Forcibly paging an allocation.

Is there any way, for debug purposes, to force any pageable part of an
allocation to be paged? I know that there is the PAGED_CODE() macro to
detect when pageable code is being accessed at elevated IRQL. But I
want to test whether or not a buffer (or any part of it) is pageable.

Regards,

gmg.

Turn on driver verifier and the force paging option. Why do you want to detect a pageable address at runtime?

d

Sent from my phone


From: George M. Garner Jr.
Sent: 11/25/2011 9:40 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Forcibly paging an allocation.

Is there any way, for debug purposes, to force any pageable part of an
allocation to be paged? I know that there is the PAGED_CODE() macro to
detect when pageable code is being accessed at elevated IRQL. But I
want to test whether or not a buffer (or any part of it) is pageable.

Regards,

gmg.


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Thanks for responding, Doron. Unfortunately, I am not seeing a “force
paging” option. I see a “force irql checking” (bit 1). But that is
part of the standard settings and the standard settings are not
detecting what I want to find. An example error would be if you lock
down a buffer in an MDL but miscalculate the size through an arithmetic
error or simple typo. The memory manager locks down pages so a small
allocation will not generate a bugcheck unless it happens to span a
page, which is a matter of chance.

Could you give me a sample command line to force paging?

verifier /volatile /flags ?

Sorry if I am being obtuse.

Regards,

On 11/26/2011 12:47 AM, Doron Holan wrote:

Turn on driver verifier and the force paging option. Why do you want to
detect a pageable address at runtime?

d

Low resource simulation is what I believe forces IRQL changes to force page out pool and code

d

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of George M. Garner Jr.
Sent: Friday, November 25, 2011 10:01 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Forcibly paging an allocation.

Thanks for responding, Doron. Unfortunately, I am not seeing a “force
paging” option. I see a “force irql checking” (bit 1). But that is
part of the standard settings and the standard settings are not detecting what I want to find. An example error would be if you lock down a buffer in an MDL but miscalculate the size through an arithmetic error or simple typo. The memory manager locks down pages so a small allocation will not generate a bugcheck unless it happens to span a page, which is a matter of chance.

Could you give me a sample command line to force paging?

verifier /volatile /flags ?

Sorry if I am being obtuse.

Regards,


IRQL checking is what you want, but it only trims system pageable memory (e.g. paged pool and pageable code/data).

I’m not following your example about miscalculating MDL size. If MmProbeAndLockPages succeeds it’ll give you a valid MDL. If you then map this MDL and access it through the system mapping and you think the size is bigger than it actually is, you’ll crash or corrupt memory. But I don’t see how trimming the original user VAs would help you catch this sooner.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of George M. Garner Jr.
Sent: Friday, November 25, 2011 8:01 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Forcibly paging an allocation.

Thanks for responding, Doron. Unfortunately, I am not seeing a “force
paging” option. I see a “force irql checking” (bit 1). But that is
part of the standard settings and the standard settings are not detecting what I want to find. An example error would be if you lock down a buffer in an MDL but miscalculate the size through an arithmetic error or simple typo. The memory manager locks down pages so a small allocation will not generate a bugcheck unless it happens to span a page, which is a matter of chance.

Thanks Pavel, but IRQL checking is part of the standard settings which
are not doing what I need. MmProbeAndLockPages gives you a valid MDL
describing the number of bytes which you request plus the VA offset
rounded up to the nearest page. Supposing you want to lock an array of
words with a SizeInWords. If you plug the SizeInWords (erroneously)
into MmProbeAndLockPages you will get an MDL describing half the buffer.
However, the memory manager will lock the entire page containing the
buffer. So the whole buffer gets locked even if you only requested
half the size required (assuming the requested buffer is < PAGE_SIZE/2).
There is no crash because the entire buffer happens to get locked.
For the same reason there is no memory corruption. The entire buffer
exists. The problem is that the VA offset is added to the bytes
requested to calculate the number of pages that need to be locked. You
only get a crash when VA offset + 2 x SizeInWords crosses a page
boundary. And that may not happen for years.

On 11/26/2011 1:45 AM, Pavel Lebedynskiy wrote:

IRQL checking is what you want, but it only trims system pageable memory (e.g. paged pool and pageable code/data).

I’m not following your example about miscalculating MDL size. If MmProbeAndLockPages succeeds it’ll give you a valid MDL. If you then map this MDL and access it through the system mapping and you think the size is bigger than it actually is, you’ll crash or corrupt memory. But I don’t see how trimming the original user VAs would help you catch this sooner.
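The page-count arithmetic described in the message above, as an added example that is not part of the original thread: a user-mode C model showing at which buffer offsets a lock sized in words instead of bytes leaves the tail of the buffer outside the locked pages. It assumes 4 KiB pages and uses the same span formula as the WDK's ADDRESS_AND_SIZE_TO_SPAN_PAGES macro; the helper names and sample addresses are constructed for illustration.

```c
#include <stdio.h>

#define PAGE_SHIFT 12                      /* assumption: 4 KiB pages */
#define PAGE_SIZE  (1ull << PAGE_SHIFT)

typedef unsigned long long u64;

/* Pages touched by [va, va + size): byte offset in page plus length,
 * rounded up to whole pages. */
static u64 span_pages(u64 va, u64 size)
{
    return ((va & (PAGE_SIZE - 1)) + size + (PAGE_SIZE - 1)) >> PAGE_SHIFT;
}

/* The buffer really holds 2 * size_in_words bytes, but only size_in_words
 * bytes were passed as the length. Returns 1 when that undersized request
 * covers fewer pages than the real buffer occupies, i.e. the bug is no
 * longer hidden by page-granular locking. */
static int undersized_lock_exposed(u64 va, u64 size_in_words)
{
    u64 locked = span_pages(va, size_in_words);
    u64 needed = span_pages(va, size_in_words * 2);
    return locked < needed;
}

/* Count the in-page start offsets at which the bug is exposed. */
static unsigned exposed_offsets(u64 size_in_words)
{
    unsigned n = 0;
    for (u64 off = 0; off < PAGE_SIZE; off++)
        n += undersized_lock_exposed(0x10000ull + off, size_in_words);
    return n;
}

int main(void)
{
    u64 sizes[] = { 100, 1000 };           /* constructed sample sizes */
    for (int i = 0; i < 2; i++) {
        unsigned n = exposed_offsets(sizes[i]);
        printf("SizeInWords=%llu: exposed at %u of %llu offsets (%.1f%%)\n",
               sizes[i], n, PAGE_SIZE, 100.0 * n / PAGE_SIZE);
    }
    return 0;
}
```

For a buffer smaller than a page, the mistake is only visible when the buffer starts in a narrow window just before a page boundary, which is why it can go unnoticed unless a test deliberately places the buffer there.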


I understand the bug, I just don’t see what verifier could do to help here.

Prefast might be able to detect cases where code maps an MDL and accesses more than Mdl->ByteCount bytes from the mapping.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of George M. Garner Jr.
Sent: Friday, November 25, 2011 9:26 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Forcibly paging an allocation.

Thanks Pavel, but IRQL checking is part of the standard settings which are not doing what I need. MmProbeAndLockPages gives you a valid MDL describing the number of bytes which you request plus the VA offset rounded up to the nearest page. Supposing you want to lock an array of words with a SizeInWords. If you plug the SizeInWords (erroneously) into MmProbeAndLockPages you will get an MDL describing half the buffer.
However, the memory manager will lock the entire page containing the buffer. So the whole buffer gets locked even if you only requested half the size required (assuming the requested buffer is < PAGE_SIZE/2).
There is no crash because the entire buffer happens to get locked.
For the same reason there is no memory corruption. The entire buffer exists. The problem is that the VA offset is added to the bytes requested to calculate the number of pages that need to be locked. You only get a crash when VA offset + 2 x SizeInWords crosses a page boundary. And that may not happen for years.


Doron,

Low resource simulation will only fail memory allocation requests randomly.