I just read Herb Sutter’s C++0x lambda/closure teaser post. It’s intriguing, although I cringe at the new syntax. I’ll be mulling over this somewhat and waiting to see what else is said about it by the Internet’s hoard of people more qualified than I… though, of course, Herb Sutter may be the most qualified out there! No doubt I’ll eventually be convinced the new features are wonderful. For now I’m going to hope the technical brilliance of the ISO C++ committee has given birth to something beautiful – and in this instance Herb Sutter hasn’t done a good job of marketing it to numpties like me. (Then again, exception specifications got into the standard as well and it seems that even the people responsible for them would like to disown them now.)

In the “Write collection to console” example I have trouble seeing how the lambda version is obviously better. I look at the three examples and think to myself “huh, what’s the point?” The fact is that the for loop is clear, the for_each lambda version just makes it a little more terse. How about:

    #include <boost/foreach.hpp>
    ...
    BOOST_FOREACH(const Widget & widget, w) {
        cout << widget << " ";
    }

More readable than all Herb’s examples? Possibly. Herb Sutter makes a note that the final lambda-using example is the only one he typed up correctly before doing a complier-run. Maybe this could be related to the fact he’s probably been steeped in the specification of the lambda features lately?

The “Find element with Weight() > 100” example is a better one, aside from the grotesqueness of the lambda syntax. This []( has a face that only a mother could love:

    find_if( w.begin(), w.end(),
        []( const Widget& w ) -> bool { w.Weight() > 100; } ); 

Herb dares us to have a go with binders, here’s what I knock up for boost::bind:

    std::find_if(w.begin(), w.end(), boost::bind(std::greater(), boost::bind(&Widget::Weight, _1), 100));

This is a typical “bind class member return value to function (functor) argument” usage, I see (and use) it a lot. Though for the “>” case there’s an even more terse solution:

    std::find_if(w.begin(), w.end(), boost::bind(&Widget::Weight, _1) > 100);

I don’t particularly think one syntax is more readable or obvious than the other, but I’m used to reading uses of bind. Truth be told however, Herb’s functor example is easily the clearest at point-of-use. Is the clarity not worth the small clutter of having the GreaterThan functor implementation lying around somewhere (and entirely re-usable.) Herb has perhaps not chosen the best example here. Something just a little more complex could make the lambda version seem a lot better than the bind version, though such complexity would just make the overhead of writing the functor less of a concern (and the non-reusable lambda code seem more of a bad idea.)

[[Note: Since I wrote the above, on Saturday, a lively discussion has popped up in the comments on Herb Sutter’s post. In there he explains two strong disadvantages of the binder approach: 1) recognisable function syntax is lost with binders, 2) errors in binders generate some of the most horrible C++ template-spew error messages you can get out of compliers. That latter part is certainly a pain, it takes a few weeks of working with, and making mistakes with, binders before you can weed useful information out of those errors. Though they’re usually down to just a couple of syntax mistakes and you can check for them first and correct without needing to decipher the errors in 80%, or more, of cases. The other common problem I find with boost::bind is passing object arguments and forgetting boost::ref, an error you’d be much less likely to make with the function-declaration style of the lambda syntax.]]

The final “Most algorithms are loops” example is more compelling. But again, the example used doesn’t seem a great win over boost::bind. And both lambdas and binders seem a less maintainable route than functors. [[Note: See previous note for positive points of the lambda syntax over binders that also apply here.]]

It seems to me that the lambda syntax may offer a more robust and maintainable replacement for binders and, in extension, be a better way to “turn things into functors.” That is certainly a worthy achievement in itself. For simple cases the lambda syntax can provide an “it’s all in front of you” clarity to improve the readability of algorithms. For more complex cases I see it being used in lazy ways and giving the world some knotty code maintenance nightmares in the name of the quick hack. Stick to functors is my leaning at the moment, or use functions combined with the lambda syntax as a replacement for binders, if you must. It’s early days yet though, these are some first simple examples and the standard is still in progress. [[Note: insights from the “Beautiful Code” blog. Note that the non-standard solution to his .begin()/.end() pattern dislike is BOOST_FOREACH, it’d be nice to see something like that go into the standard.]

It’s great to see non-trivial new features going into C++, I look forward to reading what the experts have to say about it all! It’s worth noting that the items mentioned by Herb are just the most buzz-word friendly ones, an act of marketing no doubt. I suggest exploring the “Other approved features” that he links to, there’s some interesting ones in there. I’m most immediately intrigued by N2555, N2559, N2540, and N2535 – unfortunately I don’t have time to consider them in detail.

After a recent trip I seem to have left the charger for my mobile behind. I Googled for charger specifications but had no luck, so for the record: You can charge the Motofone F3 with 4.5v DC pin-positive. I have no idea if this is the actual output of the official charger, all I know is that it works. It’s easy to do if you have a multi-voltage power supply and a good collection of plugs for it! The supply I used was 500mA, which should be way above requirements in any case.

I was meaning to give a review of this phone model some time, but I doubt I’ll ever do it. In short: argh! That shouldn’t be surprising though, this is an ultra-simple phone. The only interesting feature is the E-Ink display, which is excellent – you can honestly read the display outdoors at night without turning on the backlight! That’s the only positive though, I though a dead-simple phone would be liberating but it really is just a pain in the backside. Keep in mind that I went from a fully-kitted out PDA phone (Motorola A1000) to the F3, about as huge a leap as you could make. (As far as I can see there are few PDA phones available even now that are compellingly better than the A1000, a phone from 2003 IIRC, in any feature other than battery life, and I’ve looked into this a fair bit as I’ve been trying to find an A1000 replacement – I await the release of Android handsets! I was almost tempted to get a Neo 1973 but no-3G was no-go for me.)

The main draw-back of the F3, aside from the lack of web and all those other modern features, is that it uses the SIM card for all data storage. This means the number of SMS messages it can store and the number of address records is tiny. The address records are also really simple, the usual for SIM storage. And, of course, there’s no computer interface (no USB, no blue-tooth, there’s a contact-pad that may be promising but that isn’t “out of the box.”)

The big plus of the F3 is that it is only 15 quid– I spend more than that a week on coffee. It’s the ideal travelling phone, robust and cheap. On the robustness front, I dropped a 30kg dumbbell on it (from only about 4 inches high, and by mistake!) and all it suffered was a minor dent near the screen.

I think that the potential of future models in this line is huge… but I’ll be going back to a feature-bloat model soon, I hope.

On attempting to install CentOS 5.1 using the “netinstall” ISO I had an annoying problem. Not long into the install process I was met with something like:

The file pam_krb5-2.2.14-1.i386.rpm cannot be opened.  This is due
to a missing file, a corrupt package or corrupt media.  Please
verify your installation source.

...

The options provided to either “Retry” or “Reboot” (default).

But I’m using netinstall, how can it be corrupt?! My netinstall source was UK Mirror Service which should be pretty reliable I’d expect. Anyway, I persisted in hitting “Retry” and eventually it seems it got pam_krb5-2.2.14-1.i386.rpm downloaded OK. Then a few seconds later I hit the same problem with rcs-5.7-30.1.i386.rpm, a few “Retry“s later the problem moves onto another package. This problem occurred for:

• pam_krb5-2.2.14-1.i386.rpm
• rcs-5.7-30.1.i386.rpm
• libICE-1.0.1-2.1.i386.rpm
• mintetty-1.07-5.2.2.i386.rpm
• sqlite-3.3.6-2.i386.rpm

I have no idea why this happened.

The message is: If you get the above error trying to do a CentOS “netinstall” just keep hitting “Retry” (even if it repeatedly fails on the same package.)

“Have form?” That’s the phrase that popped into mind when I first saw the name of this new “Phorm” company that’s recently found itself on the uncomfortable side of Internet privacy debates. I don’t know if the phrase is all that common, but if you grew up watching The Bill you probably know what I’m taking about, I think it’s Pommie police slang. Anyway, back to Phorm, It turns out they do have “form” … they even changed their name over it, from “121Media.” Under their earlier moniker they distributed something called “PeopleOnPage” which was widely proclaimed to be “spyware” (though some, including Phorm, debate that it is really just “adware” – I’ve made no attempt to determine whether I think it is one or the other myself, though based on the removal instructions it seems somewhat benign at least.)

What’s the story now? It turns out that they dumped the so-called spyware in favour of moving the spying to ISPs. (They have an “ain’t we good” story about how they bravely dumped the adware business, risking the potential wrath of their shareholders.) What’s more they’ve already signed on all the major UK providers, and have even run live integration tests! This leaked out recently and has caused quite a stir, first with The Register and now it’s even hit the mainstream news (thanks somewhat to The Netfather, Berners-Lee, expressing concern about it.) Phorm are also chasing deals in the US (not that people in the US have any privacy left to loose) and I’m sure Australia will be on the list too (and then the world! Murwahahahaarrr!)

Phorm’s executive did a pretty open and revealing interview with The Register, and on the face of it the technology seems pretty “privacy safe.” But a) would you really believe it’ll be flawless? And b) what’s the guarantee it’ll stay that way? The idea is that keywords are extracted from the URLs you request (i.e. search string) and the response data, this is filtered to remove “sensitive” content (sure, I bet that is really reliable – though if you’re sending sensitive data over a non-HTTPS connection you get what you deserve.) These keywords are used to categorise the browsing session, then ad delivery is tuned for this categorisation. I’m unclear as to whether they’re going to inject ads into pages (ick!) or if the information will only be used to tune ads on pages that use Phorm as an ad source.

All in all it’s somewhat interesting, but ads are ads and my ad filter means I never see the things anyway. How about this “you are being watched” aspect then? Frankly, it surprises me that anyone would think they can expect much privacy in their online wanderings. Every page you visit has embedded ads from a small handful of providers, do you think they don’t track some sort of “profile” and can track your transitions between the pages of their vast number of clients? (Check your cookies sometime and note the likes of “adclick”, and probably even things like “sextracker”!) Note that this sort of cookie technique will make even something like tor fairly useless in hiding your online “profile.”

What’s most amusing is that Phorm claim is be creating a revolution in privacy? Golly, I wish I had the time to research further into exactly how they explain that one. “Doesn’t store any personally identifiable information,” we’ve heard that before and even when it’s said in good conscience it can turn out to be far more identifiable than expected (remember the AOL search queries release that gave enough information for reporter to track someone to their home?) They seem to claim to not store any information at all, which sounds hopeful and would be good … but it doesn’t seem like much of a revolution! I think they may have been better off being open about things but not going to far as to put on the mangle of Internet freedom fighters, this just makes them a juicy target.

