<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div apple-content-edited="true"><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><span class="Apple-style-span" style="border-collapse: separate; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; -webkit-text-decorations-in-effect: none; text-indent: 0px; -webkit-text-size-adjust: auto; text-transform: none; orphans: 2; white-space: normal; widows: 2; word-spacing: 0px; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><span class="Apple-style-span" style="border-collapse: separate; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; -webkit-text-decorations-in-effect: none; text-indent: 0px; -webkit-text-size-adjust: auto; text-transform: none; orphans: 2; white-space: normal; widows: 2; word-spacing: 0px; "><span class="Apple-style-span" style="border-collapse: separate; -webkit-border-horizontal-spacing: 0px; 
-webkit-border-vertical-spacing: 0px; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; -webkit-text-decorations-in-effect: none; text-indent: 0px; -webkit-text-size-adjust: auto; text-transform: none; orphans: 2; white-space: normal; widows: 2; word-spacing: 0px; "><span class="Apple-style-span" style="border-collapse: separate; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; -webkit-text-decorations-in-effect: none; text-indent: 0px; -webkit-text-size-adjust: auto; text-transform: none; orphans: 2; white-space: normal; widows: 2; word-spacing: 0px; "><span class="Apple-style-span" style="border-collapse: separate; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; -webkit-text-decorations-in-effect: none; text-indent: 0px; -webkit-text-size-adjust: auto; text-transform: none; orphans: 2; white-space: normal; widows: 2; word-spacing: 0px; "><span class="Apple-style-span" style="border-collapse: separate; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; -webkit-text-decorations-in-effect: none; text-indent: 0px; -webkit-text-size-adjust: auto; text-transform: none; orphans: 2; white-space: normal; widows: 2; word-spacing: 0px; "><span class="Apple-style-span" style="border-collapse: separate; -webkit-border-horizontal-spacing: 0px; 
-webkit-border-vertical-spacing: 0px; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; -webkit-text-decorations-in-effect: none; text-indent: 0px; -webkit-text-size-adjust: auto; text-transform: none; orphans: 2; white-space: normal; widows: 2; word-spacing: 0px; "><span class="Apple-style-span" style="border-collapse: separate; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; -webkit-text-decorations-in-effect: none; text-indent: 0px; -webkit-text-size-adjust: auto; text-transform: none; orphans: 2; white-space: normal; widows: 2; word-spacing: 0px; "><span class="Apple-style-span" style="border-collapse: separate; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; -webkit-text-decorations-in-effect: none; text-indent: 0px; -webkit-text-size-adjust: auto; text-transform: none; orphans: 2; white-space: normal; widows: 2; word-spacing: 0px; "><div><span class="Apple-style-span" style="font-size: medium;"><font class="Apple-style-span" color="#0000FF" face="'Gill Sans'">Safe code can't do anything with a value of type ADDRESS except pass it around. 
It must use unsafe operations (NARROW) to turn it into something usable.</font></span></div><div><font class="Apple-style-span" color="#0000FF" face="'Gill Sans'"><span class="Apple-style-span" style="font-size: medium;"><br></span></font></div><div><font class="Apple-style-span" color="#0000FF" face="'Gill Sans'"><span class="Apple-style-span" style="font-size: medium;">I think you misunderstood ThreadF in the first place. It has always been logically unsafe, if not UNSAFE. I don't want ThreadF ever to come to be something that people outside the runtime system rely on. The Id type and MyId function are simply a convenience, but are not and never have been part of the standard interfaces.</span></font></div><div><font class="Apple-style-span" color="#0000FF" face="'Gill Sans'"><span class="Apple-style-span" style="font-size: medium;"><br></span></font></div><div><font class="Apple-style-span" color="#0000FF" face="'Gill Sans'"><span class="Apple-style-span" style="font-size: medium;">Can we please just revert back to the way it has always been?</span></font></div></span></span></span></span></span></span></span></span></div></span></div></span> </div><br><div><div>On 13 Sep 2009, at 09:51, Jay K wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div class="hmmessage" style="font-size: 10pt; font-family: Verdana; ">The functions are meant to be unsafe either way.<br>ThreadF.i3 clearly had a safety hole before, but 
not due to the functions "in question".<br><br>Good point about passing in ADDRESSes..but I'm not entirely sure I understand/agree.<br>Can safe code ("directly") generate any ADDRESSes at all? Or only get them from<br>unsafe code in the first place?<br>ADDRESS only comes from ADR, right? And ADR isn't allowed in safe? I'll check.<br><br>IF safe code CAN generate ADDRESSes, then this was a hole:<br>PROCEDURE SetCurrentHandlers(h: ADDRESS);<br><br>and perhaps these:<br>PROCEDURE SuspendOthers ();<br>(* Suspend all threads except the caller's *)<br><br>PROCEDURE ResumeOthers ();<br><br>Though probably not the second, since safe code can trivially hang/deadlock on its own.<br><br>The public safe ThreadF.i3 now just:<br><br>(*-------------------------------------------------- showthreads support ---*)<br><br>TYPE<br> State = {<br> alive (* can run *),<br> waiting (* waiting for a condition via Wait *),<br> locking (* waiting for a mutex to be unlocked *),<br> pausing (* waiting until some time is arrived *),<br> blocking (* waiting for some IO *),<br> dying (* done, but not yet joined *),<br> dead (* done and joined *)<br> };<br><br>(*-------------------------------------------------------------- identity ---*)<br><br>TYPE<br> Id = INTEGER;<br><br>PROCEDURE MyId(): Id RAISES {};<br>(* return Id of caller *)<br><br><br>Everything else I moved to the non-public ThreadInternal.i3.<br><br><br>> But in Modula-3 whether an interface is unsafe or not *is* a boolean.<br><br>Understood, but I still think even in unsafe code, LOOPHOLE should be minimized.<br>C and C++ programmers are often taught to minimize casts, esp. 
