Hello,
I use the TraceLogging framework in my driver (based on KMDF and NetAdapterCx). When running HLK tests, many of them fail (for example, DF - PNP Surprise Remove Device Test (Reliability)) with the same error:
DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
Arg1: 00000000000000dc, Incorrect RegHandle value specified as parameter for EtwUnregister.
I call TraceLoggingRegister in DriverEntry and TraceLoggingUnregister in EvtDriverUnload:
    _Use_decl_annotations_
    VOID
    EvtDriverUnload(_In_ WDFDRIVER driver)
    {
        UNREFERENCED_PARAMETER(driver);
        TraceLoggingUnregister(OvpnTraceProvider);
    }

    NTSTATUS
    DriverEntry(_In_ PDRIVER_OBJECT driverObject, _In_ PUNICODE_STRING registryPath)
    {
        NTSTATUS status;
        BOOLEAN traceLoggingRegistered = FALSE;
        GOTO_IF_NOT_NT_SUCCESS(done, status, TraceLoggingRegister(OvpnTraceProvider));
        traceLoggingRegistered = TRUE;
        WDF_DRIVER_CONFIG driverConfig;
        WDF_DRIVER_CONFIG_INIT(&driverConfig, EvtDeviceAdd);
        driverConfig.EvtDriverUnload = EvtDriverUnload;
        GOTO_IF_NOT_NT_SUCCESS(done, status, WdfDriverCreate(driverObject, registryPath, &driverAttrs, &driverConfig, WDF_NO_HANDLE));
The stack trace doesn’t reveal much - it looks like the framework calls the driver’s Unload callback, which calls TraceLoggingUnregister, which triggers the verifier error:
2: kd> kn
# Child-SP RetAddr Call Site
00 fffffd8e`db110568 fffff807`68e66eb4 nt!KeBugCheckEx
01 fffffd8e`db110570 fffff807`68e6cc81 nt!VerifierBugCheckIfAppropriate+0xe0
02 fffffd8e`db1105b0 fffff807`68e7c713 nt!VfTargetEtwUnregister+0xb1
03 fffffd8e`db110600 fffff807`69ab6719 nt!VerifierEtwUnregister+0x13
04 (Inline Function) --------`-------- Wdf01000!FxDriverUnload::Invoke+0xc [minkernel\wdf\framework\shared\inc\private\common\FxDriverCallbacks.hpp @ 97]
05 fffffd8e`db110630 fffff80c`30268792 Wdf01000!FxDriver::Unload+0x285a9 [minkernel\wdf\framework\shared\core\fxdriver.cpp @ 189]
06 fffffd8e`db110680 ffffd389`ce291f30 ovpn_dco+0x8792
07 fffffd8e`db110688 ffffd389`ce291f30 0xffffd389`ce291f30
08 fffffd8e`db110690 ffffd389`ce291f10 0xffffd389`ce291f30
09 fffffd8e`db110698 00000000`00000000 0xffffd389`ce291f10
FxDriverUnload looks like this:

    //
    // Invoke the driver if they specified an unload routine.
    //
    if (pDriver->m_DriverUnload.Method) {
        pDriver->m_DriverUnload.Invoke(pDriver->GetHandle());
        DoTraceLevelMessage(pFxDriverGlobals, TRACE_LEVEL_VERBOSE, TRACINGDRIVER,
                            "Driver unload routine Exit WDFDRIVER %p, PDRIVER_OBJECT_UM %p",
                            pDriver->GetHandle(), DriverObject);
    }
m_DriverUnload is set to EvtDriverUnload in the same fxdriver.cpp file:

    m_DriverUnload.Method = Config->EvtDriverUnload;
And now the interesting part - this error doesn’t happen when testing the debug version of the driver, it happens only with the release one. Also, it doesn’t happen when the TraceLoggingRegister and TraceLoggingUnregister calls are commented out, but this is expected.
I’ve spent some time trying to reproduce this outside of HLK tests but haven’t had any luck. Has anybody experienced this with the TraceLogging framework? Any ideas why this happens with release only? Are there some easy ways to simulate “PNP Surprise Remove Device Test” manually, outside of HLK?