"HCK Test Issues : Fuzz Misc API test"

NTDEV
1

Hello,

I have been testing a USB driver which does generic read/write operations
with some simple internal logic. It is more like a VCP driver. But have
some vendor specific tweaks.

I came across DF - Fuzz Misc API test (Certification). There the test just
hangs. The test computer just waits, i assume infinitely.

I need to debug this thing and I would be glad if someone point me out the
best way to debug an issue like this. Is it through Windbd? or anything
else?

I read that this test uses ZwReadFile / ZwWriteFile APIs for the test. Is
there any special way that we need to handle these in the driver or is it
the same as EvtIoRead and EvtIoWrite?

Thank you

-Pradeepa

2

WinDbg is your best bet, you can either debug this via a live kernel debug
connection or by generating a kernel or full memory dump after the hang
(http://msdn.microsoft.com/en-us/library/windows/hardware/ff545499(v=vs.85).aspx)

Once you have the ability to look at the kernel state during the hang, first
thing to do is check the WDF Log for your driver with !wdflogdump. You can
also look at whatever the test processes are with !process and see if there
are any I/Os outstanding.

No, you don’t need to do anything special in the driver. Either your device
is hanging or you have a bug in your code.

-scott
OSR
@OSRDrivers

“Pradeepa Senanayake” wrote in message
news:xxxxx@ntdev…
Hello,

I have been testing a USB driver which does generic read/write operations
with some simple internal logic. It is more like a VCP driver. But have some
vendor specific tweaks.

I came across DF - Fuzz Misc API test (Certification). There the test just
hangs. The test computer just waits, i assume infinitely.

I need to debug this thing and I would be glad if someone point me out the
best way to debug an issue like this. Is it through Windbd? or anything
else?

I read that this test uses ZwReadFile / ZwWriteFile APIs for the test. Is
there any special way that we need to handle these in the driver or is it
the same as EvtIoRead and EvtIoWrite?

Thank you

-Pradeepa

3

Pradeepa Senanayake wrote:

I have been testing a USB driver which does generic read/write
operations with some simple internal logic. It is more like a VCP
driver. But have some vendor specific tweaks.

Is this a KMDF driver or a WDM driver?

I came across DF - Fuzz Misc API test (Certification). There the test
just hangs. The test computer just waits, i assume infinitely.

The “fuzz” tests send various random requests, in an attempt to find
vulnerabilities in your driver. Do you have any paths where you keep a
request somewhere that it cannot be canceled?

I need to debug this thing and I would be glad if someone point me out
the best way to debug an issue like this. Is it through Windbd? or
anything else?

I read that this test uses ZwReadFile / ZwWriteFile APIs for the test.
Is there any special way that we need to handle these in the driver or
is it the same as EvtIoRead and EvtIoWrite?

Have you look at any traces at all to see what is being submitted?


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

4

Reply is inline.

Pradeepa Senanayake wrote:
>
> I have been testing a USB driver which does generic read/write
> operations with some simple internal logic. It is more like a VCP
> driver. But have some vendor specific tweaks.

Is this a KMDF driver or a WDM driver?

The driver is a KMDF driver.

> I came across DF - Fuzz Misc API test (Certification). There the test
> just hangs. The test computer just waits, i assume infinitely.

The “fuzz” tests send various random requests, in an attempt to find
vulnerabilities in your driver. Do you have any paths where you keep a
request somewhere that it cannot be canceled?

I have reviewed my code again. I still did not find such logic issues. I
will go through it again and see.

> I need to debug this thing and I would be glad if someone point me out
> the best way to debug an issue like this. Is it through Windbd? or
> anything else?
>
> I read that this test uses ZwReadFile / ZwWriteFile APIs for the test.
> Is there any special way that we need to handle these in the driver or
> is it the same as EvtIoRead and EvtIoWrite?

Have you look at any traces at all to see what is being submitted?

This is what I want to do. I want to know how. I want to see what is in the
stack to see what are the functions being called. I installed WinDbg on the
Test-PC. When the test hangs still the PC is responsive. Can I break into
the kernel and see what is happening at this point?


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

NTDEV is sponsored by OSR

Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev

OSR is HIRING!! See http://www.osr.com/careers

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

5

Reply is inline.

WinDbg is your best bet, you can either debug this via a live kernel debug

connection or by generating a kernel or full memory dump after the hang (
http://msdn.microsoft.com/en-us/library/windows/hardware/
ff545499(v=vs.85).aspx)

Once you have the ability to look at the kernel state during the hang,
first thing to do is check the WDF Log for your driver with !wdflogdump.
You can also look at whatever the test processes are with !process and see
if there are any I/Os outstanding.

If I force the system to goto a bug-check I need to have another PC
connected to connect using WinDbg i think. Instead of that can’t I use
Local Kernel-Mode debugging (
http://msdn.microsoft.com/en-us/library/windows/hardware/ff553382(v=vs.85).aspx)
to tackle the issue?

No, you don’t need to do anything special in the driver. Either your
device is hanging or you have a bug in your code.

I’m checking my code again for any issues. Thanks.

-scott
OSR
@OSRDrivers

“Pradeepa Senanayake” wrote in message
> news:xxxxx@ntdev…
>
> Hello,
>
> I have been testing a USB driver which does generic read/write operations
> with some simple internal logic. It is more like a VCP driver. But have
> some vendor specific tweaks.
>
> I came across DF - Fuzz Misc API test (Certification). There the test just
> hangs. The test computer just waits, i assume infinitely.
>
> I need to debug this thing and I would be glad if someone point me out the
> best way to debug an issue like this. Is it through Windbd? or anything
> else?
>
> I read that this test uses ZwReadFile / ZwWriteFile APIs for the test. Is
> there any special way that we need to handle these in the driver or is it
> the same as EvtIoRead and EvtIoWrite?
>
> Thank you
>
> -Pradeepa
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
>
> OSR is HIRING!! See http://www.osr.com/careers
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

6

Hello,

I ran “Diagnosability - Tracing Jobs - WDTF - Start WDTF trace collection”
test to collect the traces. But when I format it using the "Diagnosability

  • Tracing Jobs - WDTF - Format collected WDTF traces" I get some garbage
    data. It looks like the symbols are missing.

Ex:

Unknown( 10): GUID=e7bdcccc-93fe-4473-e61b-156c0ff8a62c (No Format
Information found).
Unknown( 10): GUID=f30e6168-3301-596a-f698-d496b7810335 (No Format
Information found).
Unknown( 14): GUID=1d2208dc-70c5-aa58-c0f9-888bc11fadd2 (No Format
Information found).
Unknown( 15): GUID=1d2208dc-70c5-aa58-c0f9-888bc11fadd2 (No Format
Information found).
Unknown( 11): GUID=f30e6168-3301-596a-f698-d496b7810335 (No Format
Information found).

