We Keep Coding

How to find the source of an 'Access Violation'

To put in a nutshell, I have a C# application doing lots of mciSendString calls ( via dllimport ) to control wav files playback ( essentially open, play, pause, stop, status, close ). And after running for a while, the application crashes without notice with an 'access violation'.
Even though I'm running the app from my vs2012, the exception is not caught by visual studio. Even with the 'force break on an exception' option, I've had no luck in debugging this from the vs2012. So instead I've setup WER to generate me crash dumps and I am using windbg with psscor2.dll plugin to debug it.
Then in sequence, using the following commands, this is what I get ( shorten to the essential for readability purposes ) :
$>.ecxr
eax=00000001 ebx=00000000 ecx=00000401 edx=00000000 esi=049725b8 edi=00000002
eip=4e88159e esp=0a4efa38 ebp=0a4efa54 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010216
<Unloaded_mciwave.dll>+0x159e:
4e88159e ?? ???
$>~*kb
# 19 Id: 105c.28cc Suspend: 1 Teb: 7ef06000
Unfrozen
user32!NtUserGetMessage+0x15
user32!GetMessageA+0xa1
winmm!mciwindow+0x102
kernel32!BaseThreadInitThunk+0xe
ntdll!__RtlUserThreadStart+0x70
ntdll!_RtlUserThreadStart+0x1b
# 30 Id: 105c.15f8 Suspend: 0 Teb: 7ef1b000 Unfrozen
ntdll!ZwWaitForMultipleObjects+0x15
KERNELBASE!WaitForMultipleObjectsEx+0x100
kernel32!WaitForMultipleObjectsExImplementation+0xe0
kernel32!WaitForMultipleObjects+0x18
kernel32!WerpReportFaultInternal+0x186
kernel32!WerpReportFault+0x70
kernel32!BasepReportFault+0x20
kernel32!UnhandledExceptionFilter+0x1af
ntdll!__RtlUserThreadStart+0x62
ntdll!_EH4_CallFilterFunc+0x12
ntdll!_except_handler4+0x8e
ntdll!ExecuteHandler2+0x26
ntdll!ExecuteHandler+0x24
ntdll!RtlDispatchException+0x127
ntdll!KiUserExceptionDispatcher+0xf
WARNING: Frame IP not in any known module. Following frames may be wrong.
<Unloaded_mciwave.dll>+0x159e
# 31 Id: 105c.2310 Suspend: 1 Teb: 7ef00000 Unfrozen
user32!NtUserGetMessage+0x15
user32!GetMessageW+0x33
mciwave!TaskBlock+0x1d
mciwave!PlayFile+0xcb
mciwave!mwTask+0x98
winmm!mmStartTask+0x22
kernel32!BaseThreadInitThunk+0xe
ntdll!__RtlUserThreadStart+0x70
ntdll!_RtlUserThreadStart+0x1b:
$>!analyze -v
FAULTING_IP:
mciwave_4e880000!TaskBlock+1d
4e88159e ?? ???
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 4e88159e (mciwave_4e880000!TaskBlock+0x0000001d)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000008
Parameter[1]: 4e88159e
Attempt to execute non-executable address 4e88159e
PROCESS_NAME: Titan.vshost.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_PARAMETER1: 00000008
EXCEPTION_PARAMETER2: 4e88159e
WRITE_ADDRESS: 4e88159e
FOLLOWUP_IP:
mciwave_4e880000!TaskBlock+1d
4e88159e ?? ???
MOD_LIST: <ANALYSIS/>
NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0
MANAGED_STACK: !dumpstack -EE
OS Thread Id: 0x15f8 (30)
====> Exception cxr#a4ef750
FAULTING_THREAD: 000015f8
BUGCHECK_STR: APPLICATION_FAULT_SOFTWARE_NX_FAULT_CODE_WRONG_SYMBOLS
PRIMARY_PROBLEM_CLASS: SOFTWARE_NX_FAULT_CODE
DEFAULT_BUCKET_ID: SOFTWARE_NX_FAULT_CODE
LAST_CONTROL_TRANSFER: from 4e881999 to 4e88159e
STACK_TEXT:
0a4efa54 4e881999 0a4efa88 078db198 078db1a4 mciwave_4e880000!TaskBlock+0x1d
0a4efa68 74370ae5 00038edc 00000000 00000000 mciwave_4e880000!mwTask+0x45
0a4efa88 7670338a 078db198 0a4efad4 76f99f72 winmm!mmStartTask+0x22
0a4efa94 76f99f72 078db198 79f84a28 00000000 kernel32!BaseThreadInitThunk+0xe
0a4efad4 76f99f45 74370ac3 078db198 00000000 ntdll!__RtlUserThreadStart+0x70
0a4efaec 00000000 74370ac3 078db198 00000000 ntdll!_RtlUserThreadStart+0x1b
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: mciwave!TaskBlock+1d
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: mciwave_4e880000
IMAGE_NAME: mciwave.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bcb4a
STACK_COMMAND: ~30s; .ecxr ; kb
FAILURE_BUCKET_ID: SOFTWARE_NX_FAULT_CODE_c0000005_mciwave.dll!TaskBlock
BUCKET_ID: APPLICATION_FAULT_SOFTWARE_NX_FAULT_CODE_WRONG_SYMBOLS_mciwave!TaskBlock+1d
Followup: MachineOwner
---------
Exception seems to happen in thread #30 in Unloaded_mciwave.dll, but I have no idea how to push further the debugging.. How can I get a better idea of what's going ??
How can I get what's happening between these two lines ?
ntdll!KiUserExceptionDispatcher+0xf
--> WARNING: Frame IP not in any known module. Following frames may be wrong.
<Unloaded_mciwave.dll>+0x159e
Thank you for your help in advance.

