traphdlr.c File Reference

#include <ntoskrnl.h>
#include <debug.h>

Include dependency graph for traphdlr.c:

Go to the source code of this file.

Macros
#define	NDEBUG

Functions
VOID __cdecl	KiFastCallEntry (VOID)
VOID __cdecl	KiFastCallEntryWithSingleStep (VOID)
VOID FASTCALL	Ke386LoadFpuState (IN PFX_SAVE_AREA SaveArea)
FORCEINLINE BOOLEAN	KiVdmTrap (IN PKTRAP_FRAME TrapFrame)
FORCEINLINE BOOLEAN	KiV86Trap (IN PKTRAP_FRAME TrapFrame)
FORCEINLINE BOOLEAN	KiIsFrameEdited (IN PKTRAP_FRAME TrapFrame)
FORCEINLINE VOID	KiCommonExit (IN PKTRAP_FRAME TrapFrame, BOOLEAN SkipPreviousMode)
DECLSPEC_NORETURN VOID FASTCALL	KiEoiHelper (IN PKTRAP_FRAME TrapFrame)
DECLSPEC_NORETURN VOID FASTCALL	KiServiceExit (IN PKTRAP_FRAME TrapFrame, IN NTSTATUS Status)
DECLSPEC_NORETURN VOID FASTCALL	KiServiceExit2 (IN PKTRAP_FRAME TrapFrame)
DECLSPEC_NORETURN VOID FASTCALL	KiDebugHandler (IN PKTRAP_FRAME TrapFrame, IN ULONG Parameter1, IN ULONG Parameter2, IN ULONG Parameter3)
DECLSPEC_NORETURN VOID FASTCALL	KiNpxHandler (IN PKTRAP_FRAME TrapFrame, IN PKTHREAD Thread, IN PFX_SAVE_AREA SaveArea)
DECLSPEC_NORETURN VOID FASTCALL	KiTrap00Handler (IN PKTRAP_FRAME TrapFrame)
DECLSPEC_NORETURN VOID FASTCALL	KiTrap01Handler (IN PKTRAP_FRAME TrapFrame)
VOID __cdecl	KiTrap02Handler (VOID)
DECLSPEC_NORETURN VOID FASTCALL	KiTrap03Handler (IN PKTRAP_FRAME TrapFrame)
DECLSPEC_NORETURN VOID FASTCALL	KiTrap04Handler (IN PKTRAP_FRAME TrapFrame)
DECLSPEC_NORETURN VOID FASTCALL	KiTrap05Handler (IN PKTRAP_FRAME TrapFrame)
DECLSPEC_NORETURN VOID FASTCALL	KiTrap06Handler (IN PKTRAP_FRAME TrapFrame)
DECLSPEC_NORETURN VOID FASTCALL	KiTrap07Handler (IN PKTRAP_FRAME TrapFrame)
DECLSPEC_NORETURN VOID __cdecl	KiTrap08Handler (VOID)
DECLSPEC_NORETURN VOID FASTCALL	KiTrap09Handler (IN PKTRAP_FRAME TrapFrame)
DECLSPEC_NORETURN VOID FASTCALL	KiTrap0AHandler (IN PKTRAP_FRAME TrapFrame)
DECLSPEC_NORETURN VOID FASTCALL	KiTrap0BHandler (IN PKTRAP_FRAME TrapFrame)
DECLSPEC_NORETURN VOID FASTCALL	KiTrap0CHandler (IN PKTRAP_FRAME TrapFrame)
DECLSPEC_NORETURN VOID FASTCALL	KiTrap0EHandler (IN PKTRAP_FRAME)
DECLSPEC_NORETURN VOID FASTCALL	KiTrap0DHandler (IN PKTRAP_FRAME TrapFrame)
BOOLEAN FASTCALL	KiCheckForSListFault (PKTRAP_FRAME TrapFrame)
DECLSPEC_NORETURN VOID FASTCALL	KiTrap0FHandler (IN PKTRAP_FRAME TrapFrame)
DECLSPEC_NORETURN VOID FASTCALL	KiTrap10Handler (IN PKTRAP_FRAME TrapFrame)
DECLSPEC_NORETURN VOID FASTCALL	KiTrap11Handler (IN PKTRAP_FRAME TrapFrame)
DECLSPEC_NORETURN VOID FASTCALL	KiTrap13Handler (IN PKTRAP_FRAME TrapFrame)
VOID FASTCALL	KiRaiseSecurityCheckFailureHandler (IN PKTRAP_FRAME TrapFrame)
VOID FASTCALL	KiGetTickCountHandler (IN PKTRAP_FRAME TrapFrame)
VOID FASTCALL	KiCallbackReturnHandler (IN PKTRAP_FRAME TrapFrame)
DECLSPEC_NORETURN VOID FASTCALL	KiRaiseAssertionHandler (IN PKTRAP_FRAME TrapFrame)
DECLSPEC_NORETURN VOID FASTCALL	KiDebugServiceHandler (IN PKTRAP_FRAME TrapFrame)
FORCEINLINE VOID	KiDbgPreServiceHook (ULONG SystemCallNumber, PULONG_PTR Arguments)
FORCEINLINE ULONG_PTR	KiDbgPostServiceHook (ULONG SystemCallNumber, ULONG_PTR Result)
DECLSPEC_NORETURN VOID FASTCALL	KiSystemServiceHandler (IN PKTRAP_FRAME TrapFrame, IN PVOID Arguments)
VOID FASTCALL	KiCheckForSListAddress (IN PKTRAP_FRAME TrapFrame)
VOID NTAPI	Kei386EoiHelper (VOID)

Variables
PVOID	KeUserPopEntrySListFault
PVOID	KeUserPopEntrySListResume
PVOID	FrRestore
UCHAR	KiTrapPrefixTable []
UCHAR	KiTrapIoTable []
PFAST_SYSTEM_CALL_EXIT	KiFastCallExitHandler

Macro Definition Documentation

NDEBUG

#define NDEBUG

Definition at line 12 of file traphdlr.c.

Function Documentation

Ke386LoadFpuState()

VOID FASTCALL Ke386LoadFpuState

(

IN PFX_SAVE_AREA

SaveArea

)

Referenced by KiTrap07Handler().

Kei386EoiHelper()

VOID NTAPI Kei386EoiHelper

(

VOID

)

Definition at line 1868 of file traphdlr.c.

{
    /* We should never see this call happening */
    KeBugCheck(MISMATCHED_HAL);
}

KiCallbackReturnHandler()

VOID FASTCALL KiCallbackReturnHandler

(

IN PKTRAP_FRAME

TrapFrame

)

Definition at line 1641 of file traphdlr.c.

{
    PKTHREAD Thread;
    NTSTATUS Status;
 
    /* Save the SEH chain, NtCallbackReturn will restore this */
    TrapFrame->ExceptionList = KeGetPcr()->NtTib.ExceptionList;
 
    /* Set thread fields */
    Thread = KeGetCurrentThread();
    Thread->TrapFrame = TrapFrame;
    Thread->PreviousMode = KiUserTrap(TrapFrame);
    ASSERT(Thread->PreviousMode != KernelMode);
 
    /* Pass the register parameters to NtCallbackReturn.
       Result pointer is in ecx, result length in edx, status in eax */
    Status = NtCallbackReturn((PVOID)TrapFrame->Ecx,
                              TrapFrame->Edx,
                              TrapFrame->Eax);
 
    /* If we got here, something went wrong. Return an error to the caller */
    KiServiceExit(TrapFrame, Status);
}

KiCheckForSListAddress()

VOID FASTCALL KiCheckForSListAddress

(

IN PKTRAP_FRAME

TrapFrame

)

Definition at line 1858 of file traphdlr.c.

{
    UNIMPLEMENTED;
}

KiCheckForSListFault()

BOOLEAN FASTCALL KiCheckForSListFault

(

PKTRAP_FRAME

TrapFrame

)

Definition at line 1221 of file traphdlr.c.

{
    /* Explanation: An S-List fault can occur due to a race condition between 2
       threads simultaneously trying to pop an element from the S-List. After
       thread 1 has read the pointer to the top element on the S-List it is
       preempted and thread 2 calls InterlockedPopEntrySlist on the same S-List,
       removing the top element and freeing it's memory. After that thread 1
       resumes and tries to read the address of the Next pointer from the top
       element, which it assumes will be the next top element.
       But since that memory has been freed, we get a page fault. To handle this
       race condition, we let thread 1 repeat the operation.
       We do NOT invoke the page fault handler in this case, since we do not
       want to trigger any side effects, like paging or a guard page fault.
 