I don’t know how to fix it. My test PC does not have internet connectivity
too.

-Pradeepa

On Tue, Sep 23, 2014 at 10:43 AM, Pradeepa Senanayake <
xxxxx@gmail.com> wrote:

Reply is inline.

WinDbg is your best bet, you can either debug this via a live kernel debug
> connection or by generating a kernel or full memory dump after the hang (
> http://msdn.microsoft.com/en-us/library/windows/hardware/
> ff545499(v=vs.85).aspx)
>
> Once you have the ability to look at the kernel state during the hang,
> first thing to do is check the WDF Log for your driver with !wdflogdump.
> You can also look at whatever the test processes are with !process and see
> if there are any I/Os outstanding.
>
>
If I force the system to goto a bug-check I need to have another PC
connected to connect using WinDbg i think. Instead of that can’t I use
Local Kernel-Mode debugging (
http://msdn.microsoft.com/en-us/library/windows/hardware/ff553382(v=vs.85).aspx)
to tackle the issue?

> [quote]
> I read that this test uses ZwReadFile / ZwWriteFile APIs for the test. Is
> there any special way that we need to handle these in the driver or is it
> the same as EvtIoRead and EvtIoWrite?
> [/quote]
>
> No, you don’t need to do anything special in the driver. Either your
> device is hanging or you have a bug in your code.
>
>
I’m checking my code again for any issues. Thanks.

> -scott
> OSR
> @OSRDrivers
>
>
> “Pradeepa Senanayake” wrote in message
>> news:xxxxx@ntdev…
>>
>> Hello,
>>
>> I have been testing a USB driver which does generic read/write operations
>> with some simple internal logic. It is more like a VCP driver. But have
>> some vendor specific tweaks.
>>
>> I came across DF - Fuzz Misc API test (Certification). There the test
>> just hangs. The test computer just waits, i assume infinitely.
>>
>> I need to debug this thing and I would be glad if someone point me out
>> the best way to debug an issue like this. Is it through Windbd? or anything
>> else?
>>
>> I read that this test uses ZwReadFile / ZwWriteFile APIs for the test. Is
>> there any special way that we need to handle these in the driver or is it
>> the same as EvtIoRead and EvtIoWrite?
>>
>> Thank you
>>
>> -Pradeepa
>>
>> —
>> NTDEV is sponsored by OSR
>>
>> Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
>>
>> OSR is HIRING!! See http://www.osr.com/careers
>>
>> For our schedule of WDF, WDM, debugging and other seminars visit:
>> http://www.osr.com/seminars
>>
>> To unsubscribe, visit the List Server section of OSR Online at
>> http://www.osronline.com/page.cfm?name=ListServer
>>
>
>

7

I?ve found local kernel debugging mostly worthless.

You are debugging a system hang, right, you will not be able to even access a local kernel debugger on a hung system. You absolutely require two systems, connected by a supported transport.

Jan

On Sep 22, 2014, at 10:13 PM, Pradeepa Senanayake > wrote:

Reply is inline.

WinDbg is your best bet, you can either debug this via a live kernel debug connection or by generating a kernel or full memory dump after the hang (http://msdn.microsoft.com/en-us/library/windows/hardware/ff545499(v=vs.85).aspx)

Once you have the ability to look at the kernel state during the hang, first thing to do is check the WDF Log for your driver with !wdflogdump. You can also look at whatever the test processes are with !process and see if there are any I/Os outstanding.

If I force the system to goto a bug-check I need to have another PC connected to connect using WinDbg i think. Instead of that can’t I use Local Kernel-Mode debugging (http://msdn.microsoft.com/en-us/library/windows/hardware/ff553382(v=vs.85).aspx) to tackle the issue?



No, you don’t need to do anything special in the driver. Either your device is hanging or you have a bug in your code.

I’m checking my code again for any issues. Thanks.

-scott
OSR
@OSRDrivers

“Pradeepa Senanayake” > wrote in message news:xxxxx@ntdev…

Hello,

I have been testing a USB driver which does generic read/write operations with some simple internal logic. It is more like a VCP driver. But have some vendor specific tweaks.

I came across DF - Fuzz Misc API test (Certification). There the test just hangs. The test computer just waits, i assume infinitely.

I need to debug this thing and I would be glad if someone point me out the best way to debug an issue like this. Is it through Windbd? or anything else?

I read that this test uses ZwReadFile / ZwWriteFile APIs for the test. Is there any special way that we need to handle these in the driver or is it the same as EvtIoRead and EvtIoWrite?

Thank you

-Pradeepa


NTDEV is sponsored by OSR

Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev

OSR is HIRING!! See http://www.osr.com/careers

For our schedule of WDF, WDM, debugging and other seminars visit: http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

— NTDEV is sponsored by OSR Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev OSR is HIRING!! See http://www.osr.com/careers For our schedule of WDF, WDM, debugging and other seminars visit: http://www.osr.com/seminars To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

8

It’s not a system hang. The test just stays there without proceeding. The
system is responsive.

-Pradeepa

On Tue, Sep 23, 2014 at 12:39 PM, Jan Bottorff
wrote:

> I’ve found local kernel debugging mostly worthless.
>
> You are debugging a system hang, right, you will not be able to even
> access a local kernel debugger on a hung system. You absolutely require two
> systems, connected by a supported transport.
>
> Jan
>
> On Sep 22, 2014, at 10:13 PM, Pradeepa Senanayake <
> xxxxx@gmail.com> wrote:
>
> Reply is inline.
>
> WinDbg is your best bet, you can either debug this via a live kernel
>> debug connection or by generating a kernel or full memory dump after the
>> hang (http://msdn.microsoft.com/en-us/library/windows/hardware/
>> ff545499(v=vs.85).aspx)
>>
>> Once you have the ability to look at the kernel state during the hang,
>> first thing to do is check the WDF Log for your driver with !wdflogdump.
>> You can also look at whatever the test processes are with !process and see
>> if there are any I/Os outstanding.
>>
>>
> If I force the system to goto a bug-check I need to have another PC
> connected to connect using WinDbg i think. Instead of that can’t I use
> Local Kernel-Mode debugging (
> http://msdn.microsoft.com/en-us/library/windows/hardware/ff553382(v=vs.85).aspx)
> to tackle the issue?
>
>
>
>>


