Development system and methods with direct compiler support for detecting invalid use and management of resources and memory at runtime

Abstract

A development system having a compiler, a linker, and an interface for detecting invalid use of resource is generated. When the system is (optionally) operating in a "code guarded" mode, the linker links the object modules with a CodeGuard.RTM. Library to generate "code guarded" program(s). The API (Application Programming Interface) calls to the runtime libraries are "wrappered" by CodeGuard wrapper functions. Additionally in this mode, operation of the compiler is altered to insert calls from the user code (e.g., compiled code in object modules) to the CodeGuard Runtime Library, for checking runtime use of resources and memory. As a result, the system can identify a programming error at the location where it occurs that is, at the original line of code which gave rise to the problem in the first place. Errors are found immediately as they happen, so that the original offending site can be determined. In this manner, the task of creating computer programs is simplified.

Claims

What is claimed is:

1. In a development system for compiling source listings into a compiled program for execution on a computer, said source listings declaring variables for storing values during execution of the program, a method for detecting memory-access errors occurring during runtime use of the variables, the method comprising:

for each variable declared in the source listing whose storage is allocated at compile time, allocating at compile time an amount of storage space in the compiled program based on a data type for the variable;

as space is allocated in the compiled program for each variable at compile time, allocating at compile time an additional amount of storage for padding each of said variables;

maintaining information about validly allocated storage space, said information indicating storage space allocated for each of said variables;

during runtime execution of the compiled program, determining whether an attempt is mae by the compiled program, during operations involving the variables, to access memory which has not been allocated for the variables; and

if such an attempt is made, indicating a memory-access error.

2. The method of claim 1, wherein said variables comprise local and global variables.

3. The method of claim 1, wherein said variables comprise function arguments, with functions being invoked with a calling convention which permits padding of function arguments.

4. The method of claim 1, wherein padding for each variable comprises a machine addressable unit.

5. The method of claim 4, wherein said machine addressable unit comprises a byte.

6. The method of claim 5, wherein said compiled program comprises compiled machine code.

7. The method of claim 1, wherein padding is allocated so that no two variables reside at contiguous locations in memory.

8. The method of claim 1, wherein said variables comprise variables of simple data types.

9. The method of claim 8, wherein said simple data types include an integer data type.

10. The method of claim 1, wherein said variables include array variables.

11. The method of claim 1, wherein said determining step includes determining for each operation involving said variables, a location and size of memory accessed for each such operation.

12. The method of claim 1, wherein said allocating an additional amount step is performed by a compiler which compiles said source listings into the compiled program.

13. The method of claim 1, wherein said information about valid storage space comprises a descriptor for each variable, for characterizing storage associated with the variable.

14. The method of claim 1, further comprising:

maintaining information about valid storage space allocated during runtime execution of the program.

15. The method of claim 14, wherein said maintaining information about valid storage space allocated dynamically is provided without direct compiler support by a runtime library.

Description

COPYRIGHT NOTICE

A portion of the disclosure of this patent document contains material which is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure as it appears in the Patent and Trademark Office patent file or records, but otherwise reserves all copyright rights whatsoever.

BACKGROUND OF THE INVENTION

The present invention relates generally to system and methods for increasing reliability of software programs. More particularly, the present invention relates to a development system and methods for runtime detection of resource and memory errors occurring in software programs operative on digital computers.

Before a digital computer may accomplish a desired task, it must receive an appropriate set of instructions. Executed by the computer's microprocessor, these instructions, collectively referred to as a "computer program," direct the operation of the computer. Expectedly, the computer must understand the instructions which it receives before it may undertake the specified activity.

Owing to their digital nature, computers essentially only understand "machine code," i.e., the low-level, minute instructions for performing specific tasks--the sequence of ones and zeros that are interpreted as specific instructions by the computer's microprocessor. Since machine language or machine code is the only language computers actually understand, all other programming languages represent ways of structuring human language so that humans can get computers to perform specific tasks.

While it is possible for humans to compose meaningful programs in machine code, practically all software development today employs one or more of the available programming languages. The most widely used programming languages are the "high-level" languages, such as C or Pascal. These languages allow data structure and algorithms to be expressed in a style of writing which is easily read and understood by fellow programmers.

A program called a "compiler" translates these instructions into the requisite machine language. In the context of this translation, the program written in the high-level language is called the "source code" or source program. The ultimate output of the compiler is an "object module," which includes instructions for execution by a target processor. Although an object module includes code for instructing the operation of a computer, the object module itself is not in a form which may be directly executed by a computer. Instead, it must undergo a "linking" operation before the final executable program is created.

Linking may be thought of as the general process of combining or linking together one or more compiled object modules to create an executable program. This task usually falls to a program called a "linker." In typical operation, a linker receives, either from the user or from an integrated compiler, a list of object modules desired to be included in the link operation. The linker scans the object modules from the object and library files specified. After resolving interconnecting references as needed, the linker constructs an executable image by organizing the object code from the modules of the program in a format understood by the operating system program loader. The end result of linking is executable code (typically an .exe file) which, after testing and quality assurance, is passed to the user with appropriate installation and usage instructions.

Since computer programs are created from source code which a user supplies, the source code is an inherent source of errors. During the course of software development, therefore, substantial development resources are allocated today to the process of finding "bugs" in the software. As used herein, "bugs" refer to errors occurring in the program being developed. Bugs, for example, can be anything from taking an unexpected path in the logical flow to inadvertently writing to a wrong memory location. Expectedly, there is keen interest in finding ways to improve the "debugging" of software.

A program called a "debugger" is often employed for finding and eliminating errors in software programs. A debugger should provide certain basic services to assist programmers in finding and correcting errors in software programs. These services include breakpointing, stepping and stopping a debuggee. Other services may include inspecting and changing data in memory, symbolic debugging, source level debugging, and setting breakpoints with expression evaluation. The general topic of debuggers is well covered by the technical, trade, and patent literature. For a detailed introduction to the topic, the reader may consult Swan, T., Mastering Turbo Debugger, Hayden Books, 1990. Additional treatment of the topic may be found in Intel Corporation's 80386 Programmer's Reference Manual, Intel Corp., Santa Clara, Calif., 1986. The disclosures of the foregoing are hereby incorporated by reference.

Although debuggers are good for examining particular locations of program code for errors, whole classes of programming exist for which the "location" of the error is not easily discerned. Examples of these types of problems include memory overruns, incorrectly type-casted C.sup.++ objects, memory allocation/de-allocation errors, heap correction, and use of uninitialized data. In addition to general memory problems, similar problems occur with other resources, such as file handles, window handles, windows GDI (graphic device independent) objects, and other objects which must be freed after use. Stated generally, these comprise errors or bugs which lead to memory corruption and "resource leaks."

Prior art attempts at addressing these types of errors have focused largely on diagnosing "the problem" after the damage has occurred. In Microsoft Windows, for instance, built-in support exists for detecting an attempt to access an in valid region of memory--de-referencing a "bad pointer." The mechanism is a post-problem tool, with results that are far from perfect. De-referencing a bad pointer in a program may or may not trigger the built-in protection mechanism, depending on whether the memory being accessed belongs to the application (despite the fact that the attempted access is not what is desired). All told, there exists a variety of problems which result from user errors in the source code, which are not detected at compile time and which are difficult to diagnose with available debuggers.

