Let me try again.
Generically speaking, when you format a request, any WDFMEMORYs that you
pass to the format call will have a reference added. That reference is
removed when the formatted request is
- reused
- reformatted
- completed
When you reference a WDFMEMORY that you created, it increments the
WDFMEMORY object’s reference count. When you reference a WDFMEMORY from
a request (e.g. calling WdfRequestRetrieveInput/OutputMemory), it
increments the owning WDFREQUEST’s irp reference count. If a request is
completed with an irp reference count of != 0, we bugcheck.
So, if you format a WDFQUEUE presented request with its own WDFMEMORY,
things just work. Why? Because we deref the WDFMEMORY in the format in
the completion path (before the irp ref count check). If you format
some other request (request A) with another request’s WDFMEMORY (request
B), when request A completes back to your driver, you have to manually
dereference the memory used in the format. WdfRequestReuse does this
for you. If you format a request with your own WDFMEMORY, there is no
irp ref count to worry about because the ref on the WDFMEMORY will
increment the WDFMEMORY’s ref count.
Moral of the story: if you are using a request’s WDFMEMORY outside of
the context of the owning request, you have to be a bit careful.
This is covered in great detail in the WDF book. We also have a great
whitepaper describing the different scenarios,
http://www.microsoft.com/whdc/driver/tips/WDFmem.mspx?pf=true#wdfmem1
d
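The reference rules in the reply above, as an added example that is not part of the original message and is not KMDF code: a small stand-alone C model in which every type and function name (Request, Memory, request_format, request_reuse, request_complete) is hypothetical. It shows the irp reference being released when the owning request completes, left outstanding when another request borrowed the memory, and cleared when that other request is reused first.

```c
#include <stdio.h>
#include <stddef.h>

/* Toy model of the rules described above; not KMDF code. All names are hypothetical. */
typedef struct Request Request;
typedef struct { Request *owner; int refs; } Memory;   /* owner == NULL: driver-created */
struct Request { int irp_refs; Memory *formatted_with; };

/* A reference lands on the owning request's irp count, or on the memory object itself. */
static void mem_ref(Memory *m)   { if (m->owner) m->owner->irp_refs++; else m->refs++; }
static void mem_deref(Memory *m) { if (m->owner) m->owner->irp_refs--; else m->refs--; }

/* Reuse drops the reference taken by the previous format call. */
static void request_reuse(Request *r) {
    if (r->formatted_with) { mem_deref(r->formatted_with); r->formatted_with = NULL; }
}
static void request_format(Request *r, Memory *m) {
    request_reuse(r);              /* reformat releases the old reference first */
    mem_ref(m);
    r->formatted_with = m;
}
/* Completion: drop this request's own format reference, then check the irp count.
   Returns 0 on success, -1 where the framework would bugcheck. */
static int request_complete(Request *r) {
    request_reuse(r);
    return r->irp_refs == 0 ? 0 : -1;
}

/* Scenario 1: queue-presented request formatted with its own memory. */
int scenario_own_memory(void) {
    Request io = {0, NULL}; Memory out = {&io, 0};
    request_format(&io, &out);
    return request_complete(&io);
}
/* Scenario 2: request A (reader) formatted with request B's (io) memory. */
int scenario_borrowed_memory(int reuse_first) {
    Request io = {0, NULL}, reader = {0, NULL}; Memory out = {&io, 0};
    request_format(&reader, &out);             /* io.irp_refs becomes 1 */
    if (reuse_first) request_reuse(&reader);   /* manual release before completing io */
    return request_complete(&io);
}
/* Scenario 3: driver-created memory never touches an irp count. */
int scenario_driver_memory(void) {
    Request io = {0, NULL}, reader = {0, NULL}; Memory buf = {NULL, 1};
    request_format(&reader, &buf);
    return (request_complete(&io) == 0 && buf.refs == 2) ? 0 : -1;
}
int main(void) {
    printf("own=%d borrowed=%d borrowed+reuse=%d driver=%d\n", scenario_own_memory(),
           scenario_borrowed_memory(0), scenario_borrowed_memory(1), scenario_driver_memory());
    return 0;
}
```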
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of David Voeller
Sent: Friday, March 16, 2007 4:41 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] WDF_VIOLATION (10D) 0x0000010d
In WinDbg, I didn’t see a reference count on the WDFMEMORY object, only
the IRP.
In a different IOCTL handler of my driver, the WDFMEMORY object that I
create isn’t a problem. I reuse it until I’m completely done with it as
you indicate.
The IOCTL handler and hence the WDFMEMORY I’m having a problem with is
the one I’m trying to use from the IOCTL IRP. This IRP is from a direct
in IOCTL and I’d like to transfer the data directly to the data buffer
provided by the direct IOCTL. So I did this:
WdfRequestRetrieveOutputMemory         ; Get IRP’s memory
WdfUsbTargetPipeFormatRequestForRead   ; Use IRP’s memory and fill it directly when request is sent
                                       ; IRP’s reference count incremented
:
:
Completion Routine
:
:
WdfRequestCompleteWithInformation
“Doron Holan” wrote in message
news:xxxxx@ntdev…
When you format a request with a WDFMEMORY, KMDF will take a reference
on the memory you used to do the format. This reference increments the
request memory ref count. If the request you are formatting owns the
WDFMEMORY you are using in the format call (e.g. it will be the one you
complete later), this reference is automatically removed upon
completion. The reference is also removed on reformat (which would read
the reference if you used the same WDFMEMORY), deletion of the request,
or reuse of the request (the request must have been allocated by the
driver for the last 2). Since you are using your own allocated request,
the irp memory reference is not automatically removed on completion, as
you can see. Reusing the reader request will release the reference in
question
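WDF_REQUEST_REUSE_PARAMS reuse;
/* The init macro also takes the status to set on the reused request. */
WDF_REQUEST_REUSE_PARAMS_INIT(&reuse, WDF_REQUEST_REUSE_NO_FLAGS, STATUS_SUCCESS);
/* WdfRequestReuse expects a pointer to the params structure. */
WdfRequestReuse(pDC->m_hReadRequest, &reuse);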
Before completing pDC->m_hIoRequest
d
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of David Voeller
Sent: Friday, March 16, 2007 2:33 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] WDF_VIOLATION (10D) 0x0000010d
I have a WDF USB driver on XP sp2 that is throwing WDF_VIOLATION (10d).
Driver Verifier v5.1.2600.0 is turned on.
Driver Verifier Settings
Yes Special Pool
Yes Pool Tracking
Yes Force IRQL checking
Yes I/O Verification
No Enhanced I/O verification
Yes Deadlock detection
Yes DMA checking
No Low Resources Simulation
WinDbg output at the point of the BugCheck.
kd> !analyze -v
****************************************************************
Bugcheck Analysis
*
*****************************************************************
WDF_VIOLATION (10d)
The Kernel-Mode Driver Framework has detected that Windows detected an error
in a framework-based driver. In general, the dump file will yield additional
information about the driver that caused this bug check.
Arguments:
Arg1: 00000003, Windows Driver Framework Verifier has encountered a fatal error.
In particular, an I/O request has been completed, but a framework
request object cannot be deleted because there are outstanding
references to the input buffer or the output buffer, or both. The
driver’s IFR will include details on the outstanding references.
Arg2: 759f7d30, WDFREQUEST handle
Arg3: 00000001, The number of outstanding references remaining on both buffers
Arg4: 8883b118, Reserved.
Debugging Details:
------------------
:
:
:
If I call “WdfUsbTargetPipeFormatRequestForRead(…)” with a WDF Memory
object I created in the driver with “WdfMemoryCreate(…)” the IrpRefCount
reported in WinDbg using !wdfkd.wdfrequest 0xXXXXXXXX is not
incremented. I can send the request synchronously and it works.
If I call “WdfUsbTargetPipeFormatRequestForRead(…)” with a WDF Memory
object from the IOCTL such as in the following code the IrpRefCount
reported in WinDbg using !wdfkd.wdfrequest 0xXXXXXXXX is incremented.
ntStatus = WdfRequestRetrieveOutputMemory(pDC->m_hIoRequest, &hWdfMemory);
ntStatus = WdfUsbTargetPipeFormatRequestForRead(pDC->m_ImageInPipe,
    pDC->m_hReadRequest, hWdfMemory, NULL);
I haven’t found anything in the documentation about the IrpRefCount
being incremented but it makes sense to me that the reference count to
the IRP would be incremented. So I send this formatted request
asynchronously to the device and in the completion routine I get the
WDF_VIOLATION (10d) when the function
WdfRequestCompleteWithInformation(pDC->m_hIoRequest, ntStatus,
    pDC->m_lBytesReadFromDevice);
is called because there is still a reference count on the IRP. I know
there is a reference count because it was reported in WinDbg using
!wdfkd.wdfrequest 0xXXXXXXXX.
Is there a WDF preferred way to decrement the reference count prior to
calling WdfRequestCompleteWithInformation(…)?
-Dave
—
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer