The Lone Pole

In C functions are generally not considered first-class objects. Although pointers to functions exist and can be used to build some routines that have rudimentary higher-order behavior, there is no language syntax for dynamically creating a long-lived function at run time, partially evaluating a function, creating a closure, etc. But as we can build interpreters for higher level languages that do support this, surely there must be a way to achieve this?

Basic callbacks

A basic use-case for passing a function to another in C is a situation where we have asynchronous events that require notification. To solve this, we typically create a function called a callback to register with some kind of event-generating framework to notify us of these asynchronous events. Furthermore we likely want some kind of context to go along with the function, so that the same function definition could be used with multiple different context objects to handle different events.

If we have control of both sides of the API, then we could define a callback interface where we register a function which takes an additional parameter representing this context information. This is a common C idiom: in the real world it is used in the Linux kernel to register interrupt handlers so that they can be called with a pointer to the struct device that they need to actually handle the interrupt (interrupt handlers have two parameters, however, not just one, because they also include the interrupt number). An example API and usage for a one argument event system might look something like this:

#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define NUM_EVENTS 4

typedef int (*callback)(void *ctx);

struct handler {
    callback fn;
    void *ctx;
};

static struct handler handlers[NUM_EVENTS] = {0};

int register_callback(uint32_t id, callback fn, void *ctx) {
    if (id >= NUM_EVENTS)
        return -EINVAL;

    if (handlers[id].fn)
        return -EBUSY;

    handlers[id].fn = fn;
    handlers[id].ctx = ctx;
    return 0;
}

int raise_event(uint32_t id) {
    if (id >= NUM_EVENTS)
        return -EINVAL;

    if (handlers[id].fn)
        return handlers[id].fn(handlers[id].ctx);

    return -ENOSYS;
}

int print_data(void *ctx) {
    const char *name = ctx;
    printf("got event name = %s\n", name);
    return 0;
}

static const char event0[] = "event 0";
static const char event1[] = "event 1";

void test_events(void) {
    register_callback(0, print_data, event0);
    register_callback(1, print_data, event1);

    raise_event(0);
    raise_event(1);
}

which produces this output when we call test_events() from another function, giving us our desired behavior:

got event name = event 0
got event name = event 1

However, this approach requires that the callback API was designed to support this use case. When we're in charge we can guarantee that it does, but if we're designing a library we can't guarantee that we will support all use cases and will likely opt for a simple, one parameter version. What if the user needs two pieces of context? They could of course pack any number of contexts into a wrapper context and then manually introduce an unpacking step, but this introduces additional complexity. Now, to use our two parameter function with an API that only offers a single void pointer parameter, we will need to:

Allocate a context wrapper and populate it with our parameters and function pointer
Register a specific unwrapping function (not the function we actually wanted to call)
Deallocate the context wrapper after we're done, in addition to everything else, which creates one more opportunity to leak memory
Potentially implement a new wrapping function and struct for each two parameter function signature we need, or embrace void * and lose more type safety with one generic two parameter wrapping version

Here's a basic example of how this might look.

struct ctx_wrap {
    int (*fn)(const char *, int);
    const char *name;
    int id;
};

int unwrapping_thunk(void *ctx) {
    struct ctx_wrap *wrap = ctx;
    return wrap->fn(wrap->name, wrap->id);
}

struct ctx_wrap *alloc_wrap(int (*fn)(const char *, int), const char *name, int id) {
    struct ctx_wrap *ret;

    ret = calloc(sizeof(*ret), 1);
    if (!ret)
        return NULL;

    ret->fn = fn;
    ret->name = name;
    ret->id = id;
    return ret;
}

void free_wrap(struct ctx_wrap *wrap) {
    free(wrap);
}

void test_events(void) {
    register_callback(0, print_data, event0);
    register_callback(1, print_data, event1);

    raise_event(0);
    raise_event(1);
}

static const char event2[] = "event 2";

int print_two_data(const char *name, int id) {
    printf("got event name %s, id %d\n", name, id);
    return 0;
}

void test_events2(void) {
    struct ctx_wrap *wrap = alloc_wrap(print_two_data, event2, 100);
    register_callback(2, unwrapping_thunk, wrap);

    raise_event(2);
    free_wrap(wrap);
}

When executed, test_events2 illustrates the behavior we wanted, calling our function print_two_data with the two arguments we've specified while using the one context parameter register_callback and raise_event functions from earlier:

got event name event 2, id 100

This approach provides a relatively general solution. We can pass any number of fixed parameters to our callback function using only one context pointer, and it can easily be integrated with systems where the callback also receives dynamic, event-specific parameters.

Fixing parameters to functions, "partial evaluation"

However, what if we need to provide context when working with an API where we are not allowed parameters at all? What if we really want to create a self-contained, callable function that has no externally visible context data to manage separately? Ideally, the end result in this scenario is a function that enables us to do something like this:

int foo(int x) {
    return x + 1;
}

void demo(void) {
    int (*bar)(void);
    bar = alloc_partial(foo, 1);
    printf("%d\n", bar());
    free_partial(bar);
}

and receive an ouptut of 2.

