Add Compile-Time Error-Checking and Avoid Boundschecking in Slice Expressions

[nordlow]

The goal here is to avoid boundschecking for slice expression whose lower or/and upper bounds can never be outside of [0 .. $]. Further, if a slice index can be proven to be outside of bounds an error is issued.

Step 1:

x[0 .. $]
x[0 .. 0]
x[$ .. $]

Step 2:

x[0 .. $/n]
x[$/n .. $]

where n is a compile-time constant >= 1

Step 3:

x[$/m .. $/n]

where m and n are compile-time constants both >= 1 and m >= n.

Step 4:

x[$*p/q .. $*r/s]

where p, q, r and s are compile-time constants both >= 1 and p/q <= r/s, p <= q, r <= s.

Step 5 (error reporting only):

x[$+o .. $+s]

I put this out in the open in a very early stage to get feedback as soon as possible. This so I don't diverge in a direction that you dislike.

I use a warning for now for debug purpose.

My prel tests seems to show that the current logic holds water and at least doesn't crash DMD :)

Most of my questions are given as TODO comments.

Specifically I'm curious

• Why isn't there a specific class DollarExp instead of VarExp. That would have made isOpDollar trivial.
• If (x->op == TOKdiv) is it guaranteed that x is of type DivExp? This seems like an insecure pattern. I see that DMD has isVarDeclaration so why isn't there corresponding is.*Exp?
• Could any explain what resolveOpDollar is used for. Have any use of it here?

Note that the naming of the variable lowerIsLessThanUpper is misleading as it's value is true iff lwr <= upr. lowerIsLessThanOrEqualToUpper or lowerIsLTEToUpper would be a better name.

Update: Another key issue is whether this should include analysis of immutable slice initializations such as, for instance, line 37 to to 46 in std.ascii.

Destroy and thanks in advance!

[andralex]

looks like

return decl && decl->ident->len == 8 && memcmp(decl->ident->string, "__dollar", decl->ident->len) == 0;

to me

[nordlow]

You're right. I'll wait and see if any more logic has to be added :) If not I'll change it.

[sinkuu]

decl->ident == Id::dollar?

[nordlow]

Ahh! Great.

[yebblies]

a = a || b -> a |= b

[yebblies]

No?

[nordlow]

Ahh, I get it. I misread -> for a pointer member operator :)

According to

https://en.wikipedia.org/wiki/Operators_in_C_and_C%2B%2B#Compound_assignment_operators

this does bitwise logic. But for zeros and ones I guess that's ok right?

[justanotheranonymoususer]

I would use if(lwrRange.imax <= uprRange.imin) this->lowerIsLessThanUpper = true; here.

[yebblies]

this does bitwise logic. But for zeros and ones I guess that's ok right?

Bitwise logic on a bool is boolean logic. It makes sense if you don't think about it too much.

[yebblies]

SliceExp has a member lengthVar which I'm guessing is the __dollar variable, you should probably be checking against that rather than checking the name.

[yebblies]

No comments inside expressions please, move them outside the condition.

[nordlow]

For better reuse I broke out logic into SliceExp::analyzeRelativeBound() that returns a Boundness status. There is now an extra member lowerIsInBounds that is currently not used where corresponding upperIsInBounds is. Do we have any use of SliceExp::lowerIsInBounds? I guess there can be cases where upper cannot be proven to be in bounds when lower is. The current states SliceExp::upperIsInBounds and SliceExp::lowerIsLessThanUpper cannot describe this fact.

AFAIK Step 1, 2, 3 and 4 should now be covered.

You are free to express desire in my namings. They are quite arbitrary.

BTW: What's the policy on using C++ function out parameter references instead of pointers in DMD? I can't find any usage of it anywhere in expression.c at least.

[yebblies]

This doesn't need to be a member function, and if it's private to this file you can also move Boundness out of the header.

[nordlow]

What about lengthVar? How do I get that Without this pointer?

[yebblies]

Pass it to the function.

[nordlow]

Why is lengthVar a member of OpSlice? Shouldn't it be better to have one global instance of it?

[yebblies]

Because each slice has its own length variable. eg x[$-{ return a[$-5..b[$-2]+$/2]; }()].

[nordlow]

Aha.

[yebblies]

BTW: What's the policy on using C++ function out parameter references instead of pointers in DMD? I can't find any usage of it anywhere in expression.c at least.

The policy is don't.

[9rnsr]

I'm really not sure that kind of those heuristic checks will be accepted. In #4209, I'm doing similar implementation, but it's currently pending because it's looks dirty.

[nordlow]

Are there any relevant dollar expressions for Step 5 (more complex than Step 4)?

[nordlow]

BTW: How do I handle signed integer literateral offsets, in my case for example [$-1 .. $] when toInteger() returns an unsigned integer (dinteger_t)?

