Ah! I just read Mr. Penguin Pants’ arguments FOR C and AGAINST C++ in kernel-mode programming.
His arguments were from 2007 and 2004, respectively. So, more than 10 years ago. They SOUND like they were written more than 10 years ago. Ten years ago, I would have agreed with him… which is really saying something, because I didn’t think there was a SINGLE topic that Penguin Pants and I could agree on. Live and learn, huh?
Back in 2004, efficiency in kernel programming was *extremely* important. We were also still in an era when we could count on C Language kernel-mode programmers as being both disciplined and competent. We could assume they knew what they were doing. It was the waning edge of that era, but it was nonetheless still that era.
Welcome to 2018. In my experience, we can no longer assume kernel mode programmers are competent, disciplined or *really* understand what they’re doing, REGARDLESS of the language we force them to use. Whether we like it or not, there are people from the subset of C++ programmers who don’t know what a memory address is and probably don’t truly understand pointers, who WILL write drivers. They just view C as as “poor subset of C++” and carry on.
In other words, restricting the interface to C Language won’t keep the incompetent, careless, or lazy out of the kernel. It won’t stop the people who don’t understands what an operating system is from writing drivers. It won’t prevent people with no concept of how memory management works, or the basics of Windows OS architecture, from cranking kernel-mode code.
As far as I’m concerned, the above is a given.
The four things we need to do about this are:
-
Dramatically decrease the requirement to write drivers in the first place. In case you haven’t noticed, this has been happening for a while. Thank you, WinUSB and class drivers and similar.
-
Dramatically decrease the requirement to write kernel-mode code. Thank you UMDF 2, for as far as it goes. But, until there’s a radio button that selects whether my driver builds in UMDF or KMDF, I do not view that work as being done (or sufficient).
-
Dramatically increase the simplicity or writing basic kernel-mode drivers. Thank you KMDF and Mini-Filter. There is still a lot of work that needs to be done here, but sadly the forward progress of WDF seems to be… ah… stalled at the moment. Which is too bad, because with the right evolution of the Framework, the change from WDF 1.x to WDF 2.x could achieve reliability gains almost on a par with the transition from WDM to WDF 1.x
There’s a corollary of this, by the way: The easier we make it to write kernel-mode drivers, the less knowledgeable individuals need to be to write them. Sadly, this often results in less than rigorous implementations. I see this every day, ESPECIALLY in the land of File System Mini-Filters. People look at the model, quickly grasp it, and think they can therefore write the Mini-Filter of their dreams. Maybe they can, but it depends on what they dream. Often: Surprise! Not so much.
- Make the system code, both kernel-mode and user-mode, dramatically more reliable and safer. This is what I wrote about above.
In summary, back in the day, we threw up enough barriers to entry that we could prevent all but “the worthy” from writing kernel-mode driver code. That no longer works, for a long list of reasons. We’ve got to live with this fact, and continue to address it. We have to make “shooting of feet” harder to accomplish.
Peter
OSR
@OSRDrivers