handtabl.c File Reference

#include "precomp.h"

Go to the source code of this file.

Defines
#define	HTIENTRY(szObjectType, structName, fnDestroy, dwAllocTag, bObjectCreateFlags)   {(FnDestroyUserObject)fnDestroy, (CONST DWORD)dwAllocTag, (CONST BYTE)(bObjectCreateFlags)}
#define	CPAGEENTRIESINIT   4
#define	DBGValidateHandleQuota()
#define	DBGHMValidateFreeLists()
#define	CHANDLEENTRIESINIT   200
#define	CLOCKENTRIESINIT   100
Functions
void	HMNullFnDestroy (PVOID pobj)
void	HMDestroyUnlockedObject (PHE phe)
void	HMRecordLock (PVOID ppobj, PVOID pobj, DWORD cLockObj)
BOOL	HMUnrecordLock (PVOID ppobj, PVOID pobj)
VOID	ShowLocks (PHE)
void	HMInitHandleEntries (ULONG_PTR iheFirstFree)
BOOL	HMInitHandleTable (PVOID pReadOnlySharedSectionBase)
BOOL	HMGrowHandleTable ()
PVOID	HMAllocObject (PTHREADINFO ptiOwner, PDESKTOP pdeskSrc, BYTE bType, DWORD size)
BOOL	HMFreeObject (PVOID pobj)
BOOL	HMMarkObjectDestroy (PVOID pobj)
BOOL	HMDestroyObject (PVOID pobj)
PVOID	HMUnlockObjectInternal (PVOID pobj)
PVOID FASTCALL	HMAssignmentLock (PVOID *ppobj, PVOID pobj)
PVOID FASTCALL	HMAssignmentUnlock (PVOID *ppobj)
PVOID	ThreadUnlock1 (VOID)
VOID	HMChangeOwnerThread (PVOID pobj, PTHREADINFO pti)
VOID	HMChangeOwnerPheProcess (PHE phe, PTHREADINFO pti)
VOID	DestroyThreadsObjects ()
void	FixupCursor (PCURSOR pcur, PPROCESSINFO ppi)
VOID	DestroyProcessesObjects (PPROCESSINFO ppi)
void	MarkThreadsObjects (PTHREADINFO pti)
VOID	_QueryUserHandles (LPDWORD paPids, DWORD dwNumInstances, DWORD dwResult[][TYPE_CTYPES])
void	HMCleanupGrantedHandle (HANDLE h)
Variables
CONST HANDLETYPEINFO	gahti [TYPE_CTYPES]
DWORD	gcHandlePages
PHANDLEPAGE	gpHandlePages

---

Define Documentation

#define CHANDLEENTRIESINIT   200

Definition at line 572 of file handtabl.c.

#define CLOCKENTRIESINIT   100

Definition at line 573 of file handtabl.c.

#define CPAGEENTRIESINIT   4

Definition at line 206 of file handtabl.c. Referenced by HMGrowHandleTable(), and HMInitHandleTable().

#define DBGHMValidateFreeLists (   )

Definition at line 455 of file handtabl.c. Referenced by HMAllocObject(), HMFreeObject(), and HMInitHandleEntries().

#define DBGValidateHandleQuota (   )

Definition at line 269 of file handtabl.c. Referenced by DestroyProcessesObjects(), DestroyThreadsObjects(), HMAllocObject(), HMChangeOwnerPheProcess(), HMChangeOwnerThread(), and HMFreeObject().

#define HTIENTRY (  szObjectType, structName, fnDestroy, dwAllocTag, bObjectCreateFlags   )     {(FnDestroyUserObject)fnDestroy, (CONST DWORD)dwAllocTag, (CONST BYTE)(bObjectCreateFlags)}

Definition at line 23 of file handtabl.c.

---

Function Documentation

VOID _QueryUserHandles (  LPDWORD  paPids, DWORD  dwNumInstances, DWORD  dwResult[][TYPE_CTYPES] )

Definition at line 2776 of file handtabl.c. References tagSHAREDINFO::aheList, tagHANDLETYPEINFO::bObjectCreateFlags, _HANDLEENTRY::bType, DWORD, gahti, giheLast, gSharedInfo, OCF_PROCESSOWNED, OCF_THREADOWNED, _HANDLEENTRY::pOwner, QUC_PID_TOTAL, TYPE_CTYPES, and VOID(). { PHE pheCurPos; // Current position in the table PHE pheMax; // address of last table entry DWORD index; DWORD pid; DWORD dwTotalCounters[TYPE_CTYPES]; // system wide counters RtlZeroMemory(dwTotalCounters, TYPE_CTYPES*sizeof(DWORD)); RtlZeroMemory(dwResult, dwNumInstances*TYPE_CTYPES*sizeof(DWORD)); /* * Walk the handle table and update the counters */ pheMax = &gSharedInfo.aheList[giheLast]; for(pheCurPos = gSharedInfo.aheList; pheCurPos <= pheMax; pheCurPos++) { UserAssert(pheCurPos->bType < TYPE_CTYPES); pid = 0; if (pheCurPos->pOwner) { if (gahti[pheCurPos->bType].bObjectCreateFlags & OCF_PROCESSOWNED) { /* * Object is owned by process * some objects may not have an owner */ pid = HandleToUlong(((PPROCESSINFO)pheCurPos->pOwner)->Process->UniqueProcessId); } else if (gahti[pheCurPos->bType].bObjectCreateFlags & OCF_THREADOWNED) { /* * Object owned by thread */ pid = HandleToUlong(((PTHREADINFO)pheCurPos->pOwner)->pEThread->ThreadsProcess->UniqueProcessId); } } /* * search to see if we are interested in this process * unowned handles are reported for the "System" process whose pid is 0 */ for (index = 0; index < dwNumInstances; index++) { if (paPids[index] == pid) { dwResult[index][pheCurPos->bType]++; } } /* * update the totals */ dwTotalCounters[pheCurPos->bType]++; } /* * search to see if we are interested in the totals */ for (index = 0; index < dwNumInstances; index++) { if (paPids[index] == QUC_PID_TOTAL) { RtlMoveMemory(dwResult[index], dwTotalCounters, sizeof(dwTotalCounters)); } } }

VOID DestroyProcessesObjects (  PPROCESSINFO  ppi  )

Definition at line 2511 of file handtabl.c. References tagSHAREDINFO::aheList, _HANDLEENTRY::bFlags, tagHANDLETYPEINFO::bObjectCreateFlags, BOOL, _HANDLEENTRY::bType, DBGValidateHandleQuota, FixupCursor(), gahti, giheLast, gpepCSRSS, gptiRit, gSharedInfo, HANDLEF_DESTROY, HMChangeOwnerPheProcess(), HMDestroyUnlockedObject(), ISTS, OCF_PROCESSOWNED, _HANDLEENTRY::phead, _HANDLEENTRY::pOwner, TYPE_CURSOR, TYPE_FREE, VOID(), and ZombieCursor(). Referenced by xxxDestroyThreadInfo(). { PHE pheT, pheMax; BOOL bGlobal = (ISTS() && ppi->Process == gpepCSRSS); /* * Loop through the table destroying all objects created by the current * process. All objects will get destroyed in their proper order simply * because of the object locking. */ DBGValidateHandleQuota(); pheMax = &gSharedInfo.aheList[giheLast]; for (pheT = gSharedInfo.aheList; pheT <= pheMax; pheT++) { /* * Check against free before we look at ppi... because pq is stored * in the object itself, which won't be there if TYPE_FREE. */ if (pheT->bType == TYPE_FREE) continue; /* * Destroy those objects created by this queue. */ if (!(gahti[pheT->bType].bObjectCreateFlags & OCF_PROCESSOWNED) || (PPROCESSINFO)pheT->pOwner != ppi) continue; /* * Make sure this object isn't already marked to be destroyed - we'll * do no good if we try to destroy it now since it is locked. * Change the owner since the process is going away */ if (pheT->bFlags & HANDLEF_DESTROY) { HMChangeOwnerPheProcess(pheT, gptiRit); continue; } if (bGlobal) { /* * For global cursors set the ppi in the pcur * to be CSRSS */ if (pheT->bType == TYPE_CURSOR) { FixupCursor((PCURSOR)pheT->phead, ppi); } } /* * Destroy this object. */ HMDestroyUnlockedObject(pheT); /* * When the object is freed, the handle type is set to TYPE_FREE. * Zombie this object, since its process is going away and it couldn't * be freed. This may include unlinking it and resetting the owner. */ if (pheT->bType != TYPE_FREE) { if (pheT->bType == TYPE_CURSOR) { RIPMSG1(RIP_WARNING, "About to zombie pcur %#p\n", pheT->phead); ZombieCursor((PCURSOR)pheT->phead); } else { HMChangeOwnerPheProcess(pheT, gptiRit); } } } /* for loop */ DBGValidateHandleQuota(); }

