i want to read variable sized strings from registry (REG_SZ).

I use

strSize = sizeof( KEY_VALUE_PARTIAL_INFORMATION ) + 2048;
sbuffer = ExAllocatePoolWithTag( NonPagedPool, strSize, TAG );

if (NULL == sbuffer) {

goto _Exit;
}

RtlInitUnicodeString(&valueName, _FILTER);

status = ZwQueryValueKey( driverRegKey,
&valueName,
KeyValuePartialInformation,
sbuffer,
strSize,
&strresultLength);

The problem is in the first line, where I have to force the size to 2048

I dont want to do it.

but when i use

status = ZwQueryValueKey( driverRegKey,
&valueName,
KeyValuePartialInformation,
NULL,
0,
&strresultLength);

to fetch teh length in strresultLength instead, and then use this size to
compute the strzise, I get 0x10 as the length.

why so?

A P,

Here is something from the microsoft sources. FatInit.C inside IFS kit. Line

408

KeyValueInformation = (PKEY_VALUE_FULL_INFORMATION)Buffer;

while (1) {

Status = ZwQueryValueKey(Handle,
ValueName,
KeyValueFullInformation,
KeyValueInformation,
RequestLength,
&ResultLength);

ASSERT( Status != STATUS_BUFFER_OVERFLOW );

if (Status == STATUS_BUFFER_OVERFLOW) {

//
// Try to get a buffer big enough.
//

if (KeyValueInformation != (PKEY_VALUE_FULL_INFORMATION)Buffer)
{

ExFreePool(KeyValueInformation);
}

RequestLength += 256;

KeyValueInformation = (PKEY_VALUE_FULL_INFORMATION)
ExAllocatePoolWithTag(PagedPool,
RequestLength,
' taF');

if (!KeyValueInformation) {
return STATUS_NO_MEMORY;
}

} else {

break;
}
}

Well, if M$ does it this way, so can you. Well experts, can't we?

Is it me or the assert is contradicted by the if statement under??

–

Edouard

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of amitr0
Sent: Tuesday, April 25, 2006 12:56
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] problem

A P,

Here is something from the microsoft sources. FatInit.C inside IFS
kit. Line # 408

KeyValueInformation = (PKEY_VALUE_FULL_INFORMATION)Buffer;

while (1) {

Status = ZwQueryValueKey(Handle,
ValueName,
KeyValueFullInformation,
KeyValueInformation,
RequestLength,
&ResultLength);

ASSERT( Status != STATUS_BUFFER_OVERFLOW );

if (Status == STATUS_BUFFER_OVERFLOW) {

//
// Try to get a buffer big enough.
//

if (KeyValueInformation !=
(PKEY_VALUE_FULL_INFORMATION)Buffer) {

ExFreePool(KeyValueInformation);
}

RequestLength += 256;

KeyValueInformation = (PKEY_VALUE_FULL_INFORMATION)
ExAllocatePoolWithTag(PagedPool,

RequestLength,
’ taF’);

if (!KeyValueInformation) {
return STATUS_NO_MEMORY;
}

} else {

break;
}
}

Well, if M$ does it this way, so can you. Well experts, can’t we?

— Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256 To unsubscribe, visit the List
Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Assertion failure warns developer about unexpected situation and following code still handles it. Quite correct solution for kernel code, IMO. I usually write such a code like this (even in user mode):

if (!TVERIFY(condition)) {
// handle unexpected scenario
}

TVERIFY is ASSERT(condition) in checked build and (condition) in free build. ASSERT macro has to expand as an boolean expression for this purpose and I believe the latest DDKs have it like this.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]

---

From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Edouard A.[SMTP:xxxxx@wanadoo.fr]
Reply To: Windows System Software Devs Interest List
Sent: Tuesday, April 25, 2006 8:39 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] problem

Is it me or the assert is contradicted by the if statement under??

