[UDFS] Reduce mount-time NonPagedPool pressure to allow mounting on Windows Server 2003 with 2 GB RAM

[Copilot]

• Identify root cause: 3 performance/size issues in chunked bitmap
  • UDFGetBitmapLen chunked path scans bit-by-bit (no null-chunk skip, no byte fast-path)
  • UDFSetBits/UDFClrBits macros do per-bit chunk lookup instead of bulk fill
  • ZeroChunk[UDF_CHUNK_SIZE] in inline header function grows binary with chunk shift
• Fix UDFChunkedGetBytePtr: decouple ZeroChunk size from UDF_CHUNK_SIZE (fixed 4096 + C_ASSERT)
• Add UDFChunkedSetBitRange / UDFChunkedClrBitRange bulk helpers
• Replace UDFSetBits/UDFClrBits macros with the bulk helpers
• Fix UDFGetBitmapLen chunked path: byte-at-a-time + null-chunk skip

[Zero3K20]

@copilot The chunking method should be used in all the other places besides the ones that currently use it that were changed from NonpagedPool to PagedPool in the PR at assorted#19.

[Copilot]

@copilot The chunking method should be used in all the other places besides the ones that currently use it that were changed from NonpagedPool to PagedPool in the PR at https://github.com/assorted/rea...

Done in commit 675515a. The remaining mount-path allocations from that PR are now converted:

• _XSBM in UDFPrepareXSpaceBitmap → PagedPool (on-disk space bitmap read buffer, needs contiguous memory for I/O)
• tmp in UDFAddXSpaceBitmap and UDFVerifyXSpaceBitmap → PagedPool (same reason)
• Vcb->Vat in UDFLoadVAT → PagedPool (large uint32 array scaling with LastPossibleLBA)
• TempBuffer / tmp_buff in phys_lib.cpp → PagedPool
• Also fixed the Vcb->BlockSize → Vcb->SectorSize size bug in UDFUpdateVDS from that PR

The I/O read buffers (_XSBM, tmp) use PagedPool rather than the chunked approach because they must be passed as flat contiguous buffers to UDFReadTagged/UDFReadData; chunking is used for the long-lived in-memory bitmaps (FSBM_Bitmap, FSBM_OldBitmap, BSBM_Bitmap) which are accessed through the bitmap helpers.

[Zero3K20]

@copilot Please fix the conflicts.

[Zero3K20]

@copilot Increasing the chunk size didn’t result in the extraction of archives, etc. being the same speed as before all of the changes in this branch. Those actions are still extremely slow. Also, the driver’s file size has increased because of that change.

[Copilot]

@copilot Increasing the chunk size didn’t result in the extraction of archives, etc. being the same speed as before all of the changes in this branch. Those actions are still extremely slow. Also, t...

Reverted in ff4a156 — UDF_CHUNK_SHIFT is back to 12 (4 KB chunks). The 128 KB chunk size is removed along with its binary size impact.

[Zero3K20]

@copilot

..\drivers\filesystems\udfs\udf_info\mount.cpp(81): error C2065: 'BS': undeclare
d identifier

[Copilot]

@copilot

..\drivers\filesystems\udfs\udf_info\mount.cpp(81): error C2065: 'BS': undeclare

...

Fixed in ea5bf81. BS was a dead leftover assignment (never declared, never used after the assignment); LBS on the next line already captures the same Vcb->SectorSize value, so the BS = ... line was simply removed.

[Zero3K20]

@copilot

..\drivers\filesystems\udfs\udf_info\udf_info.cpp(5201): error C2440: '=': canno
t convert from 'uint32 *' to 'PCHAR'
..\drivers\filesystems\udfs\udf_info\udf_info.cpp(5201): note: Types pointed to
are unrelated; conversion requires reinterpret_cast, C-style cast or function-st
yle cast
..\drivers\filesystems\udfs\udf_info\udf_info.cpp(5225): error C2440: '=': canno
t convert from 'uint32 *' to 'PCHAR'
..\drivers\filesystems\udfs\udf_info\udf_info.cpp(5225): note: Types pointed to
are unrelated; conversion requires reinterpret_cast, C-style cast or function-st
yle cast
[12/40] Building CXX object drivers\fi...udfs\CMakeFiles\udfs.dir\close.cpp.obj
ninja: build stopped: subcommand failed.

[Copilot]

@copilot

..\drivers\filesystems\udfs\udf_info\udf_info.cpp(5201): error C2440: '=': canno

...

Fixed in baac20c. The merge reintroduced the old (uint32*) cast at lines 5201 and 5225; changed both back to (PCHAR) to match the PCHAR Vcb->Vat field type.

