Planet Fp-Syd

Dave Thomas, who is widely known for his work on virtual machines and the YOW! Australia conference series, will be in Sydney this month. He kindly agreed to talk about VMs at CSE. Anybody with an interest in VM engineering and programming language implementations should mark the date in their calendar!

Time: 29 May 2013 (Wed), 11AM

Location: CSE Seminar room (K17_113), Level 1, CSE Building (K17)

Title: VMs Demystified – A Tour of the Engine Room

Speaker: David Thomas (Bedarra Research Labs and YOW! Developer Conference)

Also showing at: The talk is also presented at ScalaSyd the previous evening, 28 May, 18:30 — details here. 

Abstract

Language virtual machines are an essential part of current and next generation platforms.  Yet many developers have no real idea of what is actually happening when their program is run on a VM or the hardware.  This leads to many false assumptions about speed and space performance.  In this talk you will see under the hood of language virtual machines and gain an understanding of what makes VMs tick as well as differences between the languages they support.

First we explain the essence VM engineering including object representations, stack versus register VMs, RISC versus CISC byte codes; static dispatch to polymorphic inline cache; context management; interpretation versus dynamic translation/tracing versus compilation; garbage collection; and native types and code interfaces. We discuss benchmark speed and space performance versus real application performance.

Armed with the above knowledge we then engage in some of the entertaining educational VM debates. How can a JVM or PHP VM faster than C++? When is the JVM or CLR better? How does the language, or the language library impact the VM? Are strongly typed languages always faster than dynamic languages? How does hosting with CRuby, compare to JRuby or Java? Let’s put the VM in hardware? How do functional language VMs differ from object VMs? How can thousands of processes in Erlang be efficient compared to using native OS threads?

Bio

Dave Thomas is an expert in dynamic languages and has decades of experience building and deploying language VMs for mobile, instrumentation, embedded command and control, and business application on platforms from mainframes to micro devices. He is widely known and respected in the programming language community and this year will be presenting the keynote at the Commercial Users of Functional Programming (CUFP) conference. While CEO of OTI, now IBM OTI Labs, he over saw IBM’s Smalltalk and J9 family of Java enterprise and embedded JVMs, OSGi as well as the initial releases of Eclipse. He lead an IBM OTI research effort into universal virtual machines. After leaving IBM he worked on JVM support for dynamic languages and the use of V8 for embedded applications. For the past 6 years Dave has been working with high performance vector functional virtual machines, DSLs and most recently exploring special purpose HW VMs.

With the demise of Posterous (after it was swallowed by Twitter), my blog is back to Tumblr. I have got plans for a more customised set up in the medium term, but currently I don’t have the time to set up blogging software.

As the URL scheme of Posterous and Tumblr is different, this breaks all existing direct links to post. Moreover, many of the old posts include a footer that points back to the defunct Posterous, and comments are also gone. I’m sorry for the mess.

We just completed a draft of a new paper, Optimising Purely Functional GPU Programs, that explains two crucial optimisations of Accelerate, our embedded array language for GPU programming in Haskell. These two optimisations are a novel typed form of sharing recovery for embedded languages and a new array fusion method for massively parallel SIMD programs. The paper includes details on eight benchmark programs that support the effectiveness of our optimisations and pit Accelerate against competing frameworks, including CUDA C code.

I’ve decided that I should be using xmega AVR microcontrollers rather than the older series — the timer architecture is much nicer for one thing. The only downside is that they are 3.3V only — and have a different programming interface.

I bought the ZeptoProg II and a simple header board from Justin Mattair at mattairtech.com.

The programmer isn’t explicitly supported on OS X, but in fact it works fine once you set it up correctly.

I use avrdude for programming AVRs, and when I first ran it with the ZeptoProg II I got:

Blonder:avrtest tomd$ avrdude -c avrisp2 -p x128a4 -P usb:000200012345 -U flash:r:flash.hex:h -v -v -v -v

avrdude: Version 5.11.1, compiled on Feb 16 2012 at 22:11:20
    Copyright (c) 2000-2005 Brian Dean, http://www.bdmicro.com/
    Copyright (c) 2007-2009 Joerg Wunsch

    System wide configuration file is "/usr/local/CrossPack-AVR-20120217/etc/avrdude.conf"
    User configuration file is "/Users/tomd/.avrduderc"

    Using Port                    : usb:000200012345
    Using Programmer              : avrisp2
avrdude: usbdev_open(): Found AVRISP mkII, serno: 000200012345
avrdude: usbdev_open(): using read endpoint 0x82
avrdude: Sent: . [01] 
avrdude: usbdev_recv_frame(): usb_bulk_read(): usb_bulk_read: An error occured during read (see messages above)
avrdude: stk500v2_recv_mk2: error in USB receive
avrdude: usbdev_send(): wrote -104 out of 1 bytes, err = usb_bulk_write: An error occured during write (see messages above)
avrdude: stk500_send_mk2(): failed to send command to serial port

I contacted Justin, who explained that this meant that the ZeptoProg was in AVR Studio mode, not avrdude mode. There’s a Java application which allows you to change this (it also allows you to use the ZeptoProg as a logic analyzer and signal generator).

There was one gotcha — the jar containing this application bundles the librxtxSerial.jnilib library which it needs to talk to the USB port, but only a 32 bit version. Java on my OS X version is 64 bit only, so I got messages like:

Blonder:xmega tomd$ java -jar ~/Downloads/ZeptoProg_II.jar 
java.lang.UnsatisfiedLinkError: /private/var/folders/tv/58qc8nq53x50q8f7r31z_6280000gn/T/natives3881310/librxtxSerial.jnilib: dlopen(/private/var/folders/tv/58qc8nq53x50q8f7r31z_6280000gn/T/natives3881310/librxtxSerial.jnilib, 1): no suitable image found.  Did find:
/private/var/folders/tv/58qc8nq53x50q8f7r31z_6280000gn/T/natives3881310/librxtxSerial.jnilib: no matching architecture in universal wrapper thrown while loading gnu.io.RXTXCommDriver
Exception in thread "main" java.lang.UnsatisfiedLinkError: /private/var/folders/tv/58qc8nq53x50q8f7r31z_6280000gn/T/natives3881310/librxtxSerial.jnilib: dlopen(/private/var/folders/tv/58qc8nq53x50q8f7r31z_6280000gn/T/natives3881310/librxtxSerial.jnilib, 1): no suitable image found.  Did find:
/private/var/folders/tv/58qc8nq53x50q8f7r31z_6280000gn/T/natives3881310/librxtxSerial.jnilib: no matching architecture in universal wrapper
at java.lang.ClassLoader$NativeLibrary.load(Native Method)
at java.lang.ClassLoader.loadLibrary1(ClassLoader.java:1939)
at java.lang.ClassLoader.loadLibrary0(ClassLoader.java:1868)
at java.lang.ClassLoader.loadLibrary(ClassLoader.java:1854)
at java.lang.Runtime.loadLibrary0(Runtime.java:845)
at java.lang.System.loadLibrary(System.java:1084)
at gnu.io.CommPortIdentifier.<clinit>(CommPortIdentifier.java:83)
at GUITerminal.getAvailableSerialPortNames(GUITerminal.java:234)
at GUITerminal.<init>(GUITerminal.java:134)
at ZeptoProgGUI.<init>(ZeptoProgGUI.java:56)
at ZeptoProg_II.main(ZeptoProg_II.java:25)

The strange /private/var/folders/tv/58qc8nq53x50q8f7r31z_6280000gn/T... path in the message above is where the jnilib from the jar is unpacked.

To fix this I needed to:

• download this file http://code.google.com/p/create-lab-commons/source/browse/trunk/java/lib/rxtx/librxtxSerial64.jnilib (this contains 64 bit and 32 bit architectures)
• rename it to librxtxSerial.jnilib (possible not necessary)
• replace the file in the jar: jar uf ZeptoProg_II.jar librxtxSerial.jnilib
• then it runs fine with java -jar ZeptoProg_II.jar
• Put the board into multitool mode, then a file /dev/tty.usbmodem513281 will appear (not sure if the number is always the same) and you can refresh the COM port list, select it and connect. When the board is not in tool mode that device is not present in /dev.

