AaÄÄrÄ–Ä¹Åôô ‰0U `Ä@ê0ƒ ÝÑê 0Ý0Ý¿ê0ýHH $ Ä@ˆ¬d¡ HHHHÄÃÃÄÃÃÄÃÃÄffÄ@ ¯ ¯ ¯ÄÄÄ¡ê– ¯Äô dÅ Footnote TableFootnote*Ýý*Ýý.\t.\t/ - ‹:;,.Š!?bÄs/ bÅTOCHeading1Heading2 /EquationVariablesÄÄ@Æ6ó6ò9·":B$:[&:v(: *;,;o.;¥0;ð2<$monthname> <$daynum>, <$year>"<$monthnum>/<$daynum>/<$shortyear>;<$monthname> <$daynum>, <$year> <$hour>:<$minute00> <$ampm>"<$monthnum>/<$daynum>/<$shortyear><$monthname> <$daynum>, <$year>"<$monthnum>/<$daynum>/<$shortyear> <$fullfilename> <$filename><$paratext[Title]><$paratext[Heading1]> <$curpagenum> <$marker1> <$marker2> (Continued)+ (Sheet <$tblsheetnum> of <$tblsheetcount>)Heading & Page ³<$paratext>² on page<$pagenum>Pagepage<$pagenum>See Heading & Page%See ³<$paratext>² on page<$pagenum>. Table All7Table<$paranumonly>, ³<$paratext>,² on page<$pagenum>Table Number & Page'Table<$paranumonly> on page<$pagenum>AAlAÄ5y5|55ÇÄ5Ö5à9‘<“Ä)?–?—?¯9×9ÿ9*9Ž9¤9Ð9ð9Þ9þ9ý9”, Exercise 1. 9Â9Ê*9Á9Ë9È9Í.9Î9Ï9Ì9Ó9Ô9•9Ò9Ú9Û9Ù9ž9–9—9¯9˜9™9š9¸9›9œ9::::Ä::Ä4:Ä4::6:: : :1:.: ::::::::::::::::::: :!:":#:$:%:&6:':(1:):*1:+:,1:-:.:/1:01:1<:2<:3<:4:5<:6<:7<:8<:9<:::;1:<:=1:>:?6:@:A1:E, Exercise 2. :F.?˜?™?š?¸?›?œ?@@@@:U1:V1:W1:X:Y1:Z:^, Exercise 3. :_:`:a.:b:c:d:e:f:g:h:i:j:kÅ=:l:m:n:o:p:q1:r1:s:t1:u:y, Exercise 4. :z6:{:|.:}:~€:€:Ä€:Å€:Ç€:É€:Ñ€:Ö€:Ü€:á€:à:â*:ä:ã.:å:ç:é:è:ê:ë:í6:ì:î6:ï:ñ:ó:ò:ô:ö1:õ:ú1:ù:û:ü:Ý:°:¢:£:§:€:¶:ß:®:©::´:¨:‚:Æ:Ø:ƒ:±:¾:„:¥:µ::…:½:¼:†:ª:º:‡:æ:ø:¿:¡:¬:ˆ:Ÿ:‰::«:»:Š:Õ, Exercise 5. :‘, Exercise 6. :¦.::‹:³:²:Œ:¹:÷:×:ÿ::Ž:¤:Ð:ð:Þ:þ:ý:·:’:“:”:Â:Ê:Á:Ë:È:Í:Î:Ï:Ì:Ó:Ô:•:Ò:Ú:Û:Ù:ž:–:—:¯:˜:™:š:¸:›:œ:;;;;;;;;;; 1; ;1;; ;;1;;;, Exercise 7. ;, Exercise 8. ;, Exercise 9. ;;;;;;;;; ;!;";#;$;%;&;';(;);*;+;,;-;.;/;0;1;2;3;4;5;6;7;8;9;:;;;<;=;>;?;@;A;B;C;D;E;F;G;H;I;J;K;L;M;N;O;P;Q;R;S;T;U;V;W;X1;Y;Z;[;\1;];^#1.;_ 2.;`!3.;a;b;c;d;e;f;g1;h;i<;j<;k<;l;m6;n;r, Exercise 10. ;s,Exercise 11. ;t.;u;v;w;x;y;z;{;|;};~;;Ä;Å;Ç;É;Ñ;Ö;Ü;á;à;â;ä;ã;å;ç;é;è;ê;ë;í;ì;î;ï;ñ;ó;ò;ô;ö;õ;ú;ù;û;ü;Ý;°;¢;£;§6;€;¶1;ß;®1;©;;´;¨1;‚;Æ;Ø1;ƒ;±1;¾;„1;…,Exercise 12. Ä$;¼.;†;ª;º;‡;æ;ø;¿;¡;¬;ˆ;Ÿ;‰;;«;»;Š; ;À;Ã;Õ;‘;¦;;‹;³;²;Œ;¹;÷;×;ÿ;;Ž1;¤;Ð1;ý, Exercise 13. ;·,Exercise 14. ;’;“.;”;Â;Ê;Á;Ë;È;Í;Î;Ï;Ì;Ó;Ô;•;Ò;Ú;Û;Ù;ž;–;—;¯;˜;™;š;¸;›;œ;<<<<<<<<<< < <<< <<<<<<1<.<<<<<<<<<<<< count = ¹newvalue Œ; :ï©$Äwhere ¦qptr is a pointer to the relevant queue and ¦newvalue the expression for the new value to be assigned to the °®Dqueue¹s counter. ;ƒß$|The use of the macro ³MAXELT also limits the reusability of the library. If the size of the queues is changed, the º¶wlibrary must be recompiled. However, as the include file macro has changed, the callers of the queue library must also ‡UPpbe recompiled; otherwise, the pointers may be invalid (depending on the architecture) and if a routine directly ‡UPDcaccesses any field in the queue structure, not recompiling that file will cause incorrect results. <¿c£dJSo, the problem with including this header file in the callers¹ files is: =¿à¢dP+ The callers have access to the internal elements of the queue structure. >¿ã—dThe Queue Management Function ?Ü¿õ°dAThe first function controls the creation and deletion of stacks: @¿Ýd/* A¿üd * create or delete a queue B¿”Ûd * C¡UFd@ * PARAMETERS:QUEUE **qptrspace for, or pointer to, queue Dd. * int flag1 1 for create, 0 for delete Ed& *int sizemax elements in queue Fd */ Gd/void qmanage(QUEUE **qptr, int flag, int size) Hd{ Idif (flag){ Jd/* allocate a new queue */ Kd!*qptr = malloc(sizeof(QUEUE)); Ld&(*qptr)->head = (*qptr)->count = 0; Md-(*qptr)->que = malloc(size * sizeof(int)); Nd(*qptr)->size = size; Od} Pdelse{ Qd!/* delete the current queue */ Rd(void) free((*qptr)->que); Sd(void) free(*qptr); Td} Ud} V¡µä$ÄGlancing over it, we see it uses logical cohesion because the parameter ¦flag indicates which of two distinct, logically ¡¡âvseparate operations are to be performed. The operations could be written as separate functions. That this routine has ŸõÅD;such poor cohesion does not speak well for its robustness. W¡Ðá$ÄConsider the parameter list, and the calling sequence. The ¦flag parameter is an integer that indicates whether a queue ¡ËÜÄis to be created (if ¦flag is non-zero) or deleted (if ¦flag is zero). The ¦size parameter gives the maximum number of inte«çwDHgers to be allowed in the queue. Suppose a caller interchanged the two: X¬Ñdqmanage(&qptr, 85, 1); Y–ŒÝ$The ¦qmanage routine would not detect this as an error, and will allocate a queue with room for 1 element rather than ¬ÇDn85. This ease of confusion in the parameters is the first problem, and one that cannot be checked for easily. Z¬-ÅdC+ The order of elements in the parameter list is not checked. [Îˆ†$}Next, consider the ¦flag argument. When does it mean to create a queue and when does it mean to delete a queue? For ¬Hwthis function, the intention is that 1 means create and 0 means delete, but the coding style has changed this to allow /7tany non-zero value to mean create. But there is little connection between 1 and create, and 0 and delete. So psychop=ð©šrlogically, the programmer may not remember which number to use and this can cause a queue to be destroyed when it Äshould have been created. Using ¦enum s would help here if the library is compiled with the program, but if the library D~is simply loaded, ¦enum s do not help as the elements are translated into integers (so no type checking can be done). HH¡Œ¬à>é•l¬dˆ 0 and ÿb > 0 , then overp±ùÇ"oflow has occurred). Does this always work? What problems does it introduce? ( ¦Hint : think about archibtectures allowing