Latest Entries »

There’s an old engineering proverb that a bad programmer does the same task over and over, a good programmer automates the task, and a great programmer makes it unnecessary.

In the iPhone world, the Bad Programmer overrides -(void)layoutSubviews for every view class to customize the layout the way the client wants it.

The Good Programmer figures out the commonalities and creates a view class with a layout function that does things the way the client wants, and inherits all the program’s views from it.

The Great Programmer figures out how to make UIView’s layout do what the client wants directly, and doesn’t fight Cocoa to make it work.


In last week’s episode we single stepped through the assembly code generated by the compiler, to see what happens when a function is called.  We learned that selectors are just C strings, how they are stored and how to find them in the code.

Now we will use otool to explore the program as it’s saved on disk, so we can find the selector strings themselves.  Compile the helloworld example from the previous episode.  Click the disclosure arrow by Product.  Open a terminal window, then type “cd ” (note the space following, it’s important) in the terminal and drag to the terminal to paste in the path.

Enter “otool -o helloworld | less” on the terminal.  What you see is a list of all the objective-c classes defined in the executable, along with the protocols they adopt, and the ivars and methods they define.  What you’re looking at here is the __OBJC segment of the executable.

Have a look at the MACH-O specification.  Programs on disk are divided into segments.  For simple C programs, there’s just __TEXT and __DATA.  The __TEXT segment contains the assembly language from the compiled code and immutable constants.  You can look at the generated code with otool -tV executable_file | less.  If it’s a C++ program, also pipe it through c++filt to demangle the names.  By using less’s search feature or the -p flag to otool you can find the compiled code corresponding to any function in your program.

The __DATA segment contains all the mutable constants declared in your program.  Integer and shorter constants are just immediates in the code, e.g. MOV r0,7, but strings, arrays, and structs are put in the data segment.

Which leads us to sections.  A segment is broken up into one or more sections.  For example, the constant C strings are stored in the __cstring section of the __TEXT segment.  Note that segment names are all caps, and section names are all lower case.

Enter otool -s __TEXT __cstring helloworld.  If you compiled for both armv6 and armv7 you’ll notice that each architecture has its own cstring section.  You’ll also notice that the output is in hex, with the load address as determined by the linker on the left, then the string data as 4-byte words.  Add the -v flag and you’ll see the output as strings.

The segment and section for the selectors is __TEXT __objc_methname, so if you enter otool -arch armv7 -v -s __TEXT __objc_methname helloworld you’ll see all the selectors that your program calls as strings.

otool -arch armv7 -v -s __TEXT __objc_methname helloworld
Contents of (__TEXT,__objc_methname) section
000036ec  release
000036f4  init
000036f9  alloc
000036ff  window
00003706  viewController
00003715  setWindow:
00003720  setViewController:
00003733  dealloc

Now that we know what selectors our program calls, the next step is to determine which ones correspond to illegal calls.

Tune in next week for the exciting conclusion!  In the mean time, read up on the mach-o specification and otool, there is a lot of interesting information you can query out of a program.

Like this Blog?

The more people my Dashboard shows me are reading this, the more time I will spend crafting interesting articles, and the more likely I am to buy the “no ad” option!

My plan is to blog about things I’ve learned in my 20+-odd year career as a software engineer, as well as my excursions into the Arduino, embedded microcontrollers, and electronics.

Tell your friends, or tell me!

thanks, Rob D

Forbidden APIs, part 2/n

Riddle me this…

When last we left our heroes, they were about to start the debugger and probe the mysteries of the Objective-C objc_msgSend function.

Pull down and build the hello world project from github.  You can run it in the simulator if you don’t have an iDevice or developer license.

Put a breakpoint in the first source line of touchesEnded in helloWorldViewController.m.  Make sure the build settings are set for Simulator and Debug.  Click “Build and Debug” and wait for the simulator to come up.  Click in the window on the simulator or device.  The breakpoint should hit, and you’ll see something like this:

Right after the first breakpoint

We’re now going to leave the comfy confines of the source debugger behind, and dive into the world of assembly.  If you don’t see the disassembly pane on the bottom right of your debugger window, select Run→Debugger Display→Source and Disassembly, as shown:

We’ll start with the standard C call to NSLog, to introduce you to the Application Binary Interface, or ABI.  The ABI defines the way that high level languages should organize the compiled code, so any compiled code can be linked together, and external libraries will work with your code.

The first thing we need to do is pass the parameters to the function that will be called.  The first four 32-bit parameters are placed into processor registers for speed.  Registers R0,R1,R2, and R3 are used.  Any past the first four are saved to memory in an area called the stack.  The stack starts at the highest address and works its way down in descending addresses.  There are two parameters to this invocation of NSLog: the format string, @”touchesended: %@” and the first argument, event.  The string constant is passed as a pointer to constant memory, and event relative to the stack pointer, since it’s a parameter of the current function.

The instruction that actually calls the function is BLX – that stores the return address in a special register called the Link Register – this prevents memory reference if the return address does not need to be saved.  Note that I switched from the simulator in the above two images to actual device debugging.

Let’s delve into how the constants are figured out.  They are stored right after the compiled code for each function, in the TEXT segment, which is the same one the code is in.  They are specified as offsets from the current value of the program counter, since the compiler doesn’t know what address the function will reside at after it’s linked.  All it can do is insert an offset once the function is fully compiled.  Switch to the debug console (Command-Shift-R) and enter the “si” command twice.  The cursor on the assembly side should now be on “mov r0,r3”.  We need to add the PC to the value of R3 for the same reason as we had to load R3 from an offset of the PC.  The linker places a string table in a completely different section from the compiled code, the offset to the string in the table is what is placed at the address pc+#648 in the above code, by the linker.

