Driver debugging

Eliyas Yakub

Developer Support

DDK


Agenda

  • Overview of PnP driver

  • How to get device status with a debugger

  • Debug driver unload issue

  • How to debug & enable debug tracing in:

    • NDIS

    • Video

    • PCI/PCMCIA

    • SCSI

    • 1394

    • USB

    • HID

    • Serial

    • Audio

    • Printer


Basic Objects

  • Driverobject – one for every driver

  • Deviceobjects – one or more objects created by drivers to represent devices

  • Three kinds of Deviceobjects

    • PDO (Physical deviceobject created by bus driver)

    • FDO (Functional deviceobject created by function driver)

    • FiDO (Filter deviceobjects created by filter drivers)

  • Devnode – present in the PDO

  • Devnode contains the PNP state of the device


Device Stack

[Figure: device stack diagram. Driver layers labeled Upper Class, Upper Device, Function Driver, Lower Class, Lower Device, Bus Driver; device objects labeled FiDO, FDO, PDO.]


DriverObject

  • If you know the service name:

    !drvobj toaster

    Driver object (81254df8) is for:

    \Driver\toaster

    Driver Extension List: (id , addr)

    Device Object list:

    811b4bf8

  • !drvobj 81254df8


Device Stack

  • From the deviceobject, you can get the entire device stack information:

    KD>!devstack 811b4bf8

    !DevObj !DrvObj !DevExt ObjectName

    >811b4bf8 \Driver\toaster 811b4cb0

    81753a30 \Driver\busenum 81753ae8 0000004f

    !DevNode 81750a60 :

    DeviceInst is "Toaster\MsToaster\1&1a590e2c&0&01"

    ServiceName is "toaster"


Status of a device - Devnode

  • Dump the devnode to get the pnp state and resources of a device:

    !DevNode 0x81750a60

    DevNode 0x81750a60 for PDO 0x81753a30

    Parent 0x8179b350 Sibling 0000000000 Child 0000000000

    InstancePath is "Toaster\MsToaster\1&1a590e2c&0&01"

    ServiceName is "toaster"

    State = DeviceNodeStarted (0x308)

    Previous State = DeviceNodeEnumerateCompletion (0x30d)

    StateHistory[07] = DeviceNodeEnumerateCompletion (0x30d)

    StateHistory[06] = DeviceNodeStarted (0x308)

    StateHistory[05] = DeviceNodeStartPostWork (0x307)

    StateHistory[04] = DeviceNodeStartCompletion (0x306)

    StateHistory[03] = DeviceNodeResourcesAssigned (0x304)

    StateHistory[02] = DeviceNodeDriversAdded (0x303)

    StateHistory[01] = DeviceNodeInitialized (0x302)

    StateHistory[00] = DeviceNodeUninitialized (0x301)

    Flags (0x00000030) DNF_ENUMERATED, DNF_IDS_QUERIED

    CapabilityFlags (0x00000218) EjectSupported, Removable,

    SurpriseRemovalOK


Devnode (2)

  • !DevNode 817ba310 2

    DevNode 0x817ba310 for PDO 0x817958e0

    <snip>

    CmResourceList at 0xe139f7f8 Version 0.0 Interface 0x5 Bus #0

    Entry 0 - Port (0x1) Device Exclusive (0x1)

    Flags (0x31) - PORT_MEMORY PORT_IO 16_BIT_DECODE POSITIVE_DECODE

    Range starts at 0xffa0 for 0x10 bytes

    Entry 1 - DevicePrivate (0x81) Device Exclusive (0x1)

    Flags (0000) -

    Data - {0x00000001, 0x00000004, 0000000000}

    BootResourcesList at 0xe1392f40 Version 1.1 Interface 0x5 Bus #0

    Entry 0 - Port (0x1) Undetermined Sharing (0)

    Flags (0x01) - PORT_MEMORY PORT_IO

    Range starts at 0xffa0 for 0x10 bytes


Devnode (3)

  • To display the entire device tree starting from the root device

    !devnode 0 1


Resource Conflict

  • !arbiter – current system resource arbiters and arbitrated ranges.

  • This command is useful for debugging resource conflicts

  • WinDbg help describes how to use the !arbiter command to identify a resource conflict


Get dispatch points

  • !drvobj toaster 2

    Driver object (81254df8) is for:

    \Driver\toaster

    DriverEntry: f9e20242 toaster!DriverEntry

    DriverStartIo: 00000000

    DriverUnload: f9e1db9c toaster!ToasterUnload

    Dispatch routines:

    [00] IRP_MJ_CREATE f9e1d369 toaster!ToasterCreate

    [16] IRP_MJ_POWER f9e1dc57 toaster!ToasterDispatchPower

    [17] IRP_MJ_SYSTEM_CONTROL f9e1ed26 toaster!ToasterSystemControl

    [18] IRP_MJ_DEVICE_CHANGE 804f9fe2 nt!IopInvalidDeviceRequest

    [1b] IRP_MJ_PNP f9e1ca44 toaster!ToasterDispatchPnp

  • bp toaster!ToasterDispatchPnp


Dump Deviceobject

  • !devobj 811b4bf8

    Device object (811b4bf8) is for:

    \Driver\toaster DriverObject 81254df8

    Current Irp 00000000 RefCount 0 Type 00000022 Flags 00002004

    DevExt 811b4cb0 DevObjExt 811b4d98

    ExtensionFlags (0000000000)

    AttachedTo (Lower) 81753a30 \Driver\busenum

    Device queue is not busy.


Dump a PDO

  • !devobj 81753a30

    Device object (81753a30) is for:

    0000004f \Driver\busenum DriverObject 8123de18

    Current Irp 00000000 RefCount 0 Type 0000002a Flags 00003040

    DevExt 81753ae8 DevObjExt 81753b20 DevNode 81750a60

    ExtensionFlags (0000000000)

    AttachedDevice (Upper) 811b4bf8 \Driver\toaster

    Device queue is not busy.


Debugging Driver Unload

  • Due to leaked references or open handles

  • Get the driverobject/deviceobject address (IopLoadDriver or IoCreateDevice)

  • !object 81a578c0

    Object: 81a578c0 Type: (81bd0e70) Device ObjectHeader: 81a578a8 HandleCount: 0 PointerCount: 3

    Directory Object: e1001208 Name: Serial0

  • ba w4 81a578a8 "k;g"


Due to Open Handles

  • Run oh.exe on the target checked build system

  • This tells the system to track handles

  • Restart the machine & disable the device

  • PnP dumps the following info when a query remove is vetoed:

    1:Beginning handle dump:

    1: (Failed Query-Remove - *Might* by due to leaked handles)

    1: DeviceObject:816CAEE0 ProcessID:1744T FileObject:817808D0 Handle:636T

    1:Dump complete - 1 total handles found.

  • !process 6D0 (the ProcessID 1744T in the dump is decimal; 6D0 is the same value in hex)


Debug Trace

  • Introduced new DbgPrintEx function on XP

    ULONG DbgPrintEx(IN ULONG ComponentID,

    IN ULONG Level, IN PCHAR Format, . . . . [arguments] );

  • Microsoft has defined ~95 component filter IDs (look for DPFLTR_TYPE in ntddk.h)

  • For every component filter, there is a global mask variable:

    NT!Kd_IHVVIDEO_Mask

    NT!Kd_IHVAUDIO_Mask


Debug Trace

  • You can set the value of the mask either through the registry or with a debugger:

    HKLM\SYSTEM\CCS\Control\Session Manager\Debug Print Filter

    “IHV_AUDIO”=REG_DWORD:0xFFFFFFFF

    Or

    ed NT!Kd_IHVAUDIO_Mask 0xffffffff

  • Debug output is filtered based on the global mask (Kd_Win2000_Mask) and the component-level mask

  • How the mask and level values are used in filtering the output is documented in the Windbg Help file.


Debug Trace

  • Find your component ID either from the ntddk.h file or

    KD> x NT!Kd_*_Mask

  • Set the value to max for verbose output (0xffffffff)

  • Not all the drivers in the system are using this new function
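
The filtering decision these Debug Trace slides refer to, as an added example that is not part of the original presentation: a user-mode C model of how the Level passed to DbgPrintEx is combined with Kd_WIN2000_Mask and the component mask. The helper names and the sample mask values are assumptions made for the illustration; the rule modelled is the documented one (levels 0 to 31 are bit positions, larger values are bit fields, and the component mask is ORed with the global mask).

```c
#include <stdint.h>
#include <stdio.h>

/* Severity levels DbgPrintEx callers pass as Level (DDK header values). */
#define DPFLTR_ERROR_LEVEL   0u
#define DPFLTR_WARNING_LEVEL 1u
#define DPFLTR_TRACE_LEVEL   2u
#define DPFLTR_INFO_LEVEL    3u

/* Level 0..31 names a bit position; a larger value is already a bit field. */
static uint32_t importance_bits(uint32_t level)
{
    return (level <= 31u) ? (UINT32_C(1) << level) : level;
}

/* Hypothetical helper modelling the filter: the component mask is ORed with
 * the global Kd_WIN2000_Mask and tested against the importance bits.
 * Returns 1 if the message would be shown, 0 if it would be dropped. */
static int dbgprintex_passes(uint32_t win2000_mask, uint32_t component_mask,
                             uint32_t level)
{
    return ((win2000_mask | component_mask) & importance_bits(level)) != 0;
}

int main(void)
{
    /* Constructed sample values: a global mask of 0x1 (errors only) and
     * three settings for a component mask such as Kd_IHVAUDIO_Mask. */
    const uint32_t win2000 = 0x1;
    const uint32_t masks[] = { 0x0, 0x3, 0xffffffff };
    const uint32_t levels[] = { DPFLTR_ERROR_LEVEL, DPFLTR_WARNING_LEVEL,
                                DPFLTR_TRACE_LEVEL, DPFLTR_INFO_LEVEL,
                                0x100 /* driver-defined bit field */ };

    for (size_t m = 0; m < sizeof masks / sizeof masks[0]; m++) {
        printf("component mask 0x%08x:", (unsigned)masks[m]);
        for (size_t l = 0; l < sizeof levels / sizeof levels[0]; l++)
            printf(" level 0x%x=%s", (unsigned)levels[l],
                   dbgprintex_passes(win2000, masks[m], levels[l])
                       ? "shown" : "dropped");
        printf("\n");
    }
    return 0;
}
```

With the component mask left at 0 only error-level output passes, which is why the slides set the mask to 0xffffffff for verbose tracing.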


NDIS Debugging

  • Requires checked build NDIS

  • Load NDIS debugger extension

    !load ndiskd.dll

  • Enable NDIS debug tracing

    !dbglevel

    Current setting: INFO

    Available settings:

    INFO LOG WARN ERR

    !dbgsystems

    Current settings: PNP

    Available settings:

    INIT CONFIG SEND RECV PROTOCOL

    BIND BUS_QUERY REGISTRY MEMORY FILTER

    REQUEST WORK_ITEM PNP PM OPEN

    LOCKS RESET WMI NDIS_CO REFERENCE


NDIS Debug Tracing

  • Enable through registry:

    HKLM\SYSTEM\CurrentControlSet\Services\NDIS\Parameters:

    "DebugLevel"=dword:00000000

    "DebugSystems"=dword:000030F3

    "DebugBreakPoint"=dword:00000001

  • Requires a reboot.

  • Values of DebugSystems & DebugLevel are documented in the DDK.


NDIS Extensions

  • !miniports

    Miniport Driver Block: 816f6190, Version 0.0

    Miniport: 81645870 Direct Parallel

    Miniport Driver Block: 8166f8b0, Version 4.5

    Miniport: 8166caf0 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible)

    Miniport Driver Block: 81676b20, Version 2.0

    Miniport: 81673878 3Com 10/100 PCI Server NIC w/3XP (3CR990SVR95)

  • !miniport 81673878

    • Dumps the NDIS, PnP and power state of the device


NDIS Extensions (2)

  • !protocols

    Protocol 815c3e90: TCPIP

    Open 81729be0 - Miniport: 8162f670 3Com 3C920 Integrated Fast Ethernet Controller

    Protocol 81712210: NDPROXY

    Open 81605008 - Miniport: 81645870 Direct Parallel

    Protocol 8171ddb8: NDISWAN

    Open 81721150 - Miniport: 81645870 Direct Parallel

    Open 81605110 - Miniport: 81582138 WAN Miniport (PPTP)

  • !protocol 815c3e90

  • !mopen 81721150


NDIS Extensions (3)


Video Miniport Debugging

  • Requires checked build system or checked build video port & miniport drivers

  • Doesn’t have debugger extension

  • Enable debug tracing by setting the global variable(s)

  • Variable names are different between Win2K and XP


Video Miniport (2)

  • On Windows 2000, you can enable debug tracing either through registry or debugger

  • Set the value of VideoDebugLevel (0-3) in the registry:

    HKLM\SYSTEM\CCS\Services\DriverName\DeviceN

    VideoDebugLevel:REG_DWORD: 2

  • ed videoprt!VideoDebugLevel 3


Video Miniport (3)

  • Video port on XP uses new DbgPrintEx function

  • Following variables are defined for video drivers

    Kd_IHVVIDEO_Mask

    Kd_VIDEO_Mask

    Kd_VIDEOPRT_Mask

  • HKLM\SYSTEM\CCS\Control\Session Manager\Debug Print Filter

    “IHVVIDEO”=DWORD: 0xffffffff


Storage Driver Debugging

  • On Win2K:

  • On XP, set values of

    NT!Kd_ScsiPort_Mask

    NT!Kd_ScsiMiniport_Mask


SCSI Driver

  • To list device objects created for all SCSI controllers and devices:

    !object \device\scsi

    Object: 8186f410 Type: (818cbba0) Directory

    ObjectHeader: 8186f3f8

    HandleCount: 0 PointerCount: 4

    Directory Object: 8189d550 Name: Scsi

    HashBucket[ 15 ]: 81200a50 Device 'aic78xx1Port2Path0Target3Lun0'

    HashBucket[ 22 ]: 8186e030 Device 'aic78xx1'


SCSI Driver

  • !devobj 81200a50

    Device object (81200a50) is for:

    aic78xx1Port2Path0Target3Lun0 \Driver\aic78xx DriverObject 81893cb0

    Current Irp 00000000 RefCount 0 Type 00000007 Flags 00001050

    DevExt 81200b08 DevObjExt 81200fc8 Dope 81247728 DevNode 8120cf28

    ExtensionFlags (0000000000)

    AttachedDevice (Upper) 81247030 \Driver\Disk

    DeviceQueue: 811c7308 811e9e68 811e9848 811e9508 811e91c8 811c6e68 811c6b28


SCSI Driver

  • !irp 811c7308

    Irp is active with 5 stacks 3 is current (= 0x811c73c0)

    Mdl = 811f4d48 Thread 811ef020: Irp stack trace.

    cmd flg cl Device File Completion-Context

    [ 0, 0] 0 0 00000000 00000000 00000000-00000000

    Args: 00000000 00000000 00000000 00000000

    [ 0, 0] 0 0 00000000 00000000 00000000-00000000

    Args: 00000000 00000000 00000000 00000000

    >[ f, 0] 0 e1 81200a50 00000000 ed051184-811c5928 Success Error Cancel pending

    \Driver\aic78xx CLASSPNP!ClassIoComplete

    Args: 811c5928 00000000 00000000 00000000

    [ 3,34] 2 e0 81247030 811bb1a8 80522ed2-00000000 Success Error Cancel

    \Driver\Disk ntkrnlmp!PsLookupThreadByThreadId

    Args: 00001000 00000000 00107000 00000004

    [ 3, 0] 0 0 811fc020 811bb1a8 00000000-00000000

    \FileSystem\RAW

    Args: 00001000 00000000 00107000 00000000


SCSI Driver

  • !srb 811c5928

    Srb 811c5928 is from pool

    SRB_FUNCTION_EXECUTE_SCSI: Path 0, Tgt 3, Lun 0, Tag ff, SrbStat 0, ScsiStat 0

    OrgRequest 811c5868 SrbExtension 00000000 TimeOut 0000000a SrbFlags 00000342

    Queue Enable, No freeze, Cache Enable,

    10 byte command with data transfer in: 28 0 0 0 8 38 0 0 8 0

  • dt SCSI_REQUEST_BLOCK 0x811c5928


SCSI Driver

  • !scsikd.scsiext 81200a50

    Q Depth 020 (255) InquiryData 0x81200C0E

    DeviceMap Keys: Target 0x00019c Lun 0x000264

    Bypass SRB_DATA blocks 4 @ 0x81200c88 List 0x81200e68

    RS Irp 0x81259d68 Srb @ 0x81200f28 MDL @ 0x81200f68

    Request list @0x81200BF8:

    Tick count is 86376

    SrbData 0x811C7E68 Srb 0x811C7F28 Irp 0x811DC008 <1s

    SrbData 0x811C7B28 Srb 0x811C7BE8 Irp 0x811E7008 <1s

    ...

  • !srbdata 0x811C7E68


1394 Debugging

  • Windows 2000/XP 1394 stack

  • ed ohci1394!ohcidebuglevel 6


USB Debugging

  • Requires checked build system or checked build USB modules

  • Enable debug tracing by setting the global variables

  • One debugger extension (!urb <address>)

  • Different between Win2K and XP


USB Debugging (2)

  • Windows 2000 USB stack

  • ed USBD!USBD_Debug_Trace_Level 2


USB Debugging (2)

  • Windows XP USB stack

  • All USB miniport drivers use USBPORT for debug output


PCI Debug Extensions

  • !pci - Displays the current status of the PCI buses and any devices attached to them.

  • !pcitree - Displays information on PCI device objects

  • !devext <address> PCI

    <address> is the address of a device extension to be dumped.

    <type> is the type of the object owning this extension:

    PCI if it is a PCI device extension

    ISAPNP if it is an ISAPNP device extension

    PCMCIA if it is a PCMCIA device extension

    USBD OPENHCI UHCD if it is a USB Host Controller extension

    USBHUB if it is a USB Hub extension

    HID if it is a HID device extension


PCMCIA Debugging

  • Set PCMCIA!PcmciaDebugMask (0x00000000 – 0xFFFFFFFF)

    #define PCMCIA_DEBUG_ALL 0xFFFFFFFF

    #define PCMCIA_DEBUG_TUPLES 0x00000001

    #define PCMCIA_DEBUG_ENABLE 0x00000002

    #define PCMCIA_DEBUG_PARSE 0x00000004

    #define PCMCIA_DUMP_CONFIG 0x00000008

    #define PCMCIA_DEBUG_INFO 0x00000010

    #define PCMCIA_DEBUG_IOCTL 0x00000020

    #define PCMCIA_DEBUG_DPC 0x00000040

    #define PCMCIA_DEBUG_ISR 0x00000080

    #define PCMCIA_DEBUG_CANCEL 0x00000100

    #define PCMCIA_DUMP_SOCKET 0x00000200

    #define PCMCIA_READ_TUPLE 0x00000400

    #define PCMCIA_SEARCH_PCI 0x00000800

    #define PCMCIA_DEBUG_FAIL 0x00008000

    #define PCMCIA_PCCARD_READY 0x00010000

    #define PCMCIA_DEBUG_DETECT 0x00020000

    #define PCMCIA_COUNTERS 0x00040000

    #define PCMCIA_DEBUG_OVERRIDES 0x00080000

    #define PCMCIA_DEBUG_IRQMASK 0x00100000

  • !devext <address> PCMCIA


Printer Driver Debugging (Usermode)

  • Checked build system or checked build printer driver components (unidrv or pscript)

  • Attach to either the printing application or the spooler process (spoolsv.exe) depending on whether you are debugging the UI module or the rendering module

  • Unidrv debugging: "ed unidrv!giDebugLevel 1".

  • Debugger extensions: "!gdikdx.help" to view the gdikdx debugger extension.


Printer Driver (Kernelmode)

  • Run gflags and enable “Place Heap Allocation at end of pages” on spoolsv.exe

  • Restart spooler (net stop/start spooler)

  • Run verifier.exe on Win32K.sys to debug your printer driver


Audio Driver Debugging

  • For Windows2000/XP


HID Driver Debugging

  • Debug trace from hidusb by setting hidusb.sys!HIDUSB_DebugLevel (0 or 1)

  • Debug trace from hidclass by setting hidclass!dbgverbose (0 or 1)

  • !devext <hid_device_extension> HID

  • !hidppd <address>

    address - Specifies the hexadecimal address of the HIDP_PREPARSED_DATA structure


Serial Driver

  • Serial: Set the DebugLevel in the registry HKLM\System\CCS\Services\Serial

    “DebugLevel”= REG_DWORD:0xFFFFFFFF

    Or

    ed Serial!SerialDebugLevel (0x00000000 – 0xFFFFFFFF)

  • Mask values are defined in %DDKROOT%\src\kernel\serial\serial.h

  • Serenum: Set the DebugLevel in the registry HKLM\System\CCS\Services\Serenum

    “DebugLevel”= REG_DWORD:1FF

  • Mask values are defined in %DDKROOT%\src\kernel\serenum\serenum.h


Device Installation Debugging

  • Enable SetupAPI logging through registry:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Setup

    “LogLevel” = REG_DWORD:0x8000FF00

  • LogLevel flag is made up of three parts: 0xSSSSDDGG (documented in the DDK)

    GG – general options

    DD – Device installation

    SSSS – Special flags


Device Installation (2)

  • You can send trace to the debugger as well as to a log file %systemroot%\setupapi.log

  • Works on both free and checked builds.

  • Doesn’t require reboot.

  • To get verbose trace from kernel & usermode pnp manager, set nt!Kd_NTOSPNP_Mask and nt!Kd_PNPMGR_Mask to 0xFFFFFFFF


Discussion

  • Q & A