Once set up like that the ZeptoProg works with avrdude.

I had a long running, CPU intensive Haskell program that I wanted to speed up. The program was basically a loop consisting of a a small sequential part followed by a map of a CPU intensive pure function over a list of 1500 elements.

Obviously I needed some sort of parallel map function and I had a faint recollection of a function called parMap. The wonderful Hoogle search engine pointed me to the parMap documentation.

Changing the existing sequential map operation into a parallel map required a 3 line change (one of them to import the required module). I then added "-threaded" to the compile command line to enable the threaded runtime system in the generated executable and "+RTS -N6" to the executable's command line. The resulting program went from using 100% of 1 CPU to using 560% of 1 CPU on an 8 CPU box. Win!

I wish all code was this easy to parallelize.

Over the last couple of days I wrote a small Haskell program to read a large CSV file (75Meg, approx. 1000 columns and 50000 rows) and calculate some statistics. Since I would have to do this for much larger files as well, I decided to use the csv-conduit library to read the data and use a function passed to Data.Conduit's sinkState to calculate the statistics.

The code was pretty easy to put together, and only came to about 100 lines of code. Unfortunately, when I ran the program, it tried to consume all 8Gig of memory on my laptop and when I actually let it run to completion, it took over an hour to produce useful output.

A bit of quick profiling showed that the problem was with the state used to hold the statistics. The state itself wasn't huge, but Haskell's lazy evaluation meant there were a huge number of thunks (pending calculations) piling up.

Aside : Haskell does lazy (more correctly called non-strict) evaluation by default. This means that values are calculated when they are needed rather than when the program hits that point in the code. For instance if a value is generated by calling a pure function, the GHC runtime will forgo actually calling the function and replace the value with a thunk containing the function and it's input parameters. Later, when the value is actually needed, the runtime will call the function stored in the thunk.

My first attempt to fix this problem was to add some strictness annotations to my data types, but that didn't seem to help. I then looked at the deepseq package and tried adding the $!! operator in a few places. This resulted in a compile error complaining about my data structures not having an NFData instance. A bit of googling for "custom NFData instance" showed up the deepseq-th package which uses Template Haskell to generate NFData instances.

Aside : For a value to be an instance of the NFData typeclass means that it can be fully evaluated, ie a thunk to calculate a value of this type can be forced by deepseq to replace the thunk with the value.

About 10 minutes later I had my code working again, but now it processed the same file in a little over 2 minutes and used less than 0.1% of the 8Gig it was using previously.

I was happy with this. So happy that I decided to thank the author of deepseq-th, Herbert Valerio Riedel (hvr) on the #haskell IRC channel. Herbert was pleased to hear of my success, but suggested that instead of deepseq-th I try using deepseq-generics. Someone else on the channel suggested that this might be slower, but Herbert said that he had not found that to be the case. Switching from one to the other was trivially easy and pleasingly enough the generics version ran just as fast.

That's when José Pedro Magalhães (dreixel in #haskell) said that he had a draft paper "Optimisation of Generic Programs through Inlining" explaining how and why this generic implementation is just as fast as the Template Haskell version. Basically it boils down to the compiler having all the information it needs at compile time to inline and specialize the code to be just as fast as hand written code.

Reflections:

1. Streaming I/O libraries like Data.Conduit (there's more than one) do give guarantees about space usage so that when you get a space leak the I/O is probably not the first place to look.
2. For small programs its relatively easy to reason about where the space leak is happening.
3. For a relatively experienced Haskeller, following the bread crumbs to a working solution is relatively easy.
4. Code that uses a struct to accumulate state is a common contributor to space leaks.
5. Interacting with the Haskell community can often get a better result than the first thing you find (eg deepseq-generics instead of deepseq-th).
6. Generics can be just as fast as Template Haskell generated code.

We are delighted to announce the new Goanna 2.7 release across all product lines!

There are some major improvements and a bunch of new features in the new release.
Most noteworthy, we completely redesigned the  way we handle different compilers
and environments in Goanna Studio for Eclipse. It is now straightforward to support
different embedded compilers and cross-compilation settings.

In this release we also provide some early support for Visual Studio 11. As one
of the leaders in Visual Studio support we provide a beta for public download and
exploration.

As usual there has been a lot of improvements to the underlying analysis engine often times
significantly reducing the overall runtime. There are improved checks and reduced false positives
as well as a re-worked interprocedural analysis that finds more issues in a single run.

Goanna Studio Eclipse & Visual Studio

• The IDE versions now come with preconfigured setting for different needs:  ”Quick Check”
  and “Deep Check” . The “Quick Check” performs most checks that  can be run quickly to allow fast results. The “Deep Check” option does thorough analysis and includes all possible checks. These are simple alternatives to the default/customised configuration.
• There is a free beta version of a new “Suppression Manager” included to view sort, filter, and manage the warnings from a project.
• Goanna has early support for Visual Studio 11 (beta).

All Versions

• Goanna has changed from a custom configuration file format to use JSON. By moving to the new format it is much easier to support different compilers and environments.
• There is a new user guide as well as a separate reference guide with more introductions, check examples and explanations.

• The Goanna interprocedural analysis has been improved to give stable results between runs.
• Reduced false positive reporting for many cases including the RED-unusued-var-all  check.
• Better handling of random numbers (from the “rand()” function).
• Support for the “-isystem” argument by default.
• Improved  overall Goanna performance including avoiding some pathological examples.
• Greater support of the C++11 standard and future options to support other languages.

I have released version 1.19-rc5 of Perdition. The key changes are:

• ldap: fix segmentation fault in dbserver_get2()
• Manage-sieve: Fix handling of plain login which would segmentation fault in some cases
• Manage-sieve: Fix handling of long authentication hashes
• Enhance --bind_address option parsing to handle IPv6 addresses
• Fix 8/4byte integer type miss-matches which may lead to undefined behaviour

The code and related libraries are available as tarballs here. More information is available in the announcement email. More information about perdition here.

Red Lizards Software is preparing for the future! As one of the pioneers for supporting Visual Studio 2010, we are once again leading innovation and we are happy to announce our preparation for a sim-ship release with the upcoming Visual Studio 11.

As recently announced, Visual Studio 11 beta is now available for download. The new IDE comes with a simplified design and a much streamlined user experience. At this point in time MSDN subscribers can download and trial the beta release: 

Goanna Studio, previously already available for Visual Studio 2005,  Visual Studio 2008, and Visual Studio 2010, will be available in time for the upcoming Visual Studio 11 to seamlessly support our innovative and trend defining users. A big thanks also goes to our development team for working with the guys at Microsoft to make Goanna Studio even better in the upcoming release. As a sneak peak we give you a first screenshot below, but if you want to try Goanna Studio for Visual Studio yourself, send us an email at vs11@redlizards.com.

Goanna Studio in Visual Studio 11 beta

About

Red Lizard Software is the leading provider of code confidence tools for C/C++ developers, bringing advanced static analysis closer to the developer by providing solutions for flexible build integration on the server and deep IDE embedding on the desktop across platforms.

Goanna is a fast, scalable, and precise software solution that detects software bugs and security vulnerabilities automatically during the development process, helping to keep product launch timetables on track and to reduce life cycle costs.

I'm currently working on converting my http-proxy library from using the Data.Enumerator package to Data.Conduit (explanation of why in my last blog post).

