Why Windows 8 drivers are buggy

WhyWindows8driversarebuggy

Author: Andrey Karpov

Date: 30.04.2013

We have checked the Windows 8 Driver Samples pack with our analyzer PVS-Studio and found various

bugs in its samples. There is nothing horrible about it - bugs can be found everywhere, so the title of this

article may sound a bit high-flown. But these particular errors may be really dangerous, as it is a usual

practice for developers to use demo samples as a basis for their own projects or borrow code fragments

from them.

Windows 8 Driver Samples Windows 8 Driver Samples is a pack of 283 independent solutions. This fact made our task somewhat

difficult, as we absolutely didn't feel like opening and checking all the solutions (*.sln files) one by one.

We investigated the issue and found out that we were not alone to face it. On programmers' forums you

may often come across the question how to unite several solutions into one. This task appears to be

relatively easy to fulfill. Those interested, please see this post: "How to unite several separate projects

into one general Visual Studio solution (.sln file): One Solution to Rule Them All".

Microsoft developers create very high-quality code. The Casablanca project's check results are a good

proof of that. Creating samples, however, seems to be a lower-priority task for them. I suspect they

don't use the static analysis technology or any other methods of quality monitoring when developing

these projects. A similar situation was with the IPP Samples collection created by Intel. As our checks

have shown, it contains quite a number of bugs (checks 1, 2, 3).

Bugs in samples are not that critical as bugs in real-life software. Nevertheless, bugs can migrate from

samples to real-life projects and cause developers a lot of troubles. Even within the Windows 8 Driver

Samples pack we found identical bugs. The reason is obvious: copying-and-pasting a code fragment from

a nearby sample. In the same way these errors will get into real-life drivers.

Now let's see what interesting issues can be found in Windows 8 Driver Samples. Analysis was

performed with the PVS-Studio 5.03 analyzer. As usually, let me point out that I'll cite only those

fragments which I found undoubtedly suspicious. Also, I only scanned through many of the diagnostic

messages, so if any of the sample collection's developers notices this post, please don't limit yourself to

reading the information given here, and consider analyzing your project more thoroughly.

Note. Visual Studio doesn't provide API for projects implemented as an extension of the standard Visual

C++ project model. This is just the case with the driver development projects. That's why you'll need to

additionally customize PVS-Studio to check your drivers, namely: you'll need to integrate PVS-Studio into

MSBuild. To learn more about the MSBuild integration mode, see these sources:

• Blog. Using PVS-Studio with huge projects (MSBuild integration)

• Documentation. Direct integration of PVS-Studio into MSBuild's build process. MSBuild

integration mode in Visual Studio IDE.

Unnecessary semicolon ';' NDIS_STATUS HwSetPowerMgmtMode(....)

{

....

if (!HW_MULTIPLE_MAC_ENABLED(Hw) &&

(PMMode->dot11PowerMode != dot11_power_mode_unknown));

{

NdisMoveMemory(&Hw->MacState.PowerMgmtMode, PMMode,

sizeof(DOT11_POWER_MGMT_MODE));

HalSetPowerMgmtMode(Hw->Hal, PMMode);

}

....

}

V529 Odd semicolon ';' after 'if' operator. hw_mac.c 95

Note the semicolon here: "...unknown));". It causes the code following it to be executed all the time,

regardless of the condition.

Poor ASSERT VOID MPCreateProgrammableFilter(....)

{

....

ASSERT (0 < dwMaskSize <5);

....

}

V562 It's odd to compare 0 or 1 with a value of 5: 0 < dwMaskSize < 5. nic_pm.c 825

No comments.

Strange initialization function NTSTATUS UartInitContext(_In_ WDFDEVICE Device)

{

....

pDevExt->WdfDevice;

....

}

V607 Ownerless expression 'pDevExt->WdfDevice'. uart16550pc.cpp 58

I suspect the developers forgot to initialize the variable 'pDevExt->WdfDevice' in the function

UartInitContext (). I cannot say for sure what it should be initialized with.

A misprint BOOLEAN DsmpFindSupportedDevice(....)

{

WCHAR tempString[32];

....

tempString[(sizeof(tempString) /

sizeof(tempString)) - 1] = L'\0';

....

}

V501 There are identical sub-expressions 'sizeof (tempString)' to the left and to the right of the '/'

operator. utils.c 931

A misprint will cause the null terminator to be written at the beginning of the string instead of its end.

The size of the sizeof(tempString) buffer must be divided by the size of one character. But it is divided by

itself instead. This is the fixed code:

tempString[(sizeof(tempString) /

sizeof(tempString[0])) - 1] = L'\0';

The programmer forgot that a string consists of WCHAR characters HRESULT CDot11SampleExtUI::CreateSecurityProperties(....)

{

....

WCHAR wbuf[128];

....

ZeroMemory(wbuf, 128);

....

}

V512 A call of the 'memset' function will lead to underflow of the buffer 'wbuf'. ihvsampleextui.cpp 288

The ZeroMemory() function will empty only half of the buffer 'wbuf'. Since this code refers to the

'CreateSecurityProperties()' function, we may say we have a potential vulnerability here. This is the fixed

code:

ZeroMemory(wbuf, 128 * sizeof(WCHAR));

Another bug of that kind:

typedef struct _DEVICE_INFO

{

....

WCHAR UnicodeSourceIp[MAX_LEN];

WCHAR UnicodeDestIp[MAX_LEN];

....

} DEVICE_INFO, *PDEVICE_INFO;

PDEVICE_INFO FindDeviceInfo(....)

{

....

PDEVICE_INFO deviceInfo = NULL;

....

memcpy(deviceInfo->UnicodeSourceIp,

InputInfo->SourceIp, MAX_LEN);

memcpy(deviceInfo->UnicodeDestIp,

InputInfo->DestIp, MAX_LEN);

....

}

V512 A call of the 'memcpy' function will lead to underflow of the buffer 'deviceInfo->UnicodeSourceIp'.

testapp.c 729

V512 A call of the 'memcpy' function will lead to underflow of the buffer 'deviceInfo->UnicodeDestIp'.

testapp.c 730

Only half of a string is copied. The analyzer generated some other V512 messages as well, but I would

have to examine the code more thoroughly to judge whether those were genuine bugs. But I can't do

that: I have a line of projects waiting to be checked.

