TweetFollow Us on Twitter

Self Modifying Code
Volume Number:8
Issue Number:4
Column Tag: Article Rebuttal

Self Modifying code is a No-No!

A better way to do an event patch without self-modifying code or Assembly

By Scott T. Boyd, Apple Computer, Inc. and Mike Scanlin, MacTutor Regular Contributing Author

Note: Source code files accompanying article are located on MacTech CD-ROM or source code disks.

Mike Scanlin’s article “Rotten Apple INIT for April Fool’s” brings up a minor but essential point. The GetNextEvent patch looks like:

;1

@first
 Lea    @exitAddress, A0
 Move.L (SP)+,(A0)
 Lea    @eventRecPtr,A0
 Move.L (SP),(A0)
 Pea    @tailPatch

 DCJmpInstruction
@origTrap
 NOP
 NOP

The NOPs get replaced with the original GetNextEvent trap address by the installation code:

;2

 Lea    @origTrap,A1
 Move.L A0,(A1)

Now, consider the processor instruction cache. It’s a piece of the processor which remembers what’s at a set of memory locations. It does this so the CPU won’t have to do a memory access for recently referenced instructions. This is designed to save time. It’s a neat hardware feature.

However, the Macintosh system software doesn’t make a distinction between code and data. That’s different from OSs like Unix, which keep code and data in separate address spaces. When Mike’s code installs the original trap address with the Move.L A0,(A1), it’s putting an address into the middle of a piece of code. Unfortunately, the cache which records the new value is the data cache.

The instruction cache has no clue that instructions just changed. This is one way of doing what’s commonly called “self-modifying code”.

Self-modifying code is, in general, a bad thing to write. Apple has long discouraged, and continues to discourage self-modifying code.

This is bad in this case because the processor, if it were to execute this code right away, might believe (for some unspecified reason) that those memory locations were cached in the instruction cache. If it did, it would pull whatever had been in that location the last time code was executed from that spot, then try to execute whatever was there. The odds that the instruction cache held the value you just put into the data cache are not in your favor.

Contrast that approach with this approach:

;3

@first
 ...

 Move.L @origTrap,A0
 JMP.L  (A0)
 ...

/* branch around this, or put it somewhere else, but don’t let the PC run through 
here */

@origTrap
 NOP
 NOP

While this approach still stores the old address into a piece of code, it’s never referenced as code by the processor. It’s treated specifically as data. The instruction cache never comes into play since the original address is moved as data.

Yet another approach, which also saves a register:

;4

@first
                        ...
                        Move.L@origTrap,-(SP)
                        RTS
                        ...

TN #261: “Cache As Cache Can” discusses this topic in more detail, especially with regard to moving whole chunks of code around.

As it happens, the caches are almost certainly flushed before this particular eight bytes ever get loaded for execution, but that’s a happy coincidence, and not something you should rely on. What’s happening is that we have made several traps flush the caches (guaranteeing that there won’t be any misunderstanding about something being in the instruction cache when it’s not), but we may change our minds about which traps should flush, and when. You shouldn’t count on any given trap’s current cache-flushing behavior.

One final consideration. Putting data into code does not work if code is ever write-protected, and that may happen one day. So where can you put something when you can’t allocate any global storage (e.g., PC-relative data or low-memory globals with a fixed address)? You can use NewGestalt to register a new selector. When you call Gestalt, it can return a value which is actually a pointer (or handle) to your global data. This technique won’t work well if you can’t afford to make the trap call (like from some time-sensitive routine you’ve patched), but it works nicely if you have the time and you want to avoid putting data into your patch code.

Scott T Boyd, Apple Computer, Inc.

Mike Scanlin Says

Scott's point about stale code in the instruction cache is well taken and I deserve a thumping for having written it. I made the poor judgement call that it wouldn't matter in this case because I expected the instruction cache to be flushed between the time the patch installation code finished and the first time the patch code was executed. I hang my head in shame.

As partial retribution (and to satisfy a few requests for a non-assembly version) I have written a trap patching shell in C that doesn't use any self-modifying code (see listing below). It obeys all of the rules except for the one about storing data into a code segment (Scott's solutions have this problem, too, as he mentions). Until we have write-protected code segments, this will not be a problem.

