TweetFollow Us on Twitter

March 96 - KON & BAL'S PUZZLE PAGE: Printing, Patching, and Fonts

KON & BAL'S PUZZLE PAGE: Printing, Patching, and Fonts

Dave Hersey and Cameron Esfahani

See if you can solve this programming puzzle, presented in the form of a dialog between guest puzzlers Dave Hersey and Cameron Esfahani (cam). The dialog gives clues to help you. Keep guessing until you're done; your score is the number to the left of the clue that gave you the correct answer. Even if you never run into the particular problems being solved here, you'll learn some valuable debugging techniques that will help you solve your own programming conundrums.

Dave Hey cam, it's kinda quiet. Where are KON and BAL?

cam Since the local salad bar closed, I haven't seen KON. BAL disappeared after he left the video game industry. Have you been getting enough sleep? You look tired.

Dave I've been under a lot of pressure to track down this bug.

cam Maybe I can help. What's the problem?

Dave I have a Power Mac 6100/66 running System 7.5 with QuickDraw GX 1.1. When I try to print from a word processor, I get the message "The application has unexpectedly quit, because an error of type 11 occurred." What's an error of type 11?

cam That's an unhandled exception from native code. What word processor are you using?

Dave Um, a very large one in a very large office suite from a very large company up north.

cam Have you updated to version 1.1.3 of QuickDraw GX?

Dave Yeah. The problem still happens.

cam Does it happen on any other machine?

Dave Yes. It crashes on any Power Mac but works fine on 680x0 machines.

cam Hmm. Is the word processor native on the Power Mac?

Dave Yes -- it's fat.

cam It sure is. But I have the same version of system software and the same word processor, yet my machine doesn't crash.

Dave Well, I have a standard system installed, but I added a bunch of whizzy fonts.

cam If I install one of your fonts, will my machine crash?

Dave Sometimes. If you install all my fonts, it crashes all the time.

cam That's easy, then: bad fonts. Here, take out this Thingamajigs font.

Dave No way, man. This is a standard bitmap-only font. It should work. Ike's machine doesn't have Thingamajigs on it and his machine still crashes.

cam Does he have bitmap-only fonts installed?

Dave Yes.

cam At what point in the printing process do you crash?

Dave The crash occurs just as the application starts spooling the print file.

cam Is this word processor QuickDraw GX-aware?

Dave Yes. It has support for the new QuickDraw GX print dialogs, and it calls the QuickDraw GX translator to translate QuickDraw drawing commands into QuickDraw GX shapes during printing.

cam Good for them. Have you tried to reproduce the crash with other QuickDraw GX-aware applications?

Dave Yup. I tried to reproduce it with several QuickDraw GX-aware and QuickDraw GX-savvy applications. No luck.

cam Try running the 680x0 version of this program on your Power Mac. It will be slow and piggy, but try it anyway.

Dave The problem went away! So, the crash seems to have something to do with the PowerPC code in this application.

cam Hmm. Let's install MacsBug and take a look at this from the debugger.

Dave I tried that before, but I couldn't see any symbols in the PowerPC code where it crashes. I couldn't tell which routine the PC was in.

cam You should install the new version of MacsBug. Version 6.5.2 understands native exceptions and can use embedded symbols.

Dave Nifty. . . . OK, I've done that. But I still crash.

cam Why do you crash? Type how.

Dave MacsBug claims that there was a "PowerPC access exception at 001DB030 ConstructNFNTDirectory+002B4."

cam What does ConstructNFNTDirectory do? Hey, wait, there's Alex Beaman. Alex, can you help us out here?

Alex Sure. QuickDraw GX views all fonts as type 'sfnt'. It's really elegant: ConstructNFNTDirectory will make an NFNT font appear to have an 'sfnt' directory. It can build either just the directory header or the entire directory, and this is controlled by a Boolean parameter passed into the function. OK, gotta run!

