XADM: Information Store Access Violates When Freeing Memory for a Property Tag That Was Never Initialized

ID: Q192053


The information in this article applies to:


SYMPTOMS

During normal operation the Microsoft Exchange Information Store may terminate unexpectedly with an access violation. If the correct Windows NT and Exchange Server symbols are installed the resulting Dr. Watson log may have a stack dump similar to the following:


   function: RtlEnterCriticalSection
   77f67410 648b0d18000000   mov    ecx,fs:[00000018]          fs:00000018=????????
   77f67417 8b542404         mov    edx,[esp+0x4]              ss:35cfdd07=????????
   FAULT:
   77f6741b 837a1400         cmp    dword ptr [edx+0x14],0x0   ds:21531e85=????????
   77f6741f 754f             jnz    RtlEnterCriticalSection+0x60 (77f67470)
   77f67421 f0ff4204         lock   inc dword ptr [edx+0x4]    ds:21531e86=????????
   77f67425 7519             jnz    RtlEnterCriticalSection+0x30 (77f67440)
   77f67427 8b4124           mov    eax,[ecx+0x24]             ds:80e7ca06=????????
   77f6742a 89420c           mov    [edx+0xc],eax              ds:21531e85=????????
   77f6742d c7420801000000   mov    dword ptr [edx+0x8],0x1    ds:21531e85=????????
   77f67434 33c0             xor    eax,eax
   77f67436 c20400           ret    0x4
   77f67439 2e8bc0           mov    eax,cs:eax
   77f6743c 2e8bc0           mov    eax,cs:eax
   77f6743f 90               nop

*----> Stack Back Trace <----*

   FramePtr ReturnAd Param#1  Param#2  Param#3  Param#4  Function Name
   34ddf2fc 10002bb3 2061347f ffffffff 000002c1 00403648 ntdll!RtlEnterCriticalSection
   34ddf38c 100016ae 20613437 00000000 34ddf410 34ddf3e8 exchmem!_NULL_IMPORT_DESCRIPTOR
   34ddf3a0 00403b04 34ddf414 34ddf634 2c0f0c9c 00000000 exchmem!MpHeapValidate
   34ddf3b8 005b5d33 34ddf540 2c0f0c9c 020e0e7c 00000002 store!FreePrv
   34ddf42c 005b7538 00000002 34ddf62c 34ddf470 34ddf46c store!EcGetCategPrv
   34ddf4ec 005b7ef2 2d790ff8 00000000 00000000 00000002 store!EcBuildHeaderList
   34ddf5b4 005b88a8 2c0f0c9c 2d790ff8 00000000 00000000 store!EcModifyMidFromCateg
   34ddf69c 004c7c45 2cfe0c9c 020e0e74 00000000 020e0e7c store!EcCategorizeMessage
   34ddf6d8 0040d89c 020e0e74 020e0e7c 00000000 2ddd0fc8 store!EcProcessCategMessageEvent_1128ool_7571e
   34ddf6fc 0044cf9f 020e0e74 020e0e7c 00000000 2ddd0fc8 store!EcSearchMessageEvent
   34ddf79c 0044c599 00000000 00000000 34ddf7d0 00000000 store!RTFHTML::ScPopRTFToken
   34ddf80c 0056a3ce 00000000 00000061 00000000 00000000 store!OMSG::EcSaveChanges
   34ddf878 005a2b0f 0f0e0f54 020e0e3c 07750e3c 00000001 store!EcResolveMsgConflict
   34ddf924 005a2e79 34ddf944 07750e75 00004000 07750e3c store!OMSG::EcICSConflictCheck
   34ddf94c 004e6687 34ddf97c 34ddf978 00000000 00000021 store!OMSG::EcUpdateICSProps
   34ddf9b0 0045b747 00000004 00000061 00000000 00000000 store!OMSG::EcSaveChanges_9910gs_22p_14862091e
   34ddf9dc 0045b634 00000000 00000000 00000021 34ddfa1c store!EcSaveChangesMessageOp
   34ddfa20 004044ce 00000021 00000000 00000006 0021970a store!EcSaveChanges
   00000006 00000000 00000000 00000000 00000000 00000000 store!EcRpc [omap]


CAUSE

A message saved into a public folder replica does not contain a value for a specific property tag. When a user opens the message, modifies it, and tries to save it back to the public folder, the call to get the value of this property tag fails, so no memory is allocated for the value. The information store nevertheless tries to free that never-allocated block of memory, which causes the access violation and the termination of the Store.exe process.
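The coding pattern behind this cause, shown in isolation as an added C example that is not Exchange or Store.exe code: the property fetch, error codes, tag numbers and sample message are constructed stand-ins. The buggy save path frees a pointer that a failed fetch never set; the fixed path initializes the pointer to NULL so free() only ever sees a live allocation or NULL.

```c
#include <stdlib.h>
#include <string.h>
#define EC_OK        0
#define EC_NOT_FOUND 1   /* the message carries no value for this tag */
#define EC_NO_MEMORY 2

/* Constructed stand-in for a message: a list of (property tag, value) pairs. */
typedef struct { unsigned tag; const char *value; } Prop;

static const Prop kMsg[] = { { 0x0001, "subject" }, { 0x0002, "body" } };
#define KMSG_N (sizeof kMsg / sizeof kMsg[0])

/* Hypothetical property fetch. On success it allocates a copy of the value
 * and stores it in *out; on failure it returns an error code and leaves *out
 * untouched, exactly the behaviour that makes the caller's bug possible. */
static int ec_get_prop(const Prop *msg, size_t n, unsigned tag, char **out) {
    for (size_t i = 0; i < n; i++) {
        if (msg[i].tag != tag) continue;
        size_t len = strlen(msg[i].value) + 1;
        char *copy = malloc(len);
        if (!copy) return EC_NO_MEMORY;
        memcpy(copy, msg[i].value, len);
        *out = copy;
        return EC_OK;
    }
    return EC_NOT_FOUND;
}

/* Buggy save path: pv is never initialized and is freed regardless of the
 * fetch result. With an absent tag, free() receives an indeterminate pointer
 * and the heap code faults (undefined behaviour; only the present-tag case is
 * safe to run). */
static int save_buggy(const Prop *msg, size_t n, unsigned tag) {
    char *pv;
    int ec = ec_get_prop(msg, n, tag, &pv);
    free(pv);                 /* BUG: pv is garbage when ec != EC_OK */
    return ec;
}

/* Fixed save path: initialize the pointer, so free() only ever sees either a
 * live allocation or NULL (on which free() is a defined no-op). */
static int save_fixed(const Prop *msg, size_t n, unsigned tag) {
    char *pv = NULL;
    int ec = ec_get_prop(msg, n, tag, &pv);
    if (ec == EC_OK) {
        /* ... the value would be used here ... */
    }
    free(pv);                 /* safe on every path */
    return ec;
}
```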


RESOLUTION

To resolve this problem, obtain the latest service pack for Exchange Server version 5.5. For more information, please see the following article in the Microsoft Knowledge Base:

Q191014 XGEN: How to Obtain the Latest Exchange Server 5.5 Service Pack



STATUS

Microsoft has confirmed this to be a problem in Microsoft Exchange Server versions 5.0 and 5.5.

A supported fix is now available, but has not been fully regression-tested and should be applied only to systems experiencing this specific problem. Unless you are severely impacted by this specific problem, Microsoft recommends that you wait for the next service pack that contains this fix. Contact Microsoft Technical Support for more information.


Additional query words: crash hang GPF


Keywords          : exc55sp2fix 
Version           : WinNT:5.0,5.5
Platform          : winnt 
Issue type        : kbbug 

Last Reviewed: April 15, 1999