–

Edouard

---

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of amitr0
Sent: Tuesday, April 25, 2006 12:56
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] problem

A P,

Here is something from the microsoft sources. FatInit.C inside IFS
kit. Line # 408

KeyValueInformation = (PKEY_VALUE_FULL_INFORMATION)Buffer;

while (1) {

Status = ZwQueryValueKey(Handle,
ValueName,
KeyValueFullInformation,
KeyValueInformation,
RequestLength,
&ResultLength);

ASSERT( Status != STATUS_BUFFER_OVERFLOW );

if (Status == STATUS_BUFFER_OVERFLOW) {

//
// Try to get a buffer big enough.
//

if (KeyValueInformation !=
(PKEY_VALUE_FULL_INFORMATION)Buffer) {

ExFreePool(KeyValueInformation);
}

RequestLength += 256;

KeyValueInformation = (PKEY_VALUE_FULL_INFORMATION)
ExAllocatePoolWithTag(PagedPool,

RequestLength,
’ taF’);

if (!KeyValueInformation) {
return STATUS_NO_MEMORY;
}

} else {

break;
}
}

Well, if M$ does it this way, so can you. Well experts, can’t we?

— Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256 To unsubscribe, visit the List
Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

---

Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Our philosophy of ASSERT usage is different, it’s more “It’s not an assert
if it may happen”. For example :

for(size_t i = 0; i < 10; i++)
{
// blah blah
}
ASSERT(i == 10);

To me, an assertion is something that should always be true, and if it’s not
the case, something very wrong happened: either you have a bug to fix in
your or the system is going in total panic or the universe constant changed.
I do not consider an unexpected situation to be an assertion fault, if it
is, I remove the assertion and add the appropriate handling code.

–

Edouard

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Michal Vodicka
Sent: Tuesday, April 25, 2006 20:57
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] problem

Assertion failure warns developer about unexpected situation
and following code still handles it. Quite correct solution
for kernel code, IMO. I usually write such a code like this
(even in user mode):

if (!TVERIFY(condition)) {
// handle unexpected scenario
}

TVERIFY is ASSERT(condition) in checked build and (condition)
in free build. ASSERT macro has to expand as an boolean
expression for this purpose and I believe the latest DDKs
have it like this.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]

> ----------
> From:
xxxxx@lists.osr.com[SMTP:xxxxx@lis
ts.osr.com] on behalf of Edouard > A.[SMTP:xxxxx@wanadoo.fr]
> Reply To: Windows System Software Devs Interest List
> Sent: Tuesday, April 25, 2006 8:39 PM
> To: Windows System Software Devs Interest List
> Subject: RE: [ntdev] problem
>
> Is it me or the assert is contradicted by the if statement under??
>
> –
>
> Edouard
>
>
> ________________________________
>
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of amitr0
> Sent: Tuesday, April 25, 2006 12:56
> To: Windows System Software Devs Interest List
> Subject: Re: [ntdev] problem
>
>
> A P,
>
> Here is something from the microsoft sources. FatInit.C
inside IFS
> kit. Line # 408
>
>
> KeyValueInformation = (PKEY_VALUE_FULL_INFORMATION)Buffer;
>
> while (1) {
>
> Status = ZwQueryValueKey(Handle,
> ValueName,
> KeyValueFullInformation,
> KeyValueInformation,
> RequestLength,
> &ResultLength);
>
> ASSERT( Status != STATUS_BUFFER_OVERFLOW );
>
> if (Status == STATUS_BUFFER_OVERFLOW) {
>
> //
> // Try to get a buffer big enough.
> //
>
> if (KeyValueInformation !=
> (PKEY_VALUE_FULL_INFORMATION)Buffer) {
>
> ExFreePool(KeyValueInformation);
> }
>
> RequestLength += 256;
>
> KeyValueInformation = (PKEY_VALUE_FULL_INFORMATION)
>
ExAllocatePoolWithTag(PagedPool,
>
> RequestLength,
> ’ taF’);
>
> if (!KeyValueInformation) {
> return STATUS_NO_MEMORY;
> }
>
> } else {
>
> break;
> }
> }
>
>
>
>
>
>
>
> Well, if M$ does it this way, so can you. Well experts,
can’t we?
>
> — Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256 To unsubscribe,
visit the
> List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
>
>
>
> —
> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

---

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online
at http://www.osronline.com/page.cfm?name=ListServer

---

Wanadoo vous informe que cet e-mail a ete controle par
l’anti-virus mail.
Aucun virus connu a ce jour par nos services n’a ete detecte.

Given that “ASSERT(i == 10);” is out of the scope of “for (size_t I;
{}”, the ASSERT will only compile if “i” is defined within the scope that
ASSERT exists. If it does compile, the setting of “i” has nothing to do
with the count within the for-loop. Methinks thou didst mean:

size_t I;
for(i = 0; i < 10; i++)
{
// blah blah
}
ASSERT(i == 10);

But, mostly this is personal philosophy. Setting an inline trap to catch
the failing side in an ASSERT simply insures that condition is properly
handled. Not setting an inline time means you are absolutely, positively
sure the failing condition will never ever happen in release code. It’s
simply a matter of how thoroughly you think you need to cover your ass.

Gary G. Little

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Edouard A.
Sent: Wednesday, April 26, 2006 1:01 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] problem

Our philosophy of ASSERT usage is different, it’s more “It’s not an assert
if it may happen”. For example :

for(size_t i = 0; i < 10; i++)
{
// blah blah
}
ASSERT(i == 10);

To me, an assertion is something that should always be true, and if it’s
not
the case, something very wrong happened: either you have a bug to fix in
your or the system is going in total panic or the universe constant
changed.
I do not consider an unexpected situation to be an assertion fault, if it
is, I remove the assertion and add the appropriate handling code.

–

Edouard

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Michal Vodicka
Sent: Tuesday, April 25, 2006 20:57
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] problem

Assertion failure warns developer about unexpected situation
and following code still handles it. Quite correct solution
for kernel code, IMO. I usually write such a code like this
(even in user mode):

if (!TVERIFY(condition)) {
// handle unexpected scenario
}

TVERIFY is ASSERT(condition) in checked build and (condition)
in free build. ASSERT macro has to expand as an boolean
expression for this purpose and I believe the latest DDKs
have it like this.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]

> ----------
> From:
xxxxx@lists.osr.com[SMTP:xxxxx@lis
ts.osr.com] on behalf of Edouard > A.[SMTP:xxxxx@wanadoo.fr]
> Reply To: Windows System Software Devs Interest List
> Sent: Tuesday, April 25, 2006 8:39 PM
> To: Windows System Software Devs Interest List
> Subject: RE: [ntdev] problem
>
> Is it me or the assert is contradicted by the if statement under??
>
> –
>
> Edouard
>
>
> ________________________________
>
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of amitr0
> Sent: Tuesday, April 25, 2006 12:56
> To: Windows System Software Devs Interest List
> Subject: Re: [ntdev] problem
>
>
> A P,
>
> Here is something from the microsoft sources. FatInit.C
inside IFS
> kit. Line # 408
>
>
> KeyValueInformation = (PKEY_VALUE_FULL_INFORMATION)Buffer;
>
> while (1) {
>
> Status = ZwQueryValueKey(Handle,
> ValueName,
> KeyValueFullInformation,
> KeyValueInformation,
> RequestLength,
> &ResultLength);
>
> ASSERT( Status != STATUS_BUFFER_OVERFLOW );
>
> if (Status == STATUS_BUFFER_OVERFLOW) {
>
> //
> // Try to get a buffer big enough.
> //
>
> if (KeyValueInformation !=
> (PKEY_VALUE_FULL_INFORMATION)Buffer) {
>
> ExFreePool(KeyValueInformation);
> }
>
> RequestLength += 256;
>
> KeyValueInformation = (PKEY_VALUE_FULL_INFORMATION)
>
ExAllocatePoolWithTag(PagedPool,
>
> RequestLength,
> ’ taF’);
>
> if (!KeyValueInformation) {
> return STATUS_NO_MEMORY;
> }
>
> } else {
>
> break;
> }
> }
>
>
>
>
>
>
>
> Well, if M$ does it this way, so can you. Well experts,
can’t we?
>
> — Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256 To unsubscribe,
visit the
> List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
>
>
>
> —
> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

---

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online
at http://www.osronline.com/page.cfm?name=ListServer

---

Wanadoo vous informe que cet e-mail a ete controle par
l’anti-virus mail.
Aucun virus connu a ce jour par nos services n’a ete detecte.