In the top right pane, where local variables and parameters are displayed, you can scroll to the bottom and see a category labelled “Registers” with a disclosure arrow.  Click that arrow and look for $r3.  That is pointing to the offset to the string in memory.  In this case $r3 had the value 0x4040.

If you select Run→Show→Memory Browsers, you can look at the contents of memory.  Enter 0x4040 into the address field.  Set the word size to 4, since we are looking at an “indirect” memory offset.  Notice that the contents of address 0x4040 is 0x3e2184e0.  Let’s follow that offset, which takes us to the program’s String Table.

That is what a NSString looks like in memory.

Back to function calls and the ABI.  After the BLX instruction, we’re in the function prolog.  This sets things up so the function itself has storage space to run, and can call other functions and ultimately return without messing up the memory of its calling function.  We need to save all the processor registers, including the Link Register, to the stack.  If you compile with optimization, only the registers that are affected by the function will be saved to the stack.  After that, a register called the Frame Pointer is set to the current value of the stack pointer (the frame pointer is always saved before this).  This is so the stack pointer can be restored at the end of the function, in a section called the epilog.  Then the number of bytes necessary for the function’s local variables, including those in subordinate scopes, is subtracted from the stack pointer.  After that, the function itself runs.

The function epilog then undoes what the prolog does, so when control is transferred back to the calling function, everything is restored to what was there before the function call, except for the registers which are known to contain the return value.

So NSLog is called, and has no return so we don’t check anything.  Let’s step ahead to an objective-c function, so we can see the similarities.  Place a breakpoint at the first objective-c call, which will be the [[CATransition alloc] init] (the first will be the alloc), and hit Continue.

Let’s have a look at the assembly language here.

Disassembly of objc_msgsend call

We can see that this is a call to objc_msgsend(self, cmd).  There are two arguments to this function, stored in r0 and r1.  R0 will contain the objective-c class CATransition, and r1 will contain the selector for the alloc method.  The selector is what we’re looking for, since that is how we’ll put together our scanner for Forbidden APIs.  Let’s step ahead to just before the call itself, and have a look from the debugger console:

So what we get from this is that $r0 is an object, the CATransition class, and $r1, the selector is simply an old-style C char*!  This makes things a lot easier for us – all we have to do is find the selectors and basically grep out the text of the ones we want to avoid!

Whew!  That was quite a bit – I hope I didn’t leave too many people behind.  In my next post, which is the first of the New Year, I will talk about the organization of a program on disk, and where those selectors are.


Mach-o EABI



Apologies for the delay, there’s a lot of backstory I’m preparing for this – The ABI is much more complex than I originally thought, and I would rather be complete and late, than inscrutably on-time.

Now that we have some idea of the system architecture, it’s time to connect the thermocouple to the Arduino and see if it works.

From the datasheet, we see that it’s a pretty simple chip.  We connect the power to Vcc and Ground, the thermocouple to T+ and T-, and the SPI interface to the microcontroller.  Wait, what’s SPI?

View full article »

Forbidden APIs, part 1

Anyone who’s submitted an application to Apple’s app store knows that your app will be rejected if it uses any undocumented APIs.  Which is a shame, since there is lots of useful stuff in there.

I recently had to resubmit an app because of a forbidden API, and started wondering if there were a way to detect these things automatically, and save a bunch of heartache.

View full article »

A friend of mine has a Big Green Egg.  This is a barbecue grill and smoker that’s fairly expensive, but made very solidly of ceramic, has the heat-retaining properties of a brick oven, and will last forever.

He would like to be able to use this to smoke meats for 10+ hours semi-attended.  There have been some projects doing this already, so I read a few web sites to see what they were doing.

View full article »

Welcome and Introduction

Welcome to Rob’s Adam’s Apple, where I will blog about my trials and travails as a programmer and occasional hardware hacker.

I am currently an iThing developer at Barnes and Noble, working on the Nook Reader application. I am also developing an Arduino clone called the Carduino, and am building a Nixie Tube Calculator.

Having over a quarter century of programming experience, there are a few things that I have found to be very important to be a successful programmer.  The first is communication.  This one still trips me up.  When not talking to computers in their respective native tongues, you are talking to:

  1. Other Programmers
  2. People who do not necessarily understand what you are doing, but want to control how you do it.  Also known as Managers.
  3. People who likely don’t understand what you are doing, but want to change how you do it.  Also known as Customers, Clients, and/or Stakeholders.
  4. Other people.  These may include friends, significant others, potential managers, or potential significant others.

I will concern myself with the first 3, the last is up to you.

When communicating with other programmers, be respectful.  You may not understand why they didn’t initialize a variable, which caused it to have a random value and crash the system during a customer demo.  Which may make you think they are stupid or incompetent.  Even if they are, it won’t help to accuse them of it.  When talking to anyone, always consider how you would feel if they said what you’re about to say to you, in the tone of voice you’re about to use.  Now think of how you’d rather hear it and say it that way.  These people may have your back some day – do you want them to tell you about your uninitialized variable first, or the CEO?

When talking to managers, honesty is the key.  These people need to represent you up the food chain.  To do this, they need to know what’s going on.  Resist the temptation to say that the project that you feel will take four weeks can be done in 1.  It can’t, and you may be fired after week two when it’s still only half done.  Better to find out what they need implemented next week, then plan out the following three.  They’ll be less upset, and in the long run you’ll get the reputation of dependability, which leads to promotions.

Stakeholders don’t care how you’re implementing your web fetches.  If you tell them you’re performing asynchronous background fetches, they won’t understand and will feel frustrated.  You always want stakeholders to associate you with warm fuzzies.  Delegate the bad news and compromise to the manager, and come through for the clients.

I definitely speak autobiographically here – hopefully some of you reading this can get the benefit of my mistakes 🙂