How to best fix this old Random API bug?

Jens · March 13, 2020, 10:30pm

Hi!

Almost two years ago I started a thread about a design issue in the Random API. A couple of fixes were discussed: One wasn't really solving the problem, one was AFAICS forgotten and one was pitched as a fix but turned out to be source breaking and not motivated.

Although the old thread and related links contain all the background, I will try to give a complete description of the situation here.

This program

struct MyGenerator : RandomNumberGenerator {}
var generator = MyGenerator()
print(Int.random(in: 1 ... 6, using: &generator))

will (somewhat unexpectedly) compile fine, but it will crash at runtime (debug build) or execute forever at 100% CPU (release build).

This is because the Random API defines a default implementation of its only requirement, and this default implementation ends up calling that same requirement.

RandomNumberGenerator is a very simple protocol:

public protocol RandomNumberGenerator {
  /// Returns a value from a uniform, independent distribution of binary data.
  mutating func next() -> UInt64
}

And as far as I can see, this requirement was never meant to have a default implementation (why should it?). It seems to have ended up being there by accident, and is now a cause of (at least mild) confusion/inconvenience, that is: Anyone who writes a custom pseudorandom number generator in Swift will be slightly surprised and/or annoyed that the usual compile time error and "Do you want to add protocol stubs?" won't be there, and then they might wonder why the API has been designed this way, etc.

The following (self contained) program demonstrates the issue in a reduced form and makes it easy for anyone to quickly try out the solutions below.

// Corresponding stdlib code here: https://github.com/apple/swift/blob/master/stdlib/public/core/Random.swift
protocol Rng {
    mutating func next() -> UInt64
}
extension Rng {
    public mutating func next<T>() -> T
        where T : FixedWidthInteger & UnsignedInteger
    {
        return T._random(using: &self)
    }
}

// Corresponding stdlib code here: https://github.com/apple/swift/blob/d0af9eee9611046bc70094f6af437a4a0f733ecd/stdlib/public/core/Integers.swift#L3359
extension FixedWidthInteger {
    static func _random<R: Rng>(using generator: inout R) -> Self {
        if bitWidth <= UInt64.bitWidth {
            return Self(truncatingIfNeeded: generator.next())
        }
        fatalError("support for type \(self) has been cut out from this demo")
    }
}

// We'd like to implement a simple pseudo random number generator:
struct SplitMix64 : Rng {
    // But here, we notice that the type unexpectedly just conforms,
    // ie no error and no "add protocol stubs", just unexpected acceptance.
}

Solution / workaround 1:

I'd say no, because this wouldn't solve the design error, and as already mentioned above:

which means that the next fix is:

Solution 2:

This, IMHO, is both the simplest and best solution that has been proposed.

Solution 3

Trying to use the new RandomNumberGenerator protocol

We could also add a dummy parameter to next<T>() with a default value:
mutating func next<T>(of type: T.Type = T.self) -> T where T: FixedWidthInteger & UnsignedInteger
This currently prevents the compiler from matching it to the requirement, while code such as r.next() as UInt will continue to work as originally intended. (Although I'm not sure if that's a bug...)

This seems to work, or does work, in current Swift, but it is an open bug that makes it work:

Solution 4:

But:

The core team discussed this and while the motivation is sound, this would be a source-breaking change so not sufficiently motivated. The issue with accidental infinite recursion occurs in other APIs and can't be fixed so easily in those cases, so ideally we'd find a way of enhancing the language to help users avoid this situation in a more general way.

Question:

Is there any reason why solution 2 won't work?

Alejandro · March 13, 2020, 10:34pm

Unfortunately renaming a protocol requirement breaks ABI

Jens · March 13, 2020, 10:36pm

I was afraid that was the case : /

Joe_Groff · March 13, 2020, 10:38pm

We don't have the feature yet, but it would be reasonable to have an attribute to allow a declaration to have a different ABI name from its source level name.

