To Peter’s point, and more generally:
Except for exhaustive analysis, which is NP-hard for extant single-threaded platforms, theoretically impossible for future compatibility and might as well be impossible for any multi-threaded platform, testing can only prove the presence of bugs, not their absence.
Also, if there is an error in the documentation, the vendor always has two choices:
Fix the code to follow the documentation; or
Fix the documentation to match the code
Like most things in life, including the rationale behind code review, it is much less likely that two statements of a fact in two independent paradigms are wrong (and both in a compatible way) than one is.
From: xxxxx@osr.com
Sent: Thursday, February 12, 2015 1:58 PM
To: Windows System Software Devs Interest List
Well, modulo documentation errors, the documentation describes the contract for the API. If it says the callback runs at IRQL PASSIVE_LEVEL in the context of the calling thread, you have the right to assume that’s what will happen.
Here’s where I differ with you: I don’t think it’s easy at all. In fact, I don’t think it’s even possible. The documentation is telling you that you’ll ALWAYS get called at IRQL PASSIVE_LEVEL in the context of the calling thread. Not that you’ll get called there when you test it. But every time. And in Windows 10. And on ARM. And on whatever new hardware architecture gets developed. And in Windows 11. You’ll get called at IRQL PASSIVE_LEVEL in the context of the calling thread. There’s no test you can do to prove this.
I’m sorry, but I differ with you here once again. “Arbitrary process context” means the process under which you’re running can’t be reliably determined in advance. Nothing more. It may very well make sense to see if you’re running in a specific thread context as an optimization.
So, to ME, it’s all about the CONTRACT. Not about what you happen to see when you run your test code… UNLESS what you see DISPROVES the contract as documented, in which case the contract as documented is clearly invalid.
And the documentation CAN indeed be wrong. Since we’re talking about callbacks, the best example here is documentation for PsSetCreateThreadNotifyRoutine. It said at one time (heck, maybe it still does) that the callback is called at IRQL PASSIVE_LEVEL, but we have documented cases where the callback is called at IRQL APC_LEVEL (see http://www.osronline.com/showthread.cfm?link=248406).
Peter
OSR
@OSRDrivers
NTDEV is sponsored by OSR
Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev