[Review] SE-0176: Enforce Exclusive Access to Memory

Concern: `swap` is quoted a lot for a method that would break under this rule, but as it happens, `swap` with the same value on both sides is (should be) a no-op. Is there a way to not trip the static or dynamic checkers in well-defined cases like that one? Is there any way to check that two inout parameters refer to the same value?

The only reasonable way to do this is statically, and why would you call 'swap' statically with the same l-value for both arguments?

When static analysis can determine that a swap is always a noop, I can’t see any reason not to flag it as an error.

But Félix’s question was also about the runtime case. And he has a good point.

Here’s a compelling example where allowing the noop swap would make sense:

    extension Array {
      mutating func shuffle() {
        for i in indices {
          let j = i + Int(arc4random_uniform(UInt32(count - i)))
          swap(&self[i], &self[j])
        }
      }
    }

Isn’t this issue already solved by the introduction of swapAt ?

···

Le 7 mai 2017 à 03:54, Paul Cantrell via swift-evolution <swift-evolution@swift.org> a écrit :

On May 6, 2017, at 12:36 PM, John McCall via swift-evolution <swift-evolution@swift.org <mailto:swift-evolution@swift.org>> wrote:

On May 6, 2017, at 1:11 PM, Félix Cloutier via swift-evolution <swift-evolution@swift.org <mailto:swift-evolution@swift.org>> wrote:

In this code:

It’s necessary to allow j to sometimes equal i to get a uniform distribution of random permutations.
Static analysis can’t determine that the noop occurs sometimes but not always.
Adding a check for i == j adds a branch condition to a tight loop. More importantly, it’s easy to forget this check since static analysis won’t flag it. It’s just a hidden land mine, which seems contrary to Swift’s “safety first” aesthetic.

Putting all that together, it would probably be more Swift-like to have swap() be safe, and if necessary add an unsafeSwap() func that fails on the noop case and thus avoids the cost of the check in optimized code.

Note that the code above fails even under Swift 3, which explicitly disallows swapping with a runtime check (“fatal error: swapping a location with itself is not supported”). So nothing here to undermine the SE-0176; the proposal isn’t introducing a problem that doesn’t already exist.

Cheers, P

John.

Le 2 mai 2017 à 13:07, Ben Cohen via swift-evolution <swift-evolution@swift.org <mailto:swift-evolution@swift.org>> a écrit :

Hello Swift community,

The review of SE-0176: "Enforce Exclusive Access to Memory" begins now and runs through May 8, 2017.

The proposal is available here:

https://github.com/apple/swift-evolution/blob/master/proposals/0176-enforce-exclusive-access-to-memory.md
Reviews are an important part of the Swift evolution process. All reviews should be sent to the swift-evolution mailing list at:

https://lists.swift.org/mailman/listinfo/swift-evolution
or, if you would like to keep your feedback private, directly to the review manager.

When replying, please try to keep the proposal link at the top of the message:

Proposal link:

https://github.com/apple/swift-evolution/blob/master/proposals/0176-enforce-exclusive-access-to-memory.md
Reply text

Other replies

<GitHub - apple/swift-evolution: This maintains proposals for changes and user-visible enhancements to the Swift Programming Language.;
What goes into a review?

The goal of the review process is to improve the proposal under review through constructive criticism and, eventually, determine the direction of Swift. When writing your review, here are some questions you might want to answer in your review:

What is your evaluation of the proposal?
Is the problem being addressed significant enough to warrant a change to Swift?
Does this proposal fit well with the feel and direction of Swift?
If you have used other languages or libraries with a similar feature, how do you feel that this proposal compares to those?
How much effort did you put into your review? A glance, a quick reading, or an in-depth study?
More information about the Swift evolution process is available at:

https://github.com/apple/swift-evolution/blob/master/process.md

Thanks,
Ben Cohen
Review Manager

_______________________________________________
swift-evolution mailing list
swift-evolution@swift.org <mailto:swift-evolution@swift.org>
https://lists.swift.org/mailman/listinfo/swift-evolution

_______________________________________________
swift-evolution mailing list
swift-evolution@swift.org <mailto:swift-evolution@swift.org>
https://lists.swift.org/mailman/listinfo/swift-evolution

_______________________________________________
swift-evolution mailing list
swift-evolution@swift.org <mailto:swift-evolution@swift.org>
https://lists.swift.org/mailman/listinfo/swift-evolution

_______________________________________________
swift-evolution mailing list
swift-evolution@swift.org
https://lists.swift.org/mailman/listinfo/swift-evolution

Ah, indeed, you’re quite right: I see that SE-0173 removes the “different elements” precondition for swapAt().

