On attempting to install CentOS 5.1 using the “netinstall” ISO I had an annoying problem. Not long into the install process I was met with something like:

The file pam_krb5-2.2.14-1.i386.rpm cannot be opened.  This is due
to a missing file, a corrupt package or corrupt media.  Please
verify your installation source.

...

The options provided to either “Retry” or “Reboot” (default).

But I’m using netinstall, how can it be corrupt?! My netinstall source was UK Mirror Service which should be pretty reliable I’d expect. Anyway, I persisted in hitting “Retry” and eventually it seems it got pam_krb5-2.2.14-1.i386.rpm downloaded OK. Then a few seconds later I hit the same problem with rcs-5.7-30.1.i386.rpm, a few “Retry“s later the problem moves onto another package. This problem occurred for:

• pam_krb5-2.2.14-1.i386.rpm
• rcs-5.7-30.1.i386.rpm
• libICE-1.0.1-2.1.i386.rpm
• mintetty-1.07-5.2.2.i386.rpm
• sqlite-3.3.6-2.i386.rpm

I have no idea why this happened.

The message is: If you get the above error trying to do a CentOS “netinstall” just keep hitting “Retry” (even if it repeatedly fails on the same package.)

“Have form?” That’s the phrase that popped into mind when I first saw the name of this new “Phorm” company that’s recently found itself on the uncomfortable side of Internet privacy debates. I don’t know if the phrase is all that common, but if you grew up watching The Bill you probably know what I’m taking about, I think it’s Pommie police slang. Anyway, back to Phorm, It turns out they do have “form” … they even changed their name over it, from “121Media.” Under their earlier moniker they distributed something called “PeopleOnPage” which was widely proclaimed to be “spyware” (though some, including Phorm, debate that it is really just “adware” – I’ve made no attempt to determine whether I think it is one or the other myself, though based on the removal instructions it seems somewhat benign at least.)

What’s the story now? It turns out that they dumped the so-called spyware in favour of moving the spying to ISPs. (They have an “ain’t we good” story about how they bravely dumped the adware business, risking the potential wrath of their shareholders.) What’s more they’ve already signed on all the major UK providers, and have even run live integration tests! This leaked out recently and has caused quite a stir, first with The Register and now it’s even hit the mainstream news (thanks somewhat to The Netfather, Berners-Lee, expressing concern about it.) Phorm are also chasing deals in the US (not that people in the US have any privacy left to loose) and I’m sure Australia will be on the list too (and then the world! Murwahahahaarrr!)

Phorm’s executive did a pretty open and revealing interview with The Register, and on the face of it the technology seems pretty “privacy safe.” But a) would you really believe it’ll be flawless? And b) what’s the guarantee it’ll stay that way? The idea is that keywords are extracted from the URLs you request (i.e. search string) and the response data, this is filtered to remove “sensitive” content (sure, I bet that is really reliable – though if you’re sending sensitive data over a non-HTTPS connection you get what you deserve.) These keywords are used to categorise the browsing session, then ad delivery is tuned for this categorisation. I’m unclear as to whether they’re going to inject ads into pages (ick!) or if the information will only be used to tune ads on pages that use Phorm as an ad source.

All in all it’s somewhat interesting, but ads are ads and my ad filter means I never see the things anyway. How about this “you are being watched” aspect then? Frankly, it surprises me that anyone would think they can expect much privacy in their online wanderings. Every page you visit has embedded ads from a small handful of providers, do you think they don’t track some sort of “profile” and can track your transitions between the pages of their vast number of clients? (Check your cookies sometime and note the likes of “adclick”, and probably even things like “sextracker”!) Note that this sort of cookie technique will make even something like tor fairly useless in hiding your online “profile.”

What’s most amusing is that Phorm claim is be creating a revolution in privacy? Golly, I wish I had the time to research further into exactly how they explain that one. “Doesn’t store any personally identifiable information,” we’ve heard that before and even when it’s said in good conscience it can turn out to be far more identifiable than expected (remember the AOL search queries release that gave enough information for reporter to track someone to their home?) They seem to claim to not store any information at all, which sounds hopeful and would be good … but it doesn’t seem like much of a revolution! I think they may have been better off being open about things but not going to far as to put on the mangle of Internet freedom fighters, this just makes them a juicy target.

Anyway, if you do want some privacy, with caveats that I don’t have time to go into, then:

1. Use tor
2. Disable cookies

It’s fun to see how much of the web doesn’t work without cookies though! Or you could make them “always ask”, and find out how annoying that is. It could be nice to disallow cookies for any site other than the one displayed in your URL-bar (i.e. disallow for iframes, popups too would make sense), I don’t know if there’s a browser plugin for this though (sounds like we might need one.)

Personally, I mostly gave up on the “ad tracking” privacy issue a long time ago. I don’t expect that noisy privacy advocates, or even legislation, will change things much. Much like many other online security issues it is the very nature and design of the Internet that makes these things possible; want to redesign the whole Internet? Anyone? (Yes, I know people are trying, etc.) When it comes to the legal enforcement of these things it always seems to break apart at international borders, little surprise there. Finally, the tighter control schemes that may have some effect get the privacy advocates screaming as well! I.e. moving monitoring, ads (i.e. Phorm), security, and similar measures to the ISP – net neutrality anyone? And why is some random ISP any more trustworthy than doubleclick anyway?

All that said, I do personally bounce all my web browsing through a foreign end-point (but I don’t bother with tor) and I use a cookie blacklist. (The bounce is mainly because proxying via a machine somewhere in Europe, using an SSH port-forward, is actually faster than direct browsing over my Talk Talk connection. Yes, it’s insane.) Ultimately, I don’t think there’s any privacy to be had or expected when it comes to the “web”, as sad as that seems. That said, you can and should expect that data sent to sites (via HTTPS) is kept safe and secure – when this expectation is broken, then is it worth raising all kinds of hell!

It’s a wild world out there on the ‘net … it allows the bad guys to do bad, but also allows the good guys to do good, and, really, this is the way I like it. Some are a kind of geek equivalent to cowboys and know how to look after themselves, everyone else? Easy targets… who we should try to protect and educate.

[For the record: Personally, I don’t like the Phorn idea and I’d prefer them to be shown the door and thoroughly booted out of ISPs. But, realistically, I don’t think this would improve (or degrade) anyone’s privacy. I’m not so keen on the “we own our browsing” history argument from the privacy advocates though. Everything seems to turn to ownership eventually, I suspect this is one of the great problems with the way humans see the world. Things, even the metaphysical, must belong to someone.]

I’ve been using O’Reilly’s Safari a bit lately, thanks to ACM getting into bed with them and offering something like 600 titles as part of ACM membership. This alone makes the membership worthwhile AFAIC, it’s an excellent benefit. Of course, it is only as good as the books you have access to and I wondered if the selection would be any good. It turns out that the list of available books is actually not all that bad (not excellent, but you have to expect that – pay a bit more to access the full array of titles.)

Safari its self turns out to be quite friendly to use too. The books are presented in sensibly broken up sections (as opposed to “printed page” based) and in plain text using a fairly simple layout. A contents tree and current location sits unobtrusively on the left. And you can add notes and bookmarks, which is very useful but could do with a little web-twopointohey ajaxy goodness (link->form->post->return is so passé). It’s much better than all the crap I’ve seen done in putting magazines online (i.e. IEEE Spectrum, ACM Queue.) Books are a different concept I guess, but not that different maybe the crap magazine efforts stem from a resistance to making redundant all those poor souls who manage print layouts?

Anyway, I’ve resisted trying the Safari thing given that I prefer a good old paper book when I’m not in front of the PC. Thanks to ACM I’ve been able to give it a spin and, while it’s not going to replace print tech books in my life, there’s definitely a place for it in my reading habits.

Now if only Safari Books Online had an Offline mode… and I had a nice gadget for offline reading. Amazon’s Kindle doesn’t seem so crash hot to me, the high end HTC Advantage “phone” might do, but what I’d really like to see is an ASUS Eee in a tablet form (and had longer battery life.) That said, the whole offline thing isn’t going to matter all that much soon, well, now even.

Here’s an interesting little bug that good old pimpl can easily lead you to, with nary a whistle from the compiler. It actually all boils down to being damn lazy and not doing pimpl properly, but I’ll get to that later. First, let me introduce some lazy
code:

///////////////////////////////////////////////////////////////////////////////
// LazyThing.h
#include <boost/shared_ptr.hpp>
#include <string>

class LazyThing {
public:
    LazyThing();
    void setThing(const std::string & thing, bool value);
    bool getThing(const std::string & thing) const;
    unsigned thingCount() const;
private:
    class LazyThingImpl;
    // here's our pimpl
    boost::shared_ptr<LazyThingImpl> m_impl;
};

///////////////////////////////////////////////////////////////////////////////
// LazyThing.cpp
// #include <LazyThing.h>
#include <map>

// Declare the impl
class LazyThing::LazyThingImpl {
public:
    std::map<std::string,bool> m_thingMap;
};

// Define LazyThing
LazyThing::LazyThing() : m_impl(new LazyThingImpl()) {}

void LazyThing::setThing(const std::string & thing, bool value) {
    m_impl->m_thingMap[thing] = value;
}

bool LazyThing::getThing(const std::string & thing) const {
    return m_impl->m_thingMap[thing];
}

unsigned LazyThing::thingCount() const {
    return m_impl->m_thingMap.size();
}

///////////////////////////////////////////////////////////////////////////////
// main.cpp
// #include <LazyThing.h>
#include <iostream>

int main() {
    LazyThing t;
    t.setThing("foo", false);
    t.setThing("bar", true);
    std::cout << t.thingCount() << std::endl;
    std::cout << (t.getThing("foo") ? "true" : "false") << std::endl;
    std::cout << (t.getThing("bar") ? "true" : "false") << std::endl;
    std::cout << (t.getThing("baz") ? "true" : "false") << std::endl;
    std::cout << t.thingCount() << std::endl;
    return 0;
}

Both g++ and icc will compile this code with no errors or warnings (ignoring some spurious unrelated ones from icc when -Wall is set.) When we run the resultant binary we see this:

2
false
true
false
3

Fair enough? Well no, the code has a bug. Though you don’t know for sure since I haven’t given a specification for getThing, let it be this: returns the value set for thing; returns false if thing has not been set. So, that final 3 is a bit disturbing. Hey, isn’t getThing supposed to be const?! What’s the root of this? If you’ve much experience with C++/STL then you’ll know that operator[] is a non-const member that inserts a default-constructed element into the std::map if no element previously exists. You’ll know this either from properly reading the documentation, or from having this sort of situation bite you in the arse before (prompting you to properly read the documentation;) Quite simply, the code should not be using operator[] in getThing, that is completely retarded. But, you say, if it is non-const then why did the compiler let us call it?! The understanding is that a const method is not permitted to make non-const calls on data members. Right? Alas, this breaks down with pointers!

If we take the above code and remove the pimpl, embed the std::map into LazyThing, and then try to implement getThing with return m_map[thing] the code won’t compile. As we’d hope! If we take the above and change the boost::shared_ptr pimpl container to a plain LazyThingImpl* then the code will compile and exhibit the disturbing behaviour above. (In other words: don’t blame the shared_ptr.)

So, what gives? Compiler getting lost or does the C++ standard let this happen? In fact, the behaviour here is logically correct, even though it feels wrong. If we refer to 9.3.2 of the spec, namely “the this pointer“, and look at paragraph 2 we see what seems to be the extent of the power of applying const to a member function.

const member function, the object for which the function is called is
accessed through a const access path; therefore, a const member function
shall not modify the object and its non-static data members.

So a const member can’t modify non-static data members, if the std::map is a member then operator[] clearly modifies it, verboten! If a LazyThingImpl* is a member then calling a non-const method on the object the pointer points to clearly does not modify the pointer. Sure, it modifies the destination instance but I think that is beside the point… that instance is not the member in question, the pointer is. (And yeah, you can modify static “members” in const member functions too.)

So, we knew all this already right? In general it isn’t new to me, I’ve hit the const calling non-const on pointer “problem” before. However the pattern in the code above is simplified (a lot) from something I wrote last week, I committed this crime. At the root of the crime is a sin: laziness. Thus the name of the class! You see, you’re not really supposed to implement pimpl as “pointer to data struct”, as named the pattern is “pointer to implementation” and we can avoid the whole problem above, the foolish mistake of using operator[], by doing pimpl the right way.

Brace yourself for another code dump!

///////////////////////////////////////////////////////////////////////////////
// Thing.h
#include <boost/shared_ptr.hpp>
#include <string>

class Thing {
public:
    Thing();
    void setThing(const std::string & thing, bool value);
    bool getThing(const std::string & thing) const;
    unsigned thingCount() const;
private:
    class ThingImpl;
    boost::shared_ptr<ThingImpl> m_impl;
};  

///////////////////////////////////////////////////////////////////////////////
// Thing.cpp
// #include <Thing.h>
#include <map>

// Declare the impl - mirroring the Thing public interface!
class Thing::ThingImpl {
public:
    void setThing(const std::string & thing, bool value);
    bool getThing(const std::string & thing) const;
    unsigned thingCount() const;
private:
    std::map<std::string,bool> m_thingMap;
};

// Define ThingImpl methods
void Thing::ThingImpl::setThing(const std::string & thing, bool value) {
    m_thingMap[thing] = value;
}

bool Thing::ThingImpl::getThing(const std::string & thing) const {
    std::map<std::string,bool>::const_iterator res = m_thingMap.find(thing);
    if (res == m_thingMap.end()) {
        return false;
    }
    return res->second;
}

unsigned Thing::ThingImpl::thingCount() const {
    return m_thingMap.size();
}

// Define Thing methods
Thing::Thing() : m_impl(new ThingImpl()) {}
    
void Thing::setThing(const std::string & thing, bool value) {
    m_impl->setThing(thing, value);
}   
    
bool Thing::getThing(const std::string & thing) const { 
    return m_impl->getThing(thing);
}   

unsigned Thing::thingCount() const {
    return m_impl->thingCount();
}

I’ve left out main this time, aside from the altered class name it is identical to the previous main. So, the difference is that Thing is now no more than a proxy, every call to Thing just makes the same call to m_impl. It’s important that it is the same call too, otherwise you might get yourself lost. The public interface to ThingImpl should mirror that of Thing including constness! If you made ThingImpl‘s getThing non-const you’d still be permitted to make the operator[] mistake. As the code is above, if you tried using operator[] on m_map in Thing::ThingImpl::getThing the compiler would tell you to get buggered:

:; g++ -Wall -Wextra -pedantic Thing.cpp -o Thing
Thing.cpp: In member function 'bool Thing::ThingImpl::getThing(const std::string
&) const':
Thing.cpp:38: error: no match for 'operator[]' in '((const Thing::ThingImpl*)thi
s)->Thing::ThingImpl::m_thingMap[thing]'
/usr/include/c++/4.1.3/bits/stl_map.h:340: note: candidates are: _Tp& std::map<_
Key, _Tp, _Compare, _Alloc>::operator[](const _Key&) [with _Key = std::basic_str
ing<char, std::char_traits<char>, std::allocator<char> >, _Tp = bool, _Compare =
 std::less<std::basic_string<char, std::char_traits<char>, std::allocator<char> 
> >, _Alloc = std::allocator<std::pair<const std::basic_string<char, std::char_t
raits<char>, std::allocator<char> >, bool> >] <near match>

Love those g++ template messages! This is what I like to see though, the compiler letting me know when I’ve done something stupid. So, remember:

pimpl is “pointer to implementation“

This goes far beyond this silly example using std::map::operator[]. If you only move data members to your impl and access them all via the pimpl from logic in the interface class then you’ve entirely lost the enforcement of const. You could modify a std::string, increment an int, or whathaveyou. Know better, mirror the interface in the impl and make the data members private.

(A quick Google shows up a few pimpl examples out there on the web that do what I’ve called “pointer to data struct.” Then again, I don’t have 100% confidence that my interpretation of “implementation” is that of the originator(s) of the concept anyway – protecting the const enforcement as strongly as possible seems wise to me though.)

Or should that be virtualization. I’m sick of dealing with two slightly different dialects of English, we zhould remove the letter ezz from the alphabet or zomething. The problem is that back in those oh-so-formative years of primary school it was hammered into us that spelling errors are a crime against all things good and decent. Hammered in with a bloody pile-driver. People who didn’t “get it” in the spelling department, I being one of them, were labelled as stupid slow-learners and punished. This is despite getting into “talented” class streams (via some weird abstract test) and being a voracious reader of “very large books” — doesn’t matter, if you can’t spell you’re clearly a moron. (Do I hold a grudge against the Western Australian public Primary School curriculum, nah, despite life becoming incredibly better after I moved to a private school for my final year of primary school, never…)

The point is: not being able to spell is a crime and a word spelt incorrectly is an abomination. This facet of education is, I suspect, the reason so many people seem so ridiculously patriotic about their funny little localisations of English. My guess is that the root of the problem is a deep and abject fear of our primary school teachers, fascist dictators over years of our lives, who would mock and ridicule us if we forgot our i before e except after c (except the exceptions.)

So, what are we to do in a world where there are two correct ways to spell many words? Where, for business reasons, spelling something the wrong correct way (the uncomfortable way) is often required. A lot of people, such as the audience for that report you’re writing, suffer the same mental disability when it comes to uncomfortable foreign spelling. Grin and bear it I say, try to put the childhood monsters of “incorrect” spelling behind you. For any given document decide which is the best way to go and, first and foremost, strive for consistency.

OK… that was an unintentional rant-cum-ponderance. What I was meaning to write was that the Jan/Feb ACM Queue landed in my mailbox the other day and I’ve been reading it over my morning coffee this week. It provides a pragmatic, low-hype, introduction to virtualization. Starting with an essential history and “what is it” before moving on to an informative coverage of some technical gotchas by Ulrich Drepper. I highly recommend reading the articles to anyone curious about this latest buzz-word. They put the full Queue on the web now, not as nice to read as the paper version IMO (yeah, trees, I know) but better than nothing. (sigh using some non-web-format-for-the-web like IEEE spectrum.)

It’s probably no surprise that I’m a little hyper-aware of secure coding of late. Sure, I’ve got the certification – but there’s still so much I don’t know. One thing I note in much of my own code and most code I’ve read is that there is little regard for integer errors. I’d take a stab that this is the most common coding error out there.

Of particular note is the problem of assigning the result of an operation between two variables to a variable of a different type. For example (unsigned) int versus (signed) long. Intuitively you’d think something like “long has more bits so it’s safe to assign an unsigned int to a signed long.” That could result in the following code:

unsigned aardvarkCageCount();
unsigned aardvarkCount();

int main(void) {
    ...
    long x = aardvarkCount();
    x -= aardvarkCageCount();
    ...
}

Our assumption is that because the functions called return an unsigned int that it is safe to put this into a signed long because a long‘s gotta have at least one more bit than an int, right? Yeah?

It is best to never make assumptions. The C99 standard defines only minimum values for integer bounds, by the standard the relevant bounds are:

Hey, looks pretty safe doesn’t it? Recall that I said these are minimum bounds! Compiler writers can do whatever they like as far as maximum values are concerned. Compile and run this code:

#include <limits.h>
#include <stdio.h>

int main(void) {
    printf("UINT_MAX: %u (%d bytes)n", UINT_MAX, sizeof(unsigned));
    printf("LONG_MAX: %ld (%d bytes)n", LONG_MAX, sizeof(long));
    return 0;
}

For me:

:; gcc stdint.c -o stdint
:; ./stdint 
UINT_MAX: 4294967295 (4 bytes)
LONG_MAX: 2147483647 (4 bytes)
:;

Oh oh! An unsigned int can be larger than a signed long! So the assumption that the latter will be big enough to hold the former is wrong! Unfortunately this is an intuitive “easy fix” for those worrying about overflow, it seems good at the time, in theory. But the loose specification for int is that it represents the most natural value size for the underlying hardware, so 32 bits on most machines with which we’ve grown, with growing popularity for 64 bits. We’ll get to the relationship between int and long shortly.

#include <limits.h>
#include <stdio.h>

/* We have four billion aardvarks!  That's a lot of stew. */
unsigned aardvarkCount() { return 4000000000u; }
/* And only 20 cages. */
unsigned aardvarkCageCount() { return 20; }

int main(void) {
    long x = aardvarkCount();
    printf("There are %ld aardvarks.n", x);
    x -= aardvarkCageCount();
    printf("Aardvarks minus cages is %ld.n", x);
    return 0;
}

Gives:

:; gcc aardvark.c -Wall -o aardvark
:; ./aardvark 
There are -294967296 aardvarks.
Aardvarks minus cages is -294967316.

No surprise. Surely we can get the compiler to tell us when we’re doing something stupid like this?

:; gcc aardvark.cc -Wall -Wextra -ansi -pedantic -o aardvark
:;

No luck. As far as I can tell from scanning man gcc there isn’t an option that’s going to work for us. Some might be thinking, “what about -ftrapv?!” Sorry, not gonna help. The -ftrapv option in gcc only works when both arguments to arithmetic operations are signed – technically it works for overflow but not wrap. If we compile this code with -ftrapv it runs fine. For an example of how not-so-useful this can be:

:; cat ftrapv.c 
#include <stdio.h>
int main(void) {
    long x = 2000000000;
    unsigned y = 2000000000;
    long z = x + y;
    printf("z = %ldn", z);
    return 0;
}
:; gcc ftrapv.c -Wall -Wextra -ftrapv -o ftrapv
:; ./ftrapv 
z = -294967296
:;

To make -ftrapv do something the arguments to arithmetic operations must both be signed. As in:

:; cat ftrapv.c 
#include <stdio.h>
int main(void) {
    long x = 2000000000;
    long y = 2000000000;
    long z = x + y;
    printf("z = %ldn", z);
    return 0;
}
:; gcc ftrapv.c -Wall -Wextra -ftrapv -o ftrapv
:; ./ftrapv 
Aborted (core dumped)
:;

Unfortunately, as far as I can see, even then that’s all we can do. Aborting isn’t entirely useful, but I guess it is better than continuing on in an undefined state! Furthermore -ftrapv turns signed arithmetic operations into a function call, if we look at the disassembly of the generated code we see:

...
080483a4 <main>:
...
 80483b5: c7 45 f0 00 94 35 77 movl   $0x77359400,-0x10(%ebp)
 80483bc: c7 45 f4 00 94 35 77 movl   $0x77359400,-0xc(%ebp)
 80483c3: 8b 45 f4             mov    -0xc(%ebp),%eax
 80483c6: 89 44 24 04          mov    %eax,0x4(%esp)
 80483ca: 8b 45 f0             mov    -0x10(%ebp),%eax
 80483cd: 89 04 24             mov    %eax,(%esp)
 80483d0: e8 2b 00 00 00       call   8048400 <__addvsi3>
...
...
08048400 <__addvsi3>:
 80483f0: 55                 push  %ebp
 80483f1: 89 e5              mov   %esp,%ebp
 80483f3: 53                 push  %ebx
 80483f4: 83 ec 04           sub   $0x4,%esp
 80483f7: 8b 45 0c           mov   0xc(%ebp),%eax           # arg2
 80483fa: 8b 4d 08           mov   0x8(%ebp),%ecx           # arg1
 80483fd: e8 2a 00 00 00     call  804842c <__i686.get_pc_thunk.bx>
 8048402: 81 c3 e2 11 00 00  add   $0x11e2,%ebx
 8048408: 85 c0              test  %eax,%eax                # set SF if arg2 < 0
 804840a: 8d 14 01           lea   (%ecx,%eax,1),%edx       # 'lea' trick for arg1 + arg2
 804840d: 78 11              js    8048420 <__addvsi3+0x30> # if arg1 < 0 goto cmp below
 804840f: 39 d1              cmp   %edx,%ecx                # else compare result and arg1
 8048411: 0f 9f c0           setg  %al                      # %al = 1 if arg1 < result
 8048414: 84 c0              test  %al,%al
 8048416: 75 0f              jne   8048427 <__addvsi3+0x37> # if %al == 0 jump to abort!
 8048418: 83 c4 04           add   $0x4,%esp
 804841b: 89 d0              mov   %edx,%eax
 804841d: 5b                 pop   %ebx
 804841e: 5d                 pop   %ebp
 804841f: c3                 ret   
 8048420: 39 d1              cmp   %edx,%ecx                 # compare result and arg1
 8048422: 0f 9c c0           setl  %al                       # %al = 1 if arg1 > result
 8048425: eb ed              jmp   8048414 <__addvsi3+0x24>  # jump to test above
 8048427: e8 b0 fe ff ff     call  80482dc <abort@plt>
...

Ick! That’s a fair bit of code for an addition! A more readable representation of __addvsi3 would be:

int add(int a, int b) {
    int good = 0;
    int res = a + b;
    if ((b < 0) && (a > res)) good = 1;
    else if (a < res) good = 1;
    if (good == 0) abort();
    return res;
}

(Sorry about the iffy one-liners.)

Before you think “but what about -O[123]!?” … Yep, they get rid of the call. The optimisation takes precedence, since the code is adding two simple constants the optimiser does the addition at compile time. In this way optimisation reduced the effectiveness of -ftrapv. It doesn’t disable it entirely though, a simple trick is to set one of the variables volatile and do an optimised compile. In this case you’ll observe that the call to __addvsi3 is included despite optimisation. This is heading towards another can of worms now though, how often does optimisation really matter for most software? I’ll save the rest of this line of thought for another day…

Anyway, this is all beside the point as our original problem involved assignment with mixed signed values. I.e. it boils down to this:

    long x = 4000000000u;
    printf("z = %ldn", x);

We’ve failed to find any -W flags or any other trap/exception for gcc that will help us out here (or g++ for that matter, my original examples were all C++ but I decided to “purify” them.)

What to do? I think the answer is: don’t make the mistake in the first place! Be aware of the limits, and the limitations of the limits. When necessary always check the values, but try not to get into problematic situations in the first place. If you can afford the overhead use an arithmetic library that deals with the details for you (I’d guess that the majority of code can afford the overhead.) Adding your own boundary guards can be tricky work and I’d recommend sticking to safe alternatives or, at least, recipes from a reliable source.