VOID DestroyThreadsObjects (   )

Definition at line 2284 of file handtabl.c. References tagSHAREDINFO::aheList, BEGINATOMICCHECK, _HANDLEENTRY::bFlags, tagHANDLETYPEINFO::bObjectCreateFlags, _HANDLEENTRY::bType, DBGValidateHandleQuota, DestroyCacheDCEntries(), DWORD, ENDATOMICCHECK, gahti, GETPTI, giheLast, gSharedInfo, HANDLEF_DESTROY, HMDestroyUnlockedObject(), KeGetCurrentThread, NULL, OCF_PROCESSOWNED, OCF_THREADOWNED, _HANDLEENTRY::phead, _HANDLEENTRY::pOwner, PtiCurrent, tagTHREADINFO::ptl, ThreadUnlock, TYPE_FREE, TYPE_MENU, Unlock, and VOID(). Referenced by xxxDestroyThreadInfo(). { PTHREADINFO ptiCurrent; HANDLEENTRY volatile * (*pphe); PHE pheT; DWORD i; ptiCurrent = PtiCurrent(); DBGValidateHandleQuota(); /* * Before any window destruction occurs, we need to destroy any dcs * in use in the dc cache. When a dc is checked out, it is marked owned, * which makes gdi's process cleanup code delete it when a process * goes away. We need to similarly destroy the cache entry of any dcs * in use by the exiting process. */ DestroyCacheDCEntries(ptiCurrent); /* * Remove any thread locks that may exist for this thread. */ while (ptiCurrent->ptl != NULL) { UserAssert((ULONG_PTR)ptiCurrent->ptl > (ULONG_PTR)&i); UserAssert((ULONG_PTR)ptiCurrent->ptl < (ULONG_PTR)KeGetCurrentThread()->StackBase); ThreadUnlock(ptiCurrent->ptl); } /* * CleanupPool stuff must happen before handle table clean up (as it always has been). * This is because SMWPs can be HM objects and still be locked in ptlPool. * If the handle is destroyed first (and it's not locked) we would end up with a * bogus pointer in ptlPool. If ptlPool is cleaned up first, the handle will be freed * or properly preserved if locked. */ CleanupW32ThreadLocks((PW32THREAD)ptiCurrent); /* * Eventhough HMDestroyUnlockedObject might call xxxDestroyWindow, the * following loop is not supposed to leave the critical section. We must * have called PatchThreadWindows before coming here. */ BEGINATOMICCHECK(); /* * Loop through the table destroying all objects created by the current * thread. All objects will get destroyed in their proper order simply * because of the object locking. */ pphe = &gSharedInfo.aheList; for (i = 0; i <= giheLast; i++) { /* * This pointer is done this way because it can change when we leave * the critical section below. The above volatile ensures that we * always use the most current value */ pheT = (PHE)((*pphe) + i); /* * Check against free before we look at pti... because pq is stored * in the object itself, which won't be there if TYPE_FREE. */ if (pheT->bType == TYPE_FREE) continue; /* * If a menu refererences a window owned by this thread, unlock * the window. This is done to prevent calling xxxDestroyWindow * during process cleanup. */ if (gahti[pheT->bType].bObjectCreateFlags & OCF_PROCESSOWNED) { if (pheT->bType == TYPE_MENU) { PWND pwnd = ((PMENU)pheT->phead)->spwndNotify; if (pwnd != NULL && GETPTI(pwnd) == ptiCurrent) Unlock(&((PMENU)pheT->phead)->spwndNotify); } continue; } /* * Destroy those objects created by this queue. */ if ((PTHREADINFO)pheT->pOwner != ptiCurrent) continue; UserAssert(gahti[pheT->bType].bObjectCreateFlags & OCF_THREADOWNED); /* * Make sure this object isn't already marked to be destroyed - we'll * do no good if we try to destroy it now since it is locked. */ if (pheT->bFlags & HANDLEF_DESTROY) { continue; } /* * Destroy this object. */ HMDestroyUnlockedObject(pheT); } ENDATOMICCHECK(); DBGValidateHandleQuota(); }

void FixupCursor (  PCURSOR  pcur, PPROCESSINFO  ppi )

Definition at line 2475 of file handtabl.c. References CURSORF_ACON, CURSORF_ACONFRAME, NULL, and pacon. Referenced by DestroyProcessesObjects(). { int i; PACON pacon = (PACON)pcur; if (pcur->head.ppi == NULL) { pcur->head.ppi = ppi; } if (pacon->CURSORF_flags & CURSORF_ACON) { for (i = 0; i < pacon->cpcur; i++) { UserAssert(pacon->aspcur[i]->CURSORF_flags & CURSORF_ACONFRAME); if (pacon->aspcur[i]->head.ppi == NULL) { pacon->aspcur[i]->head.ppi = ppi; } } } }

PVOID HMAllocObject (  PTHREADINFO  ptiOwner, PDESKTOP  pdeskSrc, BYTE  bType, DWORD  size )