A rudimentary approach to preventing memory errors is to write a wrapper function around the memory allocation function, malloc. This fairly well known technique is described, for instance, in Writing Solid Code, by Steve McGuire (Microsoft Press). Typically, the malloc routine is rewritten to include an ASSERT (macro) call, for validating the parameter passed to the call. The approach does not allow one to track the error down to the level where the corruption really occurred--what the programmer really wants. Thus, the foregoing approach does not give the information which is really desired (i.e., exactly where the corruption occurred). It also requires the programmer to maintain additional code (i.e., the programmer's own wrapper code) outside of the standard library and that he or she really understand the wrapper's interaction with the library.

SUMMARY OF THE INVENTION

A development system of the present invention includes a compiler, a linker, and an interface. Through the interface, the developer user supplies source modules to the compiler. From the source code or listings and headers/includes files, the compiler "compiles" or generates object module(s). In turn, the linker "links" or combines the object modules with runtime libraries (e.g., Standard C runtime library functions) to generate program(s), which may be executed by a target processor. The runtime libraries include previously-compiled standard routines, such as graphics, I/O routines, startup code, math libraries and the like.

When the system is (optionally) operating in a "code guarded" mode, the linker links the object modules with a CodeGuard.RTM. Library of the present invention to generate "code guarded" program(s). Specifically, the API (Application Programming Interface) calls to the runtime libraries are "wrappered" by CodeGuard wrapper functions. Appropriate CodeGuard header files and CodeGuard Import Library are provided for permitting linking to the CodeGuard wrapper functions. Additionally in this mode, operation of the compiler is altered to insert calls from the user code (e.g., compiled user code in object modules) to the CodeGuard Runtime Library, for checking runtime use of resources and memory. In a preferred embodiment, the CodeGuard Runtime itself is typically provided as a dynamically-linked library (i.e., "DLL"). The approach adopted by the present invention is to identify a programming error at the location where it occurs--that is, at the original line of code which gave rise to the problem in the first place. Errors are found immediately as they happen, so that the original site can be determined.

In a preferred embodiment, the CodeGuard Library in the system of the present invention provides for rigorous validation of memory and resource operations. The library is employed at runtime for runtime validation, as well as at compile time, so that the compiler can validate the object which it is working on. As a result, in a preferred embodiment, the development environment is modified at two locations providing the support, at the runtime libraries and at the compiler.

Of particular interest to the present invention are all program objects which "allocate" resources and "free" resources, as well as objects which use those resources. As a result, use of the runtime libraries is of particular interest, since the vast majority of functions (e.g., standard C functions) allocate resources, free resources, and/or use those resources. Functions which copy strings are typical in this regard. For instance, the standard string runtime library functions (e.g., string Standard C library) process strings which are "resources." The system observes these types of operations, for checking for validity.

A particular category of direct compiler operations exist for which the only way to feasibly catch an error is at the compiler--that is, the compiler must be taught how to catch the error. This category of problems, which includes direct assignments (e.g., direct assignments of pointers or of data, requires some access to the underlying source code, before underlying symbol information is discarded. In the present invention, this is addressed by setting up data descriptors which describe or characterize the data as the compiler is emitting the compiled program or the runtime library describes as it is allocating it. When the compiler wants to perform a particular operation on a piece of data, it calls a check routine to verify that the operation is valid for that piece of data. In a preferred embodiment, this is done by storing a database of the data descriptors, from which the compiler can determine legal operations for the individual data members. Instead of losing valuable information when going from source code to compiled program, therefore, the compiler stores the valuable information in the descriptor database so that it may be employed for locating errors in program code.

Additionally, in the system of the present invention, the "life" of data is tracked in the system, including where the data was allocated and where the data was freed--the particular sequence of calls which led to the current state of the data. For instance, if a programmer attempts to "free" (i.e., de-allocate) a memory block twice, the system can indicate exactly where the block was allocated and where the block was freed, in the source code. This greatly simplifies the task of the programmer in tracking down and eliminating the source of the error.

For objects which can be allocated and freed (e.g., file handles, window resources, memory blocks, and the like), the system tracks allocation/de-allocation in an allocation database. When an object is first allocated, the system creates a record for the database, indicating that the object has been allocated. When the object is freed by the programmer, the system of the present invention, instead of returning the object back to the operating system and forgetting about it, keeps a record of the freed object. Upon the next attempt to use the object (e.g., as an argument to a function or another attempt to free the object), the system of the present invention looks up the object to see whether it has been previously freed and, thus, whether the currently-requested operation is illegal. When the object is freed and placed in the database of freed (i.e., illegal) objects, the system of the present invention records exactly where (i.e., in the source code) the object was freed, together with the call sequence which led to the object being freed. Upon encountering an attempted illegal use at runtime, the system of the present invention can dump a log indicating the exact source of the error, or, if the user is executing the program within the Integrated Development Environment, display the offending line of source code which gave rise to the error.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1A is a block diagram of a computer system in which the present invention may be embodied.

FIG. 1B is a block diagram of a computer system for programming and controlling the operation of the computer system of FIG. 1A.

FIG. 2 is a block diagram of a development system of the present invention, which includes a compiler, a linker, and an interface.

FIG. 3A is a diagram illustrating memory allocated for two arrays.

FIG. 3B is a block diagram illustrating "padding" bytes which are employed between variables, by the compiler in the system of the present invention.

FIG. 4 is a diagram indicating use of a mnemonic as a procedure check.

FIG. 5 illustrates a parse tree for an assignment statement.

FIG. 6 illustrates a parse tree for an assignment to a variable (which is then used without change).

FIG. 7A is a diagram of a parse tree for a statement which indexes through an array.

FIG. 7B is a block diagram which illustrates that checking for a node (of a parse tree) is deferred until a particular address of interest (i.e., field member within a structure) is resolved.

FIG. 8 is a diagram of a parse tree for a statement which illustrates checking access for the assignment between two elements of an array.

FIG. 9 is a diagram of a parse tree for a statement which illustrates that the system will, at times, check for an "access" to an address, and at other times check for the address itself (i.e., without access).

FIG. 10 is a diagram of a parse tree which illustrates the general processing of an index node.

FIG. 11 is a diagram of a parse tree which illustrates treatment for a pointer which points to an array.

FIGS. 12A-B are diagrams illustrating use of flags when processing parse trees,

FIG. 13 is a diagram of a parse tree, illustrating processing of a field node, by a method of the present invention.

FIG. 14 is a diagram of a parse tree, illustrating processing of a de-reference node, by a method of the present invention.

DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT

General Architecture

A. System Hardware

The present invention may be embodied on a computer system such as the system 100 of FIG. 1A, which includes a central processor 101, a main memory 102, an input/output controller 103, a keyboard 104, a pointing device 105 (e.g., mouse, track ball, pen device, or the like), a display device 106, and a mass storage 107 (e.g., removable disk, fixed disk, optical disk, and the like). Additional input/output devices, such as a printing device 108, may be provided with the system 100 as desired. As shown, the various components of the system 100 communicate through a system bus 110 or similar architecture.

B. System Software

The following description will focus on a preferred embodiment of the present invention (and certain alternatives) operative in an event-driven system, such as the Microsoft.RTM. Windows environment. The present invention, however, is not limited to any particular application or any particular environment. Instead, those skilled in the art will find that the system and methods of the present invention may be advantageously applied to a variety of platforms and environments, whether command-line or GUI based, including MS-DOS, Macintosh, UNIX, NextStep, and the like. Therefore, the description of the exemplary embodiments which follows is for purposes of illustration and not limitation.