Let us follow some “intuition” again. An approach is to first store the return values in local variables of the right type. Then test the values before trying to store the result in a long (yes, the example is rather contrived, live with it.)

int main(void) {
    long x = 0;
    unsigned a = aardvarkCount();
    unsigned c = aardvarkCageCount();
    if ((a - c) > LONG_MAX) {
        printf("Oops: %u - %u = %u!n", a, c, (a-c));
        printf("LONG_MAX=%ld LONG_MIN=%ldn", LONG_MAX, LONG_MIN);
        return 1;
    }
    x = a - c;
    printf("There are %u aardvarks.n", a);
    printf("Aardvarks minus cages is %ld.n", x);
    return 0;
}

This is only a guard for the “subtraction result too large to store in a long” case. It looks reasonable enough to cover this though, right? Nup! What happens when a is 1 and c is 2?

:; ./aardvark 
Oops: 1 - 2 = 4294967295!
LONG_MAX=2147483647 LONG_MIN=-2147483648

The problem here is that the (unsigned - unsigned) expression yields an unsigned value, thus we get integer wrap! So, we’re not there yet. We’d better guard out the wrap case:

    if ( ((a > c) && (a - c) > LONG_MAX) ) {
        printf("Oops: %u - %u = %u!n", a, c, (a-c));
        printf("LONG_MAX=%ld LONG_MIN=%ldn", LONG_MAX, LONG_MIN);
        return 1;
    }

Now, we also want to guard the case where (a - c) is is too small for LONG_MIN. Don’t go thinking this is good enough either:

    (a < c) && (c - a) < LONG_MIN) /* BAD! */

Remember that (a - c) will always yield an unsigned result, thus the second condition will always be false. Good thing about this case is that the compiler will actually warn you about the comparison between signed and unsigned values. (You always compile with warnings on, right?) We’ll need to rearrange the arithmetic.

    if ( ((a > c) && (a - c) > LONG_MAX) ||
         ((a < c) && (c > (LONG_MIN + a))) ) {
        printf("Oops: %u - %u = %u!n", a, c, (a-c));
        printf("LONG_MAX=%ld LONG_MIN=%ldn", LONG_MAX, LONG_MIN);
        return 1;
    }

This raises the question: “is (LONG_MIN + unsigned int) a safe expression?” We can look at section 6.3.1.1 of the C standard to answer this. The integer conversion rank definition states, in part, “The rank of a signed integer type shall be greater than the rank of any signed integer type with less precision.” (The precision is defined as the number of bits used to represent values.) The following ranking clause is “The rank of long long int shall be greater than the rank of long int, which shall be greater than the rank of int, …” These two clauses tell us, I think, that if an int is 64 bits then a long will also be 64 bits, which would be the primary concern here. Phew, we seem to be safe.

I’ll leave this here since I don’t have time to dig any deeper. There’s more to consider though! For example, what about non-two’s-complement representations, can we derive the same safety from the rules? What about performance optimisations? What else? I suggest you read the specification. It’s hard going! And reading is very different to understanding. Of course, understanding what is specified also requires understanding exactly what isn’t specified! I’m not even close myself…

The main point of this exercise is to indicate that the problem is a difficult one and the solutions are often non-obvious. For this reason I’d recommend the previously suggested path of relying on a 3rd party secure/safe arithmetic library. This offloads the worry to someone else, who’s hopefully better informed and also does their best to keep their solutions optimal. Personally, I’d prefer to let someone else solve the problem.

A good starting point for learning more yourself is the CERT Secure Coding Standard wiki section on integers (in C.) Then try to find a reasonable safe integer arithmetic library, I’m afraid I don’t have the experience to recommend any particular one. The ones documented in literature I’ve covered are for Windows (I’m most familiar with IntegerLib on the CERT site, it is a Visual Studio project and needs some tweaking to be compiled on Linux. I’ve done enough tweaking to make it compile for me, see note [1] below.) Alternatively (and perhaps most simply) change your integer representation completely by switching to one of the various arbitrary precision arithmetic libraries available. GMP, for example, has been around for ages, is multi-platform, and even has a C++ wrapper.

[1] I got the CERT IntegerLib compiling under Linux. In theory this is written by experts who got all the guards right… Unfortunately it was clearly written with only Windows in mind as there is no support for a non-Windows build. I’ve worked through the code and added the trivial changes and a build system that make it compile for me (up to date Ubuntu gutsy.) My mods to IntegerLib are here (or here for just a diff.) Don’t mistake “compiles” for “is correct” though, it has not gone through rigorous testing. You’ll need a typical C build environment (with all the autotools/libtool junk if you want mod and regenerate the configure stuff.) To compile enter IntegerLib/IntegerLib and do a ./configure then a make. If you’re lucky this will give you the test binary, run it to see the examples of how it works. Have a look at their IntegerLib.h file for a listing of the available methods. Note especially that correct use of their library requires that all parameters must be of the type defined in their API and the same goes for the variable used to store the return type. This code doesn’t directly solve the original problem: subtracting unsigned int values to a signed long result. The main problem is that the unsigned int subtraction may result in a value that is perfectly reasonable for a signed long but no good for an unsigned int. The library as it stands doesn’t cover arithmetic operations assigned to a different type (where the result may possibly be valid.)

Be warned! If using pcrecpp::QuoteMeta on strings with embedded null bytes the results might not be as you expect!

