[F12 partial + F55] hold IUnknown for client lifetime + diagnose RegisterEngine2 1722
**F12 partial improvement** (`mxaccess-rpc::IUnknownHolder` + `mxaccess-nmx`):
- New `IUnknownHolder` newtype that owns an MTA-resident COM proxy
with `unsafe impl Send + Sync`. Mirrors the .NET reference's
`ManagedNmxService2Client._activatedComObject` private field
(`cs:15`).
- New `activate_and_marshal_iunknown_objref(prog_id, ctx)` returns
`(Vec<u8>, IUnknownHolder)`. Existing
`marshal_activated_iunknown_objref` retained as a wrapper that
drops the holder (kept for inline-use callers).
- `NmxClient` gains an `activated_com_object: Option<IUnknownHolder>`
field, populated by `Self::create` from the new helper.
`Self::connect` / `Self::from_bound_transport` set it `None` (no
COM activation in those paths).
- Holding the IUnknown for the client's lifetime keeps the
SCM-tracked OXID valid; without it the COM ref count drops to
zero and the SCM may release the activated server-side instance,
making subsequent `ResolveOxid` / `RemQueryInterface` calls
return `RPC_S_SERVER_UNAVAILABLE`.
**F55 (new) — hand-rolled callback exporter rejected by RegisterEngine2**
Five-step instrumentation of `Session::connect_nmx_auto` proves all
six COM-activation / RemQI / final-bind steps succeed. The 1722
fault originates at `RegisterEngine2` itself:
```
from_nmx_client: callback hostname="DESKTOP-6JL3KKO" port=57886 obj_ref_len=162
from_nmx_client: callback obj_ref hex: 4d454f57010000...
from_nmx_client: RegisterEngine2 (31112, mxaccess.31112)
from_nmx_client: RegisterEngine2 FAIL: Transport(Fault { status: 2147944122 })
```
Status `0x800706BA` = `RPC_S_SERVER_UNAVAILABLE` wrapped as Win32
HRESULT.
**Critical finding: the .NET reference's `--probe-register-managed-callback`
(which uses the same hand-rolled `ManagedCallbackExporter` approach
as the Rust port) ALSO fails with the same `0x800706BA` fault.**
Only `--probe-session-write`, which uses
`ComObjRefProvider.MarshalInterfaceObjRef(callback, ...)` to build
the OBJREF via Windows DCOM proxy/stub marshalling, succeeds. So
this is an architectural artifact of the hand-rolled-callback
design, not a Rust port regression.
`design/followups.md` F55 entry documents the three resolution
paths (switch to DCOM-marshalled callback / hybrid / continue
investigating OBJREF rejection at NmxSvc).
F49 stays open with a refined diagnostic — the per-feature live
verification is gated on F55's resolution.
Workspace tests still 824 passing; clippy `-D warnings` clean
across both feature configurations.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Joseph Doherty
@@ -192,6 +192,17 @@ pub fn clsid_from_prog_id(prog_id: &str) -> Result<GUID, ProviderError> {
|
||||
/// the same default `Activator.CreateInstance` picks up via
|
||||
/// `Type.GetTypeFromProgID`.
|
||||
///
|
||||
/// **The activated `IUnknown` is dropped at the end of this call.** For
|
||||
/// most use cases that's a bug — when the COM ref count goes to zero
|
||||
/// the SCM may release the activated server-side instance, which makes
|
||||
/// the marshalled OXID invalid for subsequent RPC. Use
|
||||
/// [`activate_and_marshal_iunknown_objref`] instead and hold the
|
||||
/// returned [`IUnknownHolder`] for the lifetime of the consumer that
|
||||
/// uses the OBJREF (typically the lifetime of the client built from
|
||||
/// it). This function is retained for callers that consume the OBJREF
|
||||
/// inline (e.g. tests / probes that use the bytes immediately and
|
||||
/// don't care about the activated server-side lifetime).
|
||||
///
|
||||
/// # Errors
|
||||
///
|
||||
/// [`ProviderError::UnknownProgId`], [`ProviderError::ActivationFailed`],
|
||||
@@ -200,6 +211,33 @@ pub fn marshal_activated_iunknown_objref(
|
||||
prog_id: &str,
|
||||
destination_context: MarshalContext,
|
||||
) -> Result<Vec<u8>, ProviderError> {
|
||||
activate_and_marshal_iunknown_objref(prog_id, destination_context).map(|(blob, _holder)| blob)
|
||||
}
|
||||
|
||||
/// Activate a COM class by ProgID, marshal its `IUnknown`, and return
|
||||
/// **both** the OBJREF byte stream **and** an [`IUnknownHolder`] that
|
||||
/// keeps the activated server-side instance alive.