You should get more details by reloading the DLL in the Debugger.
For that you need to do:
lmvm mciwave.dll
start end module name
Unloaded modules:
e6510000 e6548000 mciwave.dll
Timestamp: Fri Oct 14 12:00:00 2011 (4E98E6E2)
Checksum: 0003E937
ImageSize: 00038000
You need to set up the Symbol and Exe-Path so the debugger can find the DLL and PDB (which shouldn't be a problem if you have it in your machine). Then you can do
.reload mciwave.dll=e6510000,00038000
DBGHELP: <path>\mciwave.dll - OK
Now if you do !analyze -v again, it should give you the correct call stack.

Using Getaddrinfo() and SendTo() on Socket UDP fails - Segmentation fault (core dumped)

After I start using getaddrinfo() to retrieve dynamic IP addresses, the sendTo() of my socket no longer works and returns error "Segmentation fault (core dumped)". Why is that happening, is there any initialization or memory allocation missing in my codes please? I've tried quite a while but haven't figured out the reason. Any help would be really appreciated!
Here is the portion of codes :
// variables declaration
int s;
struct sockaddr_in si_other;
struct addrinfo hints;
struct addrinfo *result, *rp;
char *hostname = "localhost";
const char* portnum = "8000";
// settings of hints
memset(&hints, 0, sizeof(struct addrinfo));
hints.ai_family = AF_UNSPEC; /* Allow IPv4 or IPv6 */
hints.ai_socktype = SOCK_DGRAM; /* Datagram socket */
hints.ai_flags = 0;
hints.ai_protocol = 0;
hints.ai_flags = AI_NUMERICSERV;
// resolve dynamically IP adress by getaddrinfo()
s = getaddrinfo(hostname, NULL, &hints, &result);
if (s != 0) {
fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(s));exit(EXIT_FAILURE);
}
// create socket s
for (rp = result; rp != NULL; rp = rp->ai_next)
{
s = socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol);
}
// loop for sending m x struct ECA_message_t
int m=0;
for (; m<NbMesPerFile; ++m)
{
ECA_message_t* ECA_paquet;
ECA_paquet=(ECA_message_t*)malloc(sizeof(ECA_message_t)*2400);
// 2400 to workaround some not understood memory issue and make sendto() to
// work
// function initializing ECA_paquet
Client_update_ECA_data(ECA_paquet,m);
if (sendto(s, ECA_paquet, sizeof(ECA_paquet)*2400, 0 ,(struct
sockaddr*)&si_other,slen)==-1)
{
perror("sendto()");
}
}
To add details to my struct, and to find why my malloc(sizeof(ECA_message_t) goes wrong, please see below the codes for struct ECA_message_t :
typedef struct{
unsigned int version:2;
unsigned int p:1;
unsigned int x:1;
unsigned int cc:4;
unsigned int m:1;
unsigned int pt:7;
unsigned int seq:16;
u_int32_t timestamp;
u_int32_t ssrc;
