No memory.dmp mystery II

Tony:

In terms of ‘Try replacing your “_asm int 1” with “DbgBreakPoint()” and see
if this changes its behavior.’ …

I did. It still crashes (BSODs). Unfortunately, I can’t tell you where or
why because - again! - no memory.dmp is produced.

I do know that the cause is that interrupts are disabled … I just don’t
know if the cause is that __try{}/__except{} block.

This time, it happens over and over. At this point I’m tempted to video
tape the whole debugging cycle just to prove to the world that I’m not
insane.

I’ve been trying to get a memory.dmp for almost two days. Grr.

Ralph Shnelvar

On Thu, 10 Feb 2005 07:18:15 -0500, you wrote:

Personally, I’ve never used this “int 1” trick (I always use
DbgBreakPoint which invokes “int 3”) so I’ve never bothered to walk the
code. But since I’ve now seen this a couple of times in the past two
weeks, I went and looked - and the two paths are surprisingly VERY
different. I can see enabling and disabling interrupts in this routine,
but I must admit there is sufficient complexity in this code path that I
can’t say I know interrupts will be enabled when this execution is
finished.

I *can* say that it does not use the standard exception handling scheme

  • which is used by KiTrap03 (reporting back STATUS_BREAKPOINT as the
    exception). So, my suspicion is that this is some interesting
    interaction in the implementation of structured exception handling and
    this particular kernel trap function.

Try replacing your “_asm int 1” with “DbgBreakPoint()” and see if this
changes its behavior.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Ralph Shnelvar
Sent: Thursday, February 10, 2005 6:27 AM
To: ntdev redirect
Subject: [ntdev] IRQL = 0xFF mystery IV

Dear All:

The mystery has been partially resolved. Only partially.

Upon DriverEntry, interrupts are enabled. The following code, though,
disables interrupts on this particular machine under XP Home SP2.

=============
// Interrupts enabled here. (Determined programmatically.)

{ __try { __asm int 1 } __except(EXCEPTION_EXECUTE_HANDLER) {}}

// Interrupts disabled here. (Crash dump confirms interrupt flag (IF)
is 0)

Does this make any sense at all?

Ralph Shnelvar


Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@osr.com
To unsubscribe send a blank email to xxxxx@lists.osr.com


Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com

OK, this is getting a bit tedious, but I have to ask: you do have a debugger
attached to the system that is loading this driver, and the system is
booting in debug mode, right?

Try/except does nothing with respect to interrupt execution levels.

=====================
Mark Roddy
Windows .NET/XP/2000 Consulting
Hollis Technology Solutions 603-321-1032
www.hollistech.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Ralph Shnelvar
Sent: Friday, February 11, 2005 11:40 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] No memory.dmp mystery II

Tony:

In terms of ‘Try replacing your “_asm int 1” with
“DbgBreakPoint()” and see if this changes its behavior.’ …

I did. It still crashes (BSODs). Unfortunately, I can’t
tell you where or why because - again! - no memory.dmp is produced.

I do know that the cause is that interrupts are disabled …
I just don’t know if the cause is that __try{}/__except{} block.

This time, it happens over and over. At this point I’m
tempted to video tape the whole debugging cycle just to prove
to the world that I’m not insane.

I’ve been trying to get a memory.dmp for almost two days. Grr.

Ralph Shnelvar

On Thu, 10 Feb 2005 07:18:15 -0500, you wrote:

>Personally, I’ve never used this “int 1” trick (I always use
>DbgBreakPoint which invokes “int 3”) so I’ve never bothered
to walk the
>code. But since I’ve now seen this a couple of times in the
past two
>weeks, I went and looked - and the two paths are surprisingly VERY
>different. I can see enabling and disabling interrupts in this
>routine, but I must admit there is sufficient complexity in
this code
>path that I can’t say I know interrupts will be enabled when this
>execution is finished.
>
>I *can* say that it does not use the standard exception
handling scheme
>- which is used by KiTrap03 (reporting back STATUS_BREAKPOINT as the
>exception). So, my suspicion is that this is some interesting
>interaction in the implementation of structured exception
handling and
>this particular kernel trap function.
>
>Try replacing your “_asm int 1” with “DbgBreakPoint()” and
see if this
>changes its behavior.
>
>Regards,
>
>Tony
>
>Tony Mason
>Consulting Partner
>OSR Open Systems Resources, Inc.
>http://www.osr.com
>
>
>-----Original Message-----
>From: xxxxx@lists.osr.com
>[mailto:xxxxx@lists.osr.com] On Behalf Of Ralph Shnelvar
>Sent: Thursday, February 10, 2005 6:27 AM
>To: ntdev redirect
>Subject: [ntdev] IRQL = 0xFF mystery IV
>
>Dear All:
>
>The mystery has been partially resolved. Only partially.
>
>
>Upon DriverEntry, interrupts are enabled. The following
code, though,
>disables interrupts on this particular machine under XP Home SP2.
>
>=============
>// Interrupts enabled here. (Determined programmatically.)
>
>{ __try { __asm int 1 } __except(EXCEPTION_EXECUTE_HANDLER) {}}
>
>// Interrupts disabled here. (Crash dump confirms interrupt
flag (IF)
>is 0) =============
>
>
>
>Does this make any sense at all?
>
>Ralph Shnelvar
>
>—
>Questions? First check the Kernel Driver FAQ at
>http://www.osronline.com/article.cfm?id=256
>
>You are currently subscribed to ntdev as: xxxxx@osr.com To
unsubscribe
>send a blank email to xxxxx@lists.osr.com
>
>—
>Questions? First check the Kernel Driver FAQ at
>http://www.osronline.com/article.cfm?id=256
>
>You are currently subscribed to ntdev as: unknown lmsubst
tag argument: ‘’
>To unsubscribe send a blank email to xxxxx@lists.osr.com


Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as:
xxxxx@hollistech.com To unsubscribe send a blank email to
xxxxx@lists.osr.com

Mark:

On Fri, 11 Feb 2005 13:21:18 -0500, you wrote:

OK, this is getting a bit tedious,

Hey, try getting a crash dump all day. Now that’s tedious. :slight_smile:

but I have to ask: you do have a debugger
attached to the system that is loading this driver,

No, I do not have a debugger attached.

and the system is
booting in debug mode, right?

It is not booting in debug mode.

Try/except does nothing with respect to interrupt execution levels.

That, sir, is entirely the point. It shouldn’t but it does.

More to the point, I’m trying to track down why it does.

I need to be a bit more acurate: It appears that on this particular machine
that the Interrupt Flag (IF) is being cleared under the condition when it is
*not* running with the debugger enabled and the following code is executed:
{ __try { DbgBreakPoint() } __except(EXCEPTION_EXECUTE_HANDLER) {}}

[Yes, Peter, I replaced the
__asm int 0x1
with a DbgBreakPoint()

I can also say with absolute certainty that IF is not cleared when I run
with the debugger enabled and WinDbg is attached.

