Curse of the Credit Card

Some months ago our credit card details were fraudulently used to purchase a couple of train tickets in Italy.  It seemed to be an odd choice of purchase for the fraudsters but maybe they were really strapped for cash!

We had to go through the process of canceling the cards, waiting for replacements, and then updating various services that require the credit card number, such as GoDaddy for automatic domain-name renewals, or PayPal.

Well, the bank called today to notify us that a fraudulent transaction was attempted on our new card.  So once again we have the same process to look forward to.

Maybe that Nigerian Prince I’ve been emailing can help me track down the culprit!

Lack of Aussie C++ communities

There is a disappointing lack of C++ conferences, user groups, meet-ups and other such events in Australia.

Microsoft Australia’s Tech.Ed is one example where the developer sessions are virtually 100% focused on managed code and framework development.  I can appreciate the reasons for this, with .NET/Java accounting for most business and enterprise application development.

Nonetheless, native C/C++ skills remain critical for games, multimedia, drivers, embedded systems, and other applications (desktop or web) that demand the utmost performance and efficiency.

What to do?  Meditate on this, I will.

Scott Meyers on C++0x

Check out the podcast video from InformIT, which is Part 1 of an interview with Scott Meyers.  Not sure when they’ll be posting Part 2.

Secret credit card database

I got a call from UPS because a parcel I’m receiving from the U.S. is worth more than AU $1,000 and hence is applicable for Australian GST.

The UPS person asked for my credit card details so that I could pay the GST (which I’ll later claim back anyway since the goods are for business purposes).

The conversation went something like this:

UPS:  What’s your credit card number and expiry date?

Me:  <Gives details>  (No, I’m not going to list them here!)

(Pause; I can hear the details being entered into the computer.)

UPS:  And is the name on the card “Neil Henderson”?

Me:  Yes, how did you know that?  Do you have access to some kind of special credit card database?

UPS:  <Laughs>  No, it’s the name on the shipping address.

Balloon popping dog

Fixed array profiling

C++ has a number of solutions for collections/arrays, including arrays inherited from C, STL collections such as vector, and non-standard yet widely adopted solutions such as Boost’s scoped_array and shared_array.

STL’s vector is the preferred option for collections that need to dynamically resize. But what about fixed size arrays?

If you only need a fixed size array of, say, integers, and performance is critical then which solution is best?

This was the question I was faced with earlier, so I did some profiling tests. The following graph illustrates the results:

Tests were performed with MSVC 9 (Visual Studio 2008, with VC Feature Pack) and Boost version 1.34.1 on an Intel Q6600 CPU with Windows Vista SP1. See below for test details.

Interpretation of Results

Boost’s scoped_array and shared_array perform just as fast as a C-array solution. The tiny variance in results is likely to be memory/operating system factors rather than the solution itself.

Boost’s solutions should be preferred over C arrays since they minimise potential memory leaks.

As expected, vector suffered from it’s power; it’s designed for a wide variety of use cases, including the ability to dynamically resize itself, and in this scenario that extra power added some overhead. Note, however, that the vector test case did not do any dynamic resizing; the vector was manually resized/reserved to the required size before populating it with values.

Test Details

The following tests were performed on a C array, scoped_array, shared_array and vector:

1. Create 3 arrays of integers (named source1, source2, dest) with a size of 720 x 576 x 4. This size represents a typical RGBA video image.
2. Populate source1 and source2 arrays with random values.
3. Perform the following tests:

    for (size_t i = 0; i < arraySize; ++i)
    {
        dest[i] = source1[i] + source2[i];
    }

and:

    for (size_t i = 0; i < arraySize; ++i)
    {
        int rndSource1 = rand() % arraySize;
        int rndSource2 = rand() % arraySize;

        dest[i] = source1[rndSource1] + source2[rndSource2];
    }

Then finally, if necessary, destroy the arrays.