       Sequence of operations:
 
           Thread 1 : mov eax, [ebp] <= eax now points to the first element
           Thread 1 : mov edx, [ebp + 4] <= edx is loaded with Depth and Sequence
            *** preempted ***
           Thread 2 : calls InterlockedPopEntrySlist, changing the top element
           Thread 2 : frees the memory of the element that was popped
            *** preempted ***
           Thread 1 : checks if eax is NULL
           Thread 1 : InterlockedPopEntrySListFault: mov ebx, [eax] <= faults
 
        To be sure that we are dealing with exactly the case described above, we
        check whether the ListHeader has changed. If Thread 2 only popped one
        entry, the Next field in the S-List-header has changed.
        If after thread 1 has faulted, thread 2 allocates a new element, by
        chance getting the same address as the previously freed element and
        pushes it on the list again, we will see the same top element, but the
        Sequence member of the S-List header has changed. Therefore we check
        both fields to make sure we catch any concurrent modification of the
        S-List-header.
    */
    if ((TrapFrame->Eip == (ULONG_PTR)ExpInterlockedPopEntrySListFault) ||
        (TrapFrame->Eip == (ULONG_PTR)KeUserPopEntrySListFault))
    {
        ULARGE_INTEGER SListHeader;
        PVOID ResumeAddress;
 
        /* Sanity check that the assembly is correct:
           This must be mov ebx, [eax]
           Followed by cmpxchg8b [ebp] */
        ASSERT((((UCHAR*)TrapFrame->Eip)[0] == 0x8B) &&
               (((UCHAR*)TrapFrame->Eip)[1] == 0x18) &&
               (((UCHAR*)TrapFrame->Eip)[2] == 0x0F) &&
               (((UCHAR*)TrapFrame->Eip)[3] == 0xC7) &&
               (((UCHAR*)TrapFrame->Eip)[4] == 0x4D) &&
               (((UCHAR*)TrapFrame->Eip)[5] == 0x00));
 
        /* Check if this is a user fault */
        if (TrapFrame->Eip == (ULONG_PTR)KeUserPopEntrySListFault)
        {
            /* EBP points to the S-List-header. Copy it inside SEH, to protect
               against a bogus pointer from user mode */
            _SEH2_TRY
            {
                ProbeForRead((PVOID)TrapFrame->Ebp,
                             sizeof(ULARGE_INTEGER),
                             TYPE_ALIGNMENT(SLIST_HEADER));
                SListHeader = *(PULARGE_INTEGER)TrapFrame->Ebp;
            }
            _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
            {
                /* The S-List pointer is not valid! */
                return FALSE;
            }
            _SEH2_END;
            ResumeAddress = KeUserPopEntrySListResume;
        }
        else
        {
            SListHeader = *(PULARGE_INTEGER)TrapFrame->Ebp;
            ResumeAddress = ExpInterlockedPopEntrySListResume;
        }
 
        /* Check if either the Next pointer or the Sequence member in the
           S-List-header has changed. If any of these has changed, we restart
           the operation. Otherwise we only have a bogus pointer and let the
           page fault handler deal with it. */
        if ((SListHeader.LowPart != TrapFrame->Eax) ||
            (SListHeader.HighPart != TrapFrame->Edx))
        {
            DPRINT1("*** Got an S-List-Fault ***\n");
            KeGetCurrentThread()->SListFaultCount++;
 
            /* Restart the operation */
            TrapFrame->Eip = (ULONG_PTR)ResumeAddress;
 
            return TRUE;
        }
    }
 
    return FALSE;
}

Referenced by KiTrap0EHandler().

KiCommonExit()

FORCEINLINE VOID KiCommonExit	(	IN PKTRAP_FRAME	TrapFrame,
		BOOLEAN	SkipPreviousMode
	)

Definition at line 96 of file traphdlr.c.

{
    /* Disable interrupts until we return */
    _disable();
 
    /* Check for APC delivery */
    KiCheckForApcDelivery(TrapFrame);
 
    /* Restore the SEH handler chain */
    KeGetPcr()->NtTib.ExceptionList = TrapFrame->ExceptionList;
 
    /* Check if there are active debug registers */
    if (__builtin_expect(TrapFrame->Dr7 & ~DR7_RESERVED_MASK, 0))
    {
        /* Check if the frame was from user mode or v86 mode */
        if (KiUserTrap(TrapFrame) ||
            (TrapFrame->EFlags & EFLAGS_V86_MASK))
        {
            /* Handle debug registers */
            KiHandleDebugRegistersOnTrapExit(TrapFrame);
        }
    }
 
    /* Debugging checks */
    KiExitTrapDebugChecks(TrapFrame, SkipPreviousMode);
}

Referenced by KiEoiHelper(), KiServiceExit(), and KiServiceExit2().

KiDbgPostServiceHook()

FORCEINLINE ULONG_PTR KiDbgPostServiceHook	(	ULONG	SystemCallNumber,
		ULONG_PTR	Result
	)

Definition at line 1710 of file traphdlr.c.

{
#if DBG && !defined(_WINKD_)
    if (SystemCallNumber >= 0x1000 && KeWin32PostServiceHook)
        return KeWin32PostServiceHook(SystemCallNumber, Result);
#endif
    return Result;
}

Referenced by KiSystemServiceHandler().

KiDbgPreServiceHook()

FORCEINLINE VOID KiDbgPreServiceHook	(	ULONG	SystemCallNumber,
		PULONG_PTR	Arguments
	)

Definition at line 1700 of file traphdlr.c.

{
#if DBG && !defined(_WINKD_)
    if (SystemCallNumber >= 0x1000 && KeWin32PreServiceHook)
        KeWin32PreServiceHook(SystemCallNumber, Arguments);
#endif
}

Referenced by KiSystemServiceHandler().

KiDebugHandler()

DECLSPEC_NORETURN VOID FASTCALL KiDebugHandler	(	IN PKTRAP_FRAME	TrapFrame,
		IN ULONG	Parameter1,
		IN ULONG	Parameter2,
		IN ULONG	Parameter3
	)

Definition at line 219 of file traphdlr.c.

{
    /* Check for VDM trap */
    ASSERT(KiVdmTrap(TrapFrame) == FALSE);
 
    /* Enable interrupts if the trap came from user-mode */
    if (KiUserTrap(TrapFrame)) _enable();
 
    /* Dispatch the exception. Fix EIP in case its a break breakpoint (sic) */
    KiDispatchExceptionFromTrapFrame(STATUS_BREAKPOINT,
                                     0,
                                     TrapFrame->Eip - (Parameter1 == BREAKPOINT_BREAK),
                                     3,
                                     Parameter1,
                                     Parameter2,
                                     Parameter3,
                                     TrapFrame);
}

Referenced by KiDebugServiceHandler(), and KiTrap03Handler().

KiDebugServiceHandler()

DECLSPEC_NORETURN VOID FASTCALL KiDebugServiceHandler

(

IN PKTRAP_FRAME

TrapFrame

)

Definition at line 1685 of file traphdlr.c.

{
    /* Save trap frame */
    KiEnterTrap(TrapFrame);
 
    /* Increment EIP to skip the INT3 instruction */
    TrapFrame->Eip++;
 
    /* Continue with the common handler */
    KiDebugHandler(TrapFrame, TrapFrame->Eax, TrapFrame->Ecx, TrapFrame->Edx);
}

KiEoiHelper()

DECLSPEC_NORETURN VOID FASTCALL KiEoiHelper

(

IN PKTRAP_FRAME

TrapFrame

)

Definition at line 126 of file traphdlr.c.

{
    /* Common trap exit code */
    KiCommonExit(TrapFrame, TRUE);
 
    /* Check if this was a V8086 trap */
    if (TrapFrame->EFlags & EFLAGS_V86_MASK) KiTrapReturnNoSegments(TrapFrame);
 
    /* Check for user mode exit */
    if (KiUserTrap(TrapFrame)) KiTrapReturn(TrapFrame);
 
    /* Check for edited frame */
    if (KiIsFrameEdited(TrapFrame)) KiEditedTrapReturn(TrapFrame);
 
    /* Check if we have single stepping enabled */
    if (TrapFrame->EFlags & EFLAGS_TF) KiTrapReturnNoSegments(TrapFrame);
 
    /* Exit the trap to kernel mode */
    KiTrapReturnNoSegmentsRet8(TrapFrame);
}

Referenced by _HalpApcInterruptHandler(), HalpApcInterruptHandler(), HalpClockInterruptHandler(), HalpClockIpiHandler(), HalpDispatchInterrupt2ndEntry(), HalpDispatchInterruptHandler(), HalpTrap0DHandler(), KiDispatchExceptionFromTrapFrame(), KiEndInterrupt(), KiEnterV86Mode(), KiExitInterrupt(), KiExitV86Trap(), KiGetTickCountHandler(), KiNpxHandler(), KiTrap01Handler(), KiTrap07Handler(), KiTrap0EHandler(), and KiTrap10Handler().

KiFastCallEntry()

VOID __cdecl KiFastCallEntry

(

VOID

)

Referenced by KiTrap01Handler().

KiFastCallEntryWithSingleStep()

VOID __cdecl KiFastCallEntryWithSingleStep

(

VOID

)

Referenced by KiTrap01Handler().

KiGetTickCountHandler()

VOID FASTCALL KiGetTickCountHandler

(

IN PKTRAP_FRAME

TrapFrame

)

Definition at line 1624 of file traphdlr.c.

{
    /* Save trap frame */
    KiEnterTrap(TrapFrame);
 
    /*
     * Just fail the request
     */
    DbgPrint("INT 0x2A attempted, returning 0 tick count\n");
    TrapFrame->Eax = 0;
 
    /* Exit the trap */
    KiEoiHelper(TrapFrame);
}

KiIsFrameEdited()

FORCEINLINE BOOLEAN KiIsFrameEdited

(

IN PKTRAP_FRAME

TrapFrame

)

Definition at line 87 of file traphdlr.c.

{
    /* An edited frame changes esp. It is marked by clearing the bits
       defined by FRAME_EDITED in the SegCs field of the trap frame */
    return ((TrapFrame->SegCs & FRAME_EDITED) == 0);
}

Referenced by KiEoiHelper(), KiServiceExit(), and KiServiceExit2().

