assume, assert, enforce, @safe

Walter Bright via Digitalmars-d digitalmars-d at puremagic.com
Thu Jul 31 18:19:59 PDT 2014 

On 7/31/2014 3:07 PM, David Bregman wrote:
> On Thursday, 31 July 2014 at 18:58:11 UTC, Walter Bright wrote:
>> On 7/31/2014 4:28 AM, David Bregman wrote:
>>> Sigh. Of course you can assume the condition after a runtime check has been
>>> inserted. You just showed that
>>>
>>> assert(x); assume(x);
>>>
>>> is semantically equivalent to
>>> assert(x);
>>>
>>> as long as the runtime check is not elided. (no -release)
>>
>> No. I showed that you cannot have an assert without the assume. That makes
>> them equivalent that direction.
>
> That is only true if assert always generates a runtime check. i.e. it is not
> true for C/C++ assert (and so far, D assert) in release mode.
>
>> For the other direction, adding in a runtime check for an assume is going to
>> be expected of an implementation.
>
> No. It is expected that assume does /not/ have a runtime check. Assume is used
> to help the compiler optimize based on trusted facts, doing a runtime check
> could easily defeat the purpose of such micro optimizations.

I'm rather astonished you'd take that position. It opens a huge door wide for 
undefined behavior, and no obvious way of verifying that the assume() is correct.

I'm confident that if D introduced such behavior, the very first comment would 
be "I need it to insert a runtime check on demand."


>> And, in fact, since the runtime check won't change the semantics if the assume
>> is correct, they are equivalent.
>
> Right, only "if the assume is correct". So they aren't equivalent if it isn't
> correct.
>
> Q.E.D. ?

I'm not buying those uncheckable semantics as being workable and practical.


>>> But you still want to assert to become assume in release mode? How
>>> will you handle the safety issue?
>>
>> I don't know yet.
>
> I would think the easiest way is to just not inject the assumption when inside
> @safe code, but I don't know anything about the compiler internals.
>
> Even for @system code, I'm on the fence about whether asserts should affect
> codegen in release, it doesn't seem like a clear tradeoff to make: safety vs
> some dubious optimization gains.

So why do you want assume() with no checking whatsoever? Does anybody want that? 
Why are we even discussing such a misfeature?

> Do we really want to go down the same road as C
> with undefined behavior?

So you don't want assume()? Who does?

More information about the Digitalmars-d mailing list