Dave Thanks, Alex. When I disassemble ConstructNFNTDirectory with MacsBug, I get this:

ilp ConstructNFNTDirectory
 Disassembling PowerPC code from ConstructNFNTDirectory
  ConstructNFNTDirectory
    +00000 001DAD7C stmw        r14,-0x0048(SP)
    +00004 001DAD80 mflr        r0
    +00008 001DAD84 clrlwi      r27,r5,0x18
    +0000C 001DAD88 addi        r28,r3,0x0000
    +00010 001DAD8C mfcr        r12
    ...
    +00060 001DADDC addi        r3,r30,0x0000
    +00064 001DADE0 addi        r4,r28,0x0000
    +00068 001DADE4 bl          GetNoLoadResource
    ...
    +000E4 001DAE60 addi        r3,r20,0x0000
    +000E8 001DAE64 bl          ComputeSearchFields
    +000EC 001DAE68 crmove      cr7_SO,cr7_SO
    +000F0 001DAE6C cmpwi       cr2,r27,0x0000
    ...
    +002B4 001DB030  *lwzx      r5,r19,r5
    ...
    +002F0 001DB06C lhz         r5,0x0004(r20)
    +002F4 001DB070 li          r16,0x0001
    +002F8 001DB074 addic       r5,r5,0x0001
    +002FC 001DB078 sth         r5,0x0004(r20)
    +00300 001DB07C beq         cr2,ConstructNFNTDirectory+00324
    ...
    +003C8 001DB144 addic       SP,SP,0x00A0
    +003CC 001DB148 mtcrf       0x38,r12
    +003D0 001DB14C mtlr        r0
    +003D4 001DB150 lmw         r16,-0x0040(SP)
    +003D8 001DB154 blr
cam An access exception means we're trying to read or write to an invalid address. That, of course, could be caused by many things, such as uninitialized variables or trashed memory. Let's check the heaps with hc.

Dave Both the system heap and the application heap are fine.

cam OK, I restart the program and use brp in MacsBug to set a breakpoint at ConstructNFNTDirectory. brp is just like br, except it works for PowerPC code. After I start printing and the breakpoint is hit, I step through this function to follow the code flow.

Dave At offset 0x0300 you don't take that branch, and you eventually begin executing code that will corrupt the QuickDraw GX heap.

cam But that's wrong -- we should've taken that branch. The caller didn't ask ConstructNFNTDirectory to create the entire directory, just its header; it didn't allocate enough space for all of it. Check the heaps again.

Dave The heaps seem fine. QuickDraw GX allocates out of its own heap, which MacsBug doesn't know about. Even if it did know about it, it wouldn't be able to tell us if the heap was corrupt, as QuickDraw GX has its own memory manager.

cam Darn, memory corruption bugs are the worst. You can trash memory and not see the effects of it until you're miles away from that code. OK, why didn't it take the branch at offset 0x0300?

Dave Well, CR2 is true, so the branch won't be taken.

cam How can you tell that CR2 is true?

Dave The PowerPC chip has eight condition register fields, CR0 through CR7, stored in nibbles in a 32-bit condition register (Dave Evans talked about this in his column in develop Issue 21). So the value of CR2 would be bits 8 through 11 of the condition register. The chip has its bits numbered from 0 through 31, from left to right. We can tell that CR2 contains a true value because its second logical bit isn't set. That bit corresponds to the equals operator, so the fact that it's 0 means the operation that set this register was not equal.

cam Who sets up CR2?

Dave The code at offset 0x00F0. As Alex mentioned, one of the parameters to this function is a Boolean that controls whether the whole directory is created or only the header. Because this parameter is a Boolean, the PowerPC processor can just compare it against 0 and use the result as a flag for later branches. Parameters passed in PowerPC code are put from left to right into registers R3 through R10; since this parameter is the third parameter to the function, it's passed to the routine in register R5. (A much better description of this is in Inside Macintosh: PowerPC System Software.)

cam I love this chip. I'll reexecute the program and get back to the start of this function and examine CR2.

