I just ran across this document that explains the changes present in Vista’s driver verifier. Verifier is one of the Best Things Ever.
Thanks to Dan Mihai from Microsoft for pointing this out on the newsgroups.
Archive for October, 2006
Vista driver verifier enhancements
Tuesday, October 31st, 2006Keeping ExInterlocked* operations interlocked
Tuesday, October 31st, 2006To continue on yesterday’s discussion of interlocked lists, let’s explore the nature of the interlocking done by the ExInterlocked* APIs. The ExInterlockedRemoveHeadList documentation says the following about its spin lock argument:
You must use this spin lock only with the ExInterlockedXxxList routines.
The documentation page provides a hint as to why this is the case:
The ExInterlockedRemoveHeadList routine can be called at any IRQL.
The reason that this function can be called from any IRQL is that the function acquires the spin lock at the highest IRQL in the system. To understand why this is important, we have to examine another kind of race condition - priority inversion deadlocks.
Recall that the kernel operates on a prioritization scheme implemented using IRQLs. Normal tasks run as PASSIVE_LEVEL, drivers run at some higher IRQL (called DIRQL), and other tasks happen at various points in between. (See the DDK or any introductory driver book for more information on this.) Drivers typically acquire spin locks at DISPATCH_LEVEL, which is below all DIRQLs.
A priority inversion deadlock can happen if a driver acquires a spin lock at DISPATCH_LEVEL, and while holding that lock, is interrupted by hardware. An interrupt service routine is invoked on behalf of the hardware, and runs at DIRQL. If the ISR tries to acquire that same lock, a deadlock will occur: the ISR will spin forever, waiting for the driver to release the lock, but the driver is stuck suspended until the ISR returns.
With that in mind, let’s come back to the ExInterlocked* functions. Suppose you try to acquire the spin lock at DISPATCH_LEVEL (with KeAcquireSpinLock), perhaps for the purpose of removing an entry from the list. Suppose that your hardware interrupts in the middle of your operation, and your ISR lands on the same CPU you were just operating on. If you then call something like ExInterlockedInsertHeadList, you’ll deadlock. The lower-priority routine will own the lock, and the higher-priority routine will wait forever trying to acquire it.
The solution is to follow the documentation’s advice and always use that spin lock exclusively with ExInterlocked* routines. When you use ExInterlockedInsertHeadList from any routine (not just an ISR), it raises the IRQL to the highest IRQL possible on that CPU, which masks out everything else in your driver - even ISRs. This prevents the priority inversion.
For what it’s worth, the documentation used to say something like ExInterlocked routines are only interlocked with respect to each other
. The new wording says less but is much clearer in my opinion.
UPDATE: clarified wording to prevent deliberate mis-interpretation.
Get ready for more random crash bugs
Tuesday, October 31st, 2006For better or worse, Ars is reporting that Gateway will start selling factory-overclocked computers. They’re only overclocking the highest-end systems, and (surprisingly) they seem to be offering a full factory warranty.
Someone asked on one of the newsgroups the other day why overclocking matters. When you run a CPU out of spec, it can fail in various creative ways. There is a bucket for crashes of this type within Microsoft, and !analyze buckets obvious crashes as hardware errors as well. Raymond discusses this a bit more from Microsoft’s perspective.
As a driver guy, I am pretty opposed to this practice. It means that I’m going to wind up getting more crash dumps with difficult-to-debug problems. I put a lot of pressure on my team to not close bugs as INVALID or WORKSFORME, even if the bug is hard to repro or track down. This is obviously going to undermine that effort.
But, it was inevitable, and I’m sure Gateway will be rewarded for their innovation. 
Why is there no ExInterlockedRemoveEntryList?
Monday, October 30th, 2006A long time ago, I promised an entry on why there is no ExInterlockedRemoveEntryList function. If you search the NTDEV archives (or if you got to hear Peter Viscarola from OSR discuss it at one of the Driver DevCons a while back), you know that Microsoft left the function out intentionally due to its potential for misuse.
To understand why this is, consider one of the nice properties of a doubly-linked list: constant-time removal of an item from the middle, if you already know the item’s address. The list entries look something like this:
typedef struct _LIST_ENTRY
{
struct _LIST_ENTRY *Flink;
struct _LIST_ENTRY *Blink;
}
LIST_ENTRY, *PLIST_ENTRY;
To do a remove operation, you would simply point the next item (Flink) to the previous item (Blink) and vice-versa. No need to walk a long list of items. There’s even a macro to do this for you: RemoveEntryList.
This process is subject to an obvious race condition and another less obvious one. The obvious race is that two different threads could try to mutate the list simultaneously. The naïve solution is to wrap the removal in locks:
LockList(); // Spin lock, mutex, whatever... RemoveEntryList(item); UnlockList();
That does indeed prevent two threads from making simultaneous updates, but it misses another important problem: What if the entry you’re trying to remove is no longer on the list? What if another thread has just finished removing the same item, right before your call to LockList above? You certainly have no idea if the item’s neighbors are still valid after the item has been removed from the list, so you could easily trash the list.
The only safe way to do this is to ensure that the item is still a part of the list at the time you remove it. And the only safe way to do that is to walk the list from a point that you know will always be on the list, namely, from the head.
There are, of course, situations in which you can be sure, due to other semantics of the program in question, that your item really is still on the list. In those cases, the pattern above is safe.
