Windows Kernel Internals: Traps, Interrupts, Exceptions
David B. Probert, Ph.D.
Windows Kernel Development
Microsoft Corporation
© Microsoft Corporation 1
What makes an OS interesting!
Fundamental abstractions in modern CPUs:
- normal processor execution
- virtual address protection/mapping
- interruptions to the above
Traps, hardware interrupts (devices, timers), exceptions, faults, machine checks, software interrupts
Intel's System Architecture
The local APIC (Advanced Programmable Interrupt Controller)
- Local APIC built into modern Pentium processors
- Receives interrupts from:
  - processor interrupt pins
  - external interrupt sources
  - hardwired devices
  - timers (including the internal timer)
  - performance monitors
  - thermal monitors
  - internal errors
  - and/or an external I/O APIC
- Sends IPIs in MP systems
NT Interrupt levels
Software Interrupt Delivery
Software interrupts are delivered by writing the ICR in the APIC:

    xor     ecx, ecx
    mov     cl, _HalpIRQLtoTPR[eax]             ; get IDTEntry for IRQL
    or      ecx, (DELIVER_FIXED OR ICR_SELF)
    mov     dword ptr APIC[LU_INT_CMD_LOW], ecx

    _HalpIRQLtoTPR label byte
        db  ZERO_VECTOR                         ; IRQL 0
        db  APC_VECTOR                          ; IRQL 1
        db  DPC_VECTOR                          ; IRQL 2

    #define APC_VECTOR  0x3D    // IRQL 01 APC
    #define DPC_VECTOR  0x41    // IRQL 02 DPC
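The slide above shows the HAL requesting a software interrupt by looking up the vector for an IRQL in _HalpIRQLtoTPR and writing it to the APIC's interrupt command register. The following is an added C model, not code from the slides or from Windows, of that request and of the local APIC's priority rule that decides whether the pending vector is delivered at the current IRQL (the APIC delivers an interrupt only when its priority class, vector >> 4, is above the TPR class, tpr >> 4). The APC/DPC vector values are those from the slide; ZERO_VECTOR and the DELIVER_FIXED/ICR_SELF encodings are assumptions taken from the Intel ICR layout.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Vector values from the slide; ZERO_VECTOR is an assumption (IRQL 0 has no
 * software interrupt to request). */
#define ZERO_VECTOR   0x00
#define APC_VECTOR    0x3D   /* IRQL 01 APC */
#define DPC_VECTOR    0x41   /* IRQL 02 DPC */

/* ICR low dword encodings (assumed from the Intel layout): delivery mode
 * lives in bits 8-10 (000 = fixed), destination shorthand in bits 18-19
 * (01 = self). */
#define DELIVER_FIXED    0x00000000u
#define ICR_SELF         0x00040000u
#define ICR_VECTOR_MASK  0x000000FFu

/* HalpIRQLtoTPR: IRQL -> vector / TPR value, the first three entries as on
 * the slide. The HAL uses the same table when it programs the TPR. */
static const uint8_t HalpIRQLtoTPR[3] = { ZERO_VECTOR, APC_VECTOR, DPC_VECTOR };

/* Builds the ICR value the HAL writes to APIC[LU_INT_CMD_LOW] to request the
 * software interrupt for 'irql'. Returns 0 when the IRQL has no vector. */
uint32_t HalpBuildSoftwareInterruptIcr(unsigned irql)
{
    if (irql >= sizeof HalpIRQLtoTPR) return 0;
    uint32_t vector = HalpIRQLtoTPR[irql];
    if (vector == ZERO_VECTOR) return 0;
    return vector | DELIVER_FIXED | ICR_SELF;
}

/* APIC priority rule: a vector is delivered only when its priority class
 * (vector >> 4) is strictly greater than the TPR class (tpr >> 4). */
bool ApicWouldDeliver(uint8_t vector, uint8_t tpr)
{
    return (vector >> 4) > (tpr >> 4);
}

/* Would the software interrupt requested for 'requestIrql' be delivered
 * while the processor runs at 'currentIrql'? */
bool SoftwareInterruptDeliverable(unsigned requestIrql, unsigned currentIrql)
{
    uint32_t icr = HalpBuildSoftwareInterruptIcr(requestIrql);
    if (icr == 0 || currentIrql >= sizeof HalpIRQLtoTPR) return false;
    return ApicWouldDeliver((uint8_t)(icr & ICR_VECTOR_MASK), HalpIRQLtoTPR[currentIrql]);
}

int main(void)
{
    printf("DPC request: icr=0x%05x\n", (unsigned)HalpBuildSoftwareInterruptIcr(2));
    printf("DPC deliverable at IRQL 0: %d, at IRQL 1: %d, at IRQL 2: %d\n",
           SoftwareInterruptDeliverable(2, 0),
           SoftwareInterruptDeliverable(2, 1),
           SoftwareInterruptDeliverable(2, 2));
    printf("APC deliverable at IRQL 0: %d, at IRQL 1: %d\n",
           SoftwareInterruptDeliverable(1, 0),
           SoftwareInterruptDeliverable(1, 1));
    return 0;
}
```

The model makes the choice of vector values visible: 0x3D sits in priority class 3 and 0x41 in class 4, so once the TPR is raised to the APC value the APC vector is masked but the DPC vector still gets through, which is exactly the ordering of APC_LEVEL below DISPATCH_LEVEL on the "NT Interrupt levels" slide.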
IDT table

    _IDT label byte
        IDTEntry _KiTrap00      ; 0: Divide Error
        IDTEntry _KiTrap01      ; 1: DEBUG TRAP
        IDTEntry _KiTrap02      ; 2: NMI/NPX Error
        IDTEntry _KiTrap03      ; 3: Breakpoint
        IDTEntry _KiTrap04      ; 4: INTO
        IDTEntry _KiTrap05      ; 5: PrintScreen
        IDTEntry _KiTrap06      ; 6: Invalid Opcode
        IDTEntry _KiTrap07      ; 7: no NPX
        IDTEntry _KiTrap08      ; 8: DoubleFault
        IDTEntry _KiTrap09      ; 9: NPX SegOvrn
        IDTEntry _KiTrap0A      ; A: Invalid TSS
        IDTEntry _KiTrap0B      ; B: no Segment
        IDTEntry _KiTrap0C      ; C: Stack Fault
        IDTEntry _KiTrap0D      ; D: GenProt
        IDTEntry _KiTrap0E      ; E: Page Fault
        IDTEntry _KiTrap0F      ; F: Reserved
        IDTEntry _KiTrap10      ; 10: 486 coproc
        IDTEntry _KiTrap11      ; 11: 486 align
        IDTEntry _KiTrap0F      ; 12: Reserved
                                ; 13: XMMI
                                ; 14: Reserved
Entry of Interrupt Descriptor Table (KIDTENTRY)

    typedef struct _KIDTENTRY {
        USHORT Offset;
        USHORT Selector;
        USHORT Access;
        USHORT ExtendedOffset;
    } KIDTENTRY;
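KIDTENTRY splits the 32-bit handler address across Offset and ExtendedOffset, and the Access word carries the present bit, the DPL and the gate type. The following added example (not taken from the slides or from the Windows sources) encodes and decodes entries in that layout and then runs a simple integrity pass over a whole table of the kind the IDT slide lists, counting present gates whose handler lies outside the kernel image range. The Access bit positions follow the Intel gate descriptor format; the sample table, the kernel range and the KGDT_R0_CODE selector value are constructed for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Same layout as the KIDTENTRY on the slide, with fixed-width types. */
typedef struct _KIDTENTRY {
    uint16_t Offset;          /* handler address bits 0-15 */
    uint16_t Selector;        /* target code segment selector */
    uint16_t Access;          /* bit 15 P, bits 13-14 DPL, bits 8-11 gate type */
    uint16_t ExtendedOffset;  /* handler address bits 16-31 */
} KIDTENTRY;

typedef struct {
    uint32_t handler;
    uint16_t selector;
    uint8_t  dpl;
    uint8_t  gateType;        /* 0xE = 32-bit interrupt gate, 0xF = 32-bit trap gate */
    bool     present;
} IDT_DECODED;

#define IDT_VECTORS   256
#define IDT_BYTES     (IDT_VECTORS * sizeof(KIDTENTRY))
#define KGDT_R0_CODE  0x08                 /* assumed kernel code selector */
#define SAMPLE_KERNEL_LO 0x80400000u       /* assumed kernel image range */
#define SAMPLE_KERNEL_HI 0x80500000u

/* Decodes one entry from a raw IDT image; fails if the table is too short. */
bool DecodeIdtEntry(const uint8_t *idt, size_t idtBytes, uint8_t vector, IDT_DECODED *out)
{
    size_t off = (size_t)vector * sizeof(KIDTENTRY);
    if (off + sizeof(KIDTENTRY) > idtBytes) return false;
    KIDTENTRY e;
    memcpy(&e, idt + off, sizeof e);
    out->handler  = ((uint32_t)e.ExtendedOffset << 16) | e.Offset;
    out->selector = e.Selector;
    out->present  = (e.Access >> 15) & 1;
    out->dpl      = (e.Access >> 13) & 3;
    out->gateType = (e.Access >> 8) & 0xF;
    return true;
}

static void EncodeIdtEntry(uint8_t *idt, uint8_t vector, uint32_t handler,
                           uint16_t selector, uint8_t dpl, uint8_t gateType)
{
    KIDTENTRY e;
    e.Offset         = (uint16_t)(handler & 0xFFFF);
    e.Selector       = selector;
    e.Access         = (uint16_t)((1u << 15) | ((dpl & 3u) << 13) | ((gateType & 0xFu) << 8));
    e.ExtendedOffset = (uint16_t)(handler >> 16);
    memcpy(idt + (size_t)vector * sizeof e, &e, sizeof e);
}

/* Constructed sample table: three gates inside the assumed kernel range and
 * one (the page-fault vector) whose handler points outside it. */
void BuildSampleIdt(uint8_t *idt)
{
    memset(idt, 0, IDT_BYTES);
    EncodeIdtEntry(idt, 0x00, 0x80401000u, KGDT_R0_CODE, 0, 0xE);  /* divide error */
    EncodeIdtEntry(idt, 0x03, 0x80401300u, KGDT_R0_CODE, 3, 0xE);  /* int 3: DPL 3 so user code may execute it */
    EncodeIdtEntry(idt, 0x0E, 0xF0001000u, KGDT_R0_CODE, 0, 0xE);  /* page fault, redirected outside the image */
    EncodeIdtEntry(idt, 0x2E, 0x80402E00u, KGDT_R0_CODE, 3, 0xE);  /* system service */
}

/* Integrity pass: how many present gates have a handler outside [lo, hi)? */
int CountHandlersOutside(const uint8_t *idt, size_t idtBytes, uint32_t lo, uint32_t hi)
{
    int bad = 0;
    for (int v = 0; v < IDT_VECTORS; v++) {
        IDT_DECODED d;
        if (!DecodeIdtEntry(idt, idtBytes, (uint8_t)v, &d) || !d.present) continue;
        if (d.handler < lo || d.handler >= hi) bad++;
    }
    return bad;
}

/* Convenience wrappers over the sample table. */
uint32_t SampleHandler(uint8_t vector)
{
    uint8_t idt[IDT_BYTES];
    IDT_DECODED d;
    BuildSampleIdt(idt);
    return (DecodeIdtEntry(idt, sizeof idt, vector, &d) && d.present) ? d.handler : 0;
}

int SampleDpl(uint8_t vector)
{
    uint8_t idt[IDT_BYTES];
    IDT_DECODED d;
    BuildSampleIdt(idt);
    return (DecodeIdtEntry(idt, sizeof idt, vector, &d) && d.present) ? d.dpl : -1;
}

int SampleOutsideCount(void)
{
    uint8_t idt[IDT_BYTES];
    BuildSampleIdt(idt);
    return CountHandlersOutside(idt, sizeof idt, SAMPLE_KERNEL_LO, SAMPLE_KERNEL_HI);
}

int main(void)
{
    printf("vector 3 handler 0x%08x dpl %d\n", (unsigned)SampleHandler(3), SampleDpl(3));
    printf("gates outside kernel range: %d\n", SampleOutsideCount());
    return 0;
}
```

The DPL matters for the breakpoint and system-service vectors: a software `int n` from ring 3 is only allowed through a gate whose DPL is 3, otherwise the CPU raises a general protection fault instead, which is why most of the _KiTrapxx gates stay at DPL 0.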
_KiTrapxx - trap entry points
Entry points are for internally generated exceptions, not external interrupts or user software interrupts.
On entry the stack looks like:

            [ss]
            [esp]
            eflags
            cs
            eip
    ss:sp-> [error]

The CPU saves EFLAGS and CS:EIP; if there was a privilege transition it switches to the new stack and also saves the previous SS:ESP there.
Some exceptions save an error code, others do not.
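The bracketed entries in the stack picture above are the variable parts of the frame: the error code is pushed only for some vectors, and the previous SS:ESP only on a privilege transition, which the handler recognises from the RPL of the pushed CS. The following added example (not from the slides) interprets a raw dword snapshot of that frame the way a _KiTrapxx entry point would have to. The list of error-code vectors follows the Intel SDM; the selector values and both sample frames are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Vectors for which the CPU pushes an error code: #DF(8), #TS(10), #NP(11),
 * #SS(12), #GP(13), #PF(14), #AC(17). */
bool TrapPushesErrorCode(uint8_t vector)
{
    switch (vector) {
    case 8: case 10: case 11: case 12: case 13: case 14: case 17:
        return true;
    default:
        return false;    /* e.g. #DE(0), NMI(2), #BP(3), #UD(6) */
    }
}

typedef struct {
    bool     hasErrorCode;
    uint32_t errorCode;
    uint32_t eip, cs, eflags;
    bool     privilegeTransition;   /* pushed CS has RPL != 0: came from a lower ring */
    uint32_t prevEsp, prevSs;       /* pushed only on a privilege transition */
    unsigned frameDwords;           /* how many dwords the CPU pushed */
} HW_TRAP_FRAME;

/* 'sp' points at the lowest pushed dword (ss:sp on the slide); 'avail' is the
 * number of dwords readable from there. */
bool ParseHardwareTrapFrame(uint8_t vector, const uint32_t *sp, size_t avail, HW_TRAP_FRAME *f)
{
    size_t i = 0;
    f->hasErrorCode = TrapPushesErrorCode(vector);
    size_t need = (f->hasErrorCode ? 1 : 0) + 3;
    if (avail < need) return false;
    f->errorCode = f->hasErrorCode ? sp[i++] : 0;
    f->eip    = sp[i++];
    f->cs     = sp[i++];
    f->eflags = sp[i++];
    f->privilegeTransition = (f->cs & 3) != 0;
    f->prevEsp = f->prevSs = 0;
    if (f->privilegeTransition) {
        if (avail < need + 2) return false;   /* truncated frame */
        f->prevEsp = sp[i++];
        f->prevSs  = sp[i++];
    }
    f->frameDwords = (unsigned)i;
    return true;
}

/* Constructed sample frames. 0x1B and 0x23 are user code/data selectors with
 * RPL 3, 0x08 the kernel code selector (assumed values). The page-fault error
 * code 4 means a user-mode read of a not-present page. */
static const uint32_t kUserPageFault[]   = { 0x00000004, 0x00401000, 0x1B, 0x00000246, 0x0012FF80, 0x23 };
static const uint32_t kKernelBreakpoint[] = { 0x80401000, 0x08, 0x00000046 };

/* which: 0 = user-mode page fault (vector 14), 1 = kernel-mode int 3 (vector 3). */
const HW_TRAP_FRAME *DemoParse(int which)
{
    static HW_TRAP_FRAME f;
    bool ok = (which == 0)
        ? ParseHardwareTrapFrame(14, kUserPageFault, 6, &f)
        : ParseHardwareTrapFrame(3, kKernelBreakpoint, 3, &f);
    return ok ? &f : NULL;
}

int main(void)
{
    const HW_TRAP_FRAME *pf = DemoParse(0);
    printf("user #PF: %u dwords, error 0x%x, from user=%d, prev ss:esp=%x:%08x\n",
           pf->frameDwords, (unsigned)pf->errorCode, pf->privilegeTransition,
           (unsigned)pf->prevSs, (unsigned)pf->prevEsp);
    const HW_TRAP_FRAME *bp = DemoParse(1);
    printf("kernel int3: %u dwords, from user=%d\n", bp->frameDwords, bp->privilegeTransition);
    return 0;
}
```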
ENTER_TRAP macro
Description: build the frame and set the registers needed by a trap or exception handler.
- Save: non-volatile regs, FS, ExceptionList, PreviousMode, volatile regs, segment regs from V86 mode (DS, ES, GS)
- Don't save: floating point state
- Set: direction flag, DS, ES
- Don't set: PreviousMode, ExceptionList
Intel exception lexicon
- Faults - correctable, faulting instruction re-executed
- Traps - correctable, trapping instruction generally skipped
- Aborts - unrecoverable, cause
CommonDispatchException()

    CommonDispatchException (
        ExceptCode      - exception code to put into the exception record
        ExceptAddress   - instruction at which the HW exception occurred
        NumParms, Parameters 1, 2, 3
    )

- Allocates an exception record on the stack
- Sets up the exception record using the specified parameters
- Sets up arguments and calls _KiDispatchException()
KiDispatchException()

    KiDispatchException (
        IN PEXCEPTION_RECORD ExceptionRecord,
        IN PKEXCEPTION_FRAME ExceptionFrame,
        IN PKTRAP_FRAME TrapFrame,
        IN KPROCESSOR_MODE PreviousMode,
        IN BOOLEAN FirstChance
    )

- Move machine state from the trap and exception frames to a context frame
- Select the method of handling the exception based on previous mode:
  - Kernel mode: try KD, try RtlDispatchException(), otherwise bugcheck
  - User mode: try DebugPort, else copy the exception to the user stack, set TrapFrame->Eip = (ULONG)KeUserExceptionDispatcher and return
PspLookupKernelUserEntryPoints()

    // Lookup the user mode "trampoline" code for exception dispatching
    PspLookupSystemDllEntryPoint("KiUserExceptionDispatcher", &KeUserExceptionDispatcher)

    // Lookup the user mode "trampoline" code for APC dispatching
    PspLookupSystemDllEntryPoint("KiUserApcDispatcher", &KeUserApcDispatcher)

    // Lookup the user mode "trampoline" code for callback dispatching
    PspLookupSystemDllEntryPoint("KiUserCallbackDispatcher", &KeUserCallbackDispatcher)

    // Lookup the user mode "trampoline" code for raising user exceptions
    PspLookupSystemDllEntryPoint("KiRaiseUserExceptionDispatcher", &KeRaiseUserExceptionDispatcher)
KeUserExceptionDispatcher

    ntdll: KiUserExceptionDispatcher()
    // Entered on return from kernel mode to dispatch a user mode exception.
    // If a frame based handler handles the exception
    //     then execution is continued
    //     else last chance processing is performed

Basically this just wraps RtlDispatchException().
RtlDispatchException()

    RtlDispatchException(ExceptionRecord, ContextRecord)
    // attempts to dispatch an exception to a call frame based handler
    // searches backwards through the stack based call frames
    // search begins with the frame specified in the context record
    // search ends when a handler is found, the stack is invalid, or the end of the call chain is reached
    for (RegistrationPointer = RtlpGetRegistrationHead();
         RegistrationPointer != EXCEPTION_CHAIN_END;
         RegistrationPointer = RegistrationPointer->Next) {
        check for valid record (#if ntos: check DPC stack too)
        switch RtlpExecuteHandlerForException()
            case ExceptionContinueExecution: return TRUE
            case ExceptionContinueSearch:    continue
            case ExceptionNestedException:   ...
            default:                         return FALSE
    }
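The loop above walks the chain of registration records from the head the TEB points at, validating each record before calling its handler, and stops at a handler that continues execution, at an invalid record, or at EXCEPTION_CHAIN_END. The following added C model (not the slides' or Windows' code) reproduces that search in user mode so the three outcomes can be exercised: the "valid record" check keeps the record inside the thread's stack bounds, 4-byte aligned, and strictly above the previously visited record, which is what turns a corrupted or looping chain into the "stack is invalid" exit rather than an endless walk or a call through a bogus pointer. The stack bounds, the registration records and the sample handlers are all constructed; only STATUS_ACCESS_VIOLATION is a real NTSTATUS value.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

typedef enum {
    ExceptionContinueExecution = 0,
    ExceptionContinueSearch    = 1,
    ExceptionNestedException   = 2
} EXCEPTION_DISPOSITION;

#define STATUS_ACCESS_VIOLATION 0xC0000005u

typedef struct { uint32_t ExceptionCode; uint32_t ExceptionAddress; } EXCEPTION_RECORD;
typedef struct { uint32_t Eip; } CONTEXT;   /* model: only the field a handler fixes up */

typedef struct _EXCEPTION_REGISTRATION_RECORD {
    struct _EXCEPTION_REGISTRATION_RECORD *Next;
    EXCEPTION_DISPOSITION (*Handler)(EXCEPTION_RECORD *, struct _EXCEPTION_REGISTRATION_RECORD *, CONTEXT *);
} EXCEPTION_REGISTRATION_RECORD;

#define EXCEPTION_CHAIN_END ((uintptr_t)-1)

/* Model of the per-thread data the search consults: stack bounds and chain head. */
typedef struct {
    uintptr_t StackLimit;   /* lowest valid stack address */
    uintptr_t StackBase;    /* one past the highest valid stack address */
    EXCEPTION_REGISTRATION_RECORD *RegistrationHead;
} TEB_MODEL;

/* The "check for valid record" step. */
static bool RecordValid(const TEB_MODEL *teb, const EXCEPTION_REGISTRATION_RECORD *rec, uintptr_t prev)
{
    uintptr_t a = (uintptr_t)rec;
    if (a < teb->StackLimit || a + sizeof *rec > teb->StackBase) return false;  /* off the stack */
    if (a & 3) return false;                                                    /* misaligned */
    if (a <= prev) return false;   /* must move toward older (higher) frames; also stops cycles */
    return true;
}

/* Returns true when a handler continued execution; false for an invalid
 * stack, a disposition other than continue/search, or end of chain (the
 * caller then performs last chance processing). */
bool RtlDispatchExceptionModel(const TEB_MODEL *teb, EXCEPTION_RECORD *rec, CONTEXT *ctx, int *framesVisited)
{
    uintptr_t prev = 0;
    *framesVisited = 0;
    for (EXCEPTION_REGISTRATION_RECORD *r = teb->RegistrationHead;
         (uintptr_t)r != EXCEPTION_CHAIN_END; r = r->Next) {
        if (!RecordValid(teb, r, prev)) return false;
        prev = (uintptr_t)r;
        (*framesVisited)++;
        switch (r->Handler(rec, r, ctx)) {
        case ExceptionContinueExecution: return true;
        case ExceptionContinueSearch:    continue;
        default:                         return false;
        }
    }
    return false;
}

/* --- constructed scenario: inner handler declines, outer handler repairs --- */
static EXCEPTION_DISPOSITION InnerHandler(EXCEPTION_RECORD *er, EXCEPTION_REGISTRATION_RECORD *r, CONTEXT *c)
{ (void)er; (void)r; (void)c; return ExceptionContinueSearch; }

static EXCEPTION_DISPOSITION OuterHandler(EXCEPTION_RECORD *er, EXCEPTION_REGISTRATION_RECORD *r, CONTEXT *c)
{
    (void)r;
    if (er->ExceptionCode != STATUS_ACCESS_VIOLATION) return ExceptionContinueSearch;
    c->Eip = 0x00401234u;   /* constructed resume address past the faulting instruction */
    return ExceptionContinueExecution;
}

/* A fake thread stack; the union keeps it suitably aligned for the records. */
static union { unsigned char bytes[4096]; uint64_t align; } g_stack;

/* which: 0 = well-formed chain, 1 = record pointing outside the stack, 2 = looping chain */
bool DemoScenario(int which, int *frames)
{
    static EXCEPTION_REGISTRATION_RECORD offStack;   /* lives outside g_stack */
    memset(&g_stack, 0, sizeof g_stack);
    EXCEPTION_REGISTRATION_RECORD *inner = (EXCEPTION_REGISTRATION_RECORD *)(g_stack.bytes + 256);
    EXCEPTION_REGISTRATION_RECORD *outer = (EXCEPTION_REGISTRATION_RECORD *)(g_stack.bytes + 1024);
    inner->Handler = InnerHandler;
    outer->Handler = OuterHandler;
    outer->Next    = (EXCEPTION_REGISTRATION_RECORD *)EXCEPTION_CHAIN_END;
    offStack.Handler = OuterHandler;
    offStack.Next    = (EXCEPTION_REGISTRATION_RECORD *)EXCEPTION_CHAIN_END;
    inner->Next = (which == 0) ? outer : (which == 1) ? &offStack : inner;

    TEB_MODEL teb = { (uintptr_t)g_stack.bytes, (uintptr_t)g_stack.bytes + sizeof g_stack, inner };
    EXCEPTION_RECORD er = { STATUS_ACCESS_VIOLATION, 0x00401230u };
    CONTEXT ctx = { 0x00401230u };
    return RtlDispatchExceptionModel(&teb, &er, &ctx, frames);
}

bool DemoHandled(int which) { int f; return DemoScenario(which, &f); }
int  DemoFrames(int which)  { int f; DemoScenario(which, &f); return f; }
```

Scenario 0 visits both frames and is handled by the outer handler; scenarios 1 and 2 stop after the first frame because the next record fails validation, so the search ends with "stack is invalid" and the caller proceeds to last chance processing instead of dereferencing the bad record.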
Discussion