Valgrind and OpenSSL

June 28, 2009 | etbe

I’ve just filed Debian bug report #534534 about Valgrind/Helgrind reporting “Possible data race during write” [1]. I included a patch that seems to fix that problem (by checking whether a variable is not zero before setting it to zero). But on further testing with Valgrind 3.4.1 (backported from Debian/Unstable) it seems that my patch is not worth using, I expect that Valgrind related patches won’t be accepted into the Lenny version of OpenSSL.

I would appreciate suggestions on how to fix this, the problem is basically having a single static variable that is initialised to the value 1 but set to 0 the first time one of the malloc functions is called. Using a lock for this is not desirable as it will add overhead to every malloc operation. However without the lock it does seem possible to have a race condition if one thread calls CRYPTO_set_mem_functions() and then before that operation is finished a time slice is given to a thread that is allocating memory. So in spite of the overhead I guess that using a lock is the right thing to do.

deb http://www.coker.com.au lenny gcc

For the convenience of anyone who is testing these things on Debian and wants to use the latest valgrind, the above Debian repository has Valgrind 3.4.1 and a build of GCC to fix the problem I mentioned in my previous blog post about Valgrind [2].

if (default_RSA_meth == NULL)
default_RSA_meth=RSA_PKCS1_SSLeay();

I have also filed bug #534656 about another reported race condition in the OpenSSL libraries [3]. Above is the code in question (with some C preprocessor stuff removed). This seems likely to be a problem on an architecture for which assignment of a pointer is not an atomic operation, I don’t know if we even have any architectures that work in such a way.

static void impl_check(void) Â {
Â Â Â Â CRYPTO_w_lock(CRYPTO_LOCK_EX_DATA);
Â Â Â Â if(!impl)
Â Â Â Â Â Â Â Â impl = &impl_default;
Â Â Â Â CRYPTO_w_unlock(CRYPTO_LOCK_EX_DATA);
}
#define IMPL_CHECK if(!impl) impl_check();

A similar issue is my bug report bug #534683 [4] which is due to a similar issue with the above code. If the macro is changed to just call impl_check() then the problem will go away, but at some performance cost.

I filed bug report #534685 about a similar issue with the EX_DATA_CHECK macro [5].

I filed bug report #534687 about some code that has CRYPTO_w_lock(CRYPTO_LOCK_EX_DATA); before it [6], so it seems that the code may be safe and it may be an issue with how Valgrind recognises problems (maybe a Valgrind bug or an issue with how Valgrind interprets what the OpenSSL code is doing). Valgrind 3.3.1 reported many more issues that were similar to this, so it appears that version 3.4.1 improved the analysis of this but didn’t do quite enough.

I filed bug report #534706 about the cleanse_ctr global variable that is used as a source of pseudo-randomness for the OPENSSL_cleanse() function without locking [7]. It seems that they have the idea that memset() is not adequate for clearing memory. Does anyone know of a good research paper about recovering the contents of memory after memset()? I doubt that we need such things.

I filed bug report #534699 about what appears to be a potential race condition in int_new_ex_data() [8]. The def_get_class() function obtains a lock before returning a pointer to a member of a hash table. It seems possible for an item to be deleted from the hash table (and it’s memory freed) after def_get_class() has returned the pointed but before int_new_ex_data() accesses the memory in question.

I filed bug report #534889 about int_free_ex_data() and int_new_ex_data() which call def_get_class() before obtaining a lock and then use the data returned from that function in a locked area[9] (it seems that obtaining the lock earlier would solve this).

I filed bug report #534892 about another piece of code which would have a race condition if pointer assignment isn’t atomic, this time in err_fns_check() [10]. In my first pass I didn’t bother filing bug reports about most of the issues helgrind raised with the error handling code (there were so many that I just hoped that there was some subtle locking involved that eluded helgrind and my brief scan of the source). But a new entry in my core file collection suggests that this may be a problem area for my code.

I think that it is fairly important to get security related libraries to be clean for use with valgrind and other debugging tools – if only to allow better debugging of the code that calls them. I would appreciate any assistance that people can offer in terms of fixing these problems. I know that there are security risks in terms of changing code in such important libraries, but there are also risks in leaving potential race conditions in such code.

As an aside, I’ve filed a wishlist bug report #534695 requesting that valgrind would have a feature to automatically add entries to the suppressions file [11]. As a function that is considered to be unsafe can be called from different contexts, and code that is considered unsafe can be in a macro that is called from multiple functions there can be many different suppressions needed. Pasting them all into the suppressions file is tedious.

Microsoft Open Source Information Evening

June 24, 2009 | etbe

I have just attended a Microsoft Open Source Information Evening. It was in some ways one of the stranger things that I have experienced in my computer career.

Firstly there was the location, it was in a function room in the CBD, it was convenient for public transport and had good service but seemed likely to be quite expensive. A MS employee said that they believed that some people wouldn’t want to enter an MS office – I can’t imagine why they think that they could convince people who refuse to enter the MS office of anything if they got them to attend. As there were only about 6 people who weren’t from MS it seems likely that they paid something in excess of $200 per head for each non-MS delegate (I can’t imagine two function rooms, two dedicated hotel employees manning the bar, and a supply of food for a larger audience costing less than $1200).

If they had spent $100 per head for us all to have dinner at a good restaurant then I think that the result would have been better. They might want to consider running targeted meetings in future with a small number of people personally invited to dinner at a good restaurant. That said, the dinner of duck canapes and asian-style chicken noodles that they provided was pretty good.

I suggested that they should find other ways of promoting such events as the audience was obviously smaller than they desired. One suggestion that I made was that they create a blog about what MS in Australia is doing in relation to Linux and to offer the RSS feed URL to the people who run Planet Linux Australia. They were reluctant to accept that idea and stated that they don’t want to be seen to be forcing their presence where they are not wanted. That is a good approach (and a contrast to some activities of MS in the past). But I believe that it is misguided in terms of RSS feeds. When you create a blog you make the RSS feed available and then the people who run syndication services have the option of using it. The Linux community is on the side of open discussion, I don’t think that we have anything to fear from hearing what MS people have to say. While my opinion of MS has improved this evening, I still have no interest in using any of their software. Linux just works really well and satisfies all of my needs.

There were a bunch of smart MS people there, they seemed to really care about their work and want to improve things. Their pitch was about how Open Source software works on Windows, they showed demos of the installation process for a variety of PHP programs and showed Python code being used in a MS web environment. Most of the presentation time involved technologies developed outside of MS, while there was obviously a lot of MS code involved in getting Python, Ruby, PHP, etc working well the focus was mostly on the free software. They also mentioned some of their work in opening APIs so that free software programs can access Exchange servers (among other things). I didn’t pay a great deal of attention to the technology as I’m never going to use it. I was more interested in their approach which was positive and respectful and the general trend of what they are doing.

It seems that there is an increasing number of people within MS who realise that free software is not going away and that their customers demand that things work together.

They also didn’t display any of the arrogance for which MS is known. When one of the delegates predicted that MS would take a fall the way IBM did there was no argument about that possibility, instead there was a discussion about how MS software can be used with software from other sources to meet the current and future needs of customers.

The discussion of software patents was generally not very productive, I got the impression that they were not permitted to give anything that I would have considered to be a good answer to any of the questions. They did show examples of software that they have released with RAND terms for patents and other situations in which there would be no patent liabilities. But it seems that MS as a whole has no interest in getting any of the patent problems fixed. I can only hope that IBM, NEC, or one of the other big patent companies will give MS a demonstration of why software patents are bad.

Finally I was given a couple of 8GB USB sticks and a copy of MS Expression Studio 2. If anyone wants the unopened copy of Expression Studio they can make me an offer by email.

Unreasonably Large Source Packages

June 24, 2009 | etbe

For the past few hours I’ve been going a build of the GCC packages on a dual-core Opteron system with 2.5G of RAM and a pair of reasonably fast SATA disks in a RAID-1 array. The machine is reasonably powerful so presumably such a build would take a significantly larger amount of time on a laptop or an older machine – my primary development machine is an old laptop and is thus unsuitable for such things.

My aim is to do a build with the patch for GCC bug 40518 [1] – which is a small patch to the STL.

Presumably the people who are seriously involved in GCC development don’t do this, they would be doing a build of a small sub-set that matches the code that they are working on. But as someone who is not involved in the project such an approach doesn’t seem viable, by using the Debian build tools to rebuild all packages from the source package I can reliably get a good build.