u_int32_t csrc;
} RTP_header_t; // 16 bytes
typedef struct {
unsigned int version:2;
unsigned int reserved_1:6;
unsigned int reserved_2:8;
unsigned int number_sample:16;
}ECA_header_t; // 4 bytes
typedef struct {
//every line composed of 6 values, 2 byte per value, all signed
int32_t v_phase_1;
int32_t v_phase_2;
int32_t v_phase_3;
int32_t i_phase_1;
int32_t i_phase_2;
int32_t i_phase_3;
}ECA_payload_t; // 12 bytes
typedef struct {
RTP_header_t rtp_header;
ECA_header_t eca_header;
ECA_payload_t eca_payload[MAX_ECA_SAMPLES]; // MAX_ECA_SAMPLES of 100
}ECA_message_t; // 1220 bytes
Here is the Aborted (Core dumpted) Back trace message :
*** glibc detected *** ./clientUDPIniDyn: double free or corruption (!prev): 0x081768c8 ***
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(+0x75ee2)[0xb7642ee2]
./clientUDPIniDyn[0x804896b]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf3)[0xb75e64d3]
./clientUDPIniDyn[0x80486b1]
======= Memory map: ========
08048000-0804a000 r-xp 00000000 08:01 1319522 /home/lin/ULB/Memoire/Client_Server
/Server/clientUDPIniDyn
0804a000-0804b000 r--p 00001000 08:01 1319522 /home/lin/ULB/Memoire/Client_Server
/Server/clientUDPIniDyn
0804b000-0804c000 rw-p 00002000 08:01 1319522 /home/lin/ULB/Memoire/Client_Server
/Server/clientUDPIniDyn
08176000-08197000 rw-p 00000000 00:00 0 [heap]
b7589000-b75a5000 r-xp 00000000 08:05 264147 /lib/i386-linux-gnu/libgcc_s.so.1
b75a5000-b75a6000 r--p 0001b000 08:05 264147 /lib/i386-linux-gnu/libgcc_s.so.1
b75a6000-b75a7000 rw-p 0001c000 08:05 264147 /lib/i386-linux-gnu/libgcc_s.so.1
b75bf000-b75ca000 r-xp 00000000 08:05 293796 /lib/i386-linux-gnu/libnss_files-
2.15.so
b75ca000-b75cb000 r--p 0000a000 08:05 293796 /lib/i386-linux-gnu/libnss_files-
2.15.so
b75cb000-b75cc000 rw-p 0000b000 08:05 293796 /lib/i386-linux-gnu/libnss_files-
2.15.so
b75cc000-b75cd000 rw-p 00000000 00:00 0
b75cd000-b7770000 r-xp 00000000 08:05 293791 /lib/i386-linux-gnu/libc-2.15.so
b7770000-b7771000 ---p 001a3000 08:05 293791 /lib/i386-linux-gnu/libc-2.15.so
b7771000-b7773000 r--p 001a3000 08:05 293791 /lib/i386-linux-gnu/libc-2.15.so
b7773000-b7774000 rw-p 001a5000 08:05 293791 /lib/i386-linux-gnu/libc-2.15.so
b7774000-b7777000 rw-p 00000000 00:00 0
b778d000-b7791000 rw-p 00000000 00:00 0
b7791000-b7792000 r-xp 00000000 00:00 0 [vdso]
b7792000-b77b2000 r-xp 00000000 08:05 293804 /lib/i386-linux-gnu/ld-2.15.so
b77b2000-b77b3000 r--p 0001f000 08:05 293804 /lib/i386-linux-gnu/ld-2.15.so
b77b3000-b77b4000 rw-p 00020000 08:05 293804 /lib/i386-linux-gnu/ld-2.15.so
bfbad000-bfbce000 rw-p 00000000 00:00 0 [stack]
Aborted (core dumped)