I believe this to be the ultimate Heisenbug. And truly frightening.

Ralph Shnelvar

=====================
Mark Roddy
Windows .NET/XP/2000 Consulting
Hollis Technology Solutions 603-321-1032
www.hollistech.com

Ralph Shnelvar

> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of Ralph Shnelvar
> Sent: Friday, February 11, 2005 11:40 AM
> To: Windows System Software Devs Interest List
> Subject: [ntdev] No memory.dmp mystery II
>
> Tony:
>
> In terms of ‘Try replacing your “_asm int 1” with
> “DbgBreakPoint()” and see if this changes its behavior.’ …
>
> I did. It still crashes (BSODs). Unfortunately, I can’t
> tell you where or why because - again! - no memory.dmp is produced.
>
> I do know that the cause is that interrupts are disabled …
> I just don’t know if the cause is that __try{}/__except{} block.
>
> This time, it happens over and over. At this point I’m
> tempted to video tape the whole debugging cycle just to prove
> to the world that I’m not insane.
>
> I’ve been trying to get a memory.dmp for almost two days. Grr.
>
> Ralph Shnelvar
>
>
> On Thu, 10 Feb 2005 07:18:15 -0500, you wrote:
>
> >Personally, I’ve never used this “int 1” trick (I always use
> >DbgBreakPoint which invokes “int 3”) so I’ve never bothered
> to walk the
> >code. But since I’ve now seen this a couple of times in the
> past two
> >weeks, I went and looked - and the two paths are surprisingly VERY
> >different. I can see enabling and disabling interrupts in this
> >routine, but I must admit there is sufficient complexity in
> this code
> >path that I can’t say I know interrupts will be enabled when this
> >execution is finished.
> >
> >I *can* say that it does not use the standard exception
> handling scheme
> >- which is used by KiTrap03 (reporting back STATUS_BREAKPOINT as the
> >exception). So, my suspicion is that this is some interesting
> >interaction in the implementation of structured exception
> handling and
> >this particular kernel trap function.
> >
> >Try replacing your “_asm int 1” with “DbgBreakPoint()” and
> see if this
> >changes its behavior.
> >
> >Regards,
> >
> >Tony
> >
> >Tony Mason
> >Consulting Partner
> >OSR Open Systems Resources, Inc.
> >http://www.osr.com
> >
> >
> >-----Original Message-----
> >From: xxxxx@lists.osr.com
> >[mailto:xxxxx@lists.osr.com] On Behalf Of Ralph Shnelvar
> >Sent: Thursday, February 10, 2005 6:27 AM
> >To: ntdev redirect
> >Subject: [ntdev] IRQL = 0xFF mystery IV
> >
> >Dear All:
> >
> >The mystery has been partially resolved. Only partially.
> >
> >
> >Upon DriverEntry, interrupts are enabled. The following
> code, though,
> >disables interrupts on this particular machine under XP Home SP2.
> >
> >=============
> >// Interrupts enabled here. (Determined programmatically.)
> >
> >{ __try { __asm int 1 } __except(EXCEPTION_EXECUTE_HANDLER) {}}
> >
> >// Interrupts disabled here. (Crash dump confirms interrupt
> flag (IF)
> >is 0) =============
> >
> >
> >
> >Does this make any sense at all?
> >
> >Ralph Shnelvar
> >
> >—
> >Questions? First check the Kernel Driver FAQ at
> >http://www.osronline.com/article.cfm?id=256
> >
> >You are currently subscribed to ntdev as: xxxxx@osr.com To
> unsubscribe
> >send a blank email to xxxxx@lists.osr.com
> >
> >—
> >Questions? First check the Kernel Driver FAQ at
> >http://www.osronline.com/article.cfm?id=256
> >
> >You are currently subscribed to ntdev as: unknown lmsubst
> tag argument: ‘’
> >To unsubscribe send a blank email to xxxxx@lists.osr.com
>
>
> —
> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as:
> xxxxx@hollistech.com To unsubscribe send a blank email to
> xxxxx@lists.osr.com
>


Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@dos32.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

> ----------

From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Ralph Shnelvar[SMTP:xxxxx@dos32.com]
Reply To: Windows System Software Devs Interest List
Sent: Saturday, February 12, 2005 12:20 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] No memory.dmp mystery II

It is not booting in debug mode.

Are you quite sure? Could you post appropriate boot.ini entry or check if there isn’t anything related to debugger (/debug etc.).

I can also say with absolute certainty that IF is not cleared when I run
with the debugger enabled and WinDbg is attached.

How it behaves if you boot with debugger enabled and none attached?

I believe this to be the ultimate Heisenbug. And truly frightening.

Don’t want to see real Heisenbug :wink:

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]

I have done some reading. Intel says that when it processes an exception for
int 1 and int 3, it bumps the IP to the next instruction. I suspect the
solution is to replace EXCEPTION_EXECUTE_HANDLER with
EXCEPTION_CONTINUE_EXECUTION. Since IP has been bumped execution should just
continue on.

I suspect the int 1 and int 3 handlers are being called with interrupts
disabled because they are the debugger interrupts. I am going to write some
code smippets to see what happens.

Jamey

----- Original Message -----
From: “Michal Vodicka”
To: “Windows System Software Devs Interest List”
Sent: Friday, February 11, 2005 3:26 PM
Subject: RE: [ntdev] No memory.dmp mystery II

>> ----------
>> From:
>> xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com]
>> on behalf of Ralph Shnelvar[SMTP:xxxxx@dos32.com]
>> Reply To: Windows System Software Devs Interest List
>> Sent: Saturday, February 12, 2005 12:20 AM
>> To: Windows System Software Devs Interest List
>> Subject: Re: [ntdev] No memory.dmp mystery II
>>
>> It is not booting in debug mode.
>>
> Are you quite sure? Could you post appropriate boot.ini entry or check if
> there isn’t anything related to debugger (/debug etc.).
>
>> I can also say with absolute certainty that IF is not cleared when I run
>> with the debugger enabled and WinDbg is attached.
>>
> How it behaves if you boot with debugger enabled and none attached?
>
>> I believe this to be the ultimate Heisenbug. And truly frightening.
>>
> Don’t want to see real Heisenbug :wink:
>
> Best regards,
>
> Michal Vodicka
> UPEK, Inc.
> [xxxxx@upek.com, http://www.upek.com]
>
>
>
>
>
> —
> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: unknown lmsubst tag argument: ‘’
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>

A quick check with SoftICE shows that while int 0x2, 0x8 and
0x12 are serviced by Task Gates, the rest of the IDT entries
between 0x01 and 0xff, with a few exceptions, are Interrupt
Gates. If you read the Intel Pentium book, you’ll find out that
ISRs that are serviced by Interrupt Gates get control with the
Interrupt Flag cleared. So, the Windows interrupt routines which
get control before the Driver’s ISR have the choice of turning
interrupts on or leaving them off.

