

A colleague made some code changes that should not have had any effect on the generated binary. Specifically, they migrated from the NDIS_STRING_CONST macro to the more type-safe RTL_CONSTANT_STRING macro. The two macros produce the same results at the end of the day, so the expectation was that this would not result in any change to the binary.
But they found a change to the binary.
Specifically, four functions changed, and what is particularly strange is that none of them involved the macro changes. Three of the functions are in one source file, and the fourth is in a source file that wasn’t even touched!
The changes looked like this:
| Before | After |
|---|---|
| contoso!EvtWdfWidgetContextCleanup | |
| mov rax, [contoso!WdfFunctions_01031] lea rcx, [??_C@__0DK@MPBCIIPN@...] mov [rsp+20h], rcx mov r9d, 62Bh mov r8d, 52467443h mov rcx, [contoso!WdfDriverGlobals] mov rdx, rbx mov rax, [rax+670h] call __guard_dispatch_call |
mov rax, [contoso!WdfFunctions_01031] lea rcx, [??_C@__0DK@MPBCIIPN@...] mov [rsp+20h], rcx mov r9d, 62Ah mov r8d, 52467443h mov rcx, [contoso!WdfDriverGlobals] mov rdx, rbx mov rax, [rax+670h] call __guard_dispatch_call |
| contoso!Function2 | |
| mov rax, [contoso!WdfFunctions_01031] lea rcx, [??_C@__0DK@MPBCIIPN@...] mov [rsp+20h], rcx mov r9d, 616h mov rcx, [contoso!WdfDriverGlobals] mov r8d, 52467443h mov rdx, rdi mov rax, [rax+668h] call __guard_dispatch_call |
mov rax, [contoso!WdfFunctions_01031] lea rcx, [??_C@__0DK@MPBCIIPN@...] mov [rsp+20h], rcx mov r9d, 615h mov rcx, [contoso!WdfDriverGlobals] mov r8d, 52467443h mov rdx, rdi mov rax, [rax+668h] call __guard_dispatch_call |
| contoso!Function3 | |
| mov rax, [contoso!WdfFunctions_01031] lea rcx, [??_C@__0DK@MPBCIIPN@...] mov [r11-20h], rcx xor r8d, r8d mov rcx, [contoso!WdfDriverGlobals] mov r9d, 35Dh mov rax, [rax+0DB0h] call __guard_dispatch_call |
mov rax, [contoso!WdfFunctions_01031] lea rcx, [??_C@__0DK@MPBCIIPN@...] mov [r11-20h], rcx xor r8d, r8d mov rcx, [contoso!WdfDriverGlobals] mov r9d, 35Ch mov rax, [rax+0DB0h] call __guard_dispatch_call |
| contoso!Function4 | |
| mov rax, [contoso!WdfFunctions_01031] lea rcx, [??_C@__0DK@MPBCIIPN@...] mov rdx, [rbp+8] mov r9d, 377h mov [rsp+20h], rcx mov r8d, 49507443h mov rcx, [contoso!WdfDriverGlobals] mov rax, [rax+0DB8h] call __guard_dispatch_call |
mov rax, [contoso!WdfFunctions_01031] lea rcx, [??_C@__0DK@MPBCIIPN@...] mov rdx, [rbp+8] mov r9d, 376h mov [rsp+20h], rcx mov r8d, 49507443h mov rcx, [contoso!WdfDriverGlobals] mov rax, [rax+0DB8h] call __guard_dispatch_call |
In all of the cases, the change is that a single integer changed to a value one smaller.
My colleague asked an LLM to explain this change, and it suggested that the changes were related to control flow guard metadata. Does this make sense?
It didn’t make sense to me, on two points. First, for the guard dispatch call, the only parameter to control flow guard is the rax register, which is the function being checked. All the other registers contain the parameters to the called function. Since the changes are to the r9d register, they are not related to control flow guard.
Second, the control flow guard metadata is not stored in code. It’s stored as a data block inside the binary.
So what are we seeing?
I took a look a EvtWdfWidgetContextCleanup.
void EvtWdfWidgetContextCleanup(_In_ WDFOBJECT Object)
{
auto widgetContext = GetContextFromWidgetHandle(Object);
if (widgetContext->NeedsDereference)
{
widgetContext->NeedsDereference = FALSE;
WdfObjectDereferenceWithTag(Object, CONTOSO_WIDGET_TAG);
}
}
The compiler points to the WdfObjectDereferenceWithTag as the location of the change. And we see that it is defined as a macro:
#define WdfObjectDereferenceWithTag(Handle, Tag) \
WdfObjectDereferenceActual(Handle, Tag, __LINE__, __FILE__)
which is itself an inline function:
_IRQL_requires_max_(DISPATCH_LEVEL)
VOID
FORCEINLINE
WdfObjectReferenceActual(
_In_
WDFOBJECT Handle,
_In_opt_
PVOID Tag,
_In_
LONG Line,
_In_z_
PCCH File
)
{
((PFN_WDFOBJECTREFERENCEACTUAL) WdfFunctions[WdfObjectReferenceActualTableIndex])
(WdfDriverGlobals, Handle, Tag, Line, File);
}
The last little detail is that WdfFunctions is a macro that expands to WdfFunctions_01031. The WDF header files give each version a unique name so that mismatched versions lead to a linker error rather than undefined behavior at runtime.
