TweetFollow Us on Twitter

September 96 - Balance of Power: Stalking the Wild Defect

Balance of Power: Stalking the Wild Defect

Dave Evans

Once again I found myself bleary eyed and fighting sleep, yet I continued to search for understanding. Having already struck down two possible causes for my enigma, I was now searching for new clues. I stubbornly refused to rest until I had flushed out the software defect.

My journey had begun modestly enough as I chanced upon a capricious crash in my software. I wondered which assumption or logic was at fault. Armed with only my low-level debugger, I began a hunt that would consume me into the dead of night. On this adventure through the dark Mac OS interior, I crossed rivers of mode switches, hopped islands of cross-TOC glue, and set snares in a jungle of native PowerPC code.

In this column I'll walk you through one facet of that relentless pursuit, pointing out the key landmarks I used to navigate and demonstrating the tools I used to survive. This should help guide you through your own future explorations of the innards of PowerPC code.

ON THE HUNT

Programming for a Power Macintosh may appear similar to your efforts on a 680x0-based Macintosh, but on close inspection you'll find PowerPC code far more interesting to debug. The relatively simple landscape of a 680x0 world gives way to confusing and insidious terrain on a Power Macintosh. Routine descriptors, dual assembly languages, and native glue are obstacles that impede your progress.

My subject was a crash that occurred when PowerPC applications called MaxApplZone. I was certain the problem was in my recent system software changes, but I needed to see what happened right before the crash to understand it. I started by setting a breakpoint when an application called MaxApplZone. (Later I'll describe a good technique for setting these breakpoints.) Then I traced through the system routine and looked for anything startling.

One application executed the following code just before calling MaxApplZone: 

 0093B260   mflr       r0
 0093B264   stw        r31,-0x0004(SP)
 0093B268   stw        r30,-0x0008(SP) 
 0093B26C   stw        r29,-0x000C(SP)
 0093B270   stw        r0,0x0008(SP)
 0093B274   stwu       SP,-0x0050(SP)
 0093B278   lwz        r30,-0x3940(RTOC)
 0093B27C   bl         MaxApplZone
The preamble to MaxApplZone saves registers R29 to R31 on the stack, creates a stack frame, and loads a local variable into R30 from the application's TOC globals before calling the routine. If we trace through this and then step into the bl (branch and link) instruction to MaxApplZone, we find the following: 
 0094CBFC   lwz        r12,-0x7E60(RTOC)
 0094CC00   stw        RTOC,0x0014(SP)
 0094CC04   lwz        r0,0x0000(r12)
 0094CC08   lwz        RTOC,0x0004(r12)
 0094CC0C   mtctr      r0
 0094CC10   bctr
This code is standard cross-TOC glue. The caller of a routine has the responsibility to set the TOC register (RTOC) correctly for it. Routines imported from other code fragments will have a different TOC value than the application. The PowerPC Code Fragment Manager supplies the correct TOC value and the address of the imported routine in a pair of long words called a transition vector, or TVector. In this case, the TVector is stored as global data at the application's TOC value minus $7E60 bytes. This glue code loads the TVector's address in R12 and then uses that to load the address of the routine in R0 and the new TOC value. It uses the counter register and the bctr (branch to counter register) instruction to jump to the correct address, so the return address in the link register will not be changed.

After tracing through this glue code, we find ourselves in a different kind of glue. The MaxApplZone TVector points to a routine in the InterfaceLib code fragment, as listed below. On this computer, you can guess that the code fragment is in ROM because the address of the routine is very high, $40A0E30C in this case. Since the routine is in ROM, you can't effectively set a breakpoint at its beginning. 