Alberto.

----- Original Message -----
From: “Jamey Kirby”
To: “Windows System Software Devs Interest List”

Sent: Saturday, February 12, 2005 5:05 PM
Subject: Re: [ntdev] No memory.dmp mystery II

>I have done some reading. Intel says that when it processes an
>exception for int 1 and int 3, it bumps the IP to the next
>instruction. I suspect the solution is to replace
>EXCEPTION_EXECUTE_HANDLER with EXCEPTION_CONTINUE_EXECUTION.
>Since IP has been bumped execution should just continue on.
>
> I suspect the int 1 and int 3 handlers are being called with
> interrupts disabled because they are the debugger interrupts.
> I am going to write some code smippets to see what happens.
>
> Jamey
>
> ----- Original Message -----
> From: “Michal Vodicka”
> To: “Windows System Software Devs Interest List”
>
> Sent: Friday, February 11, 2005 3:26 PM
> Subject: RE: [ntdev] No memory.dmp mystery II
>
>
>>> ----------
>>> From:
>>> xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com]
>>> on behalf of Ralph Shnelvar[SMTP:xxxxx@dos32.com]
>>> Reply To: Windows System Software Devs Interest List
>>> Sent: Saturday, February 12, 2005 12:20 AM
>>> To: Windows System Software Devs Interest List
>>> Subject: Re: [ntdev] No memory.dmp mystery II
>>>
>>> It is not booting in debug mode.
>>>
>> Are you quite sure? Could you post appropriate boot.ini entry
>> or check if there isn’t anything related to debugger (/debug
>> etc.).
>>
>>> I can also say with absolute certainty that IF is not
>>> cleared when I run
>>> with the debugger enabled and WinDbg is attached.
>>>
>> How it behaves if you boot with debugger enabled and none
>> attached?
>>
>>> I believe this to be the ultimate Heisenbug. And truly
>>> frightening.
>>>
>> Don’t want to see real Heisenbug :wink:
>>
>> Best regards,
>>
>> Michal Vodicka
>> UPEK, Inc.
>> [xxxxx@upek.com, http://www.upek.com]
>>
>>
>>
>>
>>
>> —
>> Questions? First check the Kernel Driver FAQ at
>> http://www.osronline.com/article.cfm?id=256
>>
>> You are currently subscribed to ntdev as: unknown lmsubst tag
>> argument: ‘’
>> To unsubscribe send a blank email to
>> xxxxx@lists.osr.com
>>
>
>
> —
> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@ieee.org
> To unsubscribe send a blank email to
> xxxxx@lists.osr.com

This is what I have read too :slight_smile:

Jamey
----- Original Message -----
From: “Alberto Moreira”
To: “Windows System Software Devs Interest List”
Sent: Saturday, February 12, 2005 2:30 PM
Subject: Re: [ntdev] No memory.dmp mystery II

>A quick check with SoftICE shows that while int 0x2, 0x8 and 0x12 are
>serviced by Task Gates, the rest of the IDT entries between 0x01 and 0xff,
>with a few exceptions, are Interrupt Gates. If you read the Intel Pentium
>book, you’ll find out that ISRs that are serviced by Interrupt Gates get
>control with the Interrupt Flag cleared. So, the Windows interrupt routines
>which get control before the Driver’s ISR have the choice of turning
>interrupts on or leaving them off.
>
> Alberto.
>
>
> ----- Original Message -----
> From: “Jamey Kirby”
> To: “Windows System Software Devs Interest List”
> Sent: Saturday, February 12, 2005 5:05 PM
> Subject: Re: [ntdev] No memory.dmp mystery II
>
>
>>I have done some reading. Intel says that when it processes an exception
>>for int 1 and int 3, it bumps the IP to the next instruction. I suspect
>>the solution is to replace EXCEPTION_EXECUTE_HANDLER with
>>EXCEPTION_CONTINUE_EXECUTION. Since IP has been bumped execution should
>>just continue on.
>>
>> I suspect the int 1 and int 3 handlers are being called with interrupts
>> disabled because they are the debugger interrupts. I am going to write
>> some code smippets to see what happens.
>>
>> Jamey
>>
>> ----- Original Message -----
>> From: “Michal Vodicka”
>> To: “Windows System Software Devs Interest List”
>> Sent: Friday, February 11, 2005 3:26 PM
>> Subject: RE: [ntdev] No memory.dmp mystery II
>>
>>
>>>> ----------
>>>> From:
>>>> xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com]
>>>> on behalf of Ralph Shnelvar[SMTP:xxxxx@dos32.com]
>>>> Reply To: Windows System Software Devs Interest List
>>>> Sent: Saturday, February 12, 2005 12:20 AM
>>>> To: Windows System Software Devs Interest List
>>>> Subject: Re: [ntdev] No memory.dmp mystery II
>>>>
>>>> It is not booting in debug mode.
>>>>
>>> Are you quite sure? Could you post appropriate boot.ini entry or check
>>> if there isn’t anything related to debugger (/debug etc.).
>>>
>>>> I can also say with absolute certainty that IF is not cleared when I
>>>> run
>>>> with the debugger enabled and WinDbg is attached.
>>>>
>>> How it behaves if you boot with debugger enabled and none attached?
>>>
>>>> I believe this to be the ultimate Heisenbug. And truly frightening.
>>>>
>>> Don’t want to see real Heisenbug :wink:
>>>
>>> Best regards,
>>>
>>> Michal Vodicka
>>> UPEK, Inc.
>>> [xxxxx@upek.com, http://www.upek.com]
>>>
>>>
>>>
>>>
>>>
>>> —
>>> Questions? First check the Kernel Driver FAQ at
>>> http://www.osronline.com/article.cfm?id=256
>>>
>>> You are currently subscribed to ntdev as: unknown lmsubst tag argument:
>>> ‘’
>>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>>>
>>
>>
>> —
>> Questions? First check the Kernel Driver FAQ at
>> http://www.osronline.com/article.cfm?id=256
>>
>> You are currently subscribed to ntdev as: xxxxx@ieee.org
>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>
>
> —
> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@tfb.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com

One question that arises is, why the Task Gates ? The vectors
are NMI, Double Fault and Machine Check. The other point is, one
would have expected that the IRQL design might be better served
with Trap Gates, although of course that makes it harder to
program the ISRs. Another question is, vectors 0x20 to 0x29 are
reported as “reserved”, and the ISR offset is set to zero. I
wonder why ?

Alberto.