reinterpret_cast.<br>I think that guidance carries over to Modula's LOOPHOLE, even if you are already unsafe<br>for other reasons.<br><br> - Jay<br><br><br>> To:<span class="Apple-converted-space"> </span><a href="mailto:jay.krell@cornell.edu">jay.krell@cornell.edu</a><br>> CC:<span class="Apple-converted-space"> </span><a href="mailto:m3devel@elegosoft.com">m3devel@elegosoft.com</a><br>> Subject: Re: [M3devel] RC merge<span class="Apple-converted-space"> </span><br>> Date: Sun, 13 Sep 2009 02:44:50 -0700<br>> From:<span class="Apple-converted-space"> </span><a href="mailto:mika@async.async.caltech.edu">mika@async.async.caltech.edu</a><br>><span class="Apple-converted-space"> </span><br>> Jay K writes:<br>> ...<br>> ><br>> >Imagine you are a somewhat prolific fairly happy C or C++ programmer. The whole world is unsafe, but receives a fair amount of static checking and is therefore largely correct and perhaps doesn't even suffer much from the lack of safety.<br>> ><br>> > void* GetFoo(void);<br>> > void* GetBar(void);<br>> ><br>> >or<br>> ><br>> > Foo_t* GetFoo(void);<br>> > Bar_t* GetBar(void);<br>> ><br>> >?<br>> ><br>> >Definitely the second.<br>> ><br>> >Perhaps perhaps perhaps perhaps a function should be able to be declared to return an UNTRACED REF Foo.Something, without actually importing Foo or defining Something?<br>> ><br>> >Clearly the safety of an /interface/ is more subtle than a boolean.<br>> >Some functions may be safe and others unsafe.<br>> >Even some uses of functions.<br>> >Imagine for example:<br>> ><br>> >PROCEDURE GetFoo(): UNTRACED REF Foo.Something;<br>> ><br>> >Perhaps a safe function could call this function, as long as it only compares the return value to NIL?<br>> 
>Actually storing it in a variable would require IMPORT Foo, and if FOO is declared UNSAFE, then that would pollute the caller. Or maybe merely declaring a variable of UNTRACED is enough to wreck safety?<br>><span class="Apple-converted-space"> </span><br>> But in Modula-3 whether an interface is unsafe or not *is* a boolean.<br>> It's very clearly defined what it means in the Green Book.<br>><span class="Apple-converted-space"> </span><br>> If you don't declare your GetFoo as UNSAFE you can write<br>><span class="Apple-converted-space"> </span><br>> VAR x := GetFoo(); BEGIN (* manipulate fields of x *) END<br>><span class="Apple-converted-space"> </span><br>> in safe code.<br>><span class="Apple-converted-space"> </span><br>> Declaring GetFoo to return ADDRESS won't let you do that. Hence,<br>> it's safer, if there's a safety problem with manipulating the fields.<br>><span class="Apple-converted-space"> </span><br>> An interface can hardly assume that it is the only one injecting objects<br>> of type ADDRESS into the "safe world" so if you're allowing the safe world<br>> to pass these objects back in your interface you have to sanity-check<br>> them anyhow. You do not, however, need to worry about the fields having<br>> been changed by the safe code.<br>><span class="Apple-converted-space"> </span><br>> If you need some more subtle properties than that you probably ought<br>> to be writing UNSAFE code in the first place. Or is there some trickery<br>> you can do along the lines of what we came up with for small integers<br>> in pointers?<br>><span class="Apple-converted-space"> </span><br>> Mika<br></div></span></blockquote></div><br></body></html>