MaxApplZone
 +00000 40A0E30C   mflr    r0
 +00004 40A0E310   stwu    SP,-0x0040(SP)
 +00008 40A0E314   stw     r0,0x0048(SP)
 +0000C 40A0E318   lis     r0,0x0001
 +00010 40A0E31C   subic   r5,r0,0x5F9D
 +00014 40A0E320   lwz     r3,MaxApplZone(r0)
 +00018 40A0E324   li      r4,0x3802
 +0001C 40A0E328   bl      CallOSTrapUniversalProc
 +00020 40A0E32C   lwz     RTOC,0x0014(SP)
 +00024 40A0E330   lwz     r12,0x0048(SP)
 +00028 40A0E334   addic   SP,SP,0x0040
 +0002C 40A0E338   mtlr    r12
 +00030 40A0E33C   blr
You might expect the real MaxApplZone routine to do much more than what appears in this routine. In fact, this routine is simply glue for the 680x0 A-trap table: it gets the address of MaxApplZone from that trap table (don't try this yourself without GetOSTrapAddress, kids) and then uses the CallOSTrapUniversalProc routine to call the address.

Most of the routines in InterfaceLib are actually just like this glue routine for the trap table. Because the routines go through the trap table, PowerPC applications will be affected by patches to the trap table; if they were to bind directly with the system code fragments, patches would be bypassed.

To continue with our tracing, we must step up to and then into CallOSTrapUniversalProc. This takes us to more cross-TOC glue: 

 40A06D10   lwz        r12,0x0008(RTOC)
 40A06D14   stw        RTOC,0x0014(SP)
 40A06D18   lwz        r0,0x0000(r12)
 40A06D1C   lwz        RTOC,0x0004(r12)
 40A06D20   mtctr      r0
 40A06D24   bctr
Since CallOSTrapUniversalProc is part of the Mixed Mode Manager, it's implemented in the MixedMode code fragment. This cross-TOC glue finds the TVector for that routine and calls through to it. When we step through this and over the last bctr instruction, we're magically transferred not to the Mixed Mode Manager but instead to 680x0 code. Wow! MacsBug knew we were calling a universal procedure pointer, so it spared us the trace through the mode switch and took us directly to the location of the universal procedure pointer, in this case the following 680x0 code: 
 0031B160   MOVE.L     ApplLimit,D0
 0031B164   MOVE.L     HeapEnd,D1
 0031B168   SUB.L      D1,D0
 0031B16A   MOVEQ      #$14,D1
 0031B16C   CMP.L      D0,D1
 0031B16E   BLE.S      *+$000A
 0031B170   MOVEQ      #$00,D0
 0031B172   MOVE.W     D0,MemErr 
 0031B176   RTS
 0031B178   JMP        $00167FCC
From my experience tracing through the system, I'd guess that this 680x0 code is a patch on top of the real MaxApplZone, because it compares two numbers and in one of only two cases jumps to an absolute address. The absolute address was probably set when this code was installed as a patch, and it points to either the real MaxApplZone routine or another patch.

The patch appears to check whether the value of the ApplLimit low-memory global is within 20 bytes of the value of HeapEnd. If so, it simply returns noErr in the low-memory global MemErr without calling through to the real MaxApplZone. This patch is probably part of the system software, designed to fix a bug in the ROM without having to replace the entire real MaxApplZone routine.

Now if we trace through this patch and visit the absolute address $167FCC from the patch, we find the following: 

No procedure name
 00167FCC  *_MixedModeMagic
 00167FCE   BTST       D3,D0
 00167FD0   ORI.B      #$00,D0
 00167FD4   ORI.B      #$00,D0
 00167FD8   ORI.B      #$3002,D0
 00167FDC   ORI.B      #$04,D1
 00167FE0   ORI.B      #$8274,D7
 00167FE4   ORI.B      #$00,D0
 00167FE8   ORI.B      #$00,D0
 00167FEC   ORI.B      #$A036,D0
Aha! This ugly disassembly is actually a routine descriptor in disguise. The _MixedModeMagic trap invokes the Mixed Mode Manager from 680x0 code, and it always appears at the beginning of a routine descriptor. Since this trap is at the beginning of each routine descriptor, you can simply construct a routine descriptor and then jump to it in 680x0 code. The drd dcmd in MacsBug will let you see this routine descriptor in a meaningful way. When I typed drd pc in this case, I saw the contents of Listing 1.


