Daniel Higginbottom and The Penguin

Another Five Things Story, for my girls.  Just need an illustrator now and I can retire.

One of the girls (I honestly can’t remember which) gave me these five things to incorporate into the story: Talking Penguin; magic stone; tree; red eel; blueberry bush, and a special request that Daniel Higginbottom make an appearance.  If you can bear to read it, here’s the result.

The first episode, Daniel Higginbottom and the Hairbrush, is buried in my blog about my holiday with Hannah.

Daniel Higginbottom and The Penguin

Talking Penguin; magic stone; tree; red eel; blueberry bush

Daniel Higginbottom woke up, got up, and got dressed.  He got into his normal, boring work clothes.  Then he ate his normal, boring breakfast cereal and read his normal, boring newspaper.  After brushing his teeth, with his normal, boring toothbrush, he got into his normal, boring, brown car and drove to his normal, boring office at the government’s Treasury Building, where he worked as an accountant.

He drove into the carpark under the office building, and took the lift up to his office, and here he stopped being quite so boring, because he immediately saw a note on his desk saying, “Come to my office at once.  S”.

He knew who S was.  Do you?

Without delay, Daniel strode down the hallway to S’s office, and knocked upon the fancy door.  “Come in,” came the call, and Daniel opened the door and walked into the office, treading upon the deep pile carpet and coming to a standstill in front of the fine walnut and oak desk behind which, in a large and comfortable chair, sat S, the Spy Master.

“Daniel, I have a new mission for you,” started the Spy Master.  At this point, no doubt you realise that Daniel was not quite what he seemed.  In fact, Daniel was a really truly spy.  And he’d already had many missions, including most recently one to the neighbouring kingdom to capture nothing less than a talking hairbrush!

While we were learning a bit more about Daniel, the Spy Master had continued talking, so we’ll have to go back a bit so we don’t miss anything.  “This mission will be as hard as any you have ever undertaken.  You must travel in our top secret spy plane to the next kingdom but three, and there locate a priceless magic stone, which we believe will be guarded by a talking penguin!”

Daniel was a little nonplussed.  Why did he keep getting missions to, well, not to put too fine a point on it, steal magical objects from other kingdoms?  Magical stones, magical hairbrushes?  Well, he was not one to argue, and of course this was his job.  So he took a deep breath, turned on his heel and strode straight back to the lift, and down to the carpark.

On the way down in the lift, he closed his eyes, and composed himself, and when he opened them, he was no longer Daniel Higginbottom, but now was Fred Smith, spy extraordinaire!  I know that Fred Smith sounds like a very boring name, but Daniel was smart, and knew that a good cover name had to be boring so that people would not suspect that he was a spy!

Even though Daniel-Fred was smart, he knew he had to have something special to drive.  A spy simply couldn’t drive a boring brown car.  Nothing less than a red sports car would do.  And a red sports car was what Daniel jumped into, and tore out of the car park in, on his way to the airport.

At the airport Daniel parked in a secret car park just for spies (no, I’m not telling you where it is), and raced over to the hangar where the top secret spy plane waited, engines fuelled and turning over, for him to climb into.  As he stepped into the cabin, the door closed behind him and the plane eased its way out of the hangar and taxied straight to the nearest runway and took off.  Spy planes get some special treatment at airports.

Soon, all too soon, the plane was descending to land in the next kingdom but three.  Daniel had read his dossier on the mission and flushed it down the toilet in the airplane.  He hoped that wouldn’t cause any problems but he simply couldn’t have it falling into enemy hands.

At the airport, the top secret spy plane, now posing as a fairly ordinary business jet plane, taxied to the business terminal and Fred (as we must now call him), looking like a normal and simply too-boring-for-words businessman, walked through the terminal and picked up his rental car – not a red sports car, sadly, but a too-appropriate-to-be-quite-nice expensive sedan car.

Fred drove to his hotel, and as the day was already drawing to a close, ate dinner and went to bed.  How boring!  The next morning, one might have thought that he’d forgotten his real job as he ate a boring breakfast while reading a boring newspaper (although not his normal paper as that could have given him away).  But behind his newspaper, Fred’s mind was racing.  How could he find this magical stone?  Where would a talking penguin be kept?  And why had he never heard of either of these things?

After some thought, and after finishing the comic section of the newspaper, he decided to go to the zoo.  He dressed in some zoo-going clothes (don’t you have special zoo-going clothes?), climbed into his too-appropriate-to-be-quite-nice expensive sedan car, and drove down to the zoo, which was quite some distance from his hotel and the airport.

It took him no time at all to find the penguin enclosure, and after making side trips to the lions, the badgers and the emus, to make sure any potential tails would be well and truly lost and confused, he entered the enclosure.  He stood watching the penguins, which seemed like completely normal and completely untalkative penguins, and wondered what to do next.

Suddenly he became aware that the man standing next to him was behaving surreptitiously.  And surreptitiously handing him a note.  Daniel—I mean Fred—took the note equally surreptitiously and the man surreptitiously wandered away, not looking anything like someone who had just engineered a clandestine note pass.  Fred used his spy skills to read the note without being noticed.

To the rear of this building lies a blueberry bush.  Under this bush lies a door.  This message will self-destruct in 10 seconds.

“Oh dear,” thought Fred.  He’d encountered self-destructing messages before and they were always a real pain – sometimes literally!

Sure enough, the note caught fire and burnt up rapidly, without smoke, and basically disappeared.  Fred was ready though and let it drop as the last piece disintegrated, and saved his fingers from being burned, this time.

When he was sure that the coast was clear, Fred exited the building and quickly located the blueberry bush.  Glancing around, and seeing no one watching, he reached under the bush and found the trap door that he now expected.  As the door opened with a quiet whoosh of escaping air, he did stop to ponder just how that man knew he’d be in the penguin enclosure, and whether he should be trusting this stranger, or not!  Maybe he had learned something from his previous adventure (see Daniel Higginbottom and the Hairbrush)!  Or had he?

As Fred had no other leads or ideas, he climbed into the open trapdoor, and rapidly descended the tall flight of steel rungs to the bottom of the well.  The trapdoor hissed closed above him, and glaring electric lights clicked on, one after another, all the way down the long corridor that opened up in front of him.

A deep hum could be heard.  Fred figured that perhaps that was the pump equipment for the penguin enclosure.  (See, I told you he was smart.)  Without a pause, he strode down the hallway, now looking kinda spy-like, because you simply can’t look ordinary, no matter what you do, when striding down a secret passage hidden under a blueberry bush.

Soon he came to a door.  It had a porthole in it, and Daniel carefully peeked in.   SNAP!  A glimpse of jaws filled the porthole and disappeared!  That looked suspiciously like a penguin’s jaw, thought Fred-Daniel.  This was clearly his destination.  “This is just a little too easy,” he thought.

He looked into the porthole again.  No sign of the penguin now, but the room was quite dark.  Easing open the door, he squeezed in the gap, and quietly closed the door again.  He turned on his toothpaste, and with the light examined the room.  He stood in a large room, with a big pool at one end, and a bench with what looked like aquariums to one side.  Apart from that, on the far side of the pool, was a small pedestal with something glowing and pulsating gently sitting on top.  No prizes if you guess what that was!

But between the pedestal and Daniel was the pool, and in the pool was what certainly appeared to be a ferocious penguin.  Never one to be frustrated long, Daniel (we might as well forget his Fred persona for now) crept over to the aquariums and looked in.  Expecting fish, he was surprised to see them filled with red eels instead – and had an idea!

Carefully he pulled out a plastic spondoolickle from his spy toolkit, and gently used it to capture a single wriggling red eel.  The eel looked decidedly electric and dangerous!  He carried the eel over to the big pool and just as he was about to drop it in, was interrupted by a cry!

“Mon, what are ye doin’!  Ye’ll kill that poor eel!”

Daniel didn’t miss a beat.  He looked straight at the penguin, and sure enough, it was clambering out of the pool and waddling straight for him.  It was a very large penguin indeed, he saw now, as it came closer, and grabbed his spondoolickle with his flipper, and carried the poor eel back to the aquarium.  Daniel now did miss a beat.  That was so unexpected that he stood there somewhat flabbergasted.

The penguin dropped the eel back into the aquarium, and as the eel swam gratefully away, the penguin turned and slid on its tummy back to Daniel, pulling a gun out of its side as it slid!  All of a sudden Daniel realised that this penguin wasn’t a penguin at all, and as the penguin handcuffed Daniel’s hands behind his back, he wondered how he could have been so easily fooled by a man in a penguin suit.

The penguin-man pushed Daniel out the door, and down the electric-light-corridor, and into a cell.  The door slammed closed and Daniel sank to the floor.  It wasn’t that long ago that he had been stuck in a cell but this time he didn’t expect any quick escape.  How on earth could he have been so foolish?  How could he have trusted that man from the enclosure?  And why didn’t he secure the room with the eel and penguin before proceeding?  It was all in his spy-craft course.

Time passed.  Daniel thought upon his mistakes, but could not stop thinking about that man from the enclosure.  So much hinged on his presence – how did he know about Daniel?  And how did he know about the blueberry bush?  Surely … maybe … no, Daniel couldn’t figure it out.  He’d nearly nodded off to sleep when he heard a scratching noise at the door.

With a creak the door swung open.  And there stood the man from the enclosure!  “Follow me, and don’t make a noise,” he hissed.  Daniel followed him.  After all, given the choice of a sleep in a dark, dank cell, or escaping with an unknown and potentially dangerous stranger, which would you do?  Okay, perhaps you’d stay in the cell, but Daniel was a spy!

They raced back along the corridor, and ducked into the penguin-eel room.  It was now deserted, apart from a large number of red eels swimming in aquariums.  Daniel dove into the pool, swam across to the pedestal and grabbed the pulsating stone, while the penguin-enclosure-man waited.  Then, back out, up the rungs of the ladder in the well, and out the trapdoor under the blueberry bush.  It was nearly dark, and the zoo was closed.  The penguin-enclosure-man led Daniel to the zoo wall, where they quickly found an overhanging tree, and with standard spy-skills they swung over the wall, no problems.

The man led Daniel to a motorbike, and they both jumped on and raced away.  Too late, Daniel realised that he could have run to his car and left.  But, yes, it was too late.  They zoomed through the city and finally turned into a garage.  The garage door closed behind them, and they both climbed off the motorbike.

“Wait here,” instructed the penguin-enclosure-man, and he walked through a door.  Daniel waited.  What else could he do?

Moments later, the man returned, with a gun.  “Oh of course,” thought Daniel, “that would have to happen.”  The man grabbed the pulsating and glowing stone from Daniel and disappeared through the door again.

Daniel looked around.  What resources did he have?  What could he use?  He examined the door and realised it wasn’t a fortified door but just an ordinary old house door.  It was locked, but he could pick that lock in seconds.  Now he was on a roll!  He grabbed a lock-pick from his spy kit, picked the lock, in seconds, and jumped back on the motorbike.  Revving it up, he drove down the hallway that was visible behind the wide open door, and into what looked like a lounge room at the end.  The penguin-enclosure-man was in the room, handing the stone to a woman.  Daniel drove the motorbike between the astonished pair and reached out and grabbed the stone!  Without slowing, he drove the motorbike straight through the big glass window and, engine roaring, jumped onto the street!  As he landed the motorbike, bending his knees to absorb the shock, he revved the engine again and pulled a big skid as he roared off down the street and to freedom!

As he ducked and wove through the late evening traffic, he thought back to the woman he’d seen.  He’d caught only a glimpse in the seconds he’d been in the room, but he could have sworn it was Madelina Brompton!  But there was no time to consider the implications, for in his rear view mirror, he saw a rapidly approaching black car, chasing him down!  Just as well he was on a motorbike.  Redoubling his ducking and weaving, he opened up the throttle and made a beeline for the airport.

How do you make a beeline for the airport?  In a plane it’s easy, but it is anything but easy on a motorbike, in traffic, with a black car chasing you.  But it was not for nothing that Daniel was a spy, and he finally raced into the airport, quickly parked the motorbike, raced through the terminal and out to the top secret spy plane (posing, as you recall, as a fairly ordinary business jet).

As he hurtled up the stairs to the plane, he heard an almighty crash in the distance and looked back to see the black sedan smashing through the airport gates and onto the tarmac far away on the other side of the airport.  The top secret spy plane taxied out of the hangar and down to the runway.  But this time it was a fairly ordinary business jet, and had to wait.  The car came closer and closer.  Daniel muttered quietly under his breath.  Surely he’d be safe!  Finally they taxied onto the runway and started taking off, with the black car chasing behind the plane!

Racing down the runway, engines screaming, the plane shuddered as it tried to take off.  The driver leaned out of the car window, as it chased dangerously down the runway after Daniel.  He was shaking his fist, which Daniel thought was strangely ineffectual and as the plane finally lifted into the air and he relaxed in his ever-so-comfortable top secret spy plane chair, he looked down at the rock now sitting on the table in front of him, still pulsating and glowing.  What was the rock for?  What made it so special – apart from the pulsating and glowing, that is?  He’d probably never know.

They landed without incident at their home airport, and Daniel drove his red sports car back to the office, went back up the lift and went to see S.  As he handed the rock over, S said, “Well done!  I am somewhat surprised that you came back with this rock, but good work all the same!  Take a couple of days off and enjoy yourself!”

Daniel went back to the car park, got into his boring brown car, and drove home.  A couple of days would be good, but he wasn’t sure if it was enough time to think through all that had happened on this very action-packed mission.

THE END

Generics and Delphi enumerated types without RTTI

Some Delphi types do not have RTTI. This is no fun. This happens when, and I quote:

whereas enumerated constants with a specific value, such as the following, do not have RTTI:
type SomeEnum = (e1 = 1, e2 = 2, e3 = 3);

In normal use, this will go unnoticed, and not cause you any grief, until you throw these enumerated types into a generic construct (or have any other need to use RTTI). As soon as you do that, you’ll start getting the unhelpful and misleading “Invalid Class Typecast” exception. (No it’s not a Class!)

To avoid this problem, you must wander into the dark world of pointer casting, because once you are pointing at some data, Delphi no longer cares what its actual type is.

Here’s an example of how to convert a Variant value into a generic type, including support for RTTI-free enums, in a reasonably type-safe way. This is part of a TNullable record type, which mimics, in some ways, the .NET Nullable type. The workings of this type are not all that important for the example, however. This example works with RTTI types, and with one-byte non-RTTI enumerated types – you’d need to extend it to support larger enumerated types. While I could reduce the number of steps in the edge case by spelunking directly into the Variant TVarData, that would not serve to clarify the murk.

{ Needs System.Variants and System.Rtti in the uses clause.
  Create(AValue: T) is the record's other constructor overload,
  and Clear resets the record to the "no value" state. }
constructor TNullable<T>.Create(AValue: Variant);
type
  PT = ^T;
var
  v: Byte;
begin
  if VarIsEmpty(AValue) or VarIsNull(AValue) then
    Clear
  else if (TypeInfo(T) = nil) and        { (a) no RTTI for T, }
    (SizeOf(T) = 1) and                  { (b) T is one byte wide, }
    (VarType(AValue) = varByte) then     { (c) the Variant holds a Byte }
  begin
    { Assuming an enum type without typeinfo, have to
      do some cruel pointer magics here to avoid type
      cast errors, so am very careful to validate
      first! }
    v := AValue;
    FValue := PT(@v)^;  { reinterpret the byte as a T, no type check }
  end
  else
    Create(TValue.FromVariant(AValue).AsType<T>);  { types with RTTI }
end;

So what is going on here? Well, first if we are passed Null or “Empty” variant values, then we just clear our TNullable value.

Otherwise we test if (a) we have no RTTI for our generic, and (b) it’s one byte in size, and (c) our variant is also a Byte value. If all these prerequisites are met, we perform the casting, in which we hark back to the ancient incantations with a pointer typecast, taking the address of the value and dereferencing it, fooling the compiler along the way. (Ha ha!)

Finally, we find a modern TValue incantation suffices to wreak the type change for civilised types such as Integer or String.

Testing for design time in Delphi, in an initialization section

Sometimes it can be handy to test for design-time in a component unit when the component package is first loaded, e.g. within an initialization section, rather than when a component is created or registered. We use this to validate that runtime units that interoperate with a component are linked into a project, and raise an error as early as possible if they are not.

With Delphi’s RTTI, this is fairly straightforward, I believe:

function IsDesignTime: Boolean;
begin
  Result := TRttiContext.Create.FindType('ToolsAPI.IBorlandIDEServices') <> nil;
end;

Is there anything wrong with this?

Even charset geeks can be fooled by character spoofing

I was preparing a new git repository today for a website, on my Windows machine, and moving a bunch of existing files over for addition.  When I ran git add ., I ran into a weird error:

C:\tavultesoft\website\help.keyman.com> git add .
fatal: unable to stat 'desktop/docs/desktop_images/usage-none.PNG': No such file or directory

How could a file be there — and not there?  I fired up Explorer to find the file and there it was, looked fine.  I’d just copied it there, so of course it was there!

[Screenshot: usage.png seems to be there just fine]

For a moment, I scratched my head, trying to figure out what could be wrong.  The file looked fine.  It was in alphabetical order, so it seemed that the letters were of the correct script.

Being merely a bear of little brain, it took me some time to realise that I could just examine the character codepoints in the filename.  When this finally sunk in, I quickly pulled out my handy charident tool and copied the filename text to the clipboard:

[Screenshot: usage-none-selection]

And pasted it into the Character Identifier:

[Screenshot: usage-none-charident]

With a quick scan of the Unicode code points, I quickly noticed that, sure enough, the letter ‘g’ (highlighted) was not what was expected.  It turns out that U+0261 is LATIN SMALL LETTER SCRIPT G, not quite what was anticipated (U+0067 LATIN SMALL LETTER G).  And in the Windows 8.1 fonts used in Explorer, the ‘ɡ’ and ‘g’ characters look identical!

[Image: g-g]

I checked some of the surrounding files as well.  And looking at usage-help.PNG, I could see no problems with it:

[Screenshot: usage-help-charident]

So why did git get so confused?  OK, so git is a tool ported from another world (“Linux”).  It doesn’t quite grok Windows character set conventions for filenames.  This is kinda what it saw when looking at the file (yes, that’s from a dir command):

usa[]e

But then somewhere in the process, a normalisation was done on the original filename, converting ɡ to g, and thus it found a mismatch, and reported a missing usage-none.PNG.

Windows does a similar compatibility normalisation and so confuses the user with seemingly sensible sort orders.  But it doesn’t prevent you from creating two files with visually identical names, thus:

[Screenshot: double-usage-none]

I’m sure there’s a security issue there somewhere…
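An added example (mine, not the post’s): a small Python audit of the kind worth running over a directory listing before git add, given a constructed set of filenames that reproduces the U+0261 case above.  The CONFUSABLES map is a hand-made stand-in for the Unicode confusables data (UTS #39), and all filenames are assumptions.

```python
import unicodedata
from collections import defaultdict

# Constructed sample listing: the post's real case was usage-none.PNG whose
# "g" was U+0261 (LATIN SMALL LETTER SCRIPT G), which Explorer renders like "g".
SAMPLE_NAMES = [
    "usage-help.PNG",
    "usage-none.PNG",
    "usa\u0261e-none.PNG",
]

# Hand-made confusable map for this demo; a real check would load the
# UTS #39 confusables.txt table instead of a three-entry dictionary.
CONFUSABLES = {
    "\u0261": "g",  # LATIN SMALL LETTER SCRIPT G
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
}


def non_ascii_chars(name):
    """Every non-ASCII code point in a filename: (index, char, U+XXXX, name)."""
    return [
        (i, ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>"))
        for i, ch in enumerate(name)
        if ord(ch) > 0x7F
    ]


def nfkc_unifies(a, b):
    """True if Unicode compatibility normalisation alone makes a and b equal.

    U+0261 has no compatibility decomposition, so NFKC leaves it alone: a
    normalising comparison by itself does not catch this lookalike.
    """
    return unicodedata.normalize("NFKC", a) == unicodedata.normalize("NFKC", b)


def skeleton(name):
    """Fold a name to what a reader sees: NFKC, case fold, then confusables to ASCII."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def lookalike_groups(names):
    """Distinct names that fold to the same skeleton, keyed by that skeleton."""
    groups = defaultdict(set)
    for n in names:
        groups[skeleton(n)].add(n)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def audit(names):
    """Human-readable findings for a listing; an empty list means nothing suspicious."""
    findings = []
    for n in names:
        for i, ch, cp, uname in non_ascii_chars(n):
            findings.append(f"{n!r}: char {i} is {cp} {uname}")
    for skel, members in lookalike_groups(names).items():
        findings.append(f"lookalike set {members} all display as {skel!r}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_NAMES):
        print(line)
```

Run against a real tree, feed it os.listdir() output per directory; a non-empty result is the cue to check the file with a tool like the Character Identifier shown above.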

Camping at Freycinet

On Sunday, I finally took Hannah camping, as I had promised quite some time ago.  The weather was great and off we went, a Dad and Daughter camping trip!  We ate fish and chips in Swansea, had a coffee and cake (dad had coffee, daughter had cake!) at Tombolo’s in Coles Bay, and then started walking over the Wineglass Bay Lookout, and down to Wineglass Bay.  Wineglass Bay Beach seemed to last forever, but we eventually arrived at our camp spot, at the far end of the beach, which was warm, and still, and deserted.  It was beautiful, as we ate our pasta for dinner and then explored after dinner, finding amazing views, and shells and bones.  Wallabies were interested, and none too shy, of us and our packs and things.

Camping overnight went well, and the following morning, we walked back out, and back over the Wineglass Bay Lookout.  To pass the time as we climbed, Hannah gave me a Five Things Story to tell.  This is a little tradition we have, where one of us gives the other five random things, and we have to construct a story out of it.  Here’s the story for the climb:

Five Things: Little girl, man, spy agency, secret spy lamp, magical talking hairbrush

Daniel Higginbottom was, to all appearances, a very ordinary man.  He drove a boring brown car, ate boring breakfast cereal, and worked as an accountant in the Department of the Treasury in the Kingdom.  But as we shall see, things aren’t always quite what they seem.  Not even to Daniel.

One morning, Daniel arose, got dressed, ate his breakfast, and drove his ordinary brown car down to his office, where he parked in his usual spot under the building, and took the lift up to his office.  And here’s where we discover the first thing.  For while Daniel appeared to work in the Department of the Treasury, in actual fact, his job was definitely interesting.  Because Daniel was a spy!

On this fine morning, Daniel walked into the Spy Master’s office, to which he had been summoned the instant he arrived in the building.

“Daniel, my man, I have a new mission for you!  Do you wish to accept it?”

“What?  How can I decide if I will accept it unless I know what it is?”

“Well, I could tell you, but then if you didn’t accept, I’d have to kill you,” his boss replied.

“Uh, well, in that case, I accept!” said Daniel.

“Good man!  I knew I could count on you!” cried the Spy Master.  “Now, in the neighbouring kingdom, there is a princess who has a priceless magical talking hairbrush.  We require you to obtain this hairbrush and return it to our kingdom.  Any questions?”

“None so far,” said Daniel, who as you can probably tell by now was a very confident fellow.

“Very well.  We have prepared your usual Spy Gadgets, and one new one: this tube of toothpaste which I am passing you now appears to be completely normal, until you press it just so” – and the Spy Master pressed it, just so – “and then it turns into a Secret Spy Lamp.”  And so it did.

“Excellent!” said Daniel enthusiastically.  He turned and walked out of the office, collecting his Spy Kit on the way, and made his way back down to the car park.  I should mention at this point that he was now known as Fred Smith, Agent Extraordinaire.  And there was no way that Fred Smith, Agent Extraordinaire could possibly drive a boring brown car.  No, he drove a bright red sports car.

And so “Fred” drove his bright red sports car all the way to the neighbouring kingdom.  He had no trouble making his way to the capital, and as soon as he arrived, he saw the posters announcing that there was to be a Ball at the King’s Castle-Palace the following evening, to celebrate the eighth birthday of the princess.  “Excellent!” thought our intrepid agent.  Now he just needed to get an invitation.

He drove around the beautiful little city that surrounded the palace-castle up on the mount, until he found a couturier, where a steady stream of young ladies entered and exited, getting last minute changes made to their ball gowns.  He watched and waited for a bit until he spotted a young lady that he decided would be his target.

He approached her and introduced himself.  Then he asked about all the people going into the milliners’ store, and she explained about the Ball.

“Oh wow!” said Fred-Daniel.  “I’ve always wanted to go to a Ball!”

“That’s amazing!” exclaimed the young lady. “It just so happens I have a spare invitation.  Would you like it?”

“Would I ever?” responded Fred, enthusiastically as ever.  “Boy,” he thought to himself, “this mission is a walk in the park.  Twenty minutes in and I’ve already got a way into the Palace!”  And then he tried his next card: “would you like a lift home in my bright red sports car?”

“That would be lovely,” said the young lady.  (And here, may I add, if an enthusiastic young man ever offers *you* a lift home, especially if he is driving in a bright red sports car, I would highly recommend you *don’t* accept!)

A few minutes later, the young lady said, “please drop me at this corner.”  They stopped, and she continued, “I’d really like to introduce you at the Ball – would you like to pick me up from this corner tomorrow evening, at 5pm?”

“Certainly!” said Daniel-Fred.  “How much easier could this mission get?” he thought.

So Agent Fred made his way to his hotel, where he slept and then breakfasted somewhat in the manner of his alter ego, that is, boringly, and prepared for the Ball that evening.  Near 5 o’clock, all dressed up in his finest clothes, he made his way to the corner, where sure enough, the young lady was waiting!

They drove together up the hill to the castle, a windy road clinging to the edge of the cliff, passing every now and then houses perched on the very edge of the precipice.  Finally, they arrived at the palace gates, and the young lady leaned over and said, “Madelina Brompton, and guest.”  (So now we finally know her name.)  The palace guard seemed to think this was just fine, and opened the gate, and in they drove.

They followed the line of cars carrying guests to the Ball, until Madelina told Fred to park in her own parking spot, before they reached the front door.  As soon as the car pulled to a stop, four men leaped out of a door and surrounded the car!  Daniel-Fred looked at Madelina with astonishment, as she now sat there holding a gun, pointing at him.  “Out of the car, please, Mr Smith, or should I say Mr Higginbottom!” she asked.

Daniel certainly felt confused.  How had she cracked his secret identity?  But he didn’t have much time to think about that, as he was hustled down the stairs and into a dark cell.  As the door slammed, he started to feel a bit sorry for himself, until he remembered his toothpaste tube.  They hadn’t taken that from him, at least.  He could have clean teeth … no, wait, he could see!  He pressed the toothpaste tube just so, and it lit up, just so.  He explored his cell carefully, and finally found down in one corner, some writing scratched on the wall: “the way lies beneath.”

This seemed too good to be true, but Daniel was enthusiastic and confident, even despite this minor setback in his plans, so he set to testing all the flagstones until he found one that lifted up.  And indeed there was a passage out from his cell from this flagstone.  Without hesitation, he dived down the passage, and shortly thereafter found himself in the sewer tunnel under the Palace.

A few minutes later, he found himself outside the Palace walls, the Palace high above him on the cliff face.  But Daniel was on familiar ground again: he knew how he could get into the Palace, and instantly started to climb his way up the cliff face to the windows shining out into the night, high above him.  Surely there would be an open window somewhere, and he wouldn’t have to climb all the way to the roof!

And there was, above and to the right, an open window.  Carefully but smoothly he climbed up the wall, swinging himself from handhold to handhold, just like any secret agent would.  He reached the window very quickly indeed, considering how high the cliff was, and how high the walls reached above the cliff, and swung himself inside, behind the curtain, and caught his breath.

He felt like gasping for breath, and his heart hammered in his chest, but he could hear someone talking in the room, on the phone it sounded like, so he worked hard to make no noise at all.  The person’s voice sounded somewhat familiar, and he listened as she spoke: “… yes … no problem at all … he did seem rather the confident sort … oh no, I’m sure he has escaped from that cell now … any moment now I’m sure he’ll be climbing in my window and I’ll be ready …”

Daniel froze.  But only for a second, and then he dove back out the window, and clung grimly to the wall, waiting and straining to hear the rest of the conversation.

“ … just a second …” and, yes, it was Madelina Brompton who pulled the curtains back and looked around while Daniel pushed himself against the wall and tried his hardest to keep out of sight in the shadows.  She let the curtains swing open and went back to the telephone “ … no, no sign of him … he mustn’t be as good as we thought …” and here Daniel grinned to himself in grim glee – at least here he had outwitted her!  Madelina finished her conversation and Daniel heard the door close.  He waited a minute, and then hauled himself back into the room.

Daniel pondered.  What was going on?  How did Madelina know about him?  Did she know about his mission?  Had someone given him away?

But the room was now deserted, and Daniel quickly cracked the door open and looked down the hallway.  It shouldn’t be hard from here to make his way to the Princess’s suite, he thought.  And it wasn’t.  The hallways seemed to be deserted, although he could hear in the distance the sounds of a Grand Ball.

Daniel looked at his clothes regretfully.  They certainly weren’t spick and span now, ready for a Ball, after having clambered through a secret passage, slithered down a sewer, and climbed up a wall.  Despite that, they were surprisingly clean!

Without a lot of trouble, and without being spotted, he found the Princess’s suite, and eased his way in the door.  And there, sitting on a dressing table, visible through the open door of the dressing room, was a hairbrush.  No doubt, the very hairbrush he had been tasked to collect!

He quickly strode across the room, walked into the dressing room, reached for the hairbrush, and felt someone looking at him.  He turned, and there sitting in the corner of the dressing room, was Madelina Brompton!

“Welcome, Daniel!” she said.  Daniel swung around to leave, but someone was now standing in the doorway.  His Spy Master was standing in the doorway.  Daniel’s world was falling.  What was going on?  Now, the young princess arrived in the doorway too!

The Spy Master looked at him.  “Daniel,” he said, “you’ve been too over-confident recently, and we wanted to teach you a little lesson.  You fell for the basic trick of trusting a stranger!  And see where it got you!”

“What I think is funny,” said the princess, “is that you just believed that my hairbrush was magical and could talk!  That’s just crazy!”

“But I can talk!” said her hairbrush.

THE END

After the lookout, we made our way to the carpark, deposited our big packs, and immediately started the climb of Mt Amos. We knew we had only 3 hours to get to the top and back, and it certainly was a challenging climb! But we made it! And got back to the car park, only 2 hours and 50 minutes later.

We took lots of photos. Here are some of the best holiday photos (the scenery photos are later):


Hannah and Dad Trip – Holiday Photos, a set on Flickr.

Then we drove back, stopping in Swansea for fish and chips, and a quick sorbet at Kate’s Berry Farm, before driving all the way back to Hobart, to the telling of another Five Things Story.

Five Things: king, queen, ballerina, diamond, boy
Once upon a time, in the far-off Kingdom of Knott, there lived a kindly King and Queen. They loved their Kingdom, and looked after it, and the pride of their hearts and in fact the pride of the entire Kingdom was the stupendous diamond that was on display in the most important ballroom in their palace!

This diamond sat on a velvet cushion in a glass display case in the ballroom. The King would sometimes lie awake at night, worrying that the diamond might be stolen, but he had protected the diamond as best as he knew how, with the Palace Guards, a secret camera, and even the glass case itself was bulletproof! All would come from far around to gaze upon the magnificence of the diamond. The King and Queen would often stop, on their way to bed, just to admire it!

Now, the Kingdom of Knott (not the Kingdom of Not, nor even of Nott, or Knot, but Knott) was going to have a magnificent celebration. And the highlight of the celebration would be the solo ballet performance by none other than the most famous star of ballet, Madame Tutu! The whole Kingdom waited for the day to arrive.

All but one, that is. Young Jack was not really looking forward to the day to arrive. Jack worked as a servant in the Palace, in the kitchens, and he was the least important person in the whole palace. His usual job was to peel the potatoes for all the meals and banquets, and to be bossed around by everyone else from the Head Cook on down to the Scullery Maids.

But Jack was also a nice boy and didn’t complain or really even mind that much! All the same, the Grand Banquet on the day of celebration would involve a lot of potatoes so he was dreading that a bit! Of course, the king and queen had no idea that he even existed, because they would never go into the kitchens.

The day before the celebration finally arrived. Madame Tutu arrived, in pomp and state, dressed in resplendent gown and trailing feathers and jewels. She was immediately taken to see the diamond, and it was hard to tell which outshone the other – the ballet dancer, or the jewel! After mutual admiration (if a diamond can admire…) Madame Tutu retired to her suite to prepare for the big day.

Downstairs, Jack peeled potatoes. Lots and lots and lots of potatoes! In fact the pile looked so large, it didn’t seem like he’d ever finish it. But finally, after midnight, he finished peeling the last potato, placing it on the huge pile next to him, ready for cooking, and climbed wearily into his bed, between the scullery door and the potato bin, pulling the old sacks that he used for blankets over his shoulders and instantly falling asleep.

Back upstairs, Madame Tutu’s bed didn’t have any sacks for blankets. No sir! In fact, she had silk, and cushions, and duvets, and a mattress ever so soft and large. But surprisingly enough, Madame Tutu was not in the bed. She was sitting at a table, looking at a large piece of paper. Paper that looked surprisingly like a floor plan. And in fact, it was a floor plan of the palace! What on earth was she up to? And then she picked up an instruction manual for a security camera. Why would she be interested in that?

With a satisfied smile, she placed the manual down on the table, and started to get changed. But not into pyjamas. She put on black tights, black top, and even small black shoes. She put on a black belt with little compartments on it, and a thin black rope looped up on it. She pulled black gloves over her hands, and finally pulled a black mask over her head! What was going on?

Madame Tutu opened her door, and stealthily crept down the stairs, into the servants’ wing, where she slipped past the sleeping boy Jack, and opened the scullery door. A chill breeze blew in and down Jack’s neck, and he woke up and opened one eye lazily. He saw a lady all dressed in black clothes quietly closing the door, and creeping back up the stairs.

Now Jack was curious, so he slipped out of bed and quietly followed her. And saw her stop just outside the grand ballroom, and unhook her rope and toss it over a beam far overhead. Then she quickly climbed up the rope and swung through a window up near the ceiling, into the ballroom itself! Jack could just see her, putting something on top of the security camera in the ballroom, before she swung back down into the ballroom and out of sight.

Jack quickly crept into the ballroom. This lady in black was certainly up to no good! He watched her pull out a diamond saw from her belt and cut a hole in the magnificent diamond’s display case. It may have been bulletproof, but it wasn’t sawproof! She pulled the cut piece of glass away with a sucker, and pulled a small rock out of her belt (her belt had a lot of useful things in it!) The lady (who we know as Madame Tutu) hefted the rock in her hand before gently, ever so gently, passing it through the hole in the display case, and smoothly, but quickly, replacing the diamond with the rock!

She placed the diamond in her belt and then Jack acted. He jumped out, grabbed her rope, and tripped her over with it! All of a sudden, the graceful, lithe lady in black didn’t seem so graceful as she fell over with a thud and uttered a whole lot of very unladylike words! She tried to fight but Jack had surprised her and managed to tie her up. Then he raised the alarm. How did he do that? Well, he just pulled the rock off the diamond’s cushion, and the diamond alarm system went off immediately!

The palace guard came charging in. He knew Jack, of course, and in fact Jack was his nephew. Then he saw the lady in black. Jack told him to look in her belt compartment, so he did, and discovered the diamond! The king and queen came running in, the king in his dressing gown, and with a night cap on, not looking at all like a king, and the queen in her dressing gown and hair rollers, not looking at all like a queen! They stared as the palace guard took off the lady’s mask, and all gasped as they realised it was none other than Madame Tutu! The palace guard told the king and queen that Jack had uncovered the plot, and the king was astonished, and asked Jack what he would like as a reward.

Jack was embarrassed. “Oh I don’t need anything,” he said, “I was just happy to save the diamond!”

“In that case,” replied the king, “I think I will give you a knighthood! But for now, off to bed!”

And with that Jack went back down to his bed, between the scullery door and the potato bin, pulling his sacks over his shoulders and eventually falling asleep again. Madame Tutu was taken down to a cell, where a much more uncomfortable bed than she had been expecting awaited her!

The next morning, Jack told the other servants what had happened, but they laughed at him and told him to go and clean the big pile of dishes. Only moments later, though, a huge stir went through the servants’ hall, as none other than the king made his way down the stairs and asked for Jack! Could it possibly be true? And it was, as the king took him upstairs, where servants fussed over him, and cut his hair, and his fingernails, and scrubbed him until he was pink, and generally pushed and pulled until Jack thought he might prefer scrubbing potatoes! They dressed him in clothes so fine that Jack didn’t know what to say, and was afraid to even look in case he tore or stained them.

Jack was led into the grand ballroom, where all the nobles of the kingdom waited for the ceremony to start. The royal herald stood and announced, “please welcome Madame Tutu, here for her solo ballet performance!” The king leaned over and whispered in his ear. “Um,” said the royal herald, at a loss for words, for once in his life, before he recovered, and said, “Due to unforeseen circumstances, we shall be cancelling Madame Tutu’s performance and shall instead have a knighthood ceremony!”

The nobles all looked at each other and started whispering. What could be going on? The king called Jack forward, and in an official and pompous voice, explained: “Last night, Madame Tutu was caught red handed, attempting to steal our most precious and beloved jewel, the Royal Diamond of Knott! Caught red handed, that is, by none other than young Jack here, as he went far above and beyond his duties …” Here he paused and looked at Jack, and whispered, “Ah, what are your normal duties, Jack?”

“Peeling potatoes, Sire,” Jack whispered back.

“Oh… ah,” continued the king, and then decided to leave Jack’s duties unmentioned, “ … and he raised the alarm and rescued our kingdom from certain ignomy and disaster!” As you can tell, the king liked to use big and official sounding words in his speeches. “Thus we have ascertained that we must offer Jack no less than a knighthood for his services to the Kingdom!”

The nobles stood and applauded! Jack stood first on one leg, and then the other, and wished he could disappear into his shoes. But the king took out his sword, and laid it first on one shoulder, and then the other, and proclaimed, “I hereby name you Sir Jack, Most Honourable Knight of Knott!” (Does that sound complicated?)

From that day on, Jack’s life was never the same. In fact, it was much more complicated, even if he did sleep in a more comfortable bed, and occasionally he would think back to his simple life peeling potatoes. But of course, Jack grew up and served the Kingdom as a Knight, and finally ended up marrying the princess. But he never really did like eating potatoes all that much!

THE END

Do you want to know what happened to Madame Tutu? Well as I said, the king and queen were kindly, so they decided that her punishment should just be to peel potatoes, for the rest of her life!

I won’t try to relate Hannah’s Five Things stories, as I’d be sure to make mistakes. So perhaps I’ll ask her to write them up and add them to the story!

Scenery photos!


Hannah and Dad Trip – Scenery, a set on Flickr.

(Edited, 11 Mar, a milliner is a hatmaker, duh)

Finding class instances in a Delphi process using WinDbg

Using WinDbg to debug Delphi processes can be both frustrating and rewarding. Frustrating, because even with the tools available to convert Delphi’s native .TDS symbol file format into .DBG or .PDB, we currently only get partial symbol information. But rewarding when you persist, because even though it may seem obscure and borderline irrational, once you get a handle on the way objects and Run Time Type Information (RTTI) are implemented with Delphi, you can accomplish a lot, quite easily.

For the post today, I’ve created a simple Delphi application which we will investigate in a couple of ways. If you want to follow along, you’ll need to build the application and convert the debug symbols generated by Delphi to .DBG format with map2dbg or tds2dbg. I’ll leave the finer details of that to you — it’s not very complicated. Actually, to save effort, I’ve uploaded both the source, and the debug symbols + dump + executable (24MB zip).

I’ve made reference to a few Delphi internal constants in this post. These are defined in System.pas, and I’m using the constants as defined for Delphi XE2. The values may be different in other versions of Delphi.

In the simple Delphi application, SpelunkSample, I will be debugging a simulated crash. You can choose either to attach WinDbg to the process while it is running, or to create a crash dump file using a tool such as procdump.exe and then work with the dump file. If you do choose to create a dump file, you should capture the full process memory dump, not just stack and thread information (use the -ma flag with procdump.exe).

I’ll use procdump.exe. First, I use tds2dbg.exe to convert the symbols into a format that WinDbg groks:

Convert Delphi debug symbols

Then I just fire up the SpelunkSample process and click the “Do Something” button.
Clicking "Do Something"

Next, I use procdump to capture a dump of the process as it stands. This generates a rather large file, given that this is not much more than a “Hello World” application, but don’t stress, we are not going to be reading the whole dump file in hex (only parts of it).
Procdump to give us something to play with

Time to load the dump file up in Windbg.

I want to understand what is going wrong with the process (actually, nothing is going wrong, but bear with me). I figure it’s important to know which forms are currently instantiated. This is conceptually easy enough to do: Delphi provides the TScreen class, which is instantiated as a global singleton accessible via the Screen variable in Vcl.Forms.pas. If we load this up, we can see a member variable FForms: TList, which contains references to all the forms “on the screen”.

TScreen = class(TComponent)
private
  FFonts: TStrings;
  FImes: TStrings;
  FDefaultIme: string;
  FDefaultKbLayout: HKL;
  FPixelsPerInch: Integer;
  FCursor: TCursor;
  FCursorCount: Integer;
  FForms: TList;
  FCustomForms: TList;
  ...

But how to find this object in a 60 megabyte dump file? In fact, there are two good methods: use Delphi’s RTTI and track back; and use the global screen variable and track forward. I’ll examine them both, because they both come in handy in different situations.

Finding objects using Delphi’s RTTI

Using Delphi’s Run Time Type Information (RTTI), we can find the name of the class in memory and then track back from that. This information is in the process image, which is mapped into memory at a specific address (by default, 00400000 for Delphi apps, although you can change this in Linker options). So let’s find out where this is mapped:

0:000> lmv m SpelunkSample
start    end        module name
00400000 00b27000   SpelunkSample   (deferred)             
    Image path: C:\Users\mcdurdin\Documents\SpelunkSample\Win32\Debug\SpelunkSample.exe
    Image name: SpelunkSample.exe
    Timestamp:        Tue Dec 10 09:19:01 2013 (52A641D5)
    CheckSum:         0071B348
    ImageSize:        00727000
    File version:     1.0.0.0
    Product version:  1.0.0.0
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04e4
    ProductVersion:   1.0.0.0
    FileVersion:      1.0.0.0

Now we can search this memory for a specific ASCII string, the class name TScreen. When searching through memory, it’s important to be aware that this is just raw memory. So false positives are not uncommon. If you are unlucky, then the data you are searching for could be repeated many times through the dump, making this task virtually impossible. In practice, however, I’ve found that this rarely happens.

With that in mind, let’s search for it using the s -a command:

0:000> s -a 0400000 00b27000 "TScreen"
004f8f81  54 53 63 72 65 65 6e 36-00 90 5b 50 00 06 43 72  TScreen6..[P..Cr
004f9302  54 53 63 72 65 65 6e e4-8b 4f 00 f8 06 44 00 02  TScreen..O...D..
00a8e926  54 53 63 72 65 65 6e 40-24 62 63 74 72 24 71 71  TScreen@$bctr$qq
00a8ea80  54 53 63 72 65 65 6e 40-24 62 64 74 72 24 71 71  TScreen@$bdtr$qq
00a8ea9f  54 53 63 72 65 65 6e 40-47 65 74 48 65 69 67 68  TScreen@GetHeigh
00a8eac2  54 53 63 72 65 65 6e 40-47 65 74 57 69 64 74 68  TScreen@GetWidth
00a8eae4  54 53 63 72 65 65 6e 40-47 65 74 44 65 73 6b 74  TScreen@GetDeskt
00a8eb0b  54 53 63 72 65 65 6e 40-47 65 74 44 65 73 6b 74  TScreen@GetDeskt
00a8eb33  54 53 63 72 65 65 6e 40-47 65 74 44 65 73 6b 74  TScreen@GetDeskt
00a8eb5d  54 53 63 72 65 65 6e 40-47 65 74 44 65 73 6b 74  TScreen@GetDeskt
00a8eb86  54 53 63 72 65 65 6e 40-47 65 74 4d 6f 6e 69 74  TScreen@GetMonit

00ada300  54 53 63 72 65 65 6e 40-43 6c 65 61 72 4d 6f 6e  TScreen@ClearMon
00ada32b  54 53 63 72 65 65 6e 40-47 65 74 4d 6f 6e 69 74  TScreen@GetMonit
00ada354  54 53 63 72 65 65 6e 40-47 65 74 50 72 69 6d 61  TScreen@GetPrima

Whoa, that’s a lot of data. Looking at the results though, there are two distinct ranges of memory: 004F#### and 00A#####. Those in the 00A##### range are actually Delphi’s native debug symbols, mapped into memory. So I can ignore those. To keep myself sane, and make the debug console easier to review, I’ll rerun the search for a smaller range:

0:000> s -a 0400000 00a80000 "TScreen"
004f8f81  54 53 63 72 65 65 6e 36-00 90 5b 50 00 06 43 72  TScreen6..[P..Cr
004f9302  54 53 63 72 65 65 6e e4-8b 4f 00 f8 06 44 00 02  TScreen..O...D..

Now, these two references are close together, and I will tell you that the first one is the one we want. Generally speaking, the first one is in the class metadata, and the second one is not important today. Now that we have that "TScreen" string found in memory, we need to go back 1 byte. Why? Because "TScreen" is a Delphi ShortString, which is a string up to 255 bytes long, implemented as a length:byte followed by data (ANSI chars). And then we search for a pointer to that memory location with the s -d command:

0:000> s -d 0400000 00a80000 004f8f80
004f8bac  004f8f80 000000bc 0043ff28 00404ff4  ..O.....(.C..O@.

Only one reference, nearby in memory, which is expected — the class metadata is generally stored near the class implementation. Now this is where it gets a little brain-bending. This pointer is stored in Delphi’s class metadata, as I said. But most of this metadata is actually stored in memory before the class itself. Looking at System.pas, in Delphi XE2 we have the following metadata for x86:

  vmtSelfPtr           = -88;
  vmtIntfTable         = -84;
  vmtAutoTable         = -80;
  vmtInitTable         = -76;
  vmtTypeInfo          = -72;
  vmtFieldTable        = -68;
  vmtMethodTable       = -64;
  vmtDynamicTable      = -60;
  vmtClassName         = -56;
  vmtInstanceSize      = -52;
  vmtParent            = -48;
  vmtEquals            = -44 deprecated 'Use VMTOFFSET in asm code';
  vmtGetHashCode       = -40 deprecated 'Use VMTOFFSET in asm code';
  vmtToString          = -36 deprecated 'Use VMTOFFSET in asm code';
  vmtSafeCallException = -32 deprecated 'Use VMTOFFSET in asm code';
  vmtAfterConstruction = -28 deprecated 'Use VMTOFFSET in asm code';
  vmtBeforeDestruction = -24 deprecated 'Use VMTOFFSET in asm code';
  vmtDispatch          = -20 deprecated 'Use VMTOFFSET in asm code';
  vmtDefaultHandler    = -16 deprecated 'Use VMTOFFSET in asm code';
  vmtNewInstance       = -12 deprecated 'Use VMTOFFSET in asm code';
  vmtFreeInstance      = -8 deprecated 'Use VMTOFFSET in asm code';
  vmtDestroy           = -4 deprecated 'Use VMTOFFSET in asm code';

Ignore that deprecated noise — it’s the constants that we want to know about. So the vmtClassName is at offset -56 (-38 hex). In other words, to find the class itself, we need to look 56 bytes ahead of the address of that pointer that we just found. That is, 004f8bac + 38h = 004f8be4. Now, if I use the dds (display words and symbols) command, we can see pointers to the implementation of each of the class’s member functions:

0:000> dds 004f8bac + 38
004f8be4  00445574 SpelunkSample!System.Classes.TPersistent.AssignTo
004f8be8  004515f8 SpelunkSample!System.Classes.TComponent.DefineProperties
004f8bec  004454a4 SpelunkSample!System.Classes.TPersistent.Assign
004f8bf0  004516f0 SpelunkSample!System.Classes.TComponent.Loaded
004f8bf4  00451598 SpelunkSample!System.Classes.TComponent.Notification
004f8bf8  00451700 SpelunkSample!System.Classes.TComponent.ReadState
004f8bfc  004520ac SpelunkSample!System.Classes.TComponent.CanObserve
004f8c00  004520b0 SpelunkSample!System.Classes.TComponent.ObserverAdded
004f8c04  00451f24 SpelunkSample!System.Classes.TComponent.GetObservers
004f8c08  00451b48 SpelunkSample!System.Classes.TComponent.SetName
004f8c0c  00452194 SpelunkSample!System.Classes.TComponent.UpdateRegistry
004f8c10  00451710 SpelunkSample!System.Classes.TComponent.ValidateRename
004f8c14  00451708 SpelunkSample!System.Classes.TComponent.WriteState
004f8c18  0045219c SpelunkSample!System.Classes.TComponent.QueryInterface
004f8c1c  00505b90 SpelunkSample!Vcl.Forms.TScreen.Create
004f8c20  00452070 SpelunkSample!System.Classes.TComponent.UpdateAction
004f8c24  0000000e
004f8c28  00010000
004f8c2c  12880000
004f8c30  00400040 SpelunkSample+0x40
004f8c34  00000000
004f8c38  00000000
004f8c3c  1800001d
004f8c40  3800439d
004f8c44  06000000
004f8c48  6e6f4646
004f8c4c  00027374
004f8c50  439d1800
004f8c54  00003c00
004f8c58  49460500
004f8c5c  0273656d
004f8c60  12880000

Huh. That’s interesting, but it’s a sidetrack; we can see TScreen.Create which suggests we are looking at the right thing. There’s a whole lot more buried in there but it’s not for this post. Let’s go back to where we were.

How do we take that class address and find instances of the class? I’m sure you can see where we are going. But here’s where things change slightly: we are looking in allocated memory now, not just the process image. So our search has to broaden. Rather than go into the complexities of memory allocation, I’m going to go brute force and look across a much larger range of memory, using the L? search parameter (which allows us to search more than 256MB of data at once):

0:000> s -d 00400000 L?F000000 004f8be4
004f8b8c  004f8be4 00000000 00000000 004f8c24  ..O.........$.O.
0247b370  004f8be4 00000000 00000000 00000000  ..O.............

Only two references. Why two and not one, given that we know that TScreen is a singleton? Well, because Delphi helpfully defines a vmtSelfPtr metadata member, at offset -88 (and if we do the math, we see that 004f8be4 - 004f8b8c = 58h = 88d), so the first hit is the class pointing at itself. So let’s look at the second one. That’s our TScreen instance in memory.

In this case, there was only one instance. But you can sometimes pick up objects that have been freed but where the memory has not been reused. There’s no hard and fast way (that I am aware of) of identifying these cases — but using the second method of finding a Delphi object, described below, can help to differentiate.

I’ll come back to how we use this object memory shortly. But first, here’s another way of getting to the same address.

Finding a Delphi object by variable or reference

As we don’t have full debug symbol information at this time, it can be difficult to find variables in memory. For global variables, however, we know that the location is fixed at compile time, and so we can use the disassembler in WinDbg to locate the address relatively simply. First, look in the source for a reference to the Screen global variable. I’ve found it in the FindGlobalComponent function (ironically, that function is doing programmatically what we are doing via the long and laborious manual method):

function FindGlobalComponent(const Name: string): TComponent;
var
  I: Integer;
begin
  for I := 0 to Screen.FormCount - 1 do
  begin
    ...

So, disassemble the first few lines of the function. Depending on the conversion tool you used, the symbol format may vary (x spelunksample!*substring* can help in finding symbols).

0:000> u SpelunkSample!Vcl.Forms.FindGlobalComponent
SpelunkSample!Vcl.Forms.FindGlobalComponent:
004fcda8 53              push    ebx
004fcda9 56              push    esi
004fcdaa 57              push    edi
004fcdab 55              push    ebp
004fcdac 8be8            mov     ebp,eax
004fcdae a100435200      mov     eax,dword ptr [SpelunkSample!Spelunksample.initialization+0xb1ac (00524300)]
004fcdb3 e81c910000      call    SpelunkSample!Vcl.Forms.TScreen.GetFormCount (00505ed4)
004fcdb8 8bf0            mov     esi,eax

The address 00524300, loaded by the mov eax instruction, corresponds to the Screen variable. The initialization+0xb1ac rubbish suggests missing symbol information, because (a) it doesn’t make much sense to be pointing to the “initialization” code, and (b) the offset is so large. And in fact, that is the case: we don’t have symbols for global variables at this time (one day).

But because we know this, we also know that 00524300 is the address of the Screen variable. The variable, which is a pointer, not the object itself! But because it’s a pointer, it’s easy to get to what it’s pointing to!

0:000> dd 00524300 L1
00524300  0247b370

Look familiar? Yep, it’s the same address as we found the RTTI way, and somewhat more quickly too. But now on to finding the list of forms!

Examining object members

Let’s dump that TScreen instance out and annotate its members. The symbols below I’ve manually added to the data, by looking at the implementation of TComponent and TScreen. I’ve also deleted some misleading annotations that Windbg added.

0:000> dds poi(00524300)
0247b370  004f8be4 TScreen
0247b374  00000000 TComponent.FOwner
0247b378  00000000 TComponent.FName
0247b37c  00000000 TComponent.FTag
0247b380  00000000 TComponent.FComponents
0247b384  00000000 TComponent.FFreeNotifies
0247b388  00000000 TComponent.FDesignInfo
0247b38c  00000000 TComponent.FComponentState
0247b390  00000000 TComponent.FVCLComObject
0247b394  00000000 TComponent.FObservers
0247b398  00000001 TComponent.FComponentStyle
0247b39c  00000000 TComponent.FSortedComponents
0247b3a0  0043fec8 
0247b3a4  0043fed8 
0247b3a8  00000000 TScreen.FFonts
0247b3ac  024b4e10 TScreen.FImes
0247b3b0  00000000 TScreen.FDefaultIme
0247b3b4  04090c09 TScreen.FDefaultKbLayout
0247b3b8  00000060 TScreen.FPixelsPerInch
0247b3bc  00000000 TScreen.FCursor
0247b3c0  00000000 TScreen.FCursorCount
0247b3c4  02489da8 TScreen.FForms
0247b3c8  02489dc0 ...

How did I map that? It’s not that hard — just look at the class definitions in the Delphi source. You do need to watch out for two things: packing, and padding. x86 processors expect variables to be aligned on a boundary of their size, so a 4 byte DWORD will be aligned on a 4 byte boundary. Conversely, a boolean only takes a byte of memory, and multiple booleans can be packed into a single DWORD. Delphi does not do any ‘intelligent’ reordering of object members (which makes life a lot simpler), so this means we can just map pretty much one-to-one. The TComponent object has the following member variables (TPersistent and TObject don’t have any member variables):

  TComponent = class(TPersistent, IInterface, IInterfaceComponentReference)
  private
    FOwner: TComponent;
    FName: TComponentName;
    FTag: NativeInt;
    FComponents: TList;
    FFreeNotifies: TList;
    FDesignInfo: Longint;
    FComponentState: TComponentState;
    FVCLComObject: Pointer;
    FObservers: TObservers;
    ...
    FComponentStyle: TComponentStyle;
    ...
    FSortedComponents: TList;

And TScreen has the following (we’re only interested in the members up to and including FForms):

  TScreen = class(TComponent)
  private
    FFonts: TStrings;
    FImes: TStrings;
    FDefaultIme: string;
    FDefaultKbLayout: HKL;
    FPixelsPerInch: Integer;
    FCursor: TCursor;
    FCursorCount: Integer;
    FForms: TList;
    ...

Let’s look at 02489da8, the FForms TList object. The first member variable of TList is FList: TPointerList. Knowing what we do about the object structure, we can:

0:000> dd 02489da8 L4
02489da8  004369e8 02482da8 00000001 00000004

It can be helpful to do a sanity check here and make sure that we haven’t gone down the wrong rabbit hole. Let’s check that this is actually a TList (poi dereferences a pointer, but you should be able to figure the rest out given the discussion above):

0:000> da poi(004369e8-38)+1
00436b19  "TList'"

And yes, it is a TList, so we haven’t dereferenced the wrong pointer. All too easy to do in the dark cave that is assembly-language debugging. Back to the lead. We can see from the definition of TList:

  TList = class(TObject)
  private
    FList: TPointerList;
    FCount: Integer;
    FCapacity: Integer;
    ...

That we have a pointer to 02482da8 which is our list of form pointers, and a count of 00000001 form. Sounds good. Take a quick peek at that form:

0:000> dd poi(02482da8) L1
02444320  005112b4
0:000> da poi(poi(poi(02482da8))-38)+1
0051148e  "TSpelunkSampleForm."

Yes, it’s our form! But what is with that poi poi poi? Well, I could have dug down each layer one step at a time, but this is a shortcut, in one swell foop dereferencing the variable, first to the object, then dereferencing to the class, then back 38h bytes and dereferencing to the class name, and plus one byte for that ShortString hiccup. Saves time, and once familiar you can turn it into a WinDbg macro. But it’s helpful to be familiar with the structure first!
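The two lookups above (scan the image for the ShortString class name, step to the VMT via vmtClassName, then scan for pointers to the VMT; or start from the global Screen variable and walk FForms) are mechanical enough to script. The following is an added example, not code from the post or from SpelunkSample: a Python model of both walks over a constructed 32-bit memory image. The VMT offsets are the XE2 constants quoted above; the instance field offsets (FForms at +54h, TList.FList at +4, TList.FCount at +8) are read off the annotated dumps above; the fake image, its addresses and the stale freed form are all constructed here to show why the RTTI scan over-counts while the FForms walk does not.

```python
import struct

# Constructed 32-bit memory image standing in for a slice of a Delphi process
# dump (sample data built below, not the SpelunkSample dump from the post).
BASE = 0x00400000
MEM = bytearray(0x800)

# Delphi XE2 x86 VMT offsets, from the System.pas constants quoted in the post.
VMT_SELFPTR = -88    # -58h
VMT_CLASSNAME = -56  # -38h

# Instance field offsets assumed from the annotated dds/dd output in the post.
TSCREEN_FFORMS = 0x54   # TScreen.FForms relative to the TScreen instance
TLIST_FLIST = 0x04      # TList.FList
TLIST_FCOUNT = 0x08     # TList.FCount

def u32(addr):
    return struct.unpack_from("<I", MEM, addr - BASE)[0]

def put32(addr, value):
    struct.pack_into("<I", MEM, addr - BASE, value)

def put_shortstring(addr, text):
    data = text.encode("ascii")            # length byte, then the characters
    MEM[addr - BASE] = len(data)
    MEM[addr - BASE + 1:addr - BASE + 1 + len(data)] = data

def read_shortstring(addr):
    n = MEM[addr - BASE]
    return MEM[addr - BASE + 1:addr - BASE + 1 + n].decode("ascii")

def build_class(header_addr, name_addr):
    """Lay down the negative-offset metadata of a VMT; returns the VMT address."""
    vmt = header_addr - VMT_SELFPTR        # header occupies [vmt-58h, vmt)
    put32(vmt + VMT_SELFPTR, vmt)          # vmtSelfPtr points back at the VMT
    put32(vmt + VMT_CLASSNAME, name_addr)  # vmtClassName -> ShortString
    return vmt

# --- build the sample image (all addresses constructed) -----------------------
put_shortstring(BASE + 0x000, "TScreen")
put_shortstring(BASE + 0x010, "TList")
put_shortstring(BASE + 0x020, "TSpelunkSampleForm")
TSCREEN_VMT = build_class(BASE + 0x100, BASE + 0x000)   # -> 00400158
TLIST_VMT = build_class(BASE + 0x180, BASE + 0x010)     # -> 004001d8
FORM_VMT = build_class(BASE + 0x200, BASE + 0x020)      # -> 00400258

SCREEN_VAR = BASE + 0x300                                # the global Screen variable
SCREEN_OBJ, FORMS_LIST, FORMS_ARRAY = BASE + 0x400, BASE + 0x500, BASE + 0x540
LIVE_FORM, STALE_FORM = BASE + 0x600, BASE + 0x700
put32(SCREEN_VAR, SCREEN_OBJ)
put32(SCREEN_OBJ, TSCREEN_VMT)
put32(SCREEN_OBJ + TSCREEN_FFORMS, FORMS_LIST)
put32(FORMS_LIST, TLIST_VMT)
put32(FORMS_LIST + TLIST_FLIST, FORMS_ARRAY)
put32(FORMS_LIST + TLIST_FCOUNT, 1)
put32(FORMS_ARRAY, LIVE_FORM)
put32(LIVE_FORM, FORM_VMT)
put32(STALE_FORM, FORM_VMT)   # freed form whose memory was never reused

# --- the WinDbg-style searches ------------------------------------------------
def search_ascii(text):
    """Like 's -a': every address where the ASCII bytes occur."""
    needle, hits = text.encode("ascii"), []
    i = MEM.find(needle)
    while i != -1:
        hits.append(BASE + i)
        i = MEM.find(needle, i + 1)
    return hits

def search_dword(value):
    """Like 's -d': every 4-byte-aligned slot holding value."""
    needle = struct.pack("<I", value)
    return [BASE + off for off in range(0, len(MEM) - 3, 4) if MEM[off:off + 4] == needle]

def find_class_vmt(name):
    """RTTI route: class-name ShortString -> vmtClassName slot -> VMT."""
    for hit in search_ascii(name):
        if hit == BASE or MEM[hit - 1 - BASE] != len(name):
            continue                          # no length byte: substring of a longer name
        for slot in search_dword(hit - 1):    # slot == vmt + vmtClassName
            vmt = slot - VMT_CLASSNAME
            if u32(vmt + VMT_SELFPTR) == vmt: # sanity check against false positives
                return vmt
    return None

def find_instances(vmt):
    """Every slot holding the class pointer, minus the VMT's own vmtSelfPtr."""
    return [a for a in search_dword(vmt) if a != vmt + VMT_SELFPTR]

def class_name_of(obj):
    """The post's poi(poi(x)-38)+1 chain: instance -> VMT -> ShortString name."""
    return read_shortstring(u32(u32(obj) + VMT_CLASSNAME))

def screen_forms(screen_var=SCREEN_VAR):
    """Variable route: Screen -> FForms (TList) -> FList[0..FCount-1]."""
    screen = u32(screen_var)
    if class_name_of(screen) != "TScreen":
        raise ValueError("Screen variable does not point at a TScreen")
    forms = u32(screen + TSCREEN_FFORMS)
    if class_name_of(forms) != "TList":
        raise ValueError("FForms is not a TList")
    items, count = u32(forms + TLIST_FLIST), u32(forms + TLIST_FCOUNT)
    return [u32(items + 4 * i) for i in range(count)]

if __name__ == "__main__":
    vmt = find_class_vmt("TScreen")
    print(f"TScreen VMT {vmt:08x}, instances {[f'{a:08x}' for a in find_instances(vmt)]}")
    print("live forms:", [f"{a:08x} {class_name_of(a)}" for a in screen_forms()])
    print("RTTI hits for form:", [f"{a:08x}" for a in find_instances(find_class_vmt("TSpelunkSampleForm"))])
```

Run stand-alone it reports one live TScreen, one form reachable through Screen.FForms, and two RTTI hits for the form class; the extra hit is the stale copy, which is exactly the case the text describes where walking from a known variable is the only way to tell live objects from freed ones. The vmtSelfPtr check in find_class_vmt is the scripted version of the sanity check done with da above.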

Your challenge

Your challenge now is to list each of the TMyObject instances currently allocated. I’ve added a little spice: one of them has been freed but some of the data may still be in the dump. So you may find it is not enough to just use RTTI to find the data — recall that the search may find false positives and freed instances. You should find that searching for RTTI and also disassembling functions that refer to member variables in the form are useful. Good luck!

Hint: If you are struggling to find member variable offsets to find the list, the following three lines of code from FormCreate may help (edx ends up pointing to the form instance):

0051168f e87438efff      call    SpelunkSample!System.TObject.Create (00404f08)
00511694 8b55fc          mov     edx,dword ptr [ebp-4]
00511697 898294030000    mov     dword ptr [edx+394h],eax

Rant: Why can’t Microsoft provide actually useful titles on their updates?

Windows Updates have improved dramatically over the last few years.  With Windows 7, the integrated updates install smoothly and without much fuss (apart from the occasional EULA or Internet Explorer Upgrade to throw a spanner in the works).

There’s just one thing.  In general, the update titles are useless.  Completely useless. “Security Update for Windows 7”? Why else would I be running Windows Update?


Furthermore, the detailed description is also useless — it doesn’t actually provide any details!  It’s even more ambiguous than the title! “A security issue has been identified in a Microsoft software product that could affect your system.”


Let’s look at what’s wrong with “Update for Windows 7 for x64-based Systems (KB2830477)”:

  • It doesn’t tell us what the update actually provides
  • We already know it’s for Windows 7 — that’s in the group title.
  • We don’t need to know it’s for x64-based Systems — Windows Update won’t serve us updates for the wrong system type

Why couldn’t we see “Update for RemoteApp and Desktop Connections features is available for Windows (KB2830477)” instead? So which sleeve did I pull that descriptive and useful title from?

Well, the thing is, Microsoft already do know exactly what the update is providing.  They have even taken the time to write a succinct title for the update: it’s the title of the Knowledge Base article associated with the update, and it’s even linked to from the update. For example, instead of “Update for Windows 7 (KB2852386)”, we could have “Update: Disk Cleanup Wizard addon lets users delete outdated Windows updates on Windows 7 SP1 (KB2852386)”

Now it’s even worse when using WSUS — you now have to trawl through hundreds of nearly identically titled updates, with only a KB article number to differentiate.  So easy to accidentally approve the wrong update.  Why, Microsoft, why?  Is it so you don’t scare consumers who don’t understand what the update provides?  They just press the big “Automatic Updates” button anyway!

Admittedly, Microsoft have taken a big step in the right direction with Visual Studio updates: the description for Visual Studio updates generally gives you some information about what is being updated:

But even that could be improved. We’ve got a lot of repeated information: “Visual Studio 2010” is referenced 4 times: in the group title, in the update title, in the update title in the preview pane, and in the description of the update, again in the preview pane! Surely we don’t need to know that 4 times! And why don’t we go with a title of “Update fixes coded UI test issues for Visual Studio 2010 SP1 in IE9 or IE10 when KB 2870699 is installed (KB2890573)”. Sure it’s a little bit long, but it’s better than “Update for Microsoft Visual Studio 2010 Service Pack 1 (KB2890573)”.

So in conclusion, may I ask you, Microsoft, please, fix these update titles? Just start giving us titles that mean something? And if you are feeling particularly generous, you could even update the description of the update to add more meaning, not less!

The farce of security challenge questions (yes, ANZ, I’m talking about you!)

My bank has decided that I have to have some security challenge questions, and gave me a fixed set of questions to add answers to.

They had some simple instructions: “Keep them secret and don’t disclose them to anyone.  Don’t write down or record them anywhere.”  And added a little threat as icing on the cake: “If you don’t follow these instructions, you may be liable for any loss arising from an unauthorised transaction.”

If I actually attempt to give honest answers to the questions, any determined and reasonably intelligent hacker could find the answers to all the questions that I actually know the answer to, within a minute or two, online, tops.

So what if I opt to use 1Password or another password management tool to generate secure and random “password” style answers to these questions?  These would not be readily memorisable and so I’d have to save them in the tool.  But according to their little threat, I can’t do that!  That’s called recording the answers to the questions, and I could be liable if an unauthorised transfer occurs.

The real problem with questions like this is that too much of this information is recorded online, already.  It adds a layer of complexity to the security model, without actually improving security much, if at all.

Then another question arises.  If an acquaintance does happen to ask me where I got married, am I now liable to ANZ if I tell them?  It sounds ridiculous but lawyers be lawyers.  Mind you, given that I have no way of not agreeing to the terms, perhaps it’s unenforceable.  The whole thing is really badly thought out.

Update 9:46am: “Blizzard and insecurity questions: My father’s middle name is vR2Ut1VNj” is a really good read for more detail!

Hobart 10,000 Day 1, 2013 Report

8am at sea level we gathered, 11 riders in all.  The hills loomed above us, but we were not daunted.  Climb them we would, and nothing would stop us.  And when we had climbed them, we would descend to the depths of the valleys, and again we would ascend their lofty heights.

‘Twas a pleasant dream.  And yet we prevailed.  Eight and nine tenths of us completed the course, a 2600m extravaganza of climbing following a tortuous and tangled route around the foothills of Mount Wellington.  One tenth of a rider?  Well, Dan descended the mountain in the support vehicle.  But he did complete all the climbing that was on the menu.  The other Dan pled broken ribs in his early abandon.  And one other rider — his name now lost to my ken — pled afternoon criterium.

Our organisers had fled.  Barry had a touch of the man flu.  And Mark seemed to think it would be more fun to play with awesome slag-destroying remote control robots!

Mark’s Slag Destroying Robot

But we knew we could make it on our own.

The full route, annotated

The morning started with a warm up on Napoleon St.

Napoleon St, 100m @ 16.1%. So short Mesmeride has trouble drawing it!

Then Lynton Ave.

Lynton Ave, 200m @ 12.5%

And Washington St.

Washington St. 400m @ 11.7%. But what a finish!
Washington St

Followed closely by Hillborough Rd.

Hillborough Rd, 700m @ 13.6%

Lots of steep climbs.  Even Sam was forced to swap into the little ring on some of those hills.  After Hillborough, Dan farewelled us as we made our way to Waterworks, and then huffed and puffed our way to the top.

Waterworks, 1200m @ 11.8%

A welcome break was had there, as our intrepid and trusty support driver Stephen awaited with food and drink.  Made the day so much better!

Back down the hill.  A good sensible gradient this time, Huon Rd.

Huon Rd, 4.5km @ 6%

But back to the silly climbs with Old Farm Rd shortly thereafter!

Old Farm Rd, 1.8km @ 8.9%

That was the last of the crazy short steep climbs.  Now we just had 2 climbs left: Strickland and Longley – Wellington.

Strickland we cruised, slightly quicker than I thought we would be able to.

Strickland, 3.0km @ 5.6%

But when we arrived at Longley, another rider noticed that I had broken a spoke on my rear wheel.  Yay!  A quick text message to our support driver, and he turned up within mere seconds, and we had the wheel swapped out and ready to ride in moments.  So it seemed.

Longley Wheel Replacement

Up and up again!  Longley – Neika.  Neika – Fern Tree turnoff.

Neika, 5.6km @ 5.2%

And Fern Tree to the summit of Mt Wellington.  At this point, my legs were telling me ‘enough’!  I dropped back from the front group, and found a more comfortable pace with Chris, and we made our way to the top at a much more survivable pace.  Kudos to all the riders — Tim, Piers, Sam, and others — who finished with PRs up the final climb!

Mt Wellington, 11.2km @ 7.2%

The weather was good, still but not hot.  Cloudy, just a fraction too cold on the descents, but not overly unpleasant.  The company was excellent!  Our support driver was great, and appreciated by all!

Sam did climb Wellington in the Big Ring. Kudos!

And the hills?  Well, I was not quite defeated but I was surely sore at the end.  My Wellington time was certainly not impressive, and while my heart and lungs were ready to give, my legs were not! And the next morning I could barely move, groaning my way out of bed and around the house.  The forecast rain, sleet, hail and wind, together with my evident lack of form, were enough motive for me to pull out of day 2 🙁  I hope they had a good day!

Updated 5 Nov 2013: Photos added to the story. Full set of photos by our support driver Stephen are now available on Flickr

Delphi’s TJSONString.ToString is broken, and how to fix it

As per several QC reports, Data.DBXJSON.TJSONString.ToString is still very broken. Which means, for all intents and purposes, TJSONAnything.ToString is also broken. Fortunately, you can just use TJSONAnything.ToBytes for a happy JSON outcome.

The following function will take any Delphi JSON object and convert it to a string:

function JSONToString(obj: TJSONAncestor): string;
var
  bytes: TBytes;
  len: Integer;
begin
  // Size the buffer from the object's own estimate, then serialise into it
  SetLength(bytes, obj.EstimatedByteSize);
  // With an offset of 0, the returned index equals the number of bytes written
  len := obj.ToBytes(bytes, 0);
  // ToBytes escapes everything outside U+0020-U+007F, so the buffer is 7-bit
  // clean and any single-byte encoding decodes it unchanged
  Result := TEncoding.ANSI.GetString(bytes, 0, len);
end;

Because TJSONString.ToBytes escapes all characters outside U+0020-U+007F, we can assume that the end result is 7-bit clean, so we can use TEncoding.ANSI.  You could instead stream the TBytes to a file or do other groovy things with it.
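As an added check (example code, not from the original post), the function below feeds JSONToString a value containing a non-ASCII character, confirms that the result really is 7-bit clean and carries a \u escape, and parses it back to make sure nothing was lost. It assumes the Data.DBXJSON API of the era the post describes: TJSONObject.AddPair(string, string), TJSONObject.ParseJSONValue(TBytes, Offset), TJSONObject.Get and TJSONPair.JsonValue.

```delphi
{ Requires System.SysUtils and Data.DBXJSON in the uses clause, plus the
  JSONToString function from the post. Returns True when all three checks
  pass. Added example; not part of the original post. }
function CheckSevenBitRoundTrip: Boolean;
const
  { Constructed sample value: 'ü' (U+00FC) lies outside U+0020-U+007F, so
    ToBytes must emit it as a \u escape rather than a raw byte. }
  SampleCity = 'Z'#$00FC'rich';
var
  obj: TJSONObject;
  parsed: TJSONValue;
  text: string;
  ch: Char;
begin
  Result := False;
  obj := TJSONObject.Create;
  try
    obj.AddPair('city', SampleCity);
    text := JSONToString(obj);   // the function from the post
  finally
    obj.Free;
  end;

  { 1. Every character must be 7-bit; if not, TEncoding.ANSI was unsafe. }
  for ch in text do
    if Ord(ch) > $7F then
      Exit;

  { 2. The escape form must be present (hex digit case is not checked). }
  if Pos('\u00', text) = 0 then
    Exit;

  { 3. Parse the 7-bit text back and compare the decoded value. }
  parsed := TJSONObject.ParseJSONValue(TEncoding.ASCII.GetBytes(text), 0);
  try
    Result := (parsed is TJSONObject) and
      (TJSONObject(parsed).Get('city').JsonValue.Value = SampleCity);
  finally
    parsed.Free;
  end;
end;
```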