----- Original Message -----
From: “Jamey Kirby”
To: “Windows System Software Devs Interest List”

Sent: Saturday, February 12, 2005 8:25 PM
Subject: Re: [ntdev] No memory.dmp mystery II

> This is what I have read too :slight_smile:
>
> Jamey
> ----- Original Message -----
> From: “Alberto Moreira”
> To: “Windows System Software Devs Interest List”
>
> Sent: Saturday, February 12, 2005 2:30 PM
> Subject: Re: [ntdev] No memory.dmp mystery II
>
>
>>A quick check with SoftICE shows that while int 0x2, 0x8 and
>>0x12 are serviced by Task Gates, the rest of the IDT entries
>>between 0x01 and 0xff, with a few exceptions, are Interrupt
>>Gates. If you read the Intel Pentium book, you’ll find out
>>that ISRs that are serviced by Interrupt Gates get control
>>with the Interrupt Flag cleared. So, the Windows interrupt
>>routines which get control before the Driver’s ISR have the
>>choice of turning interrupts on or leaving them off.
>>
>> Alberto.
>>
>>
>> ----- Original Message -----
>> From: “Jamey Kirby”
>> To: “Windows System Software Devs Interest List”
>>
>> Sent: Saturday, February 12, 2005 5:05 PM
>> Subject: Re: [ntdev] No memory.dmp mystery II
>>
>>
>>>I have done some reading. Intel says that when it processes
>>>an exception for int 1 and int 3, it bumps the IP to the next
>>>instruction. I suspect the solution is to replace
>>>EXCEPTION_EXECUTE_HANDLER with EXCEPTION_CONTINUE_EXECUTION.
>>>Since IP has been bumped execution should just continue on.
>>>
>>> I suspect the int 1 and int 3 handlers are being called with
>>> interrupts disabled because they are the debugger
>>> interrupts. I am going to write some code smippets to see
>>> what happens.
>>>
>>> Jamey
>>>
>>> ----- Original Message -----
>>> From: “Michal Vodicka”
>>> To: “Windows System Software Devs Interest List”
>>>
>>> Sent: Friday, February 11, 2005 3:26 PM
>>> Subject: RE: [ntdev] No memory.dmp mystery II
>>>
>>>
>>>>> ----------
>>>>> From:
>>>>> xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com]
>>>>> on behalf of Ralph Shnelvar[SMTP:xxxxx@dos32.com]
>>>>> Reply To: Windows System Software Devs Interest List
>>>>> Sent: Saturday, February 12, 2005 12:20 AM
>>>>> To: Windows System Software Devs Interest List
>>>>> Subject: Re: [ntdev] No memory.dmp mystery II
>>>>>
>>>>> It is not booting in debug mode.
>>>>>
>>>> Are you quite sure? Could you post appropriate boot.ini
>>>> entry or check if there isn’t anything related to debugger
>>>> (/debug etc.).
>>>>
>>>>> I can also say with absolute certainty that IF is not
>>>>> cleared when I run
>>>>> with the debugger enabled and WinDbg is attached.
>>>>>
>>>> How it behaves if you boot with debugger enabled and none
>>>> attached?
>>>>
>>>>> I believe this to be the ultimate Heisenbug. And truly
>>>>> frightening.
>>>>>
>>>> Don’t want to see real Heisenbug :wink:
>>>>
>>>> Best regards,
>>>>
>>>> Michal Vodicka
>>>> UPEK, Inc.
>>>> [xxxxx@upek.com, http://www.upek.com]
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> —
>>>> Questions? First check the Kernel Driver FAQ at
>>>> http://www.osronline.com/article.cfm?id=256
>>>>
>>>> You are currently subscribed to ntdev as: unknown lmsubst
>>>> tag argument: ‘’
>>>> To unsubscribe send a blank email to
>>>> xxxxx@lists.osr.com
>>>>
>>>
>>>
>>> —
>>> Questions? First check the Kernel Driver FAQ at
>>> http://www.osronline.com/article.cfm?id=256
>>>
>>> You are currently subscribed to ntdev as: xxxxx@ieee.org
>>> To unsubscribe send a blank email to
>>> xxxxx@lists.osr.com
>>
>>
>> —
>> Questions? First check the Kernel Driver FAQ at
>> http://www.osronline.com/article.cfm?id=256
>>
>> You are currently subscribed to ntdev as: xxxxx@tfb.com
>> To unsubscribe send a blank email to
>> xxxxx@lists.osr.com
>
>
> —
> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@ieee.org
> To unsubscribe send a blank email to
> xxxxx@lists.osr.com

In the case of the double fault, the task gate is used to achieve the
necessary stack switch (think “kernel stack overflow”). Since the stack
switch can be encoded in the task gate, it represents a convenient
mechanism for doing so.

Also, note that none of the task gates return - it is always a one way
trip.

Regard,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Alberto Moreira
Sent: Sunday, February 13, 2005 9:11 AM
To: ntdev redirect
Subject: Re: [ntdev] No memory.dmp mystery II

One question that arises is, why the Task Gates ? The vectors
are NMI, Double Fault and Machine Check. The other point is, one
would have expected that the IRQL design might be better served
with Trap Gates, although of course that makes it harder to
program the ISRs. Another question is, vectors 0x20 to 0x29 are
reported as “reserved”, and the ISR offset is set to zero. I
wonder why ?

Alberto.

----- Original Message -----
From: “Jamey Kirby”
To: “Windows System Software Devs Interest List”

Sent: Saturday, February 12, 2005 8:25 PM
Subject: Re: [ntdev] No memory.dmp mystery II