>>
>> No, you don’t need to do anything special in the driver. Either your
>> device is hanging or you have a bug in your code.
>>
>>
> I’m checking my code again for any issues. Thanks.
>
>
>> -scott
>> OSR
>> @OSRDrivers
>>
>>
>> “Pradeepa Senanayake” wrote in message
>> news:xxxxx@ntdev…
>>
>> Hello,
>>
>> I have been testing a USB driver which does generic read/write operations
>> with some simple internal logic. It is more like a VCP driver. But have
>> some vendor specific tweaks.
>>
>> I came across DF - Fuzz Misc API test (Certification). There the test
>> just hangs. The test computer just waits, i assume infinitely.
>>
>> I need to debug this thing and I would be glad if someone point me out
>> the best way to debug an issue like this. Is it through Windbd? or anything
>> else?
>>
>> I read that this test uses ZwReadFile / ZwWriteFile APIs for the test. Is
>> there any special way that we need to handle these in the driver or is it
>> the same as EvtIoRead and EvtIoWrite?
>>
>> Thank you
>>
>> -Pradeepa
>>
>> —
>> NTDEV is sponsored by OSR
>>
>> Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
>>
>> OSR is HIRING!! See http://www.osr.com/careers
>>
>> For our schedule of WDF, WDM, debugging and other seminars visit:
>> http://www.osr.com/seminars
>>
>> To unsubscribe, visit the List Server section of OSR Online at
>> http://www.osronline.com/page.cfm?name=ListServer
>>
>
> — NTDEV is sponsored by OSR Visit the list at:
> http://www.osronline.com/showlists.cfm?list=ntdev OSR is HIRING!! See
> http://www.osr.com/careers For our schedule of WDF, WDM, debugging and
> other seminars visit: http://www.osr.com/seminars To unsubscribe, visit
> the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
>
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
>
> OSR is HIRING!! See http://www.osr.com/careers
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

9

You need to format the trace data using Trace Message Format (TMF) files.
I’ve never personally used these traces, but there are some instructions on
MSDN:

http://msdn.microsoft.com/en-us/library/windows/hardware/dn293726.aspx

-scott
OSR
@OSRDrivers

“Pradeepa Senanayake” wrote in message
news:xxxxx@ntdev…
Hello,

I ran “Diagnosability - Tracing Jobs - WDTF - Start WDTF trace collection”
test to collect the traces. But when I format it using the “Diagnosability -
Tracing Jobs - WDTF - Format collected WDTF traces” I get some garbage data.
It looks like the symbols are missing.

Ex:

Unknown( 10): GUID=e7bdcccc-93fe-4473-e61b-156c0ff8a62c (No Format
Information found).
Unknown( 10): GUID=f30e6168-3301-596a-f698-d496b7810335 (No Format
Information found).
Unknown( 14): GUID=1d2208dc-70c5-aa58-c0f9-888bc11fadd2 (No Format
Information found).
Unknown( 15): GUID=1d2208dc-70c5-aa58-c0f9-888bc11fadd2 (No Format
Information found).
Unknown( 11): GUID=f30e6168-3301-596a-f698-d496b7810335 (No Format
Information found).

I don’t know how to fix it. My test PC does not have internet connectivity
too.

-Pradeepa

On Tue, Sep 23, 2014 at 10:43 AM, Pradeepa Senanayake
wrote:

Reply is inline.

WinDbg is your best bet, you can either debug this via a live kernel debug
connection or by generating a kernel or full memory dump after the hang
(http://msdn.microsoft.com/en-us/library/windows/hardware/ff545499(v=vs.85).aspx)

Once you have the ability to look at the kernel state during the hang, first
thing to do is check the WDF Log for your driver with !wdflogdump. You can
also look at whatever the test processes are with !process and see if there
are any I/Os outstanding.

If I force the system to goto a bug-check I need to have another PC
connected to connect using WinDbg i think. Instead of that can’t I use Local
Kernel-Mode debugging
(http://msdn.microsoft.com/en-us/library/windows/hardware/ff553382(v=vs.85).aspx)
to tackle the issue?



No, you don’t need to do anything special in the driver. Either your device
is hanging or you have a bug in your code.

I’m checking my code again for any issues. Thanks.

-scott
OSR
@OSRDrivers

“Pradeepa Senanayake” wrote in message
news:xxxxx@ntdev…

Hello,

I have been testing a USB driver which does generic read/write operations
with some simple internal logic. It is more like a VCP driver. But have some
vendor specific tweaks.

I came across DF - Fuzz Misc API test (Certification). There the test just
hangs. The test computer just waits, i assume infinitely.

I need to debug this thing and I would be glad if someone point me out the
best way to debug an issue like this. Is it through Windbd? or anything
else?

I read that this test uses ZwReadFile / ZwWriteFile APIs for the test. Is
there any special way that we need to handle these in the driver or is it
the same as EvtIoRead and EvtIoWrite?

Thank you

-Pradeepa


NTDEV is sponsored by OSR

Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev

OSR is HIRING!! See http://www.osr.com/careers

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

10

LiveKD is a bit more useful than Local KD, you might be able to diagnose the
hang with it:

http://technet.microsoft.com/en-us/sysinternals/bb897415.aspx

Best bet is always a two machine kernel debug session though.

-scott
OSR
@OSRDrivers

“Pradeepa Senanayake” wrote in message
news:xxxxx@ntdev…
It’s not a system hang. The test just stays there without proceeding. The
system is responsive.

-Pradeepa

On Tue, Sep 23, 2014 at 12:39 PM, Jan Bottorff
wrote:

I’ve found local kernel debugging mostly worthless.

You are debugging a system hang, right, you will not be able to even access
a local kernel debugger on a hung system. You absolutely require two
systems, connected by a supported transport.

Jan

On Sep 22, 2014, at 10:13 PM, Pradeepa Senanayake
wrote:

Reply is inline.

WinDbg is your best bet, you can either debug this via a live kernel debug
connection or by generating a kernel or full memory dump after the hang
(http://msdn.microsoft.com/en-us/library/windows/hardware/ff545499(v=vs.85).aspx)

Once you have the ability to look at the kernel state during the hang, first
thing to do is check the WDF Log for your driver with !wdflogdump. You can
also look at whatever the test processes are with !process and see if there
are any I/Os outstanding.

If I force the system to goto a bug-check I need to have another PC
connected to connect using WinDbg i think. Instead of that can’t I use Local
Kernel-Mode debugging
(http://msdn.microsoft.com/en-us/library/windows/hardware/ff553382(v=vs.85).aspx)
to tackle the issue?



No, you don’t need to do anything special in the driver. Either your device
is hanging or you have a bug in your code.

I’m checking my code again for any issues. Thanks.

-scott
OSR
@OSRDrivers

“Pradeepa Senanayake” wrote in message
news:xxxxx@ntdev…

Hello,

I have been testing a USB driver which does generic read/write operations
with some simple internal logic. It is more like a VCP driver. But have some
vendor specific tweaks.

I came across DF - Fuzz Misc API test (Certification). There the test just
hangs. The test computer just waits, i assume infinitely.

I need to debug this thing and I would be glad if someone point me out the
best way to debug an issue like this. Is it through Windbd? or anything
else?