Listing 1. Displaying a routine descriptor

drd: 00167fcc
  MixedModeMagic: 0xAAFE, version: #7, 
    flags: 0x00 (NotIndexable) 
  LoadLoc: 0x00000000, reserved2: 0x00000000,
    SelectorInfo: 0x00 (No Selector) 
  Routine Count (zero-based): 0x0000 (#0)
  ---- Routine Record 0x0000 (#0) at 0x00167fd8 ----
       ProcInfo: 0x00003002,
         Reserved1: 0x00000000, ISA: #1 (PowerPC) 
       Record Flags: 0x0004 (Absolute, IsPrepared, NativeISA,
         PassSelector, IsNotDefault) 
       ProcPtr: 0x00078274, offset: 0x00000000,
         selector: 0x00000000

    Notice the number of fields displayed in Listing 1. For simple routine descriptors like this one, you'll only need to look at the ProcPtr entry on the last line of the display. More complicated routine descriptors have an array of routines, and you'll need to look for a passed selector to determine which one is actually used.
The last line of the listing shows a ProcPtr value of $00078274. This is the address of the TVector for MaxApplZone in the MemoryMgr code fragment. Since the TVector structure has the routine address as its first element, dereferencing that address once will produce the address of the actual routine. Typing ilp @78274 to dereference the TVector and disassemble PowerPC code showed me this: 
__MaxApplZone
 +00000 000CA1A8   mflr       r0
 +00004 000CA1AC   stwu       SP,-0x0040(SP)
 +00008 000CA1B0   stw        r0,0x0048(SP)
 +0000C 000CA1B4   bl         __HSetStateQ+0073C
 +00010 000CA1B8   crmove     cr7_SO,cr7_SO
 +00014 000CA1BC   extsh      r4,r3
 +00018 000CA1C0   li         r3,0x0000
 +0001C 000CA1C4   bl         SetEmulatorRegister
 +00020 000CA1C8   lwz        RTOC,0x0014(SP)
 +00024 000CA1CC   lwz        r12,0x0048(SP)
 +00028 000CA1D0   addic      SP,SP,0x0040
 +0002C 000CA1D4   mtlr       r12
 +00030 000CA1D8   blr
This is the MaxApplZone routine in the Memory Manager. It appears to call more substantial subroutines when it branches to __HSetStateQ+0073C, but this is the actual routine.


WALKING BACK OUT

We've braved routine descriptors, glue, and patches to make it this far. I won't dive further into the Memory Manager for this illustration, but let's try an instructive walk back out from the MaxApplZone routine.

After tracing through this routine, we step over the blr instruction to branch back to the link register address. To our surprise we not only switch back to 680x0 emulation mode but we appear to be lost in darkness. The following 680x0 F-line instruction will be executed next: 

No procedure name
 0162D0A0   DC.W       $FE02
We switched back to 680x0 emulation mode because we're returning from the 680x0 patch call to a routine descriptor. Typing ip to disassemble at the current location shows what appears to be garbage, however: 
No procedure name
 0162D08C   NEGX.L     D7
 0162D08E   EOR.W      D3,(A0)+
 0162D090   BCHG       D0,-(A2)
 0162D092   DC.W       $D0F0
 0162D094   DC.W       $FFFF
 0162D096   ORI.B      #$00,D4
 0162D09A   DC.W       $FFFF
 0162D09C   ORI.B      #$A063,D0
 0162D0A0  *DC.W       $FE02
 0162D08C   NEGX.L     D7
 0162D08E   EOR.W      D3,(A0)+
 0162D090   BCHG       D0,-(A2)
 0162D092   DC.W       $D0F0
 0162D0A2   ORI.B      #$9C,D0
 0162D0A6   BCLR       D0,D3
 0162D0A8   BCHG       D0,-(A2)
 0162D0AA   ADD.B      D0,(A0)
Here's the secret: The $FE02 F-line instruction is very much like the _MixedModeMagic trap in that it can signal the transition from emulated 680x0 code to PowerPC code. Just as with the routine descriptor that we saw earlier, executing the $FE02 instruction will in this case cause us to switch back to PowerPC native mode and will bring us to a completely different address.

