The new wil library for C++ code in drivers

The wil:: library has improved techniques for easy and fail safe freeing of resources. This is one of the big headaches of writing drivers is all the messy and error prone cleanup code. I like these new constructs much better than spaghetti of goto statements and I think if one posted a side by side comparison of the rat’s nest ndis code it would grow on people. Kind of like comparing the look of the mass of hand wiring on the back of very ancient mainframes compared to the neat and tidy look of land patterns on a brand new motherboard. And if you balk at all these auto free constructs then I better never see an automatic variable in your c code, anywhere, any kind. Because guess what? Automatic variables are freed automatically behind the scenes for you when they go out of scope–oh the horror!

On the topic of error checking & logging, I did a lot of very similar stuff using WPP macros in my previous workplace. Is it the direction you’re locking for? Every place I’ve worked in defined “logging” differently.

wil’s logging is configurable. The full story is documented here. The TL;DR is that you set some #defines to control whether errors get printed to DbgPrint, TraceLogging, or nowhere. You’d presumably have the noisy mode enabled for debug builds, and lower the verbosity for retail.

I would have liked to see WPP in there – I’m a fan of WPP. But WPP is not particuarly friendly to being included in someone else’s macro; it wants to own the top-level macro. So I’m doubtful that it’s technically possible to squeeze WPP into the wil error-handling framework. Well, at least without changing it so much it becomes some sort of WPP 2.0… :wink:

Keep in mind, though, that we haven’t done the work to hook up wil’s error-handling macros for kernel code yet, so this discussion is only immediately relevent for us in the context of UMDF. The big technical challenge for us is that, while wil’s error-handling accepts a variety of types of error codes, it internally converts everything to HRESULT, and its guts use HRESULT exclusively. Obviously that’s a non-starter for kernel code; we would need to find a way to plumb NDIS_STATUS, er, I mean NTSTATUS through there. Anything’s posisble with enough #defines, but the implementation of wil’s error macros is already teetering on the brink of over-abstracted unreadability; adding another dimension of abstraction might cause the moon to fall out of the sky.

since you’ve been under a rock

Ad hominem attacks & reddit-style hyperbole have no place in a community of professional engineers. We discuss the merits of ideas, not people. In this case, Dejan has expressed a very valid point, and considering that wil has basically no public documentation right now, it’s perfectly reasonable to ask if wil runs afoul of these concerns about invisible memory allocation.

This is one of the big headaches of writing drivers is all the messy and error prone cleanup code

Well, you don’t necessarily have to use “the tricks of cleanup masters” from MSFT SDK/WDK samples, do you…

…these new constructs much better than spaghetti of goto statements

Actually, “goto” statements don’t necessarily have to result in spaghetti code as long as you use them properly (if you need some practical examples you can check Linux and Illumos sources ). OTOH, if you decide to make your code jump all over the place like Mr.Ballmer in a "Monkey Boy " video shown on another thread, “goto” may, indeed, be quite useful for the purpose…

The wil:: library has improved techniques for easy and fail safe freeing of resources.

I don’t know about the other people, but I wold rather prefer to see the cleanup code in the same function where the target resources have been allocated. This is not just the question of writing the code, but mainly of maintenance. Certainly, this is just the question of taste.

Anton Bassov

>> std:array/list/map and even unique_ptr sound exactly like the kind of

> stuff that would be the problem, without the user realizing it,

std::array does NOT allocate anything behind the scenes, ever. Neither does
std::unique_ptr. Neither does anything in the original post about the wil
library. No one is talking about lists and maps and behind the scenes
allocations in the kernel except you babbling to yourself in error. So maybe
before you post you can try to actually understand something about the new
library or c++ and then try to make an intelligent comment. And by the way
since you’ve been under a rock note that std::array is now approaching 10
years old and runs circles around c arrays and is a perfect fit for kernel
usage. That’s why they made it.

Easy… I did not say they made it, I said if it were to be made, it
should take a lot of caution. And array is just one of the 3 I

Ad hominem attacks & reddit-style hyperbole have no place in a community of professional engineers

Too right.

Mr. Rourke… I’m now officially cautioning you. I don’t like your attitude, in general. And now, you have embarrassed me by your behavior in my house, to the point where another one of my valued guests has had to remind you of your manners.

Come correct, now. Lose the attitude, and decrease the stridency of your replies, immediately. Or go play elsewhere. Please. Thank you.


