Open C Tips and Tricks |
Since Symbian OS has different mechanisms for handling or trapping errors and exceptions, standard libraries written on top of Symbian as part of Open C, may throw some panics or crash with Symbian-specific errors. This section lists out the possibilities of such a scenario.
Even though such errors can happen, these error cases can be eliminated if the user is aware of them and knows the solution.
Open C libc will panic during the startup of the application (before callingmain( ) of the application) if any of the following happens:
In either of the above cases, the application will panic before starting main( ) of the application.
In addition to the above Panics, applications linking with Open C STDLIBS may also panic or crash because of a bug introduced by the programmer.
One such common example can be an application panicking or crashing with the User-42 panic code. This may happen with those APIs of libc that use malloc, calloc, free, or realloc. See the code below:
#define ALLOC_DATA 500 int main() { char* p = (char*) malloc(1); /* Suppose to allocate ALLOC_DATA, but 1 byte is allocated, still doing memset for ALLOC_DATA length */ memset(p, 0, ALLOC_DATA); /* This will crash now, as heap is corrupted by previous memset */ char* q = (char*) malloc(ALLOC_DATA); free(p); free(q); }
This code has a bug that will cause the application to panic with User-42. This panic will be raised when the programmer tries to do allocation or reallocation or freeing up of memory from RHeap and if the address passed is not a valid cell (Bad Heap Cell Address).
In case of hybrid applications, the users may end up with several problems if they are not aware of the limitations that are mentioned in Introduction to Open C.
Some APIs expect a cleanup stack to be created and that a top-level TRAP is present. Using such APIs of libc like select, any pipe-related APIs (pipe, read, write on fd of a pipe), some socket-specific APIs, locale-specific APIs, iconv_open, mmap API, and ipc-related APIs may cause panics like E32USER-CBase:66 or E32USER-CBase:69 depending on whether the application has created a cleanup stack or whether a top-level TRAP/TRAPD exists. One such example can be:
void PipeTestL() { int fds[2]; int ret = pipe(fds); printf("pipe returned with %d", ret); close(fds[0]); close(fds[1]); } TInt E32Main() { __UHEAP_MARK; TInt retVal = KErrNone; TRAP(retVal, PipeTestL()); HelloWorldL(); __ASSERT_ALWAYS(!retVal, User::Panic(_L("Pipe Test PANIC"), retVal)); __UHEAP_MARKEND; return retVal; }
The above sample will panic with E32USER-CBase:69 because a cleanup stack is not created. The solution is to create a cleanup stack in E32Main() as in the example below:
TInt E32Main() { __UHEAP_MARK; CTrapCleanup* cleanup = CTrapCleanup::New(); TInt retVal = KErrNone; if (cleanup) { TRAP(retVal, PipeTestL()); HelloWorldL(); __ASSERT_ALWAYS(!retVal, User::Panic(_L("Pipe Test PANIC"), retVal)); Destroy cleanup stack delete cleanup; } __UHEAP_MARKEND; return retVal; }
Similarly, for threads created using direct Symbian APIs, the user has to take care of these limitations (cleanup stack and TRAP or TRAPD). The user does not have to create a cleanup stack or trap if the application has main( ) as the entry point and all the threads are created using the pthread_create API. This is because pthread_create will take care of creating the cleanup stack and trap for that thread.
In addition to the above, some common coding mistakes such as operating on uninitialized fds or file pointers will cause the application to crash with KERN-EXEC 3. This panic will be raised when an unhandled exception occurs, like de-referencing NULL or executing an invalid instruction. One such example can be:
void FileTest() { FILE* fp = NULL; int ret = fprintf(fp, "write me"); fclose(fp); }
This sample case will panic with KERN-EXEC 3 since fp is not pointing to a valid file.
The Open C APIs are subjected to stack, heap, any pointer arithmetic overflows and related issues (general programming bugs which has the similar behavior on all platforms). Some of the APIs that lead to buffer overflow are:
Heap Access Violation
If the user allocates a chunk of heap in addition, to the already allocated heap a few more heap cells are allocated forming the heap header. The heap chunk uses this heap header for the house keeping activity. Corrupting the heap chunk header makes the application to CRASH/PANIC and exit.
The following code snippet shows a use case where, two heap chunks are allocated and the heap chunk headers are corrupted leading to application CRASH/PANIC:
void HeapAllocationCheck() { char *buf1, *buf2, *buf3; printf("\nIn HeapAllocationCheck\n"); buf1 = (char*)malloc(4096); buf2 = (char*)malloc(8192); printf("buf1 : %08x\n", buf1); printf("buf2 : %08x\n", buf2); int headerSize = (int) buf2 - (int) buf1 - 4096; printf("Heap Header Size is : %d Bytes\n", headerSize); char* ptr = buf1 + 4096; int* ptr1 = (int*) ptr; //Display the Header Info headerSize /= 4; printf("%08x %08x %08x\n", *ptr1, *(ptr1+1), *(ptr1+2)); //Corrupt first 8 bytes of the header Info *ptr1 = 0x4444; // Modifying 1st word of header leads to CRASH while doing free (In WINDOWS and SYMBIAN EMULATOR) *(ptr1 + 1) = 0xAAAA; //Modifying 1st word of header leads to CRASH while doing free (In LINUX and SYMBIAN TARGET) printf("%08x %08x %08x\n", *ptr1, *(ptr1+1), *(ptr1+2)); //This does not lead to CRASH or PANIC //Copy some data to the 2nd buffer memcpy(buf2, "Hello Symbian", 12); printf("%08x %08x %08x\n", *ptr1, *(ptr1+1), *(ptr1+2)); //allocate new heap cell buf3 = (char*) malloc(4096); printf("%08x %08x %08x\n", *ptr1, *(ptr1+1), *(ptr1+2)); //free all heap buffers now free(buf1); free(buf2); free(buf3); //Display header info now.. headers will change now, as memory is released printf("%08x %08x %08x\n", *ptr1, *(ptr1+1), *(ptr1+2)); }
The following findings are based on the example given above:
Stack Access Violation
Based on the order in which the data is pushed on the stack the Function Stack Frame contains the following information:
The data can get corrupted if the user accesses any local or stack variable with its address. The operating system (OS) does not offer any protection for this kind of corruption. The code snippet below shows a use case that lists the contents of the function stack:
void StackFrameCheck(int argument) { int j = 0; int* addr = 0; printf("\nIn StackFrameCheck\n"); printf("&argument:%08x\n", &StackFrameCheck:(int)(&argument), (int)(StackFrameCheck)); for (j=0; j<4; j++) { addr = (int*)(&j+j); printf("Address: %08x Content: %08x\n", addr, *addr); } }
The behavior with the Stack Pointer example is the same across all the operating systems (OS) such as, WINDOWS, UNIX, and Symbian. The user is prone to corrupt the stack data and the return address. If the return address is corrupted, the behavior of the application is undefined and it will CRASH/PANIC.