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

> -----Original Message-----

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@seagate.com
Sent: Wednesday, April 26, 2006 16:40
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] problem

Given that “ASSERT(i == 10);” is out of the scope of “for
(size_t I; {}”, the ASSERT will only compile if “i” is
defined within the scope that ASSERT exists. If it does
compile, the setting of “i” has nothing to do with the count
within the for-loop. Methinks thou didst mean:

size_t I;
for(i = 0; i < 10; i++)
{
// blah blah
}
ASSERT(i == 10);

Indeed… But did you know that the former compiles as well? Not in vc8,
but in vc7 I think it compiles. I could be pedantic and mention that your
code doesn’t compile because of the capital I. ;p

But, mostly this is personal philosophy. Setting an inline
trap to catch the failing side in an ASSERT simply insures
that condition is properly handled. Not setting an inline
time means you are absolutely, positively sure the failing
condition will never ever happen in release code. It’s simply
a matter of how thoroughly you think you need to cover your ass.

I agree. In general the more in-depth the code is, the more I assert. For
example, I do ASSERT(p != NULL) if I’m the only one passing p, so if it’s
NULL, either I have memory corruption or my code is wrong somewhere. Our
approach is that if an assertion fails in release we should bugcheck the
system because something is obviously wrong. But I understand the “ok we
assert but we are going to handle it anyways” approach, you just need to
know which philosophy is used when you read the code (which is why I asked).

–

Edouard

> ----------

From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Edouard A.[SMTP:xxxxx@wanadoo.fr]
Reply To: Windows System Software Devs Interest List
Sent: Wednesday, April 26, 2006 7:27 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] problem

Indeed… But did you know that the former compiles as well? Not in vc8,
but in vc7 I think it compiles. I could be pedantic and mention that your
code doesn’t compile because of the capital I. ;p

It is known bug/feature in the VS compilers. for ( int i = 0;…) defines i for the rest of function. There was a compiler switch how to turn it of in previous versions but it is great they finally made it default in VS8.

> But, mostly this is personal philosophy. Setting an inline
> trap to catch the failing side in an ASSERT simply insures
> that condition is properly handled. Not setting an inline
> time means you are absolutely, positively sure the failing
> condition will never ever happen in release code. It’s simply
> a matter of how thoroughly you think you need to cover your ass.

I agree. In general the more in-depth the code is, the more I assert. For
example, I do ASSERT(p != NULL) if I’m the only one passing p, so if it’s
NULL, either I have memory corruption or my code is wrong somewhere. Our
approach is that if an assertion fails in release we should bugcheck the
system because something is obviously wrong. But I understand the “ok we
assert but we are going to handle it anyways” approach, you just need to
know which philosophy is used when you read the code (which is why I asked).

I meant it as Gary wrote and I agree this is personal philosophy. Also experience. Failed assertion informs developer some of his expectation wasn’t met. It can be because of a bug, because the expectation is wrong or because of an unexpected external problem. Or because somebody else used the code written several years before and changed some conditions. So developer is informed about possible problem but why not handle it if it is possible or at least fail gracefully?

Before I had similar approach as yours. Later I realized it is pretty arrogant. Take it from user’s perspective. S/he uses computer to make some work and doesn’t care about drivers at all. Now one of them detects some of its developer’s expectation wasn’t met and causes bugcheck. All the unsaved work is lost and in the worst case data or FS structures are corrupted. Just because one of many drivers decided something isn’t as expected. It can fail current action, stop work, commit suicide but why the hell it should kill whole system? IMO bugcheck is the last resort solution and usually only OS itself can make such decision.