Definition at line 828 of file handtabl.c. References tagSHAREDINFO::aheList, _HANDLEENTRY::bFlags, tagHANDLETYPEINFO::bObjectCreateFlags, BOOL, _HANDLEENTRY::bType, BYTE, tagSERVERINFO::cHandleEntries, CheckCritIn, DBGHMValidateFreeLists, DBGValidateHandleQuota, DesktopAlloc(), DTAG_HANDTABL, DWORD, ExQueryPoolBlockSize(), gahti, gcHandlePages, giheLast, gpHandlePages, gpsi, gpvSharedAlloc, gSharedInfo, gUserProcessHandleQuota, _HEAD::h, HMGrowHandleTable(), HMHandleFromIndex, HMINDEXBITS, HMIndexFromHandle, tagTDB::hTaskWow, _HANDLEPAGE::iheFreeEven, _HANDLEPAGE::iheFreeOdd, tagPERFINFO::lCount, tagPERFINFO::lMaxCount, LockDesktop, tagPERFINFO::lSize, tagPERFINFO::lTotalCount, NULL, OCF_DESKTOPHEAP, OCF_MARKPROCESS, OCF_PROCESSOWNED, OCF_SHAREDHEAP, OCF_THREADOWNED, OCF_USEPOOLIFNODESKTOP, OCF_USEPOOLQUOTA, OCF_VARIABLESIZE, PBYTE, _HANDLEENTRY::phead, tagDESKTOP::pheapDesktop, _HANDLEENTRY::pOwner, tagTHREADINFO::ppi, PPROCMARKHEAD, tagTHREADINFO::ptdb, RtlSizeHeap(), SharedAlloc(), TIF_16BIT, tagTHREADINFO::TIF_flags, and TYPE_WINDOW. Referenced by _BeginDeferWindowPos(), _ConvertMemHandle(), _CreateAcceleratorTable(), _CreateEmptyCursorObject(), _SetWinEventHook(), CreateInputContext(), CreateMonitor(), Createpxs(), GetCPD(), InternalCreateMenu(), InternalSetTimer(), LoadKeyboardLayoutFile(), NewConversation(), xxxCreateWindowEx(), xxxCsDdeInitialize(), xxxLoadKeyboardLayoutEx(), and zzzSetWindowsHookEx(). { DWORD i; PHEAD phead; PHE pheT; ULONG_PTR iheFree, *piheFreeHead; PHANDLEPAGE php; BYTE bCreateFlags; PPROCESSINFO ppiQuotaCharge = NULL; BOOL fUsePoolIfNoDesktop; BOOL fEven; CheckCritIn(); bCreateFlags = gahti[bType].bObjectCreateFlags; #if DBG /* * Validate size */ if (bCreateFlags & OCF_VARIABLESIZE) { UserAssert(gahti[bType].uSize <= size); } else { UserAssert(gahti[bType].uSize == size); } #endif /* * Check for process handle quota */ if (bCreateFlags & (OCF_PROCESSOWNED | OCF_THREADOWNED)) { UserAssert(ptiOwner != NULL); ppiQuotaCharge = ptiOwner->ppi; if (ppiQuotaCharge->UserHandleCount >= gUserProcessHandleQuota) { RIPERR0(ERROR_NO_MORE_USER_HANDLES, RIP_WARNING, "USER: HMAllocObject: out of handle quota\n"); return NULL; } } /* * Find the next free handle * Window handles must be even; hence we try first to use odd handles * for all other objects. * Old comment: * Some wow apps, like WinProj, require even Window handles so we'll * accomodate them; build a list of the odd handles so they won't get lost * 10/13/97: WinProj never fixed this; even the 32 bit version has the problem. */ fEven = (bType == TYPE_WINDOW); piheFreeHead = NULL; do { php = gpHandlePages; for (i = 0; i < gcHandlePages; ++i, ++php) { if (fEven) { if (php->iheFreeEven != 0) { piheFreeHead = &php->iheFreeEven; break; } } else { if (php->iheFreeOdd != 0) { piheFreeHead = &php->iheFreeOdd; break; } } } /* for */ /* * If we couldn't find an odd handle, then search for an even one */ fEven = ((piheFreeHead == NULL) && !fEven); } while (fEven); /* * If there are no free handles we can use, grow the table */ if (piheFreeHead == NULL) { HMGrowHandleTable(); /* * If the table didn't grow, get out. */ if (i == gcHandlePages) { RIPMSG0(RIP_WARNING, "HMAllocObject: could not grow handle space"); return NULL; } /* * Because the handle page table may have moved, * recalc the page entry pointer. */ php = &gpHandlePages[i]; piheFreeHead = (bType == TYPE_WINDOW ? &php->iheFreeEven : &php->iheFreeOdd); if (*piheFreeHead == 0) { UserAssert(gpsi->cHandleEntries == (HMINDEXBITS + 1)); RIPMSG0(RIP_WARNING, "HMAllocObject: handle table is full"); return NULL; } } /* * HMINDEXBITS is a reserved value that should never be in the free lists * (see HMGrowHandleTable()); */ UserAssert(HMIndexFromHandle(*piheFreeHead) != HMINDEXBITS); /* * Try to allocate the object. If this fails, bail out. */ if ((bCreateFlags & OCF_DESKTOPHEAP) && pdeskSrc) { phead = (PHEAD)DesktopAlloc(pdeskSrc, size, DTAG_HANDTABL); if (phead) { LockDesktop(&((PDESKOBJHEAD)phead)->rpdesk, pdeskSrc, LDL_OBJ_DESK, (ULONG_PTR)phead); ((PDESKOBJHEAD)phead)->pSelf = (PBYTE)phead; } } else if (bCreateFlags & OCF_SHAREDHEAP) { UserAssert(!pdeskSrc); phead = (PHEAD)SharedAlloc(size); } else { fUsePoolIfNoDesktop = !pdeskSrc && (bCreateFlags & OCF_USEPOOLIFNODESKTOP); UserAssert(!(bCreateFlags & OCF_DESKTOPHEAP) || fUsePoolIfNoDesktop); if ((bCreateFlags & OCF_USEPOOLQUOTA) && !fUsePoolIfNoDesktop) { phead = (PHEAD)UserAllocPoolWithQuotaZInit(size, gahti[bType].dwAllocTag); } else { phead = (PHEAD)UserAllocPoolZInit(size, gahti[bType].dwAllocTag); } } if (phead == NULL) { RIPERR0(ERROR_NOT_ENOUGH_MEMORY, RIP_WARNING, "USER: HMAllocObject: out of memory"); return NULL; } /* * We're going to use this handle so get it off its free list. * The free handle phead points to the next free handle. */ iheFree = *piheFreeHead; pheT = &gSharedInfo.aheList[iheFree]; *piheFreeHead = (ULONG_PTR)pheT->phead; DBGHMValidateFreeLists(); /* * Track high water mark for handle allocation. */ if ((DWORD)iheFree > giheLast) { giheLast = (DWORD)iheFree; } /* * Setup the handle contents, plus initialize the object header. */ pheT->bType = bType; pheT->phead = phead; UserAssert(pheT->bFlags == 0); if (bCreateFlags & OCF_PROCESSOWNED) { if ((ptiOwner->TIF_flags & TIF_16BIT) && (ptiOwner->ptdb)) { ((PPROCOBJHEAD)phead)->hTaskWow = ptiOwner->ptdb->hTaskWow; } else { ((PPROCOBJHEAD)phead)->hTaskWow = 0; } pheT->pOwner = ptiOwner->ppi; if (bCreateFlags & OCF_MARKPROCESS) { ((PPROCMARKHEAD)phead)->ppi = ptiOwner->ppi; } } else if (bCreateFlags & OCF_THREADOWNED) { ((PTHROBJHEAD)phead)->pti = pheT->pOwner = ptiOwner; } else { /* * The caller is wasting time if ptiOwner != NULL * The handle entry must already have pOwner == NULL. */ UserAssert(ptiOwner == NULL); UserAssert(pheT->pOwner == NULL); } phead->h = HMHandleFromIndex(iheFree); if (ppiQuotaCharge) { ppiQuotaCharge->UserHandleCount++; DBGValidateHandleQuota(); } #if DBG /* * performance counter dumphmgr * dwPrevCount is used for the snapshot option */ gaPerfhti[bType].lTotalCount++; gaPerfhti[bType].lCount++; if (gaPerfhti[bType].lCount > gaPerfhti[bType].lMaxCount) { gaPerfhti[bType].lMaxCount = gaPerfhti[bType].lCount; } if ((bCreateFlags & OCF_DESKTOPHEAP) && (pdeskSrc != NULL)) { gaPerfhti[bType].lSize += RtlSizeHeap(Win32HeapGetHandle(pdeskSrc->pheapDesktop), 0, phead); } else if (bCreateFlags & OCF_SHAREDHEAP) { gaPerfhti[bType].lSize += RtlSizeHeap(Win32HeapGetHandle(gpvSharedAlloc), 0, phead); } else { unsigned char notUsed; gaPerfhti[bType].lSize += ExQueryPoolBlockSize(phead, &notUsed); } #endif // DBG /* * Return a handle entry pointer. */ return pheT->phead; }

PVOID FASTCALL HMAssignmentLock (  PVOID *  ppobj, PVOID  pobj )

