One Reference to WDFDEVICE

Hi
I am running HLK Test on my blue tooth profile driver.

OS andHLK version:10586
Test Name: DF Surprise Remove Device Test(Reliability)

Error:
Error: WDTF_PNP : Result: Failed to receive IRP_MN_REMOVE_DEVICE after receiving IRP_MN_SURPRISE_REMOVAL.
Ensure that there are no open handles or references to the test device (in user mode or in kernel mode) preventing IRP_MN_REMOVE_DEVICE from being sent.
You may need to terminate any processes or services that may have open user mode handles to this device. ( 80004005 ).

I could see the following functions called

  1. “EvtDeviceSurpriseRemoval”
  2. “EvtDeviceSelfManagedIoSuspend”
  3. ““EvtDeviceD0Exit””

But “EvtDeviceSelfManagedIoCleanup” or “EvtCleanupCallback” of my WDFDRIVER object is not called. Is that the root cause?

(Note : I did not register “EvtCleanupCallback” for my WDFDEVICE).

I have enabled KMDF verifier and done the efollowing analysis

  1. !wdfkd.wdfopenhandles 0x0000307f4dad3568 ( 0x0000307f4dad3568 is my WDFDEVICE*)

Dumping open handles on WDFDEVICE 0x0000307f4dad3568

Number of open handles : 1

No WDFFILEOBJECT created. The driver may not have set any fileobject configuration.
SyncronizationScope is WdfSynchronizationScopeInheritFromParent
ExecutionLevel is WdfExecutionLevelInheritFromParent

  1. !wdfkd.wdfhandle 0x0000307f`4dad3568

Dumping WDFHANDLE 0x0000307f4dad3568

Handle type is WDFDEVICETreating handle as a KMDF handle!
Handle type is WDFDEVICE
Refcount: 1
Contexts:
context: dt 0xffffcf80b252cd80 MyA2DPSink!MYECHOSAMPLE_SERVER_CONTEXT (size is 0x280 bytes)


Parent: !wdfhandle 0x0000307f4db81198, type is WDFDRIVER, type is WDFDRIVER
Owning device:
Owning device:
Owning device:
Owning device: !wdfdevice 0x0000307f4dad3568!wdfdevice 0x0000307f4dad3568!wdfdevice 0x0000307f4dad3568!wdfdevice 0x0000307f4dad3568

!wdftagtracker 0xffffcf80b23fab00!wdftagtracker 0xffffcf80b23fab00!wdftagtracker 0xffffcf80b23fab00!wdftagtracker 0xffffcf80b23fab00

State history:

State history:
[0] FxObjectStateCreated (0x1)

!wdfobject 0xffffcf80b252ca90!wdfobject 0xffffcf80b252ca90!wdfobject 0xffffcf80b252ca90!wdfobject 0xffffcf80b252ca90

I did not have any clue about this object whose pointer is 0xffffcf80b252ca90. so I typed the following command

3. kd> !wdfkd.wdfobject ffffcf80b252ca90

The type for object 0xffffcf80b252ca90 is FxDevice
State: FxObjectStateCreated (0x1)
!wdfhandle 0x0000307f4dad3568!wdfhandle 0x0000307f4dad3568!wdfhandle 0x0000307f4dad3568!wdfhandle 0x0000307f4dad3568

dt FxDevice 0xffffcf80b252ca90dt FxDevice 0xffffcf80b252ca90dt FxDevice 0xffffcf80b252ca90dt FxDevice 0xffffcf80b252ca90

Contexts:
context: dt 0xffffcf80b252cd80 BthA2DPSink!BTHECHOSAMPLE_SERVER_CONTEXT (size is 0x280 bytes)


Object debug extension 0xffffcf80b252ca70

!wdftagtracker 0xffffcf80b23fab00!wdftagtracker 0xffffcf80b23fab00!wdftagtracker 0xffffcf80b23fab00!wdftagtracker 0xffffcf80b23fab00
Verifier lock 0xffffcf80b2292f50

State history:

Verifier lock 0xffffcf80b2292f50

[0] FxObjectStateCreated (0x1)
Parent: !wdfobject 0xffffcf80b247ee60!wdfobject 0xffffcf80b247ee60!wdfobject 0xffffcf80b247ee60!wdfobject 0xffffcf80b247ee60, , , , !wdfhandle 0x0000307f4db81198!wdfhandle 0x0000307f4db81198!wdfhandle 0x0000307f4db81198!wdfhandle 0x0000307f4db81198, type is WDFDRIVER
Owning device: , type is WDFDRIVER
Owning device: , type is WDFDRIVER
Owning device: , type is WDFDRIVER
Owning device: !wdfdevice 0x0000307f4dad3568!wdfdevice 0x0000307f4dad3568!wdfdevice 0x0000307f4dad3568!wdfdevice 0x0000307f4dad3568

4. kd> !wdfkd.wdftagtracker 0xffffcf80b23fab00 3
Owning Owning Owning Owning !wdfobject ffffcf80b252ca90!wdfobject ffffcf80b252ca90!wdfobject ffffcf80b252ca90!wdfobject ffffcf80b252ca90

Reference and Release History:
(showing most recent first; refcount is approximate in multi-threaded scenarios)
================================================================================

0 entries, history depth is 25

Reference and Release History:
(showing most recent first; refcount is approximate in multi-threaded scenarios)
================================================================================

0 entries, history depth is 25

Reference and Release History:
(showing most recent first; refcount is approximate in multi-threaded scenarios)
================================================================================

0 entries, history depth is 25

Reference and Release History:
(showing most recent first; refcount is approximate in multi-threaded scenarios)
================================================================================

0 entries, history depth is 25

1 outstanding reference:
================================================================================

(++) Initial Tag ‘…’ at Time 0x13e8 ticks

1 outstanding reference:
================================================================================

(++) Initial Tag ‘…’ at Time 0x13e8 ticks

1 outstanding reference:
================================================================================

(++) Initial Tag ‘…’ at Time 0x13e8 ticks

1 outstanding reference:
================================================================================

(++) Initial Tag ‘…’ at Time 0x13e8 ticks

Can anybody tell me how to proceed??? Thanks in advance

!wdfkd.wdfhandle does not dump information about an open handle, it just dumps generic info about any WDF handle *type*. There are no !wdfkd commands that will show you who has the handle open.

d

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Tuesday, November 24, 2015 6:58 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] One Reference to WDFDEVICE

Hi
I am running HLK Test on my blue tooth profile driver.

OS andHLK version:10586
Test Name: DF Surprise Remove Device Test(Reliability)

Error:
Error: WDTF_PNP : Result: Failed to receive IRP_MN_REMOVE_DEVICE after receiving IRP_MN_SURPRISE_REMOVAL.
Ensure that there are no open handles or references to the test device (in user mode or in kernel mode) preventing IRP_MN_REMOVE_DEVICE from being sent.
You may need to terminate any processes or services that may have open user mode handles to this device. ( 80004005 ).

I could see the following functions called
1. “EvtDeviceSurpriseRemoval”
2. “EvtDeviceSelfManagedIoSuspend”
3. ““EvtDeviceD0Exit””

But “EvtDeviceSelfManagedIoCleanup” or “EvtCleanupCallback” of my WDFDRIVER object is not called. Is that the root cause?

(Note : I did not register “EvtCleanupCallback” for my WDFDEVICE).

I have enabled KMDF verifier and done the efollowing analysis

1. !wdfkd.wdfopenhandles 0x0000307f4dad3568 ( 0x0000307f4dad3568 is my WDFDEVICE*)

Dumping open handles on WDFDEVICE 0x0000307f4dad3568
============================================
Number of open handles : 1

No WDFFILEOBJECT created. The driver may not have set any fileobject configuration.
SyncronizationScope is WdfSynchronizationScopeInheritFromParent
ExecutionLevel is WdfExecutionLevelInheritFromParent

2. !wdfkd.wdfhandle 0x0000307f`4dad3568

Dumping WDFHANDLE 0x0000307f4dad3568
=============================
Handle type is WDFDEVICETreating handle as a KMDF handle!
Handle type is WDFDEVICE
Refcount: 1
Contexts:
context: dt 0xffffcf80b252cd80 MyA2DPSink!MYECHOSAMPLE_SERVER_CONTEXT (size is 0x280 bytes)


Parent: !wdfhandle 0x0000307f4db81198, type is WDFDRIVER, type is WDFDRIVER
Owning device:
Owning device:
Owning device:
Owning device: !wdfdevice 0x0000307f4dad3568!wdfdevice 0x0000307f4dad3568!wdfdevice 0x0000307f4dad3568!wdfdevice 0x0000307f4dad3568

!wdftagtracker 0xffffcf80b23fab00!wdftagtracker 0xffffcf80b23fab00!wdftagtracker 0xffffcf80b23fab00!wdftagtracker 0xffffcf80b23fab00

State history:

State history:
[0] FxObjectStateCreated (0x1)

!wdfobject 0xffffcf80b252ca90!wdfobject 0xffffcf80b252ca90!wdfobject 0xffffcf80b252ca90!wdfobject 0xffffcf80b252ca90

I did not have any clue about this object whose pointer is 0xffffcf80b252ca90. so I typed the following command

3. kd> !wdfkd.wdfobject ffffcf80b252ca90

The type for object 0xffffcf80b252ca90 is FxDevice
State: FxObjectStateCreated (0x1)
!wdfhandle 0x0000307f4dad3568!wdfhandle 0x0000307f4dad3568!wdfhandle 0x0000307f4dad3568!wdfhandle 0x0000307f4dad3568

dt FxDevice 0xffffcf80b252ca90dt FxDevice 0xffffcf80b252ca90dt FxDevice 0xffffcf80b252ca90dt FxDevice 0xffffcf80b252ca90

Contexts:
context: dt 0xffffcf80b252cd80 BthA2DPSink!BTHECHOSAMPLE_SERVER_CONTEXT (size is 0x280 bytes)


Object debug extension 0xffffcf80b252ca70

!wdftagtracker 0xffffcf80b23fab00!wdftagtracker 0xffffcf80b23fab00!wdftagtracker 0xffffcf80b23fab00!wdftagtracker 0xffffcf80b23fab00
Verifier lock 0xffffcf80b2292f50

State history:

Verifier lock 0xffffcf80b2292f50

[0] FxObjectStateCreated (0x1)
Parent: !wdfobject 0xffffcf80b247ee60!wdfobject 0xffffcf80b247ee60!wdfobject 0xffffcf80b247ee60!wdfobject 0xffffcf80b247ee60, , , , !wdfhandle 0x0000307f4db81198!wdfhandle 0x0000307f4db81198!wdfhandle 0x0000307f4db81198!wdfhandle 0x0000307f4db81198, type is WDFDRIVER
Owning device: , type is WDFDRIVER
Owning device: , type is WDFDRIVER
Owning device: , type is WDFDRIVER
Owning device: !wdfdevice 0x0000307f4dad3568!wdfdevice 0x0000307f4dad3568!wdfdevice 0x0000307f4dad3568!wdfdevice 0x0000307f4dad3568

4. kd> !wdfkd.wdftagtracker 0xffffcf80b23fab00 3
Owning Owning Owning Owning !wdfobject ffffcf80b252ca90!wdfobject ffffcf80b252ca90!wdfobject ffffcf80b252ca90!wdfobject ffffcf80b252ca90

Reference and Release History:
(showing most recent first; refcount is approximate in multi-threaded scenarios)
================================================================================

0 entries, history depth is 25

Reference and Release History:
(showing most recent first; refcount is approximate in multi-threaded scenarios)
================================================================================

0 entries, history depth is 25

Reference and Release History:
(showing most recent first; refcount is approximate in multi-threaded scenarios)
================================================================================

0 entries, history depth is 25

Reference and Release History:
(showing most recent first; refcount is approximate in multi-threaded scenarios)
================================================================================

0 entries, history depth is 25

1 outstanding reference:
================================================================================

(++) Initial Tag ‘…’ at Time 0x13e8 ticks

1 outstanding reference:
================================================================================

(++) Initial Tag ‘…’ at Time 0x13e8 ticks

1 outstanding reference:
================================================================================

(++) Initial Tag ‘…’ at Time 0x13e8 ticks

1 outstanding reference:
================================================================================

(++) Initial Tag ‘…’ at Time 0x13e8 ticks

Can anybody tell me how to proceed??? Thanks in advance


NTDEV is sponsored by OSR

Visit the list at: https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.osronline.com%2Fshowlists.cfm%3Flist%3Dntdev&data=01|01|Doron.Holan%40microsoft.com|29816d39e83746e7a5c808d2f4df99e6|72f988bf86f141af91ab2d7cd011db47|1&sdata=nUYKH1LwCryyQMLX1mNwlHAb9I%2FNHEtfgpJKprS1LW0%3D