Now we can see how this code maps to the compiler output.
mov rax, [contoso!WdfFunctions_01031] ; WdfFunctions
lea rcx, [??_C@__0DK@MPBCIIPN@...] ; Address of something
mov [rsp+20h], rcx ; is the File parameter
mov r9d, 62Bh ; Line parameter
mov r8d, 52467443h ; Tag parameter
mov rcx, [contoso!WdfDriverGlobals] ; hard-coded parameter
mov rdx, rbx ; Handle parameter
mov rax, [rax+670h] ; Load the function pointer
call __guard_dispatch_call ; Validate and call¹
So the value that changed is the line number.
I went back to the pull request and observed that the pull requested deleted a line from the source file.
#include <strsafe.h>
#include "stringutils.h"
Part of the pull request included deleting the no-longer-needed header because it contained a private definition of the NDIS_STRING_CONST macro, which the code no longer uses.
Deleting a line from the source file causes all the line numbers to shift by one!
So what they were seeing was just a change to the line numbers. No change in functionality.
If they really wanted to make this a “no binary effect” change, they could replace the #include "stringutils.h with a comment or just leave it as a blank line.
Or they could just accept that line numbers can change when you change lines.
Bonus chatter: But wait, I said that three of the changes were in one file, the one with the deleted line, but a fourth was in a file that didn’t change at all. What’s that about?
The fourth function contained a call to a function in the modified file, and link-time code generation decided to inline that call. The changed line number propagated into the inline function and resulted in a code generation change in a file that wasn’t even affected by the pull request.
¹ Recall that in the validate-and-call pattern, the function pointer is passed in the rax register, and everthing else is set up as if you were calling the function yourself.
The post The case of the mysterious changes to integers when there shouldn’t have been any code generation effect appeared first on The Old New Thing.
OpenAI is facing calls for "serious sanctions" after fighting to keep news organizations from snooping through millions of logs to find evidence of users skirting their paywalls by prompting ChatGPT to regurgitate their articles.
This evidence is considered among the most important to both sides, potentially either dooming OpenAI as an infringer or exonerating its chatbot technology as a transformative fair use of news sites' content.
In a sanctions motion Thursday, news organizations suing OpenAI—led by The New York Times—accused the AI firm of repeatedly lying for years to conceal evidence of infringement that could hobble OpenAI's defense.
These alleged lies were exposed when the court compelled an “ill-prepared witness,” OpenAI privacy engineer Vincent Monaco, to be re-deposed. During the subsequent April deposition, he inadvertently revealed that OpenAI misled the court for two years about the cost and burdens of searching ChatGPT logs, NYT’s filing said.
Among the most shocking revelations, OpenAI allegedly pretended from the earliest stages of the case that it did not have the technical ability to search large anonymized samples of ChatGPT logs when it had actually already conducted such searches prior to the start of litigation, NYT alleged.
Sanctions are warranted because “OpenAI's concealment of this fact withheld highly relevant evidence, prolonged discovery, inflated expenses, and burdened the Court,” news plaintiffs alleged.
Asked for comment, an OpenAI spokesperson suggested that NYT's sanctions motion was a late litigation effort to access more logs and infringe more users' privacy. The spokesperson claimed that when the NYT recently dropped some claims in the lawsuit, it was a sign that news plaintiffs' case was crumbling, not OpenAI's defense.
"As the Times’ case weakens and they’ve been forced to drop claims against us, they’re persisting with their efforts to invade the privacy of people who have nothing to do with this case, including by making these blatantly false allegations," OpenAI's spokesperson said. "We'll continue defending our users’ privacy and the long-established principles of fair use.”
However, last month, NYT spokesperson Graham James disputed to Ars that news plaintiffs' case was weakened by dropping claims. He suggested instead the suit was streamlined and strengthened by adding claims against Microsoft. "Our core claims remain the same from the day we filed this lawsuit—that Microsoft and OpenAI stole millions of The Times’s copyrighted works to compete with our products and illegally enrich themselves,” James said.
Although the sanctions motion is heavily redacted, it’s alleged that Monaco testified that OpenAI had two large samples—spanning 10 million and 78 million logs—which had already been de-identified and could have been made available to news plaintiffs early on to maximize the discovery period.
“Not once did OpenAI disclose the existence” of those samples over two years, news plaintiffs alleged.
Even more frustrating to plaintiffs, OpenAI had already searched those samples for NYT content as part of its research into “creating a filter that could be used to block the regurgitation of copyrighted content,” the court filing said.