A recheck I don't think I can cite the code fragment in full. It contains very long names like

"WFPSAMPLER_CALLOUT_BASIC_ACTION_BLOCK_AT_INBOUND_MAC_FRAME_NATIVE". Such long lines

will break the article's format when publishing it on our viva64.com website. So let me just give you a

description of the bug. The function KrnlHlprExposedCalloutToString() contains the following code:

else if (A == &inbound)

str = "inbound";

else if (A == &inbound)

str = "outbound";

It is meaningless because the second 'if' operator will never be executed. This code fragment is to be

found in the helperfunctions_exposedcallouts.cpp file several times. It must be copy-paste. Here is the

list of these fragments' locations:

• V517 The use of 'if (A) {...} else if (A) {...}' pattern was detected. There is a probability of logical

error presence. Check lines: 556, 558. helperfunctions_exposedcallouts.cpp 556













This is another example of a recheck.

HRESULT CSensor::HandleSetReportingAndPowerStates(....)

{

....

else if (SENSOR_POWER_STATE_LOW_POWER == ulCurrentPowerState)

{

Trace(TRACE_LEVEL_ERROR,

"%s Power State value is not correct = LOW_POWER, "

"hr = %!HRESULT!", m_SensorName, hr);

}

else if (SENSOR_POWER_STATE_LOW_POWER == ulCurrentPowerState)

{


"%s Power State value is not correct = FULL_POWER, "

"hr = %!HRESULT!", m_SensorName, hr);

}

....

}

V517 The use of 'if (A) {...} else if (A) {...}' pattern was detected. There is a probability of logical error

presence. Check lines: 5641, 5645. sensor.cpp 5641

I believe the second check must look like this:

else if (SENSOR_POWER_STATE_FULL_POWER == ulCurrentPowerState)

One-time loop NDIS_STATUS AmSetApBeaconMode(....)

{

....

while (BeaconEnabled != AssocMgr->BeaconEnabled)

{

ndisStatus = ....;

if (NDIS_STATUS_SUCCESS != ndisStatus)

{

break;

}

AssocMgr->BeaconEnabled = BeaconEnabled;

break;

}

....

}

V612 An unconditional 'break' within a loop. ap_assocmgr.c 1817

The loop body is executed no more than once. I find the 'break' operator at the end unnecessary.

Incorrect swap? NTSTATUS FatSetDispositionInfo (....)

{

....

TmpChar = LocalBuffer[0];

LocalBuffer[0] = TmpChar;

....

}

V587 An odd sequence of assignments of this kind: A = B; B = A;. Check lines: 2572, 2573. fileinfo.c 2573

Strange and meaningless code. Perhaps the programmer wanted to swap the "LocalBuffer[0]" array

item's value for another variable. But something was messed up.

A condition not affecting anything NDIS_STATUS Hw11QueryDiversitySelectionRX(....)

{

//

// Determine the PHY that the user wants to query

//

if (SelectedPhy)

return HwQueryDiversitySelectionRX(HwMac->Hw,

HwMac->SelectedPhyId,

MaxEntries,

Dot11DiversitySelectionRXList

);

else

return HwQueryDiversitySelectionRX(HwMac->Hw,

HwMac->SelectedPhyId,

MaxEntries,

Dot11DiversitySelectionRXList

);

}

V523 The 'then' statement is equivalent to the 'else' statement. hw_oids.c 1043

The value of the 'SelectedPhy' variable is of no importance: one and the same action is executed all the

time. I'm not sure whether this is an error. But the code is very suspicious. Other strange fragments:

• V523 The 'then' statement is equivalent to the 'else' statement. fail_driver1.c 188

• V523 The 'then' statement is equivalent to the 'else' statement. simgpio_i2c.c 2253

• V523 The 'then' statement is equivalent to the 'else' statement. simgpio.c 2181

Restoring settings incorrectly

If you want to disable warnings for a time, you should use a sequence of the following directives:

#pragma warning(push)

#pragma warning(disable: XXX)

....

#pragma warning(pop)

But programmers often do it in a simpler way:

#pragma warning(disable:XXX)

....

#pragma warning(default:XXX)

This practice is bad because the warning output state you set earlier could be different from the default

state. Therefore, the #pragma warning(default:XXX) directive may result in showing warnings you don't

want or, on the contrary, hiding those messages you need.

There are several fragments in Windows 8 Driver Samples where warnings are suppressed in such a poor

manner. For example:

// disable nameless struct/union warnings

#pragma warning(disable:4201)

#include <wdf.h>

#pragma warning(default:4201)

V665 Possibly, the usage of '#pragma warning(default: X)' is incorrect in this context. The '#pragma

warning(push/pop)' should be used instead. Check lines: 23, 25. common.h 25

Here is the list of all the rest fragments where warnings are disabled incorrectly:

• V665 Possibly, the usage of '#pragma warning(default: X)' is incorrect in this context. The

'#pragma warning(push/pop)' should be used instead. Check lines: 25, 29. protnotify.cpp 29


'#pragma warning(push/pop)' should be used instead. Check lines: 27, 29. common.h 29


'#pragma warning(push/pop)' should be used instead. Check lines: 30, 34. hidkmdf.c 34


'#pragma warning(push/pop)' should be used instead. Check lines: 446, 450. kbfiltr.c 450


'#pragma warning(push/pop)' should be used instead. Check lines: 48, 58. trace.h 58


'#pragma warning(push/pop)' should be used instead. Check lines: 175, 186. reg9656.h 186


'#pragma warning(push/pop)' should be used instead. Check lines: 3, 8. precomp.h 8


'#pragma warning(push/pop)' should be used instead. Check lines: 118, 128. trace.h 128


'#pragma warning(push/pop)' should be used instead. Check lines: 27, 33. precomp.h 33


'#pragma warning(push/pop)' should be used instead. Check lines: 57, 79. usb_hw.h 79


'#pragma warning(push/pop)' should be used instead. Check lines: 2497, 2499. pnp.c 2499


'#pragma warning(push/pop)' should be used instead. Check lines: 35, 38. hidumdf.c 38


'#pragma warning(push/pop)' should be used instead. Check lines: 47, 54. kmdf_vdev_sample.h

54


'#pragma warning(push/pop)' should be used instead. Check lines: 21, 25. kmdf_vdev.h 25




'#pragma warning(push/pop)' should be used instead. Check lines: 374, 1099. uvcdesc.h 1099


'#pragma warning(push/pop)' should be used instead. Check lines: 566, 575. uvcview.c 575




'#pragma warning(push/pop)' should be used instead. Check lines: 589, 604. wsksmple.c 604

A potential infinity loop VOID HwFillRateElement(....)