During this conversion, I have been studying the sources of the Warp web server because my http-proxy was originally derived from the Enumerator version of Warp. While digging through the Warp code I found the following code (and comment) which is used to parse the number provided in the Content-Length field of a HTTP header:

  -- Note: This function produces garbage on invalid input. But serving an
  -- invalid content-length is a bad idea, mkay?
  readInt :: S.ByteString -> Integer
  readInt = S.foldl' (\x w -> x * 10 + fromIntegral w - 48) 0

The comment clearly states that that this function can produce garbage, specifically if the string contains anything other than ASCII digits. The comment is also correct that an invalid Content-Length is a bad idea. However, on seeing the above code, and remembering something I had seen recently in the standard library, I naively sent the Yesod project a patch replacing the above code with a version that uses the readDec function from the Numeric module:

  import Data.ByteString (ByteString)
  import qualified Data.ByteString.Char8 as B
  import qualified Numeric as N

  readInt :: ByteString -> Integer
  readInt s =
      case N.readDec (B.unpack s) of
          [] -> 0
          (x, _):_ -> x

About 3-4 hours after I submitted the patch I got an email from Michael Snoyman saying that parsing the Content-Length field is a hot spot for the performance of Warp and that I should benchmark it against the code I'm replacing to make sure there is no unacceptable performance penalty.

That's when I decided it was time to check out Bryan O'Sullivan's Criterion bench-marking library. A quick read of the docs and bit of messing around and I was able to prove to myself that using readDec was indeed much slower than the code I wanted to replace.

The initial disappointment of finding that a more correct implementation was significantly slower than the less correct version quickly turned to joy as I experimented with a couple of other implementations and eventually settled on this:

  import Data.ByteString (ByteString)
  import qualified Data.ByteString.Char8 as B
  import qualified Data.Char as C

  readIntTC :: Integral a => ByteString -> a
  readIntTC bs = fromIntegral
          $ B.foldl' (\i c -> i * 10 + C.digitToInt c) 0
          $ B.takeWhile C.isDigit bs

By using the Integral type class, this function converts the given ByteString to any integer type (ie any type belonging to the Integral type class). When used, this function will be specialized by the Haskell compiler at the call site to to produce code to read string values into Ints, Int64s or anything else that is a member of the Integral type class.

For a final sanity check I decided to use QuickCheck to make sure that the various versions of the generic function were correct for values of the type they returned. To do that I wrote a very simple QuickCheck property as follows:

  prop_read_show_idempotent :: Integral a => (ByteString -> a) -> a -> Bool
  prop_read_show_idempotent freader x =
      let posx = abs x
      in posx == freader (B.pack $ show posx)

This QuickCheck property takes the function under test freader and QuickCheck will then provide it values of the correct type. Since the function under test is designed to read Content-Length values which are always positive, we only test using the absolute value of the value randomly generated by QuickCheck.

The complete test program can be found on Github in this Gist and can be compiled and run as:

  ghc -Wall -O3 --make readInt.hs -o readInt && ./readInt

When run, the output of the program looks like this:

  Quickcheck tests.
  +++ OK, passed 100 tests.
  +++ OK, passed 100 tests.
  +++ OK, passed 100 tests.
  Criterion tests.
  warming up
  estimating clock resolution...
  mean is 3.109095 us (320001 iterations)
  found 27331 outliers among 319999 samples (8.5%)
    4477 (1.4%) low severe
    22854 (7.1%) high severe
  estimating cost of a clock call...
  mean is 719.4627 ns (22 iterations)

  benchmarking readIntOrig
  mean: 4.653041 us, lb 4.645949 us, ub 4.663823 us, ci 0.950
  std dev: 43.94805 ns, lb 31.52653 ns, ub 73.82125 ns, ci 0.950

  benchmarking readDec
  mean: 13.12692 us, lb 13.10881 us, ub 13.14411 us, ci 0.950
  std dev: 90.63362 ns, lb 77.52619 ns, ub 112.4304 ns, ci 0.950

  benchmarking readRaw
  mean: 591.8697 ns, lb 590.9466 ns, ub 594.1634 ns, ci 0.950
  std dev: 6.995869 ns, lb 3.557109 ns, ub 14.54708 ns, ci 0.950

  benchmarking readInt
  mean: 388.3835 ns, lb 387.9500 ns, ub 388.8342 ns, ci 0.950
  std dev: 2.261711 ns, lb 2.003214 ns, ub 2.585137 ns, ci 0.950

  benchmarking readInt64
  mean: 389.4380 ns, lb 388.9864 ns, ub 389.9312 ns, ci 0.950
  std dev: 2.399116 ns, lb 2.090363 ns, ub 2.865227 ns, ci 0.950

  benchmarking readInteger
  mean: 389.3450 ns, lb 388.8463 ns, ub 389.8626 ns, ci 0.950
  std dev: 2.599062 ns, lb 2.302428 ns, ub 2.963600 ns, ci 0.950

At the top of the output is proof that all three specializations of the generic function readIntTC satisfy the QuickCheck property. From the Criterion output its pretty obvious that the Numeric.readDec version is about 3 times slower that the original function. More importantly, all three version of this generic function are an order of magnitude faster than the original.

That's a win! I will be submitting my new function for inclusion in Warp.

Update : 14:13

At around the same time I submitted my latest version for readInt Vincent Hanquez posted a comment on the Github issue suggesting I look at the GHC MagicHash extension and pointed me to an example.

Sure enough, using the MagicHash technique resulted in something significantly faster again.

Update #2 : 2012-01-29 19:46

In version 0.3.0 and later of the bytestring-lexing package there is a function readDecimal that is even faster than the MagiHash version.

Below is a simple telnet client written using Haskell's new Conduit library. This library was written by Michael Snoyman the man behind the Yesod Web Framework for Haskell.

The Conduit library is a second generation approach to the problem of guaranteeing bounded memory usage in the presence of lazy evaluation. The first generation of these ideas were libraries like Iteratee, Enumerator, and IterIO. All of these first generation libraries use the the term enumerator for data producers and iteratee for data consumers. The new Conduit library calls data producers "sources" and data consumers "sinks" to make them a little more approachable.

The other big difference between Conduit and the early libraries in this space is to do with guaranteeing early clean up of potentially scarce resources like sockets. Although I have not looked in any detail at the IterIO library, both Iteratee and Enumerator simply rely on Haskell's garbage collector to clean up resources when they are no longer required. The Conduit library on the other hand uses Resource transformers to guarantee release of these resources as soon as possible.

The client looks like this (latest available here):

  import Control.Concurrent (forkIO, killThread)
  import Control.Monad.IO.Class (MonadIO, liftIO)
  import Control.Monad.Trans.Resource
  import Data.Conduit
  import Data.Conduit.Binary
  import Network (connectTo, PortID (..))
  import System.Environment (getArgs, getProgName)
  import System.IO


  main :: IO ()
  main = do
      args <- getArgs
      case args of
          [host, port] -> telnet host (read port :: Int)
          _ -> usageExit
    where
      usageExit = do
          name <- getProgName
          putStrLn $ "Usage : " ++ name ++ " host port"


  telnet :: String -> Int -> IO ()
  telnet host port = runResourceT $ do
      (releaseSock, hsock) <- with (connectTo host $ PortNumber $ fromIntegral port) hClose
      liftIO $ mapM_ (`hSetBuffering` LineBuffering) [ stdin, stdout, hsock ]
      (releaseThread, _) <- with (
                            forkIO $ runResourceT $ sourceHandle stdin $$ sinkHandle hsock
                            ) killThread
      sourceHandle hsock $$ sinkHandle stdout
      release releaseThread
      release releaseSock

There are basically three blocks, a bunch of imports at the top, the program's entry point main and the telnet function.

The telnet function is pretty simple. Most of the function runs inside a runResourceT resource transformer. The purpose of these resources transformers is to keep track of resources such as sockets, file handles, thread ids etc and make sure they get released in a timely manner. For example, in the telnet function, the connectTo function call opens a connection to the specified host and port number and returns a socket. By wrapping the connectTo in the call to with then the socket is registered with the resource transformer. The with function has the following prototype:

  with :: Resource m
       => Base m a             -- Base monad for the current monad stack
       -> (a -> Base m ())     -- Resource de-allocation function
       -> ResourceT m (ReleaseKey, a)

When the resource is registered, the user must also supply a function that will destroy and release the resource. The with function returns a ReleaseKey for the resource and the resource itself. Formulating the with function this way makes it hard to misuse.

