[ros-bugs] [Bug 1213] Crash with r20404 under vmware when using mouse and vmx_svga

ReactOS.Bugzilla at reactos.org ReactOS.Bugzilla at reactos.org
Thu Jan 5 20:30:27 CET 2006


http://www.reactos.org/bugzilla/show_bug.cgi?id=1213


gvg at reactos.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |alex.ionescu at reactos.com
------- Additional Comments From gvg at reactos.org  2006-01-05 20:30 CET -------
Sequence of events leading to crash:
- subsys/win32k/eng/mouse.c function IntEngMovePointer() calls
BITMAPOBJ_LockBitmapBits() to get exclusive access to the surface. This lock is
currently implemented as a FAST_MUTEX so this action raises IRQL to APC_LEVEL.
Then it asks the VMware display driver to move the mouse pointer.
- VMware display driver needs to pass the request on to its miniport and calls
subsys/win32k/eng/device.c function EngDeviceIoControl(). This function
allocates a KEVENT and IO_STATUS_BLOCK on the stack, creates an IRP and calls
the driver. Since the request is handled immediately by the miniport driver no
wait is necessary so EngDeviceIoControl exits.
- VMware display driver does some more calls to EngDeviceIoControl() and finally
returns to IntEngMovePointer().
- IntEngMovePointer() unlocks the surface by calling BITMAPOBJ_UnlockBitmapBits,
which will lower IRQL to PASSIVE_LEVEL. At this point queued APCs for the thread
will be executed, among them calls to IopCompleteRequest (2nd stage completion
routine) for the IRPs created by EngDeviceIoControl. As part of the processing,
the status block is filled and the event is set. Since these were originally
allocated on the stack and have long since gone this results in the crash.

The reason it worked before 20403 was that BITMAPOBJ_LockBitmapBits was then
implemented as a call to ExEnterCriticalRegionAndAcquireFastMutexUnsafe(), which
left IRQL at PASSIVE_LEVEL. Since that also made EngDeviceIoControl run at
PASSIVE_LEVEL, the call to IopCompleteRequest was done while the status block
and event were still valid.

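A user-mode C model of the lifetime problem the comment describes, added here as an illustration and not ReactOS code (the `_M` types, the `apc_queue` and the function names are stand-ins): completion runs inline at PASSIVE_LEVEL but is queued as an APC when the issuing thread is at APC_LEVEL, so a KEVENT and IO_STATUS_BLOCK placed in the caller's frame are already gone when the queued completion writes them. The heap-owned context variant is one lifetime-safe alternative and is my addition, not the fix the project applied.

```c
#include <stdlib.h>
enum { PASSIVE_LEVEL = 0, APC_LEVEL = 1 };
typedef struct { int signaled; } KEVENT_M;   /* stands in for KEVENT */
typedef struct { int status; } IOSB_M;       /* stands in for IO_STATUS_BLOCK */
typedef struct { KEVENT_M *event; IOSB_M *iosb; int owns_ctx; } IRP_M;
static IRP_M *apc_queue[16];
static int apc_count;

/* Second-stage completion (IopCompleteRequest in the report): writes through
 * the IRP's pointers, so it is only safe while that storage is still alive. */
static void complete_request(IRP_M *irp) {
    irp->iosb->status = 0;
    irp->event->signaled = 1;
    if (irp->owns_ctx) { free(irp->event); free(irp->iosb); }
    free(irp);
}
/* Driver side: completes inline at PASSIVE_LEVEL, defers to a kernel APC
 * when the issuing thread sits at APC_LEVEL (the FAST_MUTEX case). */
static void io_complete(IRP_M *irp, int irql) {
    if (irql == PASSIVE_LEVEL) complete_request(irp);
    else apc_queue[apc_count++] = irp;
}
/* Runs once IRQL drops back to PASSIVE_LEVEL; returns how many APCs ran. */
int deliver_apcs(void) {
    int n = apc_count;
    for (int i = 0; i < n; i++) complete_request(apc_queue[i]);
    apc_count = 0;
    return n;
}
/* Model-only escape hatch: discard queued IRPs without dereferencing them.
 * The real kernel has none; its APC writes into the released frame. */
int drop_pending(void) { int n = apc_count; while (apc_count) free(apc_queue[--apc_count]); return n; }

/* The pattern in the report: event and status block live in this frame.
 * Returns 1 if completion ran before return, 0 if an APC still points here. */
int ioctl_stack_context(int irql) {
    KEVENT_M ev = {0}; IOSB_M iosb = {-1};
    IRP_M *irp = calloc(1, sizeof *irp);
    irp->event = &ev; irp->iosb = &iosb; irp->owns_ctx = 0;
    io_complete(irp, irql);
    return ev.signaled;
}
/* Lifetime-safe variant: context owned by the IRP and freed by completion, so
 * it outlives the caller at any IRQL. Returns completions still queued. */
int ioctl_heap_context(int irql) {
    IRP_M *irp = calloc(1, sizeof *irp);
    irp->event = calloc(1, sizeof *irp->event); irp->iosb = calloc(1, sizeof *irp->iosb);
    irp->owns_ctx = 1;
    io_complete(irp, irql);
    return apc_count;
}
```

With the stack-context variant at APC_LEVEL the function returns before the completion runs, which is the state the report describes just before BITMAPOBJ_UnlockBitmapBits lowers IRQL and the APC fires.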