@“Jeffrey_Tippet_[MSFT]” said:

On the topic of error checking & logging, I did a lot of very similar stuff using WPP macros in my previous workplace. Is it the direction you’re locking for? Every place I’ve worked in defined “logging” differently.

wil’s logging is configurable. The full story is documented here. The TL;DR is that you set some #defines to control whether errors get printed to DbgPrint, TraceLogging, or nowhere. You’d presumably have the noisy mode enabled for debug builds, and lower the verbosity for retail.

I would have liked to see WPP in there – I’m a fan of WPP. But WPP is not particuarly friendly to being included in someone else’s macro; it wants to own the top-level macro. So I’m doubtful that it’s technically possible to squeeze WPP into the wil error-handling framework. Well, at least without changing it so much it becomes some sort of WPP 2.0… :wink:

Oh wow, I’ve only dived in to the code some hours after replying, and only then saw the scope. Indeed, it could take more than a single weekend to add WPP support :wink:

I imagined WPP would be the standard for kernel due to performance and security (erm, obfuscation) considerations, so it could be on by default when deployed. If I’m missing some obfuscation ability in TraceLogging I’ll be delighted to get a push in the right direction.

In any case, this is great work. I’m excited to see modern C++ idioms in Kernel space.

Nobody (at this point, at least) is really pushing wil outside of Microsoft, but there’s some hazy dream of a future where every win32 developer just knows these macros and types, and it would look weird to manually spell out the error-checking or handle-closing.

For me it looks like a nightmare. Marcos which influence code flow (contain return or goto) are IMO plain evil. They make code shorter but less readable and in turn less robust/reliable. Call me dinosaur but I prefer when the code is readable as a book and code flow is explicitly expressed. Here you’re trying to express it in the macro name which is an interesting idea but it leads to longer macro names and makes this problem worse:

I think the RETURN_IF_NTSTATUS_FAIL creates too much noise and emphasis on the error path. I’d rather see the main function not buried in an argument, and a go to.

I’ve seen too much code plagued by REQUIRE-like macros and it is far less readable than longer version which handles errors explicitly. For this reason. You see just a chain of REQUIREs and what is code really doing is hard to decipher.

You’re one of my favorite dinosaurs :slight_smile:


Creating fossils museum? :wink:

Ad hominem attacks & reddit-style hyperbole have no place in a community of professional engineers.

Totally agree and I would never do that. A bigger problem I see is people who carelessly post false or misleading information in a forum dedicated to professionals helping each other. Faulty content has no place here and should be called into question for the benefit of the poster than made it and even more for others that read it. There is nothing personal about setting the record straight.


My first reaction when i saw this is it’s extremely ugly and breaks a lot of rules and no way I would ever want to see that in code. But thinking about it some more this is really just a poor man’s exception. Almost a throw statement if you will. If you look at it in that light it then becomes a thinking point on how it might be useful.

But thinking about it some more this is really just a poor man’s exception. Almost a throw statement if you will.

Well, a throw() statement is just a language construct that one may use or misuse the way they wish. Let’s say we have a function that may throw an exception, and this function may allocate resources and/or lock semaphores before doing so. As I have said already, I would personally prefer to make all the cleanup in the same function in case of a failure. The use of throw() statement does not preclude me from doing so in any possible way, does it - my callee can make its “internal” cleanup before throwing the exception, and let the caller do its “external” one in a catch() block.

However, RETURN_IF_NTSTATUS_FAILED() does not seem to offer me any possibilities to structure my code this way, does it.
Therefore, it does not really look like a throw() statement, at least from my perspective. OTOH, someone who would prefer to handle all the cleanup in a caller’s catch() block may, indeed, think of it as just of some kind of a throw() statement.

In other words, this is, again, just the question of personal taste and preferences…


Anton Bassov

Totally agree and I would never do that.

Bullshit. Just so we’re clear, regardless of what you think, if I think you do it one more time, I will put you on moderation.

Are we clear, Mr. Rourke?


(two weeks later…)

Anybody spent time looking at this from a driver perspective?

I’m about to start a new project, and I wandered over to GitHub to look into this a bit. You know, “no time like the present” to play around with some cool new stuff.

I am perhaps too stuck in my ways to understand or appreciate this, but… I don’t get it.

a) It’s just not clear to me how much of this applies to Kernel Mode – Yes, I can see that registry, token_helpers, filesystem, and result don’t allow inclusion in kernel-mode code. But… the other stuff is good to go?

b) It’s not even clear to me when stuff actually DOES apply to kernel-mode code, what that GETS me in real life or why on earth I’d want to use it. I’ll take Mr. Tippet’s example above:

NTSTATUS Example()
    wil::unique_wdf_common_buffer my_buffer;
    status = WdfCommonBufferCreate(..., &my_buffer);
    if (STATUS_SUCCESS != status)
         return status;

    if (.  . . something else fails  . . . )
        return STATUS_UNSUCCESSFUL; // no common buffer leak; WdfObjectDelete happens here

    return STATUS_SUCCESS;

Common Buffers are typically long-lived – You allocate them during initialization, you parent them on your WDFDEVICE, they go away because the WDFDEVICE goes away (or, if you explicitly delete them just before your WDFDEVICE is destructed). So… Why would I want a Common Buffer deleted when leaving a function? I’m not picking on Common Buffer… but I see a whole LIST of similar structures: DMA Enabler, DMA Transaction, etc. These structures aren’t simply used within a function and returned… their entire POINT is to be created and used “across time” in your driver.

So… I feel like I must be missing something. Pray tell: What am I missing?


@“Peter_Viscarola_(OSR)” said:
(two weeks later…)
b) It’s not even clear to me when stuff actually DOES apply to kernel-mode code, what that GETS me in real life or why on earth I’d want to use it. I’ll take Mr. Tippet’s example above:

NTSTATUS Example()
    wil::unique_wdf_common_buffer my_buffer;
    status = WdfCommonBufferCreate(..., &my_buffer);
    if (STATUS_SUCCESS != status)
         return status;

    if (.  . . something else fails  . . . )
        return STATUS_UNSUCCESSFUL; // no common buffer leak; WdfObjectDelete happens here

    return STATUS_SUCCESS;

Common Buffers are typically long-lived – You allocate them during initialization, you parent them on your WDFDEVICE, they go away because the WDFDEVICE goes away (or, if you explicitly delete them just before your WDFDEVICE is destructed). So… Why would I want a Common Buffer deleted when leaving a function? I’m not picking on Common Buffer… but I see a whole LIST of similar structures: DMA Enabler, DMA Transaction, etc. These structures aren’t simply used within a function and returned… their entire POINT is to be created and used “across time” in your driver.

So… I feel like I must be missing something. Pray tell: What am I missing?


That may be a contrived example, but there are certainly a lot of things that should apply in kernel mode.

I didn’t spend a lot of time looking at the specifics what already exists, but it’s certainly a direction I think is positive.

In my previous place of work, we relied heavily on RAII wrappers for locks, mutexes and such. We also had C++ std-compatible memory wrappers (unique and shared ptr) and a kstd list, which reduced leaks and assured clear memory ownership. Once most system objects were wrapped behind c++ classes, we could provide usermode implementation and run unit tests on our logic.

If you look at the examples at you can see most objects have kernel as well as user mode implementations, which probably allows running the same logic in usermode too.

I see where you’re coming from regarding the difficulty of loving RETURN_IF_NTSTATUS_FAIL , and it is verbose and unusual.
However, there are certainly functions in my code where the entire function body is a dozen lines such as

status = Function(.....);
if (!NT_STATUS(status))
        goto failed;

status = Function2(.....);
if (!NT_STATUS(status))
        goto failed;
PVOID* ptr = ExAlloc(....)
if (!ptr)
    goto failed;
status = Function3(.....);
if (!NT_STATUS(status))
        goto failed;

and then the failed label has a long list of

if (thing)

if (thing2)

if (ptr)


The use of similar macros, as well as RAII objects could reduce the amount of code spent on error handling, leading to

   PVOID* ptr = ExAlloc(....)

Advantages would be:

  1. No cleanup / failed label. No leaked resources on error exit path.
  2. Code is short and you only see business logic (IDE syntax higlighting helps), and error handling is declarative, and unified

Obviously this style is very much a matter of taste.

Yeah, that example is contrived. Here’s a real-world example from the OS:

The function doesn’t have any explicit cleanup code – everything happens “automatically” because allocations that need to be cleaned up are stored in a wil::unique_wdf_object. So the error handling macros just say if (failed) return statuscode; instead of the C style if (failed) goto Cleanup; That netadapter code is is equivalent to:

NTSTATUS NetTxQueueCreate()
    NTSTATUS Status;
    WDFOBJECT Object = NULL;

    if (STATUS_SUCCESS != (Status = WdfObjectCreate(. . ., &Object)))
        goto Cleanup;

    if (STATUS_SUCCESS != (Status = TxQueueInitialize(. . .)))
        goto Cleanup;

    if (STATUS_SUCCESS != (Status = OtherStuff(. . .)))
        goto Cleanup;

    InitContext.CreatedQueueObject = Object;
    Object = NULL;
    Status = STATUS_SUCCESS;

    if (Object != NULL)
    return Status;

My point is that deleting a WDF object isn’t just a problem invented by C++. Even if you write in C, you might still need to manually delete a WDF object in an error path. Yes, WDF will clean all things up eventually. But if you parent everything to your device object, then the cleanup won’t happen until the device is unloaded, which for some types of devices, is indistinguishable from a permanent memory leak. (If you’re writing a driver for a simple USB gadget, maybe you don’t need to worry about error handling. But if you’re writing hardened OS components, you need to make sure that there’s not some error path that just accumulates an unbounded number of dead WDF objects.)

