Writing a Bug Check Reason Callback Routine
Drivers can register callback routines that the system executes when it issues a bug check. Drivers can use a bug check callback routine to reset their device to a known state.
In Windows the system calls the KBUGCHECK_REASON_CALLBACK_ROUTINE callback function after the crash dump file is written.
The KBUGCHECK_REASON_CALLBACK_ROUTINE can be used to write secondary data to the crash dump file.
A driver can implement a KBUGCHECK_REASON_CALLBACK_ROUTINE to add pages of driver-specific data to the crash dump file. To register and remove the callback, drivers use the following routines:
The KBUGCHECK_CALLBACK_REASON enumeration specifies the types of callback routines.
For general information about bug check data, see Reading Bug Check Callback Data.
Bug Check Callback Routine Restrictions
A bug check callback routine executes at IRQL = HIGH_LEVEL, which imposes strong restrictions on what it can do.
A bug check callback routine cannot:
Access pageable memory
Use any synchronization mechanisms
Call any routine that must execute at IRQL = DISPATCH_LEVEL or below
Bug check callback routines are guaranteed to run without interruption, so no synchronization is required. (If the bug check routine does use any synchronization mechanisms, the system will deadlock.)
A driver's bug check callback routine can safely use the READ_PORT_XXX, READ_REGISTER_XXX, WRITE_PORT_XXX, and WRITE_REGISTER_XXX routines to communicate with the driver's device. (For information about these routines, see Hardware Abstraction Layer Routines.)
Implementing KbCallbackAddPages Callback Routine
A kernel-mode driver can implement a KBUGCHECK_REASON_CALLBACK_ROUTINE callback function of type KbCallbackAddPages to add one or more pages of data to a crash dump file when a bug check occurs. To register this routine with the operating system, the driver calls the KeRegisterBugCheckReasonCallback routine. Before the driver unloads, it must call the KeDeregisterBugCheckReasonCallback routine to remove the registration.
Starting with Windows 8, a registered KbCallbackAddPages routine is called during a kernel memory dump or a complete memory dump. In earlier versions of Windows, a registered KbCallbackAddPages routine is called during a kernel memory dump, but not during a complete memory dump. By default, a kernel memory dump includes only the physical pages that are being used by the Windows kernel at the time that the bug check occurs, whereas a complete memory dump includes all of the physical memory that is used by Windows. A complete memory dump does not, by default, include physical memory that is used by the platform firmware.
Your KbCallbackAddPages routine can supply driver-specific data to add to the dump file. For example, for a kernel memory dump, this additional data can include physical pages that are not mapped to the system address range in virtual memory but that contain information that can help you to debug your driver. The KbCallbackAddPages routine might add to the dump file any driver-owned physical pages that are unmapped or that are mapped to user-mode addresses in virtual memory.
When a bug check occurs, the operating system calls all the registered KbCallbackAddPages routines to poll drivers for data to add to the crash dump file. Each call adds one or more pages of contiguous data to the crash dump file. A KbCallbackAddPages routine can supply either a virtual address or a physical address for the starting page. If more than one page is supplied during a call, the pages are contiguous in either virtual or physical memory, depending on whether the starting address is virtual or physical. To supply noncontiguous pages, the KbCallbackAddPages routine can set a flag in the KBUGCHECK_ADD_PAGES structure to indicate that it has additional data and has to be called again. For more information, see the KBUGCHECK_ADD_PAGES structure.
Unlike a KbCallbackSecondaryDumpData routine, which appends data to the secondary crash dump region, a KbCallbackAddPages routine adds pages of data to the primary crash dump region. During debugging, primary crash dump data is easier to access than secondary crash dump data.
Before the operating system calls a KbCallbackAddPages routine, it fills in the BugCheckCode member of the KBUGCHECK_ADD_PAGES structure that ReasonSpecificData points to. During the call, the KbCallbackAddPages routine must set the values of the Flags, Address, and Count members of this structure. If the KbCallbackAddPages routine is called more than one time, the operating system preserves the value that the callback routine wrote to the Context member in the previous call. Before the first call, the operating system initializes Context to NULL.
A KbCallbackAddPages routine is very restricted in the actions it can take. For more information, see "Bug Check Callback Routine Restrictions" in this topic.