It would be convenient if these large source packages could be split into smaller packages. It shouldn’t be necessary to compile the C compiler (presumably with the full double-compile process), as well as the C++, Objective C, and Fortran compilers when I only want to compile the STL (libstdc++). It also shouldn’t be necessary for me to hack around a build system when all I want to do is to apply and test a single patch.

It seems to me that the current situation discourages contributions. If I can build a package in a reasonable amount of time on my laptop (Pentium-M 1.7GHz with 1.5G of RAM) then I can work on it at any time and in any place. If it requires hours of build time on my biggest machine then I can only work on it when at home and only when I have hours to spare (or if I have enough of a need to come back to it the next day).

So if there are two bugs that have equal importance to me and one of them happens to be in part of the GCC family then the probability that I will work on the GCC bug is close to zero.

I realise that packaging GCC etc is really hard work. But it seems that making it easier for more people to contribute would alleviate the burden slightly.

[1] http://gcc.gnu.org/bugzilla/show_bug.cgi?id=40518

Valgrind/Helgrind and STL string

June 22, 2009 | etbe

I am trying to track down a thread-safety problem in one of my programs. Valgrind when run as “valgrind –tool=helgrind ./thread-test” claims that there is a problem with the following program (the Valgrind errors are at the end of the post). The SGI documents state [1]: “The SGI implementation of STL is thread-safe only in the sense that simultaneous accesses to distinct containers are safe, and simultaneous read accesses to to shared containers are safe. If multiple threads access a single container, and at least one thread may potentially write, then the user is responsible for ensuring mutual exclusion between the threads during the container accesses. “.

My interpretation of the SGI document is that different STL strings can be manipulated independently. When I have two threads running I have two stacks, so strings that are allocated on the stack will be “distinct containers“. So this looks like a bug in the STL or a bug in Valgrind. I am hesitant to file a bug report because I remember the advice that a wise programmer once gave me: “the people who develop compilers and tool chains are much better at coding than you, any time you think there’s a bug in their code there is probably a bug in yours“. I know that my blog is read by some really great programmers. I look forward to someone explaining what is wrong with my code or confirming that I have found a bug in Valgrind or the STL.

#define NUM_THREADS 2
#include <stdlib.h>
#include <pthread.h>
#include <stdio.h>
#include <string>

using namespace std;

void whatever()
{
string str;
str.erase();
}

struct thread_data
{
int thread_id;
};

void *do_work(void *data)
{
struct thread_data *td = (struct thread_data *)data;
printf("%d:stack:%X\n", td->thread_id, &td);
while(1)
whatever();
}

int main(int argc, char **argv)
{
pthread_t *thread_info = (pthread_t *)calloc(NUM_THREADS, sizeof(thread_info));
pthread_attr_t attr;
if(pthread_attr_init(&attr) || pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_JOINABLE) || pthread_attr_setstacksize(&attr, 32*1024))
fprintf(stderr, "Can't set thread attributes.\n");

int t;
struct thread_data td[NUM_THREADS];
for(t = 0; t < NUM_THREADS; t++)
{
printf("created thread %d\n", t);
td[t].thread_id = t;
int p = pthread_create(&thread_info[t], &attr, do_work, (void *)&td[t]);
if(p)
{
fprintf(stderr, "Can't create thread %d\n", t);
exit(1);
}
}
pthread_attr_destroy(&attr);
void *value_ptr;
for(t = 0; t < NUM_THREADS; t++)
pthread_join(thread_info[t], &value_ptr);
free(thread_info);