I read that this test uses ZwReadFile / ZwWriteFile APIs for the test. Is
there any special way that we need to handle these in the driver or is it
the same as EvtIoRead and EvtIoWrite?

Thank you

-Pradeepa


NTDEV is sponsored by OSR

Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev

OSR is HIRING!! See http://www.osr.com/careers

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

— NTDEV is sponsored by OSR Visit the list at:
http://www.osronline.com/showlists.cfm?list=ntdev OSR is HIRING!! See
http://www.osr.com/careers For our schedule of WDF, WDM, debugging and other
seminars visit: http://www.osr.com/seminars To unsubscribe, visit the List
Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer


NTDEV is sponsored by OSR

Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev

OSR is HIRING!! See http://www.osr.com/careers

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

11

Pradeepa Senanayake [xxxxx@gmail.com] wrote:

>Have you look at any traces at all to see what is being submitted?

This is what I want to do. I want to know how. I want to see what is in the stack to see what are the functions being called. I installed WinDbg on the Test-PC. When the test hangs still the PC is responsive. Can I break into the kernel and see what is happening at this point?

How? You do it like this:
KdPrint(( FUNCTION " was called.\n" ));

Then you watch the results, either in dbgview or with the local KD.

Tim Roberts, xxxxx@probo.commailto:xxxxx
Providenza & Boekelheide, Inc.</mailto:xxxxx>

12

Hello,

I have installed the DbgView tool and checked the traces. But not that
useful. In my ‘EvtIoRead’ function I pass the Request to the lower level
using Asynchronous method with a completion callback. I did two tests there,

Test 1:

Without doing anything in the driver, as soon as I got the request to the
‘EvtIoRead’ function I completed it.
Then the DF - Fuzz Misc API test was successful.
So I concluded that the Read-Completion-Callback is the one which does
something which corrupts the Request.

Test 2:

I added the ‘WdfRequestCompleteWithInformation(Request, status, 0)’
function call to the start of the Read-Completion-Callback and avoided all
the logic in the driver. I ran the test once and it was successful. Then I
ran it again just to be sure. The second time it hung half way through, but
it went further than the original driver.

I noticed when the test is running the test computer says,

Running Miscellaneous Test on surface \DosDevices\usb#vid …
…and another number in curly bracket (like a guid).

The test hangs as soon as the final number changed. I don’t know what that
is. Is it some kind of a device path?

The device is sending a zero length packet if it does not have any data to
when it receives the USB IN token. So as soon as the driver submit the
request the Completion callback will be called. I’m using a
Sequential-Queue for read requests. There is no big check just the whole
system freezes now. I’m still checking the issue.

If anyone have any suggestion please let me know.

Thank you.

-Pradeepa

On Wed, Sep 24, 2014 at 3:13 AM, Tim Roberts wrote:

> Pradeepa Senanayake [xxxxx@gmail.com] wrote:
>
> >>Have you look at any traces at all to see what is being submitted?
>
> This is what I want to do. I want to know how. I want to see what is in
> the stack to see what are the functions being called. I installed WinDbg on
> the Test-PC. When the test hangs still the PC is responsive. Can I break
> into the kernel and see what is happening at this point?
>
> How? You do it like this:
> KdPrint(( FUNCTION" was called.\n" ));
>
> Then you watch the results, either in dbgview or with the local KD.
> –
> Tim Roberts, xxxxx@probo.com
> Providenza & Boekelheide, Inc.
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
>
> OSR is HIRING!! See http://www.osr.com/careers
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

13

Pradeepa Senanayake wrote:

I added the ‘WdfRequestCompleteWithInformation(Request, status, 0)’
function call to the start of the Read-Completion-Callback and avoided
all the logic in the driver. I ran the test once and it was
successful. Then I ran it again just to be sure. The second time it
hung half way through, but it went further than the original driver.

I noticed when the test is running the test computer says,

Running Miscellaneous Test on surface \DosDevices\usb#vid …
> …and another number in curly bracket (like a guid).
>
> The test hangs as soon as the final number changed. I don’t know what
> that is. Is it some kind of a device path?

The GUID is one of the device interfaces you support. That string is
exactly the path you pass to CreateFile to open a handle to the device
for sending requests. Can you post the entire string? I assume your
VID and PID are not secret.

What kind of device is this? Is it one of the standard device classes?
Do you support several device interfaces? Do you handle several apps
with open instances at once?

> The device is sending a zero length packet if it does not have any
> data to when it receives the USB IN token. So as soon as the driver
> submit the request the Completion callback will be called.

It’s certainly not immediate. You have to get scheduled into a frame,
then you have to wait until the frame is finished. It’ll take a
millisecond.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

14

>

> I added the ‘WdfRequestCompleteWithInformation(Request, status, 0)’
> function call to the start of the Read-Completion-Callback and avoided
> all the logic in the driver. I ran the test once and it was
> successful. Then I ran it again just to be sure. The second time it
> hung half way through, but it went further than the original driver.
>
> I noticed when the test is running the test computer says,
>
> Running Miscellaneous Test on surface \DosDevices\usb#vid …
> > …and another number in curly bracket (like a guid).
> >
> > The test hangs as soon as the final number changed. I don’t know what
> > that is. Is it some kind of a device path?
>
> The GUID is one of the device interfaces you support. That string is
> exactly the path you pass to CreateFile to open a handle to the device
> for sending requests. Can you post the entire string? I assume your
> VID and PID are not secret.
>
> What kind of device is this? Is it one of the standard device classes?
> Do you support several device interfaces?

The device is a Scanner. It has a vendor specific USB descriptor. It only
has one interfaces.

> Do you handle several apps with open instances at once?

I have not done anything to handle this situation. I have called the
function “WdfDeviceInitSetExclusive(DeviceInit, TRUE)” hoping that it would
prevent such accesses.

>
> > The device is sending a zero length packet if it does not have any
> > data to when it receives the USB IN token. So as soon as the driver
> > submit the request the Completion callback will be called.
>
> It’s certainly not immediate. You have to get scheduled into a frame,
> then you have to wait until the frame is finished. It’ll take a
> millisecond.

Yes this is true.

The driver with total logic runs into the following bugcheck over and over
again. I took some information also.