Definition at line 1509 of file handtabl.c. References FASTCALL, HMIsMarkDestroy, HMLockObject, HMRecordLock(), HMUnlockObject, HMUnrecordLock(), HMValidateCatHandleNoSecure(), NULL, PHEAD, and TYPE_GENERIC. { PVOID pobjOld; pobjOld = *ppobj; *ppobj = pobj; /* * Unlocks the old, locks the new. */ if (pobjOld != NULL) { /* * if we are locking in the same object that is there then * it is a no-op but we don't want to do the Unlock and the Lock * because the unlock could free object and the lock would lock * in a freed pointer; 6410. */ if (pobjOld == pobj) { return pobjOld; } #if DEBUGTAGS /* * Track assignment locks. */ if (IsDbgTagEnabled(DBGTAG_TrackLocks)) { if (!HMUnrecordLock(ppobj, pobjOld)) { HMRecordLock(ppobj, pobjOld, ((PHEAD)pobjOld)->cLockObj - 1); } } #endif } if (pobj != NULL) { UserAssert(pobj == HMValidateCatHandleNoSecure(((PHEAD)pobj)->h, TYPE_GENERIC)); if (HMIsMarkDestroy(pobj)) { RIPERR2(ERROR_INVALID_PARAMETER, RIP_WARNING, "HMAssignmentLock, locking object %#p marked for destruction at %#p\n", pobj, ppobj); } #if DEBUGTAGS /* * Track assignment locks. */ if (IsDbgTagEnabled(DBGTAG_TrackLocks)) { HMRecordLock(ppobj, pobj, ((PHEAD)pobj)->cLockObj + 1); if (HMIsMarkDestroy(pobj)) { RIPMSG2(RIP_WARNING, "Locking object %#p marked for destruction at %#p", pobj, ppobj); } } #endif HMLockObject(pobj); } /* * This unlock has been moved from up above, so that we implement a * "lock before unlock" strategy. Just in case pobjOld was the * only object referencing pobj, pobj won't go away when we unlock * pobjNew -- it will have been locked above. */ if (pobjOld) { pobjOld = HMUnlockObject(pobjOld); } return pobjOld; }

PVOID FASTCALL HMAssignmentUnlock (  PVOID *  ppobj  )

Definition at line 1599 of file handtabl.c. References FASTCALL, HMRecordLock(), HMUnlockObject, HMUnrecordLock(), and NULL. { PVOID pobjOld; pobjOld = *ppobj; *ppobj = NULL; /* * Unlocks the old, locks the new. */ if (pobjOld != NULL) { #if DEBUGTAGS /* * Track assignment locks. */ if (IsDbgTagEnabled(DBGTAG_TrackLocks)) { if (!HMUnrecordLock(ppobj, pobjOld)) { HMRecordLock(ppobj, pobjOld, ((PHEAD)pobjOld)->cLockObj - 1); } } #endif pobjOld = HMUnlockObject(pobjOld); } return pobjOld; }

VOID HMChangeOwnerPheProcess (  PHE  phe, PTHREADINFO  pti )

Definition at line 2220 of file handtabl.c. References tagHANDLETYPEINFO::bObjectCreateFlags, _HANDLEENTRY::bType, DBGValidateHandleQuota, gahti, HMObjectFlags, tagTDB::hTaskWow, NULL, OCF_MARKPROCESS, OCF_PROCESSOWNED, _HANDLEENTRY::phead, _HANDLEENTRY::pOwner, tagTHREADINFO::ppi, tagTHREADINFO::ptdb, TIF_16BIT, tagTHREADINFO::TIF_flags, TYPE_CURSOR, and VOID(). Referenced by DestroyProcessesObjects(). { PPROCESSINFO ppiOwner = (PPROCESSINFO)(phe->pOwner); PVOID pobj = phe->phead; UserAssert(HMObjectFlags(pobj) & OCF_PROCESSOWNED); UserAssert(pti != NULL); /* * Dec current owner handle count */ ppiOwner->UserHandleCount--; /* * hTaskWow */ if ((pti->TIF_flags & TIF_16BIT) && (pti->ptdb)) { ((PPROCOBJHEAD)pobj)->hTaskWow = pti->ptdb->hTaskWow; } else { ((PPROCOBJHEAD)pobj)->hTaskWow = 0; } /* * ppi */ if (gahti[phe->bType].bObjectCreateFlags & OCF_MARKPROCESS) { ((PPROCMARKHEAD)pobj)->ppi = pti->ppi; } /* * Set new owner in handle entry */ phe->pOwner = pti->ppi; /* * Inc new owner handle count */ ((PPROCESSINFO)(phe->pOwner))->UserHandleCount++; /* * If the handle is a cursor, adjust GDI cursor handle count */ if (phe->bType == TYPE_CURSOR) { GreDecQuotaCount((PW32PROCESS)ppiOwner); GreIncQuotaCount((PW32PROCESS)phe->pOwner); if (((PCURSOR)pobj)->hbmColor) { GreDecQuotaCount((PW32PROCESS)ppiOwner); GreIncQuotaCount((PW32PROCESS)phe->pOwner); } } DBGValidateHandleQuota(); }

VOID HMChangeOwnerThread (  PVOID  pobj, PTHREADINFO  pti )

Definition at line 2112 of file handtabl.c. References tagCLS::atomClassName, tagSERVERINFO::atomSysClass, _HANDLEENTRY::bType, tagTHREADINFO::cVisWindows, tagTHREADINFO::cWindows, tagCLS::cWndReferenceCount, DBGValidateHandleQuota, DereferenceClass(), FVisCountable(), GetClassPtr(), gpsi, gptiRit, tagWND::head, HF_GLOBAL, HMObjectFlags, hModuleWin, HMPheFromObject, ICLS_ICONTITLE, LockDesktop, NULL, OCF_THREADOWNED, tagWND::pcls, PHOOK, _HANDLEENTRY::pOwner, tagTHREADINFO::ppi, PpiCurrent, tagTHREADINFO::rpdesk, TestWF, TYPE_HOOK, TYPE_WINDOW, VOID(), WFDESTROYED, and WFVISIBLE. Referenced by MarkThreadsObjects(), xxxCreateDesktop(), xxxCreateWindowStation(), xxxDestroyWindow(), xxxFreeWindow(), and xxxMNOpenHierarchy(). { PHE phe = HMPheFromObject(pobj); PTHREADINFO ptiOld = ((PTHROBJHEAD)(pobj))->pti; PWND pwnd; PPCLS ppcls; PPROCESSINFO ppi; UserAssert(HMObjectFlags(pobj) & OCF_THREADOWNED); UserAssert(pti != NULL); ((PTHREADINFO)phe->pOwner)->ppi->UserHandleCount--; ((PTHROBJHEAD)pobj)->pti = phe->pOwner = pti; ((PTHREADINFO)phe->pOwner)->ppi->UserHandleCount++; DBGValidateHandleQuota(); /* * If this is a window, update the window counts. */ switch (phe->bType) { case TYPE_WINDOW: /* * Desktop thread used to hit this assert in HYDRA * because pti == ptiOld */ UserAssert(ptiOld->cWindows > 0 || ptiOld == pti); pti->cWindows++; ptiOld->cWindows--; pwnd = (PWND)pobj; /* * Make sure thread visible window count is properly updated. */ if (TestWF(pwnd, WFVISIBLE) && FVisCountable(pwnd)) { pti->cVisWindows++; ptiOld->cVisWindows--; } /* * If the owning process is changing, fix up * the window class. */ if (pti->ppi != ptiOld->ppi) { ppcls = GetClassPtr(pwnd->pcls->atomClassName, pti->ppi, hModuleWin); if (ppcls == NULL) { if (pwnd->head.rpdesk) ppi = pwnd->head.rpdesk->rpwinstaParent->pTerm->ptiDesktop->ppi; else ppi = PpiCurrent(); ppcls = GetClassPtr(gpsi->atomSysClass[ICLS_ICONTITLE], ppi, hModuleWin); } UserAssert(ppcls); /* * The window is either destroyed or the desktop of the class is * the same as the window's desktop */ UserAssert((*ppcls)->rpdeskParent == pwnd->head.rpdesk || TestWF(pwnd, WFDESTROYED)); DereferenceClass(pwnd); pwnd->pcls = *ppcls; pwnd->pcls->cWndReferenceCount++; } break; case TYPE_HOOK: /* * If this is a global hook, remember this hook's desktop so we'll be * able to unlink it later (gptiRit might switch to a different desktop * at any time). */ UserAssert(!!(((PHOOK)pobj)->flags & HF_GLOBAL) ^ (((PHOOK)pobj)->ptiHooked != NULL)); if (((PHOOK)pobj)->flags & HF_GLOBAL) { UserAssert(pti == gptiRit); LockDesktop(&((PHOOK)pobj)->rpdesk, ptiOld->rpdesk, LDL_HOOK_DESK, 0); } else { /* * This must be a hook on another thread or it was supposed to be * gone by now. */ UserAssert(((PHOOK)pobj)->ptiHooked != ptiOld); } break; default: break; } }

void HMCleanupGrantedHandle (  HANDLE  h  )