Next thing what changed my mind was embedded development. There is no BSOD in embedded devices because usually there is no screen at all. When connected to computer, they can be taken as a black box which works or doesn’t work. The firmware should make its best to handle anything and be able to report at least something. Total failure because of failed assertion is the worst possibility.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]

> Indeed… But did you know that the former compiles as well? Not in

vc8,
but in vc7 I think it compiles. I could be pedantic and mention that your
code doesn’t compile because of the capital I. ;p

Fortunately Microsoft have made effort to become more language standards
compliant with vc8. Unfortunately there is a lot of slop code which needs to
be upgraded and this is viewed as not more than a burden by a lot of
business managers.

I agree. In general the more in-depth the code is, the more I assert. For
example, I do ASSERT(p != NULL) if I’m the only one passing p, so if it’s
NULL, either I have memory corruption or my code is wrong somewhere. Our
approach is that if an assertion fails in release we should bugcheck the
system because something is obviously wrong. But I understand the “ok we
assert but we are going to handle it anyways” approach, you just need to
know which philosophy is used when you read the code (which is why I
asked).

Let’s put it nice and simple here; released drivers which are not critical
to survival of the operating system must not breakpoint.

How is an ASSERT going to generate a blue screen on a customer’s computer?
Do you normally ship checked drivers? ASSERT is inactive in free builds.

“Michal Vodicka” wrote in message
news:xxxxx@ntdev…
> ----------
> From:
> xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com]
> on behalf of Edouard A.[SMTP:xxxxx@wanadoo.fr]
> Reply To: Windows System Software Devs Interest List
> Sent: Wednesday, April 26, 2006 7:27 PM
> To: Windows System Software Devs Interest List
> Subject: RE: [ntdev] problem
>
> Indeed… But did you know that the former compiles as well? Not in
> vc8,
> but in vc7 I think it compiles. I could be pedantic and mention that your
> code doesn’t compile because of the capital I. ;p
>
It is known bug/feature in the VS compilers. for ( int i = 0;…) defines i
for the rest of function. There was a compiler switch how to turn it of in
previous versions but it is great they finally made it default in VS8.

> > But, mostly this is personal philosophy. Setting an inline
> > trap to catch the failing side in an ASSERT simply insures
> > that condition is properly handled. Not setting an inline
> > time means you are absolutely, positively sure the failing
> > condition will never ever happen in release code. It’s simply
> > a matter of how thoroughly you think you need to cover your ass.
>
> I agree. In general the more in-depth the code is, the more I assert. For
> example, I do ASSERT(p != NULL) if I’m the only one passing p, so if it’s
> NULL, either I have memory corruption or my code is wrong somewhere. Our
> approach is that if an assertion fails in release we should bugcheck the
> system because something is obviously wrong. But I understand the “ok we
> assert but we are going to handle it anyways” approach, you just need to
> know which philosophy is used when you read the code (which is why I
> asked).
>
I meant it as Gary wrote and I agree this is personal philosophy. Also
experience. Failed assertion informs developer some of his expectation
wasn’t met. It can be because of a bug, because the expectation is wrong or
because of an unexpected external problem. Or because somebody else used the
code written several years before and changed some conditions. So developer
is informed about possible problem but why not handle it if it is possible
or at least fail gracefully?

Before I had similar approach as yours. Later I realized it is pretty
arrogant. Take it from user’s perspective. S/he uses computer to make some
work and doesn’t care about drivers at all. Now one of them detects some of
its developer’s expectation wasn’t met and causes bugcheck. All the unsaved
work is lost and in the worst case data or FS structures are corrupted. Just
because one of many drivers decided something isn’t as expected. It can fail
current action, stop work, commit suicide but why the hell it should kill
whole system? IMO bugcheck is the last resort solution and usually only OS
itself can make such decision.

Next thing what changed my mind was embedded development. There is no BSOD
in embedded devices because usually there is no screen at all. When
connected to computer, they can be taken as a black box which works or
doesn’t work. The firmware should make its best to handle anything and be
able to report at least something. Total failure because of failed assertion
is the worst possibility.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]

I commented the following:

Our approach is that if an assertion fails in release we should bugcheck the system because something is obviously wrong.

Next, I use own asserts and traces which can be active in the free build, too. It depends on build configuration. We sometimes ship such a driver for customers who use them for field testing.

