Voting for std.experimental.checkedint (page 3)

On Sunday, 26 February 2017 at 10:34:07 UTC, Patrick Schluter wrote:
> On Sunday, 26 February 2017 at 09:53:42 UTC, Seb wrote:
>> On Sunday, 26 February 2017 at 09:41:46 UTC, rumbu wrote:
>>> [...]
>>
>> If you want a module with a lot less features, the low-level core.checkedint might be interesting for you:
>>
>> http://dlang.org/phobos/core_checkedint.html
>>
>>> [...]
>>
>>
>> It is now: http://dlang.org/phobos-prerelease/std_experimental_checkedint.html
>>
>> If this is still unclear, please submit a PR to improve the docs! ;-)
>
> The runnable examples fail at compilation with
> /d947/f268.d(1): Error: module checkedint is in file 'std/experimental/checkedint.d' which cannot be read

Yes that's expected as DPaste doesn't support dmd-nightly builds :/
There's not much I can update this - the maintainer of DPaste hasn't been very active recently.
So if you want to do sth. about it, there are two ways:

1) Ping him friendly -> https://github.com/nazriel
2) Write your DPaste replacement (could be based on the dlang-tour [1])

[1] https://github.com/stonemaster/dlang-tour/issues/501

February 26, 2017

Re: Voting for std.experimental.checkedint

Posted by Andrei Alexandrescu
in reply to Seb

Permalink

Andrei Alexandrescu

Posted in reply to Seb

Permalink

On 2/26/17 4:53 AM, Seb wrote:
> On Sunday, 26 February 2017 at 09:41:46 UTC, rumbu wrote:
>> On Saturday, 25 February 2017 at 15:21:10 UTC, Andrei Alexandrescu wrote:
>>> On 02/25/2017 10:17 AM, rumbu wrote:
>>>> A lot of bloat code for something extremely basic.
>>>
>>> If you can do it with less code, I'm all ears. Thanks! -- Andrei
>>
>> This was not about coding skills, was about usability. The module
>> contains too many options and failure scenarios instead of a simple
>> default behavior.
>>
>> Considering that in most languages with integrated overflow checking,
>> the default behavior is throwing some kind of exception (Ada, C#,
>> Pascal, Rust, Swift)
>
> If you want a module with a lot less features, the low-level
> core.checkedint might be interesting for you:
>
> http://dlang.org/phobos/core_checkedint.html

Thanks for making this point. I agree with the sentiment "you mean I need a 1 KLOC library just to check a handful of operations?" This paradox is very interesting and worth looking into.

(BTW the number of lines as dscanner --sloc counts is 1261.)

Indeed, the routines in core.checkedint are everything needed (in addition to some inline code for comparisons) if the purpose is to check operations individually. However, if the intent is to check for errors systematically for certain values or program fragments, that doesn't scale; before long, the code becomes a bloatfest. Not to mention the difficulty in making sure that all operations of interest have been, in fact, covered.

So the next logical step is to attempt encapsulation of these checks in a type. Here is where one way or another the code bulk must increase, and the key question here is how much ability to customize you get per unit of code increase.

One issue with checked integers in general, and as a standard (i.e. highly reusable) library in particular, is that they are quite project specific: what to do upon violation, and which operations to verify and which to let run at full speed. As soon as a library does something even slightly different from what's necessary, the usability and efficiency margins are so narrow, you need to throw the library away and write your own. This is very opposite from, say, writing a sorting algorithm wherein the API design is very narrow and the difficulty is in the algorithm itself. So if you want to write a highly reusable checkedint library, you must put ability to customize front, left, and center.

I've started work on an article on DbI, and did a little research on other libraries. I found these:

* Mozilla's CheckedInt: https://hg.mozilla.org/mozilla-central/file/tip/mfbt/CheckedInt.h, clocking at only 791 LoC (no docs and unittests). Though compact and ingenious, it makes two design decisions that I think are problematic: (a) it stores a "valid" bit (which costs an actual word) together with the integral value (https://hg.mozilla.org/mozilla-central/file/tip/mfbt/CheckedInt.h#l503), which leads to an inefficient layout and also puts all enforcement onus on the user; and (b) it separates overflow checks from the actual operations, which leads to bulky and inefficient overflow checks (see e.g. https://hg.mozilla.org/mozilla-central/file/tip/mfbt/CheckedInt.h#l256 for addition).

* https://safeint.codeplex.com by Microsoft - a behemoth of a library clocking at 7055 LoC including comments. Speed is an explicit goal. It makes a number of design decisions that might not work for everyone, for example:

- accepts (somewhat obliquely) implicit conversion back to the representation type, which is kind of defeating the purpose

- taking the address decays to a pointer to unchecked integral (what?)

- has a rigid error policy (either assert or throw)

- the checks and the error handling policies are awkwardly controlled via command line instead of template parameters

- binary operators don't work against two SafeInts

- signed/unsigned comparisons are not checked (this is a consequence of the implicit decay)

* https://github.com/robertramey/safe_numerics, meant as an addition to Boost. That's also a large lbrary (4969 lines with light comments, going up to over 10K lines with unittests, and requiring 6 other Boost libraries: MPL, Integer, Config, Concept Checking, Tribool, and Enable_if). The author also wrote a recent article (Overload Feb 2017) that describes the library: http://www.rrsd.com/software_development/safe_numerics/Overload137.pdf. The article does a great job at motivating such libraries. The facility allows good error policy customization, and allows to some extent customizing the checks being done (only for promotions). It also has a mode that is at least theoretically interesting - it expands the result of operations whenever possible to preserve correctness, and refuses to compile code that might overflow. I speculate that that feature is of very limited use; in just a couple of steps everything goes to 64 bits, and we're done. The implementation has the usual genuflections one would expect, for example:

   template<class T, class U>
    using calculate_max_t =
        typename boost::mpl::if_c<
            // clause 1 - if both operands have the same sign
            std::numeric_limits<T>::is_signed
            == std::numeric_limits<U>::is_signed,
            // use that sign
            typename boost::mpl::if_c<
                std::numeric_limits<T>::is_signed,
                std::intmax_t,
                std::uintmax_t
            >::type,
        // clause 2 - otherwise if the rank of the unsigned type exceeds
        // the rank of the of the maximum signed type
        typename boost::mpl::if_c<
            (rank< select_unsigned<T, U>>::value
            > rank< std::intmax_t >::value),
            // use unsigned type
            std::uintmax_t,
        // clause 3 - otherwise if the type of the signed integer type can
        // represent all the values of the unsigned type
        typename boost::mpl::if_c<
            std::numeric_limits< std::intmax_t >::digits >=
            std::numeric_limits< select_unsigned<T, U> >::digits,
            // use signed type
            std::intmax_t,
        // clause 4 - otherwise use unsigned version of the signed type
            std::uintmax_t
        >::type >::type >::type;

* https://code.dlang.org/packages/checkedint by Thomas Stuart Bockman. I might be biased but it compares favorably against all of the above. A major goal of std.experimental.checkedint was to allow more customization in a smaller package.

Andrei

Forums