Dave It starts out false.

cam So someone's trashing it along the way. Well, we can't use some of our normal tricks for detecting when memory gets trashed. One problem is that step spy doesn't work yet for PowerPC. Another problem is that we would want to step spy on CR2, which is a register, and step spy never worked on registers. We'll have to do this the hard way: let's step through this function, watching CR2 to see just when it gets changed.

Dave The subroutine GetNoLoadResource at offset 0x0068 changes CR2 from false to true. GetNoLoadResource is a wrapper to GetResource.

cam I restart the program and trace over the GetResource call.

Dave Yep, that's the function that trashes CR2.

cam Is it legal for the compiler to rely on CR2 being preserved across function calls?

Dave Yes. According to the PowerPC ABI (Application Binary Interface) documentation -- section 3.6 in the first edition -- CR2 through CR5 are nonvolatile and need to be saved across function calls.

cam Look at the code for GetResource. Since in System 7.5 GetResource is a native trap with a routine descriptor, I can use the MacsBug dcmd drd to dump that out. Here's what I get:

drd GetResource
 The RoutineDescriptor at:      011EDFEC
    Mixed Mode Magic Trap: AAFE, version: 07,
    routine descriptor flags: 00 (NotIndexable),
    loadLocation: 00000000, reserved2: 00,
    selectorInfo: 00 (No Selector),
    routine count: 0000
    --- Routine Record 00000000 -----
    procInfo: 000002F0, reserved1: 00, ISAType: 01 (kPowerPCISA),
    Routine Flags: 0004 (IsAbsolute, IsPrepared, NativeISA,
        PassSelector, IsNotDefault), procPtr: 01219EEC,
    storedOffset: 00000000, selector: 00000000
Dave There's only one routine associated with the trap and it's the native implementation.

cam Where's that function? On the Power Mac, every ProcPtr is actually a data structure that contains the routine's real address and TOC. This is called a TVector (transition vector). This allows every fragment to have its own globals, because the correct TOC gets loaded for each routine by the runtime environment. So, to find the routine's address, you need to dereference the ProcPtr.

WH 1219EEC^

Address 00E77B78 is in the "Porky WProcessor" heap at 00DFC430 
The address is in a CFM fragment "Porky WProcessor" [non-write exec]
It is 00073058 bytes into this heap block:
  Start      Length      Tag  Mstr  Ptr  Lock Prg Type ID  File Name
* 00E04B20   003D35D8+0C N
Dave Apparently it's in the heap of the application.

cam So this program is patching GetResource. At least they have a native patch -- a good habit these days because you don't know what traps will go native from now on. If you're patching native PowerPC code with 680x0 code, performance-sensitive code will run slower. For this reason, you should make all of your patches fat. Let's disassemble the patch on GetResource.

ilp 1219eec^
 Disassembling PowerPC code from 1219eec^
  No procedure name
        00E77B78    stwu    SP,-0x0058(SP)
        00E77B7C    mflr    r12 
        00E77B80    stw     r12,0x0060(SP)
        00E77B84    stmw    r26,0x0040(SP)
        00E77B88    stw     r3,0x0070(SP)
        00E77B8C    sth     r4,0x0074(SP)
        00E77B90    extsh   r4,r4
        00E77B94    lis     r5,0x4D42
        00E77B98    ori     r5,r5,0x4446
        00E77B9C    cmplw   cr2,r3,r5
        ...
        00E77C10    lmw     r26,0x0040(SP)
        00E77C14    lwz     r12,0x0060(SP)
        00E77C18    mtlr    r12
        00E77C1C    addic   SP,SP,0x0058
        00E77C20    blr
Dave At 0x00E77B9C they do a compare and store the result in CR2. However, they don't save and restore CR2 across this function, so it's trashed when we return to ConstructNFNTDirectory.

cam OK, I restart the program and manually save and restore the value of CR2 across the GetResource calls. I do this by futzing with bit 2 in CR2.

