I recently read the implementation code for the WaitforSingleObject function in Reactos: https://github.com/reactos/reactos/blob/master/ntoskrnl/ke/wait.c
KeWaitForSingleObject(IN PVOID Object,
IN KWAIT_REASON WaitReason,
IN KPROCESSOR_MODE WaitMode,
IN BOOLEAN Alertable,
IN PLARGE_INTEGER Timeout OPTIONAL)
{
. . .
/* Start wait loop */
for (;;)
{
. . .
else if (CurrentObject->Header.SignalState > 0)
{
/* Another satisfied object */
KiSatisfyNonMutantWait(CurrentObject);
WaitStatus = STATUS_WAIT_0;
goto DontWait;
}
. . .
/* Do the actual swap */
WaitStatus = (NTSTATUS)KiSwapThread(Thread, KeGetCurrentPrcb());
/* Check if we were executing an APC */
if (WaitStatus != STATUS_KERNEL_APC) return WaitStatus;
/* Check if we had a timeout */
if (Timeout)
{
/* Recalculate due times */
Timeout = KiRecalculateDueTime(OriginalDueTime,
&DueTime,
&NewDueTime);
}
}
WaitStart:
/* Setup a new wait */
Thread->WaitIrql = KeRaiseIrqlToSynchLevel();
KxSingleThreadWait();
KiAcquireDispatcherLockAtSynchLevel();
}
/* Wait complete */
KiReleaseDispatcherLock(Thread->WaitIrql);
return WaitStatus;
DontWait:
/* Release dispatcher lock but maintain high IRQL */
KiReleaseDispatcherLockFromSynchLevel();
/* Adjust the Quantum and return the wait status */
KiAdjustQuantumThread(Thread);
return WaitStatus;
}
I encountered a question: How does a thread break out of the while loop in this function without considering APC?
Assuming a thread calls WaitforSingleObject and gets stuck waiting on a semaphore object, the simplified logic of the loop in this function is: check the value of the semaphore -> get stuck waiting -> be woken up -> check the value of the semaphore -> get stuck waiting...
My problem is that in the "wake up" step (another thread call NtReleaseSemaphore() ->KiWaitTest()->KiSatisfyObjectWait ), there is already an operation to decrement the value of the semaphore, because waking up a thread requires consuming a value, The value of the assumed semaphore is therefore changed from 1 to 0. The awakened thread enters a new cycle, checks the value of the semaphore, and because it is zero, falls back into waiting. Isn't this process endless? Doesn't it seem like we can't break out of this dead cycle?
VOID
FASTCALL
KiWaitTest(IN PVOID ObjectPointer,
IN KPRIORITY Increment)
{
PLIST_ENTRY WaitEntry, WaitList;
PKWAIT_BLOCK WaitBlock;
PKTHREAD WaitThread;
PKMUTANT FirstObject = ObjectPointer;
NTSTATUS WaitStatus;
WaitList = &FirstObject->Header.WaitListHead;
WaitEntry = WaitList->Flink;
while ((FirstObject->Header.SignalState > 0) && (WaitEntry != WaitList))
{
WaitBlock = CONTAINING_RECORD(WaitEntry, KWAIT_BLOCK, WaitListEntry)
WaitThread = WaitBlock->Thread;
WaitStatus = STATUS_KERNEL_APC;
if (WaitBlock->WaitType == WaitAny)
{
WaitStatus = (NTSTATUS)WaitBlock->WaitKey;
KiSatisfyObjectWait(FirstObject, WaitThread); //P-operation
}
KiUnwaitThread(WaitThread, WaitStatus, Increment);
WaitEntry = WaitList->Flink;
}
}
I have carefully read the implementation code for the waitforsingleobject function in Reactos: https://github.com/reactos/reactos/blob/master/ntoskrnl/ke/wait.c