EXCEPTION_CONTINUE_EXECUTION in kernel-mode

Hi

" Presumably, if a driver were able to resolve the cause of the exception it might be possible to use EXCEPTION_CONTINUE_EXECUTION, but we have yet to see a case where this is done successfully within a driver. Perhaps one of our loyal readers would like to prove us wrong by sending in a sample!"
http://www.osronline.com/article.cfm?id=58

Also, Programming the Microsoft Windows Driver Model book says:
“You should not return EXCEPTION_CONTINUE_EXECUTION in kernel mode because you have no way to alter the conditions that caused the exception in order to allow a retry to occur”

Why is there a way to alter the conditions in user-mode but not in kernel-mode?

The worst that can happen in user mode on continue is that app dies. In km, you continue and bug check

d

debt from my phone

From: xxxxx@gmail.com
Sent: 7/19/2012 10:38 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] EXCEPTION_CONTINUE_EXECUTION in kernel-mode

Hi

" Presumably, if a driver were able to resolve the cause of the exception it might be possible to use EXCEPTION_CONTINUE_EXECUTION, but we have yet to see a case where this is done successfully within a driver. Perhaps one of our loyal readers would like to prove us wrong by sending in a sample!"
http://www.osronline.com/article.cfm?id=58

Also, Programming the Microsoft Windows Driver Model book says:
“You should not return EXCEPTION_CONTINUE_EXECUTION in kernel mode because you have no way to alter the conditions that caused the exception in order to allow a retry to occur”

Why is there a way to alter the conditions in user-mode but not in kernel-mode?

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

On 19-Jul-2012 20:38, xxxxx@gmail.com wrote:

Hi

" Presumably, if a driver were able to resolve the cause of the exception it might be possible to use EXCEPTION_CONTINUE_EXECUTION, but we have yet to see a case where this is done successfully within a driver. Perhaps one of our loyal readers would like to prove us wrong by sending in a sample!"
http://www.osronline.com/article.cfm?id=58

Also, Programming the Microsoft Windows Driver Model book says:
“You should not return EXCEPTION_CONTINUE_EXECUTION in kernel mode because you have no way to alter the conditions that caused the exception in order to allow a retry to occur”

Why is there a way to alter the conditions in user-mode but not in kernel-mode?

Possibility to continue execution depends on the exception nature.
As Doron wrote, handable exceptions in kernel are raised in very limited
situations, and these do not have reasonable ways to resume.
(though one can, of course, invent some artificial example - like
“fixing” AV).

Enjoy your studies,
– pa

Also, this may be interesting to you:
http://www.codeproject.com/Articles/22801/Drivers-Exceptions-and-C

– pa

On 19-Jul-2012 21:44, Pavel A wrote:

On 19-Jul-2012 20:38, xxxxx@gmail.com wrote:
> Hi
>
> " Presumably, if a driver were able to resolve the cause of the
> exception it might be possible to use EXCEPTION_CONTINUE_EXECUTION,
> but we have yet to see a case where this is done successfully within a
> driver. Perhaps one of our loyal readers would like to prove us wrong
> by sending in a sample!"
> http://www.osronline.com/article.cfm?id=58
>
> Also, Programming the Microsoft Windows Driver Model book says:
> “You should not return EXCEPTION_CONTINUE_EXECUTION in kernel mode
> because you have no way to alter the conditions that caused the
> exception in order to allow a retry to occur”
>
> Why is there a way to alter the conditions in user-mode but not in
> kernel-mode?
>

Possibility to continue execution depends on the exception nature.
As Doron wrote, handable exceptions in kernel are raised in very limited
situations, and these do not have reasonable ways to resume.
(though one can, of course, invent some artificial example - like
“fixing” AV).

Enjoy your studies,
– pa

Thanks friends

I would say that the presumption in user mode is that you can actually see
the code that raised the exception and can, at the appropriate place after
the RaiseException, put code that “fixes” the problem so you can tey
again. But when some low-level function in the kernel finally raises an
exception, it almost certainly has no recovery code following the
RaiseException, so continuing at that point makes no sense.

Back in the 1970s, when we were beginning to deal with the complexity of
what was then called “programming in the large”, several important ideas
emerged. One was the [in]famous “goto” controversy; sadly, far too much
Microsoft code uses gotos when there are cleaner ways to deal with the
problem. Then there was the “global variables considered harmful” paper,
which resulted in concepts like keeping state inside objects. One that
never quite made it was the consequences of using exceptions as control
structures. It is hard enough to comprehend a piece of code, but when
something that code calls can throw an exception, you usually end up with
an unmaintainable mess. Not because exceptions are harmful, per se, but
because poor use of them and poor documentation can result in really nasty
surprises.

For a period of ten years I worked in languages that had exceptions as a
formal syntactic structure in the language. Of all the languages I worked
in, the one with continuable exceptions, which, alas, many programers
thought was “cool”, resulted in the most incomprehensible,
least-cost-effective, totally unmaintainable messes it has ever been my
misfortune to have to debug. Usually, the first thing I did was find all
the places where that language’s EXCEPTION_CONTINUE_EXECUTION occurred,
and carefully rip out all that code and the “recovery” code, and that was
often faster than finding the actual bug (it did take me a couple years to
get management to recognize this was the only valid approach).