Alejandro · March 13, 2020, 10:38pm

Although, perhaps I could suggest another solution that (could?) potentially work. We could rename the generic version (will cause source breakage), but add a new attribute that mangles the function to its old ABI name. Looks like @Joe_Groff beat me to it. Edit: perhaps with this new attribute we could instead just rename the requirement.

xwu · March 13, 2020, 10:44pm

I agree with the core team's appraisal here that you quoted above. There are a variety of situations where naturally we would have a non-generic requirement and a generic API with a default implementation based on that requirement, where the more logical name for both would be the same.

It would be nice if, even as a private underscored attribute for now, we could mark such situations so that the compiler could diagnose it (to throw out a name for ease of reference: @_requiresConcreteImplementation). I would think it suboptimal to have to rename one or the other API just because the compiler doesn't do the right thing currently, since that is a surmountable problem. I think it'd be even more suboptimal to have source-breaking changes for that reason (or, for that matter, to invent a new attribute to allow ABI-compatible source-breaking renamings when the alternative is to invent a new attribute not to have to rename things at all).

In the meantime, we could improve the documentation to call out this potential pitfall; there is already a section titled "Conforming to the RandomNumberGenerator Protocol," and that should absolutely tell users what they need to do. It isn't enough but it's an imminently doable first step that hasn't been done yet.

xwu · March 14, 2020, 5:07pm

github.com/apple/swift

Add '@_requiresConcreteImplementation' and use it

apple:main ← xwu:requires-concrete-impl

opened 04:42PM - 14 Mar 20 UTC

xwu

+125 -6

This PR adds a new attribute, `@_requiresConcreteImplementation`, and adopts it …for the one protocol requirement in `RandomNumberGenerator`. ### Motivation The motivation for adding this facility is a scenario as follows— * Protocol `P` has a requirement `func frobnicate(_: Int)`. * Protocol `P` can offer a protocol extension method `func frobnicate<T>(_: T)` which is implemented by calling `frobnicate(_: Int)`. Currently, the type checker regards the protocol extension method as a valid witness for the protocol requirement, causing a recursive default implementation. Users implementing `P` are misled, thinking that they have implemented all necessary protocol requirements, only to be faced with a runtime error. A concrete example of this problem [exists in the standard library](https://forums.swift.org/t/trying-to-use-the-new-randomnumbergenerator-protocol/12919): `RandomNumberGenerator` has a requirement `next() -> UInt64` which is unwittingly witnessed by a protocol extension method `next<T: FixedWidthInteger & UnsignedInteger>() -> T`. Conforming types that do not supply a concrete implementation of the non-generic method will compile but cause crashes at runtime. It should not be necessary to name two semantically identical methods differently just to work around this problem. As the core team stated in apple/swift-evolution#912: > The issue with accidental infinite recursion occurs in other APIs and can't be fixed so easily in those cases, so ideally we'd find a way of enhancing the language to help users avoid this situation in a more general way. > See also: https://forums.swift.org/t/how-to-best-fix-this-old-random-api-bug/34526 ### Solution The current solution takes inspiration from existing attributes such as `@_nonoverride` and `@_implements`. The new attribute does what it says on the tin. It can be used on any (non-`associatedtype`) protocol requirement so that Sema rejects an implementation in a protocol extension as an acceptable witness. Unfortunately, it appears that we are running out of numbers to serialize attributes. I have had to twiddle with `DeclTypeRecordNodes.def` in order to make room; there's now room for a handful more attributes, but this is clearly not sustainable—nor am I certain about the implications of renumbering all decl type record nodes for attributes in this way. --- There is an additional (aspirational) goal for this solution which is interesting to consider: It is permitted to add a requirement to a resilient protocol, but only if a default implementation is also provided. One may envision scenarios where a default implementation for such a requirement is _possible_ for all conforming types but greatly _suboptimal_. It would be ideal to support scenarios where the default implementation can be made available for all existing clients (i.e., for resiliency purposes), but nonetheless to require all new conformances going forward to provide concrete implementations. The `@_requiresConcreteImplementation` attribute could enable this possibility. I am not nimble enough in the inner workings of the compiler but suspect that the implementation presented here would not be sufficient to enable this use case as-is. It would be necessary to record a default implementation as a valid witness for runtime purposes but invalid at compile time conformance checking. Something like this must already be present in the codebase for availability annotations.