FltReleaseContext confusion

Under WDK “Releasing Contexts”

“If the context is successfully set for the instance, FltSetInstanceContext
adds its own reference to the instance context.”

Then should the reference count added by FltSetInstanceContext not be
decremented by calling FltReleaseContext?

in the WDK ctx sample: in the InstanceTeardownComplete routine
FltReleaseContext is called only once which is actualy for
FltGetInstanceContext.
what about the 1 added by FltSetInstanceContext in the InstanceSetup
routine. Who is going to decrement that reference count?

i do understand that for successul call of FltSetInstanceContext, there must
be a call to FltReleaseContext
in the InstanceSetup routine and that it is to decrement the reference for
FltAllocateContext.

so should a successful call to FltSetInstanceContext in InstanceSetup
routine be matched by FltReleaseContext in
InstanceTeardownComplete routine.

IMO the documentation for the instance is badly phrased - it tries to tell
you what you should do, not what the calls do. This confused the heck out
of me when I started looking at it and appears to have done the same of many
others.

Me, I like to think about this in terms of a reference count and who “owns”
each count (actually when I write my own referenced objects I express that
in code and have multiple reference counts so when I lose a count I know
which path didn’t clear up behind itself).

When you call FltAllocateContext you get back a context with a reference of

1. You (the caller) own that count.

When you call FltReferenceContext you add another reference (which you own).

When you call FltSetXxxContext one of two things will happen. If the
“attach” works, then the reference count is incremented, but that reference
count is “owned” by the data structure you are attached to (FsContext for
StreamContexts, FsContext2 for StreamHandleContext, and so forth). If the
“attach” failed then no reference count is added, but you still own any
reference counts you had when the function was called.

Time will pass and eventuall the data structure which owns that extra
reference count we added via FltSetXxxContext will go away. As it goes away
it will drop its reference count.

So after calling FltSetXxxContext you only need to down the count once (for
the count you added when you created the context). If the attach worked
then the context is still referenced, if not it will just go away.

Where the confusion starts is when you try to set a context, but one exists
and you asked to get that back. In this case the context you passed in will
not have the ref added for the backing structure (but you still need to
dereference it), but also you will get back the context that really backs
that data structure. FltSetXxxContext will give you that one back, but it
will reference it for you first. Similar logic holds if you are asking to
replace a context.

The most confusing calls for some people are the FltDeleteXXX and
FltReleaseXXX calls. The former detaches the data structure from the
context and deferences it (it may well drop your reference as well - the
documentation infers that it does but I’ve not checked). The latter just
drops your reference on the structure. You will very very rarely need to
call the former.

There *should* be a useful windbg extension to help you with all this, but
it requires symbols which are not exported (I’m not sure which is the most
frustrating, not having a tool, or knowing that there is a tool but you
have been denied access to it). For the purposes of experiementation, it
appears that the reference count is the first ULONG in front of the context.

The docs say, right away:
“After calling FltSetInstanceContext, the caller must call FltReleaseContext to
decrement the reference count on NewContext, even if the call to
FltSetInstanceContext was unsuccessful.”
So, YES, you must call FltReleaseContext after FltSetxxxContext.

Mani wrote:

Under WDK “Releasing Contexts”

“If the context is successfully set for the instance, FltSetInstanceContext
adds its own reference to the instance context.”

Then should the reference count added by FltSetInstanceContext not be
decremented by calling FltReleaseContext?

in the WDK ctx sample: in the InstanceTeardownComplete routine
FltReleaseContext is called only once which is actualy for
FltGetInstanceContext.
what about the 1 added by FltSetInstanceContext in the InstanceSetup
routine. Who is going to decrement that reference count?

i do understand that for successul call of FltSetInstanceContext, there must
be a call to FltReleaseContext
in the InstanceSetup routine and that it is to decrement the reference for
FltAllocateContext.

so should a successful call to FltSetInstanceContext in InstanceSetup
routine be matched by FltReleaseContext in
InstanceTeardownComplete routine.

---

NTFSD is sponsored by OSR

For our schedule debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

You are currently subscribed to ntfsd as: xxxxx@alfasp.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

–
Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
http://www.alfasp.com
File system audit, security and encryption kits.

Very nice explanation Rod.

just to confirm following is the brief pseudocode:

InstanceSetupRoutine()
{
FltAllocateContext(…);
//assume FltAllocateContext succeeds
FltSetInstanceContext(FLT_SET_CONTEXT_REPLACE_IF_EXISTS);
//OldContext is NULL
//assume FltSetInstanceContext succeeds

FltReleaseContext(); //this is for FltAllocateContext and not for
FltSetInstanceContext
}

InstanceTearDownComplete()
{
FltGetInstanceContext(…);
//assume FltGetContext succeeds
…Some code on the instance context…

FltReleaseContext(); //this is for above FltGetInstanceContext and
not for FltSetInstanceContext which had incremented the reference count in
InstanceSetupRoutine
}

conclusion==>
so there is no need to call FltReleaseContext for FltSetInstanceContext
(called in InstanceSetupRoutine).
The reference count incremented by FltSetInstanceContext will be decremented
by system and not by us.