arithmetic overflow to cause a trap.) Suggest an alternate method without these E problems. HH¡Œ¬à<|@HH¡Œ¬à?EAA é•l¬dˆ<ÄEEHH¡Œ¬à<ÅCHH¡Œ¬à¬É‹11&&EudAdding to a Queue Üó$sThis function adds an element to the queue. It adds the index of the head element to the current count (modulo the £©DXqueue size), and places the new element at that location; it then increments the count: ¾®d/* æßd' * add an element to an existing queue vø¸d * wd9 * PARAMETERS:QUEUE *qptrpointer for queue involved xd# *int nelement to be appended yd */ zd&void put_on_queue(QUEUE *qptr, int n) {d{ |d(/* add new element to tail of queue */ }d9qptr->que[(qptr->head + qptr->count) % qptr->size] = n; ~dqptr->count++; d} Ä¿‰ú$ÄTwo basic problems arise. First, the ¦qptr parameter is not checked to ensure it refers to a valid queue; it may refer to a ¿‹õ|queue that has been deleted, or to random memory, or may be ³NULL . Any of these will cause problems; if the caller 0¿eUL~is lucky, the problem will arise in this routine; if the caller is unlucky, the symptom will not appear until later on in the D/program, with no indication of what caused it. Ä¿¯òd+ Check all parameters. Ä¬dÇd|As an offshoot of this, suppose ¦qptr is valid but ¦que is not. Then the routine will not work correctly: Äd?+ Check for incorrect values in structures and variables. Ä$ÄSecond, suppose the queue is full (that is, ¦qptr->count equals ¦qptr->size ). If this function is called, it will overwrite ¡1îqthe head of the queue. There is no check for an overflowing queue, doubtless because the author assumed it would š†ËDnever happen. Ä¡Líd6+ Check for array overflow when inserting items. Ä ÃU©Ë$vA more sophisticated problem is the placing of trust in the values of the queue structure. The integrity of the queue ¡gêÄstructure depends on the consistency of the ¦count , ¦size , and ¦head fields. If ¦size increases between calls, the routine 0Îp´’Äwill think that the queue has been allocated more space than it actually has, leading to a segmentation fault. If ¦size D6decreases between calls, some elements might be lost. Ä ¡éç",n]Write a program that demonstrates when decreasing ¦size between calls to ¦add_to_queue ¡öåecauses elements previously added to the queue to become inaccessible. Describe the problems that can øöÆÑDrarise if the values of ¦head and/or ¦count are changed across calls to ¦put_on_queue . Ä¡µäd ÄÖ¢ò$sGiven the accessibility of the queue structure elements to the callers, these elements may change (accidentally or ¡àDdeliberately). Ä ¡Èðd!Removing Elements from the Queue ÄÜ¡˜á$ÄTaking elements off the queue begins by getting the element at index ¦head . Then count is decremented, and ¦head is ¬ÜD%incremented (modulo ¦size ): Ä¬Öd/* Ä¬ Ñd6 * take an element off the front of an existing queue Ä NELd * Äd9 * PARAMETERS:QUEUE *qptrpointer for queue involved Äd, *int *nstorage for the return element Äd */ Äd)void take_off_queue(QUEUE *qptr, int *n) Äd{ Äd3/* return the element at the head of the queue */ AÄd*n = qptr->que[qptr->head++]; HH¡Œ¬à<ÉCHH¡Œ¬àBHDD é•l¬dˆ<áHH HH¡Œ¬à<àFHH¡Œ¬à¬É²..((HÄÜÜdqptr->count--; Äí©dqptr->head %= MAXELT; Äóœd} Ä‚ß$ÄThe parameter problems described in the previous section exist here too; ¦qptr may be invalid, ³NULL , or point to an ¼¶DQinvalid queue. Moreover, ¦n may also be an invalid integer pointer. So: Ä¿H€d+ Check all parameters. Ä¿[˜d?+ Check for incorrect values in structures and variables. Ä $ÄHere. the danger is underflow, not overflow. Suppose there are no elements in the queue. The value returned through ¦n ¿r¢DJwill be garbage, and ¦count will be set to a bogus value. Hence: Ä!¿Å°d8+ Check for array underflow when extracting items. Ä"¿ÝüdOThe problem of variable consistency across calls occurs in this routine, also. Ä#"le^What problems might an invalid pointer for ¦n cause? Specifically, suppose in the call Ä$d take_off_queue(qptr, c) Ä%$zthe variable c is declared as a ¦char * or a ¦float * ? How would you solve these problems in a portable ¿ŠúEmanner? Ä&¿’ÒdSummary Ä'Ü¿ÚõdThe library ¦fqlib.c , the contents of which are presented in this section, is very fragile code. Among its flaws are: Ä(¡ödIThe callers have access to the internal elements of the queue structure. Ä)¡ ôd9The order of elements in parameter lists is not checked. Ä*¿‚ÛdbThe value of command parameters (which tell the function what operation to perform) is arbitrary. Ä+d> 16) & 0xffff) - 0x1221 Ä=¿\§dand Ä> WHdOnonce Œ = ( ¹f Œ( ¹index Œ, ¹nonce Œ) & 0xffff) - 0x0502 Ä?d*where & and >> are the usual C operators. Ä@$zThis simplifies the interface considerably, but at the cost of assuming a 32-bit quantity (or greater). Fortunately, most ¿¢üD\systems have a datatype supporting integers of this length. So, in the header file, we put: ÄA¿±ûdJ/* queue identifier; contains internal index and nonce mashed together */ ÄB¿‡ùdtypedef long int QTICKET; ÄC¿Ãúd[With this token defined, calling routines need know nothing about the internal structures. ÄD¿ÝÝdP+ Don¹t hand out pointers to internal data structures; use tokens instead. ÄEÿªX$sThe second issue is errors; how to handle them? We can print error messages (and take action, possibly even termi¿–ô{nating), we can return error results and allow the caller to handle the error, or we can set up special error handlers (if ¡§ävthe language supports these; they are typically written as trap or exception handlers). Unfortunately, C does not pro0¾2bvvide exception handlers for errors. The method of returning error codes to the caller allows much greater flexibility xthan handling the error in the routine, and is equally simple to perform. The complication is that a set of error codes ymust indicate the errors that could occur. So, as we proceed through our library, we shall track errors and define error Dcodes. ÄF¡Aì$x+ Handle errors in a consistent manner: either print error messages from a centralized printing routine, or return ¡MíD?error codes to the caller and let the caller report the error. ÄG¡\ë$uWe make some decisions about the library functions for this purpose. The return value will indicate whether an error ¡hê}has occurred; if so, the function returns an error code and an expositor message in a buffer. If not, it returns a flag indi‰:;D?cating no error. So, we define all error codes to be negative: ÄH¡Ééd/* ÄI¡èçd * error return values ÄJŠ$©”d6 * all the queue manipulation functions return these; ÄK|Spd7 * you can interpret them yourself, or print the error ÄLd5 * message in qe_errbuf, which describes these codes ÄMd */ ÄNdI#define QE_ISERROR(x)((x) < 0)/* true if x is a qlib error code */ ÄOd'#define QE_NONE 0/* no errors */ ÄPd/* ÄQdB * the error buffer; contains a message describing the last queue ÄRdF * error (but is NUL if no error encountered); not cleared on success ÄSd */ ÄTdextern char qe_errbuf[256]; ÄU¬"Å$Ä Like the UNIX system variable ¦errno (3), ¦qe_errbuf is set on an error but not cleared on success. The buffer will con¬.Äutain additional information (such as in which routine the error occurred and relevant numbers). The following macros \£¢üDaid this process: ÄV¬I~d"/* macros to fill qe_errbuf */ ÄW¬U}dI#define ERRBUF(str)(void) strncpy(qe_errbuf, str, sizeof(qe_errbuf)) ÄX…0öºd<#define ERRBUF2(str,n)(void) sprintf(qe_errbuf, str, n) ÄY±AdA#define ERRBUF3(str,n,m)(void) sprintf(qe_errbuf, str, n, m) SÄZ¬|z$ÄThese are defined in ¦qlib.c because they format messages placed in ¦qe_errbuf ; the functions that call the library have HH¡Œ¬à<ëIHH¡Œ¬àHNJJé•l¬dˆ<ïNNHH¡Œ¬à<ñLHH¡Œ¬à¬Ñ11**NÄZÜÜDno use for them. Ä[ï©dhWe also redefine the function interface to eliminate the low cohesion of the ¦qmanage routine: Ä\ùœd7int create_queue(QTICKET *);/* create a queue */ Ä]ƒßd5int delete_queue(QTICKET);/* delete a queue */ Ä^†šdFint put_on_queue(QTICKET, int);/* put number on end of queue */ Ä_dNint take_off_queue(QTICKET, int *);/* pull number off front of queue */ Ä`¿W§dKThis eliminates the use of a flag variable to manage creation or deletion. Äa¿_€dgIn the ¦qlib.c file we place the definition of the queue structure and the related variables: Äbd./* macros for the queue structure (limits) */ Äc¿Å°d1#define MAXQ1024/* max number of queues */ Äd¿ìõd?#define MAXELT1024/* max number of elements per queue */ Äed Äfd/* the queue structure */ Ägd:typedef int QELT;/* type of element being queued */ Ähdtypedef struct queue { Äid4QTICKET ticket;/* contains unique queue ID */ Äjd.QELT que[MAXELT];/* the actual queue */ Äkd4int head;/* head index in que of the queue */ Äld3int count;/* number of elements in queue */ Ämd } QUEUE; Änd+/* variables shared by library routines */ Äod;static QUEUE *queues[MAXQ];/* the array of queues */ Äpd%/* nonce generator -- this */ ÄqdLstatic unsigned int noncectr = NOFFSET;/* MUST be non-zero always */ Är¡8í$vWe made one change to the queue definition: all queues are to be of fixed size. This was for simplicity (see the exer¡DëDÄcise below). Also, all globals are declared ¦static so they are not accessible to any functions outside the library file. Äs¡Sê$ÄWe distinguish between an ¦empty queue and a ¦nonexistent queue. The former has its ¦count field set to 0 (so the queue ¡_èÄexists but contains no elements); the latter has the relevant element in ¦queues set to ³NULL (so the queue does not ¡øCDexist). Ät¡zç",u_The macros ¦ERRBUF2 and ¦ERRBUF3 use ¦sprintf to format the error message. What prob¡ÜåDYlem does this function not guard against? Why can we ignore this problem in our library? Äu¡ïã$[What problems does static allocation of space for each queue¹s contents and for all queues ¡°äDintroduce? What advantages? Äv¡†þdToken Creation and Analysis ÄwÜ¡ â$yOne function internal to the library creates a token from an index, and another takes a token, validates it, and returns ¡÷àDthe appropriate index. Äx¡Âá$xThese are separate routines because we need to be able to change the token¹s representation if the library is ported to ¡ÒÜpa system without a 32-bit quantity to store the token in. Or, we may prefer to modify the mathematical function 0¡VU«winvolved. In either case, this increases cohesion and decreases coupling, laudable goals from the software engineering D!(and maintenance!) perspectives. Äy¬É$ÄIn what follows, ¦IOFFSET is the offset added to the index of the element and ¦NOFFSET is the initial nonce. Both are ¬$ÇDdefined in ¦qlib.c : Äz¬3ÅdD#define IOFFSET0x1221/* used to hide index number in ticket */ Ä{¬?Äd.#define NOFFSET0x0502/* initial nonce */ Ä|¬Nd*Here is the function to generate a token: Ä}ŸM®¼d/* Ä~¬i}dF * generate a token; this is an integer: index number + OFFSET,,nonce ÄœÜÆd0 * WARNING: each quantity must fit into 16 bits AÅd * HH¡Œ¬à<òLHH¡Œ¬àKQMMé•l¬dˆ<úQQHH¡Œ¬à<ùOHH¡Œ¬à¬ÖÀ55Q ÅÜÜd) * PARAMETERS:int indexindex number Åí©d6 * RETURNED:QTICKETticket of corresponding queue Åóœd6 * ERRORS:QE_INTINCON* index + OFFSET is too big Åóœd ** nonce is too big Åd ** index is out of range Åd- *(qe_errbuf has disambiguating string) Åd * EXCEPTIONS:none Åd */ Å d+static QTICKET qtktref(unsigned int index) Å d{ Åd<unsigned int high;/* high 16 bits of ticket (index) */ Åd:unsigned int low;/* low 16 bits of ticket (nonce) */ Å d Åd4/* sanity check argument; called internally ... */ Ådif (index > MAXQ){ Åd8ERRBUF3("qtktref: index %u exceeds %d", index, MAXQ); Ådreturn(QE_INTINCON); Åd} Åd Åd/* Åd> * get the high part of the ticket (index into queues array, Åd' * offset by some arbitrary amount) ÅdG * SANITY CHECK: be sure index + OFFSET fits into 16 bits as positive Åd */ Åd"high = (index + IOFFSET)&0x7fff; Ådif (high != index + IOFFSET){ Åd5ERRBUF3("qtktref: index %u larger than %u", index, Åd0x7fff - IOFFSET); Ådreturn(QE_INTINCON); Åd} Åd Å d/* Å!d+ * get the low part of the ticket (nonce) Å"d2 * SANITY CHECK: be sure nonce fits into 16 bits Å#d */ Å$dlow = noncectr & 0xffff; Å%d'if ((low != noncectr++) || low == 0){ Å&d8ERRBUF3("qtktref: generation number %u exceeds %u\n", Å'd(noncectr - 1, 0xffff - NOFFSET); Å(dreturn(QE_INTINCON); Å)d} Å*d Å+d'/* construct and return the ticket */ Å,d)return((QTICKET) ((high << 16) | low)); Å-d} Å.¬%}d_The function is declared ¦static so that only functions in the library may access it. Å/ˆMµ$vRather than return a value through the parameter list, we compute the token and return it as the function value. This ¬@{xallows us to return error codes as well (since tokens are always positive, and error codes always negative). The single ã D=parameter is an index for which the token is to be computed. Å0¬[ydV+ Make interfaces simple, even if they are for routines internal to the library. Å1·[$The next ¦if statement checks the value of the parameter; in this case, it must be a valid array index (between 0 and ¬vwsMAXQ inclusive). As the parameter is unsigned, only the upper bound need be checked. This may seem excessive; R˜Ö±wafter all, this function is only called within our library, so can¹t we ensure the parameter is always in the expected HH¡Œ¬à<üOHH¡Œ¬àNTPPé•l¬dˆ<£TT HH¡Œ¬à<§RHH¡Œ¬à¬ÖÕ33,,T Å1ÜÜvrange? The principle of ³can¹t happen² applies here. We can indeed assure the index always lies within the range, but í©wsuppose someone else one day modifies our code and makes an error. That error could cause the library to fail. So it¹s óœDbest to program defensively. Å2‚ßdA+ Always check parameters to make sure they are reasonable. Å3‡š$xIf an error occurs, it should be identified precisely. Two techniques are combined here. The first is an error message, ¿H€Ägiving the name of the routine and an exact description of the problem. It is in ¦qe_errbuf , and available to the caller. ¿BšD\The second is a return value indicating an error (specifically, an internal inconsistency): Å4¿c£d7#define QE_INTINCON-8/* internal inconsistency */ Å5¿âžd@The calling routine must detect this error and act accordingly. Å6$t+ Give useful and informative error messages. Include the name of the routine in which the error occurs. Allow ¿çÝDQnumbers in the error message. Use error codes that precisely describe the error. Å7¿úü$x.The error code here indicates an internal inconsistency (because an error indicates another library routine is calling ¿®ûzqtktref incorrectly). An error message or code simply indicating an error occurred would be less helpful, because we ¿\€DRwould not know why the error occurred, or (depending on the error message) where. Å8¿ˆú$z The next statements add the offset to the index. As this is to be the upper half of a 32-bit number, it must fit into 16 ¿¦õybits as a signed number. The code checks that this requirement is met. Again, if it is not met, a detailed error message ®D is given. Å9¿Íô"l-`Explain how the check works, in detail. Å:¬Sy$xThe code uses À0x7fff to mask ¦index for the comparison instead of using À0xffff . Why is the ¡óDmask 15 bits instead of 16? Å;¡ñ$hThe check for ¦noncectr is similar, but uses 0xffff as a mask. Explain why it does not need to ¡ ïDuse 0x7fff. Å<¡/îd]The routine to break down a token into its component parts, and check the queue, is similar: Å=ˆ¯Ud/* Å>¡Jíd3 * check a ticket number and turn it into an index Å?š²´d * Å@d: * PARAMETERS:QTICKET qnoqueue ticket from the user ÅAd+ * RETURNED:intindex from the ticket ÅBd= * ERRORS:QE_BADTICKETqueue ticket is invalid because: ÅCd) ** index out of range [0 .. MAXQ) ÅDd# ** index is for unused slot ÅEd ** nonce is of old queue ÅFd. *(qe_errbuf has disambiguating string) ÅGd= *QE_INTINCONqueue is internally inconsistent because: ÅHd. ** one of head, count is uninitialized ÅId ** nonce is 0 ÅJd. *(qe_errbuf has disambiguating string) ÅKd * EXCEPTIONS:none ÅLd */ ÅMd static int readref(QTICKET qno) ÅNd{ ÅOd;register unsigned index;/* index of current queue */ ÅPd9register QUEUE *q;/* pointer to queue structure */ ÅQd ÅRd6/* get the index number and check it for validity */ ÅSd+index = ((qno >> 16) & 0xffff) - IOFFSET; ÅTdif (index >= MAXQ){ ÅUd8ERRBUF3("readref: index %u exceeds %d", index, MAXQ); ÅVdreturn(QE_BADTICKET); ÅWd} AÅXdif (queues[index] == NULL){ HH¡Œ¬à<¶RHH¡Œ¬àQWSS é•l¬dˆ<WWHH¡Œ¬à<´UHH¡Œ¬à¬ÖÃ44WÅYÜÜd=ERRBUF2("readref: ticket refers to unused queue index %u", ÅZí©dindex); Å[óœdreturn(QE_BADTICKET); Å\óœd} Å]d Å^d/* Å_d< * you have a valid index; now validate the nonce; note we Å`d< * store the ticket in the queue, so just check that (same Åad * thing) Åbd */ Åcd$if (queues[index]->ticket != qno){ ÅddCERRBUF3("readref: ticket refers to old queue (new=%u, old=%u)", Åed0((queues[index]->ticket)&0xffff) - IOFFSET, Åfd(qno&0xffff) - NOFFSET); Ågdreturn(QE_BADTICKET); Åhd} Åid Åjd/* Åkd% * check for internal consistencies Åld */ Åmd;if ((q = queues[index])->head < 0 || q->head >= MAXELT || Ånd)q->count < 0 || q->count > MAXELT){ Åod?ERRBUF3("readref: internal inconsistency: head=%u,count=%u", Åpdq->head, q->count); Åqdreturn(QE_INTINCON); Ård} Åsd!if (((q->ticket)&0xffff) == 0){ Åtd6ERRBUF("readref: internal inconsistency: nonce=0"); Åudreturn(QE_INTINCON); Åvd} Åwd Åxd"/* all's well -- return index */ Åydreturn(index); Åzd} Å{¡°à$vThe argument for this function is a token representing a queue; the purpose of this function is to validate the token ¡‚áÄand return the corresponding index. The first section of ¦readref does this; it derives the index number from the token, ¿Žú~and checks first that the index is a legal index, then that there is a queue with that index. If either fails, an appropriate 0¡ÖU<serror message is given. Notice that the error code simply indicates a problem with the parameter, although the mesD;sage in ¦qe_errbuf distinguishes between the two. Å|¡ýÉdT+ Make parameters quantities that can be checked for validity, and check them. Å}‰_+$zAs the caller of the library has supplied the token, a bogus token is not an internal error. So we use another error code ¡šÅDto indicate the problem: Å~¬ Äd:#define QE_BADTICKET-3/* bad ticket for the queue */ Å»¸©‹$wNext, we check that the queue with the same index as the token is the queue the token refers to. This is the ³dangling ¬%~preference² problem mentioned earlier. The current queue¹s token is stored in each queue structure, so we simply Ù\´ŽDZensure the current token is the queue¹s token. If not, we handle the error appropriately. Ç¬@|d9+ Check for references to outdated data structures. ÇðÌß¬$xThe last section of code checks for internal consistency. The goal is to detect problems internal to the queue library. ¬[zDThe consistency checks are: Ç¬jydRThe position of the queue ¦head must lie between 0 and ³MAXELT . Ç¬vxdgThe ¦count of elements in the queue must be nonnegative and no greater than ³MAXELT . QÇÀ4ØÍd^The nonce can never be 0. This prevents a random integer 0 from being taken as a valid token. HH¡Œ¬à<‚UHH¡Œ¬àTZVVé•l¬dˆ<±ZZHH¡Œ¬à<¾XHH¡Œ¬à¬~11..ZÇÜÜd>When any of these are detected, the routine reports an error. Çï©$uAn alternate approach, favored by some experts, is to make this code conditionally compilable, and omit it on produc°®D=tion versions. They either use #ifdefs to surround the code: Çƒßd #ifdef DEBUG Çº¶d/* the code goes here */ Ç ‡UPd#endif Ç ¿W§$~or use the ¦assert() macro. This saves space when the library is provided for production, but can make tracking down ¿c£sany problems more difficult when they occur in production software, because less information is provided than in a ¿U¯Ddevelopment environment. Ç¿~°dp+ Assume ³debugged code² isn¹t. When it¹s moved to other environments, previously unknown bugs may appear. Ç¿¥ž$ÄThe ¦assert() macro is described in the manual as ¦assert (3) Its argument is an expression, and that expression is evalu¿ôüyated. If the expression is false, the macro writes a message to the standard error, aborts the program and forces a core ¿GžDidump for debugging purposes. For example, the internal consistency checking code could be replaced with: Ç ¿¥ùdhead < 0 || q->head >= MAXELT); Ç¿¿úd+assert(q->count < 0 || q->count > MAXELT); ÇéUId"assert((q->ticket)&0xffff) != 0); Ç¿¤ödRIf the middle ¦assert expression were false, the error message would be: Ç¬[U>dMassertion ³q->count < 0 || q->count > MAXELT² failed file ³qlib.c², line 178 Ç$Ä If the compile-time constant ³NDEBUG is defined, all ¦assert() macros are empty, so they are in effect deleted from the ¡óD program. Ç¡ñ",naThe ¦assert macro aborts the program if the condition fails. It applies the theory that ³if the ¡ ïmlibrary is internally inconsistent, the entire set of queues cannot be trusted.² The other methods allow the ¸»¶D5caller to attempt to recover. Which is better? When? Ç¡;ì$_Assume ¦IOFFSET were not added to indices. What error message would be printed if the ¡GíD(QTICKET were 0? Why is this misleading? Ç¡`ÁdQueue Creation ÇÜ¡pëd3The routine ¦create_queue creates queues: Ç¡êd/* Ç¡ãèd * create a new queue Ç¯¿d * Çd * PARAMETERS:none Çd? * RETURNED:QTICKETtoken (if > 0); error number (if < 0) Çd- * ERRORS:QE_BADPARAMparameter is NULL Çd6 *QE_TOOMANYQStoo many queues allocated already Çd1 *QE_NOROOMno memory to allocate new queue Çd+ *(qe_errbuf has descriptive string) Ç d * EXCEPTIONS:none Ç!d */ Ç"dQTICKET create_queue(void) Ç#d{ Ç$d3register int cur;/* index of current queue */ Ç%d=register QTICKET tkt;/* new ticket for current queue */ Ç&d Ç'd/* check for array full */ Ç(d!for(cur = 0; cur < MAXQ; cur++) Ç)dif (queues[cur] == NULL) Ç*d break; Ç+dif (cur == MAXQ){ AÇ,d;ERRBUF2("create_queue: too many queues (max %d)", MAXQ); HH¡Œ¬à<¥XHH¡Œ¬àW]YY é•l¬dˆ<½]]HH¡Œ¬à<¼[HH¡Œ¬à¬‘22] Ç-ÜÜdreturn(QE_TOOMANYQS); Ç.í©d} Ç/óœd Ç0óœd/* allocate a new queue */ Ç1d5if ((queues[cur] = malloc(sizeof(QUEUE))) == NULL){ Ç2d2ERRBUF("create_queue: malloc: no more memory"); Ç3dreturn(QE_NOROOM); Ç4d} Ç5d Ç6d/* generate ticket */ Ç7d&if (QE_ISERROR(tkt = qtktref(cur))){ Ç8d:/* error in ticket generation -- clean up and return */ Ç9d(void) free(queues[cur]); Ç:dqueues[cur] = NULL; Ç;dreturn(tkt); Ç<d} Ç=d Ç>d"/* now initialize queue entry */ Ç?d-queues[cur]->head = queues[cur]->count = 0; Ç@dqueues[cur]->ticket = tkt; ÇAd ÇBdreturn(tkt); ÇCd} ÇD¡ì$uThe parameter list for this routine is empty; all information is returned as a function value. An alternate approach ¡)íDRwould be to pass the QTICKET back through the parameter list with the declaration ÇE¡8ëdint create_queue(QTICKET *tkt) ÇF¡‹U-$wand have the return value be the error code. But this can lead to confusion. Some library routines require pointers as ¡Sèqarguments; others do not. Programmers may become confused, or suffer memory lapses, about which routines require ‡UUDVpointers and which do not. The routine should guard against these potential problems. ÇG¡nçd(+ Keep parameter lists consistent. ÇHˆT$uMaking all parameters be pointers is not suitable. First, pointers are difficult to check for validity; one can (and ¡âãÄshould) check for ³NULL pointers, but how can one portably determine if a non- ³NULL pointer contains an address in ›U€xthe process¹ address space or that the address is not properly aligned for the quantity to be stored there (on some sys0™¤Uÿstems, notably RISC systems, this can cause an alignment fault and terminate the program)? Using a style of programDEming akin to functional programming languages avoids these problems. ÇI¡ºáde+ Avoid changing variables through a parameter list; whenever possible, avoid passing pointers. ÇJ²¿œ${This routine checks if there is room for another queue; if so, it determines the index of the queue; if not, it reports an ¡×ÖDxerror and returns an error code. The error code is returned to the calling routine, which is not a part of the library: ÇK¡ÊÑdB#define QE_TOOMANYQS-7/* too many queues in use (max 100) */ ÇL%“Q‚$nIn the error message we supply helpful information, namely the maximum number of queues allowed. This enables ¬ÇDRthe programmers to know why the routine failed and tailor their code accordingly. ÇM¬Ådk+ Check for array overflow and report an error when it would occur (or take other corrective action). ÇNI›¯Œ$ÄThe next part allocates space for the queue. Again, the routine checks for a failure in ¦malloc , and reports it should it ¬+Ähappen. Again, a special error code is used. This is of special importance since a ¦malloc failure is usually due to a sysrl ×Ätem call failure, and ¦perror (3) will print a more informative message that the caller may desire. The queue library¹s C&dDerror indicator is: ÇO¬R|d=#define QE_NOROOM-6/* can't allocate space (sys err) */ ÇP±½ÄqdB+ Check for failure in C library functions and system calls. ÇQr´¬¤$uThe routine then obtains a token for the new queue, checking again for failure. If the token cannot be obtained, the P¬|yDÄnew queue is deleted and an error is returned. No error message is provided; the token generator ¦qtktref provides that. HH¡Œ¬à<ª[HH¡Œ¬àZ`\\é•l¬dˆ<ø``HH¡Œ¬à<¿^HH¡Œ¬à¬Z³//00`ÇRÜÜdE+ Check for failure in other library functions in your library. ÇSï©$zFinally, all quantities in the queue structure are set to default values (here, indicating an empty queue), and the token °®yis returned. This way, we need not worry about initialization later in the library, when it might be harder to determine €URDif initialization is needed. ÇTº¶d+ Initialize on creation. ÇU¿PUP",tbIf a token can¹t be generated, then the error message in ¦qe_errbuf comes from ¦qtktref , but ¿W§vthere is no indication of what routine called ¦qtktref . Write a macro that will append this to the error mes¿KUNfsage in ¦qe_errbuf . Remember to check for bounds problems when you append to the contents of Dqe_errbuf . ÇW¿à—dQueue Deletion ÇXÜ¿ò°dThis routine deletes queues. ÇY¿ßÝd/* ÇZ¿„üd * delete an existing queue Ç[¿iÙd * Ç\dB * PARAMETERS:QTICKET qnoticket for the queue to be deleted Ç]d * RETURNED:interror code Ç^dE * ERRORS:QE_BADPARAMparameter refers to deleted, unallocated, Ç_d+ *or invalid queue (from readref()). Ç`d: *QE_INTINCONqueue is internally inconsistent (from Çad *readref()). Çbd * EXCEPTIONS:none Çcd */ Çddint delete_queue(QTICKET qno) Çed{ Çfd3register int cur;/* index of current queue */ Çgd Çhd/* Çid0 * check that qno refers to an existing queue; Çjd * readref sets error code Çkd */ Çld%if (QE_ISERROR(cur = readref(qno))) Çmdreturn(cur); Çnd Çod/* Çpd/ * free the queue and reset the array element Çqd */ Çrd(void) free(queues[cur]); Çsdqueues[cur] = NULL; Çtd Çudreturn(QE_NONE); Çvd} Çw¬Ç$xThis routine takes as a parameter the token of the queue to be deleted. It determines if the token is valid, and if not ¬ÅDxreturns the error code. Thus, a queue which is not created, or one that has already been deleted, will report an error. Çx¬-ÄdB+ Check that the parameter refers to a valid data structure. ÇyÀÁ¬$ÄThe queue is then freed. The entry in the ¦queues array is reset to indicate that an element of the array is available for ¬H~Dreassignment. SÇz¬W}dJ+ Always clean up deleted information it prevents errors later on. HH¡Œ¬à<¬^HH¡Œ¬à]c__é•l¬dˆ<ccHH¡Œ¬à<«aHH¡Œ¬à¬~‘3322cÇ{ÜÜ (ÄcDo we need to check that ¦queues [ ¦cur ] is not ³NULL before we call ¦free ? Why or why not? í©@aIf we do, what error will occur in the above code? If we do not, should we? Justify your answer. Ç|°®`;What prevents a caller from deleting the same queue twice? Ç}` Ç~¿I¸`Adding an Element to a Queue ÇÜ¿Y¶`EAdding an element to a queue requires that it be placed at the tail: É¿h€`/* É¿t§`' * add an element to an existing queue É` * É`= * PARAMETERS:QTICKET qnoticket for the queue involved É`$ *int nelement to be appended É` * RETURNED:interror code É`E * ERRORS:QE_BADPARAMparameter refers to deleted, unallocated, É`+ *or invalid queue (from readref()). É`; * QE_INTINCONqueue is internally inconsistent (from É ` *readref()). É `: *QE_TOOFULLqueue has MAXELT elements and a new one É` *can¹t be added É` * EXCEPTIONS:none É ` */ É`%int put_on_queue(QTICKET qno, int n) É`{ É`3register int cur;/* index of current queue */ É`8register QUEUE *q;/* pointer to queue structure */ É` É`/* É`0 * check that qno refers to an existing queue; É` * readref sets error code É` */ É`%if (QE_ISERROR(cur = readref(qno))) É`return(cur); É` É`/* É`% * add new element to tail of queue É` */ É`)if ((q = queue[cur])->count == MAXELT){ É`"/* queue is full; give error */ É`=ERRBUF2("put_on_queue: queue full (max %d elts)", MAXELT); É `return(QE_TOOFULL); É!`} É"`else{ É#`/* append element to end */ É$`)q->que[(q->head+q->count)%MAXELT] = n; É%`/* one more in the queue */ É&`q->count++; É'`} É(` É)`return(QE_NONE); É*`} É+¬oz }The variables in the parameter list are not pointers; all are passed by value. As before, the validity of the token is first P¬{y@~checked, and as ¦readref builds the error message and code, if the token is not valid, the error is simply returned. HH¡Œ¬à<ŠaHH¡Œ¬à`fbbé•l¬dˆ<ÕffHH¡Œ¬à<‘dHH¡Œ¬à¬áÕ44fÉ,ÜÜ Ä Adding an element to the queue requires checking that the queue is not full. The first part of the ¦if Š ¦else Š state0í©sment does this. The error message again gives the maximum number of elements that the queue can hold. If the queue @1is full, an appropriate error code is generated: É-‚ß`9#define QE_TOOFULL-5/* append it to a full queue */ É.`G+ Allow error messages to contain numbers or other variable data. É/¿Uš`#Removing an Element from the Queue É0Ü¿e€`/We remove elements from the head of the queue: É1¿t§`/* É2¿Ä£`6 * take an element off the front of an existing queue É3` * É4`= * PARAMETERS:QTICKET qnoticket for the queue involved É5`) * RETURNED:interror code or value É6`4 * ERRORS:QE_BADPARAMbogus parameter because: É7`0 ** parameter refers to deleted, invalid, É8`0 * or unallocated queue (from readref()) É9`- ** pointer points to NULL address for É:` * returned element É;`+ *(qe_errbuf has descriptive string) É<`: *QE_INTINCONqueue is internally inconsistent (from É=` *readref()). É>`5 *QE_EMPTYno elements so none can be retrieved É?` * EXCEPTIONS:none É@` */ ÉA` int take_off_queue(QTICKET qno) ÉB`{ ÉC`4register int cur;/* index of current queue */ ÉD`9register QUEUE *q;/* pointer to queue structure */ ÉE`;register int n;/* index of element to be returned */ ÉF` ÉG`/* ÉH`0 * check that qno refers to an existing queue; ÉI` * readref sets error code ÉJ` */ ÉK`%if (QE_ISERROR(cur = readref(qno))) ÉL`return(cur); ÉM` ÉN`/* ÉO`1 * now pop the element at the head of the queue ÉP` */ ÉQ`%if ((q = queues[cur])->count == 0){ ÉR`/* it's empty */ ÉS`)ERRBUF("take_off_queue: queue empty"); ÉT`return(QE_EMPTY); ÉU`} ÉV`else{ ÉW`/* get the last element */ ÉX`q->count--; ÉY`n = q->head; ÉZ`$q->head = (q->head + 1) % MAXELT; É[`return(q->que[n]); É\`} AÉ]` HH¡Œ¬à<dHH¡Œ¬àcieeé•l¬dˆ<ŒiiHH¡Œ¬à<¹gHH¡Œ¬à¬TŒ,,46iÉ^ÜÜd*/* should never reach here (sure ...) */ É_í©dIERRBUF("take_off_queue: reached end of routine despite no path there"); É`óœdreturn(QE_INTINCON); Éad} Éb¼¶$tHere we must distinguish between a return value that is an error code and a return value that comes from the queue. ¿E€ÄThe solution is to check the error buffer ¦qe_errbuf . Before this function is called, the first byte of that array is set to 0†¶wthe NUL byte Œ\0¹. If, on return, the error buffer contains a string of length 1 or greater, an error occurred and the D[returned value is an error code; otherwise, no error occurred. So the calling sequence is: Éc¿l¢dqe_errbuf[0] = Œ\0¹; Éd¿x°drv = take_off_queue(qno); Éeº¶d,if (QE_ISERROR(rv) && qe_errbuf[0] != Œ\0¹) ÉfdDŠ ¹rv contains error code, qe_errbuf the error message Œ Š Égdelse ÉhdAŠ ¹no error; rv is the value removed from the queue Œ Š Éi¿…ú$vThis way, we need not pass a pointer through the parameter list. The disadvantage of this method is the complexity of ¿ˆõzcalling the function; however, that seems a small price to pay to avoid a possible segmentation fault within the library. d½D~The standard I/O library function ¦fseek uses a similar technique to distinguish failure from success in some cases. Éj¿Þôde+ Avoid changing variables through a parameter list; whenever possible, avoid passing pointers. Ékˆ…]",qdRewrite ¦take_off_queue to use a second parameter, ¦int *n , and return the value removed ¿˜ókfrom the queue through that parameter. (Use the error code ³BADPARAM , defined as 1, to report an 0šb´ hinvalid pointer.) The function value is the error code. Compare and contrast this approach with the one D4used in the above version. When would you use each? Él¡ îdVHow does ¦fseek (3S) use ¦errno to distinguish failure from success? Ém³©/$|The rest of this routine is similar to ¦add_to_queue . We check the parameter, and then validate the queue. We next ¡;íDEcheck for an empty queue, and report an error if the queue is empty: Én¡Jëd8#define QE_EMPTY-4/* take it off an empty queue */ Éo#ß»$ÄIf it is not empty, it returns the element at the head of the queue. The ¦head index is incremented to move to the next ¡eèDJelement in the queue, which becomes the element at the head of the queue. Ép¡~”dSummary ÉqÜ¡éé$rThe above routines give several examples of the differences between robust and fragile coding. The above routines ¡öçware robust, because they cannot be crashed by poor or incorrect calls, or inconsistency in the caller. They form a mod0E-Oßqule, and have informational cohesion and stamp coupling (the latter because they share data in common variables; Äspecifically, ¦queues , ¦noncectr , and ¦qe_errbuf . While the coding of these versions of the routines takes more time than vthe fragile routines, they take much less to debug, and will require less debugging time for applications using these D routines. Ér¡à",\eRewrite this library to allocte space for each queue dynamically. Specifically, change ¡Âáycreate_queue to take the parameter ¦int size , where ¦size is to be the maximum number of elements Sè” DFallowed in the queue. Allocate space for the queue array dynamically. És¬Ö$\Rewrite this library to use a linked list structure for each queue. What are the advantages ¬ÑDand disadvantages to this? ÉtâUT¬&U-dConclusion ÉuÜ¬9Å$rMany security problems arise from fragile coding. The UNIX operating system, and the C standard libraries, encour¬EÄage this. They provide library calls that can cause severe problems; for example, ¦gets (3S) does not check for buffer P_å«D overflow. Avoid these routines! HH¡Œ¬à<×gHH¡Œ¬àflhh é•l¬dˆ<¤llHH¡Œ¬à<ÐjHH¡Œ¬à¿É—88lÉvÜÜ",xfWhy should the following functions be avoided when writing robust code: ¦gets , ¦strcpy , ¦strí©DPcat , ¦sprintf ? How would you modify them to make them acceptable? Éw°®$_When should members of the ¦scanf family of functions be avoided while writing robust ‚ßD#code? What should you use instead? Éx¿@¸dAcknowledgements ÉyÜ¿@¸§V Chip Elliott (then of Dartmouth College, later of BBN Communications Corp.) provided ¿M¶othe inspiration for this. His handout ³Writing Bomb-Proof Code² for Dartmouth¹s class COSC 23, Introduction to ¿Y€DiSoftware Engineering,, succinctly described many of the principles and techniques which I have extended. Éz¿h§$nThanks to Kim Knowles for her constructive suggestions on this document. Also, the students of ECS 40 and ECS ¿t£v153 at UC Davis helped me refine this exposition by asking questions and indicating what was difficult to understand. P¿_¯DNI hope this document is clear; it is certainly clearer than earlier versions!HH¡Œ¬à<ÞjHH¡Œ¬àikké•l¬dˆLeft¬dˆRight¬dˆ Reference¬dˆ¬dˆ:¬dˆ=¬dˆ@¬dˆ C¬dˆ F¬dˆ I¬dˆ L¬dˆ O¬dˆ R¬dˆ U¬dˆX¬dˆ[¬dˆ ^¬dˆa¬dˆd¬dˆg¬dˆjÄÊfÅôÄ@ÄÄÄôD 0ÅBodyBody. ÄÊfÅôÄ@ÄÄÄôE 0Å Bulleted€Bulleted. ÄÊfÅôÄ@ÄÄÄôN 0Å Numbered N:.\t. ÄÊfÅôÄ@ÄÄÄôE 0Å Bulleted€Bulleted. ûÄÊfÅôÄ@ÄÄÄô 0Åû Footnote. ÄÊfÅôÄ@ÄÄÄôP0Å TitleBody. ÄÊfÅôÄ@ÄÄÄôT0ÅHeading2Body. ÄÊfÅôÄ@ÄÄÄôT0ÅHeadingRunInBody. ÄÊfÅôÄ@ÄÄÄôD 0ÅBodyBody. $ÄÊfÅôÄ@ÄÄÄôAE 0Å$. LetteredA A:.Lettered. ÄÊfÅôÄ@ÄÄÄôNE 0Å Numbered1 N:.Numbered. ûÄÊfÅôÄ@ÄÄÄô 0Åû TableFootnote. ÄÊfÅôÄ@ÄÄÄôT0Å TableTitleT:Table : . Ä¿Å@Ä@ÄÄÄô 0¿Í¡ŒHeaderDouble Line. ÄÊfÅôÄ@ÄÄÄôT0Å TableTitleT:Table : . ÄÊfÅôÄ@ÄÄÄôT0ÅHeading1Body. $ÄÊfÅôÄ@ÄÄÄôA 0Å$. Lettered A:.\t. ÄÊfÅôÄ@ÄÄÄô0ÅCellFooting. ÄÊfÅôÄ@ÄÄÄôD 0Å BodyCenterBody. Ä@ÄÄÄô $H.l.¿ê.¿¥.¿ÿ.¿¸.¡ .¡D.¡h.¡å.¡ƒ.¡Œ.Code. Ä¿Å@Ä@ÄÄÄô 0¿Í¡ŒFooter. ÄÊfÅôÄ@ÄÄÄôD 0Å BodyCenterBody. ÄÊfÅôÄ@ÄÄÄô 0ÅRule. Ä@ÄÄÄô $H.l.¿ê.¿¥.¿ÿ.¿¸.¡ .¡D.¡h.¡å.¡ƒ.¡Œ.Code. Ä@ÄÄÄô $ÄH.l.¿ê.¿¥.¿ÿ.¿¸.¡ .¡D.¡h.¡å.¡ƒ.¡Œ.Code. Ä¿Å@Ä@ÄÄÄô0$ H l ¿ê ¿¥ ¿ÿ ¿¸ ¡ ¡D ¡h ¡å ManHeading. ÄÊfÅôÄ@ÄÄÄôN 0Å NumberedN:.. ÄÊfÅôÄ@ÄÄÄôN 0Å NumberedN:.. ÄÊfÅôÄ@ÄÄÄôNE 0Å Numbered1 N:.Numbered. ÄÊfÅôÄ@ÄÄÄô 0ÅCellHeading. ÄÊfÅôÄ@ÄÄÄôT0ÅHeadingRunInBody. ÄÊfÅôÄ@ÄÄÄôD 0ÅBodyBody. ÄÊfÅôÄ@ÄÄÄôT0ÅHeading1Body. ÄÊfÅôÄ@ÄÄÄôH 0ÅExerciseBoldH:Exercise . . ç³ÒÄÊfÅôÄ@ÄÄÄôP0ÅHeading InfoBody. ÄÊfÅôÄ@ÄÄÄôT0ÅHeading2Body. ÄÊfÅôÄ@ÄÄÄôH 0ÅExerciseBoldH:Exercise . . ÄÊfÅôÄ@ÄÄÄô 0ÅCellHeading. ÄÊfÅôÄ@ÄÄÄô 0Å Hand. ÄÊfÅôÄ@ÄÄÄô 0Å Hand. $$ÄÊfÅôÄ@ÄÄÄôD 0Å¿êÄBodyBody. ÄÊfÅôÄ@ÄÄÄô 0ÅCellBody. Ä@ÄÄÄô $H.l.¿ê.¿¥.¿ÿ.¿¸.¡ .¡D.¡h.¡å.¡ƒ.¡Œ. CodeCenter. ÄÊfÅôÄ@ÄÄÄô 0ÅCellBody. Ä@ÄÄÄô $H.l.¿ê.¿¥.¿ÿ.¿¸.¡ .¡D.¡h.¡å.¡ƒ.¡Œ. CodeCenter. ÄÊfÅôÄ@ÄÄÄôP0ÅTitleBody. $$ÄÊfÅôÄ@ÄÄÄôD 0Å¿êBodyListBody. $$ÄÊfÅôÄ@ÄÄÄôD 0Å¿êBodyListBody. $Ä@ÄÄÄô $H.l.¿ê.¿¥.¿ÿ.¿¸.¡ .¡D.¡h.¡å.¡ƒ.¡Œ. CodeIndent. $Ä@ÄÄÄô $H.l.¿ê.¿¥.¿ÿ.¿¸.¡ .¡D.¡h.¡å.¡ƒ.¡Œ. CodeIndent. Ä¿Å@Ä@ÄÄÄô 0¿Í¡ŒManHeading2. Ä¿Å@Ä@ÄÄÄô 0$ H l ¿ê ¿¥ ¿ÿ ¿¸ ¡ ¡D ¡h ¡å ManBody. Ä0ÅèœœœEmphasisÄ0ÅèœœœEquationVariables0Åèœœœ0Åèœœœ 0èœœœ 0Å 0 Ä3300Å Ä330 0Å0Å 0Å 0Å 7Å 0Superscript ÅComputer0Å 0Åèœœœ0Å 0Åèœœœ/’ÙÅBold 0ÅBold ÅCode Û¸ÅCodeÄÄÄÄÄÄThinMediumÄÄDoubleThickÄ@ Very ThinH&5H&5H&5H&5H&5Format AH&5H&5H&5H&5H&5Format BComment6ñd BlackT!WhiteddARedddÅGreendd BluedCyandMagentad YellowHeader/Footer $1Header/Footer $1Header/Footer $2Header/Footer $2IndexIndexCommentCommentSubjectSubjectAuthorAuthorGlossaryGlossaryEquationEquation Hypertext Hypertext Cross-Ref Cross-Ref Conditional TextConditional TextPositionFMPrivatePositionFMPrivateRangeEndFMPrivateRangeEndFMPrivate HTML Macro HTML MacroÄ M.Times.PTimes-Roman FrameRoman M.Times.B Times-Bold FrameRomanM.Courier.PCourier FrameRoman M.Times.BITimes-BoldItalic FrameRoman M.Times.ITimes-Italic FrameRoman M.Helvetica.BHelvetica-Bold FrameRomanM.Courier.ICourier-Oblique FrameRomanM.Zapf Dingbats.PZapfDingbats FrameRoman9Courier Helvetica/Times6 Zapf Dingbats!Regular#RomanMediumBoldRegular ObliqueItalicã=y~ÿ±ÂªÇ¹ÃØ"‡eèpÙ~ÆÚtd7Y;8'7MJ‡«ûÝîéC"Aä?£ilœ‡¸Ó]ª…¬ºG×jSaéƒ /€Ñ´B(Ñjuá2¯Ùe>‹Õ5É:†œN¥‰sÌ!$-z ?ŸZ¿LJ~ã>TŽ‡å×¡H•è:ã|Œóˆßž;›ƒÒ;k©5Eô›-aT~Ü!ŒzdŽùÀøæ‹Fa(D–¥àŠé:hŸº©ÞÆ/ ™Z©Ga®t©8ú«ñŒ§G+Íô0ãŒ>B)™µíHðeD<ìŒÓêÆªX~·ën…ñ%‘Ö´3Q8mF9“¾u„ÎÀ.×Ò‘‹[ø£;»ÆX‚•%9Kâï<7ü?fUèlß~¼œ= [B“Î\(a£˜Ž@CÁæ›AèòÓa®)¼Îô™MÖ¡.