This week I came across some C++ code like this:

if (foo & 0x0FFFFFFF >= width * height) {
    /* copy width * height items to a buffer */
} else {
    /* handle error */
}

This is buggy code. Worse, it’s probably a security vulnerability. The code parses a particular file format. This if-statement is attempting to make sure the fields are internally consistent. Getting this check wrong, probably means an attacker could craft a file to cause the parser to overrun a buffer, which is almost certainly an exploitable security bug.

Don’t see the problem? The variable foo in this case is a 32-bit integral type. The top bits are used for flags, and the remaining portion is a buffer size. The code is attempting to make sure that the buffer is at least large enough to hold width * height items.

Do you see the problem now? It’s a precedence problem. In C and C++, the & operator has a low precedence — lower than even the inquality operators. So the compiler interprets the condition as:

foo & ( 0x0FFFFFFF >= (width * height))

So first the code will compute the product width * height and then it will check if 0x0FFFFFFF is less than the product. This yields a boolean value: true or false. The bitwise AND is then performed between foo and the boolean. Well, sort of. First the boolean will be implicitly converted to an integral type to match foo‘s type. That is, it becomes a 0 for false or a 1 for true.

The net result is that it checks to see if foo is even or odd.

C++, like C, is full of pitfalls like this. It’s easy to write code that does the wrong thing. Programmers aren’t superhuman. Bugs like this get written, but we have lots of techniques for catching these kinds of mistakes.

The first line of defense is the compiler. The incorrect expression is perfectly legal, so it’ll happily compile the code. But most modern compilers are aware of common language pitfalls and will issue warnings about suspicious code. For example, I spotted this problem because the Micosoft VC++ compiler pointed at the line and said:

warning C4554: ‘&’ : check operator precedence for possible error; use parentheses to clarify precedence

There’s little excuse for ignoring (or worse, silencing) compiler warnings. Some programmers don’t want to be bothered with false positives.  In almost all cases, however, it’s possible to eliminate false positives by making the code more clearly express what you intended. For example, if you did intend to evaluate the bitwise-AND last, you could have added parentheses to make it explicit. This would not only eliminate the noisy warning, but it would also make the code more obvious to the next programmer to come along.

The next line of defense is to always step through new code in the debugger. This should be second nature to software engineers, but, unfortunately, many still don’t do it. It’s such a useful practice that Steve Maguire dedicated an entire chapter to it in Writing Solid Code. Stepping through the code while keeping an eye on the variables could have alerted the programmer to the fact that the condition wasn’t testing the right thing.

Unit tests definitely should have caught this mistake. If it’s important enough to check the condition, then it’s probably important enough that you have unit tests to check both outcomes. Alas, this code had no unit tests.

And you might think that normal testing would stumble over the problem. In this case, it wouldn’t because the condition was checking for a very unusual condition that’s not likely to occur with any normal data. And even if somehow a regular test case stumbled over the problem, it wouldn’t provide very good isolation for tracking the cause back to this line of code. File fuzzing could have caught the problem. Fuzzing should probably be done for all parsing code.

Having a peer code review your change–that is another programmer look them over–might have caught the problem. If one developer doesn’t see the bug, then a second might miss it, too. But that won’t always be the case. A fresh set of eyes with a different perspective might at least ask whether the expression does what is intended.  And if you know your colleague is going to be reading your code, you might be motivated to make it as clear as possible.  For example, you might make it a little more explicit like this:

const uint32_t buffer_length = foo & 0x0FFFFFFF;
if (buffer_length >= width * height) {
    /* copy width * height items to a buffer */
} else {
    /* handle error */
}

Notice how trying to make the code clearer to another human can “accidentally” fix the bug.

It’s hard to see how this bug could have made it into a product with all the usual bug defenses in place. I can only conclude that they weren’t all in place. Obviously, the compiler warnings were ignored or silenced. It’s a shame that programmers feel compelled to take such shortcuts. I love it when the compiler says, “um, this looks wrong.” It’s a golden opportunity to fix my stupid mistakes before anyone else sees them.

Leaden Skies by Ann Parker

My rating: 5 of 5 stars

I’ve enojoyed all the Leadville books, but Leaden Skies, the third book in the series, is my favorite (so far). Parker’s writing has improved with each book, and the mystery plot in this one was especially satisfying. I’m looking forward to Mercury’s Rise.

View all my reviews

The Path Between the Seas: The Creation of the Panama Canal, 1870-1914 by David McCullough

My rating: 5 of 5 stars

I’m tempted not to review this book. I don’t like long books. I don’t enjoy much non-fiction, and I certainly don’t seek out history texts. So The Path Between the Seas, weighing in at more than 600 dense pages, wasn’t the type of book I’d pick out for myself. My wife gave me this tome before our cruise through the Panama Canal, so I felt obligated to give it a try.

It seems unfair to rate and review a book I’m destined to detest, but McCullough’s striking detail brought the difficult birth of this most amazing engineering achievement to life. Unfortunately, I was only a third of the way through when we departed for our cruise, but as soon as we returned, I picked it right back up again.

The people in this story–de Lesseps, Gorgas, Taft, Rooseveldt, Banau-Varilla–are portrayed so vividly, it’s hard to believe they aren’t characters in a work of fiction. But McCullough is a real historian, and there are 40-50 pages of notes at the end of the book that leave little doubt that every detail woven into this utterly comprehensive narrative is factual.

If you’re used to modern fiction’s lean prose, McCullough’s long, winding sentences might be off-putting, but I found myself acclimated to them after just a couple pages. McCullough covers the economics and engineering of the canal with the same dexterity as the people, the events, and the historical context.

If you ever plan to visit the Panama Canal, this book is a must. But even if a passage isn’t on your bucket list, the book should be on your reading list.

View all my reviews

Blue Screen of Death is now listed on goodreads.com (thanks Laura!). If you’re a Goodreads user, drop by and leave a quick review. Also visit my author page to become my fan.

Also, Smashwords seems to have worked through their backlog and added BSoD to their premium catalog, which means the book is on the way to the Apple, Kobo, and Sony stores as well.

Thanks everyone for the great response to the book. If you’ve enjoyed the book or want to know more about it, check it out on Facebook.

Saba

Good news! Read an Ebook Week has been extended into a month-long affair. It’s still a Canadian thing, though, so there’s that.

So with several more weeks of ebook reading ahead, what’s next on your list? By now, I’m sure you’ve devoured Blue Screen of Death. I’d like to recommend Saba by Mary Jane (Amazon, B&N, Smashwords).

Saba (pronounced SAY-buh) is a little island in the Caribbean Sea that changes the lives of a couple who move there after a perfect vacation. Have you ever seen that TV show Househunters International, where couples decide to chuck it all and move to their vacation spot? Saba shows you what happens after they move in.

I’ve followed Mary Jane’s writing career closely, and I think this novel is her breakthrough. Highly recommended.

This weekend my bank accidentally canceled my ATM card.

Three days later, a fraudulent charge on our credit card caused us to close the account.

Last night, I did some shopping with cash. Remember that stuff?

It seems like just yesterday, cashiers viewed actual currency with suspicion. You’d hand over a twenty, and they would scrutinize the watermarks, pass it under a UV light, and scribble on it with those color changing pens before counting out your change. Those days seem to be over. Last night I handed the clerk a hundred, and she just dropped it into the register without a second glance.

This banking trouble is slowing down the roll-out plan for Blue Screen of Death. If you can’t wait, it’s already available on Kindle and Nook, but I still need to get it into the pipeline for all the other ebook retailers. I’m postponing that work until the new cards arrive and I get the banking situation back into a steady state.