Implementing a KbCallbackDumpIo callback routine
A kernel-mode driver can implement a KBUGCHECK_REASON_CALLBACK_ROUTINE callback function of type KbCallbackDumpIo to perform work each time data is written to the crash dump file. The system passes, in the ReasonSpecificData parameter, a description of the data being written. The Buffer member points to the current data, and the BufferLength member specifies its length. The Type member indicates the type of data currently being written, such as dump file header information, memory state, or data provided by a driver. For a description of the possible types of information, see KBUGCHECK_DUMP_IO_TYPE.
The system can write the crash dump file either sequentially, or out of order. If the system is writing the crash dump file sequentially, then the Offset member of ReasonSpecificData is -1; otherwise, Offset is set to the current offset, in bytes, in the crash dump file.
When the system writes the file sequentially, it calls each KbCallbackDumpIo routine one or more times when writing the header information (Type = KbDumpIoHeader), one or more times when writing the main body of the crash dump file (Type = KbDumpIoBody), and one or more times when writing the secondary dump data (Type = KbDumpIoSecondaryDumpData). Once the system has completed writing the crash dump file, it calls the callback with Buffer = NULL, BufferLength = 0, and Type = KbDumpIoComplete.
The main purpose of a KbCallbackDumpIo routine is to allow system crash dump data to be written to devices other than the disk. For example, a device that monitors system state can use the callback to report that the system has issued a bug check, and to provide a crash dump for analysis.
Use KeRegisterBugCheckReasonCallback to register a KbCallbackDumpIo routine. A driver can subsequently remove the callback by using the KeDeregisterBugCheckReasonCallback routine. If the driver can be unloaded, it must remove any registered callbacks in its Unload routine.
A KbCallbackDumpIo routine is strongly restricted in the actions it can take. For more information, see "Bug Check Callback Routine Restrictions" in this topic.
A kernel-mode driver can implement a KBUGCHECK_REASON_CALLBACK_ROUTINE callback function of type KbCallbackSecondaryDumpData to provide data to append to the crash dump file.
The system sets the InBuffer, InBufferLength, OutBuffer, and MaximumAllowed members of the KBUGCHECK_SECONDARY_DUMP_DATA structure that ReasonSpecificData points to. The MaximumAllowed member specifies the maximum amount of dump data the routine can provide.
The value of the OutBuffer member determines whether the system is requesting the size of the driver's dump data, or the data itself, as follows:
- If the OutBuffer member of KBUGCHECK_SECONDARY_DUMP_DATA is NULL, the system is only requesting size information. The KbCallbackSecondaryDumpData routine fills in the OutBuffer and OutBufferLength members.
- If the OutBuffer member of KBUGCHECK_SECONDARY_DUMP_DATA equals the InBuffer member, the system is requesting the driver's secondary dump data. The KbCallbackSecondaryDumpData routine fills in the OutBuffer and OutBufferLength members, and writes the data to the buffer specified by OutBuffer.
The InBuffer member of KBUGCHECK_SECONDARY_DUMP_DATA points to a small buffer for the routine's use. The InBufferLength member specifies the size of the buffer. If the amount of data to be written is less than InBufferLength, the callback routine can use this buffer to supply the crash dump data to the system. The callback routine then sets OutBuffer to InBuffer and OutBufferLength to the actual amount of data written to the buffer.
A driver that must write an amount of data that is larger than InBufferLength can use its own buffer to provide the data. This buffer must have been allocated before the callback routine is executed, and must reside in resident memory (such as nonpaged pool). The callback routine then sets OutBuffer to point to the driver's buffer, and OutBufferLength to the amount of data in the buffer to be written to the crash dump file.
Each block of data to be written to the crash dump file is tagged with the value of the Guid member of KBUGCHECK_SECONDARY_DUMP_DATA. The GUID used must be unique to the driver. To display the secondary dump data corresponding to this GUID, you can use the .enumtag command or the IDebugDataSpaces3::ReadTagged method in a debugger extension. For information about debuggers and debugger extensions, see Windows Debugging.
A driver can write multiple blocks with the same GUID to the crash dump file, but this is very poor practice, because only the first block will be accessible to the debugger. Drivers that register multiple KbCallbackSecondaryDumpData routines should allocate a unique GUID for each callback.
Use KeRegisterBugCheckReasonCallback to register a KbCallbackSecondaryDumpData routine. A driver can subsequently remove the callback routine by using the KeDeregisterBugCheckReasonCallback routine. If the driver can be unloaded, then it must remove any registered callback routines in its Unload routine.
A KbCallbackSecondaryDumpData routine is very restricted in the actions it can take. For more information, see "Bug Check Callback Routine Restrictions" in this topic.