TweetFollow Us on Twitter

Self Modifying Code
Volume Number:8
Issue Number:4
Column Tag: Article Rebuttal

Self Modifying code is a No-No!

A better way to do an event patch without self-modifying code or Assembly

By Scott T. Boyd, Apple Computer, Inc. and Mike Scanlin, MacTutor Regular Contributing Author

Note: Source code files accompanying article are located on MacTech CD-ROM or source code disks.

Mike Scanlin’s article “Rotten Apple INIT for April Fool’s” brings up a minor but essential point. The GetNextEvent patch looks like:

;1

@first
 Lea    @exitAddress, A0
 Move.L (SP)+,(A0)
 Lea    @eventRecPtr,A0
 Move.L (SP),(A0)
 Pea    @tailPatch

 DCJmpInstruction
@origTrap
 NOP
 NOP

The NOPs get replaced with the original GetNextEvent trap address by the installation code:

;2

 Lea    @origTrap,A1
 Move.L A0,(A1)

Now, consider the processor instruction cache. It’s a piece of the processor which remembers what’s at a set of memory locations. It does this so the CPU won’t have to do a memory access for recently referenced instructions. This is designed to save time. It’s a neat hardware feature.

However, the Macintosh system software doesn’t make a distinction between code and data. That’s different from OSs like Unix, which keep code and data in separate address spaces. When Mike’s code installs the original trap address with the Move.L A0,(A1), it’s putting an address into the middle of a piece of code. Unfortunately, the cache which records the new value is the data cache.

The instruction cache has no clue that instructions just changed. This is one way of doing what’s commonly called “self-modifying code”.

Self-modifying code is, in general, a bad thing to write. Apple has long discouraged, and continues to discourage self-modifying code.

This is bad in this case because the processor, if it were to execute this code right away, might believe (for some unspecified reason) that those memory locations were cached in the instruction cache. If it did, it would pull whatever had been in that location the last time code was executed from that spot, then try to execute whatever was there. The odds that the instruction cache held the value you just put into the data cache are not in your favor.

Contrast that approach with this approach:

;3

@first
 ...

 Move.L @origTrap,A0
 JMP.L  (A0)
 ...

/* branch around this, or put it somewhere else, but don’t let the PC run through 
here */

@origTrap
 NOP
 NOP

While this approach still stores the old address into a piece of code, it’s never referenced as code by the processor. It’s treated specifically as data. The instruction cache never comes into play since the original address is moved as data.

Yet another approach, which also saves a register:

;4

@first
                        ...
                        Move.L@origTrap,-(SP)
                        RTS
                        ...

TN #261: “Cache As Cache Can” discusses this topic in more detail, especially with regard to moving whole chunks of code around.

As it happens, the caches are almost certainly flushed before this particular eight bytes ever get loaded for execution, but that’s a happy coincidence, and not something you should rely on. What’s happening is that we have made several traps flush the caches (guaranteeing that there won’t be any misunderstanding about something being in the instruction cache when it’s not), but we may change our minds about which traps should flush, and when. You shouldn’t count on any given trap’s current cache-flushing behavior.

One final consideration. Putting data into code does not work if code is ever write-protected, and that may happen one day. So where can you put something when you can’t allocate any global storage (e.g., PC-relative data or low-memory globals with a fixed address)? You can use NewGestalt to register a new selector. When you call Gestalt, it can return a value which is actually a pointer (or handle) to your global data. This technique won’t work well if you can’t afford to make the trap call (like from some time-sensitive routine you’ve patched), but it works nicely if you have the time and you want to avoid putting data into your patch code.

Scott T Boyd, Apple Computer, Inc.

Mike Scanlin Says

Scott's point about stale code in the instruction cache is well taken and I deserve a thumping for having written it. I made the poor judgement call that it wouldn't matter in this case because I expected the instruction cache to be flushed between the time the patch installation code finished and the first time the patch code was executed. I hang my head in shame.

As partial retribution (and to satisfy a few requests for a non-assembly version) I have written a trap patching shell in C that doesn't use any self-modifying code (see listing below). It obeys all of the rules except for the one about storing data into a code segment (Scott's solutions have this problem, too, as he mentions). Until we have write-protected code segments, this will not be a problem.