KiNpxHandler()

DECLSPEC_NORETURN VOID FASTCALL KiNpxHandler	(	IN PKTRAP_FRAME	TrapFrame,
		IN PKTHREAD	Thread,
		IN PFX_SAVE_AREA	SaveArea
	)

Definition at line 244 of file traphdlr.c.

{
    ULONG Cr0, Mask, Error, ErrorOffset, DataOffset;
 
    /* Check for VDM trap */
    ASSERT(KiVdmTrap(TrapFrame) == FALSE);
 
    /* Check for kernel trap */
    if (!KiUserTrap(TrapFrame))
    {
        /* Kernel might've tripped a delayed error */
        SaveArea->Cr0NpxState |= CR0_TS;
 
        /* Only valid if it happened during a restore */
        if ((PVOID)TrapFrame->Eip == FrRestore)
        {
            /* It did, so just skip the instruction */
            TrapFrame->Eip += 3; /* Size of FRSTOR instruction */
            KiEoiHelper(TrapFrame);
        }
    }
 
    /* User or kernel trap -- check if we need to unload the current state */
    if (Thread->NpxState == NPX_STATE_LOADED)
    {
        /* Update CR0 */
        Cr0 = __readcr0();
        Cr0 &= ~(CR0_MP | CR0_EM | CR0_TS);
        __writecr0(Cr0);
 
        /* Save FPU state */
        Ke386SaveFpuState(SaveArea);
 
        /* Mark CR0 state dirty */
        Cr0 |= NPX_STATE_NOT_LOADED;
        Cr0 |= SaveArea->Cr0NpxState;
        __writecr0(Cr0);
 
        /* Update NPX state */
        Thread->NpxState = NPX_STATE_NOT_LOADED;
        KeGetCurrentPrcb()->NpxThread = NULL;
    }
 
    /* Clear the TS bit and re-enable interrupts */
    SaveArea->Cr0NpxState &= ~CR0_TS;
    _enable();
 
    /* Check if we should get the FN or FX error */
    if (KeI386FxsrPresent)
    {
        /* Get it from FX */
        Mask = SaveArea->U.FxArea.ControlWord;
        Error = SaveArea->U.FxArea.StatusWord;
 
        /* Get the FPU exception address too */
        ErrorOffset = SaveArea->U.FxArea.ErrorOffset;
        DataOffset = SaveArea->U.FxArea.DataOffset;
    }
    else
    {
        /* Get it from FN */
        Mask = SaveArea->U.FnArea.ControlWord;
        Error = SaveArea->U.FnArea.StatusWord;
 
        /* Get the FPU exception address too */
        ErrorOffset = SaveArea->U.FnArea.ErrorOffset;
        DataOffset = SaveArea->U.FnArea.DataOffset;
    }
 
    /* Get legal exceptions that software should handle */
    Mask &= (FSW_INVALID_OPERATION |
             FSW_DENORMAL |
             FSW_ZERO_DIVIDE |
             FSW_OVERFLOW |
             FSW_UNDERFLOW |
             FSW_PRECISION);
    Error &= ~Mask;
 
    /* Check for invalid operation */
    if (Error & FSW_INVALID_OPERATION)
    {
        /*
         * Now check if this is actually a Stack Fault. This is needed because
         * on x86 the Invalid Operation error is set for Stack Check faults as well.
         */
        if (Error & FSW_STACK_FAULT)
        {
            /* Issue stack check fault */
            KiDispatchException2Args(STATUS_FLOAT_STACK_CHECK,
                                     ErrorOffset,
                                     0,
                                     DataOffset,
                                     TrapFrame);
        }
        else
        {
            /* This is an invalid operation fault after all, so raise that instead */
            KiDispatchException1Args(STATUS_FLOAT_INVALID_OPERATION,
                                     ErrorOffset,
                                     0,
                                     TrapFrame);
        }
    }
 
    /* Check for divide by zero */
    if (Error & FSW_ZERO_DIVIDE)
    {
        /* Issue fault */
        KiDispatchException1Args(STATUS_FLOAT_DIVIDE_BY_ZERO,
                                 ErrorOffset,
                                 0,
                                 TrapFrame);
    }
 
    /* Check for denormal */
    if (Error & FSW_DENORMAL)
    {
        /* Issue fault */
        KiDispatchException1Args(STATUS_FLOAT_INVALID_OPERATION,
                                 ErrorOffset,
                                 0,
                                 TrapFrame);
    }
 
    /* Check for overflow */
    if (Error & FSW_OVERFLOW)
    {
        /* Issue fault */
        KiDispatchException1Args(STATUS_FLOAT_OVERFLOW,
                                 ErrorOffset,
                                 0,
                                 TrapFrame);
    }
 
    /* Check for underflow */
    if (Error & FSW_UNDERFLOW)
    {
        /* Issue fault */
        KiDispatchException1Args(STATUS_FLOAT_UNDERFLOW,
                                 ErrorOffset,
                                 0,
                                 TrapFrame);
    }
 
    /* Check for precision fault */
    if (Error & FSW_PRECISION)
    {
        /* Issue fault */
        KiDispatchException1Args(STATUS_FLOAT_INEXACT_RESULT,
                                 ErrorOffset,
                                 0,
                                 TrapFrame);
    }
 
    /* Unknown FPU fault */
    KeBugCheckWithTf(TRAP_CAUSE_UNKNOWN, 1, Error, 0, 0, TrapFrame);
}

Referenced by KiTrap07Handler(), and KiTrap10Handler().

KiRaiseAssertionHandler()

DECLSPEC_NORETURN VOID FASTCALL KiRaiseAssertionHandler

(

IN PKTRAP_FRAME

TrapFrame

)

Definition at line 1668 of file traphdlr.c.

{
    /* Save trap frame */
    KiEnterTrap(TrapFrame);
 
    /* Decrement EIP to point to the INT2C instruction (2 bytes, not 1 like INT3) */
    TrapFrame->Eip -= 2;
 
    /* Dispatch the exception */
    KiDispatchException0Args(STATUS_ASSERTION_FAILURE,
                             TrapFrame->Eip,
                             TrapFrame);
}

KiRaiseSecurityCheckFailureHandler()

VOID FASTCALL KiRaiseSecurityCheckFailureHandler

(

IN PKTRAP_FRAME

TrapFrame

)

Definition at line 1580 of file traphdlr.c.

{
    /* Save trap frame */
    KiEnterTrap(TrapFrame);
 
    /* Decrement EIP to point to the INT29 instruction (2 bytes, not 1 like INT3) */
    TrapFrame->Eip -= 2;
 
    /* Check if this is a user trap */
    if (KiUserTrap(TrapFrame))
    {
        /* Dispatch exception to user mode */
        KiDispatchExceptionFromTrapFrame(STATUS_STACK_BUFFER_OVERRUN,
                                         EXCEPTION_NONCONTINUABLE,
                                         TrapFrame->Eip,
                                         1,
                                         TrapFrame->Ecx,
                                         0,
                                         0,
                                         TrapFrame);
    }
    else
    {
        EXCEPTION_RECORD ExceptionRecord;
 
        /* Bugcheck the system */
        ExceptionRecord.ExceptionCode = STATUS_STACK_BUFFER_OVERRUN;
        ExceptionRecord.ExceptionFlags = EXCEPTION_NONCONTINUABLE;
        ExceptionRecord.ExceptionRecord = NULL;
        ExceptionRecord.ExceptionAddress = (PVOID)TrapFrame->Eip;
        ExceptionRecord.NumberParameters = 1;
        ExceptionRecord.ExceptionInformation[0] = TrapFrame->Ecx;
 
        KeBugCheckWithTf(KERNEL_SECURITY_CHECK_FAILURE,
                         TrapFrame->Ecx,
                         (ULONG_PTR)TrapFrame,
                         (ULONG_PTR)&ExceptionRecord,
                         0,
                         TrapFrame);
    }
}

KiServiceExit()

DECLSPEC_NORETURN VOID FASTCALL KiServiceExit	(	IN PKTRAP_FRAME	TrapFrame,
		IN NTSTATUS	Status
	)

Definition at line 150 of file traphdlr.c.

{
    ASSERT((TrapFrame->EFlags & EFLAGS_V86_MASK) == 0);
    ASSERT(!KiIsFrameEdited(TrapFrame));
 
    /* Copy the status into EAX */
    TrapFrame->Eax = Status;
 
    /* Common trap exit code */
    KiCommonExit(TrapFrame, FALSE);
 
    /* Restore previous mode */
    KeGetCurrentThread()->PreviousMode = (CCHAR)TrapFrame->PreviousPreviousMode;
 
    /* Check for user mode exit */
    if (KiUserTrap(TrapFrame))
    {
        /* Check if we were single stepping */
        if (TrapFrame->EFlags & EFLAGS_TF)
        {
            /* Must use the IRET handler */
            KiSystemCallTrapReturn(TrapFrame);
        }
        else
        {
            /* We can use the sysexit handler */
            KiFastCallExitHandler(TrapFrame);
            UNREACHABLE;
        }
    }
 
    /* Exit to kernel mode */
    KiSystemCallReturn(TrapFrame);
}

Referenced by KiCallbackReturnHandler(), KiSystemServiceHandler(), and KiUserModeCallout().

KiServiceExit2()

DECLSPEC_NORETURN VOID FASTCALL KiServiceExit2

(

IN PKTRAP_FRAME

TrapFrame

)

Definition at line 189 of file traphdlr.c.