To do this we should start by building off of the idea of a wrapper context and an entry thunk that will decode the wrapper context and then call our target function with the saved parameters. But we also need to overcome these challenges:

We need to actually create a new function, somewhere in memory, that can be called just like any function that was compiled into the program through a function pointer
We need to store data that is specific to each instance of that function as part of the memory region used to store the function itself so they can be deallocated together
The thunk needs to refer to variables that are not declared on the stack, are not passed as arguments, and do not have static storage, without a separate pointer available to find them
We will not be using any external tools (like asking clang to compile a string and then copying the binary into our memory space or loading a shared object it produces) to do this
There's no standards-compliant way to express this in C

So, we will need to carefully design our thunk. A quick disclaimer as there is a bit of assembly in the upcoming bits: day to day, I may read armv7 or armv8 assembly, but I generally do not write much. My x86 assembly is based mostly on how I would expect it to be done on ARM, so I don't do a very good job of taking advantage of x86 addressing options (but the compiler does, as we will see later). I set out to do this at first assuming that the C compiler could not or would not help me and hand wrote an assembly-only implementation, wrapped in a naked C function for ease of integration with the rest of my program:

__attribute__((naked))
void __thunk() {
    asm volatile("lea -0x17(%rip), %rax");
    asm volatile("mov 8(%rax), %rdi");
    asm volatile("mov 0(%rax), %rax");
    asm volatile("jmp *%rax");
}

This function is declared with the naked attribute, so that there is no additional assembly introduced related to stack frame management, except it is interesting to note that GCC inserts an intentional undefined instruction after the function body, presumably to catch mistakes and trigger an exception immediately. I think this is a very nice touch and would catch a mistake, such as if I tried to make a tail call to another function using the call opcode rather than jumping to it, because ud2 would be executed after that function returns here (instead of to my caller as was intended) and trigger an exception rather than falling through into whatever is located after __thunk:

0000000000001600 <__thunk>:
    1600:       48 8d 05 e9 ff ff ff    lea    -0x17(%rip),%rax        # 15f0 <__libc_csu_fini>
    1607:       48 8b 78 08             mov    0x8(%rax),%rdi
    160b:       48 8b 00                mov    (%rax),%rax
    160e:       ff e0                   jmp    *%rax
    1610:       0f 0b                   ud2

So how does this thunk work? It uses the current instruction pointer, available in the %rip register, to create a pointer to memory that resides immediately before the function body by adding the constant -0x17. We use -0x17 because this encoding of lea is 7 bytes long, and we wish to further subtract space for two 8 byte (= 0x10 total) values that are stored before lea in memory.

From there we read the function argument at ptr+8, as a uint64 sized value, into %rdi, which is where the one argument to a function of type int (*fn)(int) is expected according to the calling convention being used. Then we read the function pointer itself into %rax and jump to %rax to forward to the function we wanted to call originally.

To go along with this thunk, we need another function that will copy the function pointer, function argument, and thunk body into the right places in memory. Furthermore, we need to allocate this memory specially, as memory returned by malloc is typically not executable. To allocate executable memory, we can use mmap directly to request a fresh page of virtual memory with read, write, and execute permissions set:

buf = mmap(NULL, size, PROT_EXEC | PROT_READ | PROT_WRITE,
    MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);

Further furthermore, we will need to find a way to access the compiled version of __thunk including its length from within the source code. Luckily the linker can help us out. If we place the original thunk into its own section and add two external symbols (which will be filled in by the linker), we can calculate the length of the section at run time:

__attribute__((naked,section("thunk")))
void __thunk() {
    asm volatile("lea -0x17(%rip), %rax");
    asm volatile("mov 8(%rax), %rdi");
    asm volatile("mov 0(%rax), %rax");
    asm volatile("jmp *%rax");
}
extern uint8_t __start_thunk;
extern uint8_t __stop_thunk;

The way that __start_thunk and __stop_thunk work are that the symbols are overlaid with the start and end of the section, and the value of each would be a single byte from the compiled representation of __thunk. So to compute the size of the section (which contains only our function, and thus the section size == the function size), we subtract the addresses of the two symbols: size = &__stop_thunk - &start_thunk.

We can combine all of this to create a very rough function that accomplishes our goal and creates a callable object:

typedef int (*retint)(void);

retint partial(int (*fn)(int), int x) {
    uint64_t *buf;
    retint result;
    size_t tsize;
    size_t size;

    tsize = &__stop_thunk - &__start_thunk;
    size = tsize + 2*sizeof(uint64_t);

    buf = mmap(NULL, size, PROT_EXEC | PROT_READ | PROT_WRITE,
        MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == -1) {
        perror("mapping failed");
        return NULL;
    }

    buf[0] = (uint64_t) fn;
    buf[1] = x;

    memcpy(buf+2, __thunk, tsize);
    return (retint)(buf+2);
}

int main(int argc, char **argv) {
    retint foo_partial;
    foo_partial = partial(foo, 7);
    printf("%d\n", foo_partial());
    return 0;
}

This will print out 8 when it runs, just as we expected. We can now create function objects that store another function pointer and a single argument internally and otherwise work just like regular zero argument functions that we can call directly from anywhere in our code, forwarding the call to the stored pointer along with the stored argument!

A little C as a treat

We could be happy here, but it is really unfortunate that the entire thunk is implemented in assembly. Things seem kind of brittle, and if I wanted to have a function with a different argument type, or a function with two arguments, I'd need to re-create it by hand and manually check that everything lines up correctly, plus I would need to handle more of the calling convention and I have no desire to figure out all of the details. Ideally, we get the C compiler to cooperate with us as much as possible so that it can take care of these things, so let's start on version 2.