Dave Everything prints fine.

cam It looks like a compiler bug. Either they shouldn't be using CR2 or they should be preserving it. In any case, the GetResource patch is trashing CR2, and that changes a Boolean which causes us to read in extra data. The caller never allocated enough space for the extra data, so the QuickDraw GX heap gets corrupted.

Dave Holy cow! A compiler bug. Shouldn't we notify the compiler developer?

cam Well, this company has their own in-house development tools group. They write their own compilers, linkers, and debuggers. We should contact them anyway, so that they can create a patch that fixes this problem. [This patch, "Office4.2x Update for Power Mac," is now available on most online services.]

Dave Why are they patching GetResource?

cam It looks like they were looking for resources of type 'MBDF' (menu bar definition procedures). I can tell this from the instructions at addresses 0x00E77B94 through 0x00E77B9C. The PowerPC architecture has a limitation of 16 bits on the size of an immediate constant. So, if you wanted to compare a value against a 32-bit constant, you would have to build the 32-bit value with two instructions. This is what occurs at addresses 0x00E77B94 and 0x00E77B98, where they insert 0x4D42 and 0x4446 together into a 32-bit value. If you look at the ASCII of this constant, it's 'MBDF'. At address 0x00E77B9C, they compare this constant to the resource type parameter passed to GetResource. Since that parameter is the first parameter, it will be in register R3.

Dave Why didn't we crash when we had only one NFNT font installed?

cam This patch would cause ConstructNFNTDirectory to always overwrite the buffer passed in. But that wouldn't always cause your machine to freak out. By adding enough NFNT fonts, we trashed the QuickDraw GX heap significantly enough to cause the crash.

Dave Wow, all this and it was an application patch that caused the problem! It sure would have been cool if we could have used the patch dcmd.

cam Yeah. The patch dcmd does works on the Power Mac -- but we didn't know that was the problem when we started.

Dave It's interesting that it was an application bug. That would explain why I crash in a spreadsheet application by the same company. They share the same patch.

cam Nasty.

Dave Yeah.

DAVE HERSEY (AppleLink HERSEY) works in the QuickDraw GX PrintShop level 4 bio-containment facility, thousands of feet beneath the Cupertino R&D campus. There, he develops PowerPC-native QuickDraw GX printing code, works on Copland, and relaxes by dabbling with an occasional hot agent over lunch.*

CAMERON ESFAHANI (AppleLink DIRTY, Internet dirty@powertalk.apple.com) is the shortest member of the Graphics team at Apple. To add a few more inches to his height, he sometimes wears roller blades in meetings. If that doesn't help, he has been known to don his large purple hat with sparkles.*

SCORING

80-100 You could have a promising career writing compilers for a company up north.

45-70 Dr. MacsBug could always use another assistant.

25-40 Don't worry, it took us a while to figure it out too.

5-20 Visual Basic fan, are you?*

Thanks to Alex Beaman, Tom Dowdy, Ron Voss, KON (Konstantin Othmer), and BAL (Bruce Leak) for reviewing this column.*

 
AAPL
$111.78
Apple Inc.
-0.87
MSFT
$47.66
Microsoft Corpora
+0.14
GOOG
$516.35
Google Inc.
+5.25

MacTech Search:
Community Search:

Software Updates via MacUpdate

NeoOffice 2014.6 - Mac-tailored, OpenOff...
NeoOffice is a complete office suite for OS X. With NeoOffice, users can view, edit, and save OpenOffice documents, PDF files, and most Microsoft Word, Excel, and PowerPoint documents. NeoOffice 3.x... Read more
LibreOffice 4.3.5.2 - Free Open Source o...
LibreOffice is an office suite (word processor, spreadsheet, presentations, drawing tool) compatible with other major office suites. The Document Foundation is coordinating development and... Read more
CleanApp 5.0.0 Beta 5 - Application dein...
CleanApp is an application deinstaller and archiver.... Your hard drive gets fuller day by day, but do you know why? CleanApp 5 provides you with insights how to reclaim disk space. There are... Read more
Monolingual 1.6.2 - Remove unwanted OS X...
Monolingual is a program for removing unnecesary language resources from OS X, in order to reclaim several hundred megabytes of disk space. It requires a 64-bit capable Intel-based Mac and at least... Read more
NetShade 6.1 - Browse privately using an...
NetShade is an Internet security tool that conceals your IP address on the web. NetShade routes your Web connection through either a public anonymous proxy server, or one of NetShade's own dedicated... Read more
calibre 2.13 - Complete e-library manage...
Calibre is a complete e-book library manager. Organize your collection, convert your books to multiple formats, and sync with all of your devices. Let Calibre be your multi-tasking digital librarian... Read more
Mellel 3.3.7 - Powerful word processor w...
Mellel is the leading word processor for OS X and has been widely considered the industry standard since its inception. Mellel focuses on writers and scholars for technical writing and multilingual... Read more
ScreenFlow 5.0.1 - Create screen recordi...
Save 10% with the exclusive MacUpdate coupon code: AFMacUpdate10 Buy now! ScreenFlow is powerful, easy-to-use screencasting software for the Mac. With ScreenFlow you can record the contents of your... Read more
Simon 4.0 - Monitor changes and crashes...
Simon monitors websites and alerts you of crashes and changes. Select pages to monitor, choose your alert options, and customize your settings. Simon does the rest. Keep a watchful eye on your... Read more
BBEdit 11.0.2 - Powerful text and HTML e...
BBEdit is the leading professional HTML and text editor for the Mac. Specifically crafted in response to the needs of Web authors and software developers, this award-winning product provides a... Read more

Latest Forum Discussions

See All

Make your own Tribez Figures (and More)...
Make your own Tribez Figures (and More) with Toyze Posted by Jessica Fisher on December 19th, 2014 [ permalink ] Universal App - Designed for iPhone and iPad | Read more »
So Many Holiday iOS Sales Oh My Goodness...
The holiday season is in full-swing, which means a whole lot of iOS apps and games are going on sale. A bunch already have, in fact. Naturally this means we’re putting together a hand-picked list of the best discounts and sales we can find in order... | Read more »
It’s Bird vs. Bird in the New PvP Mode f...
It’s Bird vs. Bird in the New PvP Mode for Angry Birds Epic Posted by Jessica Fisher on December 19th, 2014 [ permalink ] Universal App - Designed for iPhone and iPad | Read more »
Telltale Games and Mojang Announce Minec...
Telltale Games and Mojang Announce Minecraft: Story Mode – A Telltale Games Series Posted by Jessica Fisher on December 19th, 2014 [ permalink ] | Read more »
WarChest and Splash Damage Annouce Their...
WarChest and Splash Damage Annouce Their New Game: Tempo Posted by Jessica Fisher on December 19th, 2014 [ permalink ] WarChest Ltd and Splash Damage Ltd are teaming up again to work | Read more »
BulkyPix Celebrates its 6th Anniversary...
BulkyPix Celebrates its 6th Anniversary with a Bunch of Free Games Posted by Jessica Fisher on December 19th, 2014 [ permalink ] BulkyPix has | Read more »
Indulge in Japanese cuisine in Cooking F...
Indulge in Japanese cuisine in Cooking Fever’s new sushi-themed update Posted by Simon Reed on December 19th, 2014 [ permalink ] Lithuanian developer Nordcurrent has yet again updated its restaurant simulat | Read more »
Badland Daydream Level Pack Arrives to C...
Badland Daydream Level Pack Arrives to Celebrate 20 Million Downloads Posted by Ellis Spice on December 19th, 2014 [ permalink ] | Read more »
Far Cry 4, Assassin’s Creed Unity, Desti...
Far Cry 4, Assassin’s Creed Unity, Destiny, and Beyond – AppSpy Takes a Look at AAA Companion Apps Posted by Rob Rich on December 19th, 2014 [ permalink ] These day | Read more »
A Bunch of Halfbrick Games Are Going Fre...
A Bunch of Halfbrick Games Are Going Free for the Holidays Posted by Ellis Spice on December 19th, 2014 [ permalink ] Universal App - Designed for iPhone and iPad | Read more »