Anyway, if you do want some privacy, with caveats that I don’t have time to go into, then:

1. Use tor
2. Disable cookies

It’s fun to see how much of the web doesn’t work without cookies though! Or you could make them “always ask”, and find out how annoying that is. It could be nice to disallow cookies for any site other than the one displayed in your URL-bar (i.e. disallow for iframes, popups too would make sense), I don’t know if there’s a browser plugin for this though (sounds like we might need one.)

Personally, I mostly gave up on the “ad tracking” privacy issue a long time ago. I don’t expect that noisy privacy advocates, or even legislation, will change things much. Much like many other online security issues it is the very nature and design of the Internet that makes these things possible; want to redesign the whole Internet? Anyone? (Yes, I know people are trying, etc.) When it comes to the legal enforcement of these things it always seems to break apart at international borders, little surprise there. Finally, the tighter control schemes that may have some effect get the privacy advocates screaming as well! I.e. moving monitoring, ads (i.e. Phorm), security, and similar measures to the ISP – net neutrality anyone? And why is some random ISP any more trustworthy than doubleclick anyway?

All that said, I do personally bounce all my web browsing through a foreign end-point (but I don’t bother with tor) and I use a cookie blacklist. (The bounce is mainly because proxying via a machine somewhere in Europe, using an SSH port-forward, is actually faster than direct browsing over my Talk Talk connection. Yes, it’s insane.) Ultimately, I don’t think there’s any privacy to be had or expected when it comes to the “web”, as sad as that seems. That said, you can and should expect that data sent to sites (via HTTPS) is kept safe and secure – when this expectation is broken, then is it worth raising all kinds of hell!

It’s a wild world out there on the ‘net … it allows the bad guys to do bad, but also allows the good guys to do good, and, really, this is the way I like it. Some are a kind of geek equivalent to cowboys and know how to look after themselves, everyone else? Easy targets… who we should try to protect and educate.

[For the record: Personally, I don’t like the Phorn idea and I’d prefer them to be shown the door and thoroughly booted out of ISPs. But, realistically, I don’t think this would improve (or degrade) anyone’s privacy. I’m not so keen on the “we own our browsing” history argument from the privacy advocates though. Everything seems to turn to ownership eventually, I suspect this is one of the great problems with the way humans see the world. Things, even the metaphysical, must belong to someone.]

I’ve been using O’Reilly’s Safari a bit lately, thanks to ACM getting into bed with them and offering something like 600 titles as part of ACM membership. This alone makes the membership worthwhile AFAIC, it’s an excellent benefit. Of course, it is only as good as the books you have access to and I wondered if the selection would be any good. It turns out that the list of available books is actually not all that bad (not excellent, but you have to expect that – pay a bit more to access the full array of titles.)

Safari its self turns out to be quite friendly to use too. The books are presented in sensibly broken up sections (as opposed to “printed page” based) and in plain text using a fairly simple layout. A contents tree and current location sits unobtrusively on the left. And you can add notes and bookmarks, which is very useful but could do with a little web-twopointohey ajaxy goodness (link->form->post->return is so passé). It’s much better than all the crap I’ve seen done in putting magazines online (i.e. IEEE Spectrum, ACM Queue.) Books are a different concept I guess, but not that different maybe the crap magazine efforts stem from a resistance to making redundant all those poor souls who manage print layouts?

Anyway, I’ve resisted trying the Safari thing given that I prefer a good old paper book when I’m not in front of the PC. Thanks to ACM I’ve been able to give it a spin and, while it’s not going to replace print tech books in my life, there’s definitely a place for it in my reading habits.

Now if only Safari Books Online had an Offline mode… and I had a nice gadget for offline reading. Amazon’s Kindle doesn’t seem so crash hot to me, the high end HTC Advantage “phone” might do, but what I’d really like to see is an ASUS Eee in a tablet form (and had longer battery life.) That said, the whole offline thing isn’t going to matter all that much soon, well, now even.

Here’s an interesting little bug that good old pimpl can easily lead you to, with nary a whistle from the compiler. It actually all boils down to being damn lazy and not doing pimpl properly, but I’ll get to that later. First, let me introduce some lazy
code:

///////////////////////////////////////////////////////////////////////////////
// LazyThing.h
#include <boost/shared_ptr.hpp>
#include <string>

class LazyThing {
public:
    LazyThing();
    void setThing(const std::string & thing, bool value);
    bool getThing(const std::string & thing) const;
    unsigned thingCount() const;
private:
    class LazyThingImpl;
    // here's our pimpl
    boost::shared_ptr<LazyThingImpl> m_impl;
};

///////////////////////////////////////////////////////////////////////////////
// LazyThing.cpp
// #include <LazyThing.h>
#include <map>

// Declare the impl
class LazyThing::LazyThingImpl {
public:
    std::map<std::string,bool> m_thingMap;
};

// Define LazyThing
LazyThing::LazyThing() : m_impl(new LazyThingImpl()) {}

void LazyThing::setThing(const std::string & thing, bool value) {
    m_impl->m_thingMap[thing] = value;
}

bool LazyThing::getThing(const std::string & thing) const {
    return m_impl->m_thingMap[thing];
}

unsigned LazyThing::thingCount() const {
    return m_impl->m_thingMap.size();
}

///////////////////////////////////////////////////////////////////////////////
// main.cpp
// #include <LazyThing.h>
#include <iostream>

int main() {
    LazyThing t;
    t.setThing("foo", false);
    t.setThing("bar", true);
    std::cout << t.thingCount() << std::endl;
    std::cout << (t.getThing("foo") ? "true" : "false") << std::endl;
    std::cout << (t.getThing("bar") ? "true" : "false") << std::endl;
    std::cout << (t.getThing("baz") ? "true" : "false") << std::endl;
    std::cout << t.thingCount() << std::endl;
    return 0;
}

Both g++ and icc will compile this code with no errors or warnings (ignoring some spurious unrelated ones from icc when -Wall is set.) When we run the resultant binary we see this:

2
false
true
false
3

Fair enough? Well no, the code has a bug. Though you don’t know for sure since I haven’t given a specification for getThing, let it be this: returns the value set for thing; returns false if thing has not been set. So, that final 3 is a bit disturbing. Hey, isn’t getThing supposed to be const?! What’s the root of this? If you’ve much experience with C++/STL then you’ll know that operator[] is a non-const member that inserts a default-constructed element into the std::map if no element previously exists. You’ll know this either from properly reading the documentation, or from having this sort of situation bite you in the arse before (prompting you to properly read the documentation;) Quite simply, the code should not be using operator[] in getThing, that is completely retarded. But, you say, if it is non-const then why did the compiler let us call it?! The understanding is that a const method is not permitted to make non-const calls on data members. Right? Alas, this breaks down with pointers!

If we take the above code and remove the pimpl, embed the std::map into LazyThing, and then try to implement getThing with return m_map[thing] the code won’t compile. As we’d hope! If we take the above and change the boost::shared_ptr pimpl container to a plain LazyThingImpl* then the code will compile and exhibit the disturbing behaviour above. (In other words: don’t blame the shared_ptr.)

So, what gives? Compiler getting lost or does the C++ standard let this happen? In fact, the behaviour here is logically correct, even though it feels wrong. If we refer to 9.3.2 of the spec, namely “the this pointer“, and look at paragraph 2 we see what seems to be the extent of the power of applying const to a member function.

const member function, the object for which the function is called is
accessed through a const access path; therefore, a const member function
shall not modify the object and its non-static data members.

So a const member can’t modify non-static data members, if the std::map is a member then operator[] clearly modifies it, verboten! If a LazyThingImpl* is a member then calling a non-const method on the object the pointer points to clearly does not modify the pointer. Sure, it modifies the destination instance but I think that is beside the point… that instance is not the member in question, the pointer is. (And yeah, you can modify static “members” in const member functions too.)

So, we knew all this already right? In general it isn’t new to me, I’ve hit the const calling non-const on pointer “problem” before. However the pattern in the code above is simplified (a lot) from something I wrote last week, I committed this crime. At the root of the crime is a sin: laziness. Thus the name of the class! You see, you’re not really supposed to implement pimpl as “pointer to data struct”, as named the pattern is “pointer to implementation” and we can avoid the whole problem above, the foolish mistake of using operator[], by doing pimpl the right way.

Brace yourself for another code dump!

///////////////////////////////////////////////////////////////////////////////
// Thing.h
#include <boost/shared_ptr.hpp>
#include <string>

class Thing {
public:
    Thing();
    void setThing(const std::string & thing, bool value);
    bool getThing(const std::string & thing) const;
    unsigned thingCount() const;
private:
    class ThingImpl;
    boost::shared_ptr<ThingImpl> m_impl;
};  

///////////////////////////////////////////////////////////////////////////////
// Thing.cpp
// #include <Thing.h>
#include <map>

// Declare the impl - mirroring the Thing public interface!
class Thing::ThingImpl {
public:
    void setThing(const std::string & thing, bool value);
    bool getThing(const std::string & thing) const;
    unsigned thingCount() const;
private:
    std::map<std::string,bool> m_thingMap;
};

// Define ThingImpl methods
void Thing::ThingImpl::setThing(const std::string & thing, bool value) {
    m_thingMap[thing] = value;
}

bool Thing::ThingImpl::getThing(const std::string & thing) const {
    std::map<std::string,bool>::const_iterator res = m_thingMap.find(thing);
    if (res == m_thingMap.end()) {
        return false;
    }
    return res->second;
}

unsigned Thing::ThingImpl::thingCount() const {
    return m_thingMap.size();
}

// Define Thing methods
Thing::Thing() : m_impl(new ThingImpl()) {}
    
void Thing::setThing(const std::string & thing, bool value) {
    m_impl->setThing(thing, value);
}   
    
bool Thing::getThing(const std::string & thing) const { 
    return m_impl->getThing(thing);
}   

unsigned Thing::thingCount() const {
    return m_impl->thingCount();
}

I’ve left out main this time, aside from the altered class name it is identical to the previous main. So, the difference is that Thing is now no more than a proxy, every call to Thing just makes the same call to m_impl. It’s important that it is the same call too, otherwise you might get yourself lost. The public interface to ThingImpl should mirror that of Thing including constness! If you made ThingImpl‘s getThing non-const you’d still be permitted to make the operator[] mistake. As the code is above, if you tried using operator[] on m_map in Thing::ThingImpl::getThing the compiler would tell you to get buggered:

