One of my latest projects is writing a debugger. How hard can it be, I thought, I’m basically just wrapping system calls. So, to make things a bit more interesting, I decided to support both Linux and OS X. Some of you—the poor souls who’ve tried writing a debugger yourselves—might know where this is going. I really have no excuse: I knew about the incompatibilities and, like an idiot, decided to go for it anyway. Here is my story.
Elegy to a system call
For those of you who are lucky enough not to know about
ptrace, let me introduce you: it is the mother of all
system calls. The UNIX wizards of the 70s, in their infinite wisdom,
decided to put all the facilities for inspecting and debugging a program
into one single function call that has about a gazillion possible
argument configurations, depending on what you want to do. Want to
single-step through a program? Want to get the register contents, or
modify them? Want to get or set memory? Want to work with breakpoints?
ptrace is the answer to all of those questions. Its first
argument, the ptrace_request, specifies what you want to
do, and the arguments that come after that change according to that.
Sounds like a job for multiple dedicated functions to me, but who am I
to challenge the wisdom that was handed to us by the sages of Bell
Labs?
uint64_t get_instruction_pointer(pid_t pid) {
struct user_regs_struct regs;
ptrace(PTRACE_GETREGS, pid, NULL, ®s);
/* rip is the instruction pointer register */
return regs.rip;
}Fig. 1: An example of how to get the current instruction pointer
using ptrace.
To my surprise, working with ptrace actually isn’t as
painful as I made it sound. After understanding its idiosyncracies, it’s
actually quite pleasurable. Sure, the names of the requests are
different on BSD and Linux, but that’s nothing a few cleverly placed
define statements can’t fix, right? At least the rest of
the interface is the same.
Enter OS X. Someone—or, more likely, some committee—came to a
conclusion that mirrors my complaints from earlier: let’s gut this
hellish mutation of a system call and split it up into a bunch of
different functions instead. Sounds like a good idea at first, until you
realize that that means that you have to implement integral parts of
your debugger again, and then hide all of that behind several massive
ifdef statements.
I’d happily pay that price if it meant that the interface was any better. Sadly, this is not the case. Let’s consider the example I provided in Figure 1 and reimplement it for OS X. Feel the pain.
uint64_t get_instruction_pointer(pid_t pid) {
thread_act_port_array_t thread_list;
mach_msg_type_number_t thread_count;
x86_thread_state64_t thread_state;
task_t port;
mach_msg_type_number_t sc = x86_THREAD_STATE64_COUNT;
task_for_pid(mach_task_self(), pid, &port);
task_threads(d->port, &thread_list, &thread_count);
thread_get_state(thread_list[0], x86_THREAD_STATE64,
(thread_state_t)&thread_state, &sc);
return thread_state.__rip;
}Fig. 2: Let’s just get this over wi—OH MY GOD, WHAT HAVE I DONE?!
Sorry you had to see that. I’m not going to walk you through that code—mostly because I think noone should have to know such a godawful API. If you’re persistent or masochistic enough to want to learn more, I suggest you read this tutorial from Uninformed.
To make matters worse, there is a mind-boggling scarcity of resources
regarding this API, and the tutorials that do exist are outdated. The
Uninformed article I linked to above talks about PowerPC, for instance,
an architecture that is pretty outdated and rare these days. And this is
one of the best resources I could find. How did I find out how to change
the macros and function calls to the x86 equivalent? I’m so glad you
asked: I grepped through /usr/include and tried a few wild
guesses. My favorite part is that the x in x86 is the only
thing that’s not capitalized in the constant. Whoever decided on that
naming caused me another minute of hell.
Of course this isn’t portable across OS X machines either, because
it’s architecture-dependent—x86 has two different structs
and constants for 32 and 64 bit, respectively, and then there’s also
i386 and PPC, but I sincerely hope I’ll never
have the urge to support those.
So what?
I guess the moral of the story is “be careful what you wish for”,
because my timid wishes for a bit of modularity just landed me in
ifdef purgatory. There is something to be learned even in
Gehenna, though, and that’s something I’ve written about
before: I like API updates. Some APIs need a thorough cleanup, and,
much like people who change for the better, emerge as more productive
members of society. I even applaud some updates that break my software,
because they provide soothing for my code that has been plagued by a
sore for no good reason. Sometimes, however, the updates don’t lead
anywhere; either they don’t address a need/make things worse or they
introduce incompatibilities that make supporting multiple platforms
harder for the user. OS X’s API is a prime example for both of these
points.
Wish me luck on my next adventures in writing a debugger.