[Zero3K20]

@copilot
This BSOD happens after applying the latest changes when it makes some progress in downloading a game via SteamCMD:

*** Fatal System Error: 0x000000c2
                       (0x00000007,0x0000109B,0x00000000,0x856304C0)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows 7 7601 x86 compatible target at (Thu Apr 30 10:33:15.367 2026 (UTC - 4:00)), ptr64 FALSE
Loading Kernel Symbols
...............................................................
................................................................
..........
Loading User Symbols

Loading unloaded module list
......
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck C2, {7, 109b, 0, 856304c0}

Probably caused by : ntkrpamp.exe ( nt!ExFreePoolWithTag+1b3 )

Followup: MachineOwner
---------

nt!RtlpBreakWithStatusInstruction:
83477788 cc              int     3
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

BAD_POOL_CALLER (c2)
The current thread is making a bad pool request.  Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 00000007, Attempt to free pool which was already freed
Arg2: 0000109b, (reserved)
Arg3: 00000000, Memory contents of the pool block
Arg4: 856304c0, Address of the block of pool being deallocated

Debugging Details:
------------------


POOL_ADDRESS:  856304c0 Nonpaged pool

FREED_POOL_TAG:  Udfn

BUGCHECK_STR:  0xc2_7_Udfn

DEFAULT_BUCKET_ID:  INTEL_CPU_MICROCODE_ZERO

PROCESS_NAME:  System

CURRENT_IRQL:  2

LAST_CONTROL_TRANSFER:  from 834f2407 to 83477788

STACK_TEXT:  
8b243694 834f2407 00000003 a7ac35ce 00000065 nt!RtlpBreakWithStatusInstruction
8b2436e4 834f2f04 00000003 856304b8 000001ff nt!KiBugCheckDebugBreak+0x1c
8b243aa8 8353dc71 000000c2 00000007 0000109b nt!KeBugCheck2+0x68a
8b243b20 8348ec11 856304c0 00000000 000c0000 nt!ExFreePoolWithTag+0x1b3
8b243b94 8364546b 855fc368 855fc368 855fc390 nt!MiDeleteSegmentPages+0x3c0
8b243bbc 834e3763 00088081 854d5b58 00000000 nt!MiSegmentDelete+0xdc
8b243c18 834d8eac 854ef220 00000000 00000000 nt!MiProcessDereferenceList+0xdb
8b243c44 83625b84 00000000 a7ac3fba 00000000 nt!MiDereferenceSegmentThread+0xc5
8b243c90 834c28d1 834d8de5 00000000 00000000 nt!PspSystemThreadStartup+0x159
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x19


STACK_COMMAND:  kb

FOLLOWUP_IP: 
nt!ExFreePoolWithTag+1b3
8353dc71 cc              int     3

SYMBOL_STACK_INDEX:  3

SYMBOL_NAME:  nt!ExFreePoolWithTag+1b3

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

IMAGE_NAME:  ntkrpamp.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  5e0eaf08

FAILURE_BUCKET_ID:  0xc2_7_Udfn_nt!ExFreePoolWithTag+1b3

BUCKET_ID:  0xc2_7_Udfn_nt!ExFreePoolWithTag+1b3

Followup: MachineOwner
---------

[Copilot]

@copilot
This BSOD happens after applying the latest changes when it makes some progress in downloading a game via SteamCMD:

...

The current crash (BAD_POOL_CALLER 0xC2 / arg1=7 = double-free) gives us the second free (via MiDeleteSegmentPages) but hides where the first free happened. The Windows MM deferred-segment thread is a red herring in the stack — the real culprit is something in the driver that freed FCB_NONPAGED while the cache/section manager still held a reference to it via FcbNonpaged->SegmentObject.

Yes, Driver Verifier with special pool will find it. Here's the specific configuration:

1. Run verifier /standard /driver udfs.sys (or tick "Special pool" + "Pool tracking" in the GUI). For the tightest attribution, also pass /flags 0x9 (standard + I/O verification).
2. If you want to narrow it to just the Udfn pool tag: verifier /flags 0x8 /PoolTags Udfn /driver udfs.sys.
3. With special pool active, every freed Udfn pool block (FCB_NONPAGED) is immediately backed by a no-access guard page. The first use-after-free (or premature second free) will trap right at the faulting instruction with a full stack trace pointing to the UDFS function responsible, rather than deferring to MiDereferenceSegmentThread.

The resulting bugcheck will include a stack showing the exact UDFS call site — which should reveal whether the FCB teardown is racing with cache teardown, or whether there is a reference-count imbalance somewhere in the FCB lifecycle code.