Illustrated in FIG. 1B, a computer software system 150 is provided for programming the operation of the computer system 100. Software system 150, which is stored in system memory 102 and/or on disk memory 107, includes a kernel or operating system (OS) 160 and a windows shell or interface 180. One or more application programs, such as application programs 170 or windows applications programs 190, may be "loaded" (i.e., transferred from storage 107 into memory 102) for execution by the system 100. OS 160 and shell 180, as well as application software 170, 190 include an interface for receiving user commands and data and displaying results and other useful information. Software system 150 also includes a development system 200 of the present invention for developing system and application programs. As shown, the development system 200 includes components which interface with the system 100 through windows shell 180, as well as components which interface directly through OS 160.

In a preferred embodiment, the system 100 includes an IBM-compatible personal computer, available from a variety of vendors (including IBM of Armonk, N.Y.). Operating system 160 is MS-DOS and shell 180 is Microsoft.RTM. Windows, both of which are available from Microsoft Corporation of Redmond, Wash. Alternatively, the system 100 may be implemented in other platforms, including Macintosh, UNIX, and the like. Development systems 200 include Borland.RTM.0 C.sup.++, available from Borland International of Scotts Valley, Calif. Application software 170, 190, on the other hand, can be any one of a variety of application software, including word processing, database, spreadsheet, text editors, and the like.

C. Development System

Shown in further detail in FIG. 2, the development system 200 of the present invention includes a compiler 220, a linker 250, and an interface 210. Through the interface, the developer user supplies source modules 120 to the compiler 200. Interface 210 includes both command-line driven 213 and Integrated Development Environment (IDE) 211 interfaces, the former accepting user commands through command-line parameters, the latter providing menuing equivalents thereof. From the source code or listings 120 and headers/includes files 230, the compiler 220 "compiles" or generates object module(s) 130. In turn, linker 250 "links" or combines the object modules 130 with runtime libraries 260 (e.g., Standard C runtime library functions) to generate program(s) 140, which may be executed by a target processor (e.g., processor 101 of FIG. 1A). The runtime libraries 260 include previously-compiled standard routines, such as graphics, I/O routines, startup code, math libraries and the like. A description of the general operation of development system 200 is provided with Borland.RTM. C.sup.++, available directly from Borland International. Additional description is provided in commonly-owned U.S. Pat. No. 5,481,708, issued Jan. 2, 1996. Further description of the linker is provided in commonly-owned U.S. Pat. No. 5,408,665, issued Apr. 18, 1995. The disclosures of each of the foregoing are hereby incorporated by reference.

When the system is (optionally) operating in a "code guarded" mode, the linker 250 links the object modules 130 with CodeGuard.RTM. Library 265 to generate "code guarded" program(s) 140. Specifically, the API (Application Programming Interface) calls to the runtime libraries are "wrappered" by CodeGuard wrapper functions. Appropriate CodeGuard header files and CodeGuard Import Library are provided for permitting linking to the CodeGuard wrapper functions. Additionally in this mode, operation of the compiler 220 is altered to insert calls from the user code (e.g., compiled user code in object modules 130) to the CodeGuard Runtime Library 147, for checking runtime use of resources and memory. In a preferred embodiment, the CodeGuard Runtime itself is typically provided as a dynamically-linked library (i.e., "DLL"). Construction and operation of CodeGuard.RTM. Library, as well as modification of the compiler 220 for providing direct CodeGuard support, will now be described in further detail.

Runtime Detection of Memory and Resource Errors

A. Introduction

Today, most commercial development is done in the C programming language. From its inception, the C programming language is a "loose" language. Specifically, it is a language which does not perform much checking and, in fact, is designed to do minimal checking. Although this aspect of C is a significant advantage to many developers (e.g., it does not burden developers with a lot of error checking), this "looseness" of C leads to a whole class of problems. In the Pascal environment, in contrast, runtime range checking (e.g., of arrays) is provided. Additionally, in Pascal, string comparisons are compiler generated; they are not generic string comparison routines, such as found in C. Despite the problems created by the laxness of C, it remains the programming language of choice for professional developers.

The present invention recognizes that it is far easier for a programmer to deal with an error if it is caught at the location where it occurs--that is, at the original line of code which gave rise to the problem in the first place. A principal design consideration in the system of the present invention, therefore, is that errors are found immediately as they happen, so that the original offending site can be determined. Compilers are generally good at catching all types of programmer errors. There remains a class of problems, however, that cannot be caught at compile time. These are errors which are syntactically correct yet, at runtime, lead to an error in program execution.

B. General Design

In a preferred embodiment, the CodeGuard Library in the system of the present invention provides for rigorous validation of memory and resource operations. The library is employed at runtime for runtime validation, as well as at compile time, so that the compiler can validate the object which it is working on. As a result, in a preferred embodiment, the development environment is modified at two locations providing the support, as the runtime libraries and at the compiler.

Of particular interest to the present invention are all program objects which "allocate" resources and "free" resources, as well as objects which use those resources. As a result, use of the runtime libraries is of particular interest, since the vast majority of functions (e.g., standard C functions) allocate resources, free resources, and/or use those resources. Functions which copy strings are typical in this regard. For instance, the standard string runtime library functions (i.e., string Standard C library) process strings which are "resources." Consider, for example, the operation of copying one string (i.e., some number of characters) into a particular (destination) string, using a standard library string copy function. First, the string is allocated; this is monitored by the system. Next, information (e.g., another string) is copied into the string. Again, the system observes this operation, making sure that too much is not copied into the string and that the specified candidates (i.e., source and destination) are valid in the first place.

A particular category of direct compiler operations exist for which the only way to feasibly catch an error is at the compiler--that is, the compiler must be taught how to catch the error. This category of problems includes direct assignments, such as direct assignments of pointers or of data. This type of problem requires some access to the underlying source code, before underlying symbol information is discarded. Once a program has been emitted as machine code, there is simply no way to catch these types of problems

In the present invention, this is addressed by setting up data descriptors which describe or characterize the data as the compiler is emitting the compiled program or the runtime library describes as it is allocating it. When the compiler wants to perform a particular operation of a piece of data, it calls a check routine to verify that the operation is valid for that piece of data. In a preferred embodiment, this is done by storing a database of the data descriptors, from which the compiler can determine legal operations for the individual data members. Instead of losing valuable information when going from source code to compiled program, therefore, the compiler stores the valuable information in the descriptor database so that it may be employed for locating errors in program code.

Oftentimes when dealing with data, one can detect that data is "bad," for instance, when a bad pointer is passed to a string function in the accompanying runtime library. What the developer really wants to know is not that the data is bad but, instead, exactly "where" this data arose which went bad. In the system of the present invention, therefore, the "life" of data is tracked in the system, including where the data was allocated and where the data was freed--the particular sequence of calls which led to the current state of the data. For instance, if a programmer attempts to "free" (i.e., de-allocate) a memory block twice, the system can indicate exactly where the block was allocated and where the block was freed, in the source code. This greatly simplifies the task of the programmer in tracking down and eliminating the source of the error.

For objects which can be allocated and freed (e.g., file handles, window resources, memory blocks, and the like), the system tracks allocation/de-allocation in an allocation database. When an object is first allocated, the system creates a record for the database, indicating that the object has been allocated. When the object is freed by the programmer, the system of the present invention, instead of returning the object back to the operating system and forgetting about it, keeps a record of the freed object. Upon the next attempt to use the object (e.g., as an argument to a function or another attempt to free the object), the system of the present invention looks up the object to see whether it has been previously freed and, thus, whether the currently-requested operation is illegal. When the object is freed and placed in the database of freed (i.e., illegal) objects, the system of the present invention records exactly where (i.e., in the source code) the object was freed, together with the call sequence which led to the object being freed. Upon encountering an attempted illegal use at runtime, the system of the present invention can dump a log indicating the exact source of the error, or, if the user is executing the program within the Integrated Development Environment (211), display the offending line of source code which gave rise to the error.