return 0;
}

==30622== Possible data race during write of size 4 at 0x414FED0
==30622== at 0x40FAD9A: std::string::_Rep::_M_set_sharable() (basic_string.h:201)
==30622== by 0x40A945E: _ZNSs4_Rep26_M_set_length_and_sharableEj@@GLIBCXX_3.4.5 (basic_string.h:206)
==30622== by 0x40FD6B6: std::string::_M_mutate(unsigned, unsigned, unsigned) (basic_string.tcc:471)
==30622== by 0x40FDBEE: std::string::erase(unsigned, unsigned) (basic_string.h:1133)
==30622== by 0x8048AA8: whatever() (thread-test.cpp:16)
==30622== by 0x8048B0A: do_work(void*) (thread-test.cpp:29)
==30622== by 0x402641B: mythread_wrapper (hg_intercepts.c:193)
==30622== by 0x40464BF: start_thread (in /lib/i686/cmov/libpthread-2.7.so)
==30622== by 0x42696DD: clone (in /lib/i686/cmov/libc-2.7.so)
==30622== Old state: shared-readonly by threads #2, #3
==30622== New state: shared-modified by threads #2, #3
==30622== Reason: this thread, #3, holds no consistent locks
==30622== Location 0x414FED0 has never been protected by any lock
==30622==
==30622== Possible data race during write of size 4 at 0x414FEC8
==30622== at 0x40A9465: _ZNSs4_Rep26_M_set_length_and_sharableEj@@GLIBCXX_3.4.5 (basic_string.h:207)
==30622== by 0x40FD6B6: std::string::_M_mutate(unsigned, unsigned, unsigned) (basic_string.tcc:471)
==30622== by 0x40FDBEE: std::string::erase(unsigned, unsigned) (basic_string.h:1133)
==30622== by 0x8048AA8: whatever() (thread-test.cpp:16)
==30622== by 0x8048B0A: do_work(void*) (thread-test.cpp:29)
==30622== by 0x402641B: mythread_wrapper (hg_intercepts.c:193)
==30622== by 0x40464BF: start_thread (in /lib/i686/cmov/libpthread-2.7.so)
==30622== by 0x42696DD: clone (in /lib/i686/cmov/libc-2.7.so)
==30622== Old state: shared-readonly by threads #2, #3
==30622== New state: shared-modified by threads #2, #3
==30622== Reason: this thread, #3, holds no consistent locks
==30622== Location 0x414FEC8 has never been protected by any lock
==30622==
==30622== Possible data race during write of size 1 at 0x414FED4
==30622== at 0x40A9012: std::char_traits<char>::assign(char&, char const&) (char_traits.h:246)
==30622== by 0x40A9488: _ZNSs4_Rep26_M_set_length_and_sharableEj@@GLIBCXX_3.4.5 (basic_string.h:208)
==30622== by 0x40FD6B6: std::string::_M_mutate(unsigned, unsigned, unsigned) (basic_string.tcc:471)
==30622== by 0x40FDBEE: std::string::erase(unsigned, unsigned) (basic_string.h:1133)
==30622== by 0x8048AA8: whatever() (thread-test.cpp:16)
==30622== by 0x8048B0A: do_work(void*) (thread-test.cpp:29)
==30622== by 0x402641B: mythread_wrapper (hg_intercepts.c:193)
==30622== by 0x40464BF: start_thread (in /lib/i686/cmov/libpthread-2.7.so)
==30622== by 0x42696DD: clone (in /lib/i686/cmov/libc-2.7.so)
==30622== Old state: owned exclusively by thread #2
==30622== New state: shared-modified by threads #2, #3
==30622== Reason: this thread, #3, holds no locks at all

[1] http://www.sgi.com/tech/stl/thread_safety.html

Lies and Online Dating

June 21, 2009 | etbe

Separating Fact From Fiction: An Examination of Deceptive Self-Presentation in Online Dating Profiles is a really interesting paper by Catalina L. Toma and Jeffrey Hancock of Cornell University and Nicole Ellison Michigan State University [1]. People who don’t use the Internet much regard online dating as an area that is filled with liars – largely due to a small number of gross liars that are well publicised (EG people conducting net-relationships while lying about their gender), but the evidence suggests that this is not the case.

The first point this paper made which I found to be particularly interesting is that anyone who desires a meeting in person will be limited in their lies (EG they have to post a real photograph of themself). So it seems that someone who doesn’t want to be lied to should insist on phone calls and meetings in person without much delay – the worst horror stories about online dating seem to concern people who interact over the net for many months before meeting. Maybe it would be a good strategy for users of singles sites to have a paragraph stating “I want to talk to you after receiving X messages” where X is some number significantly less than 10.

The next point was that connections to the real-world persona decrease the ability to lie, lying on a dating site that is only read by other singles is going to be easier than lying on your favorite social networking site, personal web-site, blog, or any other online resource that is read by people who know you. So someone who didn’t want to be lied to could demand the link to other online resources of the person that they are corresponding to.