Definition at line 2853 of file handtabl.c. References DWORD, gpJobsList, NULL, tagW32JOB::pgh, tagW32JOB::pNext, and tagW32JOB::ughCrt. Referenced by HMFreeObject(). { PW32JOB pW32Job; pW32Job = gpJobsList; while (pW32Job != NULL) { PULONG_PTR pgh; DWORD dw; pgh = pW32Job->pgh; /* * search for the handle in the array. */ for (dw = 0; dw < pW32Job->ughCrt; dw++) { if (*(pgh + dw) == (ULONG_PTR)h) { /* * found the handle granted to this process */ RtlMoveMemory(pgh + dw, pgh + dw + 1, (pW32Job->ughCrt - dw - 1) * sizeof(*pgh)); (pW32Job->ughCrt)--; /* * we should shrink the array also */ break; } } pW32Job = pW32Job->pNext; } }

BOOL HMDestroyObject (  PVOID  pobj  )

Definition at line 1299 of file handtabl.c. References BOOL, FALSE, HMFreeObject(), HMMarkObjectDestroy(), and TRUE. Referenced by HMNullFnDestroy(). { /* * First mark the object for destruction. This tells the locking code * that we want to destroy this object when the lock count goes to 0. * If this returns FALSE, we can't destroy the object yet (and can't get * rid of security yet either.) */ if (!HMMarkObjectDestroy(pobj)) return FALSE; /* * Ok to destroy... Free the handle (which will free the object * and the handle). */ HMFreeObject(pobj); return TRUE; }

void HMDestroyUnlockedObject (  PHE  phe  )

Definition at line 2069 of file handtabl.c. References BEGINATOMICCHECK, _HANDLEENTRY::bFlags, _HANDLEENTRY::bType, _HEAD::cLockObj, ENDATOMICCHECK, tagHANDLETYPEINFO::fnDestroy, gahti, HANDLEF_DESTROY, HANDLEF_INDESTROY, _HANDLEENTRY::phead, and TYPE_FREE. { BEGINATOMICCHECK(); /* * Remember that we're destroying this object so we don't try to destroy * it again when the lock count goes from != 0 to 0 (especially true * for thread locks). */ phe->bFlags |= HANDLEF_INDESTROY; /* * This'll call the destroy handler for this object type. */ (*gahti[phe->bType].fnDestroy)(phe->phead); /* * HANDLEF_INDESTROY is supposed to be cleared either by HMMarkObjectDestroy * or by HMFreeObject; the destroy handler was supposed to call at least * the former. */ UserAssert(!(phe->bFlags & HANDLEF_INDESTROY)); /* * If the object wasn't freed, it must be marked as destroyed * and must have a lock count */ UserAssert((phe->bType == TYPE_FREE) || ((phe->bFlags & HANDLEF_DESTROY) && (phe->phead->cLockObj > 0))); ENDATOMICCHECK(); }

BOOL HMFreeObject (  PVOID  pobj  )

Definition at line 1069 of file handtabl.c. References tagSHAREDINFO::aheList, _HANDLEENTRY::bFlags, tagHANDLETYPEINFO::bObjectCreateFlags, BOOL, _HANDLEENTRY::bType, BYTE, DBGHMValidateFreeLists, DBGValidateHandleQuota, DesktopFree, DWORD, ExQueryPoolBlockSize(), gahti, gcHandlePages, gpHandlePages, gpvSharedAlloc, gSharedInfo, _HEAD::h, HANDLEF_GRANTED, HANDLEF_POOL, HMCleanupGrantedHandle(), HMPheFromObject, HMUNIQBITS, HtoPqCat, _HANDLEPAGE::iheFreeEven, _HANDLEPAGE::iheFreeOdd, _HANDLEPAGE::iheLimit, tagPERFINFO::lCount, tagPERFINFO::lSize, NULL, OCF_DESKTOPHEAP, OCF_PROCESSOWNED, OCF_SHAREDHEAP, OCF_THREADOWNED, _HANDLEENTRY::phead, tagDESKTOP::pheapDesktop, _LOCKRECORD::plrNext, _HANDLEENTRY::pOwner, PtoHq, RtlSizeHeap(), SharedFree(), TRUE, TYPE_FREE, UnlockDesktop, and _HANDLEENTRY::wUniq. Referenced by _BeginDeferWindowPos(), _ConvertMemHandle(), _CreateAcceleratorTable(), _DestroyMenu(), DestroyEmptyCursorObject(), DestroyEventHook(), DestroyKF(), DestroyKL(), DestroyMonitor(), DestroySMWP(), FreeDdeConv(), FreeDdeXact(), FreeHook(), FreeInputContext(), FreeTimer(), HMDestroyObject(), InternalSetTimer(), LoadKeyboardLayoutFile(), MungeClipData(), NewConversation(), NtUserDestroyAcceleratorTable(), UT_FreeCBFormat(), xxxCreateWindowEx(), xxxCsDdeInitialize(), xxxDestroyThreadDDEObject(), xxxFreeWindow(), xxxGetDummyDib(), xxxGetDummyDibV5(), and zzzSetWindowsHookEx(). { PHE pheT; WORD wUniqT; PHANDLEPAGE php; DWORD i; ULONG_PTR iheCurrent, *piheCurrentHead; BYTE bCreateFlags; PDESKTOP pdesk; PPROCESSINFO ppiQuotaCharge = NULL; #if DBG PLR plrT, plrNextT; unsigned char notUsed; #endif UserAssert(((PHEAD)pobj)->cLockObj == 0); UserAssert(pobj == HtoPqCat(PtoHq(pobj))); /* * Free the object first. */ pheT = HMPheFromObject(pobj); bCreateFlags = gahti[pheT->bType].bObjectCreateFlags; UserAssertMsg1(pheT->bType != TYPE_FREE, "Object already marked as freed!!! %#p", pobj); /* * decr process handle use */ if (bCreateFlags & OCF_PROCESSOWNED) { ppiQuotaCharge = (PPROCESSINFO)pheT->pOwner; UserAssert(ppiQuotaCharge != NULL); } else if (bCreateFlags & OCF_THREADOWNED) { ppiQuotaCharge = (PPROCESSINFO)(((PTHREADINFO)(pheT->pOwner))->ppi); UserAssert(ppiQuotaCharge != NULL); } else { ppiQuotaCharge = NULL; } if (ppiQuotaCharge != NULL) { ppiQuotaCharge->UserHandleCount--; } if (pheT->bFlags & HANDLEF_GRANTED) { HMCleanupGrantedHandle(pheT->phead->h); pheT->bFlags &= ~HANDLEF_GRANTED; } #if DBG /* * performance counters */ gaPerfhti[pheT->bType].lCount--; if ((bCreateFlags & OCF_DESKTOPHEAP) && ((PDESKOBJHEAD)pobj)->rpdesk) { pdesk = ((PDESKOBJHEAD)pobj)->rpdesk; gaPerfhti[pheT->bType].lSize -= RtlSizeHeap(Win32HeapGetHandle(pdesk->pheapDesktop), 0, pobj); } else if (bCreateFlags & OCF_SHAREDHEAP) { gaPerfhti[pheT->bType].lSize -= RtlSizeHeap(Win32HeapGetHandle(gpvSharedAlloc), 0, pobj); } else { gaPerfhti[pheT->bType].lSize -= ExQueryPoolBlockSize(pobj, &notUsed); } #endif // DBG if ((bCreateFlags & OCF_DESKTOPHEAP)) { #if DBG BOOL bSuccess; #endif UserAssert(((PDESKOBJHEAD)pobj)->rpdesk != NULL); pdesk = ((PDESKOBJHEAD)pobj)->rpdesk; UnlockDesktop(&((PDESKOBJHEAD)pobj)->rpdesk, LDU_OBJ_DESK, (ULONG_PTR)pobj); if (pheT->bFlags & HANDLEF_POOL) { UserFreePool(pobj); } else { #if DBG bSuccess = #endif DesktopFree(pdesk, pobj); #if DBG if (!bSuccess) { /* * We would hit this assert in HYDRA trying to free the * mother desktop window which was allocated out of pool */ RIPMSG1(RIP_ERROR, "Object already freed from desktop heap! %#p", pobj); } #endif } } else if (bCreateFlags & OCF_SHAREDHEAP) { SharedFree(pobj); } else { UserFreePool(pobj); } #if DBG /* * Go through and delete the lock records, if they exist. */ for (plrT = pheT->plr; plrT != NULL; plrT = plrNextT) { /* * Remember the next one before freeing this one. */ plrNextT = plrT->plrNext; FreeLockRecord((HANDLE)plrT); } #endif /* * Clear the handle contents. Need to remember the uniqueness across * the clear. Also, advance uniqueness on free so that uniqueness checking * against old handles also fails. */ wUniqT = (WORD)((pheT->wUniq + 1) & HMUNIQBITS); RtlZeroMemory(pheT, sizeof(HANDLEENTRY)); pheT->wUniq = wUniqT; /* * Change the handle type to TYPE_FREE so we know what type this handle * is. (TYPE_FREE is defined as zero) */ /* pheT->bType = TYPE_FREE; */ UserAssert(pheT->bType == TYPE_FREE); /* * Put the handle on the free list of the appropriate page. */ php = gpHandlePages; iheCurrent = pheT - gSharedInfo.aheList; for (i = 0; i < gcHandlePages; ++i, ++php) { if (iheCurrent < php->iheLimit) { piheCurrentHead = (iheCurrent & 0x1 ? &php->iheFreeOdd : &php->iheFreeEven); pheT->phead = (PHEAD)*piheCurrentHead; *piheCurrentHead = iheCurrent; DBGHMValidateFreeLists(); break; } } /* * We must have found it. */ UserAssert(i < gcHandlePages); UserAssert(pheT->pOwner == NULL); DBGValidateHandleQuota(); return TRUE; }