Truly perceptive readers might have noticed that the program counter at the $FE02 instruction is actually on the stack. Listing 2 shows a memory dump of the first 48 bytes of the stack at this time. Notice that the word at the beginning of the third line (at $162D0A0) is the $FE02 instruction we're about to execute.

Listing 2. The stack upon return to PowerPC code

Displaying memory from sp
 0162D080  DDDD DDDD DDDD DDDD 7FFF 7FFF 4087 B758
                               -+**********@á
 0162D090  0162 D0F0 FFFF 0004 0000 FFFF 0000 A063
                               [[Sigma]]X*b-***********
 0162D0A0  FE02 0000 009C 0183 0162 D110 0000 3802
                               +c*****ú*É*b--***

As we trace over that $FE02 instruction, we find ourselves back inside the InterfaceLib glue routine for MaxApplZone. Tracing through those last instructions finally takes us back to the application code where we started, as shown here: 

MaxApplZone
 +00020 40A0E32C   lwz        RTOC,0x0014(SP)
 +00024 40A0E330   lwz        r12,0x0048(SP)
 +00028 40A0E334   addic      SP,SP,0x0040
 +0002C 40A0E338   mtlr       r12
 +00030 40A0E33C   blr
No procedure name
 0093B280   lwz        RTOC,0x0014(SP)
 0093B284   li         r31,0x0001
Notice that when we returned to a previous code fragment, we immediately restored the TOC register to a value saved on the stack. Not only is the caller responsible for setting the TOC register before calling a routine, it's also responsible for restoring this register when the call returns.

This concludes our romp through the wilderness of the modern PowerPC environment. We traced from an application's code fragment, through the InterfaceLib fragment and then a patch in the trap table, to a routine descriptor for the real MaxApplZone routine, and ultimately back again.


CATCHING POWERPC CALLS

Earlier I glossed over how to set a breakpoint and catch an application as it calls MaxApplZone. Now I'll describe a good trick for doing this. The MacsBug debugger doesn't implement 680x0 A-trap break commands for PowerPC code yet. But you can easily mimic the A-trap break feature in PowerPC code, using the FindSym, PlayMem, and PPCJump MacsBug macros. You can use those macros if you install the file "PowerPC dcmds" (which you'll find on this issue's CD) into your MacsBug Preferences folder.

Say, as an example, that you'd like to catch all PowerPC code that calls the Toolbox routine ReleaseResource. PowerPC code fragments access this routine by importing its entry point from the InterfaceLib code fragment. Typing FindSym ReleaseResource on my Power Macintosh 8100 produces the following: 

findsym: "ReleaseResource"
 "ReleaseResource" #1796 TVec 0001acc0
 (40a15978,0001ea14) in "InterfaceLib"
    FindSym is case sensitive. When looking for an entry in InterfaceLib, for example, you must spell the routine name exactly and capitalize letters perfectly; typing "releaseresource" rather than "ReleaseResource" will not work.*
This tells us a few things. ReleaseResource's TVector is located at the address $0001ACC0. That vector contains the address for the routine at $40A15978 and the InterfaceLib's TOC value, which is $0001EA14. FindSym will return TVector addresses for each application or fragment bound to the routine. In System 7 these will usually all be the same TVector.

If I need to catch callers to ReleaseResource, I could then simply type brp 40a15978 to set a PowerPC breakpoint at the beginning of the InterfaceLib code. On the Power Macintosh 8100, however, this address is in ROM. Setting breakpoints in ROM is more difficult for MacsBug, which returns this message: 

Warning: This requires stepping through each instruction
Your Macintosh might become unusable if MacsBug is forced to single-step through all the code. Because MacsBug can set a breakpoint in RAM with less difficulty, we'll now use the PlayMem and PPCJump macros to set an equivalent breakpoint in RAM.