|
||||
///
|
||||
/// This is the .NET-reference-faithful path: `ManagedNmxService2Client`
|
||||
/// (`cs:15`) holds the activated COM object as a private field for the
|
||||
/// client's lifetime via `_activatedComObject`. The Rust port previously
|
||||
/// dropped the IUnknown right after marshalling, which let the SCM
|
||||
/// release the server-side instance and made subsequent
|
||||
/// `ResolveOxid`/`RemQueryInterface` calls return
|
||||
/// `RPC_S_SERVER_UNAVAILABLE` (1722). Holding the
|
||||
/// [`IUnknownHolder`] for the client's lifetime fixes that.
|
||||
///
|
||||
/// The OBJREF blob and the IUnknown both refer to the same activated
|
||||
/// server-side instance; keep them paired.
|
||||
///
|
||||
/// # Errors
|
||||
///
|
||||
/// [`ProviderError::UnknownProgId`], [`ProviderError::ActivationFailed`],
|
||||
/// [`ProviderError::MarshalFailed`], [`ProviderError::GlobalLockFailed`].
|
||||
pub fn activate_and_marshal_iunknown_objref(
|
||||
prog_id: &str,
|
||||
destination_context: MarshalContext,
|
||||
) -> Result<(Vec<u8>, IUnknownHolder), ProviderError> {
|
||||
ensure_apartment()?;
|
||||
let clsid = clsid_from_prog_id(prog_id)?;
|
||||
let activation_flags = CLSCTX_INPROC_SERVER | CLSCTX_LOCAL_SERVER | CLSCTX_REMOTE_SERVER;
|
||||
@@ -213,9 +251,39 @@ pub fn marshal_activated_iunknown_objref(
|
||||
hr: e.code().0 as u32,
|
||||
}
|
||||
})?;
|
||||
marshal_iunknown_objref(&unknown, destination_context)
|
||||
let blob = marshal_iunknown_objref(&unknown, destination_context)?;
|
||||
Ok((blob, IUnknownHolder { inner: unknown }))
|
||||
}
|
||||
|
||||
/// Owns a live `IUnknown` reference to a COM-activated server-side
|
||||
/// instance. Drop releases the reference (the COM proxy's `Release`
|
||||
/// runs, which decrements the server-side ref count and may trigger
|
||||
/// instance teardown when no other holders remain).
|
||||
///
|
||||
/// `Send + Sync` because the underlying COM proxy is registered in the
|
||||
/// MTA (`COINIT_MULTITHREADED` per [`ensure_apartment`]) and is
|
||||
/// therefore safe to invoke from any thread. SAFETY of the unsafe impls
|
||||
/// rests on this MTA invariant — callers must not transition the
|
||||
/// process apartment to STA after activating an [`IUnknownHolder`].
|
||||
pub struct IUnknownHolder {
|
||||
#[allow(dead_code)]
|
||||
inner: IUnknown,
|
||||
}
|
||||
|
||||
impl std::fmt::Debug for IUnknownHolder {
|
||||
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
|
||||
f.debug_struct("IUnknownHolder").finish_non_exhaustive()
|
||||
}
|
||||
}
|
||||
|
||||
// SAFETY: `IUnknownHolder` only ever wraps an MTA-resident COM proxy
|
||||
// (see `ensure_apartment` initialising `COINIT_MULTITHREADED`). MTA
|
||||
// proxies are thread-neutral by COM contract — calls can originate
|
||||
// from any thread without marshalling.
|
||||
unsafe impl Send for IUnknownHolder {}
|
||||
// SAFETY: same MTA-invariant rationale as `Send`.
|
||||
unsafe impl Sync for IUnknownHolder {}
|
||||
|
||||
/// Marshal an arbitrary `IUnknown` to an OBJREF byte stream. Mirrors
|
||||
/// `MarshalIUnknownObjRef` (`cs:32-35`), passing IID `IID_IUnknown`
|
||||
/// (`{00000000-0000-0000-C000-000000000046}`).
|
||||
|
||||
Reference in New Issue
Block a user