The first thing we want to do is define a C struct to handle our memory layout:

struct partial_fn {
    int (*fn)(int);
    uint64_t a0;
    char body[];
};

This will store our function pointer, one argument, and a flexible array member to represent the body of the thunk that will be copied around. From there, we can define a new thunk that is much less brittle, using lea to get a pointer to this struct and then locating the function we wish to call and its argument with the rest of the thunk written in C:

#define LEA_SIZE 0x07
__attribute__((section("t2")))
int __t2() {
    struct partial_fn *ctx;
    asm("lea %c1(%%rip), %0" : "=r" (ctx) : "i" (-LEA_SIZE - offsetof(struct partial_fn, body)));
    return ctx->fn(ctx->a0);
}
extern uint8_t __start_t2;
extern uint8_t __stop_t2;

Since we need to use the gcc extended assembly syntax in order to reference the local variable ctx, we can also introduce a dynamically computed constant to replace the -0x17 from before, which will account for changes to the layout of struct partial_fn, but which will not adapt to the size of any prologue instructions inserted before lea. Unfortunately, this version doesn't work out of the box. Since the function is not declared naked, it will insert a prologue and epilogue by default, resulting in disassembly like this:

00000000000016c4 <__t2>:
    16c4:       55                      push   %rbp
    16c5:       48 89 e5                mov    %rsp,%rbp
    16c8:       48 83 ec 20             sub    $0x20,%rsp
    16cc:       48 8d 05 e9 ff ff ff    lea    -0x17(%rip),%rax        # 16bc <__thunk+0xb>
    16d3:       48 89 45 e8             mov    %rax,-0x18(%rbp)
    16d7:       48 8b 45 e8             mov    -0x18(%rbp),%rax
    16db:       48 89 45 f0             mov    %rax,-0x10(%rbp)
    16df:       48 8b 45 e8             mov    -0x18(%rbp),%rax
    16e3:       48 83 c0 08             add    $0x8,%rax
    16e7:       48 89 45 f8             mov    %rax,-0x8(%rbp)
    16eb:       48 8b 45 f0             mov    -0x10(%rbp),%rax
    16ef:       48 8b 10                mov    (%rax),%rdx
    16f2:       48 8b 45 f8             mov    -0x8(%rbp),%rax
    16f6:       8b 00                   mov    (%rax),%eax
    16f8:       89 c7                   mov    %eax,%edi
    16fa:       ff d2                   call   *%rdx
    16fc:       c9                      leave
    16fd:       c3                      ret

Note that I've left the offset at -0x17 and compiled it just to grab this disassembly; this version won't work because that offset is incorrect for locating the function pointer and argument. However, we implemented something that was logically equivalent using only four instructions, so this seems wasteful--maybe we've failed at getting the compiler to understand what we want? Not really, we just need to turn on optimization. If I build with -O2 however, this output is created for __t2 instead, which is exactly what we were hoping to see:

0000000000001600 <__t2>:
    1600:       48 8d 05 e9 ff ff ff    lea    -0x17(%rip),%rax        # 15f0 <__thunk+0x10>
    1607:       8b 78 08                mov    0x8(%rax),%edi
    160a:       ff 20                   jmp    *(%rax)

Even better, the compiler has outdone me, because it knows about an indirect jump addressing mode that I didn't know about at the time, so it is able to combine the two instruction sequence I used into a single instruction for using the stored function pointer. So, based on our source code, gcc is able to infer that we do not need a stack frame, do not need a prologue or epilogue, and can optimize this as a tail call using jmp rather than call and ret.

With the memory layout codified as a struct definition, we can also improve the definition of partial in order to avoid manually computing the offsets or locations of things. This gives us a much more robust implementation:

retint partial2(int (*fn)(int), int x) {
    struct partial_fn *result;
    size_t tsize;
    size_t size;

    tsize = &__stop_t2 - &__start_t2;
    size = tsize + sizeof(*result);

    result = mmap(NULL, size, PROT_EXEC | PROT_READ | PROT_WRITE,
        MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (result == (void *)-1) {
        perror("mapping failed");
        return NULL;
    }

    result->fn = fn;
    result->a0 = x;

    memcpy(result->body, __t2, tsize);
    return (retint) result->body;
}

Testing this version gives the expected behavior:

int main(int argc, char **argv) {
    retint foo_partial;
    foo_partial = partial2(foo, 3);
    printf("%d\n", foo_partial());
    return 0;
}

prints 4 to the terminal. Now we have an implementation that is robust against changes to the memory layout and respects the calling convention; the only bit of magic left is the bit of inline assembly and the assumption that said inline assembly is the first instruction in the function body.

Do it without inline assembly?

Finally, I decided to try something I had ruled out earlier. This goes a little bit outside the defined behavior of the C language and relies on some implementation and platform details that are known to differ between architectures, but it yields a solution that mostly appears to work on x86 (but not on armv8, for example). I decided to see where gcc would place function-level static variables on x86 to see if they were located near the function and if they were accessed with %rip-relative addressing. It turns out they're placed in the data section (largely for security reasons--overflows on buffers allocated in data would not allow code injection into the read-only executable pages), but they are accessed with a relative load. Unfortunately, the offset between the code and data is large and changes with the amount of code, number of variables, link order etc. so it is too hard to predict, and we cannot adapt the partial function to store data at that offset relative to the new copy of the thunk function without a lot of extra work to read the offset from the compiled thunk. But, function pointers are accessed relative to the current instruction pointer as well. So, this snippet of code accomplishes what we want and gives us a pointer to the partial_fn struct allocated by the partial function, but the behavior is not guaranteed by the standard:

void *x = &__t2;
struct partial_fn *fn = x - sizeof(struct partial_fn);

This version works with optimization enabled or disabled and provides the shortest possible assembly implementation in -O2 by not calculating the pointer at all; instead it uses two instructions reads to load the argument relative to %rip and then jump to the function pointer:

0000000000001690 <__t3>:
    1690:       8b 3d f2 ff ff ff       mov    -0xe(%rip),%edi        # 1688 <__t2+0x8>
    1696:       ff 25 e4 ff ff ff       jmp    *-0x1c(%rip)        # 1680 <__t2>

This optimization was previously impossible because gcc doesn't optimize inline assembly beyond doing some dead code elimination, so the optimizer was not aware of what lea did and could not fuse it with the following mov and jmp instructions. My understanding is this is unlikely to change, and it is not something I would consider particularly important as a feature anyway.