:; g++ -Wall -Wextra -pedantic Thing.cpp -o Thing
Thing.cpp: In member function 'bool Thing::ThingImpl::getThing(const std::string
&) const':
Thing.cpp:38: error: no match for 'operator[]' in '((const Thing::ThingImpl*)thi
s)->Thing::ThingImpl::m_thingMap[thing]'
/usr/include/c++/4.1.3/bits/stl_map.h:340: note: candidates are: _Tp& std::map<_
Key, _Tp, _Compare, _Alloc>::operator[](const _Key&) [with _Key = std::basic_str
ing<char, std::char_traits<char>, std::allocator<char> >, _Tp = bool, _Compare =
 std::less<std::basic_string<char, std::char_traits<char>, std::allocator<char> 
> >, _Alloc = std::allocator<std::pair<const std::basic_string<char, std::char_t
raits<char>, std::allocator<char> >, bool> >] <near match>

Love those g++ template messages! This is what I like to see though, the compiler letting me know when I’ve done something stupid. So, remember:

pimpl is “pointer to implementation“

This goes far beyond this silly example using std::map::operator[]. If you only move data members to your impl and access them all via the pimpl from logic in the interface class then you’ve entirely lost the enforcement of const. You could modify a std::string, increment an int, or whathaveyou. Know better, mirror the interface in the impl and make the data members private.

(A quick Google shows up a few pimpl examples out there on the web that do what I’ve called “pointer to data struct.” Then again, I don’t have 100% confidence that my interpretation of “implementation” is that of the originator(s) of the concept anyway – protecting the const enforcement as strongly as possible seems wise to me though.)

Or should that be virtualization. I’m sick of dealing with two slightly different dialects of English, we zhould remove the letter ezz from the alphabet or zomething. The problem is that back in those oh-so-formative years of primary school it was hammered into us that spelling errors are a crime against all things good and decent. Hammered in with a bloody pile-driver. People who didn’t “get it” in the spelling department, I being one of them, were labelled as stupid slow-learners and punished. This is despite getting into “talented” class streams (via some weird abstract test) and being a voracious reader of “very large books” — doesn’t matter, if you can’t spell you’re clearly a moron. (Do I hold a grudge against the Western Australian public Primary School curriculum, nah, despite life becoming incredibly better after I moved to a private school for my final year of primary school, never…)

The point is: not being able to spell is a crime and a word spelt incorrectly is an abomination. This facet of education is, I suspect, the reason so many people seem so ridiculously patriotic about their funny little localisations of English. My guess is that the root of the problem is a deep and abject fear of our primary school teachers, fascist dictators over years of our lives, who would mock and ridicule us if we forgot our i before e except after c (except the exceptions.)

So, what are we to do in a world where there are two correct ways to spell many words? Where, for business reasons, spelling something the wrong correct way (the uncomfortable way) is often required. A lot of people, such as the audience for that report you’re writing, suffer the same mental disability when it comes to uncomfortable foreign spelling. Grin and bear it I say, try to put the childhood monsters of “incorrect” spelling behind you. For any given document decide which is the best way to go and, first and foremost, strive for consistency.

OK… that was an unintentional rant-cum-ponderance. What I was meaning to write was that the Jan/Feb ACM Queue landed in my mailbox the other day and I’ve been reading it over my morning coffee this week. It provides a pragmatic, low-hype, introduction to virtualization. Starting with an essential history and “what is it” before moving on to an informative coverage of some technical gotchas by Ulrich Drepper. I highly recommend reading the articles to anyone curious about this latest buzz-word. They put the full Queue on the web now, not as nice to read as the paper version IMO (yeah, trees, I know) but better than nothing. (sigh using some non-web-format-for-the-web like IEEE spectrum.)

It’s probably no surprise that I’m a little hyper-aware of secure coding of late. Sure, I’ve got the certification – but there’s still so much I don’t know. One thing I note in much of my own code and most code I’ve read is that there is little regard for integer errors. I’d take a stab that this is the most common coding error out there.

Of particular note is the problem of assigning the result of an operation between two variables to a variable of a different type. For example (unsigned) int versus (signed) long. Intuitively you’d think something like “long has more bits so it’s safe to assign an unsigned int to a signed long.” That could result in the following code:

unsigned aardvarkCageCount();
unsigned aardvarkCount();

int main(void) {
    ...
    long x = aardvarkCount();
    x -= aardvarkCageCount();
    ...
}

Our assumption is that because the functions called return an unsigned int that it is safe to put this into a signed long because a long‘s gotta have at least one more bit than an int, right? Yeah?

It is best to never make assumptions. The C99 standard defines only minimum values for integer bounds, by the standard the relevant bounds are:

Hey, looks pretty safe doesn’t it? Recall that I said these are minimum bounds! Compiler writers can do whatever they like as far as maximum values are concerned. Compile and run this code:

#include <limits.h>
#include <stdio.h>

int main(void) {
    printf("UINT_MAX: %u (%d bytes)n", UINT_MAX, sizeof(unsigned));
    printf("LONG_MAX: %ld (%d bytes)n", LONG_MAX, sizeof(long));
    return 0;
}

For me:

:; gcc stdint.c -o stdint
:; ./stdint 
UINT_MAX: 4294967295 (4 bytes)
LONG_MAX: 2147483647 (4 bytes)
:;

Oh oh! An unsigned int can be larger than a signed long! So the assumption that the latter will be big enough to hold the former is wrong! Unfortunately this is an intuitive “easy fix” for those worrying about overflow, it seems good at the time, in theory. But the loose specification for int is that it represents the most natural value size for the underlying hardware, so 32 bits on most machines with which we’ve grown, with growing popularity for 64 bits. We’ll get to the relationship between int and long shortly.