[nordlow]

BTW: I'm missing Expression try-cast functions such as

• AddExp* isAddExp(Expression* e) { return e->op == TOKadd ? (AddExp*)e : NULL; }
• etc

for simplifying code for pattern matching on subclasses to Expression.

Why hasn't these been added?

Is it ok to add these on demand in this pull?

[yebblies]

BTW: How do I handle signed integer literateral offsets, in my case for example [$-1 .. $] when toInteger() returns an unsigned integer (dinteger_t)?

(sinteger_t)e->toInteger()

[nordlow]

My only conculsion is that something is using a slice bound out of range perhaps in a traits compiles. Infinite range?

[yebblies]

From the type in the error it doesn't look a like an infinite range. I don't know why it's happening.

[nordlow]

@andralex @WalterBright @9rnsr : Do you have any clues to why all 64-bit builds fail but not the 32-bit ones?

[9rnsr]

std.algorithm.map is testing its input by slicing with ulong.max. With this PR, it would fail always. Finally map would have opSlice(uint, uint) even in 64bit platforms, and it would not work with size_t bounds.

Part of MapResult code in std/algorithm/iteration.d:

    static if (hasSlicing!R)
    {
        static if (is(typeof(_input[ulong.max .. ulong.max])))   // <--- 
            private alias opSlice_t = ulong;
        else
            private alias opSlice_t = uint;

        static if (hasLength!R)
        {
            auto opSlice(opSlice_t low, opSlice_t high)
            {
                return typeof(this)(_input[low .. high]);
            }
        }
        else static if (is(typeof(_input[opSlice_t.max .. $])))
        {

[nordlow]

So the natural question now becomes...should we drop bounds checking for these "negative" integer literals or fix Phobos? @andralex ?

[9rnsr]

No. In that case (is(typeof(_input[ulong.max .. ulong.max]))), it's just validating an expression by using is(typeof(exp)) idiom. I can say that the extended bounds check should not work inside typeof.

[yebblies]

Don't we have functions in phobos explicitly for use in is(typeof()) expressions? lvalueOf!T() or something?

[9rnsr]

@yebblies With is(typeof(exp)), exp may be an invalid expression. But, an invalid expression cannot appear in template parameters. As the conclusion, wrapping the idiom by a library template is impossible.

[yebblies]

I mean writing is(typeof(_input[rvalueOf!ulong..rvalueOf!ulong])) instead of using ulong.max, which would prevent these errors from occurring as the actual values wouldn't be known. I assume the expression is really meant to be checking "can _input be sliced with ulong indices" rather than explicitly checking that the value ulong.max works.

[9rnsr]

ulong.max is a valid expression for a slice expression bounds in 64-bit platforms. I argue that we should not break any existing compile-time check code by the enhanced bounds check. It's only useful for actual runtime slicing, so breaking any compile-time checks is definitely unreasonable.

And, I think the std.algorithm.map breaking is definitely a problem of this PR. In the expression is(typeof(_input[ulong.max .. ulong.max])), _input is an instance field of MapResult, so its bounds are clearly unknown at compile time. So _input.length might be ulong.max in 64bit platform. Therefore it's equivalent with is(typeof(_input[$ .. $])) _input[$ .. $] and this PR should not cause errors for the slicing. No?

[nordlow]

What about index bound expressions such as $+1? In what cases would the user want to do that? I always prefer compile-time before run-time checking when possible.

[nordlow]

Both x[0..0] and x[$..$] are allowed by this pull.

Maybe I should add unittests :)

[9rnsr]

If a slice arr[0 .. $+1] is in runtime code, the error detection would be useful. Otherwise it would be useless breaking change. Please don't do it.

[9rnsr]

Also add following case:

if (0)
{
    int[] arr = [1,2,3];
    auto a = arr[size_t.max .. size_t.max];  // should compile
}

[nordlow]

So do you all agree on no compile-time error checking here?

[justanotheranonymoususer]

If a slice arr[0 .. $+1] is in runtime code, the error detection would be useful. Otherwise it would be useless breaking change. Please don't do it.

When is arr[0 .. $+1] going to be a legit code?

[9rnsr]

When is arr[0 .. $+1] going to be a legit code?

If it's inside is(typeof()), yes. But __traits(compiles, arr[0 .. $+1]) can be changed to return false.

[nordlow]

If we follow the convention of being backwards compatible with __traits(compiles) then hardly any additions to the error diagnostics in DMD can be added. This hasn't quite been the case in recent years has it?

[justanotheranonymoususer]

If it's inside is(typeof()), yes. But __traits(compiles, arr[0 .. $+1]) can be changed to return false.

Why would it be valid inside typeof if it doesn't compile?

[9rnsr]

Inside typeof, only the expression type is validated. Bounds check doesn't modify the expression type. Therefore it should not work in typeof.

[ibuclaw]

@nordlow - Status update on this?

[ibuclaw]

I'm going to say 👎 to this. Though I have taken the inspiration for the idea and put it in a new PR #7677.