The other thing of interest is that because a telnet client needs to send data in both directions, the server-to-client communication path and the client-to-server communication run in separate GHC runtime threads. The thread is spawned using forkIO and even though the thread identifier is thrown away, the resource transformer still records it and will later call killThread to clean up the thread.

The main core of the program are the two lines containing calls to sourceHandle and sinkHandle. The first of these lines pulls data from stdin and pushes it to the socket hsock while the second pulls from the socket and pushes it to stdout.

It should be noted that the final two calls to release are not strictly necessary since the resource transformer will clean up these resources automatically.

The experience of writing this telnet client suggests that the Conduit library is certainly easier to use than the Enumerator or Iteratee libraries.

Goanna 2.6 is now available from the download page. In this release we have focused on the usability of our Goanna Studio for Eclipse offering which at the same time increases stability and flexibility in the face of the many different configurations that are possible within the Eclipse CDT environment. Here is a summary of what has changed in this release:

- All versions

• Bounds checking for arrays of arbitrary dimension
• Bounds checking for arrays within classes, structs and unions
• Arrays of unspecified size are no longer considered to have size 0
• Constant global variables are now modelled with a value that does not change
• The constant “-1U” and others will now be modelled with an appropriately large value instead of -1
• Check FPT-misuse no longer warns about function pointers that are the result of the ternary operator (?:)
• Check ITR-uninit now works correctly for iterators that are initialized using operator=
• Check RED-unused-param no longer warns for parameters that have the GNU attribute (unused)
• Checks RED-cond-const-assign and EXP-cond-assign no longer consider “+=” and similar operators to be constant assignments
• Non-system #include files are now included in the analysis of a file that includes them.

- Goanna Studio for Visual Studio

• preprocessor macros within parentheses are expanded
• macros in comments are not expanded

- Goanna Central

• Cygwin support for windows, use –compiler-sort=cygwin to create a cygwin configuration
• Other compiler sort added, use –compiler-sort=other for an empty configuration
• Remove the dependencies on the hard to manage predefined_macro.txt files
• Predefined macros are now stored in the Goanna resource files, which are generated during configuration

- Goanna Studio for Eclipse

• Completely re-organised configuration
  • Per project configuration
  • File based (under a goanna directory in the project file system)
  • User editable, or use the Goanna Project Properties dialogs. (two way synchronisation)
• Menu item “Run Goanna on Selected File(s)” now appears when right-clicking on folders, and will analyse all files found in the selected folder.
• Cygwin toolchain support on windows

On the same day that the computing world lost Steve Jobs, the company I work for lost its own star, founder and CEO of bCODE, Michael Mak.

I remember meeting Michael in late 2005 when I first came to interview for a job with bCODE. Michael impressed me immediately with his keen intelligence and his easy going personality. As I worked with him over the years, my respect grew. I came to trust him and the rest of the management team far more than I had ever trusted any other employer. I always felt that Michael saw the employees as an important part of the company and he wouldn't do anything to further the company at the expense of the employees. This was even true when he had to retrench a third of the workforce after the global financial crisis of 2008. I saw first hand how much distress this caused him and our COO.

When Michael moved the business side of the enterprise to the US, he would still make regular trips back to visit the Sydney office. During these visits three or four of us would go out to lunch and he would regale us with tales of people he met and deals that he was working on. These were exciting times and Michael was a great motivator.

The things I will remember about Michael was his enthusiasm, his integrity, his leadership and just being a great all round guy.

My condolences to his family and his girlfriend Emily. No one will miss Michael as much as them.

Michael was 37 years old.

Video @ vimeo

The Brisbane FP Group (BFPG) kindly invited me to give a talk about our work on data parallel programming in Haskell. The talk motivates the use of functional programming for parallel, and in particular, data parallel programming and explains the difference between regular and irregular (or nested) data parallelism. It also discusses the Repa library (regular data parallelism for multicore CPUs), the embedded language Accelerate (regular data parallelism for GPUs), and Data Parallel Haskell (nested data parallelism for multicore CPUs).  The slides of the presentation are available in two formats: HTML5 slideshow and PDF. Thank you to everybody who attended. Special thanks go to OJ Reeves and Tony Morris for organising everything, to Rob Manthey for producing the video, to Mincom for the venue, and to Functional IO for the sponsorship.

Posted via email from Just Testing | Comment »

Goanna 2.5 is now available from the download page. Here’s a summary of what’s changed in this release.

- All versions

• stored filenames are now specified as relative paths, allowing the Goanna database to be used in multiple locations
• better support for Unicode source code
• the ARR-inv-index check now allows for unbounded subscripts

– Goanna Central

• license server options can be specified on the command line
• the language choice, C or C++, can be given on the command line

– Visual Studio

• clicking on a warning in a project summary navigates to the relevant code
• better support for Win64 targets
• partial compatibility with Intel Parallel Studio (on VS2005 and VS2008, Goanna does not work with projects converted to use the Intel C++ compiler)

As usual, feedback is welcome.

Do you want to know more about software security? Learn about cyber defense? Meet some of the team behind the Goanna technology from NCITA at DSR 2011 in Singapore, August 3-5. We will be giving an overview of at the Symposium on Cyber Terrorism titled “Cyber Security at Software Development Time” and highlighting some of our experiences from the NIST/SAMATE program.

Recently, MITRE introduced the Common Weakness Scoring System (CWSS) for classifying and ranking common vulnerabilities. This systems has around 18 dimensions comprising technical severity, business impact, authentication/security barriers and overall probability mentioning just a few. While this is certainly a detailed scoring system it raises the common question: “Which of the detected issues should I fix first?”.

This is not an easy question to answer for any (automated) tool. While certain classes of bugs such as buffer overflows are likely more severe than, let’s say, unused function parameters it is not guaranteed that they have a larger impact. Sometimes a buffer overflow might only happen in a very unlikely scenario in some abandoned part of the code base, while the unused function parameter stems from a copy&paste mistake within the function leading to an always wrong and potentially dangerous result.  Similarly, it is difficult for any tool to tell, which parts of the code base are more important than others.

Having said that, we developed Goanna Studio and Goanna Central with openness in mind. This means all our detected issues can be easily exported and post-processed by the end user (you can even query our internal SQLite database if you really want to), filtered according to their needs and  ranked according to your system. Moreover, we provide a mapping of all issues to the common CWE criteria and we give you the following classification:

Goanna's Impact Guidance

This 2-dimensional  classification is used for all issues detected by Goanna (see user manuals):

Severity: How serious is this issue typically?
Certainty: How confident are we that this will likely happen?

Both dimensions are based on our experience from having analyzed literally hundreds of millions of lines of code. Severity is ranked similarly to the above example, where a buffer overflow is deemed to be serious. Certainty on the other hand addresses a number of sub-dimensions: How likely is this from our experience to happen in real-life? How certain is Goanna, i.e., does the analysis conclude the issue will appear on every program part or just on a few? How sensitive is the issue to input data etc.? The combined dimensions should give you a good idea where to spend your time first. And while we are looking into integrating a CWSS ranking, we believe that less is sometimes more.

In the latest round of development we aimed for the most rock solid and sane implementation of C/C++ static analysis that we could. We did this by working on three fronts: consistency, speed and features.

As usual, all current users get the upgrade for free. If you were a trial user in the past and need a trial extension visit: http://redlizards.com/trial-extension.

Whats new in 2.4?

General improvements:

• We revamped the integer arithmetic interval analysis engine with a new algorithm which affords us increased speed and precision. So much speed that we have also added the ability to track pointer arithmetic as mentioned in the previous blog post.
• Our interval analysis engine can handle new operations: Casts, Logical operators and shift operators.
• We have enabled floating licenses in our Studio and Central products; please contact us if you are interested.