It’s not hard to imagine analogous situations involving data structures other than arrays, so presumably Félix’s point still stands in principle for the original swap(). But I notice that SE-0173 says swap() will be deprecated & removed in the future?! Surprising, but well of topic: SE-0176 would allow the implementation of swapAt-like methods for other data structures, so no new concerns about this proposal as it stands.

Cheers, P

···

On May 7, 2017, at 6:01 AM, Jean-Daniel <mailing@xenonium.com> wrote:

Le 7 mai 2017 à 03:54, Paul Cantrell via swift-evolution <swift-evolution@swift.org <mailto:swift-evolution@swift.org>> a écrit :

On May 6, 2017, at 12:36 PM, John McCall via swift-evolution <swift-evolution@swift.org <mailto:swift-evolution@swift.org>> wrote:

On May 6, 2017, at 1:11 PM, Félix Cloutier via swift-evolution <swift-evolution@swift.org <mailto:swift-evolution@swift.org>> wrote:

Concern: `swap` is quoted a lot for a method that would break under this rule, but as it happens, `swap` with the same value on both sides is (should be) a no-op. Is there a way to not trip the static or dynamic checkers in well-defined cases like that one? Is there any way to check that two inout parameters refer to the same value?

The only reasonable way to do this is statically, and why would you call 'swap' statically with the same l-value for both arguments?

When static analysis can determine that a swap is always a noop, I can’t see any reason not to flag it as an error.

But Félix’s question was also about the runtime case. And he has a good point.

Here’s a compelling example where allowing the noop swap would make sense:

    extension Array {
      mutating func shuffle() {
        for i in indices {
          let j = i + Int(arc4random_uniform(UInt32(count - i)))
          swap(&self[i], &self[j])
        }
      }
    }

Isn’t this issue already solved by the introduction of swapAt ?

Actually, `swapAt` does have a precondition that the elements differ.

···

On Sun, May 7, 2017 at 09:41 Paul Cantrell via swift-evolution < swift-evolution@swift.org> wrote:

On May 7, 2017, at 6:01 AM, Jean-Daniel <mailing@xenonium.com> wrote:

Le 7 mai 2017 à 03:54, Paul Cantrell via swift-evolution < > swift-evolution@swift.org> a écrit :

On May 6, 2017, at 12:36 PM, John McCall via swift-evolution < > swift-evolution@swift.org> wrote:

On May 6, 2017, at 1:11 PM, Félix Cloutier via swift-evolution < > swift-evolution@swift.org> wrote:

Concern: `swap` is quoted a lot for a method that would break under this
rule, but as it happens, `swap` with the same value on both sides is
(should be) a no-op. Is there a way to not trip the static or dynamic
checkers in well-defined cases like that one? Is there any way to check
that two inout parameters refer to the same value?

The only reasonable way to do this is statically, and why would you call
'swap' statically with the same l-value for both arguments?

When static analysis can determine that a swap is *always* a noop, I
can’t see any reason not to flag it as an error.

But Félix’s question was also about the runtime case. And he has a good
point.

Here’s a compelling example where allowing the noop swap would make sense:

    extension Array {
      mutating func shuffle() {
        for i in indices {
          let j = i + Int(arc4random_uniform(UInt32(count - i)))
          swap(&self[i], &self[j])
        }
      }
    }

Isn’t this issue already solved by the introduction of swapAt ?

Ah, indeed, you’re quite right: I see that SE-0173 removes the “different
elements” precondition for swapAt().