#include <pcrecpp.h>
#include <string>
#include <iostream>

int main(void)
{
    std::string unquoted("foo");
    unquoted.push_back('');
    unquoted.append("bar");
    std::string autoquoted = pcrecpp::RE::QuoteMeta(unquoted);
    std::string manualquoted("foo\x00bar");
    std::cout &lt;&lt; "Auto quoted version is: " &lt;&lt; autoquoted &lt;&lt; std::endl;
    std::cout &lt;&lt; "Auto match result is: " &lt;&lt; pcrecpp::RE(autoquoted).FullMatch(unquoted) &lt;&lt; std::endl;
    std::cout &lt;&lt; "Manual quoted version is: " &lt;&lt; manualquoted &lt;&lt; std::endl;
    std::cout &lt;&lt; "Manual match result is: " &lt;&lt; pcrecpp::RE(manualquoted).FullMatch(unquoted) &lt;&lt; std::endl;
    return 0;
}

:; g++ quotemeta.cc -o quotemeta -lpcrecpp
:; ./quotemeta 
Auto quoted version is: foobar
Auto match result is: 0
Manual quoted version is: foox00bar
Manual match result is: 1
:;

Dammit!

But is it a bug? The documentation in pcrecpp.h says:

  // Escapes all potentially meaningful regexp characters in
  // 'unquoted'.  The returned string, used as a regular expression,
  // will exactly match the original string.  For example,
  //           1.5-2.0?
  // may become:
  //           1.5-2.0?
  static string QuoteMeta(const StringPiece& unquoted);

And that’s what man pcrecpp tells me too. So the definition is essentially “does what perl’s quotemeta does.” Hrm:

:; perl -e 'print quotemeta("foox00bar") . "n"'
foobar
:; perl -e 'print quotemeta("foox00bar") . "n"' | xxd
0000000: 666f 6f5c 0062 6172 0a                   foo.bar.

That second command is just to determine that the null byte is actually still there. The same trick with ./quotemeta shows that the null is also still there when pcrecpp::QuoteMeta is used.

So, the behaviour of pcrecpp::QuoteMeta is correct by definition.

What about the matching then? Should “” followed by a literal null be part of the regular expression? I’m not sure about libpcre semantics for this but let’s test with Perl. Note that pcrecpp::FullMatch means the whole string must match, so the Perl expression must have “^” and “$” at either
end.

:; perl -e '$s="foobar"; $p=quotemeta($s); $s =~ s/^$p$//; print "<$s>n"' | xxd
0000000: 3c3e 0a                                  <>.
:; perl -e '$s="foobar"; $p=quotemeta($s); $s =~ s/^foo//; print "<$s>n"' | xxd
0000000: 3c00 6261 723e 0a                        <.bar>.
:; perl -e '$s="foobar"; $p=quotemeta($s); $s =~ s/^foo//; print "<$s>n"' | xxd
0000000: 3c62 6172 3e0a                           <bar>.

OK, looks like pcrecpp isn’t matching like Perl. Digging into the pcrecpp.cc source equivalent to the Ubuntu package I’m using shows:

...
RE(const string& pat) { Init(pat, NULL); }
...
void RE::Init(const string& pat, const RE_Options* options) {
 pattern_ = pat;
...
  re_partial_ = Compile(UNANCHORED);
  if (re_partial_ != NULL) {
    re_full_ = Compile(ANCHOR_BOTH);
  }
...
pcre* RE::Compile(Anchor anchor) {
...
  if (anchor != ANCHOR_BOTH) {
    re = pcre_compile(pattern_.c_str(), pcre_options,
                      &compile_error, &eoffset, NULL);
  } else {
    // Tack a 'z' at the end of RE.  Parenthesize it first so that
    // the 'z' applies to all top-level alternatives in the regexp.
    string wrapped = "(?:";  // A non-counting grouping operator
    wrapped += pattern_;
    wrapped += ")\z";
    re = pcre_compile(wrapped.c_str(), pcre_options,
                      &compile_error, &eoffset, NULL);
  }
...

Hm! The problem is that the QuoteMeta leaves the literal null byte in then later on the compilation uses the string’s c.str(). Naturally this will be null-terminated, so that marks the end of our pattern.

It seems to be that pcre_compile doesn’t offer a version with a specified string length so there’s no way around this without printable-quoting the null. This is find in libpcre since the behaviour is obvious. Maybe not so find in pcrecpp since it is common to use std::string as a non-printable data container (it is very common, but maybe it is a “bad thing”™?) I think it is a bug in pcrecpp, but it could be a “document the caveat” bug rather than “do magic to make it work bug.”

Looks like pcrecpp.cc is actually part of upstream libpcre. Should file a bug I guess.

I had a hard time Googling a solution to this particular woe. Alas the exact string “unresolved overloaded function type” doesn’t give anything useful with “boost::bind” and “boost:mem_fn“. This is the typical sort error message from g++:

foo.cpp:18: error: no matching function for call to
    'bind(<unresolved overloaded function type>,
        const boost::reference_wrapper<FooMaster>, boost::arg<1> (&)())'

I’ve generated this using a rather contrived example based on the use pattern that was causing my woe:

#include <iostream>
#include <boost/bind.hpp>

class FooMaster {
public:
    void foo(std::string &s) {
        std::cout << "foo(s=" << s << ")" << std::endl;
    }

    void foo(int x) {
        std::cout << "foo(x=" << x << ")" << std::endl;
    }
};  
    
int main(int argc, char **argv) {
    FooMaster fm;
    boost::bind(&FooMaster::foo, boost::ref(fm), _1)(10);
    return 0;
}

The problem is obvious of course, it is exactly as the compiler is telling you. Mr compiler has no idea which “foo” you’re talking about. “But Mr Compiler, it is obvious!” You say. “I’m not passing it a bloody string!” Sometimes you just have to understand that Mr Compiler isn’t you and needs a little hand-holding.