Price Scanner via MacPrices.net

13-inch 2.6GHz Retina MacBook Pro on sale for...
Best Buy has lowered their price on the 2014 13″ 2.6GHz/128GB Retina MacBook Pro to $1149.99 on their online store for a limited time. That’s $150 off MSRP and the lowest price available for this... Read more
Kodak Returns to CES With New Consumer Produ...
Former photography colossus Kodak is returning to CES for the first time in three years where the Kodak booth (#21818 South Hall 1) will showcase a wide range of innovative, imaging-related products... Read more
Invaluable Launches New Eponymously -Named A...
Invaluable, the world’s largest online live auction marketplace, hhas announced the official launch of the Invaluable app for iPad, now available for download in the iTunes App Store. Invaluable... Read more
IDC Reveals Worldwide Mobile Enterprise Appli...
International Data Corporation (IDC) last week hosted the IDC FutureScape: Worldwide Mobile Enterprise Applications and Solutions 2015 Predictions Web conference. The session provided organizations... Read more
Hello Vino Wine App Launches “Safe Ride Home”...
Hello Vino has announced addition of a new “Get a Safe Ride Home” feature in its Food & Drink app with a direct connection to Uber, the technology platform that connects users with rides. The... Read more
DEVON-technologies Releases DEVONthink To Go...
Coeur d’Alene, Idaho based DEVON-technologies, LLC has updated DEVONthink To Go, its mobile companion to DEVONthink, to version 1.5. The update includes an iOS 8 extension, compatibility with the... Read more
The Apple Store offering free next-day shippi...
The Apple Store is now offering free next-day shipping on all in stock items if ordered before 12/23/14 at 10:00am PT. Local store pickup is also available within an hour of ordering for any in stock... Read more
It’s 1992 Again At Sony Pictures, Except For...
Techcrunch’s John Biggs interviewed a Sony Pictures Entertainment (SPE) employee, who quite understandably wished to remain anonymous, regarding post-hack conditions in SPE’s L.A office, explaining “... Read more
OtterBox Defender Series Case For iPad mini 3...
With their innovative Touch ID technology and ultrathin profile, the latest tranche of Apple iPads are more desirable than ever, and OtterBox has just announced the Defender Series custom-engineered... Read more
Holiday sales this weekend: MacBook Pros for...
 B&H Photo has new MacBook Pros on sale for up to $300 off MSRP as part of their Holiday pricing. Shipping is free, and B&H charges NY sales tax only: - 15″ 2.2GHz Retina MacBook Pro: $1699... Read more

Jobs Board

*Apple* Store Leader Program (US) - Apple, I...
…Summary Learn and grow as you explore the art of leadership at the Apple Store. You'll master our retail business inside and out through training, hands-on experience, Read more
Project Manager, *Apple* Financial Services...
**Job Summary** Apple Financial Services (AFS) offers consumers, businesses and educational institutions ways to finance Apple purchases. We work with national and Read more
*Apple* Retail - Multiple Positions (US) - A...
Sales Specialist - Retail Customer Service and Sales Transform Apple Store visitors into loyal Apple customers. When customers enter the store, you're also the Read more
*Apple* Retail - Multiple Positions (US) - A...
Sales Specialist - Retail Customer Service and Sales Transform Apple Store visitors into loyal Apple customers. When customers enter the store, you're also the Read more
*Apple* Retail - Multiple Positions (US) - A...
Job Description: Sales Specialist - Retail Customer Service and Sales Transform Apple Store visitors into loyal Apple customers. When customers enter the store, Read more
All contents are Copyright 1984-2011 by Xplain Corporation. All rights reserved. Theme designed by Icreon.