Here are fixed codes, no more segmentation fault by using calloc()
for (rp = result; rp != NULL; rp = rp->ai_next)
{
s = socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol); // socket creation
ECA_message_t* ECA_paquet;
ECA_paquet=calloc(NbMesPerFile, sizeof(* ECA_paquet)); // calloc to assign table [NbMesPerFile] length bloc memory for my struct EA_message_t
// sending m paquets of my struct
int m=0;
for (; m<NbMesPerFile; ++m)
{
Client_update_ECA_data(ECA_paquet,m); //update the ECA data paquet
if (sendto(s,ECA_paquet, sizeof(*ECA_paquet) ,0, rp->ai_addr,rp->ai_addrlen)==-1) // send data ECA data pointed by ECA_paquet
{
perror("sendto()");
}
}
}

// create socket s
for (rp = result; rp != NULL; rp = rp->ai_next)
{
s = socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol);
}
You are leaking filedescriptors (sockets) here. With every iteration of the loop s is reassigned. And the previous value of s is lost. (I don't know how long your linked list is)
// loop for sending m x struct ECA_message_t
int m=0;
for (; m<NbMesPerFile; ++m)
{
ECA_message_t* ECA_paquet;
ECA_paquet=(ECA_message_t*)malloc(sizeof(ECA_message_t)*2400);
// 2400 to workaround some not understood memory issue and make sendto() to
// work
// function initializing ECA_paquet
Client_update_ECA_data(ECA_paquet,m);
if (sendto(s, ECA_paquet, sizeof(ECA_paquet)*2400, 0 ,(struct
sockaddr*)&si_other,slen)==-1)
{
perror("sendto()");
}
}
You are leaking memory here. With every iteration of the loop ECA_paquet is reassigned. And the previous value of ECA_paquet is lost. Forever. (I don't know how large NbMesPerFile is)
(this is probably not the cause of your segfault, but it at least indicates substandard quality) You should also not cast the return value of malloc(), (+ #include <stdlib.h>, , plus check malloc()s return value. And turn up the warning level of your compiler.

How do I read buffer data retrieved from sysctlbyname() in iPhone?

I'm trying to get TCP open port list in iphone by using sysctlbyname().
sysctlbyname(const char *name, void *oldp, size_t *oldlenp, void *newp,
size_t newlen);
.
#include <sys/sysctl.h>
size_t len = 0;
if (sysctlbyname("net.inet.tcp.pcblist", 0, &len, 0, 0) < 0) {
perror("sysctlbyname");
} else {
char *buf = malloc(len);
//printf("%d",sizeof(buf));
sysctlbyname("net.inet.tcp.pcblist", buf, &len, 0, 0);
NSData *data = [NSData dataWithBytesNoCopy:buf length:len];
NSLog(#"data = %#", data);
//printf("%d",sizeof(buf));
//printf("%s",buf);
}
The information is copied into the buffer specified by oldp.
OUTPUT::
data = <18000000 34000000 d8160000 00000000 7d760000 00000000 0c020000 00000000 00000000 00000000 00000000 0050c598 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 c2160000 00000000 40008000 00000000 01400000
Buffer is filled with data here.but I'm unable to print the data in readable format.converting this data into NSString won't help as internally buffer has its own structure.
Anyone knows how to obtain TCP open port list as output from this data?
Thanks.

copy netstat code from BSD source.
see the printproto() function in main.c
This will explore all related to this buffer and how to get TCP port list.
Thanks.