BOOL HMGrowHandleTable (   )

Definition at line 704 of file handtabl.c. References tagSHAREDINFO::aheList, BOOL, _HANDLEENTRY::bType, tagSERVERINFO::cbHandleTable, tagSERVERINFO::cHandleEntries, CommitReadOnlyMemory(), CPAGEENTRIESINIT, DWORD, FALSE, gcHandlePages, ghSectionShared, gpHandlePages, gpsi, gpvSharedAlloc, gpvSharedBase, gSharedInfo, HMINDEXBITS, HMInitHandleEntries(), _HANDLEPAGE::iheFreeEven, _HANDLEPAGE::iheFreeOdd, _HANDLEPAGE::iheLimit, NT_SUCCESS, NTSTATUS(), NULL, PAGE_SIZE, PBYTE, _HANDLEENTRY::phead, Status, TRUE, TYPE_FREE, and _HANDLEENTRY::wUniq. Referenced by HMAllocObject(). { ULONG_PTR i, iheFirstFree; PHE pheT; PVOID p; PHANDLEPAGE phpNew; DWORD dwCommitOffset; SIZE_T ulCommit; NTSTATUS Status; /* * If we've run out of handle space, fail. */ i = gpsi->cHandleEntries; if (i & ~HMINDEXBITS) return FALSE; /* * Grow the page table if need be. */ i = gcHandlePages + 1; if (i > CPAGEENTRIESINIT) { DWORD dwSize = gcHandlePages * sizeof(HANDLEPAGE); phpNew = UserReAllocPool( gpHandlePages, dwSize, dwSize + sizeof(HANDLEPAGE), TAG_SYSTEM); if (phpNew == NULL) return FALSE; gpHandlePages = phpNew; } /* * Commit some more pages to the table. First find the * address where the commitment needs to be. */ p = (PBYTE)gSharedInfo.aheList + gpsi->cbHandleTable; if (p >= Win32HeapGetHandle(gpvSharedAlloc)) { return FALSE; } dwCommitOffset = (ULONG)((PBYTE)p - (PBYTE)gpvSharedBase); ulCommit = PAGE_SIZE; Status = CommitReadOnlyMemory(ghSectionShared, &ulCommit, dwCommitOffset, NULL); if (!NT_SUCCESS(Status)) return FALSE; phpNew = &gpHandlePages[gcHandlePages++]; /* * Update the global information to include the new * page. */ iheFirstFree = gpsi->cHandleEntries; if (gpsi->cHandleEntries & 0x1) { phpNew->iheFreeOdd = gpsi->cHandleEntries; phpNew->iheFreeEven = gpsi->cHandleEntries + 1; } else { phpNew->iheFreeEven = gpsi->cHandleEntries; phpNew->iheFreeOdd = gpsi->cHandleEntries + 1; } gpsi->cbHandleTable += PAGE_SIZE; /* * Check for handle overflow */ gpsi->cHandleEntries = gpsi->cbHandleTable / sizeof(HANDLEENTRY); if (gpsi->cHandleEntries & ~HMINDEXBITS) { gpsi->cHandleEntries = (HMINDEXBITS + 1); } phpNew->iheLimit = gpsi->cHandleEntries; if (phpNew->iheFreeEven >= phpNew->iheLimit) { phpNew->iheFreeEven = 0; } if (phpNew->iheFreeOdd >= phpNew->iheLimit) { phpNew->iheFreeOdd = 0; } HMInitHandleEntries(iheFirstFree); /* * HMINDEXBITS has a special meaning. We used to handle this in HMAllocObject. * Now we handle it here right after adding that handle to the table. * Old Comment: * Reserve this table entry so that PW(HMINDEXBITS) maps to a * NULL pointer. Set it to TYPE_FREE so the cleanup code doesn't think * it is allocated. Set wUniq to 1 so that RevalidateHandles on HMINDEXBITS * will fail. */ if ((gpsi->cHandleEntries > HMINDEXBITS) && (phpNew->iheFreeOdd != 0) && (phpNew->iheFreeOdd <= HMINDEXBITS)) { pheT = &gSharedInfo.aheList[HMINDEXBITS]; if (phpNew->iheFreeOdd == HMINDEXBITS) { phpNew->iheFreeOdd = (ULONG_PTR)pheT->phead; } else { UserAssert(pheT - 2 >= &gSharedInfo.aheList[iheFirstFree]); UserAssert((pheT - 2)->phead == (PVOID)HMINDEXBITS); (pheT - 2)->phead = pheT->phead; } pheT->phead = NULL; UserAssert(pheT->bType == TYPE_FREE); UserAssert(pheT->wUniq == 1); } return TRUE; }

void HMInitHandleEntries (  ULONG_PTR  iheFirstFree  )