Mike Scanlin

/*********************************************************
 * PatchGNE.c:
 * This INIT installs a patch on GetNextEvent and 
 * SystemEvent that intercepts keyDown and autoKey events. 
 * For this example, the intercepted key events are 
 * converted to lower case if both the capsLock key and the 
 * shiftKey are down (thus making the Mac keyboard behave 
 * like an IBM keyboard). However, you can use this shell to 
 * do generalized event intercepting as well as generalized 
 * trap patching (with no asm and no self-modifying code). 
 * If your patches need globals, put them in the 
 * PatchGlobals struct and initialize them in main.
 * In Think C, set the Project Type to Code Resource, the 
 * File Type to INIT, the Creator to anything, the Type to 
 * INIT, the ID to something like 55 (55 will work but it 
 * doesn't have to be 55), turn Custom Header ON and Attrs 
 * to 20 (purgeable) and Multi Segment OFF.
 *
 * Mike Scanlin. 16 May 1992.
 *********************************************************/

#include "Traps.h"

/**********************************************************
 * typedefs
 *********************************************************/
typedef pascal short (*GNEProcPtr)(short eventMask,
 EventRecord *theEvent);
typedef pascal short (*SEProcPtr)(EventRecord *theEvent);

typedef struct PatchGlobals {
 GNEProcPtr pgOldGNE;
 SEProcPtrpgOldSE;
} PatchGlobals, *PatchGlobalsPtr;

/**********************************************************
 * prototypes
 *********************************************************/
void main(void);
void StartPatchCode(void);
pascal short MyGetNextEvent(short eventMask, EventRecord
 *theEvent); 
pascal short MySystemEvent(EventRecord *theEvent);
void CheckKeyCase(EventRecord *theEvent);
void EndPatchCode(void);

/**********************************************************
 * main:
 * Gets some memory in the system heap and installs the GNE 
 * and SE patches (as well as allocating and initializing 
 * the patc 8.4  Self Modifying Codeutine that gets 
 * executed at startup time (by the INIT mechanism).
 *
 * The block of memory that main allocates will look like 
 * this when main has finished:
 *
 *                   +--------------------+
 *                   |    PatchGlobals    |
 *                   +--------------------+
 *                   |  StartPatchCode()  |
 *  GNE trap addr -> +--------------------+
 *                   |  MyGetNextEvent()  |
 *   SE trap addr -> +--------------------+
 *                   |  MySystemEvent()   |
 *                   +--------------------+
 *                   |   CheckKeyCase()   |
 *                   +--------------------+
 *                   |   EndPatchCode()   |
 *                   +--------------------+
 *
 *********************************************************/
void main()
{
    Ptr             patchPtr;
    PatchGlobalsPtr pgPtr;
    long            codeSize, offset;

    /* try and get some memory in the system heap for code
       and globals */
    codeSize = (long) EndPatchCode - (long) StartPatchCode;
    patchPtr = NewPtrSys(codeSize + sizeof(PatchGlobals));
    if (!patchPtr)
        return; /* out of memory -- abort patching */

    /* initialize the patch globals at the beginning 
       of the block */
    pgPtr = (PatchGlobalsPtr) patchPtr;
    pgPtr->pgOldGNE = (GNEProcPtr)
      GetTrapAddress(_GetNextEvent);
    pgPtr->pgOldSE = (SEProcPtr)
      GetTrapAddress(_SystemEvent);

    /* move the code into place after the globals */
    BlockMove(StartPatchCode, patchPtr +
      sizeof(PatchGlobals), codeSize);

    /* set the patches */
    patchPtr += sizeof(PatchGlobals);
    offset = (long) MyGetNextEvent - (long) StartPatchCode;
    SetTrapAddress((long) patchPtr + offset, _GetNextEvent);
    offset = (long) MySystemEvent - (long) StartPatchCode;
    SetTrapAddress((long) patchPtr + offset, _SystemEvent);
}

/**********************************************************
 * StartPatchCode:
 * Dummy proc to mark the beginning of the code for the 
 * patches.  Make sure all of your patch code is between 
 * here and EndPatchCode.
*********************************************************/
void StartPatchCode()
{
}

/*********************************************************
 * MyGetNextEvent:
 * Tail patch on GetNextEvent.
 *
 * The reason this returns a short instead of a Boolean is 
 * because we need to make sure the low byte of the top word 
 * on the stack is zero because some programs do a Tst.W 
 * (SP)+ when this returns instead of Tst.B (SP)+ like they 
 * should (which is technically their bug but, we might as 
 * well work around it since it's not hard).
 *
 * If you want to eat the event and not pass it on to the 
 * caller then set returnValue to zero.
 *********************************************************/
pascal short MyGetNextEvent(short eventMask,
  EventRecord *theEvent)
{
    PatchGlobalsPtr pgPtr;
    short           returnValue;

    /* find our globals */
    pgPtr = (PatchGlobalsPtr) ((long) StartPatchCode -
      sizeof(PatchGlobals));

    /* call original GNE first */
    returnValue = (*pgPtr->pgOldGNE)(eventMask, theEvent);