Windbg native call stack trace does not make sense

I have a simple test program causing an infinite wait on lock.
public class SyncBlock
{
}
class Program
{
public static SyncBlock sync = new SyncBlock();
private static void ThreadProc()
{
try
{
Monitor.Enter(sync);
}
catch (Exception)
{
//Monitor.Exit(sync);
Console.WriteLine("3rd party code threw an exception");
}
}
static void Main(string[] args)
{
Thread newThread = new Thread(ThreadProc);
newThread.Start();
Console.WriteLine("Acquiring lock");
Monitor.Enter(sync);
Console.WriteLine("Releasing lock");
Monitor.Exit(sync);
}
}
So the main thread is basically get locked when it tries to do Monitor.Enter(sync). If I looked at !clrStack on main thread, its output basically show it which make sense but when I try to see native side of stack, I am expecting to see some Wait on single/multiple object type of call but I don't see it. Can anyone explain it. Thanks
0:000> !CLRStack
PDB symbol for mscorwks.dll not loaded
OS Thread Id: 0x1e8 (0)
ESP EIP
0012f0a8 77455e74 [GCFrame: 0012f0a8]
0012f178 77455e74 [HelperMethodFrame_1OBJ: 0012f178] System.Threading.Monitor.Enter (System.Object)
0012f1d0 00a40177 ConsoleApplication1.Program.Main(System.String[])
0012f400 70fc1b4c [GCFrame: 0012f400]
0:000> kb
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0012eeb4 710afb92 0012ee68 002d6280 00000000 ntdll!KiFastSystemCallRet
0012ef1c 710af7c3 00000001 002d6280 00000000 mscorwks!StrongNameFreeBuffer+0x1b1f2
0012ef3c 710af8cc 00000001 002d6280 00000000 mscorwks!StrongNameFreeBuffer+0x1ae23
0012efc0 710af961 00000001 002d6280 00000000 mscorwks!StrongNameFreeBuffer+0x1af2c
0012f010 710afae1 00000001 002d6280 00000000 mscorwks!StrongNameFreeBuffer+0x1afc1
0012f06c 70fdc5ae ffffffff 00000001 00000000 mscorwks!StrongNameFreeBuffer+0x1b141
0012f080 710df68a ffffffff 00000001 00000000 mscorwks!LogHelp_NoGuiOnAssert+0x10562
0012f10c 710b1154 002aad90 ffffffff 002aad90 mscorwks!StrongNameFreeBuffer+0x4acea
0012f128 710b10d8 42b8b47d 00000000 002aad90 mscorwks!StrongNameFreeBuffer+0x1c7b4
0012f1e0 70fc1b4c 0012f1f0 0012f230 0012f270 mscorwks!StrongNameFreeBuffer+0x1c738
0012f1f0 70fd2219 0012f2c0 00000000 0012f290 mscorwks+0x1b4c
0012f270 70fe6591 0012f2c0 00000000 0012f290 mscorwks!LogHelp_NoGuiOnAssert+0x61cd
0012f3ac 70fe65c4 0023c038 0012f478 0012f444 mscorwks!CoUninitializeEE+0x2ead
0012f3c8 70fe65e2 0023c038 0012f478 0012f444 mscorwks!CoUninitializeEE+0x2ee0
0012f3e0 7103389d 0012f444 42b8b0f1 00000000 mscorwks!CoUninitializeEE+0x2efe
0012f544 710337bd 002332e0 00000001 0012f580 mscorwks!GetPrivateContextsPerfCounters+0xf546
0012f7ac 71033d0d 00000000 42b8b9c9 00000001 mscorwks!GetPrivateContextsPerfCounters+0xf466
0012fc7c 71033ef7 00ce0000 00000000 42b8979 mscorwks!GetPrivateContextsPerfCounters+0xf9b6
0012fccc 71033e27 00ce0000 42b8b8a1 00000000 mscorwks!CorExeMain+0x168
* ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll -
0012fd14 71cf55ab 71033d8f 0012fd30 71f37f16 mscorwks!CorExeMain+0x98
* ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\system32\mscoree.dll -
0012fd20 71f37f16 00000000 71cf0000 0012fd44 mscoreei!CorExeMain+0x38
0012fd30 71f34de3 00000000 7723d0e9 7ffd8000 mscoree!CreateConfigStream+0x13f
0012fd44 774319bb 7ffd8000 084952f9 00000000 mscoree!CorExeMain+0x8
0012fd84 7743198e 71f34ddb 7ffd8000 00000000 ntdll!RtlInitializeExceptionChain+0x63
0012fd9c 00000000 71f34ddb 7ffd8000 00000000 ntdll!RtlInitializeExceptionChain+0x36