This enables us to have version 3 implemented entirely in C:

extern uint8_t __start_t3;
extern uint8_t __stop_t3;

__attribute__((section("t3")))
int __t3(void) {
    void *x = &__t3;
    struct partial_fn *args = x - sizeof(struct partial_fn);
    return args->fn(args->a0);
}

retint partial3(int (*fn)(int), int x) {
    struct partial_fn *result;
    size_t tsize;
    size_t size;

    tsize = &__stop_t3 - &__start_t3;
    size = tsize + sizeof(*result);

    result = mmap(NULL, size, PROT_EXEC | PROT_READ | PROT_WRITE,
        MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (result == (void *)-1) {
        perror("mapping failed");
        return NULL;
    }

    result->fn = fn;
    result->a0 = x;

    memcpy(result->body, __t3, tsize);
    return (retint) result->body;
}

What happens on ARM?

This version however, is no more portable than the versions with inline assembly. If I compile this for armv8 using gcc 9.3, it disassembles into this (even with -O2 enabled):

0000000000000de4 <__t3>:
 de4:   a9be7bfd        stp     x29, x30, [sp, #-32]!
 de8:   910003fd        mov     x29, sp
 dec:   90000000        adrp    x0, 0 <_init-0x748>
 df0:   91379000        add     x0, x0, #0xde4
 df4:   f9000be0        str     x0, [sp, #16]
 df8:   f9400be0        ldr     x0, [sp, #16]
 dfc:   d1004000        sub     x0, x0, #0x10
 e00:   f9000fe0        str     x0, [sp, #24]
 e04:   f9400fe0        ldr     x0, [sp, #24]
 e08:   f9400001        ldr     x1, [x0]
 e0c:   f9400fe0        ldr     x0, [sp, #24]
 e10:   f9400400        ldr     x0, [x0, #8]
 e14:   d63f0020        blr     x1
 e18:   a8c27bfd        ldp     x29, x30, [sp], #32
 e1c:   d65f03c0        ret

This is interesting for a number of reasons. When we run a program containing this function it crashes; I get an Illegal Instruction, but it could produce other errors as well, because it jumps to an unexpected spot in memory instead of to the function pointer we wanted. The cause can be seen from the two instruction sequence used to calulate x:

 dec:   90000000        adrp    x0, 0 <_init-0x748>
 df0:   91379000        add     x0, x0, #0xde4

The adrp instruction is used to compute a PC-relative address (good), but does so in a roundabout way: it zeros the 12 lowest bits of the program counter and then adds the offset included in the instruction, which in this case is zero, so it loads the address of the start of the page containing the instruction. Then, the next instruction adds the constant 0xde4, which is the offset of __t3 relative to the start of the program in the executable, which was assumed to be loaded at a page boundary. Thus in order to compute the correct address, the function must be located at 0xde4 relative to the page it is part of, an offset that will change with the size of code in the program.

The other interesting thing about this assembly is that gcc is doing some very confusing things. It uses adrp and add to compute in two steps what could have been done with one, it writes to the stack and then immediately reads back the pointer (instructions 0xdf4 and 0xdf8), and then subtracts 16 bytes from x0 after this without using the earlier address for anything. The load/store could be eliminated and the three remaining pointer-calculation instructions could be combined into a single instruction. It repeats the store-load pair at instructions 0xe00 and 0xe04, and reloads x0 with the value it already contains at 0xe0c. I believe the same code should have been generated like this, but I haven't double-checked the calling convention. This is also the armv8 translation of the x86 instruction sequence I started with earlier.

adrp      x0, #0xdd4
ldr       x1, [x0]
ldr       x0, [x0, #8]
br        x1

To actually achieve what we wanted, adrp shouldn't be used at all; instead the PC-relative ldr with a literal argument should be used to directly load the the values stored before our thunk in memory. This is normally used for loading 32 or 64 bit constants that are stored directly in the .text section, but it can be used here. I haven't investigated how to get gcc to emit this instruction most easily, but the ideal assembly would look something like this instead:

ldr      x1, #-16
ldr      x0, #-16
br       x1

My syntax isn't entirely correct here, as this form normally needs to be written with a named literal as the second argument, which causes the assembler to encode it in the ldr (literal) way, but accounting for that, this three instruction sequence would accomplish the same behavior as the x86 version. I believe it should be reasonable for gcc to produce this same three instruction sequence for version 3 above because it is a simple interpretation of the source code, so I am surprised that it does what I wanted on x86 but not on armv8.

Conclusions

This is a pretty brittle way of dynamically creating function objects with saved parameters, but it has been fun to explore. It works well on x86 and can even be represented in C without inline assembly, but it relies on under-specified parts of the language specification to obtain the address of the function being executed using instruction-relative addressing. As we saw by looking at the ARM disassembly, other architectures may support instruction-relative addressing differently and this technique may not work as expected. However, fundamentally, it is possible to do using hand-written assembly on both platforms. Maybe a future version of the C language specification will include syntax and semantics for expressing this using well defined behavior only or directly include facilities to create functions dynamically, but of course this will open the door to more complicated dynamic functions such as closures.

It's also been fun to compare the x86 and armv8 products and see what gcc is doing. I am surprised by the issues in the output for armv8 on 9.3, but perhaps that has been improved by now (9.3 is almost two years old). If not maybe I can file a bug report or try to fix it myself.