Mike Scanlin

/*********************************************************
 * PatchGNE.c:
 * This INIT installs a patch on GetNextEvent and 
 * SystemEvent that intercepts keyDown and autoKey events. 
 * For this example, the intercepted key events are 
 * converted to lower case if both the capsLock key and the 
 * shiftKey are down (thus making the Mac keyboard behave 
 * like an IBM keyboard). However, you can use this shell to 
 * do generalized event intercepting as well as generalized 
 * trap patching (with no asm and no self-modifying code). 
 * If your patches need globals, put them in the 
 * PatchGlobals struct and initialize them in main.
 * In Think C, set the Project Type to Code Resource, the 
 * File Type to INIT, the Creator to anything, the Type to 
 * INIT, the ID to something like 55 (55 will work but it 
 * doesn't have to be 55), turn Custom Header ON and Attrs 
 * to 20 (purgeable) and Multi Segment OFF.
 *
 * Mike Scanlin. 16 May 1992.
 *********************************************************/

#include "Traps.h"

/**********************************************************
 * typedefs
 *********************************************************/
typedef pascal short (*GNEProcPtr)(short eventMask,
 EventRecord *theEvent);
typedef pascal short (*SEProcPtr)(EventRecord *theEvent);

typedef struct PatchGlobals {
 GNEProcPtr pgOldGNE;
 SEProcPtrpgOldSE;
} PatchGlobals, *PatchGlobalsPtr;

/**********************************************************
 * prototypes
 *********************************************************/
void main(void);
void StartPatchCode(void);
pascal short MyGetNextEvent(short eventMask, EventRecord
 *theEvent); 
pascal short MySystemEvent(EventRecord *theEvent);
void CheckKeyCase(EventRecord *theEvent);
void EndPatchCode(void);

/**********************************************************
 * main:
 * Gets some memory in the system heap and installs the GNE 
 * and SE patches (as well as allocating and initializing 
 * the patc 8.4  Self Modifying Codeutine that gets 
 * executed at startup time (by the INIT mechanism).
 *
 * The block of memory that main allocates will look like 
 * this when main has finished:
 *
 *                   +--------------------+
 *                   |    PatchGlobals    |
 *                   +--------------------+
 *                   |  StartPatchCode()  |
 *  GNE trap addr -> +--------------------+
 *                   |  MyGetNextEvent()  |
 *   SE trap addr -> +--------------------+
 *                   |  MySystemEvent()   |
 *                   +--------------------+
 *                   |   CheckKeyCase()   |
 *                   +--------------------+
 *                   |   EndPatchCode()   |
 *                   +--------------------+
 *
 *********************************************************/
void main()
{
    Ptr             patchPtr;
    PatchGlobalsPtr pgPtr;
    long            codeSize, offset;

    /* try and get some memory in the system heap for code
       and globals */
    codeSize = (long) EndPatchCode - (long) StartPatchCode;
    patchPtr = NewPtrSys(codeSize + sizeof(PatchGlobals));
    if (!patchPtr)
        return; /* out of memory -- abort patching */

    /* initialize the patch globals at the beginning 
       of the block */
    pgPtr = (PatchGlobalsPtr) patchPtr;
    pgPtr->pgOldGNE = (GNEProcPtr)
      GetTrapAddress(_GetNextEvent);
    pgPtr->pgOldSE = (SEProcPtr)
      GetTrapAddress(_SystemEvent);

    /* move the code into place after the globals */
    BlockMove(StartPatchCode, patchPtr +
      sizeof(PatchGlobals), codeSize);

    /* set the patches */
    patchPtr += sizeof(PatchGlobals);
    offset = (long) MyGetNextEvent - (long) StartPatchCode;
    SetTrapAddress((long) patchPtr + offset, _GetNextEvent);
    offset = (long) MySystemEvent - (long) StartPatchCode;
    SetTrapAddress((long) patchPtr + offset, _SystemEvent);
}

/**********************************************************
 * StartPatchCode:
 * Dummy proc to mark the beginning of the code for the 
 * patches.  Make sure all of your patch code is between 
 * here and EndPatchCode.
*********************************************************/
void StartPatchCode()
{
}

