Understanding the rationale behind a rule when trying to circumvent it

<p>In the documentation for <a href="https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/windows-kernel-mode-process-and-thread-manager#best-practices-for-implementing-process-and-thread-related-callback-functions"> best practices for implementing process and thread-related callback functions</a>, it calls out</p> <blockquote class="q"> <ul> <li>Keep routines short and simple.</li> <li>Don&#8217;t make calls into a user mode service to validate the process, thread, or image.</li> <li>Don&#8217;t make registry calls.</li> <li>Don&#8217;t make blocking and/or Interprocess Communication (IPC) function calls.</li> <li>Don&#8217;t synchronize with other threads because it can lead to reentrancy deadlocks.</li> </ul> </blockquote> <p>So far so good. It seems that these callback functions need to operate quickly and cannot block. These are callbacks that are invoked when a process starts or exits, when a thread starts or exits, when a DLL or EXE is loaded or unloaded, and various other low-level events.</p> <p>The various prohibitions above suggest that these callouts are called during the process creation/termination sequence, so if you take a long time to deal with them, you are slowing down the entire system. And the rather extreme requirements, like &#8220;Don&#8217;t make registry calls,&#8221; suggest that they might even be called while the system holds internal locks.</p> <p>The list of best practices continues:</p> <blockquote class="q"> <ul> <li>Use System Worker Threads to queue work especially work involving: <ul> <li>Slow APIs or APIs that call into other process.</li> <li>Any blocking behavior that could interrupt threads in core services.</li> </ul> </li> </ul> </blockquote> <p>Okay, so this is providing a suggestion on how you can offload expensive work to code running outside the callback. This once again highlights that the callback itself needs to be fast with minimal blocking.</p> <p>My colleagues in enterprise support often run into cases where the reason for a system hang is a driver violating the rule that these callbacks must return quickly. For example, a common anti-pattern is a driver whose callback starts by following the guidance above to queue work to a System Worker Thread, but then they block until the work item completes.</p> <p>This is a case of following the rules without understanding why the rules are there.</p> <p>The rule is that the callback needs to be fast and return quickly. The driver followed the letter of the law by delegating the work to a System Worker Thread, and there&#8217;s no rule that says &#8220;Don&#8217;t wait for work items&#8221;, so they must have figured that this gave them a loophole for executing synchronous long-running work.</p> <p>But the rules &#8220;Don&#8217;t make blocking and/or Interprocess Communication (IPC) function calls&#8221; and &#8220;Don&#8217;t synchronize with other threads because it can lead to reentrancy deadlocks&#8221; make it clear that you shouldn&#8217;t be blocking in your callback for extended periods of time. The &#8220;Don&#8217;t&#8221;s are just calling out some common ways that your callback can block.</p> <p>And it looks like the documentation was updated in 2020 to call out this specific case:</p> <blockquote> <ul> <li>If you use System Worker Threads, don&#8217;t wait on the work to complete. Doing so defeats the purpose of queuing the work to be completed asynchronously.</li> </ul> </blockquote> <p>One could argue that this rule is already covered by the &#8220;Don&#8217;t synchronize with other threads&#8221; rule, but I guess the driver vendor interpreted it as &#8220;But I&#8217;m not synchronizing with another thread. I&#8217;m synchronizing on an event!&#8221; But of course, the event is set by another thread, so you are effectively synchronizing with another thread.</p> <p>My colleague in enterprise support describes this as the &#8220;It wasn&#8217;t me, it was my brother&#8221; excuse. You are told by your parents not to turn on the television set, so you tell your brother to do it. Technically, you didn&#8217;t turn the television set on, but in effect, you did because your brother is acting under your instructions. (This is why contracts often contain wording like &#8220;may not disclose or cause to be disclosed,&#8221; so that you can&#8217;t say &#8220;No, I totally didn&#8217;t disclose it. I gave the information to Bob, and it was Bob who disclosed it!&#8221;)</p> <p>The documentation should open with something like this:</p> <blockquote class="q"><p>The callback function must perform its work quickly without blocking. If you need to do complex work or synchronize with other threads or processes, do the work asynchronously, such as by using System Worker Threads.</p></blockquote> <p>And then it can give a list of examples of things that count as blocking.</p> <blockquote class="q"><p>Some examples of blocking that is not allowed from the callback function:</p></blockquote> <p>And then it can follow up with additional constraints.</p> <blockquote class="q"><p>Furthermore, the callback function may not perform any of the following operations:</p></blockquote> <p>The post <a href="https://devblogs.microsoft.com/oldnewthing/20260611-00/?p=112415">Understanding the rationale behind a rule when trying to circumvent it</a> appeared first on <a href="https://devblogs.microsoft.com/oldnewthing">The Old New Thing</a>.</p>