Do I plan to actually use this technique? I'm not sure yet, but I am tempted because it may simplify some implementation in a project I am working on.

Full code as a single gist.

Once a year, I have to pay my renter's insurance bill. I get an email from Progressive, go to the website and find that I can't remember the password. I pull up the password manager and find Progressive-Homesite in the list, but the password is incorrect. Oh, I forgot, 4 months ago I needed to print proof of insurance while I wasn't home and had to reset the password to log in on the office computer. I reset the password again and pay my bill, saving the new password. The same basic scenario plays out every year for every infrequent account I have: insurance, internet, electricity.

So, if I never know what my password is, how am I really being authenticated? It comes down entirely to having access to my email address, but the process is tedious:

Click lost password/forgot password/trouble logging in
Enter email address
Wait for email to arrive, check spam, etc.
Click a link, where I create a new password, sometimes with confusing results:
Log in with the newly created password

These are effectively all low security websites. Contrast this with my bank, where if I were to forget my password, I would need to make a phone call and verify my identity in another way or visit a branch in person. That said, security questions, common personal details for verification, etc. are all pretty bad ways to verify someone's identity because they get reused and cannot be changed, so it's possible that the actual security in those processes is still quite low. For the sake of argument, however, let's classify this as a low security website because the password reset is automated and doesn't even offer the opportunity for another human to notice something may be amiss, in contrast with one where a person might stop and ask why someone is asking for access to my account but is unable to pronounce my last name consistently in conversation.

This process sucks. It's already established that if I have access to email, I can access anything that uses that email as a lost password address--we should cut out the middle man and use email directly to authenticate. Google already has a solution to this with Google Identity Platform, which is much faster to use, doesn't require me to store additional credentials, and easier to build and use correctly than homemade authentication systems might be (cf. Homesite requiring special characters in the password and tripping over the ones my random generator produced above). But Google isn't the only one that does this, and OpenID has been developed and deployed widely for authenticating users through third parties. If you don't like Google, you could use Facebook, or Twitter, or Steam. Just stop creating password-based logins. For the reboot of my blog I've used Google Identity Platform, and for the Dota 2 league I run, players sign in through Steam. So in both cases the login security is handled by companies with better security teams, and a data breach on my end also reveals no private information--the account names and IDs are public in both cases, after all, and I store no passwords or security questions.

At the end of the day, though, OpenID is somewhat inconsistently implemented, so most stable providers--the big names we can reasonably expect to continue to exist in five years--have unique-ish APIs for it, or in some cases (like Steam) don't really support OpenID and instead use OAuth with a basic permission to read account details. So currently, you end up needing to support each authentication provider separately, and the identity details they provide are not linked: you cannot programmatically tell that the same "person" operates both a twitter and facebook account, even if they wish to make that information public, without having them log in to both during the same session on your site.

Ideally, users could register themselves with a public key that they provide. Both RSA and ECC are standardized and have robust library support; plus they are already available on every client and server. Digital signature algorithms provide a means for a user to prove that they can access the private key associated with a public key. I know the HTTP spec currently supports client authentication, but I don't remember if it permits the use of unsigned certificates or if this varies by implementation. In this case, because the user is providing their public key at registration, the issuer doesn't need to be verified: we just need to see the same key again plus proof of ownership to authenticate.

Specialized applications, like the DoD's Common Access Card have already deployed this strategy and proven to be very successful, but there are challenges with a widespread deployment for a hardware security token, because people are very good at losing their tokens. For the CAC and other truly sensitive situations, the recovery procedure makes sense: you have to go in person and answer a lot of questions, but for my reddit account there's no need to travel to California if I lose my key or it is stolen. Nonetheless, it'd be nice if some keys could be recovered or replaced, which requires that the keys take advantage of existing public key infrastructure, but without requiring a central authority.

In particular, users should be able to federate their keys: use a master key to sign certificates for secondary keys. Then, authentication can be done by presenting a signed certificate, although no external certificate authorities have been involved: I sign my own secondary key to use on a mobile device, so that the master key for an identity does not need to be risked. Key revocation is more complicated, but a couple of options come to mind. (1) Since we are the masters of our own destiny, signed registration certificates could include a URL to check for related revocation status when the matching key is presented in the future. However, an attacker could disable this singular service to use the stolen key along with its identity chain. (2) Use a distributed revocation network that allows a master key to publish both the creation and (later, if necessary) the recovation of a secondary key. With a blockchain the history of a key is immutably documented, easy to consult by identity consumers, and not controlled by a central authority. There are, however, a lot of technical details to figure out there, and the best solution may be (3) require users to log in with a "more authoritative" key of some kind (for instance in a 3 tiered scheme the intermediate key in between the master and the daily key could be used for this) to discredit a lost/stolen key at affected services, with no networked or third party server checks.

Something like that is pretty far away, but for now, I'd just be happier if most services switched to identity providers rather than storing usernames and passwords. It's easier for end users, increases security, and reduces the damage of data breaches.

Since its release last week, I've been playing quite a bit of Fallout 4. There's an interesting mini-game (which was in previous iterations as well) for "hacking" computer terminals, where you must guess the passcode on a list of possibilities with a limited number of guesses. Each failed guess provides the number of correct letters (in both value and position) in that particular word, but not which letters were correct, allowing you to deduce the correct passcode similarly to the game "Mastermind." A natural question is, "what is the best strategy for identifying the correct passcode?" We'll ignore the possibility of dud removal and guess resets (which exist to simplify it a bit in game) for the analysis.