> This is what I have read too :slight_smile:
>
> Jamey
> ----- Original Message -----
> From: “Alberto Moreira”
> To: “Windows System Software Devs Interest List”
>
> Sent: Saturday, February 12, 2005 2:30 PM
> Subject: Re: [ntdev] No memory.dmp mystery II
>
>
>>A quick check with SoftICE shows that while int 0x2, 0x8 and
>>0x12 are serviced by Task Gates, the rest of the IDT entries
>>between 0x01 and 0xff, with a few exceptions, are Interrupt
>>Gates. If you read the Intel Pentium book, you’ll find out
>>that ISRs that are serviced by Interrupt Gates get control
>>with the Interrupt Flag cleared. So, the Windows interrupt
>>routines which get control before the Driver’s ISR have the
>>choice of turning interrupts on or leaving them off.
>>
>> Alberto.
>>
>>
>> ----- Original Message -----
>> From: “Jamey Kirby”
>> To: “Windows System Software Devs Interest List”
>>
>> Sent: Saturday, February 12, 2005 5:05 PM
>> Subject: Re: [ntdev] No memory.dmp mystery II
>>
>>
>>>I have done some reading. Intel says that when it processes
>>>an exception for int 1 and int 3, it bumps the IP to the next
>>>instruction. I suspect the solution is to replace
>>>EXCEPTION_EXECUTE_HANDLER with EXCEPTION_CONTINUE_EXECUTION.
>>>Since IP has been bumped execution should just continue on.
>>>
>>> I suspect the int 1 and int 3 handlers are being called with
>>> interrupts disabled because they are the debugger
>>> interrupts. I am going to write some code smippets to see
>>> what happens.
>>>
>>> Jamey
>>>
>>> ----- Original Message -----
>>> From: “Michal Vodicka”
>>> To: “Windows System Software Devs Interest List”
>>>
>>> Sent: Friday, February 11, 2005 3:26 PM
>>> Subject: RE: [ntdev] No memory.dmp mystery II
>>>
>>>
>>>>> ----------
>>>>> From:
>>>>>
xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com
]
>>>>> on behalf of Ralph Shnelvar[SMTP:xxxxx@dos32.com]
>>>>> Reply To: Windows System Software Devs Interest List
>>>>> Sent: Saturday, February 12, 2005 12:20 AM
>>>>> To: Windows System Software Devs Interest List
>>>>> Subject: Re: [ntdev] No memory.dmp mystery II
>>>>>
>>>>> It is not booting in debug mode.
>>>>>
>>>> Are you quite sure? Could you post appropriate boot.ini
>>>> entry or check if there isn’t anything related to debugger
>>>> (/debug etc.).
>>>>
>>>>> I can also say with absolute certainty that IF is not
>>>>> cleared when I run
>>>>> with the debugger enabled and WinDbg is attached.
>>>>>
>>>> How it behaves if you boot with debugger enabled and none
>>>> attached?
>>>>
>>>>> I believe this to be the ultimate Heisenbug. And truly
>>>>> frightening.
>>>>>
>>>> Don’t want to see real Heisenbug :wink:
>>>>
>>>> Best regards,
>>>>
>>>> Michal Vodicka
>>>> UPEK, Inc.
>>>> [xxxxx@upek.com, http://www.upek.com]
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> —
>>>> Questions? First check the Kernel Driver FAQ at
>>>> http://www.osronline.com/article.cfm?id=256
>>>>
>>>> You are currently subscribed to ntdev as: unknown lmsubst
>>>> tag argument: ‘’
>>>> To unsubscribe send a blank email to
>>>> xxxxx@lists.osr.com
>>>>
>>>
>>>
>>> —
>>> Questions? First check the Kernel Driver FAQ at
>>> http://www.osronline.com/article.cfm?id=256
>>>
>>> You are currently subscribed to ntdev as: xxxxx@ieee.org
>>> To unsubscribe send a blank email to
>>> xxxxx@lists.osr.com
>>
>>
>> —
>> Questions? First check the Kernel Driver FAQ at
>> http://www.osronline.com/article.cfm?id=256
>>
>> You are currently subscribed to ntdev as: xxxxx@tfb.com
>> To unsubscribe send a blank email to
>> xxxxx@lists.osr.com
>
>
> —
> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@ieee.org
> To unsubscribe send a blank email to
> xxxxx@lists.osr.com


Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@osr.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

They are task gates, because the OS needs a clean stack to report the error,
and allow the system to bugcheck. For example a double fault can arise due
to
an kernel stack overflow, so switching through a task gate will ensure a
clean
stack to work with.

I dont agree that IRQL design would be better with trap gates then interrupt
gates. At least there would be not significant advantage.

Dan

----- Original Message -----
From: “Alberto Moreira”
To: “Windows System Software Devs Interest List”
Sent: Sunday, February 13, 2005 4:10 PM
Subject: Re: [ntdev] No memory.dmp mystery II

> One question that arises is, why the Task Gates ? The vectors are NMI,
> Double Fault and Machine Check. The other point is, one would have
> expected that the IRQL design might be better served with Trap Gates,
> although of course that makes it harder to program the ISRs. Another
> question is, vectors 0x20 to 0x29 are reported as “reserved”, and the ISR
> offset is set to zero. I wonder why ?
>
> Alberto.
>
>
> ----- Original Message -----
> From: “Jamey Kirby”
> To: “Windows System Software Devs Interest List”
> Sent: Saturday, February 12, 2005 8:25 PM
> Subject: Re: [ntdev] No memory.dmp mystery II
>
>
>> This is what I have read too :slight_smile:
>>
>> Jamey
>> ----- Original Message -----
>> From: “Alberto Moreira”
>> To: “Windows System Software Devs Interest List”
>> Sent: Saturday, February 12, 2005 2:30 PM
>> Subject: Re: [ntdev] No memory.dmp mystery II
>>
>>
>>>A quick check with SoftICE shows that while int 0x2, 0x8 and 0x12 are
>>>serviced by Task Gates, the rest of the IDT entries between 0x01 and
>>>0xff, with a few exceptions, are Interrupt Gates. If you read the Intel
>>>Pentium book, you’ll find out that ISRs that are serviced by Interrupt
>>>Gates get control with the Interrupt Flag cleared. So, the Windows
>>>interrupt routines which get control before the Driver’s ISR have the
>>>choice of turning interrupts on or leaving them off.
>>>
>>> Alberto.
>>>
>>>
>>> ----- Original Message -----
>>> From: “Jamey Kirby”
>>> To: “Windows System Software Devs Interest List”
>>> Sent: Saturday, February 12, 2005 5:05 PM
>>> Subject: Re: [ntdev] No memory.dmp mystery II
>>>
>>>
>>>>I have done some reading. Intel says that when it processes an exception
>>>>for int 1 and int 3, it bumps the IP to the next instruction. I suspect
>>>>the solution is to replace EXCEPTION_EXECUTE_HANDLER with
>>>>EXCEPTION_CONTINUE_EXECUTION. Since IP has been bumped execution should
>>>>just continue on.
>>>>
>>>> I suspect the int 1 and int 3 handlers are being called with interrupts
>>>> disabled because they are the debugger interrupts. I am going to write
>>>> some code smippets to see what happens.
>>>>
>>>> Jamey
>>>>
>>>> ----- Original Message -----
>>>> From: “Michal Vodicka”
>>>> To: “Windows System Software Devs Interest List”
>>>> Sent: Friday, February 11, 2005 3:26 PM
>>>> Subject: RE: [ntdev] No memory.dmp mystery II
>>>>
>>>>
>>>>>> ----------
>>>>>> From:
>>>>>> xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com]
>>>>>> on behalf of Ralph Shnelvar[SMTP:xxxxx@dos32.com]
>>>>>> Reply To: Windows System Software Devs Interest List
>>>>>> Sent: Saturday, February 12, 2005 12:20 AM
>>>>>> To: Windows System Software Devs Interest List
>>>>>> Subject: Re: [ntdev] No memory.dmp mystery II
>>>>>>
>>>>>> It is not booting in debug mode.
>>>>>>
>>>>> Are you quite sure? Could you post appropriate boot.ini entry or check
>>>>> if there isn’t anything related to debugger (/debug etc.).
>>>>>
>>>>>> I can also say with absolute certainty that IF is not cleared when I
>>>>>> run
>>>>>> with the debugger enabled and WinDbg is attached.
>>>>>>
>>>>> How it behaves if you boot with debugger enabled and none attached?
>>>>>
>>>>>> I believe this to be the ultimate Heisenbug. And truly frightening.
>>>>>>
>>>>> Don’t want to see real Heisenbug :wink:
>>>>>
>>>>> Best regards,
>>>>>
>>>>> Michal Vodicka
>>>>> UPEK, Inc.
>>>>> [xxxxx@upek.com, http://www.upek.com]
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> —
>>>>> Questions? First check the Kernel Driver FAQ at
>>>>> http://www.osronline.com/article.cfm?id=256
>>>>>
>>>>> You are currently subscribed to ntdev as: unknown lmsubst tag
>>>>> argument: ‘’
>>>>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>>>>>
>>>>
>>>>
>>>> —
>>>> Questions? First check the Kernel Driver FAQ at
>>>> http://www.osronline.com/article.cfm?id=256
>>>>
>>>> You are currently subscribed to ntdev as: xxxxx@ieee.org
>>>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>>>
>>>
>>> —
>>> Questions? First check the Kernel Driver FAQ at
>>> http://www.osronline.com/article.cfm?id=256
>>>
>>> You are currently subscribed to ntdev as: xxxxx@tfb.com
>>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>>
>>
>> —
>> Questions? First check the Kernel Driver FAQ at
>> http://www.osronline.com/article.cfm?id=256
>>
>> You are currently subscribed to ntdev as: xxxxx@ieee.org
>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>
>
> —
> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@rdsor.ro
> To unsubscribe send a blank email to xxxxx@lists.osr.com