2: kd> !analyze -v



 Bugcheck Analysis

Unknown bugcheck code (0)
Unknown bugcheck description
Arguments:
Arg1: 0000000000000000
Arg2: 0000000000000000
Arg3: 0000000000000000
Arg4: 0000000000000000

Debugging Details:
------------------

PROCESS_NAME: System

FAULTING_IP:
nt!DbgBreakPoint+0
fffff80002e86f40 cc int 3<br><br>EXCEPTION_RECORD: ffffffffffffffff -- (.exr 0xffffffffffffffff)<br>ExceptionAddress: fffff80002e86f40 (nt!DbgBreakPoint)<br> ExceptionCode: 80000003 (Break instruction exception)<br> ExceptionFlags: 00000000<br>NumberParameters: 1<br> Parameter[0]: 0000000000000000<br><br>ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION} Breakpoint A breakpoint<br>has been reached.<br><br>EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - One or more arguments<br>are invalid<br><br>EXCEPTION_PARAMETER1: 0000000000000000<br><br>DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT<br><br>BUGCHECK_STR: 0x0<br><br>CURRENT_IRQL: 0<br><br>LAST_CONTROL_TRANSFER: from fffff88000f2ea81 to fffff80002e86f40<br><br>STACK_TEXT:<br>fffff880031afa58 fffff88000f2ea81 : 0000000000000000 fffff98008e42fd0<br>fffff98008e42fd0 fffff88000f56f40 : nt!DbgBreakPoint<br>fffff880031afa60 fffff88000f03e75 : fffff9800958ae30 fffff80003032500<br>fffff9800943ef00 0000000000000000 :<br>Wdf01000!FxTagTracker::UpdateTagHistory+0x19d<br>fffff880031afab0 fffff88000f315f0 : fffff9800958ae30 fffff9800943ef00<br>fffff9800943ef00 fffff9800943ef00 : Wdf01000!FxRequest::Release+0x3d<br>fffff880031afaf0 fffff88000f0db36 : fffff9800958ae30 fffff80003032500<br>fffff9800943efd8 fffff88000f3029c :<br>Wdf01000!FxObject::PerformDisposingDisposeChildrenLocked+0xe4<br>fffff880031afb60 fffff88000f0dbd6 : fffff9800943ef70 fffff800030325f8<br>fffff9800943ef70 fffff9800943ef70 :<br>Wdf01000!FxDisposeList::DrainListLocked+0x17e<br>fffff880031afbe0 fffff88000f08eda : 0000000000000000 fffff98002a32f40<br>fffff800030325f8 0000000000000000 :<br>Wdf01000!FxDisposeList::_WorkItemThunk+0x46<br>fffff880031afc10 fffff80003188527 : fffffa800755bc30 fffff980094e0f00<br>fffffa8006726680 fffffa8006726680 :<br>Wdf01000!FxSystemWorkItem::_WorkItemThunk+0xba<br>fffff880031afc40 fffff80002e9c161 : fffff80003032500 fffff80003188504<br>fffffa8006726680 0000000000000000 : nt!IopProcessWorkItem+0x23<br>fffff880031afc70 fffff80003132166 : 00000101001f01ff fffffa8006726680<br>0000000000000080 fffffa80066a8b30 : nt!ExpWorkerThread+0x111<br>fffff880031afd00 fffff80002e6d486 : fffff88002f64180 fffffa8006726680<br>fffff88002f6efc0 0000000300480002 : nt!PspSystemThreadStartup+0x5a<br>fffff880031afd40 0000000000000000 : fffff880031b0000 fffff880031aa000<br>fffff880031af9b0 0000000000000000 : nt!KxStartSystemThread+0x16<br><br>STACK_COMMAND: kb<br><br>FOLLOWUP_IP:<br>Wdf01000!FxTagTracker::UpdateTagHistory+19d<br>fffff88000f2ea81 eb16 jmp
Wdf01000!FxTagTracker::UpdateTagHistory+0x1b5 (fffff880`00f2ea99)

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: Wdf01000!FxTagTracker::UpdateTagHistory+19d

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: Wdf01000

IMAGE_NAME: Wdf01000.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bc19f

FAILURE_BUCKET_ID: X64_0x0_VRF_Wdf01000!FxTagTracker::UpdateTagHistory+19d

BUCKET_ID: X64_0x0_VRF_Wdf01000!FxTagTracker::UpdateTagHistory+19d

Followup: MachineOwner
---------

2: kd> !wdfkd.wdfdriverinfo ustp2
----------------------------------
*** ERROR: Module load completed but symbols could not be loaded for
ustp2.sys
Default driver image name: ustp2
WDF library image name: Wdf01000
FxDriverGlobals 0xfffff98003544e70
WdfBindInfo 0xfffff8800523d110
Version v1.9 build(7600)
----------------------------------
WDFDRIVER: 0x0000067ff53fd188

!WDFDEVICE 0x0000067ff537b418 (FDO)
Pnp/Power State: WdfDevStatePnpStarted, WdfDevStatePowerD0,
WdfDevStatePwrPolStarted
context: dt 0xfffff9800ac84f50 DEVICE_CONTEXT (size is 0xb0 bytes)


context: dt 0xfffff9800addef50 VF_WDFDEVICECREATE_CONTEXT (size is
0x90 bytes)


----------------------------------

2: kd> !WDFDEVICE 0x0000067ff537b418

Dumping WDFDEVICE 0x0000067ff537b418
=================================

WDM PDEVICE_OBJECTs: self fffffa8009384c40, attached fffffa8009621040, pdo
fffffa800931e060

Pnp state: 119 ( WdfDevStatePnpStarted )
Power state: 307 ( WdfDevStatePowerD0 )
Power Pol state: 565 ( WdfDevStatePwrPolStarted )

Default WDFIOTARGET: 0000067ff5313168

No pended pnp or power irps
Device is the power policy owner for the stack
2: kd> !wdffindobjects 0xfffff98003544e70
Address Value Object
------------------ ------------------ ------------------
0xfffff98003544e70 0xfffff98007ac6e70
0xfffff98003544e78 0xfffff88000f4f540
0xfffff98003544e80 0xfffffffffffffff8
0xfffff98003544e88 0x70747375ffffffff
0xfffff98003544e90 0xfffff9800ac02e70 !WDFDRIVER 0x0000067ff53fd188
0xfffff98003544e98 0xfffff98002ad6e40
0xfffff98003544ea0 0xfffff88000f4f360
0xfffff98003544ea8 0x0000000000000000
0xfffff98003544eb0 0xfffffa8007515000
0xfffff98003544eb8 0x0000000000000000
0xfffff98003544ec0 0xfffff9800ac4cbb0
0xfffff98003544ec8 0xfffff9800f21ef80
0xfffff98003544ed0 0x0000000000000001
0xfffff98003544ed8 0x0000000000000000
0xfffff98003544ee0 0x0000000000000000
0xfffff98003544ee8 0x0000000000060001
2: kd> !WDFDEVICE 0x0000067ff537b418

Dumping WDFDEVICE 0x0000067ff537b418
=================================

WDM PDEVICE_OBJECTs: self fffffa8009384c40, attached fffffa8009621040, pdo
fffffa800931e060