    /* do some post-processing */
    CheckKeyCase(theEvent);

    /* return to original caller */
    return (returnValue);
}

/**********************************************************
 * MySystemEvent:
 * Tail patch on SystemEvent.
 *
 * The reason this returns a short instead of a Boolean is 
 * because we need to make sure the low byte of the top word 
 * on the stack is zero because some programs do a Tst.W 
 * (SP)+ when this returns instead of Tst.B (SP)+ like they 
 * should (which is technically their bug but, we might as 
 * well work around it since it's not hard).
 * 
 * We need this patch as well as the one on GetNextEvent 
 * because of desk accessories. If you don't patch 
 * SystemEvent then the patch will not apply to events that 
 * are sent to DAs.
 * 
 * If you want to eat the event and not pass it on to the 
 * caller then set returnValue to zero.
 *********************************************************/
pascal short MySystemEvent(EventRecord *theEvent)
{
    PatchGlobalsPtr pgPtr;
    short           returnValue;

    /* find our globals */
    pgPtr = (PatchGlobalsPtr) ((long) StartPatchCode -
      sizeof(PatchGlobals));

    /* call original GNE first */
    returnValue = (*pgPtr->pgOldSE)(theEvent);

    /* do some post-processing */
    CheckKeyCase(theEvent);

    /* return to original caller */
    return (returnValue);
}

/*********************************************************
 * CheckKeyCase:
 * If theEvent was a keyDown or autoKey event, this checks 
 * if both the shiftKey and the capsLock key were down. If 
 * so, it changes theEvent to be a lowercase letter. If not, 
 * nothing is changed.  Also, if either the optionKey or 
 * cmdKey is down then nothing is changed.
 ********************************************************/
void CheckKeyCase(EventRecord *theEvent)
{
    register long   theMods, theMessage;
    register char   theChar;

    if (theEvent->what == keyDown ||
      theEvent->what == autoKey) {
        theMods = theEvent->modifiers;
        theMods &= shiftKey | alphaLock |
          optionKey | cmdKey;
        theMods ^= shiftKey | alphaLock;
        if (!theMods) {
            theMessage = theEvent->message;
            theChar = theMessage & charCodeMask;
            if (theChar >= 'A' && theChar <= 'Z') {
                theMessage &= ~charCodeMask;
                theMessage |= theChar + 'a' - 'A';
                theEvent->message = theMessage;
            }
        }
    }
}
/*********************************************************
 * EndPatchCode:
 * Dummy proc to mark the end of the code for the patches.
 * Make sure all of your patch code is between here and 
 * StartPatchCode.
 *********************************************************/
void EndPatchCode()
{
}
 

Community Search:
MacTech Search:

Software Updates via MacUpdate

Shadow Blade: Reload guide - How to hack...
Shadow Blade: Reload is the kind of action-platformer that would have happily sucked up hours of your time on a console a few years back.Now, you can take it with you wherever you go, and its mobile conversion is not too shabby at all. To help you... | Read more »
Tomb of the Mask guide - How to increase...
Tomb of the Mask is a great endless arcade game from Happymagenta in which quick reflexes and a persistent attitude can go a long way toward earning a top score. Check out these tips to see if you can give yourself an edge on the leaderboards. [... | Read more »
Smooth Operator! (Games)
Smooth Operator! 1.0 Device: iOS Universal Category: Games Price: $2.99, Version: 1.0 (iTunes) Description: Smooth Operator is a weird, weird two-player kissing game. Squeeze in for 2 player fun on a single iPad, creating awkward... | Read more »
Sinless: Remastered (Games)
Sinless: Remastered 1.0 Device: iOS Universal Category: Games Price: $1.99, Version: 1.0 (iTunes) Description: | Read more »
_PRISM Guide - How to solve those puzzle...
_PRISM is a rather delightful puzzle game that’s been tailor made for touch screens. While part of the fun is figuring things out as you go along, we thought we’d offer you a helping hand at getting in the right mindset. Don’t worry about messing... | Read more »
Fractal Space (Games)
Fractal Space 1.3.1 Device: iOS Universal Category: Games Price: $.99, Version: 1.3.1 (iTunes) Description: Live the memorable experience of Fractal Space, a unique first person adventure & puzzle game by Haze Games! Will you... | Read more »
Set off on an adventure through the Cand...
Like match three puzzlers? If so, Jelly Blast, the innovative iOS and Android game which launched last year, is worth a look. Jelly Blast sees you head off on an epic adventure through the Candy Kingdom with your friends Lily, Mr. Hare, and Mr.... | Read more »
Ellipsis - Touch. Explore. Survive. (...
Ellipsis - Touch. Explore. Survive. 1.0 Device: iOS Universal Category: Games Price: $2.99, Version: 1.0 (iTunes) Description: | Read more »
Abzorb (Games)
Abzorb 1 Device: iOS Universal Category: Games Price: $2.99, Version: 1 (iTunes) Description: Abzorb is a tilt game about consuming orbs by getting as close as you can to them without touching. By tilting your mobile device, collect... | Read more »
A Short Tale (Games)
A Short Tale 1.0 Device: iOS Universal Category: Games Price: $3.99, Version: 1.0 (iTunes) Description: It’s been years since I lost Ben, so long yet it doesn’t seem long enough. I never thought I’d return here, to where everything... | Read more »