Note: since VAT is not active on a VHD, the bitmap/allocation changes are the only significant runtime difference. If the Driver Verifier trap points into one of the new chunked-bitmap helpers (e.g., UDFChunkedSetBitRange / UDFChunkedClrBitRange), please share the new bugcheck output and I'll address it directly.

@copilot
This BSOD happens after applying the latest changes when it makes some progress in downloading a game via SteamCMD:

...

The pool tag Udfn is TAG_FCB_NONPAGED = 'nfdU' (defined in struct.h:1005), which UDFS uses for the FCB_NONPAGED structure (contains SECTION_OBJECT_POINTERS SegmentObject, ERESOURCE locks, and mutexes). This is a double-free of an FCB_NONPAGED block — unrelated to VAT or bitmaps.

The sequence that leads to MiDeleteSegmentPages raising the BSOD:

1. UDFS double-frees an FCB_NONPAGED via ExFreeToNPagedLookasideList
2. When the lookaside list overflows, the second free returns the block to the system pool (tag Udfn on the free header)
3. MM allocates that same block for SEGMENT/subsection data
4. MiDereferenceSegmentThread eventually frees the MM segment → ExFreePoolWithTag sees the block is already free → BSOD 0xC2/7

Driver Verifier with special pool enabled: YES, this will find it. Special pool places each allocation on its own page backed by a guard page. As soon as UDFS calls ExFreeToNPagedLookasideList on an already-freed FCB_NONPAGED, the guard page triggers an immediate BSOD with the exact UDFS stack, instead of the delayed MM stack you see here. Enable it for udfs.sys specifically (verifier /flags 0x9 /driver udfs.sys for special pool + pool tracking). The resulting crash dump will show the exact UDFS teardown/close/create code path responsible for the second free.

The double-free is in the FCB lifecycle code (create/close/teardown), not in the bitmap changes in this PR. Without Driver Verifier output pinpointing the second-free stack, the exact location is difficult to identify from static analysis alone.

[Zero3K20]

@copilot

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
A device driver attempting to corrupt the system has been caught.  This is
because the driver was specified in the registry as being suspect (by the
administrator) and the kernel has enabled substantial checking of this driver.
If the driver attempts to corrupt the system, bugchecks 0xC4, 0xC1 and 0xA will
be among the most commonly seen crashes.
Arguments:
Arg1: 00000014, the pool the caller is trying to free is already free.
Arg2: 00001b5e, (reserved)
Arg3: 8a9104f0, pool header
Arg4: 00000000, pool header contents