You have to point windbg to the microsoft windows symbols server to get a good stack trace.
type in the following in your windbg command window:
.sympath srv*c:\websymbols*http://msdl.microsoft.com/download/symbols
Also see this:
Using microsoft symbol server to get symbols
Also, to answer your original question about how to debug this, here is the cookbook:
0:000> !clrstack
OS Thread Id: 0x1358 (0)
ESP EIP
0012f328 7c90e514 [GCFrame: 0012f328]
0012f3f8 7c90e514 [HelperMethodFrame_1OBJ: 0012f3f8] System.Threading.Monitor.Enter(System.Object)
0012f450 00d10177 Program.Main(System.String[])
0012f688 79e71b4c [GCFrame: 0012f688]
In your original program, the background thread was started first. So, it acquired the lock. However it exited without releasing the lock. After that your main thread tried to acquire the lock and it is stuck because the lock is already owned.
How do you find out who owns it? First do a !threads followed by !syncblk.
0:000> !threads
ThreadCount: 3
UnstartedThread: 0
BackgroundThread: 1
PendingThread: 0
DeadThread: 1
Hosted Runtime: no
PreEmptive GC Alloc Lock
ID OSID ThreadOBJ State GC Context Domain Count APT Exception
0 1 1358 0014bb00 200a020 Enabled 00000000:00000000 001540d0 0 MTA
2 2 1360 0015e320 b220 Enabled 00000000:00000000 001540d0 0 MTA (Finalizer)
XXXX 3 0 00175a98 9820 Enabled 00000000:00000000 001540d0 1 Ukn
0:000> !syncblk
Index SyncBlock MonitorHeld Recursion Owning Thread Info SyncBlock Owner
2 0017903c 3 1 00175a98 0 XXX 013503cc SyncBlock
-----------------------------
Total 2
CCW 0
RCW 0
ComClassFactory 0
Free 0
As you can see, !syncblk says that the owining thread object is 00175a98. From the !threads output, you can see that thread object 00175a98 is the dead thread that exited while owning the lock.
Hope this helps.

Understanding Objective c enum declaration

From iPhone UIControl
UIControlEventAllTouchEvents = 0x00000FFF,
UIControlEventAllEditingEvents = 0x000F0000,
UIControlEventApplicationReserved = 0x0F000000,
UIControlEventSystemReserved = 0xF0000000,
UIControlEventAllEvents = 0xFFFFFFFF
Now I assume the UIControlEventApplication is the 'range' I can use to specify custom control events, but I have no idea how to do it properly. Only if I assign 0xF0000000 the control event will correctly fire. If I assign anything else (0xF0000001) the control event fires when it's not supposed to.
Some clarification:
enum {
UIBPMPickerControlEventBeginUpdate = 0x0F000000,
UIBPMPickerControlEventEndUpdate = // Which value do I use here?
};
My assumption of it being a range is based on the docs. Which say:
I assume this because the docs say: A range of control-event values available for application use.
Could anyone help me understand the type of enum declaration used in UIControl?

I would think 0x0F000000 is the 4 bits you have at your disposal for creating your own control events.
0x0F000000 = 00001111 00000000 00000000 00000000
So any combination of:
0x00000001<<27 = 00001000 00000000 00000000 00000000
0x00000001<<26 = 00000100 00000000 00000000 00000000
0x00000001<<25 = 00000010 00000000 00000000 00000000
0x00000001<<24 = 00000001 00000000 00000000 00000000
You can of course OR these together to create new ones:
0x00000001<<24 | 0x00000001<<25 = 00000011 00000000 00000000 00000000
So in your example:
enum {
UIBPMPickerControlEventBeginUpdate = 0x00000001<<24,
UIBPMPickerControlEventEndUpdate = 0x00000001<<25, ...
};

To use the enums you just do bitwise operations:
UIControlEventAllEditingEvents | UIControlEventApplicationReserved | UIControlEventApplicationReserved