As can be observed, the test cases are quite basic and focus on accessing the array elements. The first loop accesses the elements in sequential order (which will take advantage of CPU cache lines), whereas the second loop accesses the elements somewhat randomly.

These test cases fulfilled the requirements that I wanted to profile, but performance results may differ with other test cases.

The test cases were repeated 10 times for each array solution, with timing done around the entire operation by using the QueryPerformanceFrequency and QueryPerformanceCounter Windows APIs.

The order of the array tests was changed as well, in case subsequent arrays benefited from previous execution.

First run:

1. scoped_array
2. shared_array
3. C array
4. vector

Second run:

1. vector
2. C array
3. shared_array
4. scoped_array

Third run:

1. vector
2. scoped_array
3. C array
4. shared_array

The Joy of Syntax

I spent a considerable amount of time recently trying to track down a bug that was causing a crash.

Not the nice kind of crash that is easily reproducible and the cause of which can be pinpointed with some careful debugging, but the kind that requires painful examination of stack calls, disassembler, and stripping away layers of code to try and find the root issue.

The only lead I had was that the crash was due to freeing memory.  So accidental double-delete or a buffer overrun was on my mind.  But finding the actual code that causes the problem is easier blogged about than done.

I finally tracked the problem down to a for loop, which was doing this:

for (int i = 0; i <= size; ++i)

instead of:

for (int i = 0; i < size; ++i)

Valid syntax, but the result had a massive flow-on effect which ended up writing to memory outside its limits, and when free’d, the runtime kicked-in to report a problem.

Parallelalism

Concurrently executing threads making use of SIMD CPU instructions is a potent combination.  It’s like an orgy of parallel goodness.

But it’s not as easy as it should be to join this party.

Concurrency kits, frameworks and libraries are available now or can be seen on the horizon.  In welcome news, Microsoft are building a Concurrency Runtime for native C++ code.  These libraries help to abstract the underlying thread APIs and some of the synchronisation issues.

But the same cannot be said of SIMD.  Apart from a few vector/matrix wrapper classes, most SIMD work still has to be done in assembly code or with compiler intrinsics.  Where are the SIMD abstraction layers?

Etiquette of Thank-you notes

Consider this scenario:

1. You give someone a gift.
2. That person sends you a thank-you note.

So far, so good.

But should you now thank the person who sent you the thank-you note?  I don’t mean with your own thank-you note, but rather an appreciative acknowledgment that you received their thank-you note.

This was the conundrum I was faced with earlier.  I erred on the side of thanking.

Secure site? Yeah, right

I visited Optus’ optusiphone.com.au web site to “express my interest” for the newly announced iPhone.

After clicking the “Already an Optus customer” button my browser was redirected to yesiphone.com.au, presumably because Optus’ web servers aren’t up to the challenge of handling both their own customers and new customers.

The site provides the option to pay a fully-refundable $50 deposit, with no obligation to buy the product, but which gives the depositor a 2 hour head start on any queues when the iPhone is released on 11 July.

So I figured I’d give it a shot, and after a not-so-smooth sign-up process I was presented with a page to enter my credit card details and pay the $50 deposit.

The page was kind enough to tell me that it is a “secure site” and that my credit card details are encrypted.

Yet my trusty browser told me otherwise, as the following screen shot illustrates.

It turns out that Optus is using a solution called CustomerConnect to handle these registrations, so the blame must be equally shared by the solution provider as well as Optus for not thoroughly testing it (at the least; they may also be to blame for the deployment).

As for the question of any malicious spoofing, both Apple and the Optus main web site provide links to optusiphone.com.au.  So I think it’s a case of poor security rather than an attack; though some kind of code injection that redirects users to yesiphone.com.au can’t be ruled out.

Fortunately I’m in the habit of confirming that a valid, encrypted connection is being used, but I’m not so confident for Mr. Joe “Just-got-his-credit-card-details-stolen” Average.