Debugging Details:
------------------


BUGCHECK_STR:  0xc4_14

POOL_ADDRESS:  00000000 

DEFAULT_BUCKET_ID:  INTEL_CPU_MICROCODE_ZERO

PROCESS_NAME:  7zG.exe

CURRENT_IRQL:  2

LAST_CONTROL_TRANSFER:  from 8351b407 to 834a0788

STACK_TEXT:  
87f8b2e4 8351b407 00000003 bb23c4c1 00000065 nt!RtlpBreakWithStatusInstruction
87f8b334 8351bf04 00000003 8a9104f0 83406d74 nt!KiBugCheckDebugBreak+0x1c
87f8b6f8 8351b2a4 000000c4 00000014 00001b5e nt!KeBugCheck2+0x68a
87f8b718 83793c24 000000c4 00000014 00001b5e nt!KeBugCheckEx+0x1e
87f8b740 8377ff87 00000001 87f8b76c 87f8b760 nt!ExFreePoolSanityChecks+0x2d
87f8b750 8377ff52 8a9104f8 00000000 87f8b778 nt!VerifierExFreePoolWithTag+0x27
87f8b760 942326b9 8a9104f8 87f8b784 8a910514 nt!VerifierExFreePool+0x1f
87f8b778 94245149 8a9104f8 87f8b908 87f8b844 udfs!UDFDirIndexFree+0x79 [D:\reactos\drivers\filesystems\udfs\udf_info\dirtree.cpp @ 110]
87f8b834 9427625c 8b8aa5f0 8b045ed0 87f8b9b0 udfs!UDFCleanUpFile__+0x739 [D:\reactos\drivers\filesystems\udfs\udf_info\udf_info.cpp @ 2619]
87f8b920 94251c03 8a8b2f78 98a42568 00000000 udfs!UDFTeardownStructures+0x72c [D:\reactos\drivers\filesystems\udfs\strucsup.cpp @ 562]
87f8b9c8 9427695a 8a8b2f78 8c2ff290 00000000 udfs!UDFCommonClose+0x403 [D:\reactos\drivers\filesystems\udfs\close.cpp @ 213]
87f8ba54 8377e4d9 8b8aa520 8c2ff290 00000000 udfs!UDFFsdDispatch+0x18a [D:\reactos\drivers\filesystems\udfs\udfdata.cpp @ 163]
87f8ba78 83471ed9 85971562 8c2ff290 8b8aa520 nt!IovCallDriver+0x73
87f8ba8c 85971562 8b8a7440 8c2ff290 00000000 nt!IofCallDriver+0x1b
87f8bab0 85971721 87f8bad0 8b8a7440 00000000 fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x2b0
87f8bae8 8377e4d9 8b8a7440 8c2ff290 8c2ff290 fltmgr!FltpDispatch+0xc5
87f8bb0c 83471ed9 836781ce 8b8aa524 8b8a7440 nt!IovCallDriver+0x73
87f8bb20 836781ce 856ed6e0 8b02f030 00000000 nt!IofCallDriver+0x1b
87f8bb64 83668b30 8b02f048 8b02f048 8b02f030 nt!IopDeleteFile+0x10c
87f8bb7c 8349e1e0 00000000 0000014c 8b02f030 nt!ObpRemoveObjectRoutine+0x59
87f8bb90 8349e150 8b02f048 8368beb1 94cf1388 nt!ObfDereferenceObjectWithTag+0x88
87f8bb98 8368beb1 94cf1388 8c231148 0000014c nt!ObfDereferenceObject+0xd
87f8bbdc 8368bbc5 94cf1388 94c73298 8bdf5118 nt!ObpCloseHandleTableEntry+0x22f
87f8bc0c 8368bf71 8bdf5118 8c231101 0256f530 nt!ObpCloseHandle+0x7f
87f8bc28 83478a3a 0000014c 0256f5a4 77ad6b94 nt!NtClose+0x4e
87f8bc28 77ad6b94 0000014c 0256f5a4 77ad6b94 nt!KiSystemServicePostCall
0256f520 77ad4fbc 75b37bdd 0000014c 011483f8 ntdll!KiFastSystemCallRet
0256f524 75b37bdd 0000014c 011483f8 75ecb543 ntdll!NtClose+0xc
0256f5a4 01315aeb 0030cc30 00000010 01148918 KERNELBASE!SetFileAttributesW+0x17d
WARNING: Stack unwind information not available. Following frames may be wrong.
0256f5dc 01325fb9 01148918 01148850 01324ba7 7zG+0x5aeb
0256f644 0132564d 0256f68c 0256f693 00000000 7zG+0x15fb9
0256f684 6f0fae13 00000000 0100010a 0256f764 7zG+0x1564d
0256f780 013322b9 01148f80 0116c468 000001e3 7z!SetCodecs+0x41361
0256f868 0133184d 00000000 00000000 01148850 7zG+0x222b9
0256fa10 013579f3 0013f878 0013f890 0013f89c 7zG+0x2184d
0256faa0 0134d5f3 00000000 0013f100 01148850 7zG+0x479f3
0256faf4 0134d593 00000000 00000000 01148850 7zG+0x3d5f3
0256fb18 76651287 0013f100 049ececd 00000000 7zG+0x3d593
0256fb50 76651328 0256fb64 75edef3c 01148850 msvcrt!_endthreadex+0x44
0256fb58 75edef3c 01148850 0256fba4 77af360c msvcrt!_endthreadex+0xce
0256fb64 77af360c 01148850 75e143e4 00000000 kernel32!BaseThreadInitThunk+0xe
0256fba4 77af35df 766512e5 01148850 00000000 ntdll!__RtlUserThreadStart+0x70
0256fbbc 00000000 766512e5 01148850 00000000 ntdll!_RtlUserThreadStart+0x1b


STACK_COMMAND:  kb

FOLLOWUP_IP: 
udfs!UDFDirIndexFree+79 [D:\reactos\drivers\filesystems\udfs\udf_info\dirtree.cpp @ 110]
942326b9 3bf4            cmp     esi,esp

FAULTING_SOURCE_CODE:  
   106:     if (!hDirNdx) return;
   107:     for(k=0; k<hDirNdx->FrameCount; k++, FrameList++) {
   108:         if (*FrameList) MyFreePool__(*FrameList);
   109:     }
>  110:     MyFreePool__(hDirNdx);
   111: } // UDFDirIndexFree();
   112: 
   113: /*
   114:     This routine grows DirIndex array
   115:  */


SYMBOL_STACK_INDEX:  7

SYMBOL_NAME:  udfs!UDFDirIndexFree+79

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: udfs

IMAGE_NAME:  udfs.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  69f3a37f

FAILURE_BUCKET_ID:  0xc4_14_VRF_udfs!UDFDirIndexFree+79

BUCKET_ID:  0xc4_14_VRF_udfs!UDFDirIndexFree+79

Followup: MachineOwner
---------