, the COM ref count drops to
// zero, the SCM releases the server-side instance, and the
// ResolveOxid step below returns RPC_S_SERVER_UNAVAILABLE
// (1722). See `IUnknownHolder` doc.
let (blob, activated_holder) = activate_and_marshal_iunknown_objref(
"NmxSvc.NmxService",
MarshalContext::DifferentMachine,
)?;
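Review bot: the new comment above `activate_and_marshal_iunknown_objref` states as fact that without the hold "the ResolveOxid step below returns RPC_S_SERVER_UNAVAILABLE", while the commit message says only that the SCM may release the instance and reports that the 1722 fault was traced to `RegisterEngine2`. Reword it to "may return" so the comment does not claim more than the diagnosis supports. Also write out `ManagedNmxService2Client.cs:15` instead of `(cs:15)`, as the struct doc comment does.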
@@ -367,8 +389,12 @@ impl NmxClient {
// for the same reason — the IRemUnknown bind is single-use.
drop(rem_qi_client);
// Step 6: Final transport bound to INmxService2.
Self::connect(svc_addr, service_ipid, ntlm_factory()).await
// Step 6: Final transport bound to INmxService2. Attach the
// `IUnknownHolder` so the COM ref stays alive for the
// client's lifetime.
let mut client = Self::connect(svc_addr, service_ipid, ntlm_factory()).await?;
client.activated_com_object = Some(activated_holder);
Ok(client)
}
/// Construct from an already-bound transport. Useful when a caller
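Review bot: `activated_holder` is now live across `Self::connect(...).await` and then moved into the client, so the future returned by `create` is `Send` only because of the `unsafe impl Send + Sync` on `IUnknownHolder`, and the eventual release runs on whichever thread drops the client. Please add a `// SAFETY:` comment on that impl explaining why an MTA-resident proxy may be released from any thread, and confirm that the threads which can drop `NmxClient` are ones where that release is valid. A test that drops the client from a different thread than the one that called `create` would pin this down.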
@@ -379,6 +405,8 @@ impl NmxClient {
Self {
transport,
service_ipid,
#[cfg(all(windows, feature = "windows-com"))]
activated_com_object: None,
}
}
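Review bot: `from_bound_transport` hardcodes `activated_com_object: None`, so a caller that performed COM activation itself and then hands over a bound transport has no way to tie the holder to the client. If that use is supported, document on this constructor that the caller must keep its own `IUnknownHolder` alive for as long as the client is used, or accept an optional holder parameter.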