NT Kernel - PowerPoint PPT Presentation

Slides: 19
Provided by: ArtsandS6
Learn more at: https://www.ms.uky.edu

Title: NT Kernel


1
NT Kernel
  • CS 470 -- Spring 2002

2
Overview
  • Interrupts and Exceptions; Trap Handler
  • Interrupt Request Levels and IDT
  • DPCs and APCs
  • System Service Dispatching
  • Exception Dispatching
  • Dispatcher Objects
  • Example: Reading a file

3
Interrupts vs Exceptions
  • An interrupt is an asynchronous event, one that
    occurs at a time unrelated to what the processor
    is executing: I/O device interrupts, clocks,
    timers, etc. They usually can be enabled or
    disabled.
  • An exception is a synchronous event, one that
    results from the execution of an instruction:
    memory access violations, debugger instructions,
    divide-by-zero, etc.

4
Interrupt & Exception Handling
  • Wide variety of hardware supported
  • The kernel provides a uniform interface by
    transferring control to the trap handler.
  • The trap handler fills the TrapFrame field in
    _KTHREAD with the execution state of the thread
    and transfers control to an appropriate kernel or
    executive module for handling the condition.

5
Interrupt & Exception Dispatching
  • Interrupt → Trap Handler → Interrupt Dispatcher →
    Interrupt Service Routines
  • System Service Call → Trap Handler → System Service
    Dispatcher → System Services
  • Hard/Software Exceptions → Trap Handler → Exception
    Dispatcher → Exception Handlers
  • Virtual Address Exceptions → Trap Handler → VM
    Manager Pager

6
Interrupt Request Levels
  • Each processor runs at a particular interrupt
    request level (IRQL)
  • Threads running in kernel mode can change their
    current processor's IRQL.
  • Each type of interrupt is associated with a
    particular IRQL.
  • Only interrupts at IRQL greater than that of a
    processor are enabled for that processor.

7
NT Defined IRQLs
IRQL -- Types of Interrupts
  • High Level -- Machine check or bus error
  • Power Level -- Power failure (not used)
  • Interprocessor Interrupt Level -- Work request from
    another processor
  • Clock Levels -- Clock, kernel profiler
  • Device Levels n to 1 -- I/O Device levels
  • Dispatch/DPC Level -- Thread dispatching and DPCs
  • APC Level -- Asynchronous proc. calls
  • Low Level -- Normal Thread Execution

8
Interrupt Dispatch Table
  • One IDT per processor
  • One entry for each IRQL
  • An entry is a list of interrupt objects which
    were connected by device drivers
  • When an interrupt occurs, it is mapped to an
    IRQL and so to an entry in the table.
  • Each interrupt object specifies an ISR to handle
    the interrupt. So several devices can interrupt
    at the same level.

9
Software Interrupt Uses
  • To initiate thread dispatching. For
    synchronization, the kernel runs at DPC level; it
    requests a dispatch interrupt, which will not be
    serviced until it lowers IRQL.
  • Handle timer expiration
  • Asynchronously execute a procedure in the context
    of a particular thread. For example,
    asynchronous I/O is done this way.

10
Deferred Procedure Calls
  • Handlers can issue deferred procedure calls for
    non-time critical operations. Timers and the
    clock interrupt are handled this way.
  • These are DPC objects, which are queued per
    processor, and a DPC interrupt is requested.
    When the IRQL is below DPC level, they are executed.

11
Asynchronous Procedure Calls
  • APC objects are queued on a per thread queue and
    an APC level interrupt is requested.
  • Executes only in a specified thread.
  • Kernel mode APCs require no permission, but user
    mode APCs execute only if the target thread has
    declared itself to be alertable (using e.g.
    WaitForSingleObjectEx or SleepEx)
  • Asynchronous I/O uses this method.

12
KTHREAD
  • Dispatcher Header
  • User and kernel times
  • Kernel stack info
  • System service table
  • Thread scheduling info
  • Trap frame
  • Thread Local storage
  • Synchronization info
  • Pending APC list
  • Object Wait List
  • TEB

13
System Service Dispatching
  • Uses SYSCALL or INT 0x2e to trap to kernel mode.
  • _KTHREAD SystemTable field specifies up to four
    System Service Dispatch Tables, 1K entries per
    table
  • Arguments are copied to kernel mode stack to
    protect them.
  • Flexible expansion or modification by changing
    table entries.
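
Why the arguments are copied before the service routine sees them, as an added example that is not part of the original presentation: a service that validates an argument in user memory and then reads it again can be handed a different value the second time. The names `Args`, `service`, `dispatch_in_place`, `dispatch_captured` and the limit `MAX_LEN` are hypothetical, and the second user thread is modelled by a callback so the run is deterministic.

```c
#include <stdio.h>

#define MAX_LEN 256u   /* constructed limit the service enforces on its length argument */

typedef struct { unsigned len; } Args;   /* hypothetical argument block */

/* Stands in for the caller's user-mode memory, writable by its other threads. */
static volatile Args user_args;

/* Models a second user thread rewriting the argument after it was validated. */
static void other_thread_writes(void) { user_args.len = 4096u; }

/* Service routine: validate, then use. `window` marks where another thread may run. */
static unsigned service(const volatile Args *a, void (*window)(void)) {
    if (a->len > MAX_LEN) return 0;   /* check: first read of the argument */
    window();
    return a->len;                    /* use: second read, the length it would copy */
}

/* Weak form: the service works directly on user memory. */
static unsigned dispatch_in_place(void) {
    user_args.len = 8u;
    return service(&user_args, other_thread_writes);
}

/* Form described on the slide: copy the arguments to the kernel stack first. */
static unsigned dispatch_captured(void) {
    user_args.len = 8u;
    Args captured = { user_args.len };   /* single read of user memory */
    return service(&captured, other_thread_writes);
}

int main(void) {
    printf("in place: service used len=%u (limit %u)\n", dispatch_in_place(), MAX_LEN);
    printf("captured: service used len=%u\n", dispatch_captured());
    return 0;
}
```

The copy only protects the argument values themselves; data that an argument points to still lives in user memory and needs the same validate-once treatment.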

14
Exception Dispatching
  • Save trap frame and exception record
  • LPC to debugger port
  • Check frame-based handlers
  • LPC to debugger port
  • LPC to exception port (monitored by environment
    subsystem -- e.g. POSIX signals sent this way)
  • Kernel Default handler -- terminates process --
    DrWtsn32.exe

15
Exception Types
  • ACCESS_VIOLATION
  • DATATYPE_MISALIGNMENT
  • BREAKPOINT
  • SINGLE_STEP
  • ARRAY_BOUNDS_EXCEEDED
  • FLT_DENORMAL_OPERAND
  • FLT_DIVIDE_BY_ZERO
  • FLT_INEXACT_RESULT
  • FLT_INVALID_OPERATION
  • FLT_OVERFLOW
  • FLT_STACK_CHECK
  • FLT_UNDERFLOW
  • INT_DIVIDE_BY_ZERO
  • INT_OVERFLOW
  • PRIV_INSTRUCTION
  • IN_PAGE_ERROR
  • ILLEGAL_INSTRUCTION
  • NONCONTINUABLE_EXCEPTION
  • STACK_OVERFLOW
  • INVALID_DISPOSITION
  • GUARD_PAGE
  • INVALID_HANDLE

16
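Example: Read.c
    #include <windows.h>
    int main(void)
    {
        HANDLE hFile;
        char buffer[256];
        DWORD numRead;
        /* Arguments after the file name are elided on the slide ("..."); typical read-only values are shown. */
        if ((hFile = CreateFile("foo.bar", GENERIC_READ, 0, NULL, OPEN_EXISTING,
                                FILE_ATTRIBUTE_NORMAL, NULL)) != INVALID_HANDLE_VALUE) {
            if (!ReadFile(hFile, buffer, 256, &numRead, NULL)) {
                /* ... error handling, elided on the slide ... */
            }
            CloseHandle(hFile);
        }
        return 0;
    }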

17
Tracking the Read (1 of 2)
  • ReadFile called from main
  • NtReadFile called from ReadFile
  • Trap handler → System Service Dispatch Table → I/O
    Manager → Device Driver
  • Device Driver queues read job
  • Interrupt → Trap handler → IDT → Device Driver
    ISR → Queue DPC

18
Tracking the Read (2 of 2)
  • IRQL drops → DPC starts disk read
  • Interrupt → Trap handler → IDT → Device Driver ISR
    → ISR queues DPC
  • IRQL drops → DPC checks status, etc.
  • DPC queues Kernel APC
  • IRQL drops, Thread runs → APC runs, copies data to
    user buffer
  • NtReadFile returns, ReadFile returns.
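
The ISR → DPC → APC hand-off traced above, together with the IRQL masking rule from slide 6, as a small model. This is an added example, not code from the presentation or from NT: the `Cpu` structure, the function names and the numeric IRQL values are constructed, one processor is simulated, and the thread context in which an APC runs is not modelled.

```c
#include <stdio.h>
#include <string.h>

/* IRQL names follow slide 7; the numeric values are constructed for this model. */
enum { LOW_LEVEL, APC_LEVEL, DPC_LEVEL, DEVICE_LEVEL, NLEVELS };

typedef struct {
    int irql;               /* current IRQL of the single simulated processor */
    int pending[NLEVELS];   /* interrupts requested but still masked, per level */
    char log[64];           /* handlers in the order they actually ran */
} Cpu;

/* A handler runs at its own IRQL and may request a lower-level software interrupt. */
static void run_handler(Cpu *c, int level) {
    int old = c->irql;
    c->irql = level;
    if (level == DEVICE_LEVEL) { strcat(c->log, "ISR "); c->pending[DPC_LEVEL]++; }
    if (level == DPC_LEVEL)    { strcat(c->log, "DPC "); c->pending[APC_LEVEL]++; }
    if (level == APC_LEVEL)    { strcat(c->log, "APC "); }
    c->irql = old;          /* returning from the handler restores the old IRQL */
}

/* Only interrupts above the current IRQL are enabled; service the highest first. */
static void deliver(Cpu *c) {
    for (int l = NLEVELS - 1; l > c->irql; l--)
        if (c->pending[l] > 0) { c->pending[l]--; run_handler(c, l); l = NLEVELS; }
}

static void request_interrupt(Cpu *c, int level) { c->pending[level]++; deliver(c); }
static void set_irql(Cpu *c, int level) { c->irql = level; deliver(c); }

/* Constructed scenario: a device interrupt arrives while the kernel is at DPC level. */
static Cpu trace_read(int *dpc_masked) {
    Cpu c = { .irql = DPC_LEVEL };
    request_interrupt(&c, DEVICE_LEVEL);   /* ISR runs now, its DPC stays queued */
    *dpc_masked = c.pending[DPC_LEVEL];
    strcat(c.log, "| ");                   /* marks the point where IRQL is lowered */
    set_irql(&c, LOW_LEVEL);               /* IRQL drops: DPC runs, then the APC */
    return c;
}

int main(void) {
    int masked;
    Cpu c = trace_read(&masked);
    printf("DPCs queued while at DPC level: %d\nrun order: %s\n", masked, c.log);
    return 0;
}
```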