{

UCHAR i, j;

....

for (i = 0; (i < basicRateSet->uRateSetLength) &&

(i < 256); i++)

{

rate[i] = 0x80 | basicRateSet->ucRateSet[i];

}

....

}

V547 Expression 'i < 256' is always true. The value range of unsigned char type: [0, 255]. hw_mac.c 1946

An infinity loop may occur here. The 'i' variable has the UCHAR type. It means that its value range is

from 0 to 255, that is, any of its values is always below 256. The loop appears to be limited only by the (i

< basicRateSet->uRateSetLength) condition.

A similar bug can be found in this fragment:

VOID HwFillRateElement(....)

{

....

UCHAR rate[256];

UCHAR rateNum;

....

if (rateNum == sizeof(rate) / sizeof(UCHAR))

break;

....

}

V547 Expression is always false. The value range of unsigned char type: [0, 255]. hw_mac.c 1971

The "sizeof(rate) / sizeof(UCHAR)" expression equals 256. The 'rateNum' variable has the UCHAR type. It

means that the condition will never hold.

Potential null pointer dereferencing It is accepted to check pointers for being null pointers. But I know for sure that it is often done in a very

slapdash manner. That is, you do have a check, but it is useless. For example:

HRESULT CFileContext::GetNextSubscribedMessage()

{

....

m_pWdfRequest = pWdfRequest;

m_pWdfRequest->MarkCancelable(pCallbackCancel);

if (m_pWdfRequest != NULL)

{

CompleteOneArrivalEvent();

}

....

}

V595 The 'm_pWdfRequest' pointer was utilized before it was verified against nullptr. Check lines: 266,

267. filecontext.cpp 266

The 'm_pWdfRequest' pointer was used to call the MarkCancelable() function. And then the

programmer suddenly recalled that it might be a null pointer and made a check: "if (m_pWdfRequest !=

NULL)".

Such code usually appears during the refactoring process. Lines are moved and new expressions are

added. And it may happen that a pointer check is put below the place where the pointer is used for the

first time.

However, these errors don't affect the program execution in most cases. Pointers in these places simply

cannot equal zero, so the program works well. But I cannot say for sure whether or not these fragments

are buggy. It's up to the project's developers to figure it out.

Here is the list of the other fragments where this warning is generated:

• V595 The 'pAdapterCommon' pointer was utilized before it was verified against nullptr. Check

lines: 456, 477. adapter.cpp 456

• V595 The 'PortStream' pointer was utilized before it was verified against nullptr. Check lines:

111, 123. rtstream.cpp 111

• V595 The 'pncLock' pointer was utilized before it was verified against nullptr. Check lines: 85,

112. netcfgapi.cpp 85

• V595 The 'm_pInterruptSync' pointer was utilized before it was verified against nullptr. Check

lines: 707, 724. miniport.cpp 707

• V595 The 'deviceExtension' pointer was utilized before it was verified against nullptr. Check

lines: 798, 816. cdrom.c 798

• V595 The 'DeviceObject' pointer was utilized before it was verified against nullptr. Check lines:

9614, 9621. class.c 9614

• V595 The 'OffloadReadContext' pointer was utilized before it was verified against nullptr. Check

lines: 13704, 13706. class.c 13704

• V595 The 'device' pointer was utilized before it was verified against nullptr. Check lines: 206,

214. driver.cpp 206


214. driver.cpp 206

• V595 The 'instanceContext' pointer was utilized before it was verified against nullptr. Check

lines: 211, 237. support.c 211

• V595 The 'BiosCodeSpace' pointer was utilized before it was verified against nullptr. Check lines:

8229, 8249. lsi_u3.c 8229

• V595 The 'pAdapterCommon' pointer was utilized before it was verified against nullptr. Check

lines: 293, 319. adapter.cpp 293

• V595 The 'm_AdapterCommon' pointer was utilized before it was verified against nullptr. Check

lines: 217, 223. basetopo.cpp 217


lines: 200, 208. basewave.cpp 200

• V595 The 'port' pointer was utilized before it was verified against nullptr. Check lines: 216, 234.

common.cpp 216

• V595 The 'miniport' pointer was utilized before it was verified against nullptr. Check lines: 226,

239. common.cpp 226

• V595 The 'port' pointer was utilized before it was verified against nullptr. Check lines: 404, 412.

adapter.cpp 404


lines: 216, 222. basetopo.cpp 216

• V595 The 'targetPortGroupEntry' pointer was utilized before it was verified against nullptr.

Check lines: 534, 541. dsmmain.c 534

• V595 The 'dsmContext' pointer was utilized before it was verified against nullptr. Check lines:

364, 382. intrface.c 364

• V595 The 'passThrough' pointer was utilized before it was verified against nullptr. Check lines:

635, 648. utils.c 635


1537, 1550. utils.c 1537


1747, 1760. utils.c 1747

• V595 The 'ioStatus' pointer was utilized before it was verified against nullptr. Check lines: 5236,

5247. utils.c 5236

• V595 The 'devInfo' pointer was utilized before it was verified against nullptr. Check lines: 3227,

3229. wmi.c 3227

• V595 The 'pdi' pointer was utilized before it was verified against nullptr. Check lines: 575, 583.

codec.c 575

• V595 The 'AssocMgr' pointer was utilized before it was verified against nullptr. Check lines: 786,

789. ap_assocmgr.c 786

• V595 The 'newExtApPort' pointer was utilized before it was verified against nullptr. Check lines:

87, 101. ap_main.c 87

• V595 The 'ApPort' pointer was utilized before it was verified against nullptr. Check lines: 3068,

3070. ap_oids.c 3068

• V595 The 'HandleContext' pointer was utilized before it was verified against nullptr. Check lines:

2741, 2762. ncdirnotify.c 2741

• V595 The 'pHvl' pointer was utilized before it was verified against nullptr. Check lines: 277, 297.

hvl_main.c 277

• V595 The 'pNextActiveContext' pointer was utilized before it was verified against nullptr. Check

lines: 914, 916. hvl_main.c 914

• V595 The 'pNextActiveContext' pointer was utilized before it was verified against nullptr. Check

lines: 987, 989. hvl_main.c 987

• V595 The 'pNextCtx' pointer was utilized before it was verified against nullptr. Check lines: 874,