/*********************************************************
 * MyGetNextEvent:
 * Tail patch on GetNextEvent.
 *
 * The reason this returns a short instead of a Boolean is 
 * because we need to make sure the low byte of the top word 
 * on the stack is zero because some programs do a Tst.W 
 * (SP)+ when this returns instead of Tst.B (SP)+ like they 
 * should (which is technically their bug but, we might as 
 * well work around it since it's not hard).
 *
 * If you want to eat the event and not pass it on to the 
 * caller then set returnValue to zero.
 *********************************************************/
pascal short MyGetNextEvent(short eventMask,
  EventRecord *theEvent)
{
    PatchGlobalsPtr pgPtr;
    short           returnValue;

    /* find our globals */
    pgPtr = (PatchGlobalsPtr) ((long) StartPatchCode -
      sizeof(PatchGlobals));

    /* call original GNE first */
    returnValue = (*pgPtr->pgOldGNE)(eventMask, theEvent);

    /* do some post-processing */
    CheckKeyCase(theEvent);

    /* return to original caller */
    return (returnValue);
}

/**********************************************************
 * MySystemEvent:
 * Tail patch on SystemEvent.
 *
 * The reason this returns a short instead of a Boolean is 
 * because we need to make sure the low byte of the top word 
 * on the stack is zero because some programs do a Tst.W 
 * (SP)+ when this returns instead of Tst.B (SP)+ like they 
 * should (which is technically their bug but, we might as 
 * well work around it since it's not hard).
 * 
 * We need this patch as well as the one on GetNextEvent 
 * because of desk accessories. If you don't patch 
 * SystemEvent then the patch will not apply to events that 
 * are sent to DAs.
 * 
 * If you want to eat the event and not pass it on to the 
 * caller then set returnValue to zero.
 *********************************************************/
pascal short MySystemEvent(EventRecord *theEvent)
{
    PatchGlobalsPtr pgPtr;
    short           returnValue;

    /* find our globals */
    pgPtr = (PatchGlobalsPtr) ((long) StartPatchCode -
      sizeof(PatchGlobals));

    /* call original GNE first */
    returnValue = (*pgPtr->pgOldSE)(theEvent);

    /* do some post-processing */
    CheckKeyCase(theEvent);

    /* return to original caller */
    return (returnValue);
}

/*********************************************************
 * CheckKeyCase:
 * If theEvent was a keyDown or autoKey event, this checks 
 * if both the shiftKey and the capsLock key were down. If 
 * so, it changes theEvent to be a lowercase letter. If not, 
 * nothing is changed.  Also, if either the optionKey or 
 * cmdKey is down then nothing is changed.
 ********************************************************/
void CheckKeyCase(EventRecord *theEvent)
{
    register long   theMods, theMessage;
    register char   theChar;

    if (theEvent->what == keyDown ||
      theEvent->what == autoKey) {
        theMods = theEvent->modifiers;
        theMods &= shiftKey | alphaLock |
          optionKey | cmdKey;
        theMods ^= shiftKey | alphaLock;
        if (!theMods) {
            theMessage = theEvent->message;
            theChar = theMessage & charCodeMask;
            if (theChar >= 'A' && theChar <= 'Z') {
                theMessage &= ~charCodeMask;
                theMessage |= theChar + 'a' - 'A';
                theEvent->message = theMessage;
            }
        }
    }
}
/*********************************************************
 * EndPatchCode:
 * Dummy proc to mark the end of the code for the patches.
 * Make sure all of your patch code is between here and 
 * StartPatchCode.
 *********************************************************/
void EndPatchCode()
{
}
 

Community Search:
MacTech Search:

Software Updates via MacUpdate

Logic Pro X 10.1.1 - Music creation and...
Apple Logic Pro X is the most advanced version of Logic ever. Sophisticated new tools for professional songwriting, editing, and mixing are built around a modern interface that's designed to get... Read more
VLC Media Player 2.2.0 - Popular multime...
VLC Media Player is a highly portable multimedia player for various audio and video formats (MPEG-1, MPEG-2, MPEG-4, DivX, MP3, OGG, ...) as well as DVDs, VCDs, and various streaming protocols. It... Read more
Sound Studio 4.7.8 - Robust audio record...
Sound Studio lets you easily record and professionally edit audio on your Mac. Easily rip vinyls and digitize cassette tapes, or record lectures and voice memos. Prepare for live shows with live... Read more
LibreOffice 4.4.1.2 - Free, open-source...
LibreOffice is an office suite (word processor, spreadsheet, presentations, drawing tool) compatible with other major office suites. The Document Foundation is coordinating development and... Read more
Freeway Pro 7.0.3 - Drag-and-drop Web de...
Freeway Pro lets you build websites with speed and precision... without writing a line of code! With its user-oriented drag-and-drop interface, Freeway Pro helps you piece together the website of... Read more
Cloud 3.3.0 - File sharing from your men...
Cloud is simple file sharing for the Mac. Drag a file from your Mac to the CloudApp icon in the menubar and we take care of the rest. A link to the file will automatically be copied to your clipboard... Read more
Cyberduck 4.6.5 - FTP and SFTP browser....
Cyberduck is a robust FTP/FTP-TLS/SFTP browser for the Mac whose lack of visual clutter and cleverly intuitive features make it easy to use. Support for external editors and system technologies such... Read more
Firefox 36.0 - Fast, safe Web browser. (...
Firefox for Mac offers a fast, safe Web browsing experience. Browse quickly, securely, and effortlessly. With its industry-leading features, Firefox is the choice of Web development professionals and... Read more
Thunderbird 31.5.0 - Email client from M...
As of July 2012, Thunderbird has transitioned to a new governance model, with new features being developed by the broader free software and open source community, and security fixes and improvements... Read more
VOX 2.4 - Music player that supports man...
VoxIt just sounds better! The beauty is in its simplicity, yet behind the minimal exterior lies a powerful music player with a ton of features & support for all audio formats you should ever need... Read more

Get The Whole Story – Lone Wolf Complete...
Get The Whole Story – Lone Wolf Complete is Now Available and On Sale Posted by Jessica Fisher on February 27th, 2015 [ permalink ] Universal App - Designed for iPhone and iPad | Read more »
Who Wore it Best? The Counting Dead vs....
Like it or not, the “clicker” genre, popularized by cute distractions like Candy Box and Cookie Clicker, seems like it’s here to stay. So Who Wore it Best? takes a look at two recent examples: The Counting Dead and AdVenture Capitalist. | Read more »
Card Crawl, the Mini Deck Building Game,...
Card Crawl, the Mini Deck Building Game, is Coming Soon Posted by Jessica Fisher on February 27th, 2015 [ permalink ] Tinytouchtales and Mexer have announced their new game, | Read more »
Witness an all new puzzle mechanic in Bl...
Well, BlastBall MAX is not one of those games and is bucking trends such as timers, elements of randomness, and tacked-on mechanics in favor of pure puzzle gameplay. When you first boot up the game you’ll see a grid made up of squares that are each... | Read more »
This Princess Has a Dragon and She isn’t...
This Princess Has a Dragon and She isn’t Afraid to Useit. | Read more »
Mecha Showdown Review
Mecha Showdown Review By Lee Hamlet on February 27th, 2015 Our Rating: :: IN A SPINUniversal App - Designed for iPhone and iPad Mecha Showdown replaces traditional buttons with a slot machine mechanic in this robot fighting game,... | Read more »
Reliance Games and Dreamworks Unveil Rea...
Reliance Games and Dreamworks Unveil Real Steel Champions Posted by Ellis Spice on February 27th, 2015 [ permalink ] Reliance Games and Dreamworks have announced that a third game in | Read more »
Sum Idea Review
Sum Idea Review By Jennifer Allen on February 27th, 2015 Our Rating: :: TAXING NUMBERSUniversal App - Designed for iPhone and iPad Sum Idea is a fairly charming but taxing puzzle game.   | Read more »
A New Badland Update Brings Daydream Lev...
A New Badland Update Brings Daydream Levels to Co-Op Posted by Ellis Spice on February 27th, 2015 [ permalink ] Universal App - Designed for iPhone and iPad | Read more »
Slashing Demons Review
Slashing Demons Review By Lee Hamlet on February 27th, 2015 Our Rating: :: IT'S A LONG WAY TO THE TOPUniversal App - Designed for iPhone and iPad Slashing Demons lacks the depth or scope to take it beyond the point of being just... | Read more »