Goanna Central improvements:

• The argument –parse-error=0 is now a default, this will cause Goanna to exit with an exit code of 0 when a parse error is encountered. We have also revamped the way parse errors are handled.
• The interprocedural analysis in the Goanna Central command line is now even simpler to use and manage by conveniently specifying a user-defined folder with the argument –ipa=<project name>.  All new database files are then stored in ~/.goanna_project_store/<project name>.

Goanna Studio improvements:

• In Eclipse there is now an option to not run the tool chain compiler during analysis.
• In Eclipse there is a new menu item to jump to the currently selected projects Goanna Studio Properties page.

Renamed checks for consistency:

• ATH-div-0-aft-assign -> ATH-div-0-assign
• ATH-div-0-aft-cmp -> ATH-div-0-cmp-aft
• ATH-div-0-bef-cmp -> ATH-div-0-cmp-bef
• ATH-div-0-param-unchk -> ATH-div-0-unchk-param
• PTR-param-unchk -> PTR-unchk-param
• PTR-param-unchk-some -> PTR-unchk-param-some
• RED-const-assign-cond -> RED-cond-const-assign
• RED-const-expr-cond -> RED-cond-const-expr
• SPC-ret-stack -> MEM-stack
• builtin_ctor_dtor_leak -> COP-ctor-dtor-leak

New checks:

• ARR-inv-index-ptr – A pointer is assigned to an array, static or dynamic, and it is accessed with an index that is out of the array’s bounds.
• ARR-inv-index-ptr-pos – A pointer is assigned to an array, static or dynamic, and it is accessed with an index that may be out of the array’s bounds.
• ATH-overflow-cast – An expression is cast to a different type, resulting in an overflow or underflow of its value.
• ATH-shift-neg – The left-hand side of a right shift operation may be a negative value.
• COP-dtor-throw – An exception is thrown, or may be thrown, in a class’ destructor.
• CPU-delete-throw – An exception is thrown, or may be thrown, in an overloaded delete or delete[] operator.
• FPT-arith-address – Performing pointer arithmetic on the address of a function.
• FPT-literal – Dereferencing a function pointer that refers to a literal address.
• FPT-misuse – A function pointer is used in an invalid context.
• ITR-end-cmp-aft – An iterator is used, then compared with end().
• ITR-invalidated – An iterator is assigned to point into a container, but subsequent modifications to that container have possibly invalidated the iterator. The iterator is then used or dereferenced, which may be undefined behavior.
• ITR-mismatch-alg – A pair of iterators passed to an STL algorithm function point to different containers.
• ITR-store – A container’s begin() or end() iterator is stored and subsequently used.
• MEM-malloc-diff-type – A call to malloc tries to allocate memory based on a sizeof operator, but the target type of the call is of a different type.
• MEM-stack-ref – A stack object is returned from a function as a reference.
• PTR-arith-field – Direct access to a field of a struct using an offset from the address of the struct.
• PTR-arith-var – Invalid pointer arithmetic with an automatic variable that is neither an array nor a pointer.
• RED-cond-var-always – The value of the variable used as a condition will always evaluate to non-zero or true. This means the condition will always be met.
• RED-cond-var-never – The value of the variable used as a condition will always evaluate to zero or false. This means the condition will never be met.

slides

Over the last few months we’ve been hard at work expanding our interval analysis and writing new checks for array bounds checking. I am happy to announce that we can now detect out-of-bounds array accesses for pointers to arrays, both automatic and dynamic. We also now fully handle pointers that offset arrays, allowing us to track their values and detect some extremely hard-to-find bugs.

For example:

int arr[15];

int example(int random){
  int *p = arr;
  p += 3;

  int offset = (random > 10 ? random : 10);
  return p[offset + 4];    //'p' points to 4th element, and index will be at least 14.
}

In this code sample, the pointer ‘p’ is used to alias the global, automatic array of ints, ‘arr’. This pointer is then increased by 3, making it point to the 4th element of the array.  An int, ‘offset’ , is set to be some unknown value, but we know it is at least 10. Finally, the pointer is accessed with index (offset + 4). Since the pointer already refers to the 4th element, and we are trying to access an at least 14 elements further along, Goanna will give the following warning:

8: warning: Goanna[ARR-inv-index-ptr] Array pointer `arr' is accessed with index [17,INF]
which is out of array bounds [0,14]

Similarly, we can perform the same analysis on dynamic arrays allocated with new or malloc. We also handle different syntactic forms of array access. The following example illustrates this, as well as our ability to warn for possible, as opposed to definite index violations, from a range of possible index values that may be out of bounds:

#include <malloc.h>
#include <assert.h>

int example2(int random){
  int *p = malloc(5 * sizeof(int));  //p is an array of size
  int offset = (random ? 7 : 3);
  return *(p + offset);    //'offset' will be either 7 or 3.
}

Here, ‘p’ points to a dynamic array of ints, with 5 elements. The ‘offset’ is set to be either 7 or 3. Accessing the index of value ‘offset’, by explicitly dereferencing the pointer, we know that the index may be within the bounds of the array, but it may be too large. Goanna will issue the following warning:

7: warning: Goanna[ARR-inv-index-ptr-pos] Array pointer `p' is accessed with index [3,7]
which may be out of array bounds [0,4]

Both these checks, along with some others we’ve been working on, will appear in the upcoming 2.4 release.

slides, etc...

Some of our users may have experienced a bug when using Goanna Studio for Eclipse or Goanna Central 2.3 on linux 64-bit systems. This error looked something like this:

internal error: assertion failed: conv_host_fp_to_double:
error on conversion of DBL_MAX: Numerical result out of range:
((double)1.7...e+308L) (float_pt.c, line 524)

This bug was caused by us upgrading our release build infrastructure that defined DBL_MAX to a value that contained a cast, and our parser was not able to deal with this. We are releasing a patch that will correct this issue. Please download version 2.3.1 if you are using goanna on a 64-bit linux system. Windows and 32-bit linux systems are not affected.

For the past several months we have received a lot of great feedback and support requests which have helped us dramatically improve the stability of our products Goanna Studio and Central. And yesterday we pushed a new version to our website which bear the fruits of our labor. At the same time we are releasing a bunch of new features that we hope will help people understand what Goanna is doing and make people more effective at using Goanna.

As usual, all current users get the upgrade for free. If you were a trial user in the past and need a trial extension visit: http://redlizards.com/trial-extension

What is new in 2.3?

New Checks:

• ATH-div-0-param-unchk: Dividing by a parameter value without first checking that it is not zero
• MEM-stack-global-field: storing the address of a field of a local struct in a global variable
• ITR-uninit: using (dereferencing or incrementing) an iterator that hasn’t been initialized
• ITR-end-cmp-bef: using an iterator after it has been compared with end(). This can occur when using an iterator after it is used in a loop.

New Goanna Studio features:

• access check descriptions and examples through the IDE
• added ability to manage warnings by suppressing/unsuppressing
• added ability to pass specific options to the Goanna command line that is used during analysis.

Goanna Studio for Eclipse:

• New ability to right-click on a file/project and run the Goanna analysis over just that item
• Project specific settings have been moved to the Properties of the project (out of the Goanna Preferences)
• Right-click menu now includes a link to the Goanna summary page for projects
• If you close the Goanna Warning view it can be reopened from the Goanna menu
• Improved stability of the Goanna warnings pane (with regards to close/open of Eclipse)

Goanna Studio for Visual Studio:

• redesign of menu structure, Goanna is now a top-level menu
• auto updating: no more uninstall-install updating.
  Note: you cannot do this from version 2.2 -> 2.3. It will work from now on.

General:

• Improved handling of floating point numbers in the data tracking analysis
• Warning suppression captured in the database structure
• Several bug fixes including handling of very large ASTs.