894. hvl_main.c 874

• V595 The 'pVNic' pointer was utilized before it was verified against nullptr. Check lines: 559,

584. vnic_main.c 559

• V595 The 'pExReq' pointer was utilized before it was verified against nullptr. Check lines: 1563,

1575. vnic_main.c 1563

• V595 The 'pJoinReq' pointer was utilized before it was verified against nullptr. Check lines: 241,

259. vnic_queue.c 241

• V595 The 'pChSwReq' pointer was utilized before it was verified against nullptr. Check lines: 439,

447. vnic_queue.c 439

• V595 The 'newPort' pointer was utilized before it was verified against nullptr. Check lines: 90,

100. base_port_main.c 90


1390. helper_port_main.c 1379

• V595 The 'adapter' pointer was utilized before it was verified against nullptr. Check lines: 168,

196. mp_pnp.c 168

• V595 The 'newAdapter' pointer was utilized before it was verified against nullptr. Check lines:

458, 472. mp_pnp.c 458

• V595 The 'portRegInfo' pointer was utilized before it was verified against nullptr. Check lines:

153, 166. port_main.c 153


280. port_main.c 268

• V595 The 'pso24' pointer was utilized before it was verified against nullptr. Check lines: 338,

352. brush.c 338

• V595 The 'newHw' pointer was utilized before it was verified against nullptr. Check lines: 338,

358. hw_main.c 338

• V595 The 'Hw->Hal' pointer was utilized before it was verified against nullptr. Check lines: 605,

623. hw_main.c 605

• V595 The 'UseCoalesce' pointer was utilized before it was verified against nullptr. Check lines:

1760, 1781. hw_send.c 1760

• V595 The 'm_pWdfRequest' pointer was utilized before it was verified against nullptr. Check

lines: 248, 250. filecontext.cpp 248

• V595 The 'pDOMSnapshot' pointer was utilized before it was verified against nullptr. Check

lines: 711, 736. gdlsmpl.cpp 711

• V595 The '* ppDOMSnapshot' pointer was utilized before it was verified against nullptr. Check

lines: 833, 842. gdlsmpl.cpp 833

• V595 The 'm_pRootDocument' pointer was utilized before it was verified against nullptr. Check

lines: 163, 168. xmlhandler.cxx 163

• V595 The 'pNewNode' pointer was utilized before it was verified against nullptr. Check lines:

403, 411. xmlhandler.cxx 403

• V595 The 'pNewNode' pointer was utilized before it was verified against nullptr. Check lines:


• V595 The 'pNewAttribute' pointer was utilized before it was verified against nullptr. Check lines:


• V595 The 'pCurrentNode' pointer was utilized before it was verified against nullptr. Check lines:


• V595 The 'pAttribute' pointer was utilized before it was verified against nullptr. Check lines: 993,

1001. xmlhandler.cxx 993

• V595 The 'pAttrMap' pointer was utilized before it was verified against nullptr. Check lines: 982,


• V595 The 'pAttrNode' pointer was utilized before it was verified against nullptr. Check lines: 990,


• V595 The 'ppszDisplayName' pointer was utilized before it was verified against nullptr. Check

lines: 1734, 1752. features.cpp 1734

• V595 The 'ppszDisplayName' pointer was utilized before it was verified against nullptr. Check

lines: 1903, 1921. features.cpp 1903

• V595 The 'pszTemp' pointer was utilized before it was verified against nullptr. Check lines: 353,

366. util.c 353

• V595 The 'pszTimeout' pointer was utilized before it was verified against nullptr. Check lines:

713, 723. util.c 713


201. driver.cpp 193

• V595 The 'queue' pointer was utilized before it was verified against nullptr. Check lines: 70, 79.

queue.cpp 70


214. driver.cpp 206

• V595 The 'ctx' pointer was utilized before it was verified against nullptr. Check lines: 521, 545.

swapbuffers.c 521

• V595 The 'trimContext' pointer was utilized before it was verified against nullptr. Check lines:

2454, 2457. common.c 2454


2579, 2582. common.c 2579


2568, 2582. common.c 2568

• V595 The 'pWriteBuffer' pointer was utilized before it was verified against nullptr. Check lines:

682, 707. accelerometerdevice.cpp 682

• V595 The 'pBuffer' pointer was utilized before it was verified against nullptr. Check lines: 838,

867. accelerometerdevice.cpp 838









• V595 The 'myDevice' pointer was utilized before it was verified against nullptr. Check lines: 193,

201. driver.cpp 193


214. driver.cpp 206

• V595 The 'deviceInterfaceDetailData' pointer was utilized before it was verified against nullptr.

Check lines: 170, 180. sensorcommunication.cpp 170


207. driver.cpp 199

• V595 The 'queue' pointer was utilized before it was verified against nullptr. Check lines: 119,

128. queue.cpp 119

• V595 The 'queue' pointer was utilized before it was verified against nullptr. Check lines: 1368,

1377. queue.cpp 1368


214. driver.cpp 206


214. driver.cpp 206


231. umdf_vdev_driver.cpp 223


214. driver.cpp 206


214. driver.cpp 206


214. driver.cpp 206

• V595 The 'packet' pointer was utilized before it was verified against nullptr. Check lines: 1305,

1312. inspect.c 1305

• V595 The 'FxRequest' pointer was utilized before it was verified against nullptr. Check lines: 937,

945. device.cpp 937

• V595 The 'pImageCodecInfo' pointer was utilized before it was verified against nullptr. Check

lines: 72, 83. gphelper.h 72

• V595 The 'pTargetBitmap' pointer was utilized before it was verified against nullptr. Check lines:

314, 329. gphelper.h 314

• V595 The 'pStreamOut' pointer was utilized before it was verified against nullptr. Check lines:

787, 790. imagefilter.cpp 787

• V595 The 'pWiaItemWrapper' pointer was utilized before it was verified against nullptr. Check

lines: 1590, 1620. imagefilter.cpp 1590

• V595 The 'pIWiaItemWrapper' pointer was utilized before it was verified against nullptr. Check

lines: 2028, 2032. imagefilter.cpp 2028

• V595 The 'pIWiaItemWrapper' pointer was utilized before it was verified against nullptr. Check

lines: 267, 282. segmentation.cpp 267

• V595 The 'm_pArray' pointer was utilized before it was verified against nullptr. Check lines: 193,

199. basicarray.h 193

• V595 The 'm_pArray' pointer was utilized before it was verified against nullptr. Check lines: 229,

235. basicarray.h 229

• V595 The 'pWIADeviceCapability' pointer was utilized before it was verified against nullptr.

