Jason Clark's Blog : Simple Main

Wednesday, March 30, 2005 2:29 PM jclark

Simple Main

Executable entry point methods in managed code (e.g. Main in C# or VB.Net) should be very simple. As an example, this Main is too complex and should be simplified.

class MyApp {

public static void Main() {

Application.Run(new MyForm()); // MyForm is a form-

// derived type

}

Furthermore in managed code an entry-point method should never diverge (very far) from the following code.

public static Int32 Main(String[] args) {

try {

return MainImpl(String[] args); // defined in same

// type as Main

} catch (Exception e) {

HandleTheUnhandled(Object e); // ditto

} catch {

HandleTheUnhandled(null);

}

I will get to the anatomy of a stable entry method in a moment.

Until then let’s look closer at the problem. Here are the precepts which lead me to conclude that that first Main is too complicated:

Applications should not be designed to crash.
By design, if the CLR cannot Just-In-Time (JIT) compile Main, the results are an application crash (or at least that is what it will look like to the end-user).
Methods that cause a type to load are less likely to JIT then methods that don’t.

Starting with number one, in an ideal world, applications should not crash. Taking this principle a step further, even if your application does encounter some failure that will prevent it from executing normally, it should still present the user with a notification of the problem, rather then “just crashing”.

So why the CLR’s designed crash in number two? In a JIT compiled environment, if a method doesn’t JIT it can’t be executed at all. There is no concept of partial execution here. So the CLR has no choice but to fail the execution of an application entirely if, for some reason, Main fails JIT compilation.

Alright, so that brings us to number three, which is really the crux of the problem. When managed code starts up it is inherently unstable. Methods get JIT compiled which causes types to be loaded. Types are loaded which cause assemblies to load. Assemblies are loaded, which involves file system operations, at minimum, and network operations in some deployments. You might imagine your application JIT compiling entirely, before Main is ever called; but that is not how it works. Instead, your methods are JIT compiled as they are called, and types and assemblies that your code references are loaded as your code executes.

Eventually the chaos settles down, and your application executes in a steady state. The trick is avoiding chaos in Main.

Let me reprint the too-complicated Main.

class MyApp {

public static void Main() {

Application.Run(new MyForm()); // MyForm is a form-

// derived type

}

This code is going to cause the System.Windows.Forms.Application type to load, as well as the application defined type MyForm. In the process of JITting a method, the types referenced by the method are loaded (if they have not already been, that is). Since Main is the first method to execute, we are fairly certain that any types that it references must be loaded.

If either type fails to load, then Main will most likely fail to JIT compile. Here are some situations that can cause a method to fail JIT compilation:

The method fails verification or contains invalid Intermediate Language.
Any type that the method references fails to load.
The type containing the method itself fails to load or fails to initialize.
The method cannot bind to a referenced type or method for security reasons.
The CLR itself has failed or there is not sufficient memory for the native instructions.

Let’s immediately write-off reasons 1 and 5 as edge-cases. If you manage to get your compiler to produce an invalid Main method, you will notice before you ship your product. And number five represents genuine system instability that is beyond the scope of an application to manage.

Reasons 2 and 3 are almost the same problem. In both cases a type-load did not result in a usable type. In one case the type was referenced explicitly by the method being JIT compiled. In the other case the type in question is the type that contains the method being JIT compiled. Failed type-loads can be caused by both unusual and usual situations. Again, don’t burden your application logic with handling bona-fide edge cases. These are things like missing system assemblies, bizarre binding and security policy configurations, CLR errors and such ignorables.

However, an application that late-binds to assemblies or is installed in a network deployment, should remain stable even if an application assembly goes missing or fails to load for some reason. Similarly, default security policy enforces a number of scenarios where a type may fail to load for security reasons. Finally, any type with a static constructor (type initializer) is surprisingly susceptible to initialization failure which for the type containing Main is just as bad as type-load failure.

Here is a fun example:

using System;

using System.Windows.Forms;

class MainForm : Form {

static Int32 num =

Math.Abs(Int32.MinValue); // evil code!

protected override void WndProc(ref Message msg) {

base.WndProc(ref msg);

}

public static void Main() {

try {

Application.Run(new MainForm());

}

catch { // catch *any* exception

Console.WriteLine(

"Alert user of unexpected failure");

}

If you compile this code as a console application, and run it, here is what you see on the console:

Unhandled Exception: System.TypeInitializationException: The type initializer for "MainForm" threw an exception. ---> System.OverflowException: Negating the minimum value of a twos complement number is invalid.

at System.Math.AbsHelper(Int32 value)

at System.Math.Abs(Int32 value)

at MainForm..cctor()

--- End of inner exception stack trace ---

at MainForm.Main()

The important detail, though, is that the phrase “Alert user of unexpected failure” is not part of the console output. The reason is that the exception occurred before Main could be JIT compiled, and Main’s exception handler is useless here.

A more subtle (and bothersome) case appears if you comment out the line of code commented as “evil code”, and then rebuild as a console application. Now if you run it, everything seems fine. Unless, that is, you copy the .exe to a share on your network, and run it from there. Then you get this on the command line:

Unhandled Exception: System.Security.SecurityException: Request for the permission of type System.Security.Permissions.SecurityPermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 failed.