Reformulating this as a probability question offers a framework to design the best strategy. First, some definitions: $N$ denotes the number of words, $z$ denotes the correct word, and $x_i$ denotes a word on the list (in some consistent order). A simple approach suggests that we want to use the maximum likelihood (ML) estimate of $z$ to choose the next word based on all the words guessed so far and their results:

$\hat{z} = \underset{x_i}{\mathrm{argmax}}~~\mathrm{Pr}(z=x_i)$

However, for the first word, the probability prior is uniform--each word is equally likely. This might seem like the end of the line, so just pick the first word randomly (or always pick the first one on the list, for instance). However, future guesses depend on what this first guess tells us, so we'd be better off with an estimate which maximizes the mutual information between the guess and the unknown password. Using the concept of entropy (which I've discussed briefly before), we can formalize the notion of "mutual information" into a mathematical definition: $I(z, x) = H(z) - H(z|x)$ . In this sense, "information" is what you gain by making an observation, and it is measured by how it affects the possible states for a latent variable to take. For more compact notation, let's define $F_i=f(x_i)$ as the "result" random variable for a particular word, telling us how many letters matched, taking values $\{0,1,...,M\}$ , where $M$ is the length of words in the current puzzle. Then, we can change our selection criteria to pick the maximum mutual information:

$\hat{z} = \underset{x_i}{\mathrm{argmin}}~~H(z|F_i)$

But, we haven't talked about what "conditional entropy" might mean, so it's not yet clear how to calculate $H(z | F_i)$ , apart from it being the entropy after observing $F_i$ 's value. Conditional entropy is distinct from conditional probability in a subtle way: conditional probability is based on a specific observation, such as $F_i=1$ , but conditional entropy is based on all possible observations and reflects how many possible system configurations there are after making an observation, regardless of what its value is. It's a sum of the resulting entropy after each possible observation, weighted by the probability of that observation happening:

$H(Z | X) = \sum_{x\in X} p(x)H(Z | X = x)$

As an example, let's consider a puzzle with $M=5$ and $N=10$ . We know that $\forall x_i,\mathrm{Pr}(F_i=5)=p_{F_i}(5)=0.1$ . If we define the similarity function $L(x_i, x_j)$ to be the number of letters that match in place and value for two words, and we define the group of sets $S^{k}_{i}=\{x_j:L(x_i,x_j)=k\}$ as the candidate sets, then we can find the probability distribution for $F_i$ by counting,

$p_{F_i}(k)=\frac{\vert{S^k_i}\vert}{N}$

As a sanity check, we know that $\vert{S^5_i}\vert=1$ because there are no duplicates, and therefore this equation matches our intuition for the probability of each word being an exact match. With the definition of $p_{F_i}(k)$ in hand, all that remains is finding $H(z | F_i=k)$ , but luckily our definition for $S^k_i$ has already solved this problem! If $F_i=k$ , then we know that the true solution is uniformly distributed in $S^k_i$ , so

$H(z | F_i=k) = \log_2\vert{S^k_i}\vert$

Finding the best guess is as simple as enumerating $S^k_i$ and then finding the $x_i$ which produces the minimum conditional entropy. For subsequent guesses, we simply augment the definition for the candidate sets by further stipulating that set members $x_j$ must also be in the observed set for all previous iterations. This is equivalent to taking the set intersection, but the notation gets even messier than we have so far, so I won't list all the details here.

All that said, this is more of an interesting theoretical observation than a practical one. Counting all of the sets by hand generally takes longer than a simpler strategy, so it is not well suited for human use (I believe it is $O(n^2)$ operations for each guess), although a computer can do it effectively. Personally, I just go through and find all the emoticons to remove duds and then find a word that has one or two overlaps with others for my first guess, and the field narrows down very quickly.

Beyond its appearance in a Fallout 4 mini-game, the concept of "maximum mutual information" estimation has broad scientific applications. The most notable in my mind is in machine learning, where MMI is used for training classifiers, in particular, Hidden Markov Models (HMMs) such as those used in speech recognition. Given reasonable probability distributions, MMI estimates are able to handle situations where ML estimates appear ambiguous, and as such they are able to be used for "discriminative training." Typically, an HMM training algorithm would receive labeled examples of each case and learn their statistics only. However, a discriminative trainer can also consider the labeled examples of other cases in order to improve classification when categories are very similar but semantically distinct.

One of the benefits of an object oriented programming language is that functionality can be built into the object hierarchy in layers, deferring some details to a descendant while providing common functionality in a base class and avoiding repetition. However, when a group of classes all need to implement nearly the same method but with minor, class specific differences (more than just a constant), a curious anti-pattern tends to arise. In this situation, the base class implementation contains different behaviors based on the type identification of the true object even though we desire to push those implementations to the descendants.

In the Star Wars Combine's (SWC) codebase there are several examples of this, but today we'll use one from the actions system to illustrate the point. In this game, there are many different forms of travel, each of which works mostly the same way. Each works in steps, where the system establishes a deadline for the next travel update and then changes an entity's position after it expires. There are also common behaviors that need to be included, such as awarding experience points and sending events when travel expires.

The core functionality is captured in the abstract class StepTravelAction, which defines several key methods:

abstract class StepTravelAction extends BaseAction {

    public function setup(Entity $leader, $x, $y) {
        // ...
    }

    public function timerInterrupt(TimerInterrupt $payload) {
        // ...
    }

    public function abort() {
        // ...
    }

    public function finishTravelling($reason = null) {
        $leader = $this->leader;
        $travelType = $this->getTravelType();
        $party = $this->getParty();

        XPUtil::giveTravelXP($this->leader, $party, $this->XP, 'Finished ' . $this->getEventText());
        RewardUtil::testUniqueRewards($this->leader, enumRewardType::GROUND_TRAVEL);

        foreach ($this->getParty() as $member) {
            $member->travelID = null;
        }
        EntityLocationUtil::saveEntityLocation($leader);

        $this->delete();

        if ($reason == null) {
            $reason = TravelEndInterrupt::FINISH_NORMAL;
        }

        InterruptUtil::fire($leader, new TravelEndInterrupt($leader, $travelType, $reason));
    }

    abstract public function setupTravel();
    abstract public function applyStep(Entity $leader, Point $next);
    abstract public function getTravelType();
    // ...