I recently ran into some “interesting” behaviour when using lambda in Python. Perhaps it’s only interesting because I learnt lambdas from a functional language background, where I expect that they work a particular way, and the rest of the world that learnt lambdas through Python, Ruby or JavaScript disagree. (Shouts out to you Objective-C developers who are discovering the wonders of blocks, too.) Nevertheless, I thought this would be blog-worthy. Here’s some Python code that shows the behaviour that I found on Stack Overflow:

Since I succumb to reading source code in blog posts by interpreting them as “blah”¹, a high-level overview of what that code does is:

1. iterate over a list of strings,
2. create a new list of functions that prints out the strings, and then
3. call those functions, which prints the strings.

Simple, eh? Prints “do”, then “re”, then “mi”, eh? Wrong. It prints out “mi”, then “mi”, then “mi”. Ka-what?

(I’d like to stress that this isn’t a theoretical example. I hit this problem in production code, and boy, it was lots of fun to debug. I hit the solution right away thanks to the wonders of Google and Stack Overflow, but it took me a long time to figure out that something was going wrong at that particular point in the code, and not somewhere else in my logic.)

The second answer to the Stack Overflow question is the clearest exposition of the problem, with a rather clever solution too. I won’t repeat it here since you all know how to follow links. However, while that answer explains the problem, there’s a deeper issue. The inconceivable Manuel Chakravarty provides a far more insightful answer when I emailed him to express my surprise at Python’s lambda semantics:

This is a very awkward semantics for lambdas. It is also probably almost impossible to have a reasonable semantics for lambdas in a language, such as Python.

The behaviour that the person on SO, and I guess you, found surprising is that the contents of the free variables of the lambdas body could change between the point in time where the closure for the lambda was created and when that closure was finally executed. The obvious solution is to put a copy of the value of the variable (instead of a pointer to the original variable) into the closure.

But how about a lambda where a free variable refers to a 100MB object graph? Do you want that to be deep copied by default? If not, you can get the same problem again.

So, the real issue here is the interaction between mutable storage and closures. Sometimes you want the free variables to be copied (so you get their value at closure creation time) and sometimes you don’t want them copied (so you get their value at closure execution time or simply because the value is big and you don’t want to copy it).

And, indeed, since I love being categorised as a massive Apple fanboy, I found the same surprising behaviour with Apple’s blocks semantics in C, too:

You can see the Gist page for this sample code to see how to work around the problem in Objective-C (basically: copy the block), and also to see what it’d look like in Haskell (with the correct behaviour).

In Python, the Stack Overflow solution that I linked to has an extremely concise way of giving the programmer the option to either copy the value or simply maintain a reference to it, and the syntax is clear enough—once you understand what on Earth what the problem is, that is. I don’t understand Ruby or JavaScript well enough to comment on how they’d capture the immediate value for lambdas or whether they considered this design problem. C++0x will, unsurprisingly, give programmers full control over lambda behaviour that will no doubt confuse the hell out of people. (See the C++0x language draft, section 5.1.2 on page 91.)

In his usual incredibly didactic manner, Manuel then went on to explain something else insightful:

I believe there is a deeper issue here. Copying features of FP languages is the hip thing in language design these days. That’s fine, but many of the high-powered FP language features derive their convenience from being unspecific, or at least unconventional, about the execution time of a piece of code. Lambdas delay code execution, laziness provides demand-dependent code execution plus memoisation, continuations capture closures including their environment (ie, the stack), etc. Another instance of that problem was highlighted by Joe Duffy in his STM retrospective.

I would say, mutability and flexible control flow are fundamentally at odds in language design.

Indeed, I’ve been doing some language exploration again lately as the lack of static typing in Python is really beginning to bug me, and almost all the modern languages that attempt to pull functional programming concepts into object-oriented land seem like a complete Frankenstein, partially due to mutability. Language designers, please, this is 2011: multicore computing is the norm now, whether we like it or not. If you’re going to make an imperative language—and that includes all your OO languages—I’ll paraphrase Tim Sweeney: in a concurrent world, mutable is the wrong default! I’d love a C++ or Objective-C where all variables are const by default.

One take-away point from all this is to try to keep your language semantics simple. I love Dan Ingall’s quote from Design Principles Behind Smalltalk: “if a system is to serve the creative spirit, it must be entirely comprehensible to a single individual”. I love Objective-C partially because its message-passing semantics are straightforward, and its runtime has a amazingly compact API and implementation considering how powerful it is. I’ve been using Python for a while now, and I still don’t really know the truly nitty-gritty details about subtle object behaviours (e.g. class variables, multiple inheritance). And I mostly agree with Guido’s assertion that Python should not have included lambda nor reduce, given what Python’s goals are. After discovering this quirk about them, I’m still using the lambda in production code because the code savings does justify the complexity, but you bet your ass there’s a big comment there saying “warning, pretentous code trickery be here!”

1. See point 13 of Knuth et al.’s Mathematical Writing report.

UPDATE: There’s a lot more subtlety at play here than I first realised, and a couple of statements I’ve made above are incorrect. Please see the comments if you want to really figure out what’s going on: I’d summarise the issues, but the interaction between various language semantics are extremely subtle and I fear I’d simply get it wrong again. Thank you to all the commenters for both correcting me and adding a lot of value to this post. (I like this Internet thing! Other people do my work for me!)

Update #2

I’ve been overwhelmed by the comments, in both the workload sense and in the pleasantly-surprised-that-this-provoked-some-discussion sense. Boy, did I get skooled in a couple of areas. I’ve had a couple of requests to try to summarise the issues here, so I’ll do my best to do so.

Retrospective: Python

It’s clear that my misunderstanding of Python’s scoping/namespace rules is the underlying cause of the problem: in Python, variables declared in for/while/if statements will be declared in the compound block’s existing scope, and not create a new scope. So in my example above, using a lambda inside the for loop creates a closure that references the variable m, but m’s value has changed by the end of the for loop to “mi”, which is why it prints “mi, mi, mi”. I’d prefer to link to the official Python documentation about this here rather than writing my own words that may be incorrect, but I can’t actually find anything in the official documentation that authoritatively defines this. I can find a lot of blog posts warning about it—just Google for “Python for while if scoping” to see a few—and I’ve perused the entire chapter on Python’s compound statements, but I just can’t find it. Please let me know in the comments if you do find a link, in which case I’ll retract half this paragraph and stand corrected, and also a little shorter.

I stand by my assertion that Python’s for/while/if scoping is slightly surprising, and for some particular scenarios—like this—it can cause some problems that are very difficult to debug. You may call me a dumbass for bringing assumptions about one language to another, and I will accept my dumbassery award. I will happily admit that this semantics has advantages, such as being able to access the last value assigned in a for loop, or not requiring definitions of variables before executing an if statement that assigns to those variables and using it later in the same scope. All language design decisions have advantages and disadvantages, and I respect Python’s choice here. However, I’ve been using Python for a few years, consider myself to be at least a somewhat competent programmer, and only just found out about this behaviour. I’m surprised 90% of my code actually works as intended given these semantics. In my defence, this behaviour was not mentioned at all in the excellent Python tutorials, and, as mentioned above, I can’t a reference for it in the official Python documentation. I’d expect that this behaviour is enough of a difference vs other languages to at least be mentioned. You may disagree with me and regard this as a minor issue that only shows up when you do crazy foo like use lambda inside a for loop, in which case I’ll shrug my shoulders and go drink another beer.

I’d be interested to see if anyone can come up an equivalent for the “Closures and lexical closures” example at http://c2.com/cgi/wiki?ScopeAndClosures, given another Python scoping rule that assignment to a variable automatically makes it a local variable. (Thus, the necessity for Python’s global keyword.) I’m guessing that you can create the createAdder closure example there with Python’s lambdas, but my brain is pretty bugged out today so I can’t find an equivalent for it right now. You can simply write a callable class to do that and instantiate an object, of course, which I do think is about 1000x clearer. There’s no point using closures when the culture understands objects a ton better, and the resulting code is more maintainable.