A particular problem which arises when freeing a memory block is the use of pointers which themselves may remain valid. Consider a block of memory storing pointers which is freed. The pointers themselves (i.e., memory addresses which are stored thereat) may or may not continue to be valid. Nevertheless, the memory block in which they are stored is clearly no longer valid. This gives rise to a particularly difficult problem in that an application program continues operation, apparently without error. At some point in time, however, the freed memory block is eventually overwritten with other data, thus displacing the previously-stored pointers (which the application continued to use from an inappropriate memory block). The problem is particularly implementation-dependent. A program which appears to be operating normally may, after a change to its memory allocator, now exhibit runtime errors. This results because, in this example, there is a change in how the memory block is freed; for example, it may now be overwritten with other data upon freeing.

One approach to avoiding the problem is to have the application overwrite the block before it actually frees the block back to the operating system, for example, by implementing a de-allocator "wrapper" function on top of the existing de-allocator. Such an approach is described in Writing Solid Code, Microsoft Press; the disclosure of which is hereby incorporated by reference. In the system of the present invention, this approach is taken further, however. In particular, the system includes a method which generates an incrementally unique code (e.g., 4-byte code) for overriding the memory block. By placing a unique value at each location, the system of the present invention is able to determine exactly where (in memory) the error occurred. The actual data chosen for overriding the memory block is selected such that the data yields bad pointers for the particular platform (which is targeted by the application). The codes are, from block to block, unique, so that the system can discern the location of the error among multiple old memory blocks. In operation, the system can catch not only instances where a bad pointer is employed but also indicate where in memory the bad pointer originated from. Still further, since the system keeps a database of freed objects, the system can indicate to the user the exact line of code where the block of memory was freed which had stored the errant pointer.

In a corresponding manner, when memory is allocated, the system fills the just-allocated memory with "garbage" data, thereby forcing to the surface errors which are hidden as a result of a programmers' (unfounded) assumption of a particular state of memory upon allocation (e.g., that it would be initialized to zeros). When initialization is dictated by the language, such as static and global arrays in C (which, according to the C language, are initialized to zeros), the system does not perform this initialization. In all other instances, however, the initialization (with garbaged data) is made so that the programmer cannot rely on implementation-dependent side effects for correctness of his or her code.

In the system of the present invention, descriptors are stored for each stack frame which is created. It is known in the art to use stack-checking routines to guard against stack overflow or underflow. In addition to this, however, the descriptors include information characterizing the various components which comprise each stack frame--namely, function arguments, local variables, and return address. This may be employed for catching the very common problem of returning (from the function) an address of a local variable in the function (which of course is no longer valid to de-reference once the function has returned and its stack frame has been destroyed).

C. Modification of Runtime Library

For the runtime library, it is desirable to catch errors which include passing bad pointers/handles to runtime library functions as well as attempting to use objects (e.g., memory blocks) which have already been freed. In an exemplary embodiment, each runtime library function is provided with a "wrapper" function, which provides an additional level of checking before the true runtime function is actually called (to carry out the functionality which is desired). In this manner, the standard runtime library itself requires little change. Instead, change can be effected through the wrapper functions which include parameter checking and validation functionality. The wrapper functions themselves may be implemented in a separate DLL (Dynamically-Linked Library). In this fashion, the application calls into the wrapper DLL which, after error checking and validation, calls into the true runtime DLL.

At compile time, the compiler builds a descriptor for each global and for each stack data member which it encounters. This information is emitted to the data segment (or, alternatively, to the code segment) of the object file (i.e., .OBJ file). For this purpose, static data members are treated the same as global data members: descriptors are emitted for them as well. Each descriptor itself stores the location for the data member in memory together with a size for that data member.

For stack data members, the descriptor stores essentially the same information as just described. However, the location for each data member is indicated as offsets within the stack. Another difference exists with stack data members. The CodeGuard Library is not notified of the existence of particular stack data members. For static and global data members (for which the compiler emits descriptors to the data segment), on the other hand, the CodeGuard Runtime Library is notified. The compiler generates for each object module which includes global and/or static data an initialization procedure, which calls into the CodeGuard Runtime Library. The initialization procedure for each module is invoked by the CodeGuard Runtime Library at application startup (i.e., execution); here, the CodeGuard Library walks a list of initialization procedures for each object module linked into the final executable program. The initialization procedure itself is compiled into the object file for each object module which includes global and/or static data members. The procedure itself is actually written out as pure data to either the code segment and/or data segment of the object module.

Upon invocation, the initialization procedure is passed on a per object module basis a pointer to the list of descriptors (for that object module). Upon invocation by the CodeGuard Library, the invocation procedure may call back into the CodeGuard Library with a notification of data blocks in the object module (i.e., address, size, and padding). The CodeGuard Library, in turn, enters these items into its database of allocated objects. In essence, these items are treated as implicitly allocated objects--having been implicitly allocated by the application program loader.

For stack-based objects, a callback mechanism is not used. Instead, the standard function prologue code is modified as follows. When the function is entered, it pushes onto the stack offsets (and signatures) for the descriptors of the current stack frame. In this manner, when a particular pointer is being validated for a runtime library function, the system can "walk up" the stack and find the corresponding signature, thus allowing the system to find the offset to the descriptor for the stack. In an exemplary embodiment, a 32-bit space is reserved on the stack for storing the signature.

Runtime or dynamic allocation is handled differently, using "wrappers" on standard library allocation function. For memory allocation, for instance, the malloc function is wrapped. For file handle resources, on the other hand, the fopen function is wrapped. Collectively, these are treated generically as allocation of "resources." Within this generic class exists types of resources, including memory, file handles, streams, windows, GDI objects (e.g., Graphics-device independent--such as Windows pen), and the like. Whenever one of these "resources" is allocated, the CodeGuard Library enters it into its database of allocated objects. Whenever such a resource is de-allocated or freed, the CodeGuard library removes it from its database of allocated or "legal" objects and places it in its database of "illegal" objects.

Actual knowledge about what each resource represents is contained within the wrapper for each of the runtime library functions. When a file handle is passed to open a file (i.e., passed to fopen), for instance, the CodeGuard wrapper function makes the following determination: (1) whether this is the right type of object, and (2) whether it is valid. In particular, the wrapper function can make this determination by looking up the passed-in data member in its list of valid objects. For instances where an allocator function is being called (i.e., a function which will return a particular value for the resource which is being allocated), the wrapper function, on the return (i.e., the return from the true runtime library function), stores the value in its database of allocated objects and then returns the value back to the user application.

In addition to checking resources at allocation and de-allocation, the system also checks "use" of resources at runtime. This is accomplished by two means. First is the compiler support, which is previously described (and described in further detail below). Second is the use of wrapper functions for the individual RTL functions which "use" the resources. For memory block resources, for instance, the corresponding RTL string functions strcpy and strncmp are wrappered, with the wrapper function validating the passed-in memory pointers which reference particular memory blocks (i.e., resources). At times, resources may be mixed, such as in the case of RTL functions fread and fwrite. In the case of fwrite, the function takes a buffer (i.e., memory pointer to a buffer) which is going to be written out and a FILE pointer which is the file to receive the output. Here, two different types of resources are validated: a memory block and file pointer. Additionally, the CodeGuard Library validates all other parameters, to the extent it can. For instance, if the constant string "my.sub.-- file" is passed to the fopen function, the CodeGuard Library checks to make sure that the string is a valid string.