#include <limits.h>
#include <stdio.h>

/* We have four billion aardvarks!  That's a lot of stew. */
unsigned aardvarkCount() { return 4000000000u; }
/* And only 20 cages. */
unsigned aardvarkCageCount() { return 20; }

int main(void) {
    long x = aardvarkCount();
    printf("There are %ld aardvarks.n", x);
    x -= aardvarkCageCount();
    printf("Aardvarks minus cages is %ld.n", x);
    return 0;
}

Gives:

:; gcc aardvark.c -Wall -o aardvark
:; ./aardvark 
There are -294967296 aardvarks.
Aardvarks minus cages is -294967316.

No surprise. Surely we can get the compiler to tell us when we’re doing something stupid like this?

:; gcc aardvark.cc -Wall -Wextra -ansi -pedantic -o aardvark
:;

No luck. As far as I can tell from scanning man gcc there isn’t an option that’s going to work for us. Some might be thinking, “what about -ftrapv?!” Sorry, not gonna help. The -ftrapv option in gcc only works when both arguments to arithmetic operations are signed – technically it works for overflow but not wrap. If we compile this code with -ftrapv it runs fine. For an example of how not-so-useful this can be:

:; cat ftrapv.c 
#include <stdio.h>
int main(void) {
    long x = 2000000000;
    unsigned y = 2000000000;
    long z = x + y;
    printf("z = %ldn", z);
    return 0;
}
:; gcc ftrapv.c -Wall -Wextra -ftrapv -o ftrapv
:; ./ftrapv 
z = -294967296
:;

To make -ftrapv do something the arguments to arithmetic operations must both be signed. As in:

:; cat ftrapv.c 
#include <stdio.h>
int main(void) {
    long x = 2000000000;
    long y = 2000000000;
    long z = x + y;
    printf("z = %ldn", z);
    return 0;
}
:; gcc ftrapv.c -Wall -Wextra -ftrapv -o ftrapv
:; ./ftrapv 
Aborted (core dumped)
:;

Unfortunately, as far as I can see, even then that’s all we can do. Aborting isn’t entirely useful, but I guess it is better than continuing on in an undefined state! Furthermore -ftrapv turns signed arithmetic operations into a function call, if we look at the disassembly of the generated code we see:

...
080483a4 <main>:
...
 80483b5: c7 45 f0 00 94 35 77 movl   $0x77359400,-0x10(%ebp)
 80483bc: c7 45 f4 00 94 35 77 movl   $0x77359400,-0xc(%ebp)
 80483c3: 8b 45 f4             mov    -0xc(%ebp),%eax
 80483c6: 89 44 24 04          mov    %eax,0x4(%esp)
 80483ca: 8b 45 f0             mov    -0x10(%ebp),%eax
 80483cd: 89 04 24             mov    %eax,(%esp)
 80483d0: e8 2b 00 00 00       call   8048400 <__addvsi3>
...
...
08048400 <__addvsi3>:
 80483f0: 55                 push  %ebp
 80483f1: 89 e5              mov   %esp,%ebp
 80483f3: 53                 push  %ebx
 80483f4: 83 ec 04           sub   $0x4,%esp
 80483f7: 8b 45 0c           mov   0xc(%ebp),%eax           # arg2
 80483fa: 8b 4d 08           mov   0x8(%ebp),%ecx           # arg1
 80483fd: e8 2a 00 00 00     call  804842c <__i686.get_pc_thunk.bx>
 8048402: 81 c3 e2 11 00 00  add   $0x11e2,%ebx
 8048408: 85 c0              test  %eax,%eax                # set SF if arg2 < 0
 804840a: 8d 14 01           lea   (%ecx,%eax,1),%edx       # 'lea' trick for arg1 + arg2
 804840d: 78 11              js    8048420 <__addvsi3+0x30> # if arg1 < 0 goto cmp below
 804840f: 39 d1              cmp   %edx,%ecx                # else compare result and arg1
 8048411: 0f 9f c0           setg  %al                      # %al = 1 if arg1 < result
 8048414: 84 c0              test  %al,%al
 8048416: 75 0f              jne   8048427 <__addvsi3+0x37> # if %al == 0 jump to abort!
 8048418: 83 c4 04           add   $0x4,%esp
 804841b: 89 d0              mov   %edx,%eax
 804841d: 5b                 pop   %ebx
 804841e: 5d                 pop   %ebp
 804841f: c3                 ret   
 8048420: 39 d1              cmp   %edx,%ecx                 # compare result and arg1
 8048422: 0f 9c c0           setl  %al                       # %al = 1 if arg1 > result
 8048425: eb ed              jmp   8048414 <__addvsi3+0x24>  # jump to test above
 8048427: e8 b0 fe ff ff     call  80482dc <abort@plt>
...

Ick! That’s a fair bit of code for an addition! A more readable representation of __addvsi3 would be:

int add(int a, int b) {
    int good = 0;
    int res = a + b;
    if ((b < 0) && (a > res)) good = 1;
    else if (a < res) good = 1;
    if (good == 0) abort();
    return res;
}

(Sorry about the iffy one-liners.)

Before you think “but what about -O[123]!?” … Yep, they get rid of the call. The optimisation takes precedence, since the code is adding two simple constants the optimiser does the addition at compile time. In this way optimisation reduced the effectiveness of -ftrapv. It doesn’t disable it entirely though, a simple trick is to set one of the variables volatile and do an optimised compile. In this case you’ll observe that the call to __addvsi3 is included despite optimisation. This is heading towards another can of worms now though, how often does optimisation really matter for most software? I’ll save the rest of this line of thought for another day…

Anyway, this is all beside the point as our original problem involved assignment with mixed signed values. I.e. it boils down to this:

    long x = 4000000000u;
    printf("z = %ldn", x);

We’ve failed to find any -W flags or any other trap/exception for gcc that will help us out here (or g++ for that matter, my original examples were all C++ but I decided to “purify” them.)