“OpenAI was willing and able to search its output logs—when it benefitted OpenAI,” NYT alleged, accusing the ChatGPT maker of “making the discovery process as burdensome as possible.”
In a statement to Ars, NYT’s lead counsel, Ian Crosby, suggested that OpenAI obstructed access to logs and distorted evidence to shield its fair use claims.
“For over two years, OpenAI lied to The Times, The Daily News Plaintiffs, the public, and the court,” Crosby said. “It claimed searching ChatGPT outputs for copies of The Times’ and the Daily News Plaintiffs’ content was infeasible, burdensome, and invasive of users' privacy—while at the same time concealing that it had already done such searches. If OpenAI genuinely believed that copying our clients’ journalism was fair and legal, it wouldn’t have hid the truth about having done it.”
Instead of being transparent about the existing samples, OpenAI forced news plaintiffs to spend eight months searching in a “sandbox,” where they could only access a heavily redacted sample of 20 million logs. That sample was much smaller than the 120 million news logs plaintiffs originally requested, allegedly narrowed due to OpenAI’s “false representations regarding its existing technical capabilities” to search larger samples.
“This representation is belied by Mr. Monaco's testimony that OpenAI already had the ability” to search “large datasets, such as the more than 80 million output logs,” NYT alleged.
The 20 million log sample was further “skewed” when OpenAI used AI to make 19 billion redactions to the sample—so many that the court found the sample “unusable.”
Eventually, OpenAI removed some of the redactions, but “even then, a large number of redactions remain, including to News Plaintiffs’ domains, names, and other fields, which has hampered News Plaintiffs’ searches over the data,” NYT alleged.
Meanwhile, “the entire time that OpenAI was engaging in the improper over-redaction of this sample, it had in its possession a sample of 78 million conversations that had already been de-identified,” NYT alleged.
“OpenAI did not just oppose production of this evidence based on burden or relevance; it falsely represented to the Court that obtaining this evidence was beyond its capabilities without the expenditure of and months of work and that it would be just as easy for Plaintiffs to do this work—without disclosing that this work had already been done,” news plaintiffs alleged.
Similarly frustrating were dragged-out meet-and-confers over data searches that news plaintiffs claimed further limited discovery. For example, very close to discovery ending, OpenAI confusingly claimed that the 78 million log samples had been available for inspection for “over a year,” NYT alleged. However, “this makes no sense,” news plaintiffs argued, considering OpenAI’s very public fight to supposedly defend ChatGPT user privacy by blocking access to any logs beyond the 20 million sample.
“Either OpenAI unintentionally produced the dataset and it was so hidden in the training inspection data that even OpenAI did not realize it, or OpenAI knew it buried the dataset in a previous production, but hid that fact from the Court and News Plaintiffs for nearly two years—all the while vigorously arguing that turning over these logs would violate user privacy,” NYT argued.
Additionally, news plaintiffs accused OpenAI of other misconduct to obstruct access to evidence. Although the exact amount is redacted, OpenAI randomly deleted some parts of that limited 20 million sample, they alleged. And that's on top of allegedly deleting or compressing billions of logs that should have been preserved. According to NYT, OpenAI's witness testified that OpenAI simply "decided" that complying with the court's sweeping preservation order to retain all chats "would be hard; and thus took no steps to do so."
“There can be no question as to the wilfulness of OpenAI’s conduct, nor any excuse for its non-compliance. According to Mr. Monaco, OpenAI thought about complying with the Court’s Preservation Order, but then decided not to,” NYT alleged.
News organizations claim that they do not request sanctions against OpenAI “lightly” but that the “severity” of OpenAI’s alleged misconduct requires sanctions to punish the AI firm and deter any other AI firms from following a similar playbook.
Requesting “severe” sanctions, news plaintiffs want the court to prohibit OpenAI from using the 20 million sample that it fought so hard for. They have further asked the court to find that withheld output logs included “substantial” “regurgitation of News Plaintiffs’ copyrighted material” and to block OpenAI from arguing otherwise. Finally, the jury would be instructed that OpenAI deleted billions of logs, which would play into news plaintiffs’ narrative that OpenAI has been moving in shady ways to obscure alleged substitution in the market since the case began.
“Lesser sanctions would not be effective,” news plaintiffs warned. In fact,“serious sanctions are especially appropriate," they said, because OpenAI’s misconduct “was knowing and intentional.”
If the court agrees that OpenAI’s misconduct was “egregious,” OpenAI’s attempt to constrict news organizations’ access to logs could end up being a fatal misstep in this intently watched copyright fight.
Whether training on copyrighted content is fair use will likely depend on whether news organizations can establish market harms, and OpenAI’s defense could be substantially set back if its massively redacted sample is rejected and if that makes it harder to argue substantial infringement did not occur.
Read more of this story at Slashdot.
Read more of this story at Slashdot.