Finally, we discuss the difference between two approaches:

ASSERT(p != NULL);
*p = x;

and

if (TVERIFY(p != NULL)) {
*p = x;
}

The first would cause bugcheck in the free build if assertion fails, the second won’t.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]

---

From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of David J. Craig[SMTP:xxxxx@yoshimuni.com]
Reply To: Windows System Software Devs Interest List
Sent: Thursday, April 27, 2006 12:51 AM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] problem

How is an ASSERT going to generate a blue screen on a customer’s computer?
Do you normally ship checked drivers? ASSERT is inactive in free builds.

“Michal Vodicka” wrote in message
> news:xxxxx@ntdev…
> > ----------
> > From:
> > xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com]
> > on behalf of Edouard A.[SMTP:xxxxx@wanadoo.fr]
> > Reply To: Windows System Software Devs Interest List
> > Sent: Wednesday, April 26, 2006 7:27 PM
> > To: Windows System Software Devs Interest List
> > Subject: RE: [ntdev] problem
> >
> > Indeed… But did you know that the former compiles as well? Not in
> > vc8,
> > but in vc7 I think it compiles. I could be pedantic and mention that your
> > code doesn’t compile because of the capital I. ;p
> >
> It is known bug/feature in the VS compilers. for ( int i = 0;…) defines i
> for the rest of function. There was a compiler switch how to turn it of in
> previous versions but it is great they finally made it default in VS8.
>
> > > But, mostly this is personal philosophy. Setting an inline
> > > trap to catch the failing side in an ASSERT simply insures
> > > that condition is properly handled. Not setting an inline
> > > time means you are absolutely, positively sure the failing
> > > condition will never ever happen in release code. It’s simply
> > > a matter of how thoroughly you think you need to cover your ass.
> >
> > I agree. In general the more in-depth the code is, the more I assert. For
> > example, I do ASSERT(p != NULL) if I’m the only one passing p, so if it’s
> > NULL, either I have memory corruption or my code is wrong somewhere. Our
> > approach is that if an assertion fails in release we should bugcheck the
> > system because something is obviously wrong. But I understand the “ok we
> > assert but we are going to handle it anyways” approach, you just need to
> > know which philosophy is used when you read the code (which is why I
> > asked).
> >
> I meant it as Gary wrote and I agree this is personal philosophy. Also
> experience. Failed assertion informs developer some of his expectation
> wasn’t met. It can be because of a bug, because the expectation is wrong or
> because of an unexpected external problem. Or because somebody else used the
> code written several years before and changed some conditions. So developer
> is informed about possible problem but why not handle it if it is possible
> or at least fail gracefully?
>
> Before I had similar approach as yours. Later I realized it is pretty
> arrogant. Take it from user’s perspective. S/he uses computer to make some
> work and doesn’t care about drivers at all. Now one of them detects some of
> its developer’s expectation wasn’t met and causes bugcheck. All the unsaved
> work is lost and in the worst case data or FS structures are corrupted. Just >
> because one of many drivers decided something isn’t as expected. It can fail
> current action, stop work, commit suicide but why the hell it should kill
> whole system? IMO bugcheck is the last resort solution and usually only OS
> itself can make such decision.
>
> Next thing what changed my mind was embedded development. There is no BSOD
> in embedded devices because usually there is no screen at all. When
> connected to computer, they can be taken as a black box which works or
> doesn’t work. The firmware should make its best to handle anything and be
> able to report at least something. Total failure because of failed assertion
> is the worst possibility.
>
> Best regards,
>
> Michal Vodicka
> UPEK, Inc.
> [xxxxx@upek.com, http://www.upek.com]
>
>
>
>
>
>
>
>
>
>
> —
> Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256
>
> To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
>

> -----Original Message-----

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of David J. Craig
Sent: Thursday, April 27, 2006 00:52
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] problem

How is an ASSERT going to generate a blue screen on a
customer’s computer?
Do you normally ship checked drivers? ASSERT is inactive in
free builds.