What to do? I think the answer is: don’t make the mistake in the first place! Be aware of the limits, and the limitations of the limits. When necessary always check the values, but try not to get into problematic situations in the first place. If you can afford the overhead use an arithmetic library that deals with the details for you (I’d guess that the majority of code can afford the overhead.) Adding your own boundary guards can be tricky work and I’d recommend sticking to safe alternatives or, at least, recipes from a reliable source.

Let us follow some “intuition” again. An approach is to first store the return values in local variables of the right type. Then test the values before trying to store the result in a long (yes, the example is rather contrived, live with it.)

int main(void) {
    long x = 0;
    unsigned a = aardvarkCount();
    unsigned c = aardvarkCageCount();
    if ((a - c) > LONG_MAX) {
        printf("Oops: %u - %u = %u!n", a, c, (a-c));
        printf("LONG_MAX=%ld LONG_MIN=%ldn", LONG_MAX, LONG_MIN);
        return 1;
    }
    x = a - c;
    printf("There are %u aardvarks.n", a);
    printf("Aardvarks minus cages is %ld.n", x);
    return 0;
}

This is only a guard for the “subtraction result too large to store in a long” case. It looks reasonable enough to cover this though, right? Nup! What happens when a is 1 and c is 2?

:; ./aardvark 
Oops: 1 - 2 = 4294967295!
LONG_MAX=2147483647 LONG_MIN=-2147483648

The problem here is that the (unsigned - unsigned) expression yields an unsigned value, thus we get integer wrap! So, we’re not there yet. We’d better guard out the wrap case:

    if ( ((a > c) && (a - c) > LONG_MAX) ) {
        printf("Oops: %u - %u = %u!n", a, c, (a-c));
        printf("LONG_MAX=%ld LONG_MIN=%ldn", LONG_MAX, LONG_MIN);
        return 1;
    }

Now, we also want to guard the case where (a - c) is is too small for LONG_MIN. Don’t go thinking this is good enough either:

    (a < c) && (c - a) < LONG_MIN) /* BAD! */

Remember that (a - c) will always yield an unsigned result, thus the second condition will always be false. Good thing about this case is that the compiler will actually warn you about the comparison between signed and unsigned values. (You always compile with warnings on, right?) We’ll need to rearrange the arithmetic.

    if ( ((a > c) && (a - c) > LONG_MAX) ||
         ((a < c) && (c > (LONG_MIN + a))) ) {
        printf("Oops: %u - %u = %u!n", a, c, (a-c));
        printf("LONG_MAX=%ld LONG_MIN=%ldn", LONG_MAX, LONG_MIN);
        return 1;
    }

This raises the question: “is (LONG_MIN + unsigned int) a safe expression?” We can look at section 6.3.1.1 of the C standard to answer this. The integer conversion rank definition states, in part, “The rank of a signed integer type shall be greater than the rank of any signed integer type with less precision.” (The precision is defined as the number of bits used to represent values.) The following ranking clause is “The rank of long long int shall be greater than the rank of long int, which shall be greater than the rank of int, …” These two clauses tell us, I think, that if an int is 64 bits then a long will also be 64 bits, which would be the primary concern here. Phew, we seem to be safe.

I’ll leave this here since I don’t have time to dig any deeper. There’s more to consider though! For example, what about non-two’s-complement representations, can we derive the same safety from the rules? What about performance optimisations? What else? I suggest you read the specification. It’s hard going! And reading is very different to understanding. Of course, understanding what is specified also requires understanding exactly what isn’t specified! I’m not even close myself…

The main point of this exercise is to indicate that the problem is a difficult one and the solutions are often non-obvious. For this reason I’d recommend the previously suggested path of relying on a 3rd party secure/safe arithmetic library. This offloads the worry to someone else, who’s hopefully better informed and also does their best to keep their solutions optimal. Personally, I’d prefer to let someone else solve the problem.

A good starting point for learning more yourself is the CERT Secure Coding Standard wiki section on integers (in C.) Then try to find a reasonable safe integer arithmetic library, I’m afraid I don’t have the experience to recommend any particular one. The ones documented in literature I’ve covered are for Windows (I’m most familiar with IntegerLib on the CERT site, it is a Visual Studio project and needs some tweaking to be compiled on Linux. I’ve done enough tweaking to make it compile for me, see note [1] below.) Alternatively (and perhaps most simply) change your integer representation completely by switching to one of the various arbitrary precision arithmetic libraries available. GMP, for example, has been around for ages, is multi-platform, and even has a C++ wrapper.