PlayMem is a MacsBug variable that points to 512 bytes of scratch memory in RAM. The PPCJump macro expands to a set of PowerPC instructions for jumping to an absolute address. So the command 

sl PlayMem PPCJump 40a15978
writes the following instructions to MacsBug's scratch memory: 
lis    r0,40a1         | 3C0040A1
ori    r0,r0,5978      | 60005978
mtctr  r0              | 7C0903A6
bctr                   | 4E800420
Now I'll replace the value of the TVector with our new code in scratch space, by typing sl 0001acc0 PlayMem. PowerPC code bound with InterfaceLib will now call my new code instead of ReleaseResource, but my code will then correctly pass control to ReleaseResource. Finally, typing brp PlayMem will set the PowerPC breakpoint we want.

When PowerPC code tries to call the ReleaseResource trap via InterfaceLib, execution will stop at my breakpoint in PlayMem. At that point, typing ipp lr will list PowerPC instructions around the address in the link register, quickly showing me which code was calling the trap.


AFTER THE HUNT

Although I seriously doubt I would find enjoyment in hunting live animals, I've found the hunt for software defects truly rewarding. Some problems are a definite challenge, and I often learn something new about the Mac OS with each riddle solved. I hope that knowing the details of my pursuit will help you in your own future quests.

DAVE EVANS and fellow Apple engineer Rus Maxham took another adventure by motorcycle this summer. This time they journeyed to Utah and skirted the Great Salt Lake. Turning north, they discovered the beautiful and unspoiled vistas of Idaho. Cottonwood flower petals rained on them as they crossed into Washington. Hectares of wheat farms and the blustery Columbia River guided them to Oregon. One cracked tailpipe and two quarts of oil later, they finally arrived home in California.

Thanks to Nitin Ganatra, Pete Gontier, Jim Luther, and Alex Rangel for reviewing this column.

 

Community Search:
MacTech Search:

Software Updates via MacUpdate

Latest Forum Discussions

See All

Top Mobile Game Discounts
Every day, we pick out a curated list of the best mobile discounts on the App Store and post them here. This list won't be comprehensive, but it every game on it is recommended. Feel free to check out the coverage we did on them in the links... | Read more »
Price of Glory unleashes its 1.4 Alpha u...
As much as we all probably dislike Maths as a subject, we do have to hand it to geometry for giving us the good old Hexgrid, home of some of the best strategy games. One such example, Price of Glory, has dropped its 1.4 Alpha update, stocked full... | Read more »
The SLC 2025 kicks off this month to cro...
Ever since the Solo Leveling: Arise Championship 2025 was announced, I have been looking forward to it. The promotional clip they released a month or two back showed crowds going absolutely nuts for the previous competitions, so imagine the... | Read more »
Dive into some early Magicpunk fun as Cr...
Excellent news for fans of steampunk and magic; the Precursor Test for Magicpunk MMORPG Crystal of Atlan opens today. This rather fancy way of saying beta test will remain open until March 5th and is available for PC - boo - and Android devices -... | Read more »
Prepare to get your mind melted as Evang...
If you are a fan of sci-fi shooters and incredibly weird, mind-bending anime series, then you are in for a treat, as Goddess of Victory: Nikke is gearing up for its second collaboration with Evangelion. We were also treated to an upcoming... | Read more »
Square Enix gives with one hand and slap...
We have something of a mixed bag coming over from Square Enix HQ today. Two of their mobile games are revelling in life with new events keeping them alive, whilst another has been thrown onto the ever-growing discard pile Square is building. I... | Read more »
Let the world burn as you have some fest...
It is time to leave the world burning once again as you take a much-needed break from that whole “hero” lark and enjoy some celebrations in Genshin Impact. Version 5.4, Moonlight Amidst Dreams, will see you in Inazuma to attend the Mikawa Flower... | Read more »
Full Moon Over the Abyssal Sea lands on...
Aether Gazer has announced its latest major update, and it is one of the loveliest event names I have ever heard. Full Moon Over the Abyssal Sea is an amazing name, and it comes loaded with two side stories, a new S-grade Modifier, and some fancy... | Read more »
Open your own eatery for all the forest...
Very important question; when you read the title Zoo Restaurant, do you also immediately think of running a restaurant in which you cook Zoo animals as the course? I will just assume yes. Anyway, come June 23rd we will all be able to start up our... | Read more »
Crystal of Atlan opens registration for...
Nuverse was prominently featured in the last month for all the wrong reasons with the USA TikTok debacle, but now it is putting all that behind it and preparing for the Crystal of Atlan beta test. Taking place between February 18th and March 5th,... | Read more »
See All