The issue clearly boils down to FooMaster having two methods that match &FooMaster::foo. This signature, used to instantiate the bind template, doesn’t take into account the arguments, so which foo are we taling about?! Alas, as obvious as the problem was I didn’t find the solution so obvious. I just don’t cut it as a C++ guy sometimes. I’d given up on the problem in fact, but then I stumbled on a solution while looking into some other problem I had. It was one of those “oh, duh!” moments really, I was looking at some code that assigned a member function pointer. The type specification for such a thing includes the argument types! So here’s a modified main that uses one extra step in order to explain what we want to the compiler:

int main(int argc, char **argv) {
    FooMaster fm;
    // Create a variable of the desired function signature type and assign
    // using desired member function.  This will resolve the correct
    // function thanks to the signature including the argument types.
    void (FooMaster::*fn)(int) = &FooMaster::foo;
    // Now pass the function variable to the template method so that it knows
    // exactly which function we mean.
    boost::bind(fn, boost::ref(fm), _1)(10);
    return 0;
}

All you have to do is give Mr Compiler a little bit of a helping hand…

Joy!

While I did get around to my one-extention-at-a-time testing of Firefox slowness I still haven’t got around to writing more about it. My, rough, observations are the following:

1. The longer Firefox is running the slower everything gets. As much as I’d love to turn my computer off every night and start afresh every morning the fact is that the best I can do really is put it into suspend, without wasting time every morning (I work at home and maintain a lot of state on my computer.) Another solution would be to stop-start firefox every now and then since it’ll reload my last set of open tabs/windows on starting, I really shouldn’t have to do that though, and it leads to point 2…
2. More tabs seems to mean more slowness. I tend to be tab-happy, like my 20-desktop(+tabs) spaces of state I find keeping stuff open in the browser to be simpler than worrying about “saving tabsets” and bookmarking everything (and trying to work out one end of the “history” from the other is just not going to work.) To this end I tend to have 2 or three browser windows open at a time with up to three rows of tabs in each. The slowness isn’t Firefox hitting swap so must be something else (Firefox memory use seems to grow linearly with number of tabs open, fair enough I guess since memory is cheap these days.) Maybe a plugin or extension, I haven’t tried the incremental-plugin/extension-addition + tab-growth experiment.
3. The “SwitchProxy Tool” extension does seem to cause slowness. I’m confounded as to why it should be so!
4. The “Google Browser Sync” extension also causes slowness. Again, I have no idea why, but it does a pretty complicated job.

That’s all I have to report. And AFAIC “problem solved!” “How so?!” You ask? Simple: I’ve mostly stopped using Firefox. Over the last few weeks I’ve been making a gradual switch to Opera. Oh no! It’s closed-source evilware! shrug It is:

1. Faster (oh, so much faster!), more responsive when I have 50 tabs open in three windows.
2. No longer encumbered with that annoying ad panel.
3. Now equipped (in the current beta) with native browser-sync functionality. This is nice since Google Browser Sync has become, for me, the most important Firefox feature. That said, I don’t know how “trusted” the Opera browser sync is and it certainly doesn’t seem to be as comprehensive as the Google offering. I expect Opera sync will be expanded in time.
4. No more of a memory hog than Firefox (as far as I can see, but I haven’t tested this exhaustively.)
5. Binary packaged for every distro I use and there’s an apt repository (though without Ubuntu dists, my sources.list line on Ubuntu gutsy is for Debian testing.)

On the downsides:

1. Has occasional problems with Flash, which require a browser restart but luckily Opera comes back up with all my windows and tabs rather quickly. Yes, in an ideal world there’d be no flash, wank, wank. Flash is a “fact of life” as far as the web goes these days, and IMO it gives us some useful things that would XHTML/CSS can’t. This particular problem is my most pressing issue with Opera at the moment.
2. No less of a memory hog than Firefox. This is based on occasional glances at top while running both, not any proper testing!
3. Much less of a CPU hog than Firefox but still pretty bad at idle sometimes. However this is mostly the fault of websites to some degree, it just seems that Opera keeps a tighter hold on not letting a site’s javascript get out of hand. For example, having smh.com.au open in Firefox really bogs it down, while Opera remains responsive (albeit at a constant ~10% CPU usage on my desktop.) It should be noted that the smh.com.au site runs some particularly disgusting javascript.
4. Hitting sites that “don’t work in Opera” is more common than “don’t work in Firefox”, but the Web’s become pretty good in this regard these days so this is fairly rare.

It should be noted that I’m using a beta version of Opera (on Ubuntu Gutsy.)

There are things I haven’t tried or worked out with Opera yet. Namely:

1. What’s on offer as far as equivalents to the Firebug and Web Developer Firefox extensions. I haven’t had to do any HTML/CSS debugging for a while.
2. AdBlock Plus equivalent? I think there might be one out there, but I have to admit I’m not hunting since I’ve kind of fallen out of love with auto-updated ad blocking, it was blocking things I wanted to see sometimes. Opera does have a “content block” feature and I use it to block out particularly bad ads and ad-iframes (anything I see that is large, or overtly bright, or animated.)

I haven’t spent much time looking into equivalent Opera functionality as I have everything I need for day-to-day browsing “out of the box.” However, I just found “Opera equivalents to Firefox extensions” and “Opera equivalents to Firefox extensions II” which look like a pretty good starting point!

In conclusion: I’m converted to Opera. It has it’s downsides, but so does Firefox and my feeling at the moment is that Firefox is more annoying than Opera.