I’m much less familiar with design issues of these interrupt vector
assignment. But what I still recall from my past work/search/findings is
that they were not needed, sort of stubbing. And one can enhance the
functionality ( if desired on an experimental systems) just slapping a
handler. BTW, other oses (Unix family) usually leaves couple slots open like
this if I recall.

-pro
----- Original Message -----
From: “Alberto Moreira”
To: “Windows System Software Devs Interest List”
Sent: Sunday, February 13, 2005 6:10 AM
Subject: Re: [ntdev] No memory.dmp mystery II

> One question that arises is, why the Task Gates ? The vectors
> are NMI, Double Fault and Machine Check. The other point is, one
> would have expected that the IRQL design might be better served
> with Trap Gates, although of course that makes it harder to
> program the ISRs. Another question is, vectors 0x20 to 0x29 are
> reported as “reserved”, and the ISR offset is set to zero. I
> wonder why ?
>
> Alberto.
>
>
> ----- Original Message -----
> From: “Jamey Kirby”
> To: “Windows System Software Devs Interest List”
>
> Sent: Saturday, February 12, 2005 8:25 PM
> Subject: Re: [ntdev] No memory.dmp mystery II
>
>
> > This is what I have read too :slight_smile:
> >
> > Jamey
> > ----- Original Message -----
> > From: “Alberto Moreira”
> > To: “Windows System Software Devs Interest List”
> >
> > Sent: Saturday, February 12, 2005 2:30 PM
> > Subject: Re: [ntdev] No memory.dmp mystery II
> >
> >
> >>A quick check with SoftICE shows that while int 0x2, 0x8 and
> >>0x12 are serviced by Task Gates, the rest of the IDT entries
> >>between 0x01 and 0xff, with a few exceptions, are Interrupt
> >>Gates. If you read the Intel Pentium book, you’ll find out
> >>that ISRs that are serviced by Interrupt Gates get control
> >>with the Interrupt Flag cleared. So, the Windows interrupt
> >>routines which get control before the Driver’s ISR have the
> >>choice of turning interrupts on or leaving them off.
> >>
> >> Alberto.
> >>
> >>
> >> ----- Original Message -----
> >> From: “Jamey Kirby”
> >> To: “Windows System Software Devs Interest List”
> >>
> >> Sent: Saturday, February 12, 2005 5:05 PM
> >> Subject: Re: [ntdev] No memory.dmp mystery II
> >>
> >>
> >>>I have done some reading. Intel says that when it processes
> >>>an exception for int 1 and int 3, it bumps the IP to the next
> >>>instruction. I suspect the solution is to replace
> >>>EXCEPTION_EXECUTE_HANDLER with EXCEPTION_CONTINUE_EXECUTION.
> >>>Since IP has been bumped execution should just continue on.
> >>>
> >>> I suspect the int 1 and int 3 handlers are being called with
> >>> interrupts disabled because they are the debugger
> >>> interrupts. I am going to write some code smippets to see
> >>> what happens.
> >>>
> >>> Jamey
> >>>
> >>> ----- Original Message -----
> >>> From: “Michal Vodicka”
> >>> To: “Windows System Software Devs Interest List”
> >>>
> >>> Sent: Friday, February 11, 2005 3:26 PM
> >>> Subject: RE: [ntdev] No memory.dmp mystery II
> >>>
> >>>
> >>>>> ----------
> >>>>> From:
> >>>>>
xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com]
> >>>>> on behalf of Ralph Shnelvar[SMTP:xxxxx@dos32.com]
> >>>>> Reply To: Windows System Software Devs Interest List
> >>>>> Sent: Saturday, February 12, 2005 12:20 AM
> >>>>> To: Windows System Software Devs Interest List
> >>>>> Subject: Re: [ntdev] No memory.dmp mystery II
> >>>>>
> >>>>> It is not booting in debug mode.
> >>>>>
> >>>> Are you quite sure? Could you post appropriate boot.ini
> >>>> entry or check if there isn’t anything related to debugger
> >>>> (/debug etc.).
> >>>>
> >>>>> I can also say with absolute certainty that IF is not
> >>>>> cleared when I run
> >>>>> with the debugger enabled and WinDbg is attached.
> >>>>>
> >>>> How it behaves if you boot with debugger enabled and none
> >>>> attached?
> >>>>
> >>>>> I believe this to be the ultimate Heisenbug. And truly
> >>>>> frightening.
> >>>>>
> >>>> Don’t want to see real Heisenbug :wink:
> >>>>
> >>>> Best regards,
> >>>>
> >>>> Michal Vodicka
> >>>> UPEK, Inc.
> >>>> [xxxxx@upek.com, http://www.upek.com]
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> —
> >>>> Questions? First check the Kernel Driver FAQ at
> >>>> http://www.osronline.com/article.cfm?id=256
> >>>>
> >>>> You are currently subscribed to ntdev as: unknown lmsubst
> >>>> tag argument: ‘’
> >>>> To unsubscribe send a blank email to
> >>>> xxxxx@lists.osr.com
> >>>>
> >>>
> >>>
> >>> —
> >>> Questions? First check the Kernel Driver FAQ at
> >>> http://www.osronline.com/article.cfm?id=256
> >>>
> >>> You are currently subscribed to ntdev as: xxxxx@ieee.org
> >>> To unsubscribe send a blank email to
> >>> xxxxx@lists.osr.com
> >>
> >>
> >> —
> >> Questions? First check the Kernel Driver FAQ at
> >> http://www.osronline.com/article.cfm?id=256
> >>
> >> You are currently subscribed to ntdev as: xxxxx@tfb.com
> >> To unsubscribe send a blank email to
> >> xxxxx@lists.osr.com
> >
> >
> > —
> > Questions? First check the Kernel Driver FAQ at
> > http://www.osronline.com/article.cfm?id=256
> >
> > You are currently subscribed to ntdev as: xxxxx@ieee.org
> > To unsubscribe send a blank email to
> > xxxxx@lists.osr.com
>
>
> —
> Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@garlic.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>