Price Scanner via MacPrices.net

Apple CEO Tim Cook to Deliver 2015 George Was...
Apple CEO Tim Cook will deliver the George Washington University’s Commencement address to GWU grads on May 17, at which time he will also be awarded an honorary doctorate of public service from the... Read more
Apple restocks refurbished Mac minis for up t...
The Apple Store has restocked Apple Certified Refurbished 2014 Mac minis, with models available starting at $419. Apple’s one-year warranty is included with each mini, and shipping is free: - 1.4GHz... Read more
Save up to $50 on iPad Air 2s, NY tax only, f...
 B&H Photo has iPad Air 2s on sale for $50 off MSRP including free shipping plus NY sales tax only: - 16GB iPad Air 2 WiFi: $469.99 $30 off - 64GB iPad Air 2 WiFi: $549 $50 off - 128GB iPad Air 2... Read more
16GB iPad Air 2 on sale for $447, save $52
Walmart has the 16GB iPad Air 2 WiFi on sale for $446.99 on their online store for a limited time. Choose free shipping or free local store pickup (if available). Sale price for online orders only,... Read more
iMacs on sale for up to $205 off MSRP
B&H Photo has 21″ and 27″ iMacs on sale for up to $205 off MSRP including free shipping plus NY sales tax only: - 21″ 1.4GHz iMac: $1029 $70 off - 21″ 2.7GHz iMac: $1199 $100 off - 21″ 2.9GHz... Read more
Apple Takes 89 Percent Share of Global Smartp...
According to the latest research from Strategy Analytics, global smartphone operating profit reached US$21 billion in Q4 2014. The Android operating system captured a record-low 11 percent global... Read more
New Travel Health App “My Travel Health” iOS...
Rochester, Minnesota based Travel Health and Wellness LLC has announced that its new iOS app help safeguard the user’s health when traveling abroad — “My Travel Health” is now available on the Apple... Read more
Sale! MacBook Airs for up to $115 off MSRP
B&H Photo has MacBook Airs on sale for up to $100 off MSRP. Shipping is free, and B&H charges NY sales tax only: - 11″ 128GB MacBook Air: $799 100 off MSRP - 11″ 256GB MacBook Air: $999 $100... Read more
15-inch 2.0GHz Retina MacBook Pro (refurbishe...
The Apple Store has Apple Certified Refurbished previous-generation 15″ 2.0GHz Retina MacBook Pros available for $1489 including free shipping plus Apple’s standard one-year warranty. Their price is... Read more
Wither The iPad mini? End Of The Road Imminen...
AppleDailyReport’s Dennis Sellers predicts that the iPad mini is going to be left to wither on the vine, as it were, and then just allowed to fade away — a casualty of the IPhone 6 Plus and other... Read more

Jobs Board

Sr. Technical Services Consultant, *Apple*...
**Job Summary** Apple Professional Services (APS) has an opening for a senior technical position that contributes to Apple 's efforts for strategic and transactional Read more
Event Director, *Apple* Retail Marketing -...
…This senior level position is responsible for leading and imagining the Apple Retail Team's global engagement strategy and team. Delivering an overarching brand Read more
*Apple* Pay - Site Reliability Engineer - Ap...
**Job Summary** Imagine what you could do here. At Apple , great ideas have a way of becoming great products, services, and customer experiences very quickly. Bring Read more
*Apple* Solutions Consultant - Retail Sales...
**Job Summary** The ASC is an Apple employee who serves as an Apple brand ambassador and influencer in a Reseller's store. The ASC's role is to grow Apple Read more
*Apple* Solutions Consultant - Retail Sales...
**Job Summary** As an Apple Solutions Consultant (ASC) you are the link between our customers and our products. Your role is to drive the Apple business in a retail Read more
All contents are Copyright 1984-2011 by Xplain Corporation. All rights reserved. Theme designed by Icreon.