It’s not hard to imagine analogous situations involving data structures
other than arrays, so presumably Félix’s point still stands in principle
for the original swap(). But I notice that SE-0173 says swap() will be
deprecated & removed in the future?! Surprising, but well of topic: SE-0176
would allow the implementation of swapAt-like methods for other data
structures, so no new concerns about this proposal as it stands.

Cheers, P

_______________________________________________
swift-evolution mailing list
swift-evolution@swift.org
https://lists.swift.org/mailman/listinfo/swift-evolution

Concern: `swap` is quoted a lot for a method that would break under this rule, but as it happens, `swap` with the same value on both sides is (should be) a no-op. Is there a way to not trip the static or dynamic checkers in well-defined cases like that one? Is there any way to check that two inout parameters refer to the same value?

The only reasonable way to do this is statically, and why would you call 'swap' statically with the same l-value for both arguments?

When static analysis can determine that a swap is always a noop, I can’t see any reason not to flag it as an error.

But Félix’s question was also about the runtime case. And he has a good point.

Here’s a compelling example where allowing the noop swap would make sense:

    extension Array {
      mutating func shuffle() {
        for i in indices {
          let j = i + Int(arc4random_uniform(UInt32(count - i)))
          swap(&self[i], &self[j])
        }
      }
    }

Isn’t this issue already solved by the introduction of swapAt ?

Ah, indeed, you’re quite right: I see that SE-0173 removes the “different elements” precondition for swapAt().

It’s not hard to imagine analogous situations involving data structures other than arrays, so presumably Félix’s point still stands in principle for the original swap().

swapAt is an operation on MutableCollection, not just on Array.

The key thing I think you may be missing here is that swapAt is needed because enforcement will otherwise prohibit two mutating accesses to the containing data structure. We can't reliably poke a hole in that just for swap.

John.

···

On May 7, 2017, at 10:41 AM, Paul Cantrell <cantrell@pobox.com> wrote:

On May 7, 2017, at 6:01 AM, Jean-Daniel <mailing@xenonium.com <mailto:mailing@xenonium.com>> wrote:

Le 7 mai 2017 à 03:54, Paul Cantrell via swift-evolution <swift-evolution@swift.org <mailto:swift-evolution@swift.org>> a écrit :

On May 6, 2017, at 12:36 PM, John McCall via swift-evolution <swift-evolution@swift.org <mailto:swift-evolution@swift.org>> wrote:

On May 6, 2017, at 1:11 PM, Félix Cloutier via swift-evolution <swift-evolution@swift.org <mailto:swift-evolution@swift.org>> wrote:

But I notice that SE-0173 says swap() will be deprecated & removed in the future?! Surprising, but well of topic: SE-0176 would allow the implementation of swapAt-like methods for other data structures, so no new concerns about this proposal as it stands.

Cheers, P

Looking at the source code
<https://github.com/apple/swift/blob/master/stdlib/public/core/MutableCollection.swift&gt;,
the “swapAt” method is documented to have no effect when the indices are
equal:

/// Exchange the values at indices `i` and `j`.
///
/// Has no effect when `i` and `j` are equal.
mutating func swapAt(_ i: Index, _ j: Index)

Furthermore, the default implementation simply returns early when given the
same index twice:

extension MutableCollection {
  @_inlineable
  public mutating func swapAt(_ i: Index, _ j: Index) {
    guard i != j else { return }
    let tmp = self[i]
    self[i] = self[j]
    self[j] = tmp
  }
}

Contrast that with “swap” (found here
<https://github.com/apple/swift/blob/master/stdlib/public/core/Sort.swift&gt;\)
which is documented with “Precondition: `a` and `b` do not alias each
other.” And the implementation enforces that (at least in debug builds)
with:

_debugPrecondition(p1 != p2, "swapping a location with itself is not
supported")

So it looks like the precondition is only found on “swap”, and “swapAt”
should work properly (by doing nothing) when asked to exchange a single
index with itself.

Nevin

···

On Sun, May 7, 2017 at 2:04 PM, Xiaodi Wu via swift-evolution < swift-evolution@swift.org> wrote:

Actually, `swapAt` does have a precondition that the elements differ.