Definition at line 529 of file handtabl.c. References tagSHAREDINFO::aheList, tagSERVERINFO::cHandleEntries, DBGHMValidateFreeLists, gpsi, gSharedInfo, NULL, _HANDLEENTRY::phead, and _HANDLEENTRY::wUniq. Referenced by HMGrowHandleTable(), and HMInitHandleTable(). { ULONG_PTR ihe; PHE pheT; /* * Zero out all the new entries */ RtlZeroMemory (&gSharedInfo.aheList[iheFirstFree], (gpsi->cHandleEntries - iheFirstFree) * sizeof(HANDLEENTRY)); /* * Link them together. * Each free odd/even entry points to the next odd/even free entry. */ ihe = iheFirstFree; for (pheT = &gSharedInfo.aheList[ihe]; ihe < gpsi->cHandleEntries; ihe++, pheT++) { pheT->phead = (PHEAD)(ihe + 2); /* pheT->bType = TYPE_FREE; */ pheT->wUniq = 1; } /* * Terminate the lists. */ if (gpsi->cHandleEntries > iheFirstFree) { UserAssert(pheT - 1 >= &gSharedInfo.aheList[iheFirstFree]); (pheT - 1)->phead = NULL; } if (gpsi->cHandleEntries > iheFirstFree + 1) { UserAssert(pheT - 2 >= &gSharedInfo.aheList[iheFirstFree]); (pheT - 2)->phead = NULL; } /* * Let's check that we got it right */ DBGHMValidateFreeLists(); }

BOOL HMInitHandleTable (  PVOID  pReadOnlySharedSectionBase  )

Definition at line 575 of file handtabl.c. References tagSHAREDINFO::aheList, tagHANDLETYPEINFO::bObjectCreateFlags, BOOL, _HANDLEENTRY::bType, BYTE, tagSERVERINFO::cbHandleTable, tagSERVERINFO::cHandleEntries, CommitReadOnlyMemory(), CPAGEENTRIESINIT, DESKOBJHEAD, FALSE, gahti, gcHandlePages, ghSectionShared, gpHandlePages, gpsi, gSharedInfo, HANDLEPAGE, HMINDEXBITS, HMInitHandleEntries(), _HANDLEPAGE::iheFreeEven, _HANDLEPAGE::iheFreeOdd, _HANDLEPAGE::iheLimit, NT_SUCCESS, NTSTATUS(), NULL, OCF_DESKTOPHEAP, OCF_MARKPROCESS, OCF_PROCESSOWNED, OCF_SHAREDHEAP, OCF_THREADOWNED, OCF_USEPOOLIFNODESKTOP, OCF_USEPOOLQUOTA, PAGE_SIZE, _HANDLEENTRY::phead, PROCDESKHEAD, PROCOBJHEAD, Status, THRDESKHEAD, TRUE, TYPE_CTYPES, TYPE_FREE, UINT, and _HANDLEENTRY::wUniq. Referenced by Win32UserInitialize(). { NTSTATUS Status; SIZE_T ulCommit; /* * Allocate the handle page array. Make it big enough * for 4 pages, which should be sufficient for nearly * all instances. */ gpHandlePages = UserAllocPool( CPAGEENTRIESINIT * sizeof(HANDLEPAGE), TAG_SYSTEM); if (gpHandlePages == NULL) return FALSE; #if DBG if (!NT_SUCCESS(InitLockRecordLookaside())) return FALSE; #endif /* * Allocate the array. We have the space from * NtCurrentPeb()->ReadOnlySharedMemoryBase to * NtCurrentPeb()->ReadOnlySharedMemoryHeap reserved for * the handle table. All we need to do is commit the pages. * * Compute the minimum size of the table. The allocation will * round this up to the next page size. */ ulCommit = gpsi->cbHandleTable = PAGE_SIZE; Status = CommitReadOnlyMemory(ghSectionShared, &ulCommit, 0, NULL); if (!NT_SUCCESS(Status)) return FALSE; gSharedInfo.aheList = pReadOnlySharedSectionBase; gpsi->cHandleEntries = gpsi->cbHandleTable / sizeof(HANDLEENTRY); gcHandlePages = 1; /* * Initialize the handlepage info. Handle 0 is reserved so even free list * starts at 2. */ gpHandlePages[0].iheFreeOdd = 1; gpHandlePages[0].iheFreeEven = 2; gpHandlePages[0].iheLimit = gpsi->cHandleEntries; /* * Initialize the handle entries. */ HMInitHandleEntries(0); /* * PW(NULL) (ie, handle 0) must map to a NULL pointer. * Old comment: * Reserve the first handle table entry so that PW(NULL) maps to a * NULL pointer. Set it to TYPE_FREE so the cleanup code doesn't think * it is allocated. Set wUniq to 1 so that RevalidateHandles on NULL * will fail. */ gSharedInfo.aheList[0].phead = NULL; UserAssert(gSharedInfo.aheList[0].bType == TYPE_FREE); UserAssert(gSharedInfo.aheList[0].wUniq == 1); #if DBG /* * Make sure we don't need to add the special case to handle HMINDEXBITS in this function. */ UserAssert(gpsi->cHandleEntries <= HMINDEXBITS); /* * PDESKOBJHEAD won't do the right casting unless these structs have * the same size. */ UserAssert(sizeof(THROBJHEAD) == sizeof(PROCOBJHEAD)); UserAssert(sizeof(THRDESKHEAD) == sizeof(PROCDESKHEAD)); UserAssert(sizeof(THRDESKHEAD) == sizeof(DESKOBJHEAD)); /* * Validate type flags to make sure that assumptions made * throughout HM code are OK. */ { HANDLETYPEINFO * pahti = (HANDLETYPEINFO *) gahti; UINT uTypes = TYPE_CTYPES; BYTE bObjectCreateFlags; while (uTypes-- != 0) { bObjectCreateFlags = pahti->bObjectCreateFlags; /* * Illegal flag combinations */ UserAssert(!((bObjectCreateFlags & OCF_DESKTOPHEAP) && (bObjectCreateFlags & OCF_MARKPROCESS))); /* * Pointless (and probably illegal) flag combinations */ UserAssert(!((bObjectCreateFlags & OCF_DESKTOPHEAP) && (bObjectCreateFlags & OCF_SHAREDHEAP))); UserAssert(!((bObjectCreateFlags & OCF_USEPOOLQUOTA) && (bObjectCreateFlags & OCF_SHAREDHEAP))); UserAssert(!((bObjectCreateFlags & OCF_THREADOWNED) && (bObjectCreateFlags & OCF_PROCESSOWNED))); UserAssert(!(bObjectCreateFlags & OCF_USEPOOLQUOTA) || !(bObjectCreateFlags & OCF_DESKTOPHEAP) || (bObjectCreateFlags & OCF_USEPOOLIFNODESKTOP)); /* * Required flag combinations */ UserAssert(!(bObjectCreateFlags & OCF_DESKTOPHEAP) || (bObjectCreateFlags & (OCF_PROCESSOWNED | OCF_THREADOWNED))); UserAssert(!(bObjectCreateFlags & OCF_MARKPROCESS) || (bObjectCreateFlags & OCF_PROCESSOWNED)); UserAssert(!(bObjectCreateFlags & OCF_USEPOOLIFNODESKTOP) || (bObjectCreateFlags & OCF_DESKTOPHEAP)); pahti++; } /* while (uTypes-- != 0) */ } #endif return TRUE; }

BOOL HMMarkObjectDestroy (  PVOID  pobj  )