Internal Operation

A. Approach Based on Object Type

From the viewpoint of implementing the present invention, essentially two types of objects or things exist in the system: memory and non-memory resources. Non-memory resources generally always include an allocator and a de-allocator (or destroyer). For non-memory resources, in other words, there typically exists a place where the resource is created (e.g., fopen) and a place where it is destroyed (e.g., fclose). Therefore, the creation and destruction of non-memory resources are usually well-defined events in the system.

Memory, in contrast, can come from a variety of places. As a result, it requires special treatment and, thus, special checking. Memory can come, for instance, from the operating system (from an RTL allocator), from static data in one's code, or from stack (local) variables in one's code. All told, when the system checks a resource, it must handle two classes of objects. Either it is a memory object and requires special checking, or it is a non-memory resource whose creation and destruction can be specifically determined. As a result of these classes of objects, the CodeGuard Library includes two classes or types of checks.

The types of objects which are not memory may be treated generically and handled in basically the same manner. The only issue specific to each of these objects is what is its "type". In an exemplary embodiment, theses objects include file handles, system handles (e.g., semaphores and mutexes), windows objects (e.g., pen, brushes, and icons), and the like. The system includes a notion of a generic handler, where the system treats an object as a generic object--that is, it does not attempt to understand its type. Nevertheless, the object may be tracked to monitor when it is created and destroyed. In operation, a descriptor for a resource is created on-the-fly, when the resource is acquired at runtime. In this manner, descriptors are not created for resources which are set forth in the code but are not employed at runtime.

B. Resource and Memory Block Retention

When a memory block is freed by the user application at runtime, the CodeGuard Library does not immediately return it back to the runtime library allocator. Instead, the CodeGuard Library "holds onto" the memory block, in an effort to force a subsequent memory request from the user application to be satisfied from a different memory block. During operation, if a user application frees up a block and then immediately requests another block, it is possible that a runtime allocator might return the very same block back to the user, thus hiding a certain class of bugs. By delaying the return of freed memory blocks, the CodeGuard Library forces the user application to go elsewhere for memory, the application cannot grab the very same memory block back which it has just freed. In addition to the "delayed freeing" of blocks, the system also fills freed blocks (i.e., "freed" from the applications perspective) with garbage data. In this manner the system can provoke problems up front and thus allow them to be fixed, instead of allowing them to remain dormant only to then create program errors when a program is ultimately deployed to customers.

C. Wrapper Functions

Exemplary wrapper functions for implementing the present invention will now be presented. First, the memory class of wrappers will be presented, followed by the non-memory wrappers.

1. General Approach to Memory Objects

The general approach to construction wrapper functions, in accordance with the present invention, is perhaps best described by way of example. Consider the standard C library function, strcpy:

char*strcpy(char*dest,const char*src);

Here, the function copies string src to dest, stopping after the terminating null character has been moved. In accordance with the present invention, both arguments are validated.

The process of validation is performed using a descriptor database of the present invention. At the outset, the system notes that the strcpy function takes as arguments two pointers to memory. Accordingly, the memory resides on the stack, in the heap, or in the application's data segment. Thus, in all cases, the corresponding memory (i.e., the memory pointed to by the pointers) can be found. First, the system checks items on the stack. If the pointer points to a memory location within the current stack frame (or within the range of the stack), the system looks to the location in the stack which points to the descriptor that pertains to that pointer. When the associated descriptor is found, the system compares the length specified by the descriptor (i.e., the size of the memory block) against how much information is to be copied (for the strcpy function). If the amount to copy fits within the determined size of the block, the parameter (i.e., pointer) is valid.

If, on the other hand, the pointer contains a value such that the memory could not possibly be on the stack, the system looks to its descriptor database. In other words, if the descriptor cannot be found from the stack at this point, the system ignores the stack frame and looks to its descriptor database. In operation, when a function is being called and its stack frame is set up, the system pushes onto the stack an offset to the stack frame descriptor (i.e., the descriptor which describes the local variables for that stack frame) and pushes a "signature"--a 32-bit constant which serves as a signature value. In the event that an object exists on the stack yet a descriptor for it cannot be found on the stack, the system takes a simplified approach as follows. Since the object cannot be validated, the system simply treats the object as a valid object. This approach is adopted since it is preferable to minimize false positives, so an not to interfere with normal development process. An object will generally not have a descriptor if the user (selectively) decides to not enforce CodeGuard checking for certain functions. In this manner, code can be mixed, using both code guarded and non-code guarded functions. Giving false positives is a particularly bad approach since it increases the likelihood that users will tend to ignore future warnings, some of which may be quite important. In addition to insuring that sufficient memory space exists for the string copy operation, the system also checks whether the destination is "writeable." Writeable locations include the stack, the heap, and the application's data segment, for instance. Non-writeable locations, on the other hand, include the code segment and the data segment of another program.

To validate the size of the string copy to the destination, the wrapper function first performs a strlen (string length) function, checking for the size of the source. After making this determination, the wrapper can then insure that the destination (memory object) includes sufficient space for storing a string of this length. Although the system actually knows the size of the source (memory block object), the string length is determined instead, since a string (which is NULL-terminated) may be copied which is less than the (complete) size of the source memory block. For the destination, the wrapper function first looks to a descriptor stored on the stack. If one is not found, it then proceeds to the descriptor database, for looking up a descriptor corresponding to that memory object. If a descriptor is found, the wrapper simply validates that the requested operation (i.e., copying a certain number of bytes) can be performed with the object at its given size (as indicated by the descriptor).

For stack-based objects (strings residing on the stack), the system of the present invention places the corresponding descriptors also on the stack. This is a design optimization intended to minimize the number of calls into the CodeGuard Library. Instead, a reference to the descriptor information is simply kept in the same stack frame as the corresponding objects; the actual descriptor for each stack frame is, itself, stored in the code segment. In this manner, stack-based objects can be checked without calling into the CodeGuard Library every time a stack frame is entered.

If after validation, the source and destination are found to be valid for the desired operation, the wrapper function calls the runtime library function (i.e., strcpy itself). If an error is found, on the other hand, the CodeGuard Library draws attention to the error, such as logging the event and/or displaying an alert dialogue. In a preferred embodiment, the wrapper function usually still calls into the corresponding standard library function even when an error is detected (except in the instance of freeing a memory block twice). This is to allow operation of the program to be observed even in the face of a potential error. Thus, in a preferred embodiment, the approach is one of detection but not exception handling (which can be provided by other libraries). In the event that a program does "crash" because of an error which has been detected, the cause of the crash is pinpointed by the above-described log information, which is stored to disk. If the application is running under IDE control (as previously described), the system displays the offending line of code where the errant runtime library call occurred.

Differences exist between descriptors for stack-based (local) variables and global ones. These differences are due, in part, to the difference which exists between these two types of variables. Within C.sup.++ functions, for instance, local variables can be nested. Specifically, within a function, a block may exist (e.g., "if" statement) which declares additional local variables (i.e., within the scope of that block). When the point of execution passes out of that particular block, the data members whose scope was limited to that block should be treated as no longer valid. Technically, access to these "nested" local variables which are no longer in scope should not be permitted.

Consider a function which declares a pointer to the integer and the function includes a block (e.g., "if" statement) which declared a local integer variable, with the address of that variable being assigned to the integer pointer within the block.

    __________________________________________________________________________
    void foo( int iParam )
    int* pMyInt;   // ptr to int
    if ( iParm > 0 ) {
    int MyInt;     // declar int within "if" block
    pMyInt = &MyInt;
                   // assign addr of MyInt to pMyInt
    }
    *pMyInt = 5;   // wrong -- dereference thru MyInt no longer valid|
    }
    __________________________________________________________________________

    __________________________________________________________________________
    1:
      /*
    2:
      * strcpy wrapper
    3:
      */
    4:
    5:
      char.sub.-- FAR *  .sub.-- export   .sub.-- cg.sub.-- strcpy(
    6:       char .sub.-- FAR * (*.sub.-- org.sub.-- strcpy) (char .sub.--
             FAR *.sub.-- dest,
    7:       const char .sub.-- FAR * .sub.-- src), unsigned int prevEBP,
    8:       void * retEIP,
    9:       char .sub.-- FAR * .sub.-- dest, const char .sub.-- FAR *
             .sub.-- src)
    10:
      {
    11:    static FUNCTION func.sub.-- strcpy
    12:       = {"strcpy",.sub.-- cg.sub.-- strcpy,F.sub.-- FUNC.sub.-- ALL,
              "ps=p", 0};
    13:    char .sub.-- FAR * r;
    14:    size.sub.-- t srcLen;
    15:
    16:    if(off.vertline..vertline.inRTL().vertline..vertline.isDisabled(&fu
           nc.sub.-- strcpy))
    17:    {
    18:        .sub.-- SWITCHTORTLDS;
    19:        return .sub.-- org.sub.-- strcpy(.sub.-- dest, .sub.-- .sub.--
               src);
    20:    }
    21:
    22:    srcLen = validateString(.sub.-- src, 0, &func.sub.-- strcpy,
           rt1EBP);
    23:    validate(.sub.-- dest, srcLen, &func.sub.-- strcpy, rt1EBP);
    24:
    25:    enterRTL();
    26:    .sub.-- SETRTLDS;
    27:    r = .sub.-- org.sub.-- strcpy(.sub.-- dest, .sub.-- src);
    28:    .sub.-- RESTOREDS;
    29:    leaveRTL();
    30:
    31:    apiRet(&func.sub.-- strcpy ,rt1EBP, (unsigned long) r);
    32:    return r;
    33:
      }
    (line numbers added to faciliate description)
    __________________________________________________________________________

    __________________________________________________________________________
    1:
      /*
    2:
       * fopen wrapper
    3:
       */
    4:
    5:
      FILE * .sub.-- export  .sub.-- cg.sub.-- fopen(
    6:
      FILE * (*.sub.-- org.sub.-- fopen) (const char * .sub.-- path, const
      char * .sub.-- mode),
    7:
      int (*.sub.-- org.sub.-- fclose) (FILE * .sub.-- stream),
    8:
      int (*.sub.-- org.sub.-- errno.sub.-- help) (int setErrno),
    9:
      int (*.sub.-- org.sub.-- close) (int .sub.-- handle),
    10:
      unsigned int prevEBP,
    11:
      void * retEIP,
    12:
      const char * .sub.-- path, const char * .sub.-- mode)
    13:
      {
    14:
       static, FUNCTION func.sub.-- fopen={"fopen",.sub.-- cg.sub.-- fopen,F.s
      ub.-- FUNC.sub.-- ALL, "ss=p",0};
    15:
       FILE * r;
    16:
    17:
       if (off.vertline..vertline.inRTL())
    18:
       {
    19:   .sub.-- SWITCHTORTLDS;
    20:   return .sub.-- org.sub.-- fopen(.sub.-- path, .sub.-- mode);
    21:
       }
    22:
    23:
       validateString(.sub.-- path, 0, &func.sub.-- fopen, rt1EBP);
    24:
       validateString(.sub.-- mode, 0, &func.sub.-- fopen, rt1EBP);
    25:
    26:
       enterRTL();
    27:
       do
    28:
       {
    29:   .sub.-- SETRTLDS;
    30:   r = .sub.-- org.sub.-- fopen(.sub.-- path, .sub.-- mode);
    31:   .sub.-- RESTOREDS;
    32:
       } while (r==NULL && geterrno==EMFILE && freeDelayed(&rsrc.sub.--
      fstream));
    33:
       leaveRTL();
    34:
    35:
       if (r|=NULL)
    36:
       {
    37:   ITEM .sub.-- FAR * i;
    38:   ITEM .sub.-- FAR * ih;
    39:
    40:   i = newResource( (unsigned long) r,
    41:           &rsrc.sub.-- fstream,.sub.-- org.sub.-- fclose,&func.sub.--
                  fopen,
    42:           rt1EBP );
    43:
    44:   if (i==NULL)
    45:   {
    46:      .sub.-- SETRTLDS;
    47:      .sub.-- org.sub.-- fclose(r);
    48:      .sub.-- RESTOREDS;
    49:      seterrno(ENOMEM);
    50:      apiFail(&func.sub.-- fopen, rt1EBP, NULL);
    51:      return NULL;
    52:   }
    53:
    54:   ih = newResource( (unsigned long).sub.-- fileno(r),
    55:           &rsrc.sub.-- handle,.sub.-- org.sub.-- close,&func.sub.--
                  fopen,
    56:           rt1EBP );
    57:   if (ih==NULL)
    58:   {
    59:      .sub.-- SETRTLDS;
    60:      org.sub.-- fclose(r);
    61:      .sub.-- RESTOREDS;
    62:      if (i->par1) free((char*) i->par1);
    63:      freeResource(i);
    64:      seterrno(ENOMEM);
    65:      apiFail(&func.sub.-- fopen, rt1EBP, NULL);
    66:      return NULL;
    67:   }
    68:
    69:   i->par1 = (unsigned long) strdup(.sub.-- path);
    70:   i->par2 = (unsigned long) ih;
    71:   ih->par1 = (unsigned long) strdup(.sub.-- path);
    72:   apiRet(&func.sub.-- fopen, rt1EBP, (unsigned long) r);
    73:
       }
    74:
       else
    75:
       {
    76:   apiFail(&func.sub.-- fopen, rt1EBP, NULL);
    77:
       }
    78:
    79:
       return r;
    80:
      }
    __________________________________________________________________________

    __________________________________________________________________________
    1:
      /*
    2:
       * fclose wrapper
    3:
       * /
    5:
      int  .sub.-- export  .sub.-- cg.sub.-- fclose(
    6:
      int (*.sub.-- org.sub.-- fclose) (FILE * .sub.-- stream),
    7:
      int (*.sub.-- org.sub.-- errno.sub.-- help) (int setErrno),
    8:
      int (*.sub.-- org.sub.-- close) (int .sub.-- handle),
    9:
      FILE * (*.sub.-- org.sub.-- freopen) ( const char * .sub.-- path, const
      char * .sub.-- mode,
    10:           FILE * .sub.-- stream),
    11:
      unsigned int prevEBP,
    12:
      void * retEIP,
    13:
      FILE * .sub.-- .sub.-- stream)
    14:
      {
    15:
       static FUNCTION func.sub.-- fclose={"fclose",.sub.-- cg.sub.--
      fclose,F.sub.-- FUNC.sub.-- ALL,"p=i",0};
    16:
       ITEM .sub.-- FAR * i, *ih;
    17:
       FILE * h;
    18:
    19:
       if (off.vertline..vertline.inRTL())
    20:
       {
    21:   .sub.-- SWITCHTORTLDS;
    22:   return .sub.-- org.sub.-- fclose(.sub.-- stream);
    23:
       }
    24:
    25:
       // checking parameter errors
    26:
    27:
       if (NULL==( i=isGoodRscParam((unsigned long).sub.-- stream,
      &rsrc.sub.-- fstream,
    28:      .sub.-- org.sub.-- fclose, &func.sub.-- fclose, rt1EBP)))
    29:
       {
    30:   if ( findDelayFreed((unsigned long).sub.-- .sub.-- stream,
          &rsrc.sub.-- fstream,
    31:    .sub.-- org.sub.-- fclose))
    32:   {
    33:     seterrno(EBADF);
    34:     apiFail(&func.sub.-- fclose, rt1EBP, NULL);
    35:     return EOF;
    36:   }
    37:   else // try to fclose (we can't fall thru to delay)
    38:   {
    39:     int r;
    40:     enterRTL();
    41:     .sub.-- SETRTLDS;
    42:     r = .sub.-- org.sub.-- fclose(.sub.-- stream);
    43:     .sub.-- RESTOREDS;
    44:     leaveRTL();
    45:     if (r|=EOF)
    46:       apiRet(&func.sub.-- fclose, rt1EBP, (unsigned long) r);
    47:     else
    48:       apiFail(&func.sub.-- fclose, rt1EBP, EOF);
    49:     return r;
    50:   }
    51:
       }
    52:
    53:
       // fclose and reopen it so others will have access to it|
    54:
    55:
       enterRTL();
    56:
       .sub.-- SETRTLDS;
    57:
       h = .sub.-- org.sub.-- freopen("null", "rb", .sub.-- stream);
    58:
       .sub.-- RESTOREDS;
    59:
      IeaveRTL();
    60:
    61:
       ih = (ITEM *) i->par2;
    62:
    63:
       // If we have a valid handle resource (fdopen may not) free it.
    64:
       if (ih)
    65:
       {
    66:   if (ih->par1)
    67:     free((char*) ih->par1);
    68:   freeResource(ih);
    69:
       }
    70:
    71:
       if (h==NULL && geterrno==EBADF)
    72:
      {
    73:   if (i->par1) free((char*) i=>par1);
    7A:   freeResource(i);
    75:   apiFail(&func.sub.-- fclose, rt1EBP, EOF);
    76:   return EOF;
    77:
       }
    78:
    79:
       // try to take hold of the same handle for delay stuff
    80:
    81:
       if (h|=.sub.-- stream)
    82:
       {
    83:   if (i->par1) free((char*) i->par1);
    84:   freeResource(i);
    85:   if (h)
    86:   {
    87:     .sub.-- SETRTLDS;
    88:     .sub.-- org.sub.-- fclose(h);
    89:     .sub.-- RESTOREDS;
    90:   }
    91:   apiRet(&func.sub.-- fclose, rtlEBP, 0);
    92:   return 0;
    93:
       }
    94:
    95:
       // resource free (delay free)
    96:
    97:
       delayFreeResource( i, &func.sub.-- fclose, rt1EBP,
    98:         (unsigned long) .sub.-- stream, .sub.-- org.sub.-- fclose
    99:         .sub.-- PASS.sub.-- USERDS );
    100:
    101:
        apiRet(&func.sub.-- fclose, rtlEBP, 0);
    102:
       return 0;
    103:
       }
    __________________________________________________________________________

    __________________________________________________________________________
    1:
      /*
    2:
       *  malloc wrapper
    3:
       */
    4:
    5:
      void .sub.-- FAR * .sub.-- export  .sub.-- cg.sub.-- malloc(
    6:
      void .sub.-- FAR * (*.sub.-- org.sub.-- malloc) (size.sub.-- t .sub.--
      size),
    7:
      void (*.sub.-- org.sub.-- free) (void .sub.-- FAR *.sub.-- .sub.--
      block),
    8:
      unsigned int prevEBP,
    9:
      void * retEIP,
    10:
      size.sub.-- t .sub.-- size)
    11:
      {
    12:
       static FUNCTION func.sub.-- malloc = { "malloc", .sub.-- cg.sub.--
      malloc,
    13:                F.sub.-- FUNC.sub.-- ALL, "i=p", 0 };
    14:
       void .sub.-- FAR * r;
    15:
    16:
       if (off.vertline..vertline.inRTLM())
    17:
       {
    18:   .sub.-- SWITCHTORTLDS;
    19:   return .sub.-- org.sub.-- malloc(.sub.-- size);
    20:
       }
    21:
    22:
       if (deref(.sub.-- org.sub.-- malloc)==dll.sub.-- mailoc)
    23:
       {
    24:   // RTLDLL
    25:   .sub.-- org.sub.-- malloc = new.sub.-- dll.sub.-- malloc;
    26:   .sub.-- org.sub.-- free  = new.sub.-- dll.sub.-- free;
    27:
       }
    28:
    29:
       enterRTLM();
    30:
       do
    31:
       {
    32:   .sub.-- SETRTLDS;
    33:   r = .sub.-- org.sub.-- malloc(.sub.-- size);
    34:   .sub.-- RESTOREDS;
    35:
       } while (r==NULL && freeDelayed(&rsrc.sub.-- memory));
    36:
       leaveRTLM();
    37:
    38:
       if (r|=NULL)
    39:
       {
    40:   ITEM .sub.-- FAR * i;
    41:
    42:
    43:   // if logging regions for access validation, do it
    44:
    45:   if (|insertRegion(r , .sub.-- size, 2, 2))
    46:   {
    47:     .sub.-- SETRTLDS;
    48:     .sub.-- org.sub.-- free(r);
    49:     .sub.-- RESTOREDS;
    50:     apiFail(&func.sub.-- malloc,rtlEBP, 0);
    51:     return NULL;
    52:   }
    53:
    54:   // if log resources, do it
    55:
    56:   i = newResource( (unsigned long) r,&rsrc.sub.-- memory,
    57:       .sub.-- org.sub.-- free,&func.sub.-- malloc,rtlEBP );
    58:
    59:   if (i==NULL)
    60:   {
    61:       .sub.-- SETRTLDS;
    62:       .sub.-- org.sub.-- free(r);
    63:       .sub.-- RESTOREDS;
    64:       deleteRegion(r);
    65:       apiFail(&func.sub.-- malloc,rtlEBP, 0);
    66:       return NULL;
    67:   }
    68:   i->par2 = .sub.-- size;
    69:   i->par1 = (unsigned long) r;
    70:   uninitFillBlock(i);
    71:
    72:   apiRet(&func.sub.-- malloc,rtlEBP,  (unsigned long) r);
    73:
    74:
       }
    75:
       else
    76:
       {
    77:   // if log API errors, do it here
    78:
    79:   if (.sub.-- size==0)
    80:       apiRet(&func.sub.-- malloc,rtlEBP, (unsigned long) r);
    81:   else
    82:       apiFail(&func.sub.-- malloc,rtlEBP, 0);
    83:
       }
    84:
       return r;
    85:
      }
    __________________________________________________________________________