Have you ever heard of the COMEFROM statement? Take a language like
BASIC, with line numbers. Remove the GOTO from the language because We
Know Gotos Are Bad. Instead, add a COMEFROM statement. COMEFROM 500
meant that after executing line 500, control would transfer to the
COMEFROM statement. We would have discussions that led to “the computed
COMEFROM”, how to handle multiple COMEFROMs from the same line, and other
fine points of semantics. The best discussions happened only after the
majority of participants had four or five beers.

Recoverable exceptions make programs written using COMEFROM look like
models of clear and lucid programming. Been there, done that. The only
people who think recoverable exceptions make sense are those who never had
to write, debug, and/or maintain such programs

joe

Hi

" Presumably, if a driver were able to resolve the cause of the exception
it might be possible to use EXCEPTION_CONTINUE_EXECUTION, but we have yet
to see a case where this is done successfully within a driver. Perhaps
one of our loyal readers would like to prove us wrong by sending in a
sample!"
http://www.osronline.com/article.cfm?id=58

Also, Programming the Microsoft Windows Driver Model book says:
“You should not return EXCEPTION_CONTINUE_EXECUTION in kernel mode because
you have no way to alter the conditions that caused the exception in order
to allow a retry to occur”

Why is there a way to alter the conditions in user-mode but not in
kernel-mode?

---

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

I used recoverable exceptions in usermode when I needed to emulate 32 MB of address space with unknown map in times when 64 MB of PC RAM was expensive. To avoid allocation of the whole 32 MB, I reserved that space, and committed the pages only on access violation exceptions, then execution was continuing.

I suspect that part of what made this work well was the fact that you had
only one exception value for your simulated page fault. Also, the
exception record gave the EIP of the offendin instruction. The complexity
goes up, I claim, as a power of the number of different exceptions, except
I’m not sure it is that simple. For example, with 0 exceptions, the
complexity is to the 0th power, pretty simple. But with four different
exception types, it is to-the-fourth-power more complex. A friend
suggested a formula which the number of exception sites times the number
of kinds of exceptions could be the true complexity measure.

Unfortunately, the “software physics” concept of analyzing a program to
determine its complexity pretty much fizzled out (or, as some of us think,
was proven to be as scientific as numerology) by the early 1980s, but
nobody has really come up with a respectable, or respected, complexity
measure since. The goto controversy was essentially one based on the
topology of the flow graph, and the global variables vs. modules was based
on rather simple metrics of connectivity and depedence (you should see the
abominations produced in applications written in C++, which boil down to
"If I manage to include enough header files, in the right order, to get it
to compile, there’s nothing wrong with writing
((MyApp *)AfxGetApp())->isActive = ((MyView
*)GetActiveView())->(CButton *)GetDlgItem(IDC_BUTTON3))->GetCheck() == FALSE;

Other than the fact that just about every token in the above string
represents a design error, there’s nothing wrong with it.

Mostly, the notion of complexity is some exponential function of the
number of potential dependencies between components.
Improper use of exceptions will certainy lead to this. Note that I
indicated there are rarevand exotic exceptions to this guideline, and the
commit-page handler certainly falls into that set of exceptions. But,
alas, most uses are badly designed and implemented, and undocumented.

You haven’t lived until you’ve tried to debug a parser that used
exceptions to resync the parse after a syntax error. No, make that
continuable exceptions, which were what they really used, and do it on a
nested syntax language. It was pitiful to watch the traces, Oe thing we
did discover in rewriting it was the code was so complex and convoluted
that it was, largely, wrong.

joe

I used recoverable exceptions in usermode when I needed to emulate 32 MB
of address space with unknown map in times when 64 MB of PC RAM was
expensive. To avoid allocation of the whole 32 MB, I reserved that
space,
and committed the pages only on access violation exceptions, then
execution was continuing.

---

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Committing pages on demand doesn’t actually save any physical memory (because physical pages are allocated on first access, not when virtual memory is committed).

It does reduce commit charge which is also nice, but not quite as important as saving real memory. You don’t pay any penalty for extra commit until you actually hit the limit, and the limit can be increased by simply making the pagefile bigger.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@broadcom.com
Sent: Friday, July 20, 2012 7:43 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] EXCEPTION_CONTINUE_EXECUTION in kernel-mode

I used recoverable exceptions in usermode when I needed to emulate 32 MB of address space with unknown map in times when 64 MB of PC RAM was expensive. To avoid allocation of the whole 32 MB, I reserved that space, and committed the pages only on access violation exceptions, then execution was continuing.

>Committing pages on demand doesn’t actually save any physical memory (because
physical pages are allocated on first access, not when virtual memory is
committed).

That was run under Win9x with total 16 MB or so. So even limiting pagefile commit was important.

> Recoverable exceptions make programs written using COMEFROM look like

I agree.

Actually, the only benefits from MS’s SEH in C and of C++ exceptions are:

a) the code is not overburdened with the error handling.
b) they are “on by default”, you cannot forget to handle the return-value-based error.

Nevertheless, without the full state management and rollback in exception path, they do not provide robust error handling magically.

Only exceptions in managed languages do this.

–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com