Memory corruption is a common driver problem. Driver errors can result in crashes long after they are made. The most common of these errors are accessing memory that has already been freed, and allocating n bytes and then accessing n+1.
When the Special Memory Pool action is used on graphics drivers, memory allocated by the EngAllocMem routine will be taken from a special pool. Driver Verifier will monitor that pool for any incorrect usage.
Two alignments of the special pool are available. The Verify End alignment is better at detecting access overruns, and the Verify Start alignment is better at detecting access underruns. (Note that the vast majority of memory corruptions are due to overruns, not underruns.)
When Special Memory Pool is active and Verify End has been selected, each memory allocation requested by the driver is placed on a separate page. The highest possible address that allows the allocation to fit on the page is returned, so that the memory is aligned with the end of the page. The previous portion of the page is written with special patterns. The previous page and the next page are marked inaccessible.
If the driver attempts to access memory after the end of the allocation, Driver Verifier will detect this immediately, and issue bug check 0xCD. If the driver writes in the memory prior to the beginning of the buffer, this will (presumably) alter the patterns. When the buffer is freed, Driver Verifier will detect the alteration and issue bug check 0xC1.
If the driver reads or writes to the buffer after freeing it, Driver Verifier will issue bug check 0xCC.
When Verify Start is selected, the memory buffer is aligned with the beginning of the page. With this setting, underruns cause an immediate bug check and overruns cause a bug check when the memory is freed. This option is otherwise identical to the Verify End option.
Verify End is the default alignment, as overrun errors are much more common in drivers than underrun errors.
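The Verify End layout described above can be modeled in user mode. The following is an added example, not Driver Verifier's code and not from the original page. It assumes a POSIX system with mmap/mprotect; the names `sp_alloc`, `sp_free` and `FILL` are hypothetical, and the fill byte is a constructed value. The model does no alignment rounding of the returned address.

```c
#define _DEFAULT_SOURCE 1
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define FILL 0xA5  /* constructed fill pattern, not the value Windows uses */

/* Hypothetical user-mode model of a "Verify End" special pool allocation:
 * [inaccessible page][pattern ... | allocation][inaccessible page] */
static void *sp_alloc(size_t n)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    if (n == 0 || n > pg) return NULL;       /* model: one page per allocation */
    uint8_t *base = mmap(NULL, 3 * pg, PROT_NONE,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return NULL;
    uint8_t *data = base + pg;               /* only the middle page is usable */
    if (mprotect(data, pg, PROT_READ | PROT_WRITE) != 0) { munmap(base, 3 * pg); return NULL; }
    memset(data, FILL, pg - n);              /* pattern before the buffer */
    return data + pg - n;                    /* buffer ends exactly at the page end */
}

/* Returns 0 if the pattern is intact, -1 if an underrun altered it. */
static int sp_free(void *p, size_t n)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    uint8_t *data = (uint8_t *)p + n - pg;   /* start of the usable page */
    int rc = 0;
    for (size_t i = 0; i < pg - n; i++)
        if (data[i] != FILL) { rc = -1; break; }
    munmap(data - pg, 3 * pg);               /* unmapped: stale pointer use now faults */
    return rc;
}

/* Runs a clean and an underrunning caller; returns 1 if only the second is flagged. */
static int demo(void)
{
    char *ok = sp_alloc(100);
    char *bad = sp_alloc(100);
    if (!ok || !bad) return 0;
    memset(ok, 0, 100);                      /* stays in bounds */
    bad[-1] = 0;                             /* underrun: lands in the pattern area */
    /* ok[100] = 0 would fault immediately: the next page is PROT_NONE */
    return sp_free(ok, 100) == 0 && sp_free(bad, 100) == -1;
}

int main(void) { return demo() ? 0 : 1; }
```

The overrun is caught at the moment of access by the page protection, while the underrun is only caught at free time by the pattern check, which mirrors the split between immediate and deferred bug checks in the text.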
There are two other ways to use the special pool: it can be used for all allocations that are marked with a specific pool tag, or for all allocations whose size is within a specific size range. These uses of special pool are controlled through the Global Flags utility, not Driver Verifier. For details, see Using the Global Flags Utility.
It is permissible to request special pools through Driver Verifier and the Global Flags utility at the same time. In this case, Windows will attempt to use the special pool for all allocations indicated by Driver Verifier and all allocations indicated by the Global Flags utility.
Each allocation from the special pool uses one page of nonpageable memory and two pages of virtual address space. If the pool is exhausted, memory is allocated in the standard way until the special pool becomes available again. Thus it is not recommended that multiple drivers be verified at the same time if Special Memory Pool is in effect.
A single driver that makes a large number of small memory requests can also deplete this pool. If this is occurring, it may be preferable to assign pool tags to the driver's memory allocations and dedicate the special pool to one pool tag at a time.
The size of the special pool increases with the amount of physical memory on the system; ideally this should be at least 1 GB. On x86 machines, booting without the /3GB switch is also preferred, as virtual (in addition to physical) space is consumed. Increasing the pagefile minimum/maximum quantities (by a factor of two or three) is also a good idea.
To be sure that all of a driver's allocations are being tested, stressing the driver over long periods of time is recommended.
The Special Memory Pool option can be activated for one or more drivers by using the Driver Verifier Manager graphical interface or the verifier.exe command line. This activation will take effect after the next boot. See Selecting Driver Verifier Options for details.
This option can also be turned on and off without an intervening reboot. See Using Volatile Settings for details.
Activating the Special Memory Pool by pool tag or allocation size is done by using the Global Flags utility. This utility is also used to set the Verify Start and Verify End alignments — these alignment settings apply to all special pool allocations.
See Special Memory Pool for details on how this option affects other kernel-mode drivers.