Also the ability to track different versions of the profile decreases the ability to lie. It would be interesting if some of the singles sites added a history tracking feature so that it was possible to see the previous versions of someone’s profile. But even without such a feature the need to have a single profile greatly decreases the ability to lie. When trying to impress someone in a bar I believe that it is standard practice to pretend to be interested in whatever interests them, but on a profile page it is necessary to provide a short list of interests that remains relatively static.

Later in the paper there is an analysis of the average discrepancies of the profiles, which in most cases are small enough that they would not be noticed when meeting in person. But it does note that there were a few extreme lies (such as someone misrepresenting their age by 11 years).

Near the end of the paper there is a brief description of some related research. One interesting point is that even when there is no way for a liar to be caught (EG online discussion forums in which no meeting in person is planned) most people will still tend not to lie much. Great lies require a change in self-concept, and most people don’t want to think of themself as a liar.

It seems to me that this paper provides strong evidence to show that no-one should be afraid of being lied to on an Internet singles site and it can also be used to form strategies to avoid being the victim of a lie. So for those of you who are single and afraid of singles sites, fear no more!

[1] http://www.cl.cam.ac.uk/~rja14/shb09/hancock2.pdf

A “Well Rounded” CV

June 20, 2009 | etbe

When discussing career advice one idea that occasionally comes up is that someone should be “well rounded” and should demonstrate this by listing skills that are entirely unrelated to the job in question. Something along the lines of “I’m applying for your C programmer position, and I like spending my spare time playing tennis and golf“.

I suspect that the bad idea in question originated in the days when it was not uncommon to work for the same company for 20+ years and when there were company picnics etc. In that social environment employing someone implied socialising with them outside work so it would be a benefit to have something in common with your employees other than working for the same company. Also in those times there were few laws about discrimination in the hiring process.

It is often claimed that participation in team sports teaches people how to do well in team activities in a work environment. I have previously described the ways in which software development is a team sport [1]. Like most analogies this one is good in some ways and bad in others. Team-work is required in software development but it’s not quite the same as the team-work in sports. One significant difference is that most team sports have a single ball, and the person who has the ball (or who is about to catch it, hit it, etc) is (for a moment) the most important person on the field. There have been many sporting debacles when two players from the same team tried to catch a ball at the same time, so the rule in team sports is that you don’t compete with a colleague. In a work environment there are many situations where it’s necessary for tasks to be passed between colleagues at short notice. For example when a deadline is imminent tasks often need to be reassigned to the most skilled people. A junior programmer needs to know that they aren’t an athlete who is running with the ball, their teamwork involves having difficult tasks being reassigned from them at short notice.

Another significant difference between sports and work is the amount of aggression that is tolerated. In most sports some level of harassment of opposing players is tolerated. But in the modern workplace using a single naughty word can be considered as just cause for instantly sacking an employee. So it seems that exposure to an aggressive sporting environment would be a bad thing if it actually makes any difference.

One thing that is sometimes ignored is the teamwork that is involved with hobbyist computer work. Being involved with a software development team for fun will surely give teamwork experience that is more relevant to paid software development work than any sport!

One of the reasons cited for being “well rounded” is the ability to have a “work life balance“. I might almost believe such a claim if it wasn’t made in connection with the IT industry. But given how common it is to demand 60 hour working weeks (or longer) and the number of people who are required to have mobile phones turned on when they aren’t at work it seems that the general trend in the IT industry is against a work-life balance. When hiring people to work in cultures where a strict 40 hour working week is well accepted it seems that hiring people who are willing to work as long as required is important. When I worked in the Netherlands I lost count of the number of times I worked until 10PM or later to fix a broken system after all my Dutch colleagues departed at 5PM.

I have also seen the bizarre claim that consumption of alcohol leads to developing better social skills. It seems really strange to me that anyone would want to work in a company where social skills that are relevant to a bar would be useful (I am reminded of a company that was named after the founder’s penis – I declined to send my CV to that company). Also of course there is the fact that in most countries where I would want to live it is illegal to discriminate against hiring someone for refusing to drink alcohol.