{
    /* Common trap exit code */
    KiCommonExit(TrapFrame, FALSE);
 
    /* Restore previous mode */
    KeGetCurrentThread()->PreviousMode = (CCHAR)TrapFrame->PreviousPreviousMode;
 
    /* Check if this was a V8086 trap */
    if (TrapFrame->EFlags & EFLAGS_V86_MASK) KiTrapReturnNoSegments(TrapFrame);
 
    /* Check for user mode exit */
    if (KiUserTrap(TrapFrame)) KiTrapReturn(TrapFrame);
 
    /* Check for edited frame */
    if (KiIsFrameEdited(TrapFrame)) KiEditedTrapReturn(TrapFrame);
 
    /* Check if we have single stepping enabled */
    if (TrapFrame->EFlags & EFLAGS_TF) KiTrapReturnNoSegments(TrapFrame);
 
    /* Exit the trap to kernel mode */
    KiTrapReturnNoSegmentsRet8(TrapFrame);
}

KiSystemServiceHandler()

DECLSPEC_NORETURN VOID FASTCALL KiSystemServiceHandler	(	IN PKTRAP_FRAME	TrapFrame,
		IN PVOID	Arguments
	)

Definition at line 1722 of file traphdlr.c.

{
    PKTHREAD Thread;
    PKSERVICE_TABLE_DESCRIPTOR DescriptorTable;
    ULONG Id, Offset, StackBytes;
    NTSTATUS Status;
    PVOID Handler;
    ULONG SystemCallNumber = TrapFrame->Eax;
 
    /* Get the current thread */
    Thread = KeGetCurrentThread();
 
    /* Set debug header */
    KiFillTrapFrameDebug(TrapFrame);
 
    /* Chain trap frames */
    TrapFrame->Edx = (ULONG_PTR)Thread->TrapFrame;
 
    /* No error code */
    TrapFrame->ErrCode = 0;
 
    /* Save previous mode */
    TrapFrame->PreviousPreviousMode = Thread->PreviousMode;
 
    /* Save the SEH chain and terminate it for now */
    TrapFrame->ExceptionList = KeGetPcr()->NtTib.ExceptionList;
    KeGetPcr()->NtTib.ExceptionList = EXCEPTION_CHAIN_END;
 
    /* Default to debugging disabled */
    TrapFrame->Dr7 = 0;
 
    /* Check if the frame was from user mode */
    if (KiUserTrap(TrapFrame))
    {
        /* Check for active debugging */
        if (KeGetCurrentThread()->Header.DebugActive & 0xFF)
        {
            /* Handle debug registers */
            KiHandleDebugRegistersOnTrapEntry(TrapFrame);
        }
    }
 
    /* Set thread fields */
    Thread->TrapFrame = TrapFrame;
    Thread->PreviousMode = KiUserTrap(TrapFrame);
 
    /* Enable interrupts */
    _enable();
 
    /* Decode the system call number */
    Offset = (SystemCallNumber >> SERVICE_TABLE_SHIFT) & SERVICE_TABLE_MASK;
    Id = SystemCallNumber & SERVICE_NUMBER_MASK;
 
    /* Get descriptor table */
    DescriptorTable = (PVOID)((ULONG_PTR)Thread->ServiceTable + Offset);
 
    /* Validate the system call number */
    if (__builtin_expect(Id >= DescriptorTable->Limit, 0))
    {
        /* Check if this is a GUI call */
        if (!(Offset & SERVICE_TABLE_TEST))
        {
            /* Fail the call */
            Status = STATUS_INVALID_SYSTEM_SERVICE;
            goto ExitCall;
        }
 
        /* Convert us to a GUI thread -- must wrap in ASM to get new EBP */
        Status = KiConvertToGuiThread();
 
        /* Reload trap frame and descriptor table pointer from new stack */
        TrapFrame = *(volatile PVOID*)&Thread->TrapFrame;
        DescriptorTable = (PVOID)(*(volatile ULONG_PTR*)&Thread->ServiceTable + Offset);
 
        if (!NT_SUCCESS(Status))
        {
            /* Set the last error and fail */
            goto ExitCall;
        }
 
        /* Validate the system call number again */
        if (Id >= DescriptorTable->Limit)
        {
            /* Fail the call */
            Status = STATUS_INVALID_SYSTEM_SERVICE;
            goto ExitCall;
        }
    }
 
    /* Check if this is a GUI call */
    if (__builtin_expect(Offset & SERVICE_TABLE_TEST, 0))
    {
        /* Get the batch count and flush if necessary */
        if (NtCurrentTeb()->GdiBatchCount) KeGdiFlushUserBatch();
    }
 
    /* Increase system call count */
    KeGetCurrentPrcb()->KeSystemCalls++;
 
    /* FIXME: Increase individual counts on debug systems */
    //KiIncreaseSystemCallCount(DescriptorTable, Id);
 
    /* Get stack bytes */
    StackBytes = DescriptorTable->Number[Id];
 
    /* Probe caller stack */
    if (__builtin_expect((Arguments < (PVOID)MmUserProbeAddress) && !(KiUserTrap(TrapFrame)), 0))
    {
        /* Access violation */
        UNIMPLEMENTED_FATAL();
    }
 
    /* Call pre-service debug hook */
    KiDbgPreServiceHook(SystemCallNumber, Arguments);
 
    /* Get the handler and make the system call */
    Handler = (PVOID)DescriptorTable->Base[Id];
    Status = KiSystemCallTrampoline(Handler, Arguments, StackBytes);
 
    /* Call post-service debug hook */
    Status = KiDbgPostServiceHook(SystemCallNumber, Status);
 
    /* Make sure we're exiting correctly */
    KiExitSystemCallDebugChecks(Id, TrapFrame);
 
    /* Restore the old trap frame */
ExitCall:
    Thread->TrapFrame = (PKTRAP_FRAME)TrapFrame->Edx;
 
    /* Exit from system call */
    KiServiceExit(TrapFrame, Status);
}

KiTrap00Handler()

DECLSPEC_NORETURN VOID FASTCALL KiTrap00Handler

(

IN PKTRAP_FRAME

TrapFrame

)

Definition at line 407 of file traphdlr.c.

{
    /* Save trap frame */
    KiEnterTrap(TrapFrame);
 
    /* Check for VDM trap */
    ASSERT(KiVdmTrap(TrapFrame) == FALSE);
 
    /*  Enable interrupts */
    _enable();
 
    /* Dispatch the exception */
    KiDispatchException0Args(STATUS_INTEGER_DIVIDE_BY_ZERO,
                             TrapFrame->Eip,
                             TrapFrame);
}

KiTrap01Handler()

DECLSPEC_NORETURN VOID FASTCALL KiTrap01Handler

(

IN PKTRAP_FRAME

TrapFrame

)

Definition at line 427 of file traphdlr.c.

{
    /* Save trap frame */
    KiEnterTrap(TrapFrame);
 
    /* Check for VDM trap */
    ASSERT(KiVdmTrap(TrapFrame) == FALSE);
 
    /* Check if this was a single step after sysenter */
    if (TrapFrame->Eip == (ULONG)KiFastCallEntry)
    {
        /* Disable single stepping */
        TrapFrame->EFlags &= ~EFLAGS_TF;
 
        /* Re-enter at the alternative sysenter entry point */
        TrapFrame->Eip = (ULONG)KiFastCallEntryWithSingleStep;
 
        /* End this trap */
        KiEoiHelper(TrapFrame);
    }
 
    /* Enable interrupts if the trap came from user-mode */
    if (KiUserTrap(TrapFrame)) _enable();
 
    /*  Mask out trap flag and dispatch the exception */
    TrapFrame->EFlags &= ~EFLAGS_TF;
    KiDispatchException0Args(STATUS_SINGLE_STEP,
                             TrapFrame->Eip,
                             TrapFrame);
}

KiTrap02Handler()

VOID __cdecl KiTrap02Handler

(

VOID

)

Definition at line 460 of file traphdlr.c.

{
    PKTSS Tss, NmiTss;
    PKTHREAD Thread;
    PKPROCESS Process;
    PKGDTENTRY TssGdt;
    KTRAP_FRAME TrapFrame;
    KIRQL OldIrql;
 
    /*
     * In some sort of strange recursion case, we might end up here with the IF
     * flag incorrectly on the interrupt frame -- during a normal NMI this would
     * normally already be set.
     *
     * For sanity's sake, make sure interrupts are disabled for sure.
     * NMIs will already be since the CPU does it for us.
     */
    _disable();
 
    /* Get the current TSS, thread, and process */
    Tss = KeGetPcr()->TSS;
    Thread = ((PKIPCR)KeGetPcr())->PrcbData.CurrentThread;
    Process = Thread->ApcState.Process;
 
    /* Save data usually not present in the TSS */
    Tss->CR3 = Process->DirectoryTableBase[0];
    Tss->IoMapBase = Process->IopmOffset;
    Tss->LDT = Process->LdtDescriptor.LimitLow ? KGDT_LDT : 0;
 
    /* Now get the base address of the NMI TSS */
    TssGdt = &((PKIPCR)KeGetPcr())->GDT[KGDT_NMI_TSS / sizeof(KGDTENTRY)];
    NmiTss = (PKTSS)(ULONG_PTR)(TssGdt->BaseLow |
                                TssGdt->HighWord.Bytes.BaseMid << 16 |
                                TssGdt->HighWord.Bytes.BaseHi << 24);
 