}

Although the function bodies for some functions have been removed in the interest of space, we can see the core functionality, like aborting or finishing travel, is handled here in the base class. The concrete, travel type-specific details of things, like updating the entity's position, are farmed out to the derived classes.

However, at some point, it was decided that ground travel was awarding too much experience and could be abused by players (mostly to power level NPCs who can be set to patrol a location indefinitely, which takes months otherwise). Experience is awarded inside finishTravelling() as we can see, which is "common" to all of the travel action classes. At this point, there are several options for modifying the implementation, and the "simplest" in a language with dynamic type identification produces a design antipattern.

To reduce the XP awarded in ground travel only, an earlier programmer elected to add three lines to StepTravelAction::finishTravelling(), quickly resolving the issue:

    public function finishTravelling($reason = null) {
        // ...

        if ($this instanceof GroundTravelAction) {
            this->XP / 5);
        }

        // ...
    }

This ignores the benefits of object inheritance, produces less elegant code, and reduces the sustainability of the code in the future. Behavior specific to GroundTravelAction is now no longer contained within GroundTravelAction itself, so if we wanted to further modify the XP for this case, a lot of code walking would be needed to figure out where to do it. If multiple such exceptions are added, you might as well not have support for polymorphism at all and do everything in a single struct that stores type IDs and uses switch statements, taking us back to the early 80s. Exceptions like this were added to several other methods (abort(), etc.) for the same change as well.

The correct approach here is to refactor this method into three different components:

a concrete version of finishTravelling that follows the original implementation
a virtual method implemented in StepTravelAction that simply forwards to the concrete implementation
a virtual method in the descending class that layers additional functionality (such as changing the XP to be awarded) and then calls the concrete version from its parent

We need all three components because the default implementation is correct in most cases, so it should be available as the default behavior, but when we want to modify it we still need to have the original version available to avoid copying and pasting it into the derived class. I think it might be even worse if someone were to simply use a virtual method and copy it entirely into the derived class in order to add three lines.

For completeness, a preferable implementation would look like this and preserve the same behavior for all other derived classes:

abstract class StepTravelAction extends BaseAction {

    protected function _finishTravelling($reason = null) {
        $leader = $this->leader;
        $travelType = $this->getTravelType();
        $party = $this->getParty();

        XPUtil::giveTravelXP($this->leader, $party, $this->XP, 'Finished ' . $this->getEventText());
        RewardUtil::testUniqueRewards($this->leader, enumRewardType::GROUND_TRAVEL);

        foreach ($this->getParty() as $member) {
            $member->travelID = null;
        }
        EntityLocationUtil::saveEntityLocation($leader);

        $this->delete();

        if ($reason == null) {
            $reason = TravelEndInterrupt::FINISH_NORMAL;
        }

        InterruptUtil::fire($leader, new TravelEndInterrupt($leader, $travelType, $reason));
    }

    public function finishTravelling($reason = null) {
        $this->_finishTravelling($reason);
    }

}

class GroundTravelAction extends StepTravelAction {

    public function finishTravelling($reason = null) {
        $this->XP = ceil($this->XP / 5);
        $this->_finishTravelling($reason);
    }

}

The reason I want to highlight this is that the problem arose despite the developer having a familiarity with inheritance and deferring implementation details to derived classes where meaningful. There are abstract methods here and they are used to plug into common functionality implemented within StepTravelAction, but while targeting a change in behavior it is easy to lose sight of the overall design and simply insert a change where the implementation is visible. This kind of polymorphism antipattern is one of the most common implementation issues in SWC, likely due to the availability of the instanceof operator in PHP. In C++ it is a lot harder to do this (although RTTI does exist, I never use it), and people are often forced to learn the correct approach as a result.

Everything that happens in the world can be described in some way. Our descriptions range from informal and causal to precise and scientific, yet ultimately they all share one underlying characteristic: they carry an abstract idea known as "information" about what is being described. In building complex systems, whether out of people or machines, information sharing is central for building cooperative solutions. However, in any system, the rate at which information can be shared is limited. For example, on Twitter, you're limited to 140 characters per message. With 802.11g you're limited to 54 Mbps in ideal conditions. In mobile devices, the constraints go even further: transmitting data on the network requires some of our limited bandwidth and some of our limited energy from the battery.

Obviously this means that we want to transmit our information as efficiently as possible, or, in other words, we want to transmit a representation of the information that consumes the smallest amount of resources, such that the recipient can convert this representation back into a useful or meaningful form without losing any of the information. Luckily, the problem has been studied pretty extensively over the past 60-70 years and the solution is well known.

First, it's important to realize that compression only matters if we don't know exactly what we're sending or receiving beforehand. If I knew exactly what was going to be broadcast on the news, I wouldn't need to watch it to find out what happened around the world today, so nothing would need to be transmitted in the first place. This means that in some sense, information is a property of things we don't know or can't predict fully, and it represents the portion that is unknown. In order to quantify it, we're going to need some math.