But in other situations, you have to walk the entire list. This can be expensive, and has to be done under the protection of whatever lock you’re using. For a list with thousands of entries on it, you would want to avoid this whenever possible, and you should probably try to set up whatever extra bookkeeping you need to take advantage of O(1) removal. But, you don’t get that bookkeeping automatically, so that’s why there’s no ExInterlockedRemoveEntryList.
Downlevel support for Winsock Kernel
Monday, October 30th, 2006David Powell from the provided me with some insight about the possibility of downlevel support for WSK, now that TDI is being deprecated. He tells me that the WSK team has been getting lots of requests for Windows XP/2003 support lately, and that it’s high on our list of things to do as soon as we get Vista out
the door.
As for Windows 2000 support, my impression is that it is pretty unlikely. If this really matters to you, I’d encourage you to follow the link in my previous post to send the WSK team feedback. Such feedback has been effective before.
Back to the salt mines
Sunday, October 29th, 2006After a great week at Microsoft’s Redmond campus, it’s back to the Real World™ to do some actual work. Everyone at Microsoft was really helpful, and I owe thanks to lots of people for their help in making our trip as successful as it was.
First off, the compatibility lab was great. The team that runs the lab did a wonderful job of having everything there and together, and our access to technical resources was amazing. Highly worthwhile, if you’re considering it for yourself.
We got to spend some time hanging out with Eric Sassman, who is the MVP lead for both Ken and me, and we also spent a really fascinating lunch with Doron Holan and Eliyas Yakub, who were kind enough to let me pick their brains on software team management. We finished off by getting into a discussion about non-blocking algorithms and data structures in the kernel. I plan on writing more on both topics soon.
And finally, we got to spend some quality time with some of the guys from Leviathan Security Group and Metasploit. Lots to discuss there as well, as soon as I get time to do some writing.
I had a great time getting to know a lot of new people and catching up with old friends, and I learned a ton. Can’t wait for the next Driver DevCon!
Saturday night culture blogging
Saturday, October 28th, 2006It’s been a long time since I’ve written anything (this) irrelevant :-), and since today is Daylight Savings day in the US, I thought I’d use the extra hour to no good end.
I have probably over-blogged my addiction to Beethoven at this point, but my wife just pointed out this trailer for a movie entitled Copying Beethoven that looks fantastic. It doesn’t hurt that the background music in the trailer includes some of the best moments from the 9th Symphony, of course, but from what little I can tell from the trailer, it looks like they basically got the story right.
This is, for my money, one of the greatest stories ever told - depressed deaf composer writes what may be the greatest symphonic work in history to a triumphant reception, etc. - Hollywood could never come up with something this good. There are tons of little details in Beethoven’s life that make for a gripping story. Here’s hoping the movie is as good as the preview looks.
Speaking of movies, I’ve seen three good ones in a row, in the space of about a month. I had been in a major cinematic drought for a very long time (years?) with only a couple of exceptions (Gosh!), so this has been a refreshing month. In particular, I loved Marie Antoinette, who also lived an amazing life, both good and bad. This film has apparently gotten mixed reviews (I don’t spend much time reading film critics…), and it had its obvious problems, but I loved it. Worthwhile if you have any interest in the history of the French Revolution.
And, finally, we saw The Queen this evening. It deals with the life of Queen Elizabeth around the period of the death of Princess Diana. This one seems to be getting a better critical reception, but regardless, I also liked it quite a lot. I’m really curious to know how true it is - they’re going out on quite a limb in a few places by depicting what must have been undocumented private moments inside the Royal Family and the early Blair government. There is quite a slant to this move; I’m curious to know how it’s received in Britain and around the world. It also raises some very interesting Social Contract issues, but that’s a conversation for another day.
Microsoft differentiates Visual C++Standard from Express
Saturday, October 28th, 2006I’ve blogged a few times about how good of a value I think Visual C++ Express Edition is. Just last week, I was telling someone that there just aren’t that many compelling differences between Express and Standard (or really even Professional, for my taste), until you get to the Team System stuff (about which I know very little). In fact, he went with Standard just because of ATL, which has been removed from the Vista PSDK. (sigh…)
It turns out that Microsoft has finally added some differentiated features in the form of a new Visual Studio PowerToys pack. There are some great things in there: a source code outliner, support for inserting code snippets, indexed find (great idea!), and more. The only catch is that they don’t work on Express - you have to have Standard, Professional, or Team System.
This seems like a totally reasonable way to differentiate your build tools. My compliments to the product team. This beats the hell out of differentiating on important code security features.
TechCrunch on CarsDirect
Saturday, October 28th, 2006Mike Arrington confirms something I’ve always suspected: CarsDirect is a pretty good way to buy a new car. I’ve never gotten to use them because they haven’t had dealers in my area for the car I’ve wanted.
Joe Duffy on concurrency
Thursday, October 26th, 2006Joe Duffy, a PM on the CLR team, has a great article up about concurrency and reusable libraries. He’s been posting concurrency- and scalability-related articles for a while now. The article (and his blog in general) are worth checking out if you’re interested in that sort of thing.
In particular, he opens up with predictions of >100 core chips within 4 years, which will necessitate a major re-think in the way software is designed. I’ve been getting into arguments along these lines with everyone I meet this week, and I think I have almost convinced some of them. Anyway, more on that later.