Class pointer variable value getting corrupted after calling CreatePreAllocatedWdfMemory

Hi,

I have a pointer variable whose memory is allocated at the time of the class constructor and freed when the device is removed, i.e. in the destructor.

I am facing a typical problem wherein, when I call the CreatePreAllocatedWdfMemory() function, the contents of the memory to which the pointer was pointing get corrupted.

Is there any restriction on the device's preallocated memory [preallocated memory size]?
So can you tell me why this happens?

Basically I am using the CreatePreAllocatedWdfMemory call to create the memory object which will be used for creating the request and sending it to the lower driver.

Please post the code. No, there are no limitations on the size of a preallocated buffer.

D

-----Original Message-----
From: xxxxx@gmail.com
To: Windows System Software Devs Interest List
Sent: 07/26/07 9:56 PM
Subject: [ntdev] Class pointer variable value getting corrupted after calling CreatePreAllocatedWdfMemory



NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Hi Doron ,

The code snippet is as below; it's a bit detailed I guess... I think it will give you a clear picture of how I am using the APIs.

I have a class:

class CNfcFunRtdReg
{
private:
    PCNfcFunctionDevice parentdevptr;
    phFriNfc_NdefReg_t *NdefReg;
    static PCNfcFunRtdReg ptRtdReg;
    CNfcFunRtdReg();
public:
    virtual ~CNfcFunRtdReg(VOID);
    static HRESULT GetInstance(PCNfcFunRtdReg *RtdReg);
    void SetDevicePointer(PCNfcFunctionDevice device);
    NFCSTATUS phNfc4Win_AddRTD(NFC_RTD_INFORMATION RTD);
};
The structure looks like this:

typedef struct phFriNfc_NdefReg
{
    phFriNfc_NdefReg_Cb_t *NdefTypeList;   /**< \internal List of Callback Structures (Listeners). */
    uint8_t               *NdefData;       /**< \internal Data to process. */
    uint32_t               NdefDataLength; /**< \internal Length of the NDEF data. */
} phFriNfc_NdefReg_t;

and in the add function:

NFCSTATUS CNfcFunRtdReg::phNfc4Win_AddRTD(NFC_RTD_INFORMATION RTD)
{
    NFCSTATUS Result = NFCSTATUS_INVALID_PARAMETER;
    phFriNfc_NdefReg_Cb_t *LocalCb = NULL;

    uint8_t RTDPresent = 0;
    LocalCb = (phFriNfc_NdefReg_Cb_t*)malloc(10*sizeof(phFriNfc_NdefReg_Cb_t));

    if (0 == RTDPresent && (LocalCb != NULL))
    {
        /* Set the callback structure variable */
        LocalCb = (phFriNfc_NdefReg_Cb_t*)malloc(10*sizeof(phFriNfc_NdefReg_Cb_t));
        LocalCb->NdefType[0] = RTD.Type;
        LocalCb->NdeftypeLength[0] = RTD.TypeLength;
        LocalCb->Tnf[0] = RTD.Tnf;
        LocalCb->NumberOfRTDs = 1;
        LocalCb->NdefCallback = (pphFriNfc_NdefReg_Cb_t)(phNfc4Win_Callback);
        /* Add to the list */
        Result = phFriNfc_NdefReg_AddCb(NdefReg, LocalCb);
    }
    else
    {
        /* RTD already registered */
    }
    return Result;
}

The function phFriNfc_NdefReg_AddCb(NdefReg, LocalCb) assigns the pointer value to the defined structure:

    NdefReg->NdefTypeList = LocalCb;

Till this point the content is proper, but later when I start processing the next call,

CNfcFunStateMgr::phNfc4Win_Discovery( PVOID reqdata,
                                      PVOID inbuf,
                                      SIZE_T insize,
                                      PVOID outbuf,
                                      SIZE_T outsize,
                                      SIZE_T *Information)
{
    if(insize < sizeof(_NFC_REMOTE_DEVICE_DISCOVERY))
    {
        hr = HRESULT_FROM_WIN32(ERROR_INSUFFICIENT_BUFFER);
    }
    else
    {
        status = NFCSTATUS_INVALID_CMD_REQUEST;
#if DEBUG
        if( DevAbscent == tmpstate.DevState)
        {
            prmdevinfo = ((NFC_REMOTE_DEVICE_DISCOVERY *)inbuf);
            //ndefrtd = (NFC_RTD_INFORMATION *)malloc(sizeof(NFC_RTD_INFORMATION));
            ndefrtd.Tnf = prmdevinfo->asocinfo.Tnf;
            memcpy(ndefrtd.Type, prmdevinfo->asocinfo.Type, prmdevinfo->asocinfo.TypeLength);
            ndefrtd.TypeLength = prmdevinfo->asocinfo.TypeLength;

            this->ParentDevice->SetRmDiscInfo(prmdevinfo);
            this->ParentDevice->GetDiscoveryMask(&holdmask);
            holdmask = (holdmask | prmdevinfo->Discoverytype);
            this->ParentDevice->SetDiscoveryMask(&holdmask);
            pholdnrbio->phNfc4Win_NfcDrvCreateRequest( reqdata,
                                                       NFC_WIN_START_AUTO_DISCOVERY,
                                                       inbuf,
                                                       insize);
            hr = pholdnrbio->phNfc4Win_NfcDrvSubmitrequest ( this->ParentDevice->GetFxDevice(),
                                                             this->ParentDevice->GetFileObject(),
                                                             reqdata);
            if(SUCCEEDED(hr))
            {
                status = NFCSTATUS_SUCCESSFUL;
            }
            else
            {
                status = Nrb->status;
            }
            if(prmdevinfo->Discoverytype == NDEFRtdDiscType)
            {
                if(!this->ParentDevice->m_RtdReg->phNfc4Win_AddRTD(ndefrtd))
                {
                    status = NFCSTATUS_SUCCESSFUL;
                }
            }
        }
#endif
    }
}

After the call to pholdnrbio->phNfc4Win_NfcDrvSubmitrequest is made, wherein the request is created by creating the memory object. So when I call

    hr = this->holdDevice->m_Driver->CreatePreallocatedWdfMemory( (BYTE *)Reqdata,
                                                                 sizeof(Reqdata),
                                                                 NULL, //pCallbackInterface
                                                                 NULL, //pParetObject
                                                                 &m_SendMem );

function, the value of NdefReg->NdefTypeList gets corrupted...

So can you please tell me what might be the reason behind it.

Sorry but I don't have the time to decipher all of your code; it is a
bit complicated and hard for me to read. I would recommend that you set
a memory breakpoint on the memory that you think is being corrupted by
UMDF (in this case the offset of NdefTypeList in NdefReg). In windbg
you would use the following:

ba w4

You can find the offset by using the dt command on the NdefReg variable.

d

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Saturday, July 28, 2007 12:12 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Class pointer variable value getting corrupted after calling CreatePreAllocatedWdfMemory


xxxxx@gmail.com wrote:

Hi Doron ,

The code snippet is as below; it's a bit detailed I guess... I think it will give you a clear picture of how I am using the APIs.

NFCSTATUS CNfcFunRtdReg::phNfc4Win_AddRTD(NFC_RTD_INFORMATION RTD)
{
    NFCSTATUS Result = NFCSTATUS_INVALID_PARAMETER;
    phFriNfc_NdefReg_Cb_t *LocalCb = NULL;

    uint8_t RTDPresent = 0;
    LocalCb = (phFriNfc_NdefReg_Cb_t*)malloc(10*sizeof(phFriNfc_NdefReg_Cb_t));

This is a bug. You will leak this memory every time. If you take the
“if”, you immediately call malloc again. If not, you exit the routine.
In either case, this memory will never be freed.

I certainly hope I never have to maintain this code, because it reads
like a cat walked randomly over the keyboard. CNfcFunRtdReg?
phNfc4Win_AddRTD? I ought to be able to guess what each function does
just from its name. In this case, I have no clue, and of course there
are no comments. Long identifiers do not cost any more than short
identifiers. Please use whole words in your class and function names,
or at least obvious abbreviations, and some kind of naming convention.
I can’t tell what is a type, what is a local variable, and what is a
member variable. And I wasted a bit of time analyzing this because I
assumed that “phFriNfc_NdefReg_Cb_t” was a pointer, since it started with
“p”.

Is this a UMDF driver?

    if (0 == RTDPresent && (LocalCb != NULL))
    {
        /* Set the callback structure variable */
        LocalCb = (phFriNfc_NdefReg_Cb_t*)malloc(10*sizeof(phFriNfc_NdefReg_Cb_t));
        LocalCb->NdefType[0] = RTD.Type;
        LocalCb->NdeftypeLength[0] = RTD.TypeLength;
        LocalCb->Tnf[0] = RTD.Tnf;
        LocalCb->NumberOfRTDs = 1;
        LocalCb->NdefCallback = (pphFriNfc_NdefReg_Cb_t)(phNfc4Win_Callback);
        /* Add to the list */
        Result = phFriNfc_NdefReg_AddCb(NdefReg, LocalCb);
    }

You allocate room for 10 structures, but you only initialize one. The
other 9 will contain garbage. Is there a reason you don’t use “new”
instead of “malloc”?
LocalCb = new phFriNfc_NdefReg_Cb_t[10];

That still doesn’t initialize to zero, but at least it will flag an
error if you use the wrong types.

Till this point the content is proper, but later when I start processing the next call,

CNfcFunStateMgr::phNfc4Win_Discovery( PVOID reqdata,
                                      PVOID inbuf,
                                      SIZE_T insize,
                                      PVOID outbuf,
                                      SIZE_T outsize,
                                      SIZE_T *Information)
{
    if(insize < sizeof(_NFC_REMOTE_DEVICE_DISCOVERY))
    {
        hr = HRESULT_FROM_WIN32(ERROR_INSUFFICIENT_BUFFER);
    }
    else
    {
        status = NFCSTATUS_INVALID_CMD_REQUEST;
#if DEBUG
        if( DevAbscent == tmpstate.DevState)
        {
            prmdevinfo = ((NFC_REMOTE_DEVICE_DISCOVERY *)inbuf);
            //ndefrtd = (NFC_RTD_INFORMATION *)malloc(sizeof(NFC_RTD_INFORMATION));
            ndefrtd.Tnf = prmdevinfo->asocinfo.Tnf;
            memcpy(ndefrtd.Type, prmdevinfo->asocinfo.Type, prmdevinfo->asocinfo.TypeLength);
            ndefrtd.TypeLength = prmdevinfo->asocinfo.TypeLength;

            this->ParentDevice->SetRmDiscInfo(prmdevinfo);
            this->ParentDevice->GetDiscoveryMask(&holdmask);
            holdmask = (holdmask | prmdevinfo->Discoverytype);
            this->ParentDevice->SetDiscoveryMask(&holdmask);

Why do you keep saying “this->ParentDevice” instead of just
“ParentDevice”? There are a few circumstances where this-> can make the
code easier to read, but I don’t think this is one of them.

Where does ndefrtd come from? The malloc here (which should probably be
a “new”) is commented out.

            pholdnrbio->phNfc4Win_NfcDrvCreateRequest( …
            hr = pholdnrbio->phNfc4Win_NfcDrvSubmitrequest ( …
            if(prmdevinfo->Discoverytype == NDEFRtdDiscType)
            {
                if(!this->ParentDevice->m_RtdReg->phNfc4Win_AddRTD(ndefrtd))
                {
                    status = NFCSTATUS_SUCCESSFUL;
                }
            }
        }
    }
}

After the call to pholdnrbio->phNfc4Win_NfcDrvSubmitrequest is made, wherein the request is created by creating the memory object. So when I call

    hr = this->holdDevice->m_Driver->CreatePreallocatedWdfMemory( (BYTE *)Reqdata,
                                                                 sizeof(Reqdata),
                                                                 NULL, //pCallbackInterface
                                                                 NULL, //pParetObject
                                                                 &m_SendMem );

function, the value of NdefReg->NdefTypeList gets corrupted...

Where do you call that? It’s certainly not shown here. The call to
phNfc4Win_AddRTD happens after the call to create and submit the
request. Are you sure things are in the proper order here?


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
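The leak and the nine uninitialised slots Tim points out in phNfc4Win_AddRTD, reduced to a runnable C++ comparison with a corrected form beside it. This is an added example, not code from the thread or from the NXP library; the struct fields, the stand-in type names (NdefRegCb, NdefReg, RtdInfo) and the allocation counters are assumptions made so it runs stand-alone.

```cpp
#include <cstdint>
#include <cstdlib>
#include <new>
// Assumed minimal shape of phFriNfc_NdefReg_Cb_t: only the fields the posted
// code touches are modelled, one slot per registered RTD.
struct NdefRegCb {
    const uint8_t *NdefType[1];
    uint32_t       NdefTypeLength[1];
    uint8_t        Tnf[1];
    uint8_t        NumberOfRTDs;
    void         (*NdefCallback)(void);
};
struct NdefReg { NdefRegCb *NdefTypeList; };                 // stand-in for phFriNfc_NdefReg_t
struct RtdInfo { const uint8_t *Type; uint32_t TypeLength; uint8_t Tnf; };
int g_blocksAllocated = 0;   // instrumentation only, so the leak is measurable
int g_blocksFreed = 0;
static void StubCallback(void) {}

// The posted pattern, reduced to its shape: the block from the first malloc is
// overwritten by the second before anyone can free it, and slots 1..9 keep
// whatever malloc handed back (the second result is not re-checked, as posted).
NdefRegCb *AddRtdLeaky(NdefReg *reg, RtdInfo rtd) {
    NdefRegCb *cb = (NdefRegCb*)malloc(10 * sizeof(NdefRegCb)); ++g_blocksAllocated;
    if (cb != NULL) {
        cb = (NdefRegCb*)malloc(10 * sizeof(NdefRegCb)); ++g_blocksAllocated;   // first block leaked
        cb->NdefType[0] = rtd.Type; cb->NdefTypeLength[0] = rtd.TypeLength;
        cb->Tnf[0] = rtd.Tnf; cb->NumberOfRTDs = 1; cb->NdefCallback = StubCallback;
        reg->NdefTypeList = cb;
    }
    return cb;
}
// Hardened form: "already registered" is derived from the list itself, there
// is exactly one allocation, new[]() value-initialises all ten slots to zero,
// and the registry owns the block until ReleaseRtdList (the destructor's job).
bool AddRtdFixed(NdefReg *reg, RtdInfo rtd) {
    if (reg->NdefTypeList != nullptr) return false;            // RTD already registered
    NdefRegCb *cb = new (std::nothrow) NdefRegCb[10]();
    if (cb == nullptr) return false;
    ++g_blocksAllocated;
    cb->NdefType[0] = rtd.Type; cb->NdefTypeLength[0] = rtd.TypeLength;
    cb->Tnf[0] = rtd.Tnf; cb->NumberOfRTDs = 1; cb->NdefCallback = StubCallback;
    reg->NdefTypeList = cb;
    return true;
}
void ReleaseRtdList(NdefReg *reg) {
    if (reg->NdefTypeList != nullptr) { delete[] reg->NdefTypeList; reg->NdefTypeList = nullptr; ++g_blocksFreed; }
}
```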