Pnp state: 119 ( WdfDevStatePnpStarted )
Power state: 307 ( WdfDevStatePowerD0 )
Power Pol state: 565 ( WdfDevStatePwrPolStarted )

Default WDFIOTARGET: 0000067ff5313168

No pended pnp or power irps
Device is the power policy owner for the stack
2: kd> !wdfkd.wdfiotarget 0000067ff5313168

WDFIOTARGET 0000067ff5313168
=========================
WDFDEVICE: 0x0000067ff537b418
Target Device: !devobj 0xfffffa8009621040
Target PDO: !devobj 0xfffffa800931e060

Type: Instack target
State: WdfIoTargetStarted

Requests pending: 0

Requests sent: 0

Requests sent with ignore-target-state: 0

2: kd> !wdfkd.wdfdevicequeues 0x0000067ff537b418

Dumping queues of WDFDEVICE 0x0000067ff537b418
=====================================
Number of queues: 3
----------------------------------
Queue: 1 (!wdfqueue 0x0000067ff53d73a8)
Manual, Not power-managed, PowerOn, Can accept, Can dispatch,
ExecutionLevelInvalid, SynchronizationScopeInvalid
Number of driver owned requests: 0
Number of waiting requests: 0

This is WDF internal queue for create requests.
----------------------------------
Queue: 2 (!wdfqueue 0x0000067ff53b93a8)
Sequential, Auto, Power-managed, PowerOn, Can accept, Can dispatch,
ExecutionLevelDispatch, SynchronizationScopeNone
Number of driver owned requests: 0
Number of waiting requests: 0

EvtIoRead: (0xfffff88000f5bbb8) Wdf01000!VfEvtIoRead
----------------------------------
Queue: 3 (!wdfqueue 0x0000067ff524d3a8)
Parallel, Default, Power-managed, PowerOn, Can accept, Can dispatch,
ExecutionLevelDispatch, SynchronizationScopeNone
Number of driver owned requests: 0
Number of waiting requests: 0

EvtIoWrite: (0xfffff88000f5bca8) Wdf01000!VfEvtIoWrite
EvtIoDeviceControl: (0xfffff88000f5bd98) Wdf01000!VfEvtIoDeviceControl
2: kd> !wdfqueue 0x0000067ff53b93a8

Dumping WDFQUEUE 0x0000067ff53b93a8
=========================
Sequential, Auto, Power-managed, PowerOn, Can accept, Can dispatch,
ExecutionLevelDispatch, SynchronizationScopeNone
Number of driver owned requests: 0
Number of waiting requests: 0

- Pradeepa

15

Pradeepa Senanayake wrote:

What kind of device is this? Is it one of the standard device
classes?
Do you support several device interfaces?

The device is a Scanner. It has a vendor specific USB descriptor. It
only has one interfaces.

I meant device interface, as in WdfDeviceCreateDeviceInterface.

The driver with total logic runs into the following bugcheck over and
over again. I took some information also.

2: kd> !analyze -v
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************

ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION} Breakpoint A
breakpoint has been reached.

You hit an assertion failure in KMDF. You dumped a bunch of KMDF stuff,
but not the in-flight recorder log that should tell you what the
assertion was.

So, do:
!wdftmffile \your-ddk-path\tools\tracing\amd64\wdf01009.tmf
!wdflogdump ustp2


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

16

Tim Roberts wrote:

>
> I meant device interface, as in WdfDeviceCreateDeviceInterface.
>
>
Yes this function is used to register only one device interface. The driver
also uses “WdfDeviceCreateSymbolicLink” function to create symbolic link
too. It needs to communicate with some legacy applications.

> You hit an assertion failure in KMDF. You dumped a bunch of KMDF stuff,
> but not the in-flight recorder log that should tell you what the assertion
> was.
>
> So, do:
> !wdftmffile \your-ddk-path\tools\tracing\amd64\wdf01009.tmf
> !wdflogdump ustp2
>

This is the output I got,

3: kd> !wdflogdump ustp2
Trace searchpath is:

Trace format prefix is: %7!u!: %!FUNC! -
TMF file used for formatting log is:
C:\WinDDK\7600.16385.1\Tools\tracing\amd64\Wdf01009.tmf
Log at fffffa80093cc000
Gather log: Please wait, this may take a moment (reading 4024 bytes).
% read so far … 10, 20, 30, 40, 100
There are 36 log entries
— start of log —
1: FxVerifierLock::InitializeLockOrder - Object Type 0x1036 does not have a
lock order defined in fx\inc\FxVerifierLock.hpp
2: FxVerifierLock::InitializeLockOrder - Object Type 0x1036 does not have a
lock order defined in fx\inc\FxVerifierLock.hpp
3: FxPkgPnp::PnpEnterNewState - WDFDEVICE 0x0000067FFCF43418 !devobj
0xFFFFFA80093C5410 entering PnP State WdfDevStatePnpInit from
WdfDevStatePnpObjectCreated
4: FxPkgPnp::Dispatch - WDFDEVICE 0x0000067FFCF43418 !devobj
0xFFFFFA80093C5410, IRP_MJ_PNP, 0x00000000(IRP_MN_START_DEVICE) IRP
0xFFFFF980031D8B40
5: FxPkgPnp::PnpEnterNewState - WDFDEVICE 0x0000067FFCF43418 !devobj
0xFFFFFA80093C5410 entering PnP State WdfDevStatePnpInitStarting from
WdfDevStatePnpInit
6: FxPkgPnp::PnpEnterNewState - WDFDEVICE 0x0000067FFCF43418 !devobj
0xFFFFFA80093C5410 entering PnP State WdfDevStatePnpHardwareAvailable from
WdfDevStatePnpInitStarting
7: FxVerifierLock::InitializeLockOrder - Object Type 0x1204 does not have a
lock order defined in fx\inc\FxVerifierLock.hpp
8: FxIoTarget::SubmitLocked - ignoring WDFIOTARGET 0000067FFCE6D1E8 state,
sending WDFREQUEST FFFFF880031CADD0, state WdfIoTargetStarted
9: FxPkgPnp::PowerPolicyEnterNewState - WDFDEVICE 0x0000067FFCF43418
!devobj 0xFFFFFA80093C5410 entering power policy state
WdfDevStatePwrPolStarting from WdfDevStatePwrPolObjectCreated
10: FxPowerIdleMachine::ProcessEventLocked - WDFDEVICE 0x0000067FFCF43418
!devobj 0xFFFFFA80093C5410 entering power idle state FxIdleStarted from
FxIdleStopped
11: FxPkgPnp::PowerEnterNewState - WDFDEVICE 0x0000067FFCF43418 !devobj
0xFFFFFA80093C5410 entering Power State
WdfDevStatePowerStartingCheckDeviceType from WdfDevStatePowerObjectCreated
12: FxPkgPnp::PowerEnterNewState - WDFDEVICE 0x0000067FFCF43418 !devobj
0xFFFFFA80093C5410 entering Power State WdfDevStatePowerD0Starting from
WdfDevStatePowerStartingCheckDeviceType
13: FxPkgPnp::PowerEnterNewState - WDFDEVICE 0x0000067FFCF43418 !devobj
0xFFFFFA80093C5410 entering Power State
WdfDevStatePowerD0StartingConnectInterrupt from WdfDevStatePowerD0Starting
14: FxPkgPnp::PowerEnterNewState - WDFDEVICE 0x0000067FFCF43418 !devobj
0xFFFFFA80093C5410 entering Power State WdfDevStatePowerD0StartingDmaEnable
from WdfDevStatePowerD0StartingConnectInterrupt
15: FxPkgPnp::PowerEnterNewState - WDFDEVICE 0x0000067FFCF43418 !devobj
0xFFFFFA80093C5410 entering Power State
WdfDevStatePowerD0StartingStartSelfManagedIo from
WdfDevStatePowerD0StartingDmaEnable
16: FxPkgIo::ResumeProcessingForPower - Power resume all queues of
WDFDEVICE 0x0000067FFCF43418
17: FxPowerIdleMachine::ProcessEventLocked - WDFDEVICE 0x0000067FFCF43418
!devobj 0xFFFFFA80093C5410 entering power idle state FxIdleStartedPowerUp
from FxIdleStarted
18: FxPowerIdleMachine::ProcessEventLocked - WDFDEVICE 0x0000067FFCF43418
!devobj 0xFFFFFA80093C5410 entering power idle state FxIdleDisabled from
FxIdleStartedPowerUp
19: FxPkgPnp::PowerEnterNewState - WDFDEVICE 0x0000067FFCF43418 !devobj
0xFFFFFA80093C5410 entering Power State WdfDevStatePowerDecideD0State from
WdfDevStatePowerD0StartingStartSelfManagedIo
20: FxPkgPnp::PowerEnterNewState - WDFDEVICE 0x0000067FFCF43418 !devobj
0xFFFFFA80093C5410 entering Power State WdfDevStatePowerD0 from
WdfDevStatePowerDecideD0State
21: FxPkgPnp::PowerPolicyEnterNewState - WDFDEVICE 0x0000067FFCF43418
!devobj 0xFFFFFA80093C5410 entering power policy state
WdfDevStatePwrPolStartingSucceeded from WdfDevStatePwrPolStarting
22: FxPkgPnp::PowerPolicyEnterNewState - WDFDEVICE 0x0000067FFCF43418
!devobj 0xFFFFFA80093C5410 entering power policy state
WdfDevStatePwrPolStartingDecideS0Wake from
WdfDevStatePwrPolStartingSucceeded
23: FxPkgPnp::PowerPolicyEnterNewState - WDFDEVICE 0x0000067FFCF43418
!devobj 0xFFFFFA80093C5410 entering power policy state
WdfDevStatePwrPolStarted from WdfDevStatePwrPolStartingDecideS0Wake
24: FxPowerIdleMachine::ProcessEventLocked - WDFDEVICE 0x0000067FFCF43418
!devobj 0xFFFFFA80093C5410 entering power idle state FxIdleDisabled from
FxIdleDisabled
25: FxPkgPnp::PnpEnterNewState - WDFDEVICE 0x0000067FFCF43418 !devobj
0xFFFFFA80093C5410 entering PnP State WdfDevStatePnpEnableInterfaces from
WdfDevStatePnpHardwareAvailable
26: FxPkgPnp::PnpEnterNewState - WDFDEVICE 0x0000067FFCF43418 !devobj
0xFFFFFA80093C5410 entering PnP State WdfDevStatePnpStarted from
WdfDevStatePnpEnableInterfaces
27: FxPkgPnp::Dispatch - WDFDEVICE 0x0000067FFCF43418 !devobj
0xFFFFFA80093C5410, IRP_MJ_PNP, 0x00000014(IRP_MN_QUERY_PNP_DEVICE_STATE)
IRP 0xFFFFF980031DCB40
28: FxPkgFdo::HandleQueryPnpDeviceStateCompletion - WDFDEVICE
0x0000067FFCF43418 !devobj 0xFFFFFA80093C5410 returning PNP_DEVICE_STATE
0x0 IRP 0xFFFFF980031DCB40
29: FxPkgPnp::Dispatch - WDFDEVICE 0x0000067FFCF43418 !devobj
0xFFFFFA80093C5410, IRP_MJ_PNP, 0x00000007(IRP_MN_QUERY_DEVICE_RELATIONS)
type 0xFFFFFFFF IRP 0xFFFFF980030B8B40
30: FxPkgPnp::Dispatch - WDFDEVICE 0x0000067FFCF43418 !devobj
0xFFFFFA80093C5410, IRP_MJ_PNP, 0x00000007(IRP_MN_QUERY_DEVICE_RELATIONS)
type 0xFFFFFFFF IRP 0xFFFFF98002338B40
31: FxPkgPnp::Dispatch - WDFDEVICE 0x0000067FFCF43418 !devobj
0xFFFFFA80093C5410, IRP_MJ_PNP, 0x00000007(IRP_MN_QUERY_DEVICE_RELATIONS)
type TargetDeviceRelation IRP 0xFFFFF98002822B40
32: FxPkgPnp::Dispatch - WDFDEVICE 0x0000067FFCF43418 !devobj
0xFFFFFA80093C5410, IRP_MJ_PNP, 0x00000007(IRP_MN_QUERY_DEVICE_RELATIONS)
type BusRelations IRP 0xFFFFF98003082B40
33: FxPkgPnp::Dispatch - WDFDEVICE 0x0000067FFCF43418 !devobj
0xFFFFFA80093C5410, IRP_MJ_PNP, 0x00000007(IRP_MN_QUERY_DEVICE_RELATIONS)
type BusRelations IRP 0xFFFFF980030D4B40
34: FxIoQueue::CancelForQueue - WDFREQUEST 0x0000067FFAB271C8 was cancelled
while on WDFQUEUE 0x0000067FFCF2D3A8
35: FxIoQueue::CancelForQueue - WDFREQUEST 0x0000067FFAA631C8 was cancelled
while on WDFQUEUE 0x0000067FFCF2D3A8
36: FxTagTracker::UpdateTagHistory - releasing tag 0000000000000000 on
object FFFFF98009CF2E30 that was not acquired, !wdftagtracker
FFFFF98009CF4BD0
---- end of log ----

I cannot quite understand what is happening here.