Let's say I want to tell you what color my car is, in a world where there are only four colors: red, blue, yellow, and green. I could send you the color as an English word with one byte per letter, which would require 3, 4, 5, or 6 bytes, or we could be cleverer about it. Using a pre-arranged scheme for all situations where colors need to be shared, we agree on the convention that the binary values 00, 01, 10, and 11 map to our four possible colors. Suddenly, I can use only two bits (0.25 bytes, far more efficient) to tell you what color my car is, a huge improvement. Generalizing, this suggests that for any set $\chi$ of abstract symbols (colors, names, numbers, whatever), by assigning each a unique binary value, we can transmit a description of some value from the set using $\log_2(|\chi|)$ bits on average, if we have a pre-shared mapping. As long as we use the mapping multiple times it amortizes the initial cost of sharing the mapping, so we're going to ignore it from here out. It's also worthwhile to keep this limit in mind as a max threshold for "reasonable;" we could easily create an encoding that is worse than this, which means that we've failed quite spectacularly at our job.

But, if there are additional constraints on which symbols appear, we should probably be able to do better. Consider the extreme situation where 95% of cars produced are red, 3% blue, and only 1% each for yellow and green. If I needed to transmit color descriptions for my factory's production of 10,000 vehicles, using the earlier scheme I'd need exactly 20,000 bits to do so by stringing together all of the colors in a single sequence. But, given that by the law of large numbers, I can expect roughly 9,500 cars to be red, so what if I use a different code, where red is assigned the bit string 0, blue is assigned 10, yellow is assigned 110, and green 111? Even though the representation for two of the colors is a bit longer in this scheme, the total average encoding length for a lot of 10,000 cars decreases to 10,700 bits (1*9500 + 2*300 + 3*100 + 3*100), almost an improvement of 50%! This suggests that the probabilities for each symbol should impact the compression mapping, because if some symbols are more common than others, we can make them shorter in exchange for making less common symbols longer and expect the average length of a message made from many symbols to decrease.

So, with that in mind, the next logical question is, how well can we do by adapting our compression scheme to the probability distribution for our set of symbols? And how do we find the mapping that achieves this best amount of compression? Consider a sequence of $n$ independent, identically distributed symbols taken from some source with known probability mass function $p(X=x)$ , with $S$ total symbols for which the PMF is nonzero. If $n_i$ is the number of times that the $i$ th symbol in the alphabet appears in the sequence, then by the law of large numbers we know that for large $n$ it converges almost surely to a specific value: $\Pr(n_i=np_i)\xrightarrow{n\to \infty}1$ .

In order to obtain an estimate of the best possible compression rate, we will use the threshold for reasonable compression identified earlier: it should, on average, take no more than approximately $\log_2(|\chi|)$ bits to represent a value from a set $\chi$ , so by finding the number of possible sequences, we can bound how many bits it would take to describe them. A further consequence of the law of large numbers is that because $Pr(n_i=np_i)\xrightarrow{n\to \infty}1$ we also have $Pr(n_i\neq np_i)\xrightarrow{n\to \infty}0$ . This means that we can expect the set of possible sequences to contain only the possible permutations of a sequence containing $n_i$ realizations of each symbol. The probability of a specific sequence $X^n=x_1 x_2 \ldots x_{n-1} x_n$ can be expanded using the independence of each position and simplified by grouping like symbols in the resulting product:

$P(x^n)=\prod_{k=1}^{n}p(x_k)=\prod_{i=1}^{S} p_i^{n_i}=\prod_{i=1}^{S} p_i^{np_i}$

We still need to find the size of the set $\chi$ in order to find out how many bits we need. However, the probability we found above doesn't depend on the specific permutation, so it is the same for every element of the set and thus the distribution of sequences within the set is uniform. For a uniform distribution over a set of size $|\chi|$ , the probability of a specific element is $\frac{1}{|\chi|}$ , so we can substitute the above probability for any element and expand in order to find out how many bits we need for a string of length $n$ :

$B(n)=-\log_2(\prod_{i=1}^Sp_i^{np_i})=-n\sum_{i=1}^Sp_i\log_2(p_i)$

Frequently, we're concerned with the number of bits required per symbol in the source sequence, so we divide $B(n)$ by $n$ to find $H(X)$ , a quantity known as the entropy of the source $X$ , which has PMF $P(X=x_i)=p_i$ :

$H(X) = -\sum_{i=1}^Sp_i\log_2(p_i)$

The entropy, $H(X)$ , is important because it establishes the lower bound on the number of bits that is required, on average, to accurately represent a symbol taken from the corresponding source $X$ when encoding a large number of symbols. $H(X)$ is non-negative, but it is not restricted to integers only; however, achieving less than one bit per symbol requires multiple neighboring symbols to be combined and encoded in groups, similarly to the method used above to obtain the expected bit rate. Unfortunately, that process cannot be used in practice for compression, because it requires enumerating an exponential number of strings (as a function of a variable tending towards infinity) in order to assign each sequence to a bit representation. Luckily, two very common, practical methods exist, Huffman Coding and Arithmetic Coding, that are guaranteed to achieve optimal performance.

For the car example mentioned earlier, the entropy works out to about 0.35 bits, which means there is significant room for improvement over the symbol-wise mapping I suggested, which only achieved a rate of 1.07 bits per symbol, but it would require grouping multiple car colors into a compound symbol, which quickly becomes tedious when working by hand. It is kind of amazing that using only ~3,500 bits, we could communicate the car colors that naively required 246,400 bits (=30,800 bytes) by encoding each letter of the English word with a single byte.

$H(X)$ also has other applications, including gambling, investing, lossy compression, communications systems, and signal processing, where it is generally used to establish the bounds for best- or worst-case performance. If you're interested in a more rigorous definition of entropy and a more formal derivation of the bounds on lossless compression, plus some applications, I'd recommend reading Claude Shannon's original paper on the subject, which effectively created the field of information theory.

Older posts