Check lines: 233, 249. capman.cpp 233

• V595 The 'pImageCodecInfo' pointer was utilized before it was verified against nullptr. Check

lines: 298, 310. fileconv.cpp 298

• V595 The 'ppOutputStream' pointer was utilized before it was verified against nullptr. Check


• V595 The 'ppOutputStream' pointer was utilized before it was verified against nullptr. Check


• V595 The 'pwData' pointer was utilized before it was verified against nullptr. Check lines: 1966,

1996. scanjobs.cpp 1966

• V595 The 'm_pSensorManager' pointer was utilized before it was verified against nullptr. Check

lines: 4996, 5017. sensor.cpp 4996

• V595 The 'wszDataCopy' pointer was utilized before it was verified against nullptr. Check lines:

1320, 1334. basicddi.cpp 1320

• V595 The 'm_pOemCUIPParam' pointer was utilized before it was verified against nullptr. Check

lines: 490, 494. uictrl.cpp 490





True null pointer dereferencing We have just discussed potential null pointer dereferencing errors. Now let's examine the case when a

pointer is null for sure.

HRESULT CSensorDDI::OnGetDataFields(....)

{

....

if (nullptr != pSensor)

{

....

}

else

{

hr = E_POINTER;


"pSensor == NULL before getting datafield %!GUID!-%i "

"value from %s, hr = %!HRESULT!",

&Key.fmtid, Key.pid, pSensor->m_SensorName, hr);

}

}

V522 Dereferencing of the null pointer 'pSensor' might take place. sensorddi.cpp 903

If the 'pSensor' pointer equals zero, you want to save the related information into the log. But it's

obviously a bad idea to try to take the name using "pSensor->m_SensorName".

A similar error can be found here:

V522 Dereferencing of the null pointer 'pSensor' might take place. sensorddi.cpp 1852

Strange loop VOID ReportToString(

PHID_DATA pData,

_Inout_updates_bytes_(iBuffSize) LPSTR szBuff,

UINT iBuffSize

)

{

....

if(FAILED(StringCbPrintf (szBuff,

iBuffSize,

"Usage Page: 0x%x, Usages: ",

pData -> UsagePage)))

{

for(j=0; j<sizeof(szBuff); j++)

{

szBuff[j] = '\0';

}

return;

}

....

}

V604 It is odd that the number of iterations in the loop equals to the size of the 'szBuff' pointer. hclient.c

1688

Note the "j<sizeof(szBuff)" loop's truncation condition. It is very strange that the loop is iterated the

same number of times as size of pointer (that is, 4 or 8). The following code should be most likely

written instead:

for(j=0; j<iBuffSize; j++)

A misprint making the code vulnerable bool ParseNumber(....)

{

....

if ((*Value < Bounds.first) ||

(*Value > Bounds.second))

{

printf("Value %s is out of bounds\n", String.c_str());

false;

}

....

}

V606 Ownerless token 'false'. util.cpp 91

It is checked that the variable's value is outside certain boundaries. This event must stop the function's

operation, but that doesn't happen. The programmer made a misprint writing "false" instead of "return

false;".

The same bug can be found here:

V606 Ownerless token 'false'. util.cpp 131

A misprint in switch In the beginning of the article, I pointed out that errors taken from samples tend to spread all over. Now

I'll demonstrate it by an example. Take a look at this code.

PCHAR DbgDevicePowerString(IN WDF_POWER_DEVICE_STATE Type)

{

....

case WdfPowerDeviceD0:

return "WdfPowerDeviceD0";

case PowerDeviceD1:


case WdfPowerDeviceD2:


....

}

V556 The values of different enum types are compared: switch(ENUM_TYPE_A) { case ENUM_TYPE_B: ...

}. usb.c 450

Most likely, "case WdfPowerDeviceD1:" should be written instead of "case PowerDeviceD1:". And the

name 'PowerDeviceD1' refers to an absolutely different type which is enum type.

So, this error was found in several projects at once. It was multiplied thanks to Copy-Paste. These are

other fragments containing this bug:

• V556 The values of different enum types are compared: switch(ENUM_TYPE_A) { case

ENUM_TYPE_B: ... }. pcidrv.c 1707


ENUM_TYPE_B: ... }. device.c 367


ENUM_TYPE_B: ... }. device.c 935


ENUM_TYPE_B: ... }. power.c 366


ENUM_TYPE_B: ... }. power.c 56


ENUM_TYPE_B: ... }. kmdf_vdev_pnp.c 727

Pi equals 3 NTSTATUS KcsAddTrignometricInstance (....)

{

....

Angle = (double)(Timestamp.QuadPart / 400000) *

(22/7) / 180;

....

}

V636 The '22 / 7' expression was implicitly casted from 'int' type to 'double' type. Consider utilizing an

explicit type cast to avoid the loss of a fractional part. An example: double A = (double)(X) / Y;. kcs.c 239

This is a strange integer division. Why not write 3 right away? Perhaps it would be better to write

(22.0/7). Then we'd get 3.1428.... By the way, Wikipedia prompts us that the fraction 22/7 is sometimes

used to get an approximate value of Pi. Well, then the programmer has got a VERY approximate value in

this sample.

Vestiges of the past Long ago the 'new' operator used to return 0 if a memory allocation error occurred. Those times are

long gone. Now, according to the standard, the 'new' operator throws the std::bad_alloc() exception if

an error occurs. But many programmers either don't know or forget about this thing, or use their

ancient code still containing such checks.

No problem, one may say. Just an extra check, that's alright. Well, the point is that a program is usually

designed to perform some additional actions in case of an error. For instance it should release memory

or close a file. But now it throws an exception when there is not enough memory, and the code that

must handle it remains idle.

Have a look at this sample:

int SetHwidCallback(....)

{

....

LPTSTR * tmpArray = new LPTSTR[cnt+2];

if(!tmpArray) {

goto final;

}

....

final:

if(hwlist) {

DelMultiSz(hwlist);

}

return result;

}

V668 There is no sense in testing the 'tmpArray' pointer against null, as the memory was allocated using

the 'new' operator. The exception will be generated in the case of memory allocation error. cmds.cpp

2016

If the memory allocation error occurs, the program must move to the 'final' mark. After that, the

DelMultiSz() function must be called to delete something. That won't happen. An exception will be

generated which will leave the function. Even if this exception is correctly handled later, a memory leak

or some other bad thing will most likely happen.