17

Pradeepa Senanayake wrote:

Tim Roberts > wrote:
>
>
> You hit an assertion failure in KMDF. You dumped a bunch of KMDF
> stuff, but not the in-flight recorder log that should tell you
> what the assertion was.
>
> So, do:
> !wdftmffile \your-ddk-path\tools\tracing\amd64\wdf01009.tmf
> !wdflogdump ustp2
>
>
>
> This is the output I got,
>
> 3: kd> !wdflogdump ustp2
> Trace searchpath is:
> …
> 34: FxIoQueue::CancelForQueue - WDFREQUEST 0x0000067FFAB271C8 was
> cancelled while on WDFQUEUE 0x0000067FFCF2D3A8
> 35: FxIoQueue::CancelForQueue - WDFREQUEST 0x0000067FFAA631C8 was
> cancelled while on WDFQUEUE 0x0000067FFCF2D3A8
> 36: FxTagTracker::UpdateTagHistory - releasing tag 0000000000000000 on
> object FFFFF98009CF2E30 that was not acquired, !wdftagtracker
> FFFFF98009CF4BD0
> ---- end of log ----
>
> I cannot quite understand what is happening here.

No, I can’t either. It’s referring to a tag failure on an object, but
the object it’s referring to would be handle 67FF620D1C8, and that is
not mentioned in the log. We may need a KMDF guru to step in here.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

18

Hello Tim,

I ran !wdftagtracker FFFFF98009CF4BD0 command and it pointed to some
FxTimer. There is a timer in my driver which is used to retry requests
periodically. The timers are created in the EvtIoRead function and the
parent was set to the request.

// Initialize the read-timer
WDF_TIMER_CONFIG_INIT(&timerConfig,Usb_EvtTimerFunc);
timerConfig.AutomaticSerialization = TRUE;
timerConfig.Period = 0;

WDF_OBJECT_ATTRIBUTES_INIT(&timerAttributes);
timerAttributes.ParentObject = Request;
status = WdfTimerCreate(&timerConfig, &timerAttributes,
&(deviceContext->timerRead));
if (!NT_SUCCESS (status))
{
DEBUG_PRINT(“WdfTimerCreate failed 0x%x\n”, status);
goto Exit;
}
else
{
DEBUG_PRINT(“WdfTimerCreate Success 0x%x\n”, status);
}

After that in the ReadCompletion callback if i did not get data, I start
this timer with a delay(around 10ms). That will reuse the request and send
it to the device again.

I removed this code which miraculously made the driver working (working
means in the HCK, eventhough the previous implementation failed in the HCK
it was working well with the appications). I cannot understand why and how
that is possible.

Then I moved this timer creation to EvtDriverAdd event. And kept it in the
device context. This way the HCK test is fine but the driver is really
slow. There are many unknowns now. Why didn’t work and why now working.

Is there anything wrong in my approach? The driver read slowing down is a
big concern.

On a side note,

Since I reuse request in the EvtTimerFunc I need to get the handle of the
Request. Since the parent of the ‘Timer’ is the ‘Device’ I can get the
DeviceContext within the EvtTimerFunc function.

In the current code I’m storing the Request handle in the device context
and retrieving it in the EvtTimerFunc. Is there a better way to achieve
this? Also is there an API to check the validity of a Request?

-Pradeepa

On Fri, Oct 3, 2014 at 10:19 PM, Tim Roberts wrote:

> Pradeepa Senanayake wrote:
>
> Tim Roberts wrote:
>
>>
> You hit an assertion failure in KMDF. You dumped a bunch of KMDF stuff,
>> but not the in-flight recorder log that should tell you what the assertion
>> was.
>>
>> So, do:
>> !wdftmffile \your-ddk-path\tools\tracing\amd64\wdf01009.tmf
>> !wdflogdump ustp2
>>
>
>
> This is the output I got,
>
> 3: kd> !wdflogdump ustp2
> Trace searchpath is:
> …
> 34: FxIoQueue::CancelForQueue - WDFREQUEST 0x0000067FFAB271C8 was
> cancelled while on WDFQUEUE 0x0000067FFCF2D3A8
> 35: FxIoQueue::CancelForQueue - WDFREQUEST 0x0000067FFAA631C8 was
> cancelled while on WDFQUEUE 0x0000067FFCF2D3A8
> 36: FxTagTracker::UpdateTagHistory - releasing tag 0000000000000000 on
> object FFFFF98009CF2E30 that was not acquired, !wdftagtracker
> FFFFF98009CF4BD0
> ---- end of log ----
>
> I cannot quite understand what is happening here.
>
>
> No, I can’t either. It’s referring to a tag failure on an object, but the
> object it’s referring to would be handle 67FF620D1C8, and that is not
> mentioned in the log. We may need a KMDF guru to step in here.
>
> –
> Tim Roberts, xxxxx@probo.com
> Providenza & Boekelheide, Inc.
>
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
>
> OSR is HIRING!! See http://www.osr.com/careers
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

19

Pradeepa Senanayake wrote:

Hello Tim,

I ran !wdftagtracker FFFFF98009CF4BD0 command and it pointed to some
FxTimer. There is a timer in my driver which is used to retry requests
periodically. The timers are created in the EvtIoRead function and the
parent was set to the request.

// Initialize the read-timer
WDF_TIMER_CONFIG_INIT(&timerConfig,Usb_EvtTimerFunc);
timerConfig.AutomaticSerialization = TRUE;
timerConfig.Period = 0;

WDF_OBJECT_ATTRIBUTES_INIT(&timerAttributes);
timerAttributes.ParentObject = Request;

Do you understand what AutomaticSerialization does? KMDF offers many
automatic synchronization techniques that are very easy to use, but
because of that, it’s quite possible to over-synchronize yourself. When
AutomaticSerialization is true, the timer callback grabs a lock that
prevents any other callbacks on the parent object from running.

I’m guessing you don’t really need AutomaticSerialization here.

Then I moved this timer creation to EvtDriverAdd event. And kept it in
the device context. This way the HCK test is fine but the driver is
really slow. There are many unknowns now. Why didn’t work and why now
working.

Is there anything wrong in my approach? The driver read slowing down
is a big concern.

If you moved the timer creating to EvtDeviceAdd, then you probably have
it owned by the device, instead of the request. If you kept
AutomaticSerialization, that means your timer lock will lock out all of
the callbacks for the whole device.

Turn off AutomaticSerialization and just use a lock if you need to
protect something specific.

Since I reuse request in the EvtTimerFunc I need to get the handle of
the Request. Since the parent of the ‘Timer’ is the ‘Device’ I can get
the DeviceContext within the EvtTimerFunc function.

In the current code I’m storing the Request handle in the device
context and retrieving it in the EvtTimerFunc. Is there a better way
to achieve this? Also is there an API to check the validity of a Request?

If there can only be one request outstanding at a time, you can just
shove the request into a manual I/O queue. That way, you gain the huge
benefit that the request can be canceled.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.