    /*
     * Switch to it and activate it, masking off the nested flag.
     *
     * Note that in reality, we are already on the NMI TSS -- we just
     * need to update the PCR to reflect this.
     */
    KeGetPcr()->TSS = NmiTss;
    __writeeflags(__readeflags() &~ EFLAGS_NESTED_TASK);
    TssGdt->HighWord.Bits.Dpl = 0;
    TssGdt->HighWord.Bits.Pres = 1;
    TssGdt->HighWord.Bits.Type = I386_TSS;
 
    /*
     * Now build the trap frame based on the original TSS.
     *
     * The CPU does a hardware "Context switch" / task switch of sorts
     * and so it takes care of saving our context in the normal TSS.
     *
     * We just have to go get the values...
     */
    RtlZeroMemory(&TrapFrame, sizeof(KTRAP_FRAME));
    TrapFrame.HardwareSegSs = Tss->Ss0;
    TrapFrame.HardwareEsp = Tss->Esp0;
    TrapFrame.EFlags = Tss->EFlags;
    TrapFrame.SegCs = Tss->Cs;
    TrapFrame.Eip = Tss->Eip;
    TrapFrame.Ebp = Tss->Ebp;
    TrapFrame.Ebx = Tss->Ebx;
    TrapFrame.Esi = Tss->Esi;
    TrapFrame.Edi = Tss->Edi;
    TrapFrame.SegFs = Tss->Fs;
    TrapFrame.ExceptionList = KeGetPcr()->NtTib.ExceptionList;
    TrapFrame.PreviousPreviousMode = (ULONG)-1;
    TrapFrame.Eax = Tss->Eax;
    TrapFrame.Ecx = Tss->Ecx;
    TrapFrame.Edx = Tss->Edx;
    TrapFrame.SegDs = Tss->Ds;
    TrapFrame.SegEs = Tss->Es;
    TrapFrame.SegGs = Tss->Gs;
    TrapFrame.DbgEip = Tss->Eip;
    TrapFrame.DbgEbp = Tss->Ebp;
 
    /* Store the trap frame in the KPRCB */
    KiSaveProcessorState(&TrapFrame, NULL);
 
    /* Call any registered NMI handlers and see if they handled it or not */
    if (!KiHandleNmi())
    {
        /*
         * They did not, so call the platform HAL routine to bugcheck the system
         *
         * Make sure the HAL believes it's running at HIGH IRQL... we can't use
         * the normal APIs here as playing with the IRQL could change the system
         * state.
         */
        OldIrql = KeGetPcr()->Irql;
        KeGetPcr()->Irql = HIGH_LEVEL;
        HalHandleNMI(NULL);
        KeGetPcr()->Irql = OldIrql;
    }
 
    /*
     * Although the CPU disabled NMIs, we just did a BIOS call, which could've
     * totally changed things.
     *
     * We have to make sure we're still in our original NMI -- a nested NMI
     * will point back to the NMI TSS, and in that case we're hosed.
     */
    if (KeGetPcr()->TSS->Backlink == KGDT_NMI_TSS)
    {
        /* Unhandled: crash the system */
        KiSystemFatalException(EXCEPTION_NMI, NULL);
    }
 
    /* Restore original TSS */
    KeGetPcr()->TSS = Tss;
 
    /* Set it back to busy */
    TssGdt->HighWord.Bits.Dpl = 0;
    TssGdt->HighWord.Bits.Pres = 1;
    TssGdt->HighWord.Bits.Type = I386_ACTIVE_TSS;
 
    /* Restore nested flag */
    __writeeflags(__readeflags() | EFLAGS_NESTED_TASK);
 
    /* Handled, return from interrupt */
}

KiTrap03Handler()

DECLSPEC_NORETURN VOID FASTCALL KiTrap03Handler

(

IN PKTRAP_FRAME

TrapFrame

)

Definition at line 586 of file traphdlr.c.

{
    /* Save trap frame */
    KiEnterTrap(TrapFrame);
 
    /* Continue with the common handler */
    KiDebugHandler(TrapFrame, BREAKPOINT_BREAK, 0, 0);
}

KiTrap04Handler()

DECLSPEC_NORETURN VOID FASTCALL KiTrap04Handler

(

IN PKTRAP_FRAME

TrapFrame

)

Definition at line 598 of file traphdlr.c.

{
    /* Save trap frame */
    KiEnterTrap(TrapFrame);
 
    /* Check for VDM trap */
    ASSERT(KiVdmTrap(TrapFrame) == FALSE);
 
     /* Enable interrupts */
    _enable();
 
    /* Dispatch the exception */
    KiDispatchException0Args(STATUS_INTEGER_OVERFLOW,
                             TrapFrame->Eip - 1,
                             TrapFrame);
}

KiTrap05Handler()

DECLSPEC_NORETURN VOID FASTCALL KiTrap05Handler

(

IN PKTRAP_FRAME

TrapFrame

)

Definition at line 618 of file traphdlr.c.

{
    /* Save trap frame */
    KiEnterTrap(TrapFrame);
 
    /* Check for VDM trap */
    ASSERT(KiVdmTrap(TrapFrame) == FALSE);
 
    /* Check for kernel-mode fault */
    if (!KiUserTrap(TrapFrame)) KiSystemFatalException(EXCEPTION_BOUND_CHECK, TrapFrame);
 
    /* Enable interrupts */
    _enable();
 
    /* Dispatch the exception */
    KiDispatchException0Args(STATUS_ARRAY_BOUNDS_EXCEEDED,
                             TrapFrame->Eip,
                             TrapFrame);
}

KiTrap06Handler()

DECLSPEC_NORETURN VOID FASTCALL KiTrap06Handler

(

IN PKTRAP_FRAME

TrapFrame

)

Definition at line 641 of file traphdlr.c.

{
    PUCHAR Instruction;
    ULONG i;
    KIRQL OldIrql;
 
    /* Check for V86 GPF */
    if (__builtin_expect(KiV86Trap(TrapFrame), 1))
    {
        /* Enter V86 trap */
        KiEnterV86Trap(TrapFrame);
 
        /* Must be a VDM process */
        if (__builtin_expect(!PsGetCurrentProcess()->VdmObjects, 0))
        {
            /* Enable interrupts */
            _enable();
 
            /* Setup illegal instruction fault */
            KiDispatchException0Args(STATUS_ILLEGAL_INSTRUCTION,
                                     TrapFrame->Eip,
                                     TrapFrame);
        }
 
        /* Go to APC level */
        KeRaiseIrql(APC_LEVEL, &OldIrql);
        _enable();
 
        /* Check for BOP */
        if (!VdmDispatchBop(TrapFrame))
        {
            /* Should only happen in VDM mode */
            UNIMPLEMENTED_FATAL();
        }
 
        /* Bring IRQL back */
        KeLowerIrql(OldIrql);
        _disable();
 
        /* Do a quick V86 exit if possible */
        KiExitV86Trap(TrapFrame);
    }
 
    /* Save trap frame */
    KiEnterTrap(TrapFrame);
 
    /* Enable interrupts */
    Instruction = (PUCHAR)TrapFrame->Eip;
    _enable();
 
    /* Check for user trap */
    if (KiUserTrap(TrapFrame))
    {
        /* FIXME: Use SEH */
 
        /* Scan next 4 opcodes */
        for (i = 0; i < 4; i++)
        {
            /* Check for LOCK instruction */
            if (Instruction[i] == 0xF0)
            {
                /* Send invalid lock sequence exception */
                KiDispatchException0Args(STATUS_INVALID_LOCK_SEQUENCE,
                                         TrapFrame->Eip,
                                         TrapFrame);
            }
        }
 
        /* FIXME: SEH ends here */
    }
 
    /* Kernel-mode or user-mode fault (but not LOCK) */
    KiDispatchException0Args(STATUS_ILLEGAL_INSTRUCTION,
                             TrapFrame->Eip,
                             TrapFrame);
 
}

KiTrap07Handler()

DECLSPEC_NORETURN VOID FASTCALL KiTrap07Handler

(

IN PKTRAP_FRAME

TrapFrame

)

Definition at line 722 of file traphdlr.c.

{
    PKTHREAD Thread, NpxThread;
    PFX_SAVE_AREA SaveArea, NpxSaveArea;
    ULONG Cr0;
 
    /* Save trap frame */
    KiEnterTrap(TrapFrame);
 
    /* Try to handle NPX delay load */
    for (;;)
    {
        /* Get the current thread */
        Thread = KeGetCurrentThread();
 
        /* Get the NPX frame */
        SaveArea = KiGetThreadNpxArea(Thread);
 
        /* Check if emulation is enabled */
        if (SaveArea->Cr0NpxState & CR0_EM)
        {
            /* Not implemented */
            UNIMPLEMENTED_FATAL();
        }
 
        /* Save CR0 and check NPX state */
        Cr0 = __readcr0();
        if (Thread->NpxState != NPX_STATE_LOADED)
        {
            /* Update CR0 */
            Cr0 &= ~(CR0_MP | CR0_EM | CR0_TS);
            __writecr0(Cr0);
 
            /* Get the NPX thread */
            NpxThread = KeGetCurrentPrcb()->NpxThread;
            if (NpxThread)
            {
                /* Get the NPX frame */
                NpxSaveArea = KiGetThreadNpxArea(NpxThread);
 
                /* Save FPU state */
                Ke386SaveFpuState(NpxSaveArea);
 
                /* Update NPX state */
                NpxThread->NpxState = NPX_STATE_NOT_LOADED;
           }
 
            /* Load FPU state */
            Ke386LoadFpuState(SaveArea);
 