After writing some test code and reading the Intel reference manuals, the
issue seems more clear and more confusing.

Interrupts are disabled on the following exceptions: int 1, int 3 and
BOUNDS. There is no reason to assume that your exception handler will
restart interrupts by default; you will need to restart them yourself.

Not quite what the solution is here. Do you simply issue an __asm sti
instruction? Are we sure the interrupts were enabled before the exception
occured? Remember the old trick:

pushf
cli
;; do some stuff
popf

Since we do not knw the state of the flags prior to the exception being
called, I am not sure what to recommend. Can we assume interrupts were
enabled prior to the exception occuring? Int 1 and Int 3 are non-maskable.

Another interesting thing I found using SoftIce (all I tested with so far):
If I execute the following line:

__try {DbgBreakPoint()} __except(EXCEPTION_CONTINUE_SEARCH) {}

I get a BSOD, not a debugger break point like I would have expected.

Jamey

----- Original Message -----
From: “Prokash Sinha”
To: “Windows System Software Devs Interest List”
Sent: Sunday, February 13, 2005 9:00 AM
Subject: Re: [ntdev] No memory.dmp mystery II

> I’m much less familiar with design issues of these interrupt vector
> assignment. But what I still recall from my past work/search/findings is
> that they were not needed, sort of stubbing. And one can enhance the
> functionality ( if desired on an experimental systems) just slapping a
> handler. BTW, other oses (Unix family) usually leaves couple slots open
> like
> this if I recall.
>
> -pro
> ----- Original Message -----
> From: “Alberto Moreira”
> To: “Windows System Software Devs Interest List”
> Sent: Sunday, February 13, 2005 6:10 AM
> Subject: Re: [ntdev] No memory.dmp mystery II
>
>
>> One question that arises is, why the Task Gates ? The vectors
>> are NMI, Double Fault and Machine Check. The other point is, one
>> would have expected that the IRQL design might be better served
>> with Trap Gates, although of course that makes it harder to
>> program the ISRs. Another question is, vectors 0x20 to 0x29 are
>> reported as “reserved”, and the ISR offset is set to zero. I
>> wonder why ?
>>
>> Alberto.
>>
>>
>> ----- Original Message -----
>> From: “Jamey Kirby”
>> To: “Windows System Software Devs Interest List”
>>
>> Sent: Saturday, February 12, 2005 8:25 PM
>> Subject: Re: [ntdev] No memory.dmp mystery II
>>
>>
>> > This is what I have read too :slight_smile:
>> >
>> > Jamey
>> > ----- Original Message -----
>> > From: “Alberto Moreira”
>> > To: “Windows System Software Devs Interest List”
>> >
>> > Sent: Saturday, February 12, 2005 2:30 PM
>> > Subject: Re: [ntdev] No memory.dmp mystery II
>> >
>> >
>> >>A quick check with SoftICE shows that while int 0x2, 0x8 and
>> >>0x12 are serviced by Task Gates, the rest of the IDT entries
>> >>between 0x01 and 0xff, with a few exceptions, are Interrupt
>> >>Gates. If you read the Intel Pentium book, you’ll find out
>> >>that ISRs that are serviced by Interrupt Gates get control
>> >>with the Interrupt Flag cleared. So, the Windows interrupt
>> >>routines which get control before the Driver’s ISR have the
>> >>choice of turning interrupts on or leaving them off.
>> >>
>> >> Alberto.
>> >>
>> >>
>> >> ----- Original Message -----
>> >> From: “Jamey Kirby”
>> >> To: “Windows System Software Devs Interest List”
>> >>
>> >> Sent: Saturday, February 12, 2005 5:05 PM
>> >> Subject: Re: [ntdev] No memory.dmp mystery II
>> >>
>> >>
>> >>>I have done some reading. Intel says that when it processes
>> >>>an exception for int 1 and int 3, it bumps the IP to the next
>> >>>instruction. I suspect the solution is to replace
>> >>>EXCEPTION_EXECUTE_HANDLER with EXCEPTION_CONTINUE_EXECUTION.
>> >>>Since IP has been bumped execution should just continue on.
>> >>>
>> >>> I suspect the int 1 and int 3 handlers are being called with
>> >>> interrupts disabled because they are the debugger
>> >>> interrupts. I am going to write some code smippets to see
>> >>> what happens.
>> >>>
>> >>> Jamey
>> >>>
>> >>> ----- Original Message -----
>> >>> From: “Michal Vodicka”
>> >>> To: “Windows System Software Devs Interest List”
>> >>>
>> >>> Sent: Friday, February 11, 2005 3:26 PM
>> >>> Subject: RE: [ntdev] No memory.dmp mystery II
>> >>>
>> >>>
>> >>>>> ----------
>> >>>>> From:
>> >>>>>
> xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com]
>> >>>>> on behalf of Ralph Shnelvar[SMTP:xxxxx@dos32.com]
>> >>>>> Reply To: Windows System Software Devs Interest List
>> >>>>> Sent: Saturday, February 12, 2005 12:20 AM
>> >>>>> To: Windows System Software Devs Interest List
>> >>>>> Subject: Re: [ntdev] No memory.dmp mystery II
>> >>>>>
>> >>>>> It is not booting in debug mode.
>> >>>>>
>> >>>> Are you quite sure? Could you post appropriate boot.ini
>> >>>> entry or check if there isn’t anything related to debugger
>> >>>> (/debug etc.).
>> >>>>
>> >>>>> I can also say with absolute certainty that IF is not
>> >>>>> cleared when I run
>> >>>>> with the debugger enabled and WinDbg is attached.
>> >>>>>
>> >>>> How it behaves if you boot with debugger enabled and none
>> >>>> attached?
>> >>>>
>> >>>>> I believe this to be the ultimate Heisenbug. And truly
>> >>>>> frightening.
>> >>>>>
>> >>>> Don’t want to see real Heisenbug :wink:
>> >>>>
>> >>>> Best regards,
>> >>>>
>> >>>> Michal Vodicka
>> >>>> UPEK, Inc.
>> >>>> [xxxxx@upek.com, http://www.upek.com]
>> >>>>
>> >>>>
>> >>>>
>> >>>>
>> >>>>
>> >>>> —
>> >>>> Questions? First check the Kernel Driver FAQ at
>> >>>> http://www.osronline.com/article.cfm?id=256
>> >>>>
>> >>>> You are currently subscribed to ntdev as: unknown lmsubst
>> >>>> tag argument: ‘’
>> >>>> To unsubscribe send a blank email to
>> >>>> xxxxx@lists.osr.com
>> >>>>
>> >>>
>> >>>
>> >>> —
>> >>> Questions? First check the Kernel Driver FAQ at
>> >>> http://www.osronline.com/article.cfm?id=256
>> >>>
>> >>> You are currently subscribed to ntdev as: xxxxx@ieee.org
>> >>> To unsubscribe send a blank email to
>> >>> xxxxx@lists.osr.com
>> >>
>> >>
>> >> —
>> >> Questions? First check the Kernel Driver FAQ at
>> >> http://www.osronline.com/article.cfm?id=256
>> >>
>> >> You are currently subscribed to ntdev as: xxxxx@tfb.com
>> >> To unsubscribe send a blank email to
>> >> xxxxx@lists.osr.com
>> >
>> >
>> > —
>> > Questions? First check the Kernel Driver FAQ at
>> > http://www.osronline.com/article.cfm?id=256
>> >
>> > You are currently subscribed to ntdev as: xxxxx@ieee.org
>> > To unsubscribe send a blank email to
>> > xxxxx@lists.osr.com
>>
>>
>> —
>> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>>
>> You are currently subscribed to ntdev as: xxxxx@garlic.com
>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>>
>
>
>
> —
> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@tfb.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com