In Windows 8 Driver Samples, there are a lot of fragments where a pointer received from the 'new'

operator is checked for being null. In most cases, everything should work well. But the programmers still

need to investigate these fragments more thoroughly. Here they are:

• V668 There is no sense in testing the 'pINotifyDataObject' pointer against null, as the memory

was allocated using the 'new' operator. The exception will be generated in the case of memory

allocation error. acallback.cpp 309

• V668 There is no sense in testing the 'pIAsynchCallback' pointer against null, as the memory was

allocated using the 'new' operator. The exception will be generated in the case of memory

allocation error. client.cpp 142

• V668 There is no sense in testing the 'pINotifyDataObject' pointer against null, as the memory


allocation error. acallback.cpp 226



allocation error. asyncnotify.cpp 57

• V668 There is no sense in testing the 'pClientNotification' pointer against null, as the memory






• V668 There is no sense in testing the 'pClientNotification' pointer against null, as the memory



• V668 There is no sense in testing the 'pNewItem' pointer against null, as the memory was


allocation error. tlist.h 129










• V668 There is no sense in testing the 'pAudioParamsCopy' pointer against null, as the memory


allocation error. advendpointproppage.cpp 1004

• V668 There is no sense in testing the 'pAudioFXParamsCopy' pointer against null, as the memory


allocation error. swapproppage.cpp 811

• V668 There is no sense in testing the 'array' pointer against null, as the memory was allocated

using the 'new' operator. The exception will be generated in the case of memory allocation

error. devcon.cpp 389

• V668 There is no sense in testing the 'multiSz' pointer against null, as the memory was allocated


error. devcon.cpp 434

• V668 There is no sense in testing the 'resDesData' pointer against null, as the memory was


allocation error. dump.cpp 250

• V668 There is no sense in testing the 'lpszMsgBuf' pointer against null, as the memory was


allocation error. debug.cpp 128




• V668 There is no sense in testing the 'pOemCB' pointer against null, as the memory was


allocation error. oemcom.cpp 448

• V668 There is no sense in testing the 'pFontCF' pointer against null, as the memory was















• V668 There is no sense in testing the 'queue' pointer against null, as the memory was allocated


error. controlqueue.cpp 104



error. readwritequeue.cpp 203

• V668 There is no sense in testing the 'device' pointer against null, as the memory was allocated


error. device.cpp 65

• V668 There is no sense in testing the 'instanceId' pointer against null, as the memory was


allocation error. device.cpp 415

• V668 There is no sense in testing the 'm_Ppd' pointer against null, as the memory was allocated



• V668 There is no sense in testing the 'factory' pointer against null, as the memory was allocated


error. dllsup.cpp 183

• V668 There is no sense in testing the 'driver' pointer against null, as the memory was allocated


error. driver.cpp 54

• V668 There is no sense in testing the 'buffer' pointer against null, as the memory was allocated


error. socketechoserver.cpp 59

• V668 There is no sense in testing the 'client' pointer against null, as the memory was allocated


error. socketechoserver.cpp 383










• V668 There is no sense in testing the 'pMyQueue' pointer against null, as the memory was


allocation error. queue.cpp 90

• V668 There is no sense in testing the 'pContext' pointer against null, as the memory was



• V668 There is no sense in testing the 'pConnection' pointer against null, as the memory was



• V668 There is no sense in testing the 'm_Luminous' pointer against null, as the memory was


allocation error. sauron.cpp 66

• V668 There is no sense in testing the 'pwszBuffer' pointer against null, as the memory was


allocation error. ihvsampleextui.cpp 633

• V668 There is no sense in testing the 'pOemPDEV' pointer against null, as the memory was


allocation error. intrface.cpp 730

• V668 There is no sense in testing the 'pOemCP' pointer against null, as the memory was






• V668 There is no sense in testing the 'm_pbPayload' pointer against null, as the memory was


allocation error. filecontext.h 48

• V668 There is no sense in testing the 'm_pszType' pointer against null, as the memory was


allocation error. filecontext.cpp 136

• V668 There is no sense in testing the 'pbNewPayload' pointer against null, as the memory was



• V668 There is no sense in testing the 'pMyPayload' pointer against null, as the memory was



• V668 There is no sense in testing the 'pConnection' pointer against null, as the memory was


allocation error. connection.cpp 46

• V668 There is no sense in testing the 'pMessage' pointer against null, as the memory was


allocation error. connection.cpp 251




• V668 There is no sense in testing the 'pszFileNameBuffer' pointer against null, as the memory









• V668 There is no sense in testing the 'pGDLSampleClassFactory' pointer against null, as the

memory was allocated using the 'new' operator. The exception will be generated in the case of

memory allocation error. gdlsmpl.cpp 255



allocation error. gdlsmpl.cpp 380













• V668 There is no sense in testing the 'poempdev' pointer against null, as the memory was
































allocation error. intrface.cxx 386

• V668 There is no sense in testing the 'pOemPT' pointer against null, as the memory was


















• V668 There is no sense in testing the 'pszAngle' pointer against null, as the memory was


allocation error. command.cpp 290



















• V668 There is no sense in testing the 'm_pData' pointer against null, as the memory was


allocation error. features.cpp 234

• V668 There is no sense in testing the 'm_pFeatures' pointer against null, as the memory was


allocation error. features.cpp 984

• V668 There is no sense in testing the 'pPairs' pointer against null, as the memory was allocated


error. features.cpp 1564

• V668 There is no sense in testing the 'pUIReplacementCF' pointer against null, as the memory












• V668 There is no sense in testing the 'p2' pointer against null, as the memory was allocated


error. pixel.cpp 585







• V668 There is no sense in testing the 'poempdev' pointer against null, as the memory was









• V668 There is no sense in testing the 'Contexts' pointer against null, as the memory was


allocation error. plx.cpp 442

• V668 There is no sense in testing the 'Threads' pointer against null, as the memory was allocated


error. plx.cpp 442













• V668 There is no sense in testing the 'pReadBuf' pointer against null, as the memory was


allocation error. streamfilter.cxx 224












error. queue.cpp 59










• V668 There is no sense in testing the 'deviceName' pointer against null, as the memory was









