Voting for std.experimental.checkedint
Andrei Alexandrescu via Digitalmars-d
digitalmars-d at puremagic.com
Sun Feb 26 13:15:13 PST 2017
On 2/26/17 4:53 AM, Seb wrote:
> On Sunday, 26 February 2017 at 09:41:46 UTC, rumbu wrote:
>> On Saturday, 25 February 2017 at 15:21:10 UTC, Andrei Alexandrescu wrote:
>>> On 02/25/2017 10:17 AM, rumbu wrote:
>>>> A lot of bloat code for something extremely basic.
>>>
>>> If you can do it with less code, I'm all ears. Thanks! -- Andrei
>>
>> This was not about coding skills, was about usability. The module
>> contains too many options and failure scenarios instead of a simple
>> default behavior.
>>
>> Considering that in most languages with integrated overflow checking,
>> the default behavior is throwing some kind of exception (Ada, C#,
>> Pascal, Rust, Swift)
>
> If you want a module with a lot less features, the low-level
> core.checkedint might be interesting for you:
>
> http://dlang.org/phobos/core_checkedint.html
Thanks for making this point. I agree with the sentiment "you mean I
need a 1 KLOC library just to check a handful of operations?" This
paradox is very interesting and worth looking into.
(BTW the number of lines as dscanner --sloc counts is 1261.)
Indeed, the routines in core.checkedint are everything needed (in
addition to some inline code for comparisons) if the purpose is to check
operations individually. However, if the intent is to check for errors
systematically for certain values or program fragments, that doesn't
scale; before long, the code becomes a bloatfest. Not to mention the
difficulty in making sure that all operations of interest have been, in
fact, covered.
So the next logical step is to attempt encapsulation of these checks in
a type. Here is where one way or another the code bulk must increase,
and the key question here is how much ability to customize you get per
unit of code increase.
One issue with checked integers in general, and as a standard (i.e.
highly reusable) library in particular, is that they are quite project
specific: what to do upon violation, and which operations to verify and
which to let run at full speed. As soon as a library does something even
slightly different from what's necessary, the usability and efficiency
margins are so narrow, you need to throw the library away and write your
own. This is very opposite from, say, writing a sorting algorithm
wherein the API design is very narrow and the difficulty is in the
algorithm itself. So if you want to write a highly reusable checkedint
library, you must put ability to customize front, left, and center.
I've started work on an article on DbI, and did a little research on
other libraries. I found these:
* Mozilla's CheckedInt:
https://hg.mozilla.org/mozilla-central/file/tip/mfbt/CheckedInt.h,
clocking at only 791 LoC (no docs and unittests). Though compact and
ingenious, it makes two design decisions that I think are problematic:
(a) it stores a "valid" bit (which costs an actual word) together with
the integral value
(https://hg.mozilla.org/mozilla-central/file/tip/mfbt/CheckedInt.h#l503),
which leads to an inefficient layout and also puts all enforcement onus
on the user; and (b) it separates overflow checks from the actual
operations, which leads to bulky and inefficient overflow checks (see
e.g.
https://hg.mozilla.org/mozilla-central/file/tip/mfbt/CheckedInt.h#l256
for addition).
* https://safeint.codeplex.com by Microsoft - a behemoth of a library
clocking at 7055 LoC including comments. Speed is an explicit goal. It
makes a number of design decisions that might not work for everyone, for
example:
- accepts (somewhat obliquely) implicit conversion back to the
representation type, which is kind of defeating the purpose
- taking the address decays to a pointer to unchecked integral (what?)
- has a rigid error policy (either assert or throw)
- the checks and the error handling policies are awkwardly controlled
via command line instead of template parameters
- binary operators don't work against two SafeInts
- signed/unsigned comparisons are not checked (this is a consequence of
the implicit decay)
* https://github.com/robertramey/safe_numerics, meant as an addition to
Boost. That's also a large lbrary (4969 lines with light comments, going
up to over 10K lines with unittests, and requiring 6 other Boost
libraries: MPL, Integer, Config, Concept Checking, Tribool, and
Enable_if). The author also wrote a recent article (Overload Feb 2017)
that describes the library:
http://www.rrsd.com/software_development/safe_numerics/Overload137.pdf.
The article does a great job at motivating such libraries. The facility
allows good error policy customization, and allows to some extent
customizing the checks being done (only for promotions). It also has a
mode that is at least theoretically interesting - it expands the result
of operations whenever possible to preserve correctness, and refuses to
compile code that might overflow. I speculate that that feature is of
very limited use; in just a couple of steps everything goes to 64 bits,
and we're done. The implementation has the usual genuflections one would
expect, for example:
template<class T, class U>
using calculate_max_t =
typename boost::mpl::if_c<
// clause 1 - if both operands have the same sign
std::numeric_limits<T>::is_signed
== std::numeric_limits<U>::is_signed,
// use that sign
typename boost::mpl::if_c<
std::numeric_limits<T>::is_signed,
std::intmax_t,
std::uintmax_t
>::type,
// clause 2 - otherwise if the rank of the unsigned type exceeds
// the rank of the of the maximum signed type
typename boost::mpl::if_c<
(rank< select_unsigned<T, U>>::value
> rank< std::intmax_t >::value),
// use unsigned type
std::uintmax_t,
// clause 3 - otherwise if the type of the signed integer type can
// represent all the values of the unsigned type
typename boost::mpl::if_c<
std::numeric_limits< std::intmax_t >::digits >=
std::numeric_limits< select_unsigned<T, U> >::digits,
// use signed type
std::intmax_t,
// clause 4 - otherwise use unsigned version of the signed type
std::uintmax_t
>::type >::type >::type;
* https://code.dlang.org/packages/checkedint by Thomas Stuart Bockman. I
might be biased but it compares favorably against all of the above. A
major goal of std.experimental.checkedint was to allow more
customization in a smaller package.
Andrei
More information about the Digitalmars-d
mailing list