The state of the failed permission was:

<IPermission class="System.Security.Permissions.SecurityPermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"

version="1"

Flags="UnmanagedCode"/>

Again, an exception has occurred in the process of loading the type that contains Main, and so the exception handler in Main is useless. Incidentally the reason for the security exception in the first place is that our type overrode the WndProc virtual method. Yes, sometimes just overriding a method represents a security breach (if your app is run partially trusted from a network share), that can cause a type to fail load. In this case we would like to present UI to the user letting them know that their deployment is causing the app to fail for security reasons. But we never get the chance to alert the user, because Main is too complex to even JIT.

A Stable Entry Method

Fortunately it doesn’t take too much effort to make your entry method stable. Here are some guidelines:

Avoid type-loads of any kind in Main. Main should only call methods implemented in the same type definition.
Do not implement a static constructor in the type that contains Main. (Avoiding static fields entirely is the safest way to go).
Derive the type that contains Main from Object. This means that you need to hoist Main out of the type definition for your main form if you use Visual Studio .Net wizards to create your project.
Keep the type that contains Main focused on getting your application started. Don’t think of it as the “Application” type that holds your application-level state.

The following code is a template for an entry point that follows these rules. Forty-two lines of code may seem like quite a few, just to get things up and running. Think of it as boilerplate logic that increases the stability and determinism of the first moments of application execution.

using System;

using System.Security;

public class AppEntry {

public static Int32 Main(String[] args) {

// Do we need to roll our own unhandled behavior

// or was a handler successfully installed

Boolean unhandledInstalled = false;

try {

// Run Main's usual logic and

// install unhandled handler

return MainImpl(args, out unhandledInstalled);

} catch (SecurityException) {

// Let user know that application

// is shutting down due to

// security restrictions

} catch (Exception e) {

if (unhandledInstalled)

throw;

HandleUnhandled(null,

new UnhandledExceptionEventArgs(e, true));

} catch {

if (unhandledInstalled)

throw;

HandleUnhandled(null,

new UnhandledExceptionEventArgs(null, true));

}

return -1;

}

static Int32 MainImpl(

String[] args, out Boolean handlerInstalled) {

// Try to install an unhandled exception handler

// In v1.0/v1.1 failure to do this probably should

// be reason to terminate the application

// In v2.0 default unhandled behavior

// substantially improved

AppDomain.CurrentDomain.UnhandledException +=

new UnhandledExceptionEventHandler(

HandleUnhandled);

handlerInstalled = true;

// Perform main's "usual"

// application start-up logic

return 0;

}

static void HandleUnhandled(Object sender,

UnhandledExceptionEventArgs args) {

// log exception object

// let user know of unexpected failure

Environment.Exit(-1);

}

Filed under: Jason Clark

Comment Notification

If you would like to receive an email when updates are made to this post, please register here

Subscribe to this post's comments using RSS

Comments

#

Wednesday, March 30, 2005 6:15 PM by haacked@gmail.com (Haacked)

Great stuff! I think this my apply to Rss Bandit's codebase.

#

Saturday, April 02, 2005 12:39 AM by Martin Kulov

True, true. Thanks for this valuable information Jason. I assume that catch with no exception specified is intended to handle unmanaged exceptions. Am I correct? How can we take the exception message and source from such ones?

#

Tuesday, April 05, 2005 1:16 AM by Jason Clark

Martin, I am pleased that you found the information useful :)

Actually, the runtime will convert native exceptions into managed exceptions. Here is an application that shows this in action:

using System;

using System.Runtime.InteropServices;

class App {

public static void Main() {

HeapAlloc(

GetProcessHeap(),

HEAP_GENERATE_EXCEPTIONS,

Int32.MaxValue);

}

[DllImport("Kernel32.dll")]

extern static IntPtr HeapAlloc(IntPtr heap, UInt32 flags, UInt32 size);

[DllImport("Kernel32.dll")]

extern static IntPtr GetProcessHeap();

const UInt32 HEAP_GENERATE_EXCEPTIONS = 0x00000004;

}

The HeapAlloc API throws a native exception, which the runtime happily converts into a OutOfMemory exception, which you can catch in the usual fashion.

No, believe it or not, the "catch all" syntax is for a much more obscure (and questionable) feature. It is used to catch "non-CLS compliant exceptions". These are exceptions which IL will let you throw, that are not derived from System.Exception. C# and VB.Net, however, don't support throwing such exceptions. But some languages may. Unfortunately, you can't get the source or stack information for such exceptions. In fact, you can't even find out the type of the exception, unless it reaches your unhandled exception handler. Fortunately, though, it is pretty unlikely that such an exception will be thrown (the runtime and class library never throw such anomalies).

If you want to see a non-CLS compliant exception in action, you can assemble the following IL code into a DLL using ILASM, and then call it from a C# or VB.Net application. You will see that this actually throws a System.Object instance as an exception.