…I HOPE I HAVE GOT IT RIGHT…

“Rod Widdowson” wrote in message
news:xxxxx@ntfsd…
> IMO the documentation for the instance is badly phrased - it tries to tell
> you what you should do, not what the calls do. This confused the heck out
> of me when I started looking at it and appears to have done the same of
> many others.
>
> Me, I like to think about this in terms of a reference count and who
> “owns” each count (actually when I write my own referenced objects I
> express that in code and have multiple reference counts so when I lose a
> count I know which path didn’t clear up behind itself).
>
> When you call FltAllocateContext you get back a context with a reference
> of 1. You (the caller) own that count.
>
> When you call FltReferenceContext you add another reference (which you
> own).
>
> When you call FltSetXxxContext one of two things will happen. If the
> “attach” works, then the reference count is incremented, but that
> reference count is “owned” by the data structure you are attached to
> (FsContext for StreamContexts, FsContext2 for StreamHandleContext, and so
> forth). If the “attach” failed then no reference count is added, but you
> still own any reference counts you had when the function was called.
>
> Time will pass and eventuall the data structure which owns that extra
> reference count we added via FltSetXxxContext will go away. As it goes
> away it will drop its reference count.
>
> So after calling FltSetXxxContext you only need to down the count once
> (for the count you added when you created the context). If the attach
> worked then the context is still referenced, if not it will just go away.
>
> Where the confusion starts is when you try to set a context, but one
> exists and you asked to get that back. In this case the context you
> passed in will not have the ref added for the backing structure (but you
> still need to dereference it), but also you will get back the context that
> really backs that data structure. FltSetXxxContext will give you that one
> back, but it will reference it for you first. Similar logic holds if you
> are asking to replace a context.
>
> The most confusing calls for some people are the FltDeleteXXX and
> FltReleaseXXX calls. The former detaches the data structure from the
> context and deferences it (it may well drop your reference as well - the
> documentation infers that it does but I’ve not checked). The latter just
> drops your reference on the structure. You will very very rarely need to
> call the former.
>
> There should be a useful windbg extension to help you with all this, but
> it requires symbols which are not exported (I’m not sure which is the most
> frustrating, not having a tool, or knowing that there is a tool but you
> have been denied access to it). For the purposes of experiementation, it
> appears that the reference count is the first ULONG in front of the
> context.
>
>

but if you read it carefully under “Releasing Contexts” you will understand
that the
FltReleaseContext is for FltAllocateContext (which was called before
FltSetInstanceContext)

i.e. even if FltSetInstanceContext fails we have to decrement the ref cnt
incremented by FltAllocateContext.
if FltSetInstanceContext succeeds then also we have to decrement the ref cnt
incremented by FltAllocateContext.

“Dejan Maksimovic” wrote in message news:xxxxx@ntfsd…
>
> The docs say, right away:
> “After calling FltSetInstanceContext, the caller must call
> FltReleaseContext to
> decrement the reference count on NewContext, even if the call to
> FltSetInstanceContext was unsuccessful.”
> So, YES, you must call FltReleaseContext after FltSetxxxContext.
>
> Mani wrote:
>
>> Under WDK “Releasing Contexts”
>>
>> “If the context is successfully set for the instance,
>> FltSetInstanceContext
>> adds its own reference to the instance context.”
>>
>> Then should the reference count added by FltSetInstanceContext not be
>> decremented by calling FltReleaseContext?
>>
>> in the WDK ctx sample: in the InstanceTeardownComplete routine
>> FltReleaseContext is called only once which is actualy for
>> FltGetInstanceContext.
>> what about the 1 added by FltSetInstanceContext in the InstanceSetup
>> routine. Who is going to decrement that reference count?
>>
>> i do understand that for successul call of FltSetInstanceContext, there
>> must
>> be a call to FltReleaseContext
>> in the InstanceSetup routine and that it is to decrement the reference
>> for
>> FltAllocateContext.
>>
>> so should a successful call to FltSetInstanceContext in InstanceSetup
>> routine be matched by FltReleaseContext in
>> InstanceTeardownComplete routine.
>>
>> —
>> NTFSD is sponsored by OSR
>>
>> For our schedule debugging and file system seminars
>> (including our new fs mini-filter seminar) visit:
>> http://www.osr.com/seminars
>>
>> You are currently subscribed to ntfsd as: xxxxx@alfasp.com
>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>
> –
> Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
> http://www.alfasp.com
> File system audit, security and encryption kits.
>
>
>

> The reference count incremented by FltSetInstanceContext will be

decremented by system and not by us.

Yup.