            /* Update NPX state */
            Thread->NpxState = NPX_STATE_LOADED;
            KeGetCurrentPrcb()->NpxThread = Thread;
 
            /* Enable interrupts */
            _enable();
 
            /* Check if CR0 needs to be reloaded due to context switch */
            if (!SaveArea->Cr0NpxState) KiEoiHelper(TrapFrame);
 
            /* Otherwise, we need to reload CR0, disable interrupts */
            _disable();
 
            /* Reload CR0 */
            Cr0 = __readcr0();
            Cr0 |= SaveArea->Cr0NpxState;
            __writecr0(Cr0);
 
            /* Now restore interrupts and check for TS */
            _enable();
            if (Cr0 & CR0_TS) KiEoiHelper(TrapFrame);
 
            /* We're still here -- clear TS and try again */
            __writecr0(__readcr0() &~ CR0_TS);
            _disable();
        }
        else
        {
            /* This is an actual fault, not a lack of FPU state */
            break;
        }
    }
 
    /* TS should not be set */
    if (Cr0 & CR0_TS)
    {
        /*
         * If it's incorrectly set, then maybe the state is actually still valid
         * but we could have lost track of that due to a BIOS call.
         * Make sure MP is still set, which should verify the theory.
         */
        if (Cr0 & CR0_MP)
        {
            /* Indeed, the state is actually still valid, so clear TS */
            __writecr0(__readcr0() &~ CR0_TS);
            KiEoiHelper(TrapFrame);
        }
 
        /* Otherwise, something strange is going on */
        KeBugCheckWithTf(TRAP_CAUSE_UNKNOWN, 2, Cr0, 0, 0, TrapFrame);
    }
 
    /* It's not a delayed load, so process this trap as an NPX fault */
    KiNpxHandler(TrapFrame, Thread, SaveArea);
}

KiTrap08Handler()

DECLSPEC_NORETURN VOID __cdecl KiTrap08Handler

(

VOID

)

Definition at line 831 of file traphdlr.c.

{
    PKTSS Tss, DfTss;
    PKTHREAD Thread;
    PKPROCESS Process;
    PKGDTENTRY TssGdt;
 
    /* For sanity's sake, make sure interrupts are disabled */
    _disable();
 
    /* Get the current TSS, thread, and process */
    Tss = KeGetPcr()->TSS;
    Thread = ((PKIPCR)KeGetPcr())->PrcbData.CurrentThread;
    Process = Thread->ApcState.Process;
 
    /* Save data usually not present in the TSS */
    Tss->CR3 = Process->DirectoryTableBase[0];
    Tss->IoMapBase = Process->IopmOffset;
    Tss->LDT = Process->LdtDescriptor.LimitLow ? KGDT_LDT : 0;
 
    /* Now get the base address of the double-fault TSS */
    TssGdt = &((PKIPCR)KeGetPcr())->GDT[KGDT_DF_TSS / sizeof(KGDTENTRY)];
    DfTss  = (PKTSS)(ULONG_PTR)(TssGdt->BaseLow |
                                TssGdt->HighWord.Bytes.BaseMid << 16 |
                                TssGdt->HighWord.Bytes.BaseHi << 24);
 
    /*
     * Switch to it and activate it, masking off the nested flag.
     *
     * Note that in reality, we are already on the double-fault TSS
     * -- we just need to update the PCR to reflect this.
     */
    KeGetPcr()->TSS = DfTss;
    __writeeflags(__readeflags() &~ EFLAGS_NESTED_TASK);
    TssGdt->HighWord.Bits.Dpl = 0;
    TssGdt->HighWord.Bits.Pres = 1;
    // TssGdt->HighWord.Bits.Type &= ~0x2; /* I386_ACTIVE_TSS --> I386_TSS */
    TssGdt->HighWord.Bits.Type = I386_TSS; // Busy bit cleared in the TSS selector.
 
    /* Bugcheck the system */
    KeBugCheckWithTf(UNEXPECTED_KERNEL_MODE_TRAP,
                     EXCEPTION_DOUBLE_FAULT,
                     (ULONG_PTR)Tss,
                     0,
                     0,
                     NULL);
}

KiTrap09Handler()

DECLSPEC_NORETURN VOID FASTCALL KiTrap09Handler

(

IN PKTRAP_FRAME

TrapFrame

)

Definition at line 882 of file traphdlr.c.

{
    /* Save trap frame */
    KiEnterTrap(TrapFrame);
 
    /* Enable interrupts and kill the system */
    _enable();
    KiSystemFatalException(EXCEPTION_NPX_OVERRUN, TrapFrame);
}

KiTrap0AHandler()

DECLSPEC_NORETURN VOID FASTCALL KiTrap0AHandler

(

IN PKTRAP_FRAME

TrapFrame

)

Definition at line 895 of file traphdlr.c.

{
    /* Save trap frame */
    KiEnterTrap(TrapFrame);
 
    /* Check for VDM trap */
    ASSERT(KiVdmTrap(TrapFrame) == FALSE);
 
    /* Kill the system */
    KiSystemFatalException(EXCEPTION_INVALID_TSS, TrapFrame);
}

KiTrap0BHandler()

DECLSPEC_NORETURN VOID FASTCALL KiTrap0BHandler

(

IN PKTRAP_FRAME

TrapFrame

)

Definition at line 910 of file traphdlr.c.

{
    /* Save trap frame */
    KiEnterTrap(TrapFrame);
 
    /* FIXME: Kill the system */
    UNIMPLEMENTED;
    KiSystemFatalException(EXCEPTION_SEGMENT_NOT_PRESENT, TrapFrame);
}

KiTrap0CHandler()

DECLSPEC_NORETURN VOID FASTCALL KiTrap0CHandler

(

IN PKTRAP_FRAME

TrapFrame

)

Definition at line 923 of file traphdlr.c.

{
    /* Save trap frame */
    KiEnterTrap(TrapFrame);
 
    /* FIXME: Kill the system */
    UNIMPLEMENTED;
    KiSystemFatalException(EXCEPTION_STACK_FAULT, TrapFrame);
}

KiTrap0DHandler()

DECLSPEC_NORETURN VOID FASTCALL KiTrap0DHandler

(

IN PKTRAP_FRAME

TrapFrame

)

Definition at line 939 of file traphdlr.c.

{
    ULONG i, j, Iopl;
    BOOLEAN Privileged = FALSE;
    PUCHAR Instructions;
    UCHAR Instruction = 0;
    KIRQL OldIrql;
 
    /* Check for V86 GPF */
    if (__builtin_expect(KiV86Trap(TrapFrame), 1))
    {
        /* Enter V86 trap */
        KiEnterV86Trap(TrapFrame);
 
        /* Must be a VDM process */
        if (__builtin_expect(!PsGetCurrentProcess()->VdmObjects, 0))
        {
            /* Enable interrupts */
            _enable();
 
            /* Setup illegal instruction fault */
            KiDispatchException0Args(STATUS_ILLEGAL_INSTRUCTION,
                                     TrapFrame->Eip,
                                     TrapFrame);
        }
 
        /* Go to APC level */
        KeRaiseIrql(APC_LEVEL, &OldIrql);
        _enable();
 
        /* Handle the V86 opcode */
        if (__builtin_expect(Ki386HandleOpcodeV86(TrapFrame) == 0xFF, 0))
        {
            /* Should only happen in VDM mode */
            UNIMPLEMENTED_FATAL();
        }
 
        /* Bring IRQL back */
        KeLowerIrql(OldIrql);
        _disable();
 
        /* Do a quick V86 exit if possible */
        KiExitV86Trap(TrapFrame);
    }
 
    /* Save trap frame */
    KiEnterTrap(TrapFrame);
 
    /* Check for user-mode GPF */
    if (KiUserTrap(TrapFrame))
    {
        /* Should not be VDM */
        ASSERT(KiVdmTrap(TrapFrame) == FALSE);
 
        /* Enable interrupts and check error code */
        _enable();
        if (!TrapFrame->ErrCode)
        {
            /* FIXME: Use SEH */
            Instructions = (PUCHAR)TrapFrame->Eip;
 
            /* Scan next 15 bytes */
            for (i = 0; i < 15; i++)
            {
                /* Skip prefix instructions */
                for (j = 0; j < sizeof(KiTrapPrefixTable); j++)
                {
                    /* Is this a prefix instruction? */
                    if (Instructions[i] == KiTrapPrefixTable[j])
                    {
                        /* Stop looking */
                        break;
                    }
                }
 
                /* Is this NOT any prefix instruction? */
                if (j == sizeof(KiTrapPrefixTable))
                {
                    /* We can go ahead and handle the fault now */
                    Instruction = Instructions[i];
                    break;
                }
            }
 
            /* If all we found was prefixes, then this instruction is too long */
            if (i == 15)
            {
                /* Setup illegal instruction fault */
                KiDispatchException0Args(STATUS_ILLEGAL_INSTRUCTION,
                                         TrapFrame->Eip,
                                         TrapFrame);
            }
 