It is quite common for the geekiest people to do a significant portion of their socialising via email and instant/short-messaging (formerly IRC, now Jabber, Twitter, and other services). It seems to me that this experience is more relevant to most aspects of the modern work environment (where most communication that matters is via email and instant-messaging) than any form of socialising that happens in a sports club or a bar. In fact people who are used to face-to-face dealings might have difficulty fitting in to an environment where most communication is electronic.

Now employers seem to have worked these things out. Recruiting agents (who reject most job applicants) have told me that they want to see nothing on a CV that doesn’t relate to a job. That is an extreme position, but seems to represent the desires of the hiring managers who will see the CVs that get past the recruiters. Hiring managers often don’t even read a CV before an interview, they often entirely rely on recruiting agents to determine who they will interview. So it seems that an effective CV will in most cases list as many keywords as possible, demonstrate experience in the technologies that were listed in the job advert, show years of work with no long breaks, and have little else.

Finally the IT industry is distinguished by having a significant number of people who’s work and hobby are almost identical, those people tend to be significantly more skilled than average. It seems to be a bad idea to avoid the potential of hiring some of the most skilled people.

To a large extent your career success depends on what you learn from your colleagues, so if you end up working in a team of people with low skills then it is bad for your career. Therefore it seems that anyone who wants to have a successful career will strive to avoid working for a company who’s hiring process had any criteria other than the ability to do the job well and the ability to not be a jerk. So when it comes to the technical part of a job interview (where the hiring manager brings his most technical people to grill the candidate) it probably makes sense to ask those technical people what their hobbies are. If their hobby is something other than computers then it indicates that the employer might be a bad one – so at least you should ask for more money as compensation for not having highly skilled colleagues.

[1] http://etbe.coker.com.au/2008/04/16/software-development-team-sport/

Links June 2009

June 19, 2009 | etbe

KickStarter.com is an interesting new service that allows creative people to solicit funding to start new enterprises [1]. Note that it is not for investing in projects, sponsors give the money and the result is that the work gets done. Unfortunately it only allows people with US bank accounts to receive money at this time.

Corey Doctorow and Charles Stross gave an interesting public discussion about privacy on the net titled “Open Rights – the All Seeing Eye” [2].

Ray Kurzweil announced the Singularity University at TED [3]. It will be run from a NASA research facility and teach all the core areas of technology related to the Singularity.

Stewart Brand gave a short but interesting TED talk about squatter cities [4]. He predicts that the population movement from rural areas to squatter cities will defuse the population problems as the rate of reproduction in cities is much closer to the rate needed to sustain the population (2.1 children per family) than that in the country. He didn’t mention the fact that disease spreads rapidly in squatter cities which culls the population. A related TED talk by Paul Collier describes how a Marshall Plan could be used to help the poorest billion people in the world [5]. He focuses on good governance as a required part of such a plan because that is the least immediately obvious requirement.

Here is a link for a famous TV clip of a man dancing in Sydney to celebrate the end of WW2 [6].

Zeke M. Vanderhoek is starting a school in the US where each teacher will get a salary of $US125,000 plus bonuses [7]. The school will primarily accept local students from the Washington Heights area, primarily students who do not perform well academically and who are from low income households. The class size will be 30 and the aim is to show that great teachers are the key to good education not small classes. The article notes that some teachers seem great on paper but perform badly in the class – like most jobs it’s easy to say that you are good. I hope this experiment works.

As a counter-point to Zeke’s work Caulfield Grammar School has introduced a “Learning Mentor” program for years 7 and 8 [8] which involves having a second teacher in the class. It’s an interesting concept, but I think that it’s unlikely to do much good given the other things that they are doing. Caulfield is also implementing some awful ideas such as having lots of specialised sports coaches and spreading the VCE over three years instead of two. The two-year VCE is itself quite awful, if it had been introduced one year earlier I would have had to do year 12 in another state to avoid it.

The Atlantic has an interesting article about the Harvard Study of Adult Development and it’s long-time director George Vaillant [9]. The conclusion seems to be that the secret to happyness is to employ mature adaptations to adverse situations, be well educated, have a stable marriage, don’t smoking, abuse alcohol (and presumably don’t abuse any other drugs), get some exercise, and have a healthy weight.

Adam Harvey has a good post summarising the current Microsoft actions in advertising it’s new web browser [10]. I doubt that this will go well for MS.