Jamey Kirby wrote:

Interrupts are disabled on the following exceptions: int 1, int 3 and
BOUNDS. There is no reason to assume that your exception handler will
restart interrupts by default; you will need to restart them yourself.

RESTART interrupts yourself? Oh, come on. This is NT, not Win95. I
don’t THINK so.

__try {DbgBreakPoint()} __except(EXCEPTION_CONTINUE_SEARCH) {}

I get a BSOD, not a debugger break point like I would have expected.

At OSR we *very* frequently use things like the following:

__try {DbgBreakPoint();}

__except(EXCEPTION_EXECUTE_HANDLER) {
DbgPrint(“This woulda been a break point.\n”);
}

Works like a charm. And, I’ve never had to re-enable interrupts myself.

I suspect it’s SoftIce that’s mucking about with your results. Just one
more reason to live with the 'bag,

Peter
OSR

I’ve seen too many people are using SoftIce, and most of the driver on debug
mode injects this kind of burried down _int 3 at driverEntry, may be they
dont want to use the ’ be abc!DriverEntry ', and it works.

Jamey, make sure int3_here and int1_here is on. If they are off, it does not
catch, so it is like no debugger is attached and there is int 3 executing
:-).

-pro
----- Original Message -----
From: “Peter Viscarola (OSR)”
Newsgroups: ntdev
To: “Windows System Software Devs Interest List”
Sent: Sunday, February 13, 2005 1:55 PM
Subject: Re:[ntdev] No memory.dmp mystery II

> Jamey Kirby wrote:
> >
> > Interrupts are disabled on the following exceptions: int 1, int 3 and
> > BOUNDS. There is no reason to assume that your exception handler will
> > restart interrupts by default; you will need to restart them yourself.
> >
>
> RESTART interrupts yourself? Oh, come on. This is NT, not Win95. I
> don’t THINK so.
>
> >
> > __try {DbgBreakPoint()}__except(EXCEPTION_CONTINUE_SEARCH) {}
> >
> > I get a BSOD, not a debugger break point like I would have expected.
> >
>
> At OSR we very frequently use things like the following:
>
> __try {DbgBreakPoint();}
>
>__except(EXCEPTION_EXECUTE_HANDLER) {
> DbgPrint(“This woulda been a break point.\n”);
> }
>
> Works like a charm. And, I’ve never had to re-enable interrupts myself.
>
> I suspect it’s SoftIce that’s mucking about with your results. Just one
> more reason to live with the 'bag,
>
> Peter
> OSR
>
> —
> Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@garlic.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>
>

I3here DRV is enabled by deafult, which means i3 will be catched for
any address falling on kernel address space, but not for user.

Dan

----- Original Message -----
From: “Prokash Sinha”
To: “Windows System Software Devs Interest List”
Sent: Monday, February 14, 2005 12:29 AM
Subject: Re: Re:[ntdev] No memory.dmp mystery II

> I’ve seen too many people are using SoftIce, and most of the driver on
> debug
> mode injects this kind of burried down _int 3 at driverEntry, may be they
> dont want to use the ’ be abc!DriverEntry ', and it works.
>
> Jamey, make sure int3_here and int1_here is on. If they are off, it does
> not
> catch, so it is like no debugger is attached and there is int 3 executing
> :-).
>
> -pro
> ----- Original Message -----
> From: “Peter Viscarola (OSR)”
> Newsgroups: ntdev
> To: “Windows System Software Devs Interest List”
> Sent: Sunday, February 13, 2005 1:55 PM
> Subject: Re:[ntdev] No memory.dmp mystery II
>
>
>> Jamey Kirby wrote:
>> >
>> > Interrupts are disabled on the following exceptions: int 1, int 3 and
>> > BOUNDS. There is no reason to assume that your exception handler will
>> > restart interrupts by default; you will need to restart them yourself.
>> >
>>
>> RESTART interrupts yourself? Oh, come on. This is NT, not Win95. I
>> don’t THINK so.
>>
>> >
>> > __try {DbgBreakPoint()}__except(EXCEPTION_CONTINUE_SEARCH) {}
>> >
>> > I get a BSOD, not a debugger break point like I would have expected.
>> >
>>
>> At OSR we very frequently use things like the following:
>>
>> __try {DbgBreakPoint();}
>>
>>__except(EXCEPTION_EXECUTE_HANDLER) {
>> DbgPrint(“This woulda been a break point.\n”);
>> }
>>
>> Works like a charm. And, I’ve never had to re-enable interrupts myself.
>>
>> I suspect it’s SoftIce that’s mucking about with your results. Just one
>> more reason to live with the 'bag,
>>
>> Peter
>> OSR
>>
>> —
>> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>>
>> You are currently subscribed to ntdev as: xxxxx@garlic.com
>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>>
>>
>
>
>
> —
> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@rdsor.ro
> To unsubscribe send a blank email to xxxxx@lists.osr.com