• V668 There is no sense in testing the 'pGeolocation' pointer against null, as the memory was


allocation error. sensormanager.cpp 395

• V668 There is no sense in testing the 'm_pDataBuffer' pointer against null, as the memory was


allocation error. accelerometerdevice.cpp 531

• V668 There is no sense in testing the 'pWriteBuffer' pointer against null, as the memory was



• V668 There is no sense in testing the 'pReadBuffer' pointer against null, as the memory was



• V668 There is no sense in testing the 'pBuffer' pointer against null, as the memory was allocated


error. accelerometerdevice.cpp 792
















• V668 There is no sense in testing the 'myDevice' pointer against null, as the memory was






• V668 There is no sense in testing the 'myDriver' pointer against null, as the memory was


allocation error. driver.cpp 54

• V668 There is no sense in testing the 'myRemoteTarget' pointer against null, as the memory was


allocation error. remotetarget.cpp 72

• V668 There is no sense in testing the 'pMyDevice' pointer against null, as the memory was


allocation error. device.h 47



allocation error. queue.h 46













• V668 There is no sense in testing the '_pSensorManagerEvents' pointer against null, as the

memory was allocated using the 'new' operator. The exception will be generated in the case of

memory allocation error. sampleradiomanager.cpp 39












error. queue.cpp 108



error. queue.cpp 1358




• V668 There is no sense in testing the 'devInstId' pointer against null, as the memory was



• V668 There is no sense in testing the 'pdoName' pointer against null, as the memory was












• V668 There is no sense in testing the 'buffer' pointer against null, as the memory was allocated


error. ringbuffer.cpp 43










• V668 There is no sense in testing the 'vDevice' pointer against null, as the memory was allocated


error. umdf_vdev_device.cpp 69



error. umdf_vdev_dll.cpp 181



error. umdf_vdev_driver.cpp 67



error. umdf_vdev_parallelqueue.cpp 124



error. umdf_vdev_sequentialqueue.cpp 111














































• V668 There is no sense in testing the 'pTargetBitmap' pointer against null, as the memory was


allocation error. imagefilter.cpp 209

• V668 There is no sense in testing the 'pWiaItemWrapper' pointer against null, as the memory



• V668 There is no sense in testing the 'pIWiaItemWrapper' pointer against null, as the memory



• V668 There is no sense in testing the 'm_pCurrentStream' pointer against null, as the memory



• V668 There is no sense in testing the 'pImageFilter' pointer against null, as the memory was



• V668 There is no sense in testing the 'pIWiaItemWrapper' pointer against null, as the memory


allocation error. segmentation.cpp 205

• V668 There is no sense in testing the 'pSegFilter' pointer against null, as the memory was


allocation error. segmentation.cpp 429

• V668 There is no sense in testing the 'pResult' pointer against null, as the memory was allocated


error. basicstr.h 963

• V668 There is no sense in testing the 'pTmpArray' pointer against null, as the memory was


allocation error. basicarray.h 139




• V668 There is no sense in testing the 'm_pBitmapData' pointer against null, as the memory was


allocation error. wiadevice.h 65

• V668 There is no sense in testing the 'm_pFormats' pointer against null, as the memory was


allocation error. wiadriver.cpp 2425

• V668 There is no sense in testing the 'pDev' pointer against null, as the memory was allocated


error. wiadriver.cpp 2615

• V668 There is no sense in testing the 'pcf' pointer against null, as the memory was allocated


error. wiadriver.cpp 2673

• V668 There is no sense in testing the 'pInfo' pointer against null, as the memory was allocated


error. wiapropertymanager.cpp 176

• V668 There is no sense in testing the 'pguid' pointer against null, as the memory was allocated


error. wiapropertymanager.cpp 778







• V668 There is no sense in testing the 'pImageCodecInfo' pointer against null, as the memory was


allocation error. fileconv.cpp 271

• V668 There is no sense in testing the 'pInfo' pointer against null, as the memory was allocated


error. propman.cpp 185

• V668 There is no sense in testing the 'pguid' pointer against null, as the memory was allocated


error. propman.cpp 1140

• V668 There is no sense in testing the 'pwData' pointer against null, as the memory was allocated


error. scanjobs.cpp 1905

• V668 There is no sense in testing the 'pWpdBaseDriver' pointer against null, as the memory was



• V668 There is no sense in testing the 'pClientContextMap' pointer against null, as the memory



• V668 There is no sense in testing the 'pEnumeratorContext' pointer against null, as the memory


allocation error. wpdobjectenum.cpp 105

• V668 There is no sense in testing the 'pResourceContext' pointer against null, as the memory


allocation error. wpdobjectresources.cpp 291






















• V668 There is no sense in testing the 'pszMsgBuf' pointer against null, as the memory was



• V668 There is no sense in testing the 'pFilter' pointer against null, as the memory was allocated


error. clasfact.h 75

• V668 There is no sense in testing the 'pFactory' pointer against null, as the memory was


allocation error. clasfact.h 158

• V668 There is no sense in testing the 'pRecvReport' pointer against null, as the memory was


allocation error. sensor.cpp 2320

• V668 There is no sense in testing the 'pRecvReport' pointer against null, as the memory was


allocation error. sensor.cpp 2976

• V668 There is no sense in testing the 'pSendReport' pointer against null, as the memory was


allocation error. sensorddi.cpp 530




• V668 There is no sense in testing the 'pVIC' pointer against null, as the memory was allocated


error. fakecontactsservicecontent.cpp 436






allocation error. wpdbasedriver.cpp 341






allocation error. wpdobjectpropertiesbulk.cpp 931







• V668 There is no sense in testing the 'm_pTask' pointer against null, as the memory was


allocation error. wpdservicemethods.cpp 61



allocation error. wpdservicemethods.cpp 295

• V668 There is no sense in testing the 'pContent' pointer against null, as the memory was


allocation error. fakedevice.h 1927






















• V668 There is no sense in testing the 'pszDeviceName' pointer against null, as the memory was











allocation error. wpdbasedriver.cpp 286






allocation error. wpdobjectmanagement.cpp 1026










• V668 There is no sense in testing the 'm_pNUpPage' pointer against null, as the memory was


allocation error. nupflt.cpp 428

• V668 There is no sense in testing the 'm_pNUpProps' pointer against null, as the memory was


allocation error. nuppage.cpp 82

• V668 There is no sense in testing the 'm_pNUpTransform' pointer against null, as the memory