            /* Check for privileged instructions */
            DPRINT("Instruction (%lu) at fault: %lx %lx %lx %lx\n",
                    i,
                    Instructions[i],
                    Instructions[i + 1],
                    Instructions[i + 2],
                    Instructions[i + 3]);
            if (Instruction == 0xF4)                            // HLT
            {
                /* HLT is privileged */
                Privileged = TRUE;
            }
            else if (Instruction == 0x0F)
            {
                /* Test if it's any of the privileged two-byte opcodes */
                if (((Instructions[i + 1] == 0x00) &&              // LLDT or LTR
                     (((Instructions[i + 2] & 0x38) == 0x10) ||        // LLDT
                      (Instructions[i + 2] == 0x18))) ||               // LTR
                    ((Instructions[i + 1] == 0x01) &&              // LGDT or LIDT or LMSW
                     (((Instructions[i + 2] & 0x38) == 0x10) ||        // LGDT
                      (Instructions[i + 2] == 0x18) ||                 // LIDT
                      (Instructions[i + 2] == 0x30))) ||               // LMSW
                    (Instructions[i + 1] == 0x08) ||               // INVD
                    (Instructions[i + 1] == 0x09) ||               // WBINVD
                    (Instructions[i + 1] == 0x35) ||               // SYSEXIT
                    (Instructions[i + 1] == 0x21) ||               // MOV DR, XXX
                    (Instructions[i + 1] == 0x06) ||               // CLTS
                    (Instructions[i + 1] == 0x20) ||               // MOV CR, XXX
                    (Instructions[i + 1] == 0x22) ||               // MOV XXX, CR
                    (Instructions[i + 1] == 0x23) ||               // MOV YYY, DR
                    (Instructions[i + 1] == 0x30) ||               // WRMSR
                    (Instructions[i + 1] == 0x33))                 // RDPMC
                    // INVLPG, INVLPGA, SYSRET
                {
                    /* These are all privileged */
                    Privileged = TRUE;
                }
            }
            else
            {
                /* Get the IOPL and compare with the RPL mask */
                Iopl = (TrapFrame->EFlags & EFLAGS_IOPL) >> 12;
                if ((TrapFrame->SegCs & RPL_MASK) > Iopl)
                {
                    /* I/O privilege error -- check for known instructions */
                    if ((Instruction == 0xFA) || (Instruction == 0xFB)) // CLI or STI
                    {
                        /* These are privileged */
                        Privileged = TRUE;
                    }
                    else
                    {
                        /* Last hope: an IN/OUT instruction */
                        for (j = 0; j < sizeof(KiTrapIoTable); j++)
                        {
                            /* Is this an I/O instruction? */
                            if (Instruction == KiTrapIoTable[j])
                            {
                                /* Then it's privileged */
                                Privileged = TRUE;
                                break;
                            }
                        }
                    }
                }
            }
 
            /* So now... was the instruction privileged or not? */
            if (Privileged)
            {
                /* Whew! We have a privileged instruction, so dispatch the fault */
                KiDispatchException0Args(STATUS_PRIVILEGED_INSTRUCTION,
                                         TrapFrame->Eip,
                                         TrapFrame);
            }
        }
 
        /* If we got here, send an access violation */
        KiDispatchException2Args(STATUS_ACCESS_VIOLATION,
                                 TrapFrame->Eip,
                                 0,
                                 0xFFFFFFFF,
                                 TrapFrame);
    }
 
    /*
     * Check for a fault during checking of the user instruction.
     *
     * Note that the SEH handler will catch invalid EIP, but we could be dealing
     * with an invalid CS, which will generate another GPF instead.
     *
     */
    if ((PVOID)TrapFrame->Eip >= (PVOID)KiTrap0DHandler &&
        (PVOID)TrapFrame->Eip <  (PVOID)KiTrap0EHandler)
    {
        /* Not implemented */
        UNIMPLEMENTED_FATAL();
    }
 
    /*
     * NOTE: The ASM trap exit code would restore segment registers by doing
     * a POP <SEG>, which could cause an invalid segment if someone had messed
     * with the segment values.
     *
     * Another case is a bogus SS, which would hit a GPF when doing the iret.
     * This could only be done through a buggy or malicious driver, or perhaps
     * the kernel debugger.
     *
     * The kernel normally restores the "true" segment if this happens.
     *
     * However, since we're restoring in C, not ASM, we can't detect
     * POP <SEG> since the actual instructions will be different.
     *
     * A better technique would be to check the EIP and somehow edit the
     * trap frame before restarting the instruction -- but we would need to
     * know the extract instruction that was used first.
     *
     * We could force a special instrinsic to use stack instructions, or write
     * a simple instruction length checker.
     *
     * Nevertheless, this is a lot of work for the purpose of avoiding a crash
     * when the user is purposedly trying to create one from kernel-mode, so
     * we should probably table this for now since it's not a "real" issue.
     */
 
    /*
     * NOTE2: Another scenario is the IRET during a V8086 restore (BIOS Call)
     * which will cause a GPF since the trap frame is a total mess (on purpose)
     * as built in KiEnterV86Mode.
     *
     * The idea is to scan for IRET, scan for the known EIP address, validate CS
     * and then manually issue a jump to the V8086 return EIP.
     */
    Instructions = (PUCHAR)TrapFrame->Eip;
    if (Instructions[0] == 0xCF)
    {
        /*
         * Some evil shit is going on here -- this is not the SS:ESP you're
         * looking for! Instead, this is actually CS:EIP you're looking at!
         * Why? Because part of the trap frame actually corresponds to the IRET
         * stack during the trap exit!
         */
        if ((TrapFrame->HardwareEsp == (ULONG)Ki386BiosCallReturnAddress) &&
            (TrapFrame->HardwareSegSs == (KGDT_R0_CODE | RPL_MASK)))
        {
            /* Exit the V86 trap! */
            Ki386BiosCallReturnAddress(TrapFrame);
        }
        else
        {
            /* Otherwise, this is another kind of IRET fault */
            UNIMPLEMENTED_FATAL();
        }
    }
 
     /* So since we're not dealing with the above case, check for RDMSR/WRMSR */
    if ((Instructions[0] == 0xF) &&            // 2-byte opcode
        ((Instructions[1] == 0x32) ||        // RDMSR
         (Instructions[1] == 0x30)))         // WRMSR
    {
        /* Unknown CPU MSR, so raise an access violation */
        KiDispatchException0Args(STATUS_ACCESS_VIOLATION,
                                 TrapFrame->Eip,
                                 TrapFrame);
    }
 
    /* Check for lazy segment load */
    if (TrapFrame->SegDs != (KGDT_R3_DATA | RPL_MASK))
    {
        /* Fix it */
        TrapFrame->SegDs = (KGDT_R3_DATA | RPL_MASK);
    }
    else if (TrapFrame->SegEs != (KGDT_R3_DATA | RPL_MASK))
    {
        /* Fix it */
        TrapFrame->SegEs = (KGDT_R3_DATA | RPL_MASK);
    }
    else
    {
        /* Whatever it is, we can't handle it */
        KiSystemFatalException(EXCEPTION_GP_FAULT, TrapFrame);
    }
 
    /* Return to where we came from */
    KiTrapReturn(TrapFrame);
}

Referenced by KiTrap0DHandler().

KiTrap0EHandler()

DECLSPEC_NORETURN VOID FASTCALL KiTrap0EHandler

(

IN PKTRAP_FRAME

TrapFrame

)

Definition at line 1321 of file traphdlr.c.

{
    PKTHREAD Thread;
    ULONG_PTR Cr2;
    NTSTATUS Status;
 
    /* Save trap frame */
    KiEnterTrap(TrapFrame);
 
    /* Check if this is the base frame */
    Thread = KeGetCurrentThread();
    if (KeGetTrapFrame(Thread) != TrapFrame)
    {
        /* It isn't, check if this is a second nested frame */
        if (((ULONG_PTR)KeGetTrapFrame(Thread) - (ULONG_PTR)TrapFrame) <=
            FIELD_OFFSET(KTRAP_FRAME, EFlags))
        {
            /* The stack is somewhere in between frames, we need to fix it */
            UNIMPLEMENTED_FATAL();
        }
    }
 
    /* Save CR2 */
    Cr2 = __readcr2();
 
    /* Enable interrupts */
    _enable();
 
    /* Check if we came in with interrupts disabled */
    if (!(TrapFrame->EFlags & EFLAGS_INTERRUPT_MASK))
    {
        /* This is completely illegal, bugcheck the system */
        KeBugCheckWithTf(IRQL_NOT_LESS_OR_EQUAL,
                         Cr2,
                         (ULONG_PTR)-1,
                         TrapFrame->ErrCode,
                         TrapFrame->Eip,
                         TrapFrame);
    }
 
    /* Check for S-List fault */
    if (KiCheckForSListFault(TrapFrame))
    {
        /* Continue execution */
        KiEoiHelper(TrapFrame);
    }
 
    /* Call the access fault handler */
    Status = MmAccessFault(TrapFrame->ErrCode,
                           (PVOID)Cr2,
                           KiUserTrap(TrapFrame),
                           TrapFrame);
    if (NT_SUCCESS(Status))
    {
        /* Check whether the kernel debugger has owed breakpoints to be inserted */
        KdSetOwedBreakpoints();
        /* We succeeded, return */
        KiEoiHelper(TrapFrame);
    }
 
    /* Check for syscall fault */
#if 0
    if ((TrapFrame->Eip == (ULONG_PTR)CopyParams) ||
        (TrapFrame->Eip == (ULONG_PTR)ReadBatch))
    {
        /* Not yet implemented */
        UNIMPLEMENTED_FATAL();
    }
#endif
 
    /* Check for VDM trap */
    if (KiVdmTrap(TrapFrame))
    {
        DPRINT1("VDM PAGE FAULT at %lx:%lx for address %lx\n",
                TrapFrame->SegCs, TrapFrame->Eip, Cr2);
        if (VdmDispatchPageFault(TrapFrame))
        {
            /* Return and end VDM execution */
            DPRINT1("VDM page fault with status 0x%lx resolved\n", Status);
            KiEoiHelper(TrapFrame);
        }
        DPRINT1("VDM page fault with status 0x%lx NOT resolved\n", Status);
    }
 
