<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div apple-content-edited="true"><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><span class="Apple-style-span" style="border-collapse: separate; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; -webkit-text-decorations-in-effect: none; text-indent: 0px; -webkit-text-size-adjust: auto; text-transform: none; orphans: 2; white-space: normal; widows: 2; word-spacing: 0px; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><span class="Apple-style-span" style="border-collapse: separate; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; -webkit-text-decorations-in-effect: none; text-indent: 0px; -webkit-text-size-adjust: auto; text-transform: none; orphans: 2; white-space: normal; widows: 2; word-spacing: 0px; "><span class="Apple-style-span" style="border-collapse: separate; -webkit-border-horizontal-spacing: 0px; 
-webkit-border-vertical-spacing: 0px; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; -webkit-text-decorations-in-effect: none; text-indent: 0px; -webkit-text-size-adjust: auto; text-transform: none; orphans: 2; white-space: normal; widows: 2; word-spacing: 0px; "><span class="Apple-style-span" style="border-collapse: separate; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; -webkit-text-decorations-in-effect: none; text-indent: 0px; -webkit-text-size-adjust: auto; text-transform: none; orphans: 2; white-space: normal; widows: 2; word-spacing: 0px; "><span class="Apple-style-span" style="border-collapse: separate; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; -webkit-text-decorations-in-effect: none; text-indent: 0px; -webkit-text-size-adjust: auto; text-transform: none; orphans: 2; white-space: normal; widows: 2; word-spacing: 0px; "><span class="Apple-style-span" style="border-collapse: separate; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; -webkit-text-decorations-in-effect: none; text-indent: 0px; -webkit-text-size-adjust: auto; text-transform: none; orphans: 2; white-space: normal; widows: 2; word-spacing: 0px; "><span class="Apple-style-span" style="border-collapse: separate; -webkit-border-horizontal-spacing: 0px; 
-webkit-border-vertical-spacing: 0px; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; -webkit-text-decorations-in-effect: none; text-indent: 0px; -webkit-text-size-adjust: auto; text-transform: none; orphans: 2; white-space: normal; widows: 2; word-spacing: 0px; "><span class="Apple-style-span" style="border-collapse: separate; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; -webkit-text-decorations-in-effect: none; text-indent: 0px; -webkit-text-size-adjust: auto; text-transform: none; orphans: 2; white-space: normal; widows: 2; word-spacing: 0px; "><span class="Apple-style-span" style="border-collapse: separate; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; -webkit-text-decorations-in-effect: none; text-indent: 0px; -webkit-text-size-adjust: auto; text-transform: none; orphans: 2; white-space: normal; widows: 2; word-spacing: 0px; "><div><font class="Apple-style-span" color="#0000FF" face="'Gill Sans'"><span class="Apple-style-span" style="font-size: medium;">It will stay in ThreadF.</span></font></div><div><font class="Apple-style-span" color="#0000FF" face="'Gill Sans'"><span class="Apple-style-span" style="font-size: medium;"><br></span></font></div><div><span class="Apple-style-span" style="font-size: medium; ">On 13 Sep 2009, at 16:30, Mika Nystrom wrote:</span></div></span></span></span></span></span></span></span></span></div></span></div></span></div><div><br class="Apple-interchange-newline"><blockquote type="cite"><div><br>ThreadF.MyId is 
something I have used in otherwise perfectly safe code,<br>hope it doesn't go away! It's very nice to be able to distinguish <br>threads from each other without extra effort from the programmer. Is<br>this something that is sometimes hard to provide?<br><br> Mika<br><br><br>Tony Hosking writes:<br><blockquote type="cite"><br></blockquote><blockquote type="cite">Safe code can't do anything with a value of type ADDRESS except pass <br></blockquote><blockquote type="cite">it around. It must use unsafe operations (NARROW) to turn it into <br></blockquote><blockquote type="cite">something usable.<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">I think you misunderstood ThreadF in the first place. It has always <br></blockquote><blockquote type="cite">been logically unsafe, if not UNSAFE. I don't want ThreadF ever to <br></blockquote><blockquote type="cite">come to be something that people outside the runtime system rely on. 
<br></blockquote><blockquote type="cite">The Id type and MyId function is simply a convenience, but not and <br></blockquote><blockquote type="cite">never has been part of the standard interfaces.<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">Can we please just revert back to the way it has always been?<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">On 13 Sep 2009, at 09:51, Jay K wrote:<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite"><blockquote type="cite">The functions are meant to be unsafe either way.<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">ThreadF.i3 clearly had a safety hole before, but not due to the <br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">functions "in question".<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">Good point about passing in ADDRESSes..but I'm not entirely sure I <br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">understand/agree.<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">Can safe code ("directly") generate any ADDRESSes at all? Or only <br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">get them from<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">unsafe code in the first place?<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">ADDRESS only comes from ADR, right? And ADR isn't allowed in safe? 
<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">I'll check.<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">IF safe code CAN generate ADDRESSes, then this was a hole:<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">PROCEDURE SetCurrentHandlers(h: ADDRESS);<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">and perhaps these:<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">PROCEDURE SuspendOthers ();<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">(* Suspend all threads except the caller's *)<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">PROCEDURE ResumeOthers ();<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">Though probably not the second, since safe code can trivially hang/ <br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">deadlock on its own.<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">The public safe ThreadF.i3 now just:<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">(*-------------------------------------------------- showthreads <br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">support ---*)<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote 
type="cite">TYPE<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"> State = {<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"> alive (* can run *),<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"> waiting (* waiting for a condition via Wait *),<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"> locking (* waiting for a mutex to be unlocked *),<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"> pausing (* waiting until some time is arrived *),<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"> blocking (* waiting for some IO *),<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"> dying (* done, but not yet joined *),<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"> dead (* done and joined *)<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"> };<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">(*-------------------------------------------------------------- <br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">identity ---*)<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">TYPE<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"> Id = INTEGER;<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">PROCEDURE MyId(): Id RAISES {};<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">(* return Id of caller *)<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote 
type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">Everything else I moved to the non-public ThreadInternal.i3.<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">But in Modula-3 whether an interface is unsafe or not *is* a boolean.<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">Understood, but I still think even in unsafe code, LOOPHOLE should <br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">be minimized.<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">C and C++ programmers are often taught to minimize casts, esp. 
<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">reinterpret_cast.<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">I think that guidance carries over to Modula's LOOPHOLE, even if you <br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">are already unsafe<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">for other reasons.<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"> - Jay<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">To: <a href="mailto:jay.krell@cornell.edu">jay.krell@cornell.edu</a><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">CC: <a href="mailto:m3devel@elegosoft.com">m3devel@elegosoft.com</a><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Subject: Re: [M3devel] RC merge<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Date: Sun, 13 Sep 2009 02:44:50 -0700<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">From: <a href="mailto:mika@async.async.caltech.edu">mika@async.async.caltech.edu</a><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Jay K writes:<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote 
type="cite">...<br></blockquote></blockquote></blockquote>
<blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote>
<blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Imagine you are a somewhat prolific fairly happy C or C++ programmer. The whole world is unsafe, but receives a fair amount of static checking and is therefore largely correct and perhaps doesn't even suffer much from the lack of safety.<br></blockquote></blockquote></blockquote></blockquote>
<blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote>
<blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">void* GetFoo(void);<br></blockquote></blockquote></blockquote></blockquote>
<blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">void* GetBar(void);<br></blockquote></blockquote></blockquote></blockquote>
<blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote>
<blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">or<br></blockquote></blockquote></blockquote></blockquote>
<blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote>
<blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Foo_t* GetFoo(void);<br></blockquote></blockquote></blockquote></blockquote>
<blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Bar_t* GetBar(void);<br></blockquote></blockquote></blockquote></blockquote>
<blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote>
<blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">?<br></blockquote></blockquote></blockquote></blockquote>
<blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote>
<blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Definitely the second.<br></blockquote></blockquote></blockquote></blockquote>
<blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote>
<blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Perhaps perhaps perhaps perhaps a function should be able to be declared to return an UNTRACED REF Foo.Something, without actually importing Foo or defining Something?<br></blockquote></blockquote></blockquote></blockquote>
<blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote>
<blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Clearly the safety of an /interface/ is more subtle than a boolean.<br></blockquote></blockquote></blockquote></blockquote>
<blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Some functions may be safe and others unsafe.<br></blockquote></blockquote></blockquote></blockquote>
<blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Even some uses of functions.<br></blockquote></blockquote></blockquote></blockquote>
<blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Imagine for example:<br></blockquote></blockquote></blockquote></blockquote>
<blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote>
<blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">PROCEDURE GetFoo(): UNTRACED REF Foo.Something;<br></blockquote></blockquote></blockquote></blockquote>
<blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote></blockquote>
<blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Perhaps a safe function could call this function, as long as it only compares the return value to NIL?<br></blockquote></blockquote></blockquote></blockquote>
<blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Actually storing it in a variable would require IMPORT Foo, and if FOO is declared UNSAFE, then that would<br></blockquote></blockquote></blockquote></blockquote>
<blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">pollute the caller. Or maybe merely declaring a variable of UNTRACED is enough to wreck safety?<br></blockquote></blockquote></blockquote></blockquote>
<blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote>
<blockquote type="cite"><blockquote type="cite"><blockquote type="cite">But in Modula-3 whether an interface is unsafe or not *is* a boolean.<br></blockquote></blockquote></blockquote>
<blockquote type="cite"><blockquote type="cite"><blockquote type="cite">It's very clearly defined what it means in the Green Book.<br></blockquote></blockquote></blockquote>
<blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote>
<blockquote type="cite"><blockquote type="cite"><blockquote type="cite">If you don't declare your GetFoo as UNSAFE you can write<br></blockquote></blockquote></blockquote>
<blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote>
<blockquote type="cite"><blockquote 
type="cite"><blockquote type="cite">VAR x := GetFoo(); BEGIN (* manipulate fields of x *) END<br></blockquote></blockquote></blockquote>
<blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote>
<blockquote type="cite"><blockquote type="cite"><blockquote type="cite">in safe code.<br></blockquote></blockquote></blockquote>
<blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote>
<blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Declaring GetFoo to return ADDRESS won't let you do that. Hence,<br></blockquote></blockquote></blockquote>
<blockquote type="cite"><blockquote type="cite"><blockquote type="cite">it's safer, if there's a safety problem with manipulating the fields.<br></blockquote></blockquote></blockquote>
<blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote>
<blockquote type="cite"><blockquote type="cite"><blockquote type="cite">An interface can hardly assume that it is the only one injecting objects<br></blockquote></blockquote></blockquote>
<blockquote type="cite"><blockquote type="cite"><blockquote type="cite">of type ADDRESS into the "safe world" so if you're allowing the safe world<br></blockquote></blockquote></blockquote>
<blockquote type="cite"><blockquote type="cite"><blockquote type="cite">to pass these objects back in your interface you have to sanity-check<br></blockquote></blockquote></blockquote>
<blockquote type="cite"><blockquote type="cite"><blockquote type="cite">them anyhow. You do not, however, need to worry about the fields having<br></blockquote></blockquote></blockquote>
<blockquote type="cite"><blockquote type="cite"><blockquote type="cite">been changed by the safe code.<br></blockquote></blockquote></blockquote>
<blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote>
<blockquote type="cite"><blockquote type="cite"><blockquote type="cite">If you need some more subtle properties than that you probably ought<br></blockquote></blockquote></blockquote>
<blockquote type="cite"><blockquote type="cite"><blockquote type="cite">to be writing UNSAFE code in the first place. Or is there some trickery<br></blockquote></blockquote></blockquote>
<blockquote type="cite"><blockquote type="cite"><blockquote type="cite">you can do along the lines of what we came up with for small integers<br></blockquote></blockquote></blockquote>
<blockquote type="cite"><blockquote type="cite"><blockquote type="cite">in pointers?<br></blockquote></blockquote></blockquote>
<blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote>
<blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Mika<br></blockquote></blockquote></blockquote>
<blockquote type="cite"><br></blockquote>
<blockquote type="cite"><br></blockquote>
<blockquote 
type="cite"><html><body style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; =<br></blockquote><blockquote type="cite">-webkit-line-break: after-white-space; "><div =<br></blockquote><blockquote type="cite">apple-content-edited=3D"true"><span class=3D"Apple-style-span" =<br></blockquote><blockquote type="cite">style=3D"border-collapse: separate; color: rgb(0, 0, 0); font-family: =<br></blockquote><blockquote type="cite">Helvetica; font-size: 12px; font-style: normal; font-variant: normal; =<br></blockquote><blockquote type="cite">font-weight: normal; letter-spacing: normal; line-height: normal; =<br></blockquote><blockquote type="cite">orphans: 2; text-align: auto; text-indent: 0px; text-transform: none; =<br></blockquote><blockquote type="cite">white-space: normal; widows: 2; word-spacing: 0px; =<br></blockquote><blockquote type="cite">-webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: =<br></blockquote><blockquote type="cite">0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: =<br></blockquote><blockquote type="cite">auto; -webkit-text-stroke-width: 0; "><div style=3D"word-wrap: =<br></blockquote><blockquote type="cite">break-word; -webkit-nbsp-mode: space; -webkit-line-break: =<br></blockquote><blockquote type="cite">after-white-space; "><span class=3D"Apple-style-span" =<br></blockquote><blockquote type="cite">style=3D"border-collapse: separate; -webkit-border-horizontal-spacing: =<br></blockquote><blockquote type="cite">0px; -webkit-border-vertical-spacing: 0px; color: rgb(0, 0, 0); =<br></blockquote><blockquote type="cite">font-family: Helvetica; font-size: 12px; font-style: normal; =<br></blockquote><blockquote type="cite">font-variant: normal; font-weight: normal; letter-spacing: normal; =<br></blockquote><blockquote type="cite">line-height: normal; -webkit-text-decorations-in-effect: none; =<br></blockquote><blockquote type="cite">text-indent: 0px; -webkit-text-size-adjust: auto; text-transform: none; 
=<br></blockquote><blockquote type="cite">orphans: 2; white-space: normal; widows: 2; word-spacing: 0px; "><div =<br></blockquote><blockquote type="cite">style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; =<br></blockquote><blockquote type="cite">-webkit-line-break: after-white-space; "><span class=3D"Apple-style-span" =<br></blockquote><blockquote type="cite">style=3D"border-collapse: separate; -webkit-border-horizontal-spacing: =<br></blockquote><blockquote type="cite">0px; -webkit-border-vertical-spacing: 0px; color: rgb(0, 0, 0); =<br></blockquote><blockquote type="cite">font-family: Helvetica; font-size: 12px; font-style: normal; =<br></blockquote><blockquote type="cite">font-variant: normal; font-weight: normal; letter-spacing: normal; =<br></blockquote><blockquote type="cite">line-height: normal; -webkit-text-decorations-in-effect: none; =<br></blockquote><blockquote type="cite">text-indent: 0px; -webkit-text-size-adjust: auto; text-transform: none; =<br></blockquote><blockquote type="cite">orphans: 2; white-space: normal; widows: 2; word-spacing: 0px; "><span =<br></blockquote><blockquote type="cite">class=3D"Apple-style-span" style=3D"border-collapse: separate; =<br></blockquote><blockquote type="cite">-webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: =<br></blockquote><blockquote type="cite">0px; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; =<br></blockquote><blockquote type="cite">font-style: normal; font-variant: normal; font-weight: normal; =<br></blockquote><blockquote type="cite">letter-spacing: normal; line-height: normal; =<br></blockquote><blockquote type="cite">-webkit-text-decorations-in-effect: none; text-indent: 0px; =<br></blockquote><blockquote type="cite">-webkit-text-size-adjust: auto; text-transform: none; orphans: 2; =<br></blockquote><blockquote type="cite">white-space: normal; widows: 2; word-spacing: 0px; "><span =<br></blockquote><blockquote type="cite">class=3D"Apple-style-span" 
style=3D"border-collapse: separate; =<br></blockquote><blockquote type="cite">-webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: =<br></blockquote><blockquote type="cite">0px; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; =<br></blockquote><blockquote type="cite">font-style: normal; font-variant: normal; font-weight: normal; =<br></blockquote><blockquote type="cite">letter-spacing: normal; line-height: normal; =<br></blockquote><blockquote type="cite">-webkit-text-decorations-in-effect: none; text-indent: 0px; =<br></blockquote><blockquote type="cite">-webkit-text-size-adjust: auto; text-transform: none; orphans: 2; =<br></blockquote><blockquote type="cite">white-space: normal; widows: 2; word-spacing: 0px; "><span =<br></blockquote><blockquote type="cite">class=3D"Apple-style-span" style=3D"border-collapse: separate; =<br></blockquote><blockquote type="cite">-webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: =<br></blockquote><blockquote type="cite">0px; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; =<br></blockquote><blockquote type="cite">font-style: normal; font-variant: normal; font-weight: normal; =<br></blockquote><blockquote type="cite">letter-spacing: normal; line-height: normal; =<br></blockquote><blockquote type="cite">-webkit-text-decorations-in-effect: none; text-indent: 0px; =<br></blockquote><blockquote type="cite">-webkit-text-size-adjust: auto; text-transform: none; orphans: 2; =<br></blockquote><blockquote type="cite">white-space: normal; widows: 2; word-spacing: 0px; "><span =<br></blockquote><blockquote type="cite">class=3D"Apple-style-span" style=3D"border-collapse: separate; =<br></blockquote><blockquote type="cite">-webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: =<br></blockquote><blockquote type="cite">0px; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; =<br></blockquote><blockquote type="cite">font-style: normal; font-variant: 
normal; font-weight: normal; =<br></blockquote><blockquote type="cite">letter-spacing: normal; line-height: normal; =<br></blockquote><blockquote type="cite">-webkit-text-decorations-in-effect: none; text-indent: 0px; =<br></blockquote><blockquote type="cite">-webkit-text-size-adjust: auto; text-transform: none; orphans: 2; =<br></blockquote><blockquote type="cite">white-space: normal; widows: 2; word-spacing: 0px; "><span =<br></blockquote><blockquote type="cite">class=3D"Apple-style-span" style=3D"border-collapse: separate; =<br></blockquote><blockquote type="cite">-webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: =<br></blockquote><blockquote type="cite">0px; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; =<br></blockquote><blockquote type="cite">font-style: normal; font-variant: normal; font-weight: normal; =<br></blockquote><blockquote type="cite">letter-spacing: normal; line-height: normal; =<br></blockquote><blockquote type="cite">-webkit-text-decorations-in-effect: none; text-indent: 0px; =<br></blockquote><blockquote type="cite">-webkit-text-size-adjust: auto; text-transform: none; orphans: 2; =<br></blockquote><blockquote type="cite">white-space: normal; widows: 2; word-spacing: 0px; "><span =<br></blockquote><blockquote type="cite">class=3D"Apple-style-span" style=3D"border-collapse: separate; =<br></blockquote><blockquote type="cite">-webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: =<br></blockquote><blockquote type="cite">0px; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; =<br></blockquote><blockquote type="cite">font-style: normal; font-variant: normal; font-weight: normal; =<br></blockquote><blockquote type="cite">letter-spacing: normal; line-height: normal; =<br></blockquote><blockquote type="cite">-webkit-text-decorations-in-effect: none; text-indent: 0px; =<br></blockquote><blockquote type="cite">-webkit-text-size-adjust: auto; text-transform: none; orphans: 2; 
=<br></blockquote><blockquote type="cite">white-space: normal; widows: 2; word-spacing: 0px; "><span =<br></blockquote><blockquote type="cite">class=3D"Apple-style-span" style=3D"border-collapse: separate; =<br></blockquote><blockquote type="cite">-webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: =<br></blockquote><blockquote type="cite">0px; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; =<br></blockquote><blockquote type="cite">font-style: normal; font-variant: normal; font-weight: normal; =<br></blockquote><blockquote type="cite">letter-spacing: normal; line-height: normal; =<br></blockquote><blockquote type="cite">-webkit-text-decorations-in-effect: none; text-indent: 0px; =<br></blockquote><blockquote type="cite">-webkit-text-size-adjust: auto; text-transform: none; orphans: 2; =<br></blockquote><blockquote type="cite">white-space: normal; widows: 2; word-spacing: 0px; "><div><span =<br></blockquote><blockquote type="cite">class=3D"Apple-style-span" style=3D"font-size: medium;"><font =<br></blockquote><blockquote type="cite">class=3D"Apple-style-span" color=3D"#0000FF" face=3D"'Gill Sans'">Safe =<br></blockquote><blockquote type="cite">code can't do anything with a value of type ADDRESS except pass it =<br></blockquote><blockquote type="cite">around. 
It must use unsafe operations (NARROW) to turn it into =<br></blockquote><blockquote type="cite">something usable.</font></span></div><div><font class=3D"Apple-style-span"=<br></blockquote><blockquote type="cite">color=3D"#0000FF" face=3D"'Gill Sans'"><span class=3D"Apple-style-span" =<br></blockquote><blockquote type="cite">style=3D"font-size: medium;"><br></span></font></div><div><font =<br></blockquote><blockquote type="cite">class=3D"Apple-style-span" color=3D"#0000FF" face=3D"'Gill Sans'"><span =<br></blockquote><blockquote type="cite">class=3D"Apple-style-span" style=3D"font-size: medium;">I think you =<br></blockquote><blockquote type="cite">misunderstood ThreadF in the first place. It has always been =<br></blockquote><blockquote type="cite">logically unsafe, if not UNSAFE. I don't want ThreadF ever to come =<br></blockquote><blockquote type="cite">to be something that people outside the runtime system rely on. =<br></blockquote><blockquote type="cite"> The Id type and MyId function is simply a convenience, but not and =<br></blockquote><blockquote type="cite">never has been part of the standard =<br></blockquote><blockquote type="cite">interfaces.</span></font></div><div><font class=3D"Apple-style-span" =<br></blockquote><blockquote type="cite">color=3D"#0000FF" face=3D"'Gill Sans'"><span class=3D"Apple-style-span" =<br></blockquote><blockquote type="cite">style=3D"font-size: medium;"><br></span></font></div><div><font =<br></blockquote><blockquote type="cite">class=3D"Apple-style-span" color=3D"#0000FF" face=3D"'Gill Sans'"><span =<br></blockquote><blockquote type="cite">class=3D"Apple-style-span" style=3D"font-size: medium;">Can we please =<br></blockquote><blockquote type="cite">just revert back to the way it has always =<br></blockquote><blockquote type="cite">been?</span></font></div></span></span></span></span></span></span></span>=<br></blockquote><blockquote type="cite"></span></div></span></div></span> </div><br><div><div>On 13 Sep 2009, at 
=<br></blockquote><blockquote type="cite">09:51, Jay K wrote:</div><br =<br></blockquote><blockquote type="cite">class=3D"Apple-interchange-newline"><blockquote type=3D"cite"><span =<br></blockquote><blockquote type="cite">class=3D"Apple-style-span" style=3D"border-collapse: separate; color: =<br></blockquote><blockquote type="cite">rgb(0, 0, 0); font-family: Helvetica; font-size: medium; font-style: =<br></blockquote><blockquote type="cite">normal; font-variant: normal; font-weight: normal; letter-spacing: =<br></blockquote><blockquote type="cite">normal; line-height: normal; orphans: 2; text-align: auto; text-indent: =<br></blockquote><blockquote type="cite">0px; text-transform: none; white-space: normal; widows: 2; word-spacing: =<br></blockquote><blockquote type="cite">0px; -webkit-border-horizontal-spacing: 0px; =<br></blockquote><blockquote type="cite">-webkit-border-vertical-spacing: 0px; =<br></blockquote><blockquote type="cite">-webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: =<br></blockquote><blockquote type="cite">auto; -webkit-text-stroke-width: 0px; "><div class=3D"hmmessage" =<br></blockquote><blockquote type="cite">style=3D"font-size: 10pt; font-family: Verdana; ">The functions are =<br></blockquote><blockquote type="cite">meant to be unsafe either way.<br>ThreadF.i3 clearly had a safety hole =<br></blockquote><blockquote type="cite">before, but not due to the functions "in question".<br><br>Good point =<br></blockquote><blockquote type="cite">about passing in ADDRESSes..but I'm not entirely sure I =<br></blockquote><blockquote type="cite">understand/agree.<br>Can safe code ("directly") generate any ADDRESSes =<br></blockquote><blockquote type="cite">at all? Or only get them from<br>unsafe code in the first =<br></blockquote><blockquote type="cite">place?<br>ADDRESS only comes from ADR, right? And ADR isn't allowed in =<br></blockquote><blockquote type="cite">safe? 
I'll check.<br><br>IF safe code CAN generate ADDRESSes, then this =<br></blockquote><blockquote type="cite">was a hole:<br>PROCEDURE SetCurrentHandlers(h: ADDRESS);<br><br>and =<br></blockquote><blockquote type="cite">perhaps these:<br>PROCEDURE SuspendOthers ();<br>(* Suspend all threads =<br></blockquote><blockquote type="cite">except the caller's *)<br><br>PROCEDURE ResumeOthers ();<br><br>Though =<br></blockquote><blockquote type="cite">probably not the second, since safe code can trivially hang/deadlock on =<br></blockquote><blockquote type="cite">its own.<br><br>The public safe ThreadF.i3 now =<br></blockquote><blockquote type="cite">just:<br><br>(*-------------------------------------------------- =<br></blockquote><blockquote type="cite">showthreads support ---*)<br><br>TYPE<br> State =3D =<br></blockquote><blockquote type="cite">{<br> alive =<br></blockquote><blockquote type="cite">(* can run *),<br> =<br></blockquote><blockquote type="cite">waiting (* waiting for a condition via Wait =<br></blockquote><blockquote type="cite">*),<br> locking (* =<br></blockquote><blockquote type="cite">waiting for a mutex to be unlocked =<br></blockquote><blockquote type="cite">*),<br> pausing (* =<br></blockquote><blockquote type="cite">waiting until some time is arrived =<br></blockquote><blockquote type="cite">*),<br> blocking (* waiting =<br></blockquote><blockquote type="cite">for some IO *),<br> =<br></blockquote><blockquote type="cite">dying (* done, but not yet joined =<br></blockquote><blockquote type="cite">*),<br> =<br></blockquote><blockquote type="cite">dead (* done and joined *)<br> =<br></blockquote><blockquote type="cite">};<br><br>(*--------------------------------------------------------------=<br></blockquote><blockquote type="cite">identity ---*)<br><br>TYPE<br> Id =3D INTEGER;<br><br>PROCEDURE =<br></blockquote><blockquote type="cite">MyId(): Id RAISES {};<br>(* return Id of caller *)<br><br><br>Everything =<br></blockquote><blockquote type="cite">else 
I moved to the non-public ThreadInternal.i3.<br><br><br>> But in =<br></blockquote><blockquote type="cite">Modula-3 whether an interface is unsafe or not *is* a =<br></blockquote><blockquote type="cite">boolean.<br><br>Understood, but I still think even in unsafe code, =<br></blockquote><blockquote type="cite">LOOPHOLE should be minimized.<br>C and C++ programmers are often taught =<br></blockquote><blockquote type="cite">to minimize casts, esp. reinterpret_cast.<br>I think that guidance =<br></blockquote><blockquote type="cite">carries over to Modula's LOOPHOLE, even if you are already unsafe<br>for =<br></blockquote><blockquote type="cite">other reasons.<br><br> - Jay<br><br><br>> To:<span =<br></blockquote><blockquote type="cite">class=3D"Apple-converted-space"> </span><a =<br></blockquote><blockquote type="cite">href=3D"<a href="mailto:jay.krell@cornell.edu">mailto:jay.krell@cornell.edu</a>"><a href="mailto:jay.krell@cornell.edu">jay.krell@cornell.edu</a></a><br>> =<br></blockquote><blockquote type="cite">CC:<span class=3D"Apple-converted-space"> </span><a =<br></blockquote><blockquote type="cite">href=3D"<a href="mailto:m3devel@elegosoft.com">mailto:m3devel@elegosoft.com</a>"><a href="mailto:m3devel@elegosoft.com">m3devel@elegosoft.com</a></a><br>> =<br></blockquote><blockquote type="cite">Subject: Re: [M3devel] RC merge<span =<br></blockquote><blockquote type="cite">class=3D"Apple-converted-space"> </span><br>> Date: Sun, 13 Sep =<br></blockquote><blockquote type="cite">2009 02:44:50 -0700<br>> From:<span =<br></blockquote><blockquote type="cite">class=3D"Apple-converted-space"> </span><a =<br></blockquote><blockquote type="cite">href=3D"<a href="mailto:mika@async.async.caltech.edu">mailto:mika@async.async.caltech.edu</a>"><a href="mailto:mika@async.async.caltech.edu">mika@async.async.caltech.edu</a><=<br></blockquote><blockquote type="cite">/a><br>><span class=3D"Apple-converted-space"> </span><br>> =<br></blockquote><blockquote type="cite">Jay K 
writes:<br>> ...<br>> ><br>> >Imagine you are a =<br></blockquote><blockquote type="cite">somewhat prolific fairly happy C or C++ programmer. The w=3D<br>> =<br></blockquote><blockquote type="cite">>hole world is unsafe=3D2C but recieves a fair amount of static =<br></blockquote><blockquote type="cite">checking and i=3D<br>> >s therefore largely correct and perhaps =<br></blockquote><blockquote type="cite">doesn't even suffer much from the l=3D<br>> >ack of =<br></blockquote><blockquote type="cite">safety.<br>> ><br>> >=3D20<br>> ><br>> > void* =<br></blockquote><blockquote type="cite">GetFoo(void)=3D3B=3D20<br>> ><br>> > void* =<br></blockquote><blockquote type="cite">GetBar(void)=3D3B=3D20<br>> ><br>> >=3D20<br>> =<br></blockquote><blockquote type="cite">><br>> >or<br>> ><br>> >=3D20<br>> ><br>> =<br></blockquote><blockquote type="cite">> Foo_t* GetFoo(void)=3D3B=3D20<br>> ><br>> > Bar_t* =<br></blockquote><blockquote type="cite">GetBar(void)=3D3B=3D20<br>> ><br>> >=3D20<br>> =<br></blockquote><blockquote type="cite">><br>> >?<br>> ><br>> >=3D20<br>> ><br>> =<br></blockquote><blockquote type="cite">>Definitely the second.<br>> ><br>> >=3D20<br>> =<br></blockquote><blockquote type="cite">><br>> >Perhaps perhaps perhaps perhaps a function should be =<br></blockquote><blockquote type="cite">able to be declared to=3D<br>> > return an UNTRACED REF =<br></blockquote><blockquote type="cite">Foo.Something=3D2C without actually importing Foo or =3D<br>> =<br></blockquote><blockquote type="cite">>defining Something?<br>> ><br>> >=3D20<br>> =<br></blockquote><blockquote type="cite">><br>> >Clearly the safety of an /interface/ is more subtle =<br></blockquote><blockquote type="cite">than a boolean.<br>> ><br>> >Some functions may be safe and =<br></blockquote><blockquote type="cite">others unsafe.<br>> ><br>> >Even some uses of =<br></blockquote><blockquote type="cite">functions.<br>> ><br>> >Imagine for example:<br>> =<br></blockquote><blockquote type="cite">><br>> 
>=3D20<br>> ><br>> >PROCEDURE GetFoo(): =<br></blockquote><blockquote type="cite">UNTRACED REF Foo.Something=3D3B<br>> ><br>> >=3D20<br>> =<br></blockquote><blockquote type="cite">><br>> >Perhas a safe function could call this function=3D2C as =<br></blockquote><blockquote type="cite">long as it only compa=3D<br>> >res the return value to =<br></blockquote><blockquote type="cite">NIL?<br>> ><br>> >Actually storing it in a variable would =<br></blockquote><blockquote type="cite">require IMPORT Foo=3D2C and if FOO is=3D<br>> > declared UNSAFE=3D2C=<br></blockquote><blockquote type="cite">then that would<br>> ><br>> >pollute the caller. Or maybe =<br></blockquote><blockquote type="cite">merely declaring a variable of UNTRACED is eno=3D<br>> >ugh to =<br></blockquote><blockquote type="cite">wreck safety?<br>><span =<br></blockquote><blockquote type="cite">class=3D"Apple-converted-space"> </span><br>> But in Modula-3 =<br></blockquote><blockquote type="cite">whether an interface is unsafe or not *is* a boolean.<br>> It's very =<br></blockquote><blockquote type="cite">clearly defined what it means in the Green Book.<br>><span =<br></blockquote><blockquote type="cite">class=3D"Apple-converted-space"> </span><br>> If you don't =<br></blockquote><blockquote type="cite">declare your GetFoo as UNSAFE you can write<br>><span =<br></blockquote><blockquote type="cite">class=3D"Apple-converted-space"> </span><br>> VAR x :=3D GetFoo; =<br></blockquote><blockquote type="cite">BEGIN (* manipulate fields of x *) END<br>><span =<br></blockquote><blockquote type="cite">class=3D"Apple-converted-space"> </span><br>> in safe =<br></blockquote><blockquote type="cite">code.<br>><span class=3D"Apple-converted-space"> </span><br>> =<br></blockquote><blockquote type="cite">Declaring GetFoo to return ADDRESS won't let you do that. 
Hence,<br>> =<br></blockquote><blockquote type="cite">it's safer, if there's a safety problem with manipulating the =<br></blockquote><blockquote type="cite">fields.<br>><span class=3D"Apple-converted-space"> </span><br>>=<br></blockquote><blockquote type="cite">An interface can hardly assume that it is the only one injecting =<br></blockquote><blockquote type="cite">objects<br>> of type ADDRESS into the "safe world" so if you're =<br></blockquote><blockquote type="cite">allowing the safe world<br>> to pass these objects back in your =<br></blockquote><blockquote type="cite">interface you have to sanity-check<br>> them anyhow. You do not, =<br></blockquote><blockquote type="cite">however, need to worry about the fields having<br>> been changed by =<br></blockquote><blockquote type="cite">the safe code.<br>><span =<br></blockquote><blockquote type="cite">class=3D"Apple-converted-space"> </span><br>> If you need some =<br></blockquote><blockquote type="cite">more subtle properties than that you probably ought<br>> to be =<br></blockquote><blockquote type="cite">writing UNSAFE code in the first place. Or is there some =<br></blockquote><blockquote type="cite">trickery<br>> you can do along the lines of what we came up with for =<br></blockquote><blockquote type="cite">small integers<br>> in pointers?<br>><span =<br></blockquote><blockquote type="cite">class=3D"Apple-converted-space"> </span><br>> =<br></blockquote><blockquote type="cite">Mika<br></div></span></blockquote></div><br></body></html>=<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">--Apple-Mail-18--321278784--<br></blockquote></div></blockquote></div><br></body></html>