Python summary: understand how scoping in for/while/if blocks work, otherwise you’ll run into problems that can cost you hours, and get skooled publicly on the Internet for all your comrades to laugh at. Even with all the language design decisions that I consider weird, I still respect and like Python, and I feel that Guido’s answer to the stuff I was attempting would be “don’t do that”. Writing a callable class in Python is far less tricky than using closures, because a billion times more people understand their semantics. It’s always a design question of whether the extra trickiness is more maintainable or not.

Retrospective: Blocks in C

My C code with blocks failed for a completely different reason unrelated to the Python version, and this was a total beginner’s error with blocks, for which I’m slightly embarrassed. The block was being stack-allocated, so upon exit of the for loop that assigns the function list, the pointers to the blocks are effectively invalid. I was a little unlucky that the program didn’t crash. The correct solution is to perform a Block_copy, in which case things work as expected.

Retrospective: Closures

Not all closures are the same; or, rather, closures are closures, but their semantics can differ from language to language due to many different language design decisions—such as how one chooses to define the lexical environment. Wikipedia’s article on closures has an excellent section on differences in closure semantics.

Retrospective: Mutability

I stand by all my assertions about mutability. This is where the Haskell tribe will nod their collective heads, and all the anti-Haskell tribes think I’m an idiot. Look, I use a lot of languages, and I love and hate many things about each of them, Haskell included. I fought against Haskell for years and hated it until I finally realised that one of its massive benefits is that things bloody well work an unbelievable amount of the time once your code compiles. Don’t underestimate how much of a revelation this is, because that’s the point where the language’s beauty, elegance and crazy type system fade into the background and, for the first time, you see one gigantic pragmatic advantage of Haskell.

One of the things that Haskell does to achieve this is the severe restriction on making things immutable. Apart from the lovely checkbox reason that you can write concurrent-safe algorithms with far less fear, I truly believe that this makes for generally more maintainable code. You can read code and think once about what value a variable holds, rather than keep it in the back of your mind all the time. The human mind is better at keeping track of multiple names, rather than a single name with different states.

The interaction of state and control flow is perhaps the most complex thing to reason about in programming—think concurrency, re-entrancy, disruptive control flow such as longjmp, exceptions, co-routines—and mutability complicates that by an order of magnitude. The subtle difference in behaviour between all the languages discussed in the comments is exemplar that “well-understood” concepts such as lexical scoping, for loops and closures can produce a result that many people still don’t expect; at least for this simple example, these issues would have been avoided altogether if mutability was disallowed. Of course mutability has its place. I’m just advocating that we should restrict it where possible, and at least a smattering of other languages—and hopefully everyone who has to deal with thread-safe code—agrees with me.

Closing

I’d truly like to thank everyone who added their voice and spent the time to comment on this post. It’s been highly enlightening, humbling, and has renewed my interest in discussing programming languages again after a long time away from it. And hey, I’m blogging again. (Though perhaps after this post, you may not think that two of those things are good things.) It’s always nice when you learn something new, which I wouldn’t have if not for the excellent peer review. Science: it works, bitches!

The following command is in my shell history

				A青ポ0〜〜〜〜?
				

I think we can assume that is the work of Hikari.

I think it translates as:

A blue "po" Oooooooooh?

I recently managed to make a bit of a mess of things while doing some multi-process programming using fork(). While the box was still semi-usable I was unable to kill off the processes faster than they were being created and I ended up resorting to a reboot.

At the time I wasn't entirely sure what the problem was and not cherishing the prospect of more reboots I used taskset to constrain my shell, its child processes including test runs of my program and of course its forked children to a single CPU.

# taskset -p 01 $$

The result? A subsequent fork explosion was indeed constrained to one CPU and I was able to kill off all the processes quite easily.

My system is a single socket with four cores. I have disabled hyper-threading so there is only one thread per core. I am unsure how well this technique would work in other situations, especially in the case of multiple threads but only one socket and one core.

This will be a follow-up to a presentation I made on the same topic at the MobileFOSS Mini-Conf at Linux.conf.au 2011 in January. Material from that presentation

You don’t have to download Goanna to try out Goanna.

Once you have an account on redlizards.com, you can try out Goanna via the online demo at http://redlizards.com/products/demo.html. Just log in, paste in your code in the text box and click the “Analyze” button. The results will show up on the Web page.

We’ve limited the amount of code you can analyze in the demo to 250 lines (so you still might want to download Goanna for serious work).

I recently consolidated all my email on MobileMe (for easy access from both my Mac and iPad). However, I ran into a problem with the MobileMe IMAP server when I tried to move my old mail archives to the MobileMe IMAP server. MobileMe uses the Sun Java System Messaging Server (which has since become the Oracle Communications Messaging Exchange Server). It turns out that this IMAP server (like some others as well) is rather strict about the format of mail headers; hence, uploading old mail archives usually aborts with the following error message: "The IMAP command “APPEND” (to …) failed with server error: Message contains invalid header".

Permalink | Leave a comment  »

Over the past few weeks eastern Australia, including Brisbane, has been subjected to devastating floods. My sympathy and condolences are with anyone adversely effected by these events.

Last night a decision was made by the organisers and Linux Australia that despite the floods Linux.Conf.Au 2011 will go ahead next week in Brisbane as scheduled. I am delighted to be able to be part of the event.

In Tuesday I will be making a presentation at the MobileFOSS miniconf on using zboot to boot Linux directly from flash or, SD or MMC cards on SH-Mobile ARM.

On Wednesday at 15:45 I will be making a presentation at the main conference on Network Bandwidth Control in Virtualized Environments. This covers the use of Linux's QoS facilities to control guest bandwidth usage.

Its going to be a great conference, I'm looking forward to it.

The LLVM backend for DDC that I've been working on sporadically since June is basically done. When compiling via the LLVM backend, all but three of 100+ tests in the DDC test suite pass. The tests that pass when going via the C backend but fail via the LLVM backend are of two kinds:

1. Use DDC's foreign import construct to name a C macro to perform a type cast where the macro is defined in one of C header files.
2. Use static inline functions in the C backend to do peek and poke operations on arrays of unboxed values.

In both of these cases, DDC is using features of the C language to make code generation easier. Obviously, the LLVM backend needs to do something else to get the same effect.

Fixing the type casting problem should be relatively simple. Ben is currently working on making type casts a primitive of the Core language so that both the C and LLVM backends can easily generate code for them.

The array peek and poke problem is little more complex. I suspect that it too will require the addition of new Core language primitive operations. This is a much more complex problem than the type casting one and I've only just begun to start thinking about it.

Now that the backend is nearly done, its not unreasonable to look at its performance. The following table shows the compile and run times of a couple of tests in the DDC test suite compiling via the C and the LLVM backend.

Although there is a small increase in compile times when compiling via LLVM, the LLVM run times are significantly reduced. The conceptual complexity of the LLVM backend is also low (the line count is about 4500 lines, which will probably fall with re-factoring) and thanks to LLVM's type checking being significantly better than C's, I think its reasonable to be more confident in the quality of the LLVM backend than the existing C backend. Finally, implementing things like proper tail call optimisation will be far easier in LLVM backend than in C.

All in all, I think doing this LLVM backend has been an interesting challenge and will definitely pay off in the long run.

There comes in the career of every motion picture that final occasion when all the artistry, all the earnest constructive endeavor of all the man-power and genius of the industry, and all the capital investment, too, must pour through the narrow gate of the projector on its way to the fulfilment of its purpose, the final delivery to the public.

The delivery is a constant miracle of men and mechanism in the projection rooms of the world’s fifty thousand theatres. That narrow ribbon, thirty-five millimetres, flowing at twenty-four frames a second through the scintillating blaze of the spot at the picture aperture and coursing by at an exactingly-precise 90 feet a minute past the light slit of the sound system, demands a quality of skill and faithful, unfailing attention upon which the whole great industry depends.