Price Scanner via MacPrices.net

AT&T is offering a 65% discount on the ne...
AT&T is offering the new iPhone 16e for up to 65% off their monthly finance fee with 36-months of service. No trade-in is required. Discount is applied via monthly bill credits over the 36 month... Read more
Use this code to get a free iPhone 13 at Visi...
For a limited time, use code SWEETDEAL to get a free 128GB iPhone 13 Visible, Verizon’s low-cost wireless cell service, Visible. Deal is valid when you purchase the Visible+ annual plan. Free... Read more
M4 Mac minis on sale for $50-$80 off MSRP at...
B&H Photo has M4 Mac minis in stock and on sale right now for $50 to $80 off Apple’s MSRP, each including free 1-2 day shipping to most US addresses: – M4 Mac mini (16GB/256GB): $549, $50 off... Read more
Buy an iPhone 16 at Boost Mobile and get one...
Boost Mobile, an MVNO using AT&T and T-Mobile’s networks, is offering one year of free Unlimited service with the purchase of any iPhone 16. Purchase the iPhone at standard MSRP, and then choose... Read more
Get an iPhone 15 for only $299 at Boost Mobil...
Boost Mobile, an MVNO using AT&T and T-Mobile’s networks, is offering the 128GB iPhone 15 for $299.99 including service with their Unlimited Premium plan (50GB of premium data, $60/month), or $20... Read more
Unreal Mobile is offering $100 off any new iP...
Unreal Mobile, an MVNO using AT&T and T-Mobile’s networks, is offering a $100 discount on any new iPhone with service. This includes new iPhone 16 models as well as iPhone 15, 14, 13, and SE... Read more
Apple drops prices on clearance iPhone 14 mod...
With today’s introduction of the new iPhone 16e, Apple has discontinued the iPhone 14, 14 Pro, and SE. In response, Apple has dropped prices on unlocked, Certified Refurbished, iPhone 14 models to a... Read more
B&H has 16-inch M4 Max MacBook Pros on sa...
B&H Photo is offering a $360-$410 discount on new 16-inch MacBook Pros with M4 Max CPUs right now. B&H offers free 1-2 day shipping to most US addresses: – 16″ M4 Max MacBook Pro (36GB/1TB/... Read more
Amazon is offering a $100 discount on the M4...
Amazon has the M4 Pro Mac mini discounted $100 off MSRP right now. Shipping is free. Their price is the lowest currently available for this popular mini: – Mac mini M4 Pro (24GB/512GB): $1299, $100... Read more
B&H continues to offer $150-$220 discount...
B&H Photo has 14-inch M4 MacBook Pros on sale for $150-$220 off MSRP. B&H offers free 1-2 day shipping to most US addresses: – 14″ M4 MacBook Pro (16GB/512GB): $1449, $150 off MSRP – 14″ M4... Read more
 

Jobs Board

  • Generate a short URL for this page:



All contents are Copyright 1984-2011 by Xplain Corporation. All rights reserved. Theme designed by Icreon.