Religion vs Cult

June 18, 2009 | etbe

Diane Benscoter gave an interesting TED interview and a slightly less interesting TED lecture about her experiences with the Moonies [1]. She describes how she was a victim of the cult for five years, and then after being deprogrammed she spent five years working as a deprogrammer [2].

In her interview she described the first identifying trait of a cult as an “all or nothing world view” with “easy answers to complex questions are handed to you on a silver platter and if youâ€™re asked to believe in them unquestioningly and told not to seek an alternative“. However that seems to describe most religions.

It seems to me that when someone describes an organisation as a cult they are usually not referring to how old the organisation is (the term “new religious movement” is sometimes used as a synonym for “cult“) or whether it uses circular logic and specifies that belief in God is the answer to some significant questions. What they usually mean is that the organisation has harmed it’s members or society in some way.

Based on discussing various religions with many people, here are some criteria that I believe are generally regarded as differentiating religions and cults:

Religious leaders regard their followers as being individuals who need protection and assistance, while cult leaders tend to regard people as a resource to be exploited. It seems to be the standard practice that cult victims will end up with no money. But people who become religious are often encouraged to adopt practices that can increase their income (EG by avoiding alcohol and drug use). Most people who regularly attend church and who are in a good financial position are expected to donate 10% of their income – which still allows them to have a good standard of living.
Religions tend to encourage people to be healthy, there are many anecdotes of people recovering from health problems such as addiction to alcohol or other chemicals after becoming religious. Banning the consumption of alcohol (as most variants of Islam do) seems to be a reasonable measure for protecting the health of believers, banning the consumption of pork in times and places where the current first-world health technologies are unavailable also seems to be a good idea.
Cults often encourage people to be unhealthy. It’s common for cults to ban medical treatment or to compel their victims to take drugs. Some cults compel their victims to consume alcohol when there are medical reasons to avoid it (EG diabetes). Cults also often advocate activity that involves an unreasonable risk of sexually transmitted diseases.
Religions tend to focus on making the world a better place. Generally some of the money that is donated to religions is used for helping disadvantaged people. Religious leaders encourage their followers to act in a way that improves the world for everyone by objective criteria. Cult leaders tend to only want to personally benefit. If a leader has twenty Rolls-Royces then their organisation is more like a cult than a religion.
Cults break up families. When an organisation prohibits someone from associating with close relatives (such as parents) because they don’t agree with it then it’s a cult.
Religions respect personal beliefs and freedom of choice. Blindly following a leader is not required.
While it’s not commonly recognised, it seems to me that any organisation that tries to impose it’s own moral ideas by force of law is tending towards being a cult.
Religions don’t needlessly prevent people from being happy. A forced vow of celibacy is a cult feature.
Religions try to avoid encouraging their followers to break the law. In some cases nothing less than prohibiting a religion will make a religious leader advocate criminal activity.

Now if you examine the history of any religious group that has been operating for a few hundred years you will probably see cases where it matches the cult criteria. It seems to me that some of the ideas about cults were created by groups that want to protect their own status as “religions” and hobble the competition. The idea that new religions are cults is one example. Another is the idea that there is a boolean criteria of cult vs religion which allows groups recognised as religions to squash the competition without having to improve their own performance and become less cult-like.

The Cult page on Wikipedia is not very helpful when considering these issues and the leading definitions are the ones most opposed to the common use [3].

Finding Thread-unsafe Code

June 14, 2009 | etbe

One problem that I have had on a number of occasions when developing Unix software is libraries that use non-reentrant code which are called from threaded programs. For example if a function such as strtok() is used which is implemented with a static variable to allow subsequent calls to operate on the same string then calling it from a threaded program may result in a SEGV (if for example thread A calls strtok() and then frees the memory before thread B makes a second call to strtok(). Another problem is that a multithreaded program may have multiple threads performing operations on data of different sensitivity levels, for example a threaded milter may operate on email destined for different users at the same time. In that case use of a library call which is not thread safe may result in data being sent to the wrong destination.

One potential solution is to use a non-threaded programming model (IE a state machine or using multiple processes). State machines don’t work with libraries based on a callback model (EG libmilter), can’t take advantage of the CPU power available in a system with multiple CPU cores, and require asynchronous implementations of DNS name resolution. Multiple processes will often give less performance and are badly received by users who don’t want to see hundreds of processes in ps output.