ASSERT is indeed removed in the free build, which means it’s as if it wasn’t
present. We don’t add any specific code to replace with a bugcheck. By the
way, we don’t have ASSERT on data provided by the user, system or other
drivers, because as you said it would be a bold statement, an arrogant one.

As for bugchecks, I think any driver which detects a major inconstency
should bugcheck. The earliest you bugcheck, the safest. Imagine your
corruption is caused by malware: you offered the user the opportunity to
realize something was wrong with his system. If this is error is simply
internal, then a status_error* is enough of course. Again it’s very general
and like Lindon said if you write a driver for an USB coffee mug or a file
system driver the rules aren’t the same.

–

Edouard

“Let’s put it nice and simple here; released drivers which are not
critical
to survival of the operating system must not breakpoint.”

And should NEVER, EVER, spew debug print outs to the debug command window.

Gary G. Little

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Lyndon J. Clarke
Sent: Wednesday, April 26, 2006 5:27 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] problem

“And should NEVER, EVER, spew debug print” Well that is a bit too
absolute for me. For example an ASSERT that transforms itself into a
debug print is probably a good thing. If you mean spew as in a
continuous stream of debug prints, fine. If you mean any debug prints, I
disagree.

Also, drivers that have a runtime settable production build debug print
trace stream are fine with me, although I prefer ETW (gak that is hard
to write) for this functionality.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@seagate.com
Sent: Thursday, April 27, 2006 10:23 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] problem

“Let’s put it nice and simple here; released drivers which are not
critical
to survival of the operating system must not breakpoint.”

And should NEVER, EVER, spew debug print outs to the debug command
window.

Gary G. Little

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Lyndon J. Clarke
Sent: Wednesday, April 26, 2006 5:27 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] problem

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

“Let’s put it nice and simple here; released drivers which are not critical to survival of the operating system must not breakpoint.”


[/quote]


I’m not sure I follow this line of reasoning. You’re saying:

1) Drivers that ARE NOT crucial to the operation of the system shouldn’t breakpoint when they detect a fatal condition. Why not? What should they do instead, call KeBugCheck? The breakpoint will result in a BSOD.

2) Drivers that ARE crucial to the operation of the system CAN breakpoint when they detect a fatal condition??

Are you attempting to differentiate between taking a breakpoint and calling KeBugCheck? I’m not sure.

In my opinion – which has in fact changed over the years – if a driver detects a condition that cannot be accounted for, then SOME crash is in order. There’s been a failure of some logic… either the programmer’s or the driver’s. Ignoring the problem just propagates it and makes it impossible to debug the 3rd, 4th, 5th order effects later on.

While Mr. Vodicka’s position that non-crucial drivers should “fail current action, stop work, commit suicide” might sound good in theory. However, except in the cases of embedded and closed systems (which Mr. Vodicka cites), in practice we don’t know which drivers are crucial TO THE USER’S USE of the machine. Further, in practice, it’s rarely easy to just make your kernel-mode driver “commit suicide” – we don’t really have a very good environment for restartable kernel-mode drivers on Windows. And when you fail-back the current operation, you could be failing it to another driver or a user app, that’ll do… who knows what hideous thing.

So, in all likelihood, if you follow the kinder gentler advice and you don’t BugCheck the system, you leave the user with a system that might continue to run, maybe, but doesn’t work for SOME use, perhaps their PRIMARY use, and you’ve provided limited user-accessible debugging information.

On the other hand, you BugCheck the system, it’s clear indicate to the user that something’s hosed, the user submits the crash to OCA, and you’ve got the info you need to fix the problem.

Now, clearly, what you see is a function of where you sit. So I’m sure my opinion (and that of the other posters here) is colored by the type of drivers I tend to work on (most of which, I admit, tend to be critical to system operation). Still…

Peter
OSR

I don’t mind splashing a brag printout at start up or shut down, or having
ASSERT print out on an error, is perfectly fine. But miles and miles of
nothing but miles and miles of "I did this here and that there " is
unacceptable.

Gary G. Little

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Roddy, Mark
Sent: Thursday, April 27, 2006 9:38 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] problem

“And should NEVER, EVER, spew debug print” Well that is a bit too
absolute for me. For example an ASSERT that transforms itself into a
debug print is probably a good thing. If you mean spew as in a
continuous stream of debug prints, fine. If you mean any debug prints, I
disagree.

