[M3devel] [M3commit] CVS Update: cm3

Tue Jul 6 08:22:50 CEST 2010

Programmers are notorious for making mistakes.

When you write VAR a:INTEGER;
you make the human proofreading your code have to work much harder
to do the data/control flow analysis to make sure you didn't
use the uninitialized value.

Using the a := 0 value might still be "wrong", but is it at least consistent
and the penalty for getting it wrong is generally less severe.

Now, I don't want there to be a bug either way, but I feel that a consistent 0 is much "safer"
than uninitialized. Either is typesafe, sure, but type safe is just the bare minimum expectation
for my code. It must not only be type safe, but act correctly.

Again, compiler isn't generally a program proofer, but the little it can do, let it do.

Here is how I write C code:

void function_with_two_temporary_buffers()
{
  void* p = { 0 };
  void* q = { 0 };

  if (!(p = malloc(...)))
    goto exit;

  if (!(q = malloc(...)))

    goto exit;

...

exit:
   free(p);
   free(q);
}

or
void function_that_returns_two_buffers(void** a, void** b)
{
  void* p = { 0 };
  void* q = { 0 };

  *a = p;
  *b = q;

  if (!(p = malloc(...))
   goto Exit;

  if (!(q = malloc(...))

   goto Exit;

    ....
  *a = p;
   p = 0;
   *b = q;
   q = 0;

Exit: 
  free(p);
  free(q);

}

In reality malloc is generally a function that returns an integer, negative for success.
So it is more like:
#define CHECK(expr) do { if ((status = (expr)) < 0) goto Exit; } while(0)

  CHECK(MemoryAlloc(..., &q));

See, the style is written to be easy for a human to verify the correctness of.
Locals are always initialized. Ownership of resources is always clear.

This is contrast with other styles:

 if (p = malloc(...))
  {
      ...
     if (q = malloc(...))
    {
         ...
        free(q);
    }
   free(p);
}

where one has to follow the ever further indented blob of ifs.
It doesn't scale. Every resource allocation makes the code incrementally harder for a human to read.
Whereas the style that includes initializing all locals has no such incremental cost.

(And this hard to read style is in fact somewhat encouraged by the "with" feature of Modula-3.
C++'s equivalent -- declaring variables anywhere -- doesn't suggest ever increasing indentation.
)

 - Jay

----------------------------------------
> To: jay.krell at cornell.edu
> Date: Mon, 5 Jul 2010 22:58:33 -0700
> From: mika at async.async.caltech.edu
> CC: m3devel at elegosoft.com
> Subject: Re: [M3devel] [M3commit] CVS Update: cm3
>
>
> As I've said before,
>
> When I write:
>
> VAR
> a : INTEGER;
> BEGIN
>
> ...
>
> .... a := .. ...
>
> ...
>
> END
>
> that means I am putting you, the reader, on notice that I have no
> particularly meaningful idea of what a's initial value is.
>
> If I were to write
>
> VAR
> a := 0;
> BEGIN
> ...
> END
>
> I would mislead you into thinking that 0 is a somehow important
> initial value. Which it's not. It's just garbage, and it better
> not show up in the computation!
>
> Programs are mainly meant to be read by humans, not computers.
>
> Mika
>
>
> Jay K writes:
> >--_d2468f3b-9666-4291-98b5-5414421f54d9_
> >Content-Type: text/plain; charset="iso-8859-1"
> >Content-Transfer-Encoding: quoted-printable
> >
> >
> >We are going in circles.