You have to call it exactly ONCE after FltSetxxxContext, regardless. Others
have explained it quite nicely, more than my “quote the quote”

Mani wrote:

but if you read it carefully under “Releasing Contexts” you will understand
that the
FltReleaseContext is for FltAllocateContext (which was called before
FltSetInstanceContext)

i.e. even if FltSetInstanceContext fails we have to decrement the ref cnt
incremented by FltAllocateContext.
if FltSetInstanceContext succeeds then also we have to decrement the ref cnt
incremented by FltAllocateContext.

“Dejan Maksimovic” wrote in message news:xxxxx@ntfsd…
> >
> > The docs say, right away:
> > “After calling FltSetInstanceContext, the caller must call
> > FltReleaseContext to
> > decrement the reference count on NewContext, even if the call to
> > FltSetInstanceContext was unsuccessful.”
> > So, YES, you must call FltReleaseContext after FltSetxxxContext.
> >
> > Mani wrote:
> >
> >> Under WDK “Releasing Contexts”
> >>
> >> “If the context is successfully set for the instance,
> >> FltSetInstanceContext
> >> adds its own reference to the instance context.”
> >>
> >> Then should the reference count added by FltSetInstanceContext not be
> >> decremented by calling FltReleaseContext?
> >>
> >> in the WDK ctx sample: in the InstanceTeardownComplete routine
> >> FltReleaseContext is called only once which is actualy for
> >> FltGetInstanceContext.
> >> what about the 1 added by FltSetInstanceContext in the InstanceSetup
> >> routine. Who is going to decrement that reference count?
> >>
> >> i do understand that for successul call of FltSetInstanceContext, there
> >> must
> >> be a call to FltReleaseContext
> >> in the InstanceSetup routine and that it is to decrement the reference
> >> for
> >> FltAllocateContext.
> >>
> >> so should a successful call to FltSetInstanceContext in InstanceSetup
> >> routine be matched by FltReleaseContext in
> >> InstanceTeardownComplete routine.
> >>
> >> —
> >> NTFSD is sponsored by OSR
> >>
> >> For our schedule debugging and file system seminars
> >> (including our new fs mini-filter seminar) visit:
> >> http://www.osr.com/seminars
> >>
> >> You are currently subscribed to ntfsd as: xxxxx@alfasp.com
> >> To unsubscribe send a blank email to xxxxx@lists.osr.com
> >
> > –
> > Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
> > http://www.alfasp.com
> > File system audit, security and encryption kits.
> >
> >
> >
>
> —
> NTFSD is sponsored by OSR
>
> For our schedule debugging and file system seminars
> (including our new fs mini-filter seminar) visit:
> http://www.osr.com/seminars
>
> You are currently subscribed to ntfsd as: xxxxx@alfasp.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com

–
Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
http://www.alfasp.com
File system audit, security and encryption kits.

In my application it seams to be that the context is newer released.
When I call FltGetStreamContext after several hours I get a context.

After how long time should it takes until the system is decrement the reference count and freeing the context? Is it minutes, hours or days?

Thanks
Mattias Bergkvist

>In my application it seams to be that the context is newer released.

When I call FltGetStreamContext after several hours I get a context.

After how long time should it takes until the system is decrement the reference count and freeing the context? Is it minutes, hours or days?

Has IRP_MJ_CLOSE come for that particular FILE_OBJECT?

Additionally, since this is a StreamContext, this is common to all FILE_OBJECTS representing that stream (file in your case).
So, if that file is opened again before the context is freed, it will have additional reference on it. And after that even if the original FILE_OBJECT is closed in this case, the Streamcontext will not be freed since there is one more reference to it because of the second FILE_OBJECT.

Regards,
Ayush Gupta

> After how long time should it takes until the system is decrement the

reference count and freeing the context? Is it minutes, hours or days?

Days, Weeks, Years ? As long as the system considers it useful to hold on
to the associate file object (assuming that you don’t have a reference leak
somewhere).

Think caching…

–
Rod Widdowson

Consulting Partner,
Steading System Software LLP
xxxxx@steadingsoftware.com
+44 1368 850787
+1 508 915 4790

Unloading your minifilter reveals misused context references. I make
unload/reload testing part of my standard regression tests for every change
I make.

On Jan 12, 2008 4:14 AM, Rod Widdowson wrote:

> > After how long time should it takes until the system is decrement the
> > reference count and freeing the context? Is it minutes, hours or days?
>
> Days, Weeks, Years ? As long as the system considers it useful to hold on
> to the associate file object (assuming that you don’t have a reference
> leak
> somewhere).
>
> Think caching…
>
>
> –
> Rod Widdowson
>
> Consulting Partner,
> Steading System Software LLP
> xxxxx@steadingsoftware.com
> +44 1368 850787
> +1 508 915 4790
>
>
>
> —
> NTFSD is sponsored by OSR
>
> For our schedule debugging and file system seminars
> (including our new fs mini-filter seminar) visit:
> http://www.osr.com/seminars
>
> You are currently subscribed to ntfsd as: xxxxx@hollistech.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>

–
Mark Roddy