DIP 1006 - Preliminary Review Round 1
Timon Gehr
timon.gehr at gmx.ch
Mon Mar 5 19:34:18 UTC 2018
On 05.03.2018 11:30, Walter Bright wrote:
> The idea behind removal of the runtime checks is as a performance
> optimization done on a debugged program.
Optimizing performance is fine, but why pessimize safety? The hints will
usually not make a significant difference in performance anyway. I guess
it is fine to have a compiler option that is all speed no safety, but it
should not be the only option.
> It's like turning on or off array bounds checking.
It is not.
void main()@safe{
int[] x=[];
writeln(x[0]); // range violation even with -release
// defined behavior even with -boundscheck=off (!)
}
If I now add an assertion, I suddenly get UB:
void main()@safe{
int[] x=[];
assert(0<x.length); // obviously this should hold, or next line is
invalid
writeln(x[0]); // UB with -release
}
I did not make the code any more wrong by adding the assertion.
Why should I get more UB?
> Many leave asserts and array bounds checking on
> even in released code to ensure memory safety.
> ...
Maybe the requirements change and it is now too costly to leave
contracts on in release mode, or the number of contracts in the code
base slowly accumulates until we reach a point where the total cost is
too large, or we replace a library, and the new version has costly
contracts, etc. Now we have the following options:
- Leave contracts in -- fail performance requirements.
- Remove contracts -- fail safety requirements.
- Track down all 'assert's, even those in external libraries, and
replace them by a custom home-cooked solution that is incompatible with
everyone else's -- fail maintainability requirements.
To me this situation is ridiculous.
> At a minimum, turning it off and on will illuminate just what the checks
> are costing you.
> ...
Well, no. If the bug is elusive enough to not have shown up in debug
mode, it probably won't be seen early during -release testing, and even
if it does, the UB may mask it. (Note that when the program becomes
faster, the likelihood of timing-dependent bugs showing up may change.)
I.e., if something goes wrong, it is likely that you won't see the
safety costs until it is too late.
> It's at the option of the programmer.
It is not, but I want it to be. That's all I want. [1]
I'm just saying there should be the following option:
- Remove contracts -- sufficient performance and retain memory safety.
FWIW, this is what all contract systems that I'm aware of do, except D,
and maybe C asserts in certain implementations (if you want to call that
contracts).
[1] Well, maybe add a @system "__assume" intrinsic.
More information about the Digitalmars-d
mailing list