The projector lens is the neck in the bottle through which all must pass. The projectionist presiding over that mechanism is responsible for the ultimate performance upon which we must all depend.

The projector must not fail, and more importantly still, the man must not fail or permit it to waiver in its performance. It is to the tremendous credit of the skill of the modern projectionist that perfect presentation of the motion picture upon the screen is today a commonplace, a perfection that is taken as a matter of course.

Adolph Zukor, Chairman of Paramount Pictures, 1935. It still applies as much today as it did back then.

New feature for Visual Studio: For any Goanna warning in the VS ErrorList, right-click and choose “Describe Check”. You’ll get an editor tab filled with a description of the check that gave rise to the warning, the same text as in the User Guide. Coming soon to Eclipse.

I am thrilled to announce that Goanna Studio 2.2 is now the most stable version of Goanna Studio ever created. Goanna Studio 2.1 was an impressive piece of software, but thanks to all the great feedback we have received, we have nailed down all the outstanding issues and we are ready to let you reap the benefits of our efforts.

The major part of our efforts has been targeted at making the Goanna Studio experience much better. This means more features and more stability. On the Visual Studio front, Goanna Studio is now capable of fully handling the range of possible inputs that you can throw at it. That means full Unicode support in everything, from how we process filenames, to project names and folders names, even down to the default file name when you export your warnings to CSV format from the Goanna Summary web page. This means, Goanna works reliably now with, e.g., Korean, Chinese and Japanese Windows. In addition we have introduced a feature we are calling Macro Visualisation. It is a way of presenting to you exactly what your source code looks like underneath all that macro mess.

On the Eclipse side we have some amazing new features. Goanna Studio can now handle various custom CDT Tool Chain tools. It’s as simple as telling Goanna which Tool’s it should be emulating, and then the Goanna analysis in your build environment is one step closer to perfection. The long-standing annoyance that appears asking you to select a CDT Project when you first try to analyse something with Goanna is now fixed. In addition, Goanna Studio for Eclipse now works in Windows-based environments with the MinGW tool chain.

Another major feature we are pleased to announce is Flexelint and PC-Lint integration into the Goanna Studio for Eclipse package. This allows you to run your version of lint and Goanna analysis at the same time, and have all the warnings presented to you in one simple interface.

The fixed false positives and changes to checks include:

• ATH-div-0 - now warns for any expression that evaluates to 0
• ATH-div-0-* - these checks now only warn when there is a definite division by 0.
• ATH-neg-* - these checks no longer give warnings about floating point operations.
• ARR-inv-index - now warns about invalid global array accesses.
• COP-assign-op-ret - no longer warns about operator==.
• COP-copy-ctor - two false positives were fixed, no longer warns when the copy constructor is intentionally unimplemented, and now handles C++ structs properly.
• COP-member-uninit - now gives one warning for each uninitialised class member and now will also analyse assignment operators.
• LIB-* - we have added a number of new checks warning about the unsafe use of library functions
• RED-no-effect now has a more precise warning message.
• RED-unused-val - no longer warns when you return a value, and now warns more correctly and almost lines up with the MISRA coding standard rule: 0-1-6.
• SPC-ret-stack - no longer gives a warning when you return static local variables.
• MEM-double-free - gives less false positives due to assuming that delete operators can throw exceptions

Other minor improvements and bug fixes are:

• better handling of gcc arguments (particularly include path specifications).
• Goanna Central now smoothly handles multiple files on the same command line.

As usual, all current users get the upgrade for free. If you were a trial user in the past and need a trial extension visit: http://redlizards.com/trial-extension

After my last post on this topic, I ran into some problems with the AST (abstract syntax tree) that was being passed to my code for LLVM code generation. After discussing the problem with Ben, he spent some time cleaning up the AST definition, the result of which was that nearly all the stuff I already had, stopped working. This was a little disheartening. That and the fact that I was really busy, meant that I didn't touch the LLVM backend for a number of weeks.

When I finally did get back to it, I found that it wasn't as broken as I had initially thought. Although the immediate interface between Ben's code and mine had changed significantly, all the helper functions I had written were still usable. Over a week and a bit, I managed to patch everything up again and get back to where I was. I also did a lot of cleaning up and came up with a neat solution to a problem which was bugging me during my previous efforts.

The problem was that structs defined via the LLVM backend needed to have exactly the same memory layout as the structs defined via the C backend. This is a strict requirement for proper interaction between code generated via C and LLVM. This was made a little difficult by David Terei's haskell LLVM wrapper code (see previous post) which makes all structs packed by default, while structs on the C side were not packed. Another dimension of this problem was finding an easy way to generate LLVM code to access structs in a way that was easy to read and debug in the code generator and also not require different code paths for generating 32 and 64 bit code.

Struct layout is tricky. Consider a really simple struct like this:

  struct whatever
  {   int32_t tag ;
      char * pointer ;
  } ;

On a 32 bit system, that struct will take up 8 bytes; 4 bytes for the int32_t and 4 for the pointer. However, on a 64 bit system, where pointers are 8 bytes in size, the struct will take up 16 bytes. Why not 12 bytes? Well, some 64 bit CPUs (Alpha and Sparc64 are two I can think of) are not capable of unaligned memory accesses; a read from memory into a CPU register where the memory address (in bytes) is not an integer multiple of the size of the register. Other CPUs like x86_64 can read unaligned data, but reading unaligned data is usually slower than reading correctly aligned data.

In order to avoid unaligned, the compiler assumes that the start address of the struct will be aligned to the correct alignment for the biggest CPU register element in the struct, in this case the pointer. It then adds 4 bytes of padding between the int32_t and the pointer to ensure that if the struct is correctly aligned then the pointer will also be correctly aligned.

Because structs are packed in the David Terei's code, the above struct would require a different definition on 32 and 64 bit systems, ie

  ; 32 bit version of the struct
  %struct.whatever.32 = type { i32, i8 * }>

  ; 64 bit version of the struct
  %struct.whatever.64 = type { i32, [4 * i8], i8 * }>

where the 64 bit version contains 4 padding bytes. However, the difference between these two definitions causes another problem. To access fields within a struct, LLVM code uses the getelementptr operator which addresses fields by index. Unfortunately, the index (zero based) of the pointer is 1 for the 32 bit version and 2 for the 64 bit version. That would make code generation a bit of a pain in the neck.

The solution is allow the specification of LLVM structs in Haskell as a list of LlvmStructField elements, using

  data LlvmStructField
        = AField String LlvmType    -- Field name and type.
        | APadTo2                   -- Pad next field to a 2 byte offset.
        | APadTo4                   -- Pad next field to a 4 byte offset.
        | APadTo8                   -- Pad next field to a 8 byte offset.

        | APadTo8If64               -- Pad next field to a 8 byte offset only
                                    -- for 64 bit.

Note that the AField constructor requires both a name and the LlvmType. I then provide functions to convert the LlvmStructField list into an opaque LlvmStructDesc type and provide the following functions:

  -- | Turn an struct specified as an LlvmStructField list into an
  -- LlvmStructDesc and give it a name. The LlvmStructDesc may
  -- contain padding to make it conform to the definition.
  mkLlvmStructDesc :: String -> [LlvmStructField] -> LlvmStructDesc

  -- | Retrieve the struct's LlvmType from the LlvmStructDesc.
  llvmTypeOfStruct :: LlvmStructDesc -> LlvmType

  -- | Given and LlvmStructDesc and the name of a field within the
  -- LlvmStructDesc, retrieve a field's index with the struct and its
  -- LlvmType.
  structFieldLookup :: LlvmStructDesc -> String -> (Int, LlvmType)

Once the LlvmStructDesc is built for a given struct, fields within the struct can be addressed in the LLVM code generator by name, making the Haskell code generator code far easier to read.

Pretty soon after I got the above working I also managed to get enough LLVM code generation working to compile a complete small program which then runs correctly. I consider that to be milestone 3.