Also, drivers that have a runtime settable production build debug print
trace stream are fine with me, although I prefer ETW (gak that is hard
to write) for this functionality.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@seagate.com
Sent: Thursday, April 27, 2006 10:23 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] problem

“Let’s put it nice and simple here; released drivers which are not
critical
to survival of the operating system must not breakpoint.”

And should NEVER, EVER, spew debug print outs to the debug command
window.

Gary G. Little

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Lyndon J. Clarke
Sent: Wednesday, April 26, 2006 5:27 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] problem

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Ok - we are in violent agreement.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@seagate.com
Sent: Thursday, April 27, 2006 11:04 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] problem

I don’t mind splashing a brag printout at start up or shut down, or
having
ASSERT print out on an error, is perfectly fine. But miles and miles of
nothing but miles and miles of "I did this here and that there " is
unacceptable.

Gary G. Little

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Roddy, Mark
Sent: Thursday, April 27, 2006 9:38 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] problem

“And should NEVER, EVER, spew debug print” Well that is a bit too
absolute for me. For example an ASSERT that transforms itself into a
debug print is probably a good thing. If you mean spew as in a
continuous stream of debug prints, fine. If you mean any debug prints, I
disagree.

Also, drivers that have a runtime settable production build debug print
trace stream are fine with me, although I prefer ETW (gak that is hard
to write) for this functionality.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@seagate.com
Sent: Thursday, April 27, 2006 10:23 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] problem

“Let’s put it nice and simple here; released drivers which are not
critical
to survival of the operating system must not breakpoint.”

And should NEVER, EVER, spew debug print outs to the debug command
window.

Gary G. Little

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Lyndon J. Clarke
Sent: Wednesday, April 26, 2006 5:27 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] problem

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

> Now, clearly, what you see is a function of where you sit. So I’m sure my opinion (and that of the other posters here) is colored by the type of drivers I tend to work on (most of which, I admit, tend to be critical to system operation). Still…

I’d agree. If my USB driver fails for some reason, user won’t be able to use our fingerprint sensor. In the worst case it means user won’t be able to logon again or open encrypted data storage. Nothing of this excuses immediate BSOD and loss of big Word file which user just writes. On the other hand, if the problem is detected by a driver which controls filesystem to which Word just tries to write the data, situation is a bit different.

Still I believe 95% of drivers aren’t important enough to crash OS.

BTW, from developer’s point of view it is surely better to bugcheck and let user to submit crash to OCA. Better until pissed off users find you

(I love when checked build USB OS drivers bugcheck just because I disconnect USB flashdrive…)

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]

> ----------

From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Roddy, Mark[SMTP:xxxxx@stratus.com]
Reply To: Windows System Software Devs Interest List
Sent: Thursday, April 27, 2006 4:37 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] problem

“And should NEVER, EVER, spew debug print” Well that is a bit too
absolute for me. For example an ASSERT that transforms itself into a
debug print is probably a good thing. If you mean spew as in a
continuous stream of debug prints, fine. If you mean any debug prints, I
disagree.

Exactly. RtlAssert when kernel debugger is present and debug print otherwise.

Also, drivers that have a runtime settable production build debug print
trace stream are fine with me, although I prefer ETW (gak that is hard
to write) for this functionality.

No only drivers, apps too. With traces disabled by default. Sometimes settable traces are the only way how to find rare problem at user’s machine. And mostly the most convenient one for all involved.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]

>It is known bug/feature in the VS compilers. for ( int i = 0;…) defines i
for the rest

of function.

This is C++ standard (at least according to Stroustrup/Ellis). I used this in
Borland C++ 3.1 in around 1993.

About assertions. In practice, they are not so good.

Usually, if the assertion fails, BSOD will follow very soon, and BSOD analyzis
will be enough to fix the bug.

Now note that assertions are only to help bug analyzing, they do not make the
system more robust - they make BSOD anyway, just earlier.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com