• V668 There is no sense in testing the 'm_pNUpProps' pointer against null, as the memory was



• V668 There is no sense in testing the 'm_pNUpTransform' pointer against null, as the memory



• V668 There is no sense in testing the 'm_pMultiByte' pointer against null, as the memory was


allocation error. widetoutf8.cpp 136

• V668 There is no sense in testing the 'pXpsProcessor' pointer against null, as the memory was


allocation error. xdstrmflt.cpp 127

• V668 There is no sense in testing the 'pBuff' pointer against null, as the memory was allocated


error. xdstrmflt.cpp 157

• V668 There is no sense in testing the 'szFileName' pointer against null, as the memory was


allocation error. xpsarch.cpp 80

• V668 There is no sense in testing the 'pXpsWriteFile' pointer against null, as the memory was


allocation error. xpsproc.cpp 876

• V668 There is no sense in testing the 'pBuff' pointer against null, as the memory was allocated


error. cmimg.cpp 364



error. cmimg.cpp 640

• V668 There is no sense in testing the 'pProfileData' pointer against null, as the memory was


allocation error. profile.cpp 156

• V668 There is no sense in testing the 'm_phProfiles' pointer against null, as the memory was


allocation error. transform.cpp 189

• V668 There is no sense in testing the 'm_pcstrProfileKeys' pointer against null, as the memory


allocation error. transform.cpp 519

• V668 There is no sense in testing the 'm_pScanBuffer' pointer against null, as the memory was


allocation error. wictobmscn.cpp 708

• V668 There is no sense in testing the 'pFontData' pointer against null, as the memory was


allocation error. wmfont.cpp 159

• V668 There is no sense in testing the 'pControl' pointer against null, as the memory was


allocation error. colppg.cpp 62







• V668 There is no sense in testing the 'pXDSmplUICF' pointer against null, as the memory was


allocation error. dllentry.cpp 154



allocation error. ftrppg.cpp 62

















































• V668 There is no sense in testing the 'lpBuffer' pointer against null, as the memory was


allocation error. uictrl.cpp 1851

• V668 There is no sense in testing the 'lpBuffer' pointer against null, as the memory was



• V668 There is no sense in testing the 'lpOrgBuffer' pointer against null, as the memory was





allocation error. wmppg.cpp 63




















































• V668 There is no sense in testing the 'pXDSmplUI' pointer against null, as the memory was


allocation error. xdsmplcf.cpp 82

• V668 There is no sense in testing the 'pXDSmplPT' pointer against null, as the memory was


allocation error. xdsmplcf.cpp 113

• V668 There is no sense in testing the 'm_pUIProperties' pointer against null, as the memory was


allocation error. xdsmplui.cpp 477

Bad macro #define MP_FREE_MEMORY(_Memory) \

MpFreeMemory(_Memory); _Memory = NULL;

NDIS_STATUS StaStartScan(....)

{

....

if (pExternalScanRequest != NULL)

MP_FREE_MEMORY(pExternalScanRequest);

....

}

V640 The code's operational logic does not correspond with its formatting. The second statement will

always be executed. It is possible that curly brackets are missing. st_scan.c 564

The MP_FREE_MEMORY macro is written in a poor way: function calls are not united into a single block

by curly brackets. No error will occur in this particular place. It's simply that the pointer will be zeroed

anyway, regardless whether or not it equaled zero.

Something messed up in switch CPSUICALLBACK TVTestCallBack(....)

{

....

switch (DMPubID)

{

....

case DMPUB_TVOPT_OVERLAY_NO:

Action = CPSUICB_ACTION_REINIT_ITEMS;

case DMPUB_TVOPT_ECB_EP:

....

Action = CPSUICB_ACTION_OPTIF_CHANGED;

//

// Fall through

//

....

}

....

}

V519 The 'Action' variable is assigned values twice successively. Perhaps this is a mistake. Check lines:

1110, 1124. cpsuidat.c 1124

Something is not right here. The assignment operation "Action = CPSUICB_ACTION_REINIT_ITEMS;" is

pointless. The 'Action' variable will be assigned another value a bit later. Perhaps it is the 'break'

operator missing here. In other places where 'break' is not needed, you can see the comment "// Fall

through". But there is no such a comment here.

Not bugs, but code causing confusion There are some code fragments that don't contain errors but may puzzle you very much. Since these

code fragments confuse me, they will also confuse other programmers. Here is one example:

BOOLEAN FillDeviceInfo(IN PHID_DEVICE HidDevice)

{

....

HidDevice->InputReportBuffer = (PCHAR)calloc(....);

HidDevice->InputButtonCaps = buttonCaps =

(PHIDP_BUTTON_CAPS) calloc(....);

....

if (NULL == buttonCaps)

{

free(HidDevice->InputReportBuffer);

HidDevice->InputReportBuffer = NULL;

free(buttonCaps);

HidDevice->InputButtonCaps = NULL;

return (FALSE);

}

....

}

V575 The null pointer is passed into 'free' function. Inspect the first argument. pnp.c 406

The 'buttonCaps' pointer equals NULL. Despite that, the function free(buttonCaps) is called, which is

pointless. This code makes you think there's some error here. But there are not any. It's just an

unnecessary operation and a waste of time on code examination. The same meaningless calls of the

free() function can be found in some other fragments:

• V575 The null pointer is passed into 'free' function. Inspect the first argument. pnp.c 420








There were some other strange fragments as well. I won't cite them, as this post is long enough and we

have to finish.

Conclusion Because PVS-Studio finds more and more bugs in open-source projects, my articles reporting these

checks tend to grow larger and larger. In the future, I suppose, I'll have to describe only the most

interesting issues in my posts and attach a link to a complete list of suspicious fragments.

I hope that Microsoft will get my article right. By no means did I intend to show that their code is bad.

The article just shows that errors can be found in any projects and that we are capable of detecting

some of them. In fact, each of my posts describes errors found in this or that project. I hope this one will

help the developers to fix some defects. It will save other developers' time; but what's most important,

no one will doubt Microsoft's reputation. Don't you find it strange to hear someone saying at a

conference that Microsoft is concerned with their software's quality and then see the line "ASSERT (0 <

dwMaskSize <5);" in some published project? The quality of demo samples must be as high as that of

popular software. This is the code by which programmers will judge the quality of other solutions.

Why Windows 8 drivers are buggy

Technology

Transcript of Why Windows 8 drivers are buggy