OSR is HIRING!! See https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.osr.com%2Fcareers&data=01|01|Doron.Holan%40microsoft.com|29816d39e83746e7a5c808d2f4df99e6|72f988bf86f141af91ab2d7cd011db47|1&sdata=Sipl%2FOWZCqrVkQPrAZ9S8yus4ZtdS6e9GqKDN4UWphc%3D

For our schedule of WDF, WDM, debugging and other seminars visit:
https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.osr.com%2Fseminars&data=01|01|Doron.Holan%40microsoft.com|29816d39e83746e7a5c808d2f4df99e6|72f988bf86f141af91ab2d7cd011db47|1&sdata=B%2BQdM2yeYOzGOFng3VflZXEGq3JktfzB0Syq%2FMBdk%2Fc%3D

To unsubscribe, visit the List Server section of OSR Online at https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.osronline.com%2Fpage.cfm%3Fname%3DListServer&data=01|01|Doron.Holan%40microsoft.com|29816d39e83746e7a5c808d2f4df99e6|72f988bf86f141af91ab2d7cd011db47|1&sdata=oe8aHRp84NMXCtRXB53Md7hMEX7ey25RiKNFOopzysU%3D

xxxxx@gmail.com wrote:

  1. !wdfkd.wdfhandle 0x0000307f`4dad3568

Dumping WDFHANDLE 0x0000307f4dad3568

Handle type is WDFDEVICETreating handle as a KMDF handle!
Handle type is WDFDEVICE
Refcount: 1
Contexts:
context: dt 0xffffcf80b252cd80 MyA2DPSink!MYECHOSAMPLE_SERVER_CONTEXT (size is 0x280 bytes)

>
> Parent: !wdfhandle 0x0000307f4db81198, type is WDFDRIVER, type is WDFDRIVER
> Owning device: !wdfdevice 0x0000307f4dad3568
> !wdfobject 0xffffcf80b252ca90
>
> I did not have any clue about this object whose pointer is 0xffffcf80b252ca90. so I typed the following command

It is the same thing. A WDF handle is a way to refer to an object in
memory. The address of the object happens to be the negative of the
handle. (Well, almost; handle = 0xFFFFFFFFFFFFFFF8 - object address).
In this case, the WDFDEVICE of 307f4dad3568 refers to the FxDevice
structure at ffffcf80b252ca90.

Every WDF handle works the same way.

Are you, in fact, canceling and completing all outstanding I/O request
as you clean up?


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Hello
Thanks you so much for your time. I have done a detailed analisys on the issue.My driver is a Bluetooth Profile driver. When the test script starts execution, we

receive one IOCTL. The IoControlCode is IOCTL_BTH_LOCAL_INFO. At this point, the number of reference to my WDFDEVICE is One (verified using the command
!wdfkd.wdfopenhandles, during live debugging using Windbg). We are able to retreive the OutputBuffer, fill the required data and complete this request with the

STATUS_SUCCESS(using WdfRequestComeplete).

Even after we exited DeviceIoControl Function,we could see that the reference count of our WDFDEVICE is not decremented!!!

After this point, the reference count is incremented/decremeted for each successive ioctl. (For example, when the second IOCTL comes, the reference count is 2. When the

DeviceIoControl Function is exited, the refernce count becomes 1).

We are sure that
1.We don’t have any pending WDFREQUEST in our driver which we received from upper driver.
2.All our WDFQUEUEs are empty
3. We don’t have any WDFREQUEST in our local queue, whose completion is pending

Note:
1.IOCTL_BTH_LOCAL_INFO is the first IOCTL and it is issued only once.
2. We observe one IOCTL (IoControlCode = 223fe4, which we are not handling) issued very frequently. Since we are not handling this request, we complete with status

STATUS_INVALID_DEVICE_REQUEST.

Questions:

  1. When we complete the WDFREQUEST which we received throgh DeviceIOControl Function, the reference count should be decremented (At least, afterour DeviceIOControl Function

is exited ) …IS my understanding correct???

  1. Is ther a way to find out IOCTL name from the IoControlCode (223fe4, ) ???
    I have checked the beloew link
    http://www.ioctls.net/

  2. Could you suggest a way to debug???
    (I am sure that There is no WDFOBJECTREFERENCE/DEREFERENCE mismatch in my driver)