    __________________________________________________________________________
    1:
      /*
    2:
       *  free wrapper
    3:
       */
    4:
    5:
      void .sub.-- export  .sub.-- cg.sub.-- free(
    6:
      void (*.sub.-- org.sub.-- free) (void.sub.-- FAR *.sub.-- block),
    7:
      /* size.sub.-- t (*.sub.-- org.sub.-- msize) (void .sub.-- FAR *
      .sub.-- block), */
    8:
      unsigned int prevEBP,
    9:
      void * retEIP,
    10:
      void .sub.-- FAR *.sub.-- block)
    11:
      {
    12:
      static FUNCTION func.sub.-- free= {"free",.sub.-- cg.sub.-- free,F.sub.-
      - FUNC.sub.-- ALL, "p", 0);
    13:
       ITEM .sub.-- FAR * i;
    14:
    15:
       if (off.vertline..vertline.inRTLM())
    16:
       {
    17:   .sub.-- SWITCHTORTLDS;
    18:   org.sub.-- free (.sub.-- block);
    19:   return;
    20:
       }
    21:
    22:
       if (deref(.sub.-- org.sub.-- free)==dll.sub.-- free)
      .sub.-- org.sub.-- free = new.sub.-- dll.sub.-- free;
    23:
    24:
       if (.sub.-- block==NULL) return;
    25:
    26:
       // checking parameter errors
    27:
    28:
       if (NULL==( i=isGoodRscParam((unsigned long).sub.-- block,
    29:       &rsrc.sub.-- memory, .sub.-- org.sub.-- free, &func.sub.--
              free, rtlEBP) ))
    30:
       {
    31:   // at this point we just want to emit a message
    32:   // (via findDelayFreed()) and then quit
    33:   findDelayFreed((unsigned long) .sub.-- block,&rsrc.sub.-- memory,
          .sub.-- org.sub.-- free);
    34:   apiRet(&func.sub.-- free,rtlEBP, 0);
    35:   return;
    36:
       }
    37:
    38:
       // resource free (delay free)
    39:
    40:
       delayFreeRegion (.sub.-- block);
    41:
       delayFreeResource( i, &func.sub.-- free,rt1EBP, (unsigned long)
      .sub.-- .sub.-- block,
    42:         .sub.-- org.sub.-- free .sub.-- PASS.sub.-- USERDS );
    43:
      apiRet(&func.sub.-- free, rtlEBP, 0);
    44:
      }
    __________________________________________________________________________

    ______________________________________
    1:  int i;
    2:  char a›10!, b›10!;
    3:  char *p, *q;
    4:
    5:  a›i + 3! = 0; // valid operation for 0 .ltoreq. i + 3 < 10 only
    6:  p = &a + i + 3; // valid operation for 0 .ltoreq. i + 3 < 10
    ______________________________________
        only

    ______________________________________
    push 1          ; element size
    push -20        ; offset of a
    push EAX        ; index of array
    push 0          ; no index scaling (i.e., 2.degree.)
    push 3          ; offset
    call .sub.-- CG.sub.-- LDA.sub.-- EOXSY
    ______________________________________

    ______________________________________
    down: mark n .fwdarw. base for no access check
    process    n .fwdarw. base
    process    n .fwdarw. index
    generate code for n depending on the
           addressing modes returned by the processing
           of n .fwdarw. base and n .fwdarw. index.
    ______________________________________

    __________________________________________________________________________
    static
          void CGDown(Node *n, Node *base, CGFlags f)
    /*
    propagate CG.sub.-- SAVExxx flags down
    add f to base->fld.cgflags if base is a node
    convert and add f to n->fld.cgflags if base is a symbol
    */
    CGFlags  g;
    if     (base->g.kind == NK.sub.-- CSE)
           base = base->op.right;
    g = n->fld.cgflags & (CG.sub.-- SAVEADR.vertline.CG.sub.-- SAVEVAL);
    if     (n->g.kind == NK.sub.-- ADR)
    {
           if (g & CG.sub.-- SAVEVAL)
              g = CG.sub.-- SAVEADR;
    }
    else
    {
           g &= .about.CG.sub.-- SAVEVAL; /* is propagated down through f if
           needed */
           if (n->g.kind == NK.sub.-- INDIR)
           {
              if (g & CG.sub.-- SAVEADR)
                 g = CG.sub.-- SAVEVAL;
              }
    }
    f .vertline.= g;
    if     (base->g.kind < NK.sub.-- NULL)
    {
           if (f & CG.sub.-- SAVEADR)
              n->fld.cgflags .vertline.= CG SAVEBADR;
           else if
                 (f & CG.sub.-- SAVEVAL)
           {
              if  (base->g.flags & SF.sub.-- REG)
              {
                 if (base->g.kind == SY.sub.-- ABSVAR)
                 /* should actually not occur: always a NK.sub.-- FIELD
                    on top of pseudoreg (pointer cast),
                    so CG.sub.-- SAVEVAL is masked out */
                    base->g.c.mr = base->sym.val.intVal;
                 CGSaveVal(base); /* save it before it's too late */
                 n->fld.cgflags .vertline.= CG.sub.-- SAVED;
              }
              else
                 n->fld.cgflags .vertline.= CG SAVEBVAL;
           }
    }
    else
    {
           base->fld.cgflags .vertline.= f;
           assert((base->fld.cgflags & (CG.sub.-- SAVEADR.vertline.CG.sub.--
           SAVEVAL))
              |= (CG.sub.-- SAVEADR.vertline.CG.sub.-- SAVEVAL), "C");
    }
    }
    __________________________________________________________________________

    __________________________________________________________________________
    static
          void CGUp(Node *n, Node *base, CGFlags f)
    /*
    save base symbol if marked
    propagate CG.sub.-- SAVED flag up if base is a node
    check if needed, and save n if needed */
    if    (base->g.kind == NK.sub.-- CSE)
          base = base->op.right;
    if    (base->g.kind < NK.sub.-- NULL)
    {
    if  (n->fld.cgflags & CG.sub.-- SAVEBADR)
    {
             CGSav.sub.-- Adr(base);
             n->fld.cgflags .vertline.= CG.sub.-- SAVED;
    }
    else if  (n->fld.cgflags & CG.sub.-- SAVEBVAL)
    {
             CGSaveVal(base);
             n->fld.cgflags .vertline.= CG.sub.-- SAVED;
    }
    }
    else
    n->fld.cgflags .vertline.= base->fld.cgflags & CG.sub.-- SAVED;
    if  (f & CG->CHECKACC)
    {
    if (n->fld.cgflags & CG.sub.-- NOACCCK)
    {
             if
               (n->fld.cgflags & CG.sub.-- NOUPCALL)
               CGCheckAdr(n);
    }
    else
             CGCheckAcc(n);
    }
    if    ((f & CG.sub.-- CHECKVAL) && |(n->fld.cgflags & CG.sub.-- NOVALCK))
          N
          CGCheckVal(n);
    if    ((n->fld.cgflags & (CG.sub.-- SAVEADR.vertline.CG.sub.-- SAVEVAL))
          && | (n->fld.cgflags & CG.sub.-- SAVED))
    {
    if       (n->fld.cgflags & CG.sub.-- SAVEADR)
             CGSavAdr(n);
    else
             CGSaveVal(n);
    n->fld.cgflags .vertline.= CGSAVED;
    }
    }
    __________________________________________________________________________

• Inventors
  Crelier, Regis; Cantey, James Lee;
• Assignee
  Inprise Corporation (Scotts Valley, CA)
• Published
  Jun-1-1999
• Current US Classes:
  717/131
  717/141
• Application #
  598309
• International Classes
  G06F 011/08
• Field of Search
  395/705 395/702-704 395/709 364/280.4
• Examiner
  Poinvil; Frantzy
• Agent
  Smart; John A.
• US Patent References:
  5193180
  5335344