[M3devel] RC merge

Tony Hosking hosking at cs.purdue.edu
Mon Sep 14 00:07:05 CEST 2009


It will stay in ThreadF.

On 13 Sep 2009, at 16:30, Mika Nystrom wrote:

>
> ThreadF.MyId is something I have used in otherwise perfectly safe code,
> hope it doesn't go away!  It's very nice to be able to distinguish
> threads from each other without extra effort from the programmer.  Is
> this something that is sometimes hard to provide?
>
>    Mika
>
>
> Tony Hosking writes:
>>
>>
>> Safe code can't do anything with a value of type ADDRESS except pass
>> it around.  It must use unsafe operations (NARROW) to turn it into
>> something usable.
>>
>> I think you misunderstood ThreadF in the first place.  It has always
>> been logically unsafe, if not UNSAFE.  I don't want ThreadF ever to
>> come to be something that people outside the runtime system rely on.
>> The Id type and MyId function is simply a convenience, but not and
>> never has been part of the standard interfaces.
>>
>> Can we please just revert back to the way it has always been?
>>
>> On 13 Sep 2009, at 09:51, Jay K wrote:
>>
>>> The functions are meant to be unsafe either way.
>>> ThreadF.i3 clearly had a safety hole before, but not due to the
>>> functions "in question".
>>>
>>> Good point about passing in ADDRESSes..but I'm not entirely sure I
>>> understand/agree.
>>> Can safe code ("directly") generate any ADDRESSes at all? Or only
>>> get them from unsafe code in the first place?
>>> ADDRESS only comes from ADR, right? And ADR isn't allowed in safe?
>>> I'll check.
>>>
>>> IF safe code CAN generate ADDRESSes, then this was a hole:
>>> PROCEDURE SetCurrentHandlers(h: ADDRESS);
>>>
>>> and perhaps these:
>>> PROCEDURE SuspendOthers ();
>>> (* Suspend all threads except the caller's *)
>>>
>>> PROCEDURE ResumeOthers ();
>>>
>>> Though probably not the second, since safe code can trivially hang/
>>> deadlock on its own.
>>>
>>> The public safe ThreadF.i3 now just:
>>>
>>> (*-------------------------------------------------- showthreads
>>> support ---*)
>>>
>>> TYPE
>>>  State = {
>>>        alive    (* can run *),
>>>        waiting  (* waiting for a condition via Wait *),
>>>        locking  (* waiting for a mutex to be unlocked *),
>>>        pausing  (* waiting until some time is arrived *),
>>>        blocking (* waiting for some IO *),
>>>        dying    (* done, but not yet joined *),
>>>        dead     (* done and joined *)
>>>    };
>>>
>>> (*--------------------------------------------------------------
>>> identity ---*)
>>>
>>> TYPE
>>>  Id = INTEGER;
>>>
>>> PROCEDURE MyId(): Id RAISES {};
>>> (* return Id of caller *)
>>>
>>>
>>> Everything else I moved to the non-public ThreadInternal.i3.
>>>
>>>
>>>> But in Modula-3 whether an interface is unsafe or not *is* a
>>>> boolean.
>>>
>>> Understood, but I still think even in unsafe code, LOOPHOLE should
>>> be minimized.
>>> C and C++ programmers are often taught to minimize casts, esp.
>>> reinterpret_cast.
>>> I think that guidance carries over to Modula's LOOPHOLE, even if you
>>> are already unsafe
>>> for other reasons.
>>>
>>> - Jay
>>>
>>>
>>>> To: jay.krell at cornell.edu
>>>> CC: m3devel at elegosoft.com
>>>> Subject: Re: [M3devel] RC merge
>>>> Date: Sun, 13 Sep 2009 02:44:50 -0700
>>>> From: mika at async.async.caltech.edu
>>>>
>>>> Jay K writes:
>>>> ...
>>>>>
>>>>> Imagine you are a somewhat prolific fairly happy C or C++
>>>>> programmer. The whole world is unsafe, but receives a fair amount
>>>>> of static checking and is therefore largely correct and perhaps
>>>>> doesn't even suffer much from the lack of safety.
>>>>>
>>>>> void* GetFoo(void);
>>>>>
>>>>> void* GetBar(void);
>>>>>
>>>>> or
>>>>>
>>>>> Foo_t* GetFoo(void);
>>>>>
>>>>> Bar_t* GetBar(void);
>>>>>
>>>>> ?
>>>>>
>>>>> Definitely the second.
>>>>>
>>>>> Perhaps perhaps perhaps perhaps a function should be able to be
>>>>> declared to return an UNTRACED REF Foo.Something, without actually
>>>>> importing Foo or defining Something?
>>>>>
>>>>> Clearly the safety of an /interface/ is more subtle than a
>>>>> boolean.
>>>>>
>>>>> Some functions may be safe and others unsafe.
>>>>>
>>>>> Even some uses of functions.
>>>>>
>>>>> Imagine for example:
>>>>>
>>>>> PROCEDURE GetFoo(): UNTRACED REF Foo.Something;
>>>>>
>>>>> Perhaps a safe function could call this function, as long as it
>>>>> only compares the return value to NIL?
>>>>>
>>>>> Actually storing it in a variable would require IMPORT Foo, and
>>>>> if FOO is declared UNSAFE, then that would
>>>>>
>>>>> pollute the caller. Or maybe merely declaring a variable of
>>>>> UNTRACED is enough to wreck safety?
>>>>
>>>> But in Modula-3 whether an interface is unsafe or not *is* a
>>>> boolean.
>>>> It's very clearly defined what it means in the Green Book.
>>>>
>>>> If you don't declare your GetFoo as UNSAFE you can write
>>>>
>>>> VAR x := GetFoo; BEGIN (* manipulate fields of x *) END
>>>>
>>>> in safe code.
>>>>
>>>> Declaring GetFoo to return ADDRESS won't let you do that. Hence,
>>>> it's safer, if there's a safety problem with manipulating the
>>>> fields.
>>>>
>>>> An interface can hardly assume that it is the only one injecting
>>>> objects of type ADDRESS into the "safe world" so if you're allowing
>>>> the safe world to pass these objects back in your interface you have
>>>> to sanity-check them anyhow. You do not, however, need to worry
>>>> about the fields having been changed by the safe code.
>>>>
>>>> If you need some more subtle properties than that you probably
>>>> ought to be writing UNSAFE code in the first place. Or is there some
>>>> trickery you can do along the lines of what we came up with for
>>>> small integers in pointers?
>>>>
>>>> Mika

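As an added illustration of the point Mika makes about ADDRESS-valued interfaces (example code written for this page, not code from the thread or from the CM3 runtime): a hypothetical `Registry` interface hands safe clients an opaque `Token = ADDRESS`; the safe side can only store, compare and pass it back, and the UNSAFE implementation treats every returned token as untrusted and checks it against its own records before any LOOPHOLE. The names `Registry`, `Token`, `Entry`, `Register`, `IdOf` and `Unregister` are all assumptions.

```modula-3
(* Registry.i3 -- hypothetical safe interface, not from the CM3 runtime. *)
INTERFACE Registry;

(* A Token is opaque to safe clients: they can store, copy, compare and
   pass one back, but cannot dereference or convert it without LOOPHOLE,
   which a safe module is not allowed to use. *)
TYPE Token = ADDRESS;

PROCEDURE Register(id: INTEGER): Token;
PROCEDURE IdOf(t: Token): INTEGER;   (* -1 if t is not a live token *)
PROCEDURE Unregister(t: Token);      (* no-op if t is not a live token *)

END Registry.

(* Registry.m3 -- the UNSAFE side, which owes every caller a sanity check. *)
UNSAFE MODULE Registry;

TYPE
  Entry = UNTRACED REF RECORD
    id  : INTEGER;
    next: Entry;
  END;

VAR live: Entry := NIL;   (* every entry handed out and not yet freed *)

PROCEDURE Find(t: Token): Entry =
  (* A safe caller can hand back ANY ADDRESS, so membership in our own
     list is the only trustworthy check; never touch t^ before this. *)
  VAR e := live;
  BEGIN
    WHILE e # NIL DO
      IF LOOPHOLE(e, Token) = t THEN RETURN e END;
      e := e.next;
    END;
    RETURN NIL;
  END Find;

PROCEDURE Register(id: INTEGER): Token =
  VAR e := NEW(Entry, id := id, next := live);
  BEGIN
    live := e;
    RETURN LOOPHOLE(e, Token);   (* the one place a REF becomes an ADDRESS *)
  END Register;

PROCEDURE IdOf(t: Token): INTEGER =
  VAR e := Find(t);
  BEGIN
    IF e = NIL THEN RETURN -1 END;
    RETURN e.id;   (* safe code had no way to alter this field *)
  END IdOf;

PROCEDURE Unregister(t: Token) =
  VAR prev: Entry := NIL; e := live;
  BEGIN
    WHILE e # NIL AND LOOPHOLE(e, Token) # t DO prev := e; e := e.next END;
    IF e = NIL THEN RETURN END;
    IF prev = NIL THEN live := e.next ELSE prev.next := e.next END;
    DISPOSE(e);   (* unsafe; reachable only once t has been validated *)
  END Unregister;

BEGIN
END Registry.
```

A client module without the UNSAFE keyword can IMPORT Registry and pass Tokens around freely, but any attempt to LOOPHOLE a Token in that module is rejected by the compiler, which is exactly the property the thread is arguing about.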