.assembly except2 { }

.class public auto ansi beforefieldinit NonCLSLib

extends [mscorlib]System.Object

{

.method public hidebysig instance void

Throws() cil managed

{

.maxstack 8

IL_0000: nop

IL_0001: newobj instance void [mscorlib]System.Object::.ctor()

IL_0006: throw

}

.method public hidebysig specialname rtspecialname

instance void .ctor() cil managed

{

.maxstack 8

IL_0000: ldarg.0

IL_0001: call instance void [mscorlib]System.Object::.ctor()

IL_0006: ret

}

}

#

Tuesday, April 05, 2005 8:25 AM by Martin Kulov

Ahaa,

I see. Thanks again Jason. This is very interesting topic to me.

One more question (well actually three of them :)). After we register the unhandled exception handler is there any chance for an exception to skip it and bubble up to the catch statements in Main method? And why do you check for installed unhandled exception handler in the catch statements to rethrow the exception? Can't you just handle it?

#

Tuesday, April 05, 2005 11:36 PM by Jason Clark

Good questions. Actually, it is the exception handlers in Main that get “first crack” at the exception. Only in the case where they don’t handle the exceptions (re-throw) does the exception then become “unhandled”. This is the case where the unhandled exception handler event is raised.

I check for the unhandled handler being installed because an exception that reaches the top of the call stack is a bug in my application, and I want it to go through the CLR’s unhandled exception handler logic, if at all possible. This allows me to JIT debug, amongst other things. Most importantly, it allows my code to enjoy the improvements coming online in V2 of the runtime regarding unhandled exceptions. If I catch the exception in the top of my callstack, then it is no longer unhandled from the runtime’s perspective.

Looking at that code from a different angle, the presence of the catch-Exception and catch-all handlers in Main is an unfortunate compromise in my logic, due to the fact that I can’t be certain that I am going to successfully install an unhandled exception handler. If I was sure of that point, I would remove the catch-Exception and catch-all handlers entirely – allowing the unhandled-handler to do the work more naturally.

Hope this helps to further clarify a fairly muddy part of the platform :)

#

Wednesday, April 06, 2005 6:50 AM by Martin Kulov

Thanks a lot! It is much clearer now.

#

Friday, April 15, 2005 12:24 PM by Ilya Ryzhenkov

Why 'out', why not 'ref'? Also, WindowsForms applications are worse here. They will catch exceptions in Windows message handlers and route them to Application.ThreadException, and NOT rethrow them. So, additional handling (and most likely STAThread attribute) is required for GUI application.

PS: Add sealed and private .ctor for completenesss :)

#

Tuesday, April 19, 2005 7:18 AM by Dirk

This is my first trackback (sorry about the lame comment)

#

Wednesday, May 25, 2005 8:59 PM by Jason Clark

Regarding Ilya's feedback (the question portion), ‘out’ is a special-case of ‘ref’, where the called method is promising to assign to the variable in all non-exceptional cases. MainImpl has this guarantee, so ‘out’ is appropriate here. ‘Ref’ would work too, but would not enforce “out semantics” at compile time, and would be more prone to maintenance/implementation error. ‘Out’ has the additional advantage that an uninitialized variable can be used as an argument, though because of the variable-scoping rules of the try-block we don’t get to exploit this advantage here.

Regarding the statements in your feedback, they are all true! And you are also correct that I should have made the containing type sealed, with a private .ctor. (Good catch!) Incidentally, C# 2.0 allows you to define a class as “static” which obviates the need for the private .ctor and the sealed specifier. A useful feature, because it also enforces static semantics throughout the class definition.

#

Tuesday, January 03, 2006 6:08 PM by Inquiry

We have an application written in Visual Studio 2003 that was successfully converted into Visual Studio 2005.

When running the application in our development machine (has the Visual Studio 2005 Professional Edition installed on it), it works great. No problem, error or any warning messages, whatsoever.

When I deployed the application into another machine using the .msi file created, I cannot bring up the application. When double clicking on the EXE file installed by the .msi, I get the error "The error 'System.TypeInitializationException' has occurred". Any ideas on what's causing this error to pop out and how can we resolve this? Your help/suggestions will be greatly appreciated.

BTW, the machine used for the deployment has the MS Framework 2.0 installed on it. Also, I cannot debug the problem into the development machine because it works great over there. I even tried to deploy the application (using the .msi file) into the development machine itself and it works great.

Thanks and appreciate your help.

# re: Simple Main

Tuesday, September 11, 2007 12:19 PM by Lee

Thanks for the info but I have some problems with this method.

I have tried this approach but still my application crashes when run from a network share. Yes, I have overloaded WndProc which is the cause of the problem. Removing overriden WndProc, lets me catch the security exception and show a user message.

Secondly in the code above, why are there 2 catches

catch (Exception e) and catch

The compiler does not permit it as the first catch catches all exceptions.

# re: Simple Main

Monday, December 03, 2007 12:18 PM by Dewayne Christensen

Lee, you probably missed this rule: Derive the type that contains Main() from Object. This means Main() shouldn't be in a form. It should be in a standalone class that then creates and runs the main form.

Regarding the two catches, this article was written in the .NET 1.x days, where "catch (Exception)" did NOT catch all exceptions. See Jason's response in the comments to Martin.