    /* Either kernel or user trap (non VDM) so dispatch exception */
    if (Status == STATUS_ACCESS_VIOLATION)
    {
        /* This status code is repurposed so we can recognize it later */
        KiDispatchException2Args(KI_EXCEPTION_ACCESS_VIOLATION,
                                 TrapFrame->Eip,
                                 MI_IS_WRITE_ACCESS(TrapFrame->ErrCode),
                                 Cr2,
                                 TrapFrame);
    }
    else if ((Status == STATUS_GUARD_PAGE_VIOLATION) ||
             (Status == STATUS_STACK_OVERFLOW))
    {
        /* These faults only have two parameters */
        KiDispatchException2Args(Status,
                                 TrapFrame->Eip,
                                 MI_IS_WRITE_ACCESS(TrapFrame->ErrCode),
                                 Cr2,
                                 TrapFrame);
    }
 
    /* Only other choice is an in-page error, with 3 parameters */
    KiDispatchExceptionFromTrapFrame(STATUS_IN_PAGE_ERROR,
                                     0,
                                     TrapFrame->Eip,
                                     3,
                                     MI_IS_WRITE_ACCESS(TrapFrame->ErrCode),
                                     Cr2,
                                     Status,
                                     TrapFrame);
}

Referenced by KiTrap0DHandler().

KiTrap0FHandler()

DECLSPEC_NORETURN VOID FASTCALL KiTrap0FHandler

(

IN PKTRAP_FRAME

TrapFrame

)

Definition at line 1440 of file traphdlr.c.

{
    /* Save trap frame */
    KiEnterTrap(TrapFrame);
 
    /* FIXME: Kill the system */
    UNIMPLEMENTED;
    KiSystemFatalException(EXCEPTION_RESERVED_TRAP, TrapFrame);
}

KiTrap10Handler()

DECLSPEC_NORETURN VOID FASTCALL KiTrap10Handler

(

IN PKTRAP_FRAME

TrapFrame

)

Definition at line 1453 of file traphdlr.c.

{
    PKTHREAD Thread;
    PFX_SAVE_AREA SaveArea;
 
    /* Save trap frame */
    KiEnterTrap(TrapFrame);
 
    /* Check if this is the NPX thrad */
    Thread = KeGetCurrentThread();
    SaveArea = KiGetThreadNpxArea(Thread);
    if (Thread != KeGetCurrentPrcb()->NpxThread)
    {
        /* It isn't, enable interrupts and set delayed error */
        _enable();
        SaveArea->Cr0NpxState |= CR0_TS;
 
        /* End trap */
        KiEoiHelper(TrapFrame);
    }
 
    /* Otherwise, proceed with NPX fault handling */
    KiNpxHandler(TrapFrame, Thread, SaveArea);
}

KiTrap11Handler()

DECLSPEC_NORETURN VOID FASTCALL KiTrap11Handler

(

IN PKTRAP_FRAME

TrapFrame

)

Definition at line 1481 of file traphdlr.c.

{
    /* Save trap frame */
    KiEnterTrap(TrapFrame);
 
    /* Enable interrupts and kill the system */
    _enable();
    KiSystemFatalException(EXCEPTION_ALIGNMENT_CHECK, TrapFrame);
}

KiTrap13Handler()

DECLSPEC_NORETURN VOID FASTCALL KiTrap13Handler

(

IN PKTRAP_FRAME

TrapFrame

)

Definition at line 1494 of file traphdlr.c.

{
    PKTHREAD Thread;
    PFX_SAVE_AREA SaveArea;
    ULONG Cr0, MxCsrMask, Error;
 
    /* Save trap frame */
    KiEnterTrap(TrapFrame);
 
    /* Check if this is the NPX thrad */
    Thread = KeGetCurrentThread();
    if (Thread != KeGetCurrentPrcb()->NpxThread)
    {
        /* It isn't, kill the system */
        KeBugCheckWithTf(TRAP_CAUSE_UNKNOWN, 13, (ULONG_PTR)Thread, 0, 0, TrapFrame);
    }
 
    /* Get the NPX frame */
    SaveArea = KiGetThreadNpxArea(Thread);
 
    /* Check for VDM trap */
    ASSERT(KiVdmTrap(TrapFrame) == FALSE);
 
    /* Check for user trap */
    if (!KiUserTrap(TrapFrame))
    {
        /* Kernel should not fault on XMMI */
        KeBugCheckWithTf(TRAP_CAUSE_UNKNOWN, 13, 0, 0, 2, TrapFrame);
    }
 
    /* Update CR0 */
    Cr0 = __readcr0();
    Cr0 &= ~(CR0_MP | CR0_EM | CR0_TS);
    __writecr0(Cr0);
 
    /* Save FPU state */
    Ke386SaveFpuState(SaveArea);
 
    /* Mark CR0 state dirty */
    Cr0 |= NPX_STATE_NOT_LOADED;
    Cr0 |= SaveArea->Cr0NpxState;
     __writecr0(Cr0);
 
    /* Update NPX state */
    Thread->NpxState = NPX_STATE_NOT_LOADED;
    KeGetCurrentPrcb()->NpxThread = NULL;
 
    /* Clear the TS bit and re-enable interrupts */
    SaveArea->Cr0NpxState &= ~CR0_TS;
    _enable();
 
    /* Now look at MxCsr to get the mask of errors we should care about */
    MxCsrMask = ~((USHORT)SaveArea->U.FxArea.MXCsr >> 7);
 
    /* Get legal exceptions that software should handle */
    Error = (USHORT)SaveArea->U.FxArea.MXCsr & (FSW_INVALID_OPERATION |
                                                FSW_DENORMAL |
                                                FSW_ZERO_DIVIDE |
                                                FSW_OVERFLOW |
                                                FSW_UNDERFLOW |
                                                FSW_PRECISION);
    Error &= MxCsrMask;
 
    /* Now handle any of those legal errors */
    if (Error & (FSW_INVALID_OPERATION |
                 FSW_DENORMAL |
                 FSW_ZERO_DIVIDE |
                 FSW_OVERFLOW |
                 FSW_UNDERFLOW |
                 FSW_PRECISION))
    {
        /* By issuing an exception */
        KiDispatchException1Args(STATUS_FLOAT_MULTIPLE_TRAPS,
                                 TrapFrame->Eip,
                                 0,
                                 TrapFrame);
    }
 
    /* Unknown XMMI fault */
    KeBugCheckWithTf(TRAP_CAUSE_UNKNOWN, 13, 0, 0, 1, TrapFrame);
}

KiV86Trap()

FORCEINLINE BOOLEAN KiV86Trap

(

IN PKTRAP_FRAME

TrapFrame

)

Definition at line 79 of file traphdlr.c.

{
    /* Check if the V8086 flag is on */
    return ((TrapFrame->EFlags & EFLAGS_V86_MASK) != 0);
}

Referenced by KiTrap06Handler(), and KiTrap0DHandler().

KiVdmTrap()

FORCEINLINE BOOLEAN KiVdmTrap

(

IN PKTRAP_FRAME

TrapFrame

)

Definition at line 70 of file traphdlr.c.

{
    /* Either the V8086 flag is on, or this is user-mode with a VDM */
    return ((TrapFrame->EFlags & EFLAGS_V86_MASK) ||
            ((KiUserTrap(TrapFrame)) && (PsGetCurrentProcess()->VdmObjects)));
}

Referenced by KiDebugHandler(), KiNpxHandler(), KiTrap00Handler(), KiTrap01Handler(), KiTrap04Handler(), KiTrap05Handler(), KiTrap0AHandler(), KiTrap0DHandler(), KiTrap0EHandler(), and KiTrap13Handler().

Variable Documentation

FrRestore

PVOID FrRestore

extern

Referenced by KiNpxHandler().

KeUserPopEntrySListFault

PVOID KeUserPopEntrySListFault

extern

Definition at line 18 of file psmgr.c.

Referenced by KiCheckForSListFault().

KeUserPopEntrySListResume

PVOID KeUserPopEntrySListResume

extern

Definition at line 19 of file psmgr.c.

Referenced by KiCheckForSListFault().

KiFastCallExitHandler

PFAST_SYSTEM_CALL_EXIT KiFastCallExitHandler

Definition at line 56 of file traphdlr.c.

Referenced by KiRestoreFastSyscallReturnState(), and KiServiceExit().

KiTrapIoTable

UCHAR KiTrapIoTable[]

Initial value:

=
{
    0xE4,                      
    0xE5,                      
    0xEC,                      
    0xED,                      
    0x6C,                      
    0x6D,                      
    0xE6,                      
    0xE7,                      
    0xEE,                      
    0xEF,                      
    0x6E,                      
    0x6F,                      
}

Definition at line 40 of file traphdlr.c.

Referenced by KiTrap0DHandler().

KiTrapPrefixTable

UCHAR KiTrapPrefixTable[]

Initial value:

=
{
    0xF2,                      
    0xF3,                      
    0x67,                      
    0xF0,                      
    0x66,                      
    0x2E,                      
    0x3E,                      
    0x26,                      
    0x64,                      
    0x65,                      
    0x36,                      
}

Definition at line 25 of file traphdlr.c.

Referenced by KiTrap0DHandler().