[1] I got the CERT IntegerLib compiling under Linux. In theory this is written by experts who got all the guards right… Unfortunately it was clearly written with only Windows in mind as there is no support for a non-Windows build. I’ve worked through the code and added the trivial changes and a build system that make it compile for me (up to date Ubuntu gutsy.) My mods to IntegerLib are here (or here for just a diff.) Don’t mistake “compiles” for “is correct” though, it has not gone through rigorous testing. You’ll need a typical C build environment (with all the autotools/libtool junk if you want mod and regenerate the configure stuff.) To compile enter IntegerLib/IntegerLib and do a ./configure then a make. If you’re lucky this will give you the test binary, run it to see the examples of how it works. Have a look at their IntegerLib.h file for a listing of the available methods. Note especially that correct use of their library requires that all parameters must be of the type defined in their API and the same goes for the variable used to store the return type. This code doesn’t directly solve the original problem: subtracting unsigned int values to a signed long result. The main problem is that the unsigned int subtraction may result in a value that is perfectly reasonable for a signed long but no good for an unsigned int. The library as it stands doesn’t cover arithmetic operations assigned to a different type (where the result may possibly be valid.)

Be warned! If using pcrecpp::QuoteMeta on strings with embedded null bytes the results might not be as you expect!

#include <pcrecpp.h>
#include <string>
#include <iostream>

int main(void)
{
    std::string unquoted("foo");
    unquoted.push_back('');
    unquoted.append("bar");
    std::string autoquoted = pcrecpp::RE::QuoteMeta(unquoted);
    std::string manualquoted("foo\x00bar");
    std::cout &lt;&lt; "Auto quoted version is: " &lt;&lt; autoquoted &lt;&lt; std::endl;
    std::cout &lt;&lt; "Auto match result is: " &lt;&lt; pcrecpp::RE(autoquoted).FullMatch(unquoted) &lt;&lt; std::endl;
    std::cout &lt;&lt; "Manual quoted version is: " &lt;&lt; manualquoted &lt;&lt; std::endl;
    std::cout &lt;&lt; "Manual match result is: " &lt;&lt; pcrecpp::RE(manualquoted).FullMatch(unquoted) &lt;&lt; std::endl;
    return 0;
}

:; g++ quotemeta.cc -o quotemeta -lpcrecpp
:; ./quotemeta 
Auto quoted version is: foobar
Auto match result is: 0
Manual quoted version is: foox00bar
Manual match result is: 1
:;

Dammit!

But is it a bug? The documentation in pcrecpp.h says:

  // Escapes all potentially meaningful regexp characters in
  // 'unquoted'.  The returned string, used as a regular expression,
  // will exactly match the original string.  For example,
  //           1.5-2.0?
  // may become:
  //           1.5-2.0?
  static string QuoteMeta(const StringPiece& unquoted);

And that’s what man pcrecpp tells me too. So the definition is essentially “does what perl’s quotemeta does.” Hrm:

:; perl -e 'print quotemeta("foox00bar") . "n"'
foobar
:; perl -e 'print quotemeta("foox00bar") . "n"' | xxd
0000000: 666f 6f5c 0062 6172 0a                   foo.bar.

That second command is just to determine that the null byte is actually still there. The same trick with ./quotemeta shows that the null is also still there when pcrecpp::QuoteMeta is used.

So, the behaviour of pcrecpp::QuoteMeta is correct by definition.

What about the matching then? Should “” followed by a literal null be part of the regular expression? I’m not sure about libpcre semantics for this but let’s test with Perl. Note that pcrecpp::FullMatch means the whole string must match, so the Perl expression must have “^” and “$” at either
end.

:; perl -e '$s="foobar"; $p=quotemeta($s); $s =~ s/^$p$//; print "<$s>n"' | xxd
0000000: 3c3e 0a                                  <>.
:; perl -e '$s="foobar"; $p=quotemeta($s); $s =~ s/^foo//; print "<$s>n"' | xxd
0000000: 3c00 6261 723e 0a                        <.bar>.
:; perl -e '$s="foobar"; $p=quotemeta($s); $s =~ s/^foo//; print "<$s>n"' | xxd
0000000: 3c62 6172 3e0a                           <bar>.

OK, looks like pcrecpp isn’t matching like Perl. Digging into the pcrecpp.cc source equivalent to the Ubuntu package I’m using shows:

...
RE(const string& pat) { Init(pat, NULL); }
...
void RE::Init(const string& pat, const RE_Options* options) {
 pattern_ = pat;
...
  re_partial_ = Compile(UNANCHORED);
  if (re_partial_ != NULL) {
    re_full_ = Compile(ANCHOR_BOTH);
  }
...
pcre* RE::Compile(Anchor anchor) {
...
  if (anchor != ANCHOR_BOTH) {
    re = pcre_compile(pattern_.c_str(), pcre_options,
                      &compile_error, &eoffset, NULL);
  } else {
    // Tack a 'z' at the end of RE.  Parenthesize it first so that
    // the 'z' applies to all top-level alternatives in the regexp.
    string wrapped = "(?:";  // A non-counting grouping operator
    wrapped += pattern_;
    wrapped += ")\z";
    re = pcre_compile(wrapped.c_str(), pcre_options,
                      &compile_error, &eoffset, NULL);
  }
...

Hm! The problem is that the QuoteMeta leaves the literal null byte in then later on the compilation uses the string’s c.str(). Naturally this will be null-terminated, so that marks the end of our pattern.

It seems to be that pcre_compile doesn’t offer a version with a specified string length so there’s no way around this without printable-quoting the null. This is find in libpcre since the behaviour is obvious. Maybe not so find in pcrecpp since it is common to use std::string as a non-printable data container (it is very common, but maybe it is a “bad thing”™?) I think it is a bug in pcrecpp, but it could be a “document the caveat” bug rather than “do magic to make it work bug.”

Looks like pcrecpp.cc is actually part of upstream libpcre. Should file a bug I guess.