So the question is how to discover whether a library that is used by your program has code that is not reentrant. Obviously a library could implement it’s own functions that use static variables – I don’t have a solution to this. But a more common problem is a library that uses strtok() and other libc functions that aren’t reentrant – simply because they are more convenient. Trying to examine the program with nm and similar tools doesn’t seem viable as libraries tend to depend on other libraries so it’s not uncommon to have 20 shared objects being linked in at run-time. Also there is the potential problem of code that isn’t called, if library function foo() happens to call strtok() but I only call function bar() from that library then even though it resolves the symbol strtok at run-time it shouldn’t be a problem for me.

So the obvious step is to use a LD_PRELOAD hack to override all the undesirable functions with code that will assert() or otherwise notify the developer. Bruce Chapman of Sun did a good job of this in 2002 for Solaris [1]. His code is very feature complete but has a limited list of unsafe functions.

Instead of using his code I wrote a minimal implementation of the same concept which searches the section 3 man pages installed on the system for functions which have a _r variant. In addition to that list of functions I added some functions from Bruce’s list which did not have a _r variant. That way I got a list of 72 functions compared to the 40 that Bruce uses. Of course with my method the number of functions that are intercepted will depend on the configuration of the system used to build the code – but that is OK, if the man pages are complete then that will cover all functions that can be called from programs that you write.

Now there is one significant disadvantage to my code. That is the case where unsafe functions are called before child threads are created. Such code will be aborted even though in production it won’t cause any problems. One thing I am idly considering is writing code to parse the man pages for the various functions so it can use the correct parameters for proxying the library calls with dlsym(RTLD_NEXT, function_name). The other option would be to hand code each of the 72 functions (and use more hand coding for each new library function I wanted to add).

To run my code you simply compile the shared object and then run “LD_PRELOAD=./thread.so ./program_to_test” and the program will abort and generate a core dump if the undesirable functions are called.

Here’s the source to the main program:

#!/bin/bash
cat > thread.c << END
#undef NDEBUG
#include <assert.h>
END
OTHERS="getservbyname getservbyport getprotobyname getnetbyname getnetbyaddr getrpcbyname getrpcbynumber getrpcent ctermid tempnam gcvt getservent"
for n in $OTHERS $(ls -1 /usr/share/man/man3/*_r.*|sed -e "s/^.*\///" -e "s/_r\..*$//"|grep -v ^lgamma|sort -u) ; do
cat >> thread.c << END
void $n()
{
assert(0);
}
END
done

Here is the Makefile, probably the tabs will be munged by my blog but I’m sure you know where they go:

all: thread.so

thread.c: gen.sh Makefile
./gen.sh

thread.so: thread.c
gcc -shared -o thread.so -fPIC thread.c

clean:
rm thread.so thread.c

Update:
Simon Josefsson wrote an interesting article in response to this [2].

McDonalds – Wifi Without Power

June 12, 2009 | etbe

I am writing this post at a small cafe while my car is being serviced. I tried a local Red Rooster food store, a KFC, and a McDonalds but none of them had a power socket I could use. This seems quite perverse as McDonalds advertises free wifi net access to entice customers, but no power to charge laptops, phones, etc. So anyone who has 3G net access will avoid that particular McDonalds store in spite of the free Wifi.

Also this is not something that happens accidentally. Power sockets are needed to power the variety of cleaning equipment that is used at fast food stores and it would same some cleaning time if they were centrally located, so someone at those fast food stores apparently decided to put power sockets out of reach of customers. I’m currently seated in a position that is within vacuum cleaner range of every table in the cafe, so whoever rents the premises to the small restaurants has thought of these things.

At home tariffs a laptop will consume about 1/3 of a cent worth of electricity per hour. It seems to me that a smart business owner would want to have several power sockets available to customers and advertise this fact. One cafe has made considerably more than 1/3 of a cent profit from me due to having a power socket where I could use it.

Note that not all McDonalds stores have this problem. One I visited last week had a power socket where I could use it. I noticed that they had made a good choice of uncomfortable chairs to discourage customers from spending too long there, it took the rest of the day to recover from a couple of hours sitting in McDonalds.

etbe – Russell Coker

Linux, politics, and other interesting things

Monthly Archives: June 2009