shared - i need it to be useful

Timon Gehr timon.gehr at gmx.ch
Mon Oct 22 10:26:14 UTC 2018 

On 22.10.18 02:54, Manu wrote:
> On Sun, Oct 21, 2018 at 5:40 PM Timon Gehr via Digitalmars-d
> <digitalmars-d at puremagic.com> wrote:
>>
>> On 21.10.18 21:04, Manu wrote:
>>> On Sun, Oct 21, 2018 at 12:00 PM Timon Gehr via Digitalmars-d
>>> <digitalmars-d at puremagic.com> wrote:
>>>>
>>>> On 21.10.18 17:54, Nicholas Wilson wrote:
>>>>>
>>>>>> As soon as that is done, you've got a data race with the other
>>>>>> existing unshared aliases.
>>>>>
>>>>> You're in @trusted code, that is the whole point. The onus is on the
>>>>> programmer to make that correct, same with regular @safe/@trusted at system
>>>>> code.
>>>>
>>>> Not all of the parties that participate in the data race are in @trusted
>>>> code. The point of @trusted is modularity: you manually check @trusted
>>>> code according to some set of restrictions and then you are sure that
>>>> there is no memory corruption.
>>>>
>>>> Note that you are not allowed to look at any of the @safe code while
>>>> checking your @trusted code. You will only see an opaque interface to
>>>> the @safe code that you call and all you know is that all the @safe code
>>>> type checks according to @safe rules. Note that there might be an
>>>> arbitrary number of @safe functions and methods that you do not see.
>>>>
>>>> Think about it this way: you first write all the @trusted and @system
>>>> code, and some evil guy who does not like you comes in after you looks
>>>> at your code and writes all the @safe code. If there is any memory
>>>> corruption, it will be your fault and you will face harsh consequences.
>>>> Now, design the @safe type checking rules. It won't be MP!
>>>>
>>>> Note that there may well be a good way to get the good properties of MP
>>>> without breaking the type system, but MP itself is not good because it
>>>> breaks @safe.
>>>
>>> Show me. Nobody has been able to show that yet. I'd really like to know this.
>>>
>>
>> I just did,
> 
> There's no code there... just a presumption that the person who wrote
> the @trusted code did not deliver the promise they made.
> ...

Yes, because there is no way to write @trusted code that holds its 
promise while actually doing something interesting in multiple threads 
if @safe code can implicitly convert from unshared to shared.

>> but if you really need to, give me a non-trivial piece of> correct multithreaded code that accesses some declared-unshared field
>> from a shared method and I will show you how the evil guy would modify
>> some @safe code in it and introduce race conditions. It needs to be your
>> code, as otherwise you will just claim again that it is me who wrote bad
>> @trusted code.
> 
> You can pick on any of my prior code fragments. They've all been ignored so far.
> 

I don't want "code fragments". Show me the real code.

I manually browsed through posts now (thanks a lot) and found this 
implementation:

struct Atomic(T){
   void opUnary(string op : "++")() shared { atomicIncrement(&val); }
   private T val;
}

This is @system code. There is no @safe or @trusted here, so I am 
ignoring it.


Then I browsed some more, because I had nothing better to do, and I 
found this. I completed it so that it is actually compilable, except for 
the unsafe implicit conversion.

Please read this code, and then carefully read the comments below it 
before you respond. I will totally ignore any of your answers that 
arrive in the next two hours.

---
module borked;

void atomicIncrement(int* p)@system{
     import core.atomic;
     atomicOp!("+=",int,int)(*cast(shared(int)*)p,1);
}

struct Atomic(T){
     private T val;
     void opUnary(string op : "++")() shared @trusted {
         atomicIncrement(cast(T*)&val);
     }
}
void main()@safe{
     Atomic!int i;
     auto a=&[i][0];// was: Atomic!int* a = &i;
     import std.concurrency;
     spawn((shared(Atomic!int)* a){ ++*a; }, a);
     ++i.val; // race
}
---


Oh no! The author of the @trusted function (i.e. you) did not deliver on 
the promise they made!

Now, before you go and tell me that I am stupid because I wrote bad 
code, consider the following:

- It is perfectly @safe to access private members from the same module.

- You may not blame the my @safe main function for the problem. It is 
@safe, so it cannot be blamed for UB. Any UB is the result of a bad 
@trusted function, a compiler bug, or hardware failure.

- The only @trusted function in this module was written by you.

You said that there is a third implementation somewhere. If that one 
actually works, I apologize and ask you to please paste it again in this 
subthread.

More information about the Digitalmars-d mailing list