Definition at line 1237 of file handtabl.c. References _HANDLEENTRY::bFlags, BOOL, FALSE, HANDLEF_DESTROY, HANDLEF_INDESTROY, HANDLEF_MARKED_OK, HMPheFromObject, HMRecordLock(), LOCKRECORD_MARKDESTROY, and TRUE. Referenced by _DestroyCursor(), _DestroyMenu(), DestroyEventHook(), DestroyKF(), DestroyMonitor(), DestroySMWP(), FreeDdeConv(), FreeDdeXact(), FreeHook(), FreeInputContext(), FreeTimer(), FreeWindowStation(), HMDestroyObject(), NtUserDestroyAcceleratorTable(), UnlockAndFreeCPDs(), Win32kNtUserCleanup(), xxxDestroyThreadDDEObject(), xxxFreeWindow(), xxxInternalUnloadKeyboardLayout(), and xxxLoadKeyboardLayoutEx(). { PHE phe; phe = HMPheFromObject(pobj); #if DEBUGTAGS /* * Record where the object was marked for destruction. */ if (IsDbgTagEnabled(DBGTAG_TrackLocks)) { if (!(phe->bFlags & HANDLEF_DESTROY)) { HMRecordLock(LOCKRECORD_MARKDESTROY, pobj, ((PHEAD)pobj)->cLockObj); } } #endif /* * Set the destroy flag so our unlock code will know we're trying to * destroy this object. */ phe->bFlags |= HANDLEF_DESTROY; /* * If this object can't be destroyed, then CLEAR the HANDLEF_INDESTROY * flag - because this object won't be currently "in destruction"! * (if we didn't clear it, when it was unlocked it wouldn't get destroyed). */ if (((PHEAD)pobj)->cLockObj != 0) { phe->bFlags &= ~HANDLEF_INDESTROY; /* * Return FALSE because we can't destroy this object. */ return FALSE; } #if DBG /* * Ensure that this function only returns TRUE once. */ UserAssert(!(phe->bFlags & HANDLEF_MARKED_OK)); phe->bFlags |= HANDLEF_MARKED_OK; #endif /* * Return TRUE because Lock count is zero - ok to destroy this object. */ return TRUE; }

void HMNullFnDestroy (  PVOID  pobj  )

Definition at line 28 of file handtabl.c. References HMDestroyObject(). { RIPMSG1(RIP_WARNING, "HM: No clean up function for %#p", pobj); HMDestroyObject(pobj); return; }

void HMRecordLock (  PVOID  ppobj, PVOID  pobj, DWORD  cLockObj )

Referenced by HMAssignmentLock(), HMAssignmentUnlock(), and HMMarkObjectDestroy().

PVOID HMUnlockObjectInternal (  PVOID  pobj  )

Definition at line 1472 of file handtabl.c. References _HANDLEENTRY::bFlags, HANDLEF_DESTROY, HANDLEF_INDESTROY, HMDestroyUnlockedObject(), HMPheFromObject, and NULL. { PHE phe; /* * The object is not reference counted. If the object is not a zombie, * return success because the object is still around. */ phe = HMPheFromObject(pobj); if (!(phe->bFlags & HANDLEF_DESTROY)) return pobj; /* * We're destroying the object based on an unlock... Make sure it isn't * currently being destroyed! (It is valid to have lock counts go from * 0 to != 0 to 0 during destruction... don't want recursion into * the destroy routine. */ if (phe->bFlags & HANDLEF_INDESTROY) return pobj; HMDestroyUnlockedObject(phe); return NULL; }

BOOL HMUnrecordLock (  PVOID  ppobj, PVOID  pobj )

Referenced by HMAssignmentLock(), and HMAssignmentUnlock().

void MarkThreadsObjects (  PTHREADINFO  pti  )

Definition at line 2595 of file handtabl.c. References tagSHAREDINFO::aheList, _HANDLEENTRY::bFlags, tagHANDLETYPEINFO::bObjectCreateFlags, _HANDLEENTRY::bType, gahti, giheLast, gptiRit, gSharedInfo, gTermIO, _HEAD::h, HANDLEF_DESTROY, HMChangeOwnerThread(), ISTS, OCF_PROCESSOWNED, _HANDLEENTRY::phead, _HANDLEENTRY::pOwner, tagTERMINAL::ptiDesktop, ShowLocks(), and TYPE_FREE. Referenced by xxxDestroyThreadInfo(). { PHE pheT, pheMax; pheMax = &gSharedInfo.aheList[giheLast]; for (pheT = gSharedInfo.aheList; pheT <= pheMax; pheT++) { /* * Check against free before we look at pti... because pti is stored * in the object itself, which won't be there if TYPE_FREE. */ if (pheT->bType == TYPE_FREE) continue; /* * Change ownership! */ if (gahti[pheT->bType].bObjectCreateFlags & OCF_PROCESSOWNED || (PTHREADINFO)pheT->pOwner != pti) continue; #if DBG /* * This is just to make sure that RIT or DT never get here */ if (ISTS() && (pti == gptiRit || pti == gTermIO.ptiDesktop)) { RIPMSG2(RIP_ERROR, "pti %#p is RIT or DT. phe %#p\n", pti, pheT); } #endif HMChangeOwnerThread(pheT->phead, gptiRit); #if DEBUGTAGS if (IsDbgTagEnabled(DBGTAG_TrackLocks)) { /* * Object still around: print warning message. */ if (pheT->bFlags & HANDLEF_DESTROY) { TAGMSG2(DBGTAG_TrackLocks, "Zombie %s %#p still locked", gahti[pheT->bType].szObjectType, pheT->phead->h); } else { TAGMSG1(DBGTAG_TrackLocks, "Thread object %#p not destroyed.\n", pheT->phead->h); } ShowLocks(pheT); } #endif // DEBUGTAGS } }

VOID ShowLocks (  PHE   )

Referenced by MarkThreadsObjects().

PVOID ThreadUnlock1 (  VOID   )

Definition at line 1939 of file handtabl.c. References HMUnlockObject, NULL, PtiCurrent, tagTHREADINFO::ptl, and TRUE. { PHEAD phead; PTHREADINFO ptiCurrent; PTL ptl; ptiCurrent = PtiCurrent(); ptl = ptiCurrent->ptl; UserAssert(ptl != NULL); /* * Validate the thread lock list. */ ValidateThreadLocks(NULL, ptl, (ULONG_PTR)&ptlIn, TRUE); /* * Make sure the caller wants to unlock the top lock. */ UserAssert(ptlIn == ptl); ptiCurrent->ptl = ptl->next; /* * If the object address is not NULL, then unlock the object. */ phead = (PHEAD)(ptl->pobj); if (phead != NULL) { /* * Unlock the object. */ phead = (PHEAD)HMUnlockObject(phead); } #if DBG { /* * Remove the corresponding element from gFreeTLList */ ptl->ptl->next = gFreeTLList; ptl->ptl->uTLCount += TL_FREED_PATTERN; gFreeTLList = ptl->ptl; } #endif return (PVOID)phead; }

---

Variable Documentation

CONST HANDLETYPEINFO gahti[TYPE_CTYPES]

Definition at line 90 of file handtabl.c. Referenced by _QueryUserHandles(), _WOWCleanup(), DestroyHandleTableObjects(), DestroyProcessesObjects(), DestroyProcessInfo(), DestroyThreadsObjects(), HMAllocObject(), HMChangeOwnerPheProcess(), HMDestroyUnlockedObject(), HMFreeObject(), HMInitHandleTable(), IsHandleEntrySecure(), and MarkThreadsObjects().

DWORD gcHandlePages

Definition at line 208 of file handtabl.c. Referenced by HMAllocObject(), HMFreeObject(), HMGrowHandleTable(), and HMInitHandleTable().

PHANDLEPAGE gpHandlePages

Definition at line 209 of file handtabl.c. Referenced by HMAllocObject(), HMFreeObject(), HMGrowHandleTable(), HMInitHandleTable(), and Win32KDriverUnload().

---