Price Scanner via MacPrices.net

cb Hardcase – Handmade and Premium Protective...
Baden-Baden, Germany based company cb innovations has introduced the new cb Hardcase for iPhone. Featuring fine Italian Premium leather that makes for a unique look and feel, the cb Hardcase... Read more
Sale! B&H Photo offers 12-inch Retina Mac...
B&H Photo has 12″ Retina MacBooks on sale for $300 off MSRP for a limited time. Shipping is free, and B&H charges NY tax only: - 12″ 1.1GHz Gray Retina MacBook: $999 $300 off MSRP - 12″ 1.... Read more
App Annie Reveals Future of the App Economy:...
App Annie, a San Francisco based mobile app data and insights platform, has launched its first comprehensive app economy forecast. This new offering will provide brands, agencies, investors and app... Read more
Apple restocks Certified Refurbished Mac mini...
Apple has restocked Certified Refurbished 2014 Mac minis, with models available starting at $419. Apple’s one-year warranty is included with each mini, and shipping is free: - 1.4GHz Mac mini: $419 $... Read more
What iPad Pro Still Needs To Make It Truly Pr...
I love my iPad Air 2. So much that I’m grudgingly willing to put up with its compromises and limitations as a production tool in order to take advantage of its virtues. However, since a computer for... Read more
21-inch 3.1GHz 4K on sale for $1399, $100 off...
B&H Photo has the 21″ 3.1GHz 4K iMac on sale $1399 for a limited time. Shipping is free, and B&H charges NY sales tax only. Their price is $100 off MSRP: - 21″ 3.1GHz 4K iMac (MK452LL/A): $... Read more
Apple price trackers, updated continuously
Scan our Apple Price Trackers for the latest information on sales, bundles, and availability on systems from Apple’s authorized internet/catalog resellers. We update the trackers continuously: - 15″... Read more
Save up to $240 with Apple Certified Refurbis...
Apple is now offering Certified Refurbished 12″ Retina MacBooks for up to $240 off the cost of new models. Apple will include a standard one-year warranty with each MacBook, and shipping is free. The... Read more
Apple refurbished 13-inch Retina MacBook Pros...
Apple has Certified Refurbished 13″ Retina MacBook Pros available for up to $270 off the cost of new models. An Apple one-year warranty is included with each model, and shipping is free: - 13″ 2.7GHz... Read more
Apple refurbished Time Capsules available for...
Apple has certified refurbished Time Capsules available for $120 off MSRP. Apple’s one-year warranty is included with each Time Capsule, and shipping is free: - 2TB Time Capsule: $179, $120 off - 3TB... Read more

Jobs Board

Infrastructure Engineer - *Apple* /Mac - Rem...
…part of a team Requires proven problem solving skills Preferred Additional: Apple Certified System Administrator (ACSA) Apple Certified Technical Coordinator (ACTC) Read more
Lead Engineer *Apple* OSX & Hardware -...
Lead Engineer Apple OSX & Hardware **Job ID:** 3125919 **Full/Part\-Time:** Full\-time **Regular/Temporary:** Regular **Listed:** 2016\-02\-10 **Location:** Cary, Read more
*Apple* Mobile Master - Best Buy (United Sta...
Job Title Apple Mobile Master **Brand** Best Buy **Job Description** **What does a Best Buy Apple Mobile Master do?** At Best Buy, our mission is to leverage the Read more
Infrastructure Engineer - *Apple* /Mac - Rem...
…part of a team Requires proven problem solving skills Preferred Additional: Apple Certified System Administrator (ACSA) Apple Certified Technical Coordinator (ACTC) Read more
Lead Engineer - *Apple* OSX & Hardware...
Lead Engineer - Apple OSX & Hardware **Job ID:** 3125919 **Full/Part\-Time:** Full\-time **Regular/Temporary:** Regular **Listed:** 2016\-02\-10 **Location:** Cary, Read more
All contents are Copyright 1984-2011 by Xplain Corporation. All rights reserved. Theme designed by Icreon.