Menu
Search

Forums

Forum Index

September 25, 2022
Gravatar of Paul BackusPosted by Paul Backus
in reply to Sebastiaan Koppe		Reply
Paul Backus
Gravatar of Paul Backus
Posted in reply to Sebastiaan Koppe


Reply

On Sunday, 25 September 2022 at 17:04:51 UTC, Sebastiaan Koppe wrote:

>

On Sunday, 25 September 2022 at 14:23:22 UTC, Paul Backus wrote:

>

If you have isolated, the deallocator can be made @safe by having it take an isolated pointer as its argument.

That would be nice, but doesn't that tantamount to only being able to deallocate something when you can proof there are no other aliases?

That's a necessary condition for being able to deallocate memory in @safe code, period. You can only do it if it doesn't create any dangling pointers.

>

At which point you might as well use that proof and have the compiler call deallocate for you ;)

Not necessarily. The proof is allowed to rely on runtime information, like reference counts, which the compiler does not necessarily know about. In these cases, the programmer can cast the pointer to isolated in @trusted code (similar to how you can cast away shared in @trusted code after locking a mutex).

September 26, 2022
Gravatar of jmh530Posted by jmh530
in reply to Paul Backus		Reply
jmh530
Gravatar of jmh530
Posted in reply to Paul Backus


Reply

On Sunday, 25 September 2022 at 12:03:08 UTC, Paul Backus wrote:

>

[snip]
The only solution is to somehow allow deallocate (and by extension free) to have a @safe interface on its own—which isn't possible in the current D language. At minimum, it would require something like an [isolated qualifier][3] (h/t deadalnix for the link), which would guarantee that a pointer is the only pointer to a particular block of memory. Some form of ownership/borrow checking would also work, of course.
[snip]

It makes sense to me, though I'm not an expert. Another way to think about it is some way to incorporate ownership into the type system.

Walter hasn't been convinced yet that @live isn't sufficient. I think this would need to be proven to his satisfaction before he starts considering alternative. Maybe it can't hurt to flesh this argument out further?

Nevertheless, I think being able to do allocator-aware @safe reference counting should be a necessary condition before moving to @safe by default.

September 27, 2022
Gravatar of Timon GehrPosted by Timon Gehr
in reply to jmh530		Reply
Timon Gehr
Gravatar of Timon Gehr
Posted in reply to jmh530


Reply
On 26.09.22 14:23, jmh530 wrote:
> 
> Walter hasn't been convinced yet that @live isn't sufficient.

To be fair, I don't think Walter ever made the claim that @live is sufficient.
April 14, 2023
Gravatar of Atila NevesPosted by Atila Neves
in reply to Paul Backus		Reply
Atila Neves
Gravatar of Atila Neves
Posted in reply to Paul Backus


Reply

On Sunday, 25 September 2022 at 12:03:08 UTC, Paul Backus wrote:

>

D has made a lot of progress recently on memory safety with -preview=dip1000, thanks in no small part to [the work of Dennis Korpel][1]. This progress has in turn enabled the creation of [SafeRefCounted][2] by Ate Eskola, which will hopefully be available in the next release of Phobos.

[...]

Couldn't it be @safe iff the particular allocator's deallocate is @safe (or missing)?

April 14, 2023
Gravatar of Paul BackusPosted by Paul Backus
in reply to Atila Neves		Reply
Paul Backus
Gravatar of Paul Backus
Posted in reply to Atila Neves


Reply

On Friday, 14 April 2023 at 13:42:15 UTC, Atila Neves wrote:

>

On Sunday, 25 September 2022 at 12:03:08 UTC, Paul Backus wrote:

>

D has made a lot of progress recently on memory safety with -preview=dip1000, thanks in no small part to [the work of Dennis Korpel][1]. This progress has in turn enabled the creation of [SafeRefCounted][2] by Ate Eskola, which will hopefully be available in the next release of Phobos.

[...]

Couldn't it be @safe iff the particular allocator's deallocate is @safe (or missing)?

Yes. The obvious follow-up question is, "what does it take to make a deallocate method @safe?" And the answer is: it takes isolated, or some other way to restrict aliasing in @safe code.

As Timon [1] and others [2][3] has helpfully explained, now that we have @system variables from DIP 1035, it is possible to do this without adding new language features, although the UX is not ideal.

So, the current next step on the TODO list is to design a new allocator API that takes advantage of these techniques to make deallocate @safe.

[1] https://forum.dlang.org/post/tr9j1h$1fvd$1@digitalmars.com
[2] https://forum.dlang.org/post/xggosoodlcegitocruwf@forum.dlang.org
[3] https://forum.dlang.org/post/gdkikaklqyvxdyklvmug@forum.dlang.org

April 14, 2023
Gravatar of DukcPosted by Dukc
in reply to Atila Neves		Reply
Dukc
Gravatar of Dukc
Posted in reply to Atila Neves


Reply

On Friday, 14 April 2023 at 13:42:15 UTC, Atila Neves wrote:

>

On Sunday, 25 September 2022 at 12:03:08 UTC, Paul Backus wrote:

>

D has made a lot of progress recently on memory safety with -preview=dip1000, thanks in no small part to [the work of Dennis Korpel][1]. This progress has in turn enabled the creation of [SafeRefCounted][2] by Ate Eskola, which will hopefully be available in the next release of Phobos.

[...]

Couldn't it be @safe iff the particular allocator's deallocate is @safe (or missing)?

An interesting question. In principle, you COULD make @safe allocator that allocates out of a static memory block. You are only getting and returning void[] slices, which in itself isn't @system. What makes it dangerous is that those void slices are them used as storage for arbitrary types. So if your @safe allocator doesn't do what it's supposed to you can end up overwriting live pointers, because the allocation machinery does @trusted casts that rely on the custom allocator behaving right.

In practice it's probably going to be a problem. Maybe the allocator should instead return some wrapper type over void[] that can only be created or destructed in @system code.

« First   ‹ Prev
1 2
Next ›   Last »