Jon (j_b) wrote,

  • Mood:

Interesting info from a Microsoft Uber-Nerd [kernel developer]
What is IRQL_NOT_LESS_OR_EQUAL</a> (Score:5, Informative)

by sgasch (239701)
on Friday November 14, @04:45PM (#7477037)


IRQL is "Interrupt Request Level". This is a DWORD in the NT kernel that cooresponds to a system state and determines what can preempt the currently running code. For example, raising the IRQL causes different priority device IRQs (interrupts) from the PICs to be masked off and ignored until the IRQL is lowered again. But the IRQL is not just to mask off interrupts, the NT kernel uses it for synchronization, communication between different CPUs on MP machines, to determine whether DPCs can run, to determine whether its ok to run user mode code, etc...

Any code running in kernel mode (x86 ring 0) on NT (drivers or the kernel) can change the IRQL by making a call. Code typically raises the IRQL when it needs to do something critical and cannot afford to be preempted. The IRQL has to be at a certain level to acquire certain system locks, etc. So with all this raising of the IRQL people have to remember to put it back before they return.

Invariably what happens is that someone forgets to lower the IRQL after they have raised it... maybe on an error path or something. They leave it raised, returned to whoever called them etc... and eventually you get to code that requires that the IRQL be below some level. For example, you try to acquire a spinlock, take a page fault, try to allocate memory (pool), try to schedule the next user mode job etc... All of these actions have code that basically asserts that the IRQL is where it should be. When it's not, the machine is bugchecked and you get the bluescreen.

This kind of bugcheck is not ususally caused by hardware, it's almost always software related. Someone raised the IRQL and forgot to lower it. There are ways to find out who, basically by logging all calls to KeRaiseIrql, KeLowerIrql and some other routines that change the IRQL as a side effect.
Well, I work at Microsoft in the Windows NT kernel test group.
  • Post a new comment


    default userpic

    Your reply will be screened

    Your IP address will be recorded