Switching to a different error handling idiom warps your brain a bit, and it won’t feel right at first. The only advice I can give there is that, if you’re going to try a new error handling style, commit to it. Don’t try to mix two error handling styles (goto-cleanup and C++ RAII, or whatever.)

One caveat. Since WDF forces you to use its cleanup idiom, you’re going to be forced to mix the WDF ownership model with the cleanup idiom you use for the rest of the code. (The example above demonstrates that: in the success case, the WDFOBJECT will get deleted by WDF when its parent is deleted. In a failure case, the WDFOBJECT is manually deleted by the goto-cleanup idiom. So there’s 2 very different ways this thing can get deleted.)

For a codebase that wants to primarily use C++ RAII, the same problem exists. I use something like this to bridge the gap:

    attributes.EvtDestroyCallback = [](WDFOBJECT obj) { MyGetContext(obj)->~MyContext(); };

which uses a gratuitous lambda, just to annoy people who aren’t already neck-deep in C++ :wink:

Thanks, Mr. Sirotnikov and Mr. Tippet. Much appreciated.

The real-world example was exactly what I needed. I was missing the (key) concept that in this new paradigm, if you want to the object to persist beyond the current scope, you explicitly transfer its ownership. Sort of an important concept, that. It’s effectively the reverse of the “old way”, which is, we assume the object will be retained when we leave the current scope and if we want to return it we need to explicitly do so before we leave.

While I recognize this pattern could potentially reduce some leaks perhaps brought about by sloppy cut/paste, I sadly find myself struggling to get enthused enough about it to foist in on my colleagues.

But if you’re writing hardened OS components, you need to make sure that there’s not some error path that just accumulates an unbounded number of dead WDF objects.)

Yes, yes… sure, obviously. You’re preaching to the converted here Mr. Tippet. I didn’t say, or at least I didn’t intend to say, “parent everything on the WDFDEVICE and you’ll never have to worry about it.” As you said, " deleting a WDF object isn’t just a problem invented by C++" – but outside of WDF Objects that are designed to be “used and discarded” (WDFSTRING comes to mind) it’s reasonably rare to call WdfObjectDelete. If I can’t allocate my WDFCOMMONBUFFER, or my WDFDMAENABLER I’m going to fail to load my driver. I can’t believe any other driver is going to do anything different. If I can’t build a WDFDMATRANSACTION for a given Request, I’m going to fail the Request. That seems eminently reasonable to me.

Anyhow, it seems like this is only really “worth it” if you got the whole way and do:

   PVOID* ptr = ExAlloc(....)

as Mr. Sirotnikov illustrated, and was pleasant enough to note that “this style is very much a matter of taste” – and that is definitely not to my taste. When my eyes scan that code above quickly, all I see is a whole lot of “RETURN_ON_ERROR” AND “RETURN_IF_NULL” … with the actual WORK the code does buried in some arguments somewhere. Ah… this is why variety is the spice of life.

Thank you both for the help. It is now clear that I don’t need to concern myself with “wil” for the present time. Thus, I am now free to return to banging my fucking head against the wall trying to make clang-format (as packaged in VS 2019) actually do what I want it to do. Because, you know, that’s something easy to accomplish.


Personally I think the macros and the c++ objects and wrappers are orthogonal. You can still avoid much of the cleanup code, and the error handling by using RAIII alone, and I found that using OO concepts often helps work with better abstractions and keeping the code readable. The macros, I agree are an issue. It’s not easy for me too, and I haven’t committed to it. At the same time I also don’t like the ~if(error) { … 4 lines of logging and cleanup }~ blocks of error handling that bloat short methods into monsters. So I’m willing to give the macros a shot.

blocks of error handling that bloat short methods into monsters

Hmmmm… but I would argue one wants to see all that code. It’s there, you’re responsible for making it work… might as well have it nice and clear and “in front of your face”, no??


When it has meaningful logic, sure. But plenty of times it’s a routine of log, set error and jump to cleanup, but it adds up. I guess maybe the golden path would be ~status = Func(…) if(status) LOG_AND_RETURN(…)~