Programming: To the Limit

A blog about in-depth analysis and understanding of programming, with a focus on C++.

Tuesday, July 21, 2009

Concepts, C++0x, and the Limit

By now, I'm sure you have heard the news. The C++ Working Group has decided to remove Concepts from the C++0x specification. The first question you might have is this: what are Concepts?

This is pretty simple, and I'll explain by way of analogy. Object Oriented Programming (class hierarchies with virtual functions) and Generic Programming (templates) are the prime language-based C++ mechanisms for allowing old code to call new code. Having new code use old code is easy; you call a function. Having old code call code that has not yet been written is harder.

OOP does this by using prototypes, explicit constructors/destructors, and function pointers (under the hood, of course). You provide a prototype (your class), explicitly defining which functions can and cannot be changed in derived classes. Under the hood, the compiler creates a small struct for each class that contains the virtual table: the list of function pointers that the class uses. When you derive a new class and override virtual functions, the struct that your new class uses is created by copying the base class's table and then overwriting the overridden function pointers.
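To make that concrete, here's a minimal sketch (the class names are made up for illustration):

#include <iostream>

class Shape //the "old code": written first
{
public:
    virtual ~Shape() {}
    virtual void Draw() const { std::cout << "generic shape\n"; }
};

class Circle : public Shape //the "new code": written later
{
public:
    virtual void Draw() const { std::cout << "circle\n"; } //overwrites the slot in the copied table
};

void Render(const Shape &theShape) //old code calling new code
{
    theShape.Draw(); //dispatched through the virtual table at runtime
}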

The important part of this is that it is all very explicit. Everything is directly spelled out for both the compiler and the user. B derives from A, so anything that takes a pointer/reference to A can also take B. End of story.

Generic programming is very implicit. A templated function imposes some requirement on the type of the object that it uses. However, that requirement is never spelled out anywhere. It is defined entirely based on how that template function, and any template functions it calls, uses the type. This interface doesn't even have to be on the type itself; a template can do odd things like require that there be a free function that will take this type as a parameter. If the type you pass in has the appropriate interface, then everyone's happy. If it doesn't, you get a compiler error.
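To illustrate (Report and Describe are invented names, not anything standard):

//The "interface" here is purely implicit. Report compiles for any T that
//supports operator< and for which a free function Describe(T) can be found.
template<typename T>
void Report(const T &value, const T &limit)
{
    if(limit < value) //implicit requirement: operator<
        Describe(value); //implicit requirement: a free function taking a T
}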

Now, the problem with this is that compiler error. Somewhere deep in the bowels of some template function, something tries to make a call or perform an operation that the type can't handle. That, according to C++, is where the error happened. The compiler must then unroll the call hierarchy, listing each and every function, template type, and so forth along the way, until it reaches the site where the error really happened: the place where you instantiated the template.

Also, the error message itself is usually not something as clear as "the type X you used in template Y needs operation Z that is not available on that type." It is usually obtuse and involves a lot of text about innumerable template types and expansions. It even exposes some of the implementation details of the template you may be using.

Concepts are a proposed way to create a functioning, explicit interface for template parameters. If you're using a template that has a Concept, attempting to use a type that does not conform to the Concept will cause an immediate compiler error, with a reasonable error message explaining that the type doesn't conform to the Concept. It also helps in writing templates. Before, you could do anything with a template parameter and the code had to assume it'd work until someone tried to instantiate it. If a parameter has a Concept constraint on it, then attempting to perform an operation not listed in that Concept will provoke a compile error in the template itself.
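Roughly, a Concept and a constrained template looked something like this (quoted from memory of the draft proposals; the exact syntax shifted between revisions and was never standardized):

auto concept LessThanComparable<typename T>
{
    bool operator<(T a, T b);
}

template<LessThanComparable T>
const T &Min(const T &a, const T &b)
{
    return (b < a) ? b : a; //OK: operator< is declared by the Concept
    //a + b would be an error here, in the template definition itself,
    //rather than at some later instantiation.
}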

All in all, it sounds like a great idea: contracts for template parameters. And it had been built up as one of the major selling features of C++0x.

So why'd they ditch it?

Well, first of all, it just wasn't maturing. ConceptGCC, an implementation of some of the older forms of the various Concepts proposals, stopped being developed. The C++ working group had no resources to spend on keeping an implementation like that up and running.

Concepts were also becoming a problem for the Standard Library. Obviously, the library would have been Conceptualized, but there was no clear idea of how to do that. And without a functioning implementation, all the C++ WG could do was argue about one way vs. another.

And all of this non-advancement started mucking up C++0x's schedule. The 0x is supposed to mean pre-2010. Faced with the possibility of C++0x being dramatically delayed (numbers like 2012-2013 were being thrown around), the WG decided to chuck the dead weight and leave Concepts for the next standard.

Was this the right choice?

Absolutely! And here's why.

Despite all of the hype around Concepts, we are talking about a feature that exists primarily to make error messages nicer. The Concepts proposal does have some interesting adaptation features (concept maps) that let you write a mapping from an existing type to a Concept, allowing a type that doesn't literally conform to a Concept to be used as if it did. But even that isn't such a huge feature, as you can write wrapper classes to get similar functionality (though you must then explicitly use them).

For me, it comes down to day-to-day utility. Concepts won't make my code faster; r-value references will. Concepts won't make using standard algorithms that much easier; lambdas will. Concepts won't decrease the number of times I have to type out a typename; "auto" (like "var" in C#) will. And so on.

C++0x is a lot more than just Concepts. C++0x has productivity enhancements (auto, lambda), performance enhancements (r-value references), and just flat out cool stuff (uniform initialization, user-defined literals). Delaying all of that stuff just to get nicer error messages for template misuse would have been a crime.
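Just to give a taste of those three (a sketch using the draft C++0x syntax; the names are mine):

#include <algorithm>
#include <string>
#include <utility>
#include <vector>

void Demo(std::vector<std::string> &names)
{
    //auto: the compiler deduces the iterator type, so I don't type it out
    for(auto it = names.begin(); it != names.end(); ++it)
    { /* use *it here */ }

    //lambda: an inline predicate, right where the algorithm needs it
    std::sort(names.begin(), names.end(),
        [](const std::string &a, const std::string &b)
        { return a.size() < b.size(); });

    //r-value references: std::move transfers the buffer instead of copying it
    std::string strLast = std::move(names.back());
}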

I wish C++0x could have had Concepts in it. But getting the rest of the stuff out to the public is far, far more important.

A tip of the hat to the C++ Working Group on sacrificing one of their sacred cows for the betterment of the rest. We'll see Concepts come back for the next standard.

Thursday, September 04, 2008

Modular Programming and the Push Model

Thus far, we've talked often about the low-level details of code; we've basically been operating at the level of functions and what goes inside them. This article will thus be the first to deal with the overall structure of code.

I practice what I (and probably others) call "Modular" programming. That is, when working on a project of any real size, the project is broken down into a set of discrete modules (built as C++ static libraries). Each module represents code that does a single, specific thing. That is the most important aspect of module design: modules should be as focused and minimal as reasonable.

Note that it is "as reasonable," not "as possible." And there is a good reason for this. The more modules you have, the harder it is to find a problem. Bugs can be local to a module, or they can arise through interactions between modules. The more modules you have, the more interactions you have to debug through. So there is tension between having specific modules and ease of debugging.

Keeping modules minimal is key to making this work. One of the primary benefits of modular programming is code reuse: if your code is broken down into discrete, atomic bits, it is much easier to use later. The bigger and more complicated the module, the less likely it is to be a good fit for your later needs.

One big problem with modules is interdependency. There will be modules that depend on the presence of certain other code. In many cases, this is an intrinsic need, but sometimes it is not. The real problem comes in telling when a module truly needs another module.

The reason this is a problem is that the more dependent modules are on one another, the less likely you are to reuse that module.

Let's say you're writing a music player application, a la WinAMP or Foobar. Breaking it up into modules, you need at least the following modules:

  • Music playing. Takes a file and plays music, with various controls to stop, get the current time, etc.

  • Tag identification. Takes a file and determines the various tag bits in the file.

  • Playlist manager. Has a list of files in an order, can re-order them, has one that is "current", etc.



This is hardly comprehensive, but it will do for now. The question is this: does the playlist manager need the tag identifier module? Yes, but only if the playlist manager module includes the code for drawing the playlist. If it is instead just a wrapper around a std::vector (or, more likely, a std::list) of filenames, no. Some other code will be responsible for drawing the list and processing user input/output: a module that will be dependent on both the playlist manager and the tag identifier. The proper modularization is to make the playlist manager low-level, and provide a higher-level module that understands the GUI module and so forth.
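As a sketch, the low-level playlist module might be as small as this (names invented; error handling elided):

#include <list>
#include <string>

//The playlist manager proper: an ordered list of filenames with a notion
//of "current". No tag reading, no drawing, no user input.
class Playlist
{
public:
    Playlist() : m_Current(m_Files.end()) {}

    void Append(const std::string &strFilename)
    {
        m_Files.push_back(strFilename);
        if(m_Current == m_Files.end())
            m_Current = m_Files.begin();
    }

    bool HasCurrent() const {return m_Current != m_Files.end();}
    const std::string &Current() const {return *m_Current;}
    void Advance() {if(HasCurrent()) ++m_Current;}

private:
    std::list<std::string> m_Files;
    std::list<std::string>::iterator m_Current;
};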

    If this sounds similar to the old UNIX philosophy of "do one thing, do it well," then you're right. However, this is applied to code rather than executables, since code can more easily communicate with other code than executables with other executables.

    The fundamental key to all this is what I call the "Push Model". The Push Model describes how modules interface with other modules, as well as how modules internally work. If module B calls any function from module A, then module B is dependent on module A. If module A is dependent on module C, then B is also dependent on C, but indirectly.

Also, the Push Model says that the results of a function call should be based only on the function parameters, the state of the class being called, some module-global state, and the module-global state of any module that this module is directly or indirectly dependent on. There are exceptions, of course (resources, input systems, errors, etc.), but that's the general rule.

    The Push Model ensures that a module is truly modular.

    However, this is all nice in theory. There are always problems. We'll get to that in another article, though.

    Tuesday, December 04, 2007

    Interface my Code

Once upon a time, I talked about Pimpl. Basically, it's a way of hiding the implementation details from external code. The primary benefit is improved compile times, since header files do not have to include a bunch of code that nobody cares about, and only the internals of a system need recompiling when the implementation changes.

As the primary example for Pimpl, I used what I described as an "entity from a game system". The example brings up a specific problem, one that is not unique to games: the "fat interface" object, the object that needs to know about everything, everywhere.

    Here is that example again, pre-Pimpl:

class GameEntity
{
public:
    GameEntity();
    virtual ~GameEntity();

private:
    boost::shared_ptr<Render::MeshClass> m_Mesh;
    boost::shared_ptr<Anim::AnimSystem> m_AnimationSystem;
    std::vector<boost::shared_ptr<Audio::Sounds> > m_SoundList;
    std::vector<boost::shared_ptr<Coll::CollisionMesh> > m_CollList;
    boost::shared_ptr<Physics::PhysicalObject> m_PhysicsObj;
};


    Now, the Pimpl version does a great job of hiding the internals:

class GameEntityImpl;

class GameEntity
{
public:
    GameEntity();
    virtual ~GameEntity();

private:
    boost::shared_ptr<GameEntityImpl> m_Impl;
};


Now, the only #include that the external system needs is boost/shared_ptr.hpp. That's all well and good, but there's something missing: the interface. GameEntity isn't terribly useful without its interface. And while we no longer expose numerous classes from the internals, the interface would force us to do so:

class GameEntityImpl;

class GameEntity
{
public:
    GameEntity();
    virtual ~GameEntity();

    void EnumerateCollisionVolumes(boost::function<void (boost::shared_ptr<const Physics::CollisionVolume>)>) const;
    void EnumerateMeshes(boost::function<void (boost::shared_ptr<const Render::Mesh>)>) const;
    boost::shared_ptr<Ai::AiController> GetAI();
    boost::shared_ptr<const Ai::AiController> GetAI() const;
    void PlayAnimation(boost::shared_ptr<const Anim::Animation> pTheAnim);

    void SetPosition(const Position &thePos);
    void SetOrientation(const Orientation &theOrientation);

private:
    boost::shared_ptr<GameEntityImpl> m_Impl;
};


    This is really no better than before. Oh, it still gets rid of certain implementation details, like the use of std::vector and such. But that's all; the user still needs the definition of a lot of classes.

    Also, there is the problem of having fat interfaces. What I depicted is the tip of the iceberg; it is not uncommon for the core entity classes to have hundreds of member functions.

    There is a way to solve all of these problems at once. Basically, you use your Pimpl differently.

Pimpl has a publicly available interface class, but also a private implementation class. The solution is, instead of having one public interface class, to have many: one for each different use of the class.

    So, in this case, GameEntity objects would be created through some global function interface. The code that creates a GameEntity needs to know about all the different bits, so you can't avoid that one. But what is created is the private implementation, which is stored by boost::shared_ptr in a list accessible by a unique name. It would also create the primary public interface class, called GameEntity, which is returned to the user.

    GameEntity would have a number of functions that would return different interfaces. So, there would be a physics interface, rendering interface, sound interface, etc. These all expose functions and classes that much of the game code can freely ignore. All of them have shared_ptrs back to the private implementation.

    So, your GameEntity looks like:

class GameEntityImpl;
class PhysicsEntity;
class RenderEntity;
class AiEntity;
class AnimEntity;

class GameEntity
{
public:
    virtual ~GameEntity();

    //Interface retrieval
    boost::shared_ptr<PhysicsEntity> GetPhysicsEntity();
    boost::shared_ptr<const PhysicsEntity> GetPhysicsEntity() const;
    boost::shared_ptr<RenderEntity> GetRenderEntity();
    boost::shared_ptr<const RenderEntity> GetRenderEntity() const;
    boost::shared_ptr<AiEntity> GetAiEntity();
    boost::shared_ptr<const AiEntity> GetAiEntity() const;
    boost::shared_ptr<AnimEntity> GetAnimEntity();
    boost::shared_ptr<const AnimEntity> GetAnimEntity() const;

    std::string GetEntityName() const;

    void SetPosition(const Position &thePos);
    void SetOrientation(const Orientation &theOrientation);

private:
    GameEntity();

    boost::shared_ptr<GameEntityImpl> m_Impl;
};

This works perfectly. It hides everything from prying eyes, while creating interfaces for specific kinds of tasks. Because all of the interfaces point to the same object, they can call any internal code they wish. So the generic GameEntity interface can expose functions like SetPosition, which operate on the physics object (the ultimate source of the position), without having to go through the PhysicsEntity to do so. The PhysicsEntity will expose it too, of course, but it will also expose other functions.

Also, if the necessary objects for a certain kind of interface don't exist for a particular GameEntity, then the interface retrieval function will simply return a null pointer. This forces the user to check whether the GameEntity has, for example, an AI before calling AI functions.
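In practice (Update here is a hypothetical AiEntity member function):

boost::shared_ptr<AiEntity> pAi = pEntity->GetAiEntity();
if(pAi) //this entity may simply have no AI
    pAi->Update();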

    I call this "Interface-based Programming". The data is perfectly hidden behind specific views into that data, with each view being categorized for specific functions and purposes.

    Thursday, September 20, 2007

    Parsing, C++ Style. Part 1

    I'm going to let you in on a secret: I hate rote busywork programming. I can't stand boring, trivial code. Oh, I know it needs to be done, but if I've done it 20 times before, odds are I'm going to find a way to keep from having to do it a 21st time. That's one of the things that's nice about using C++.

    One task I detest with a passion is writing a parser. We've all had to do it. Load a text file, tokenize it based on some pattern or whatever, look for the data you're interested in, check for errors in formatting, etc. It's easy and boring. And, more importantly, highly error prone.

The latter is a real sticking point. The only thing I hate more than writing a parser is having to debug one. Adding to that is the fact that debugging a parser is not like unit testing or something of that nature; it's a totally input-driven process. If you forget a particular case, or didn't anticipate something, it will come back to bite you.

    Fact is, I shouldn't have to parse code manually. I should have some API or library or something that I can apply to a text file and read it. Worst case, I should be able to define the format of the file, run the file through the parser with that format, and get a parse tree representation of the file, or an error if the file is not formatted properly. Best case, instead of a parse tree, my code simply gets called during the act of parsing the file in question.

    Now, there are two utilities in particular that I personally rely upon for 95% or more of my parsing needs. The first is LibXML2. It's a C-based library (though there's an unpleasant C++ front end with an obnoxious license available, if you really need it), so it doesn't qualify as C++ Limit Science.

    So, I lean on XML a lot. However, though XML is a nice language for the person writing the document, it's not particularly nice for the person reading it. Even with LibXML2, you have to do a lot of rote parsing work.

    For formats that tend to be generated from code rather than by an external user, I prefer a combination of Lua and Luabind. Lua is a very easy to use scripting language, but the origin of Lua was in configuration languages. As such, Lua makes a handy file format. All you do is have the Lua script store its data as a large table, likely with nesting. Imagine a gigantic arbitrary struct with any data you can imagine. It can be passed around as plain text, but it can also be compiled into Lua bytecode for size purposes. And thanks to Luabind (a C++ library), actually accessing the contents of the object is much easier than with the Lua C API. It is very easy to generate files and it is likewise easy to read them. And if someone wrote the file in a syntactically erroneous way, Lua will simply report an error at compile time.
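The reading side ends up looking something like this sketch (assuming the Lua file fills in a global table named config; the field names are invented):

#include <string>
#include <lua.hpp>
#include <luabind/luabind.hpp>
#include <luabind/object.hpp>

//Reads a Lua "data file" along the lines of:
//  config = { width = 1024, title = "My App" }
void ReadConfig(lua_State *pLua)
{
    luaL_dofile(pLua, "config.lua"); //syntax errors in the file surface here

    luabind::object config = luabind::globals(pLua)["config"];
    int iWidth = luabind::object_cast<int>(config["width"]);
    std::string strTitle = luabind::object_cast<std::string>(config["title"]);
    //...
}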

    Taken together, they cover most of my parsing needs. XML is used for things the user will modify or create, and Lua is used for most everything else.

    But then comes the big problem. What do you do when you have no control over the file format?

    This is more likely than you might think at first glance. HTML and XML may be derived from the same source (SGML), but they are not compatible. And HTML certainly isn't Lua. Or maybe you're trying to write a scripting system yourself. Unless you're going to force your users to script in XML (yuck), you will need to write a parser of some kind. Or maybe you need to be able to parse some simple strings that the user enters, such as for a text adventure or some such.

    And that's where Boost comes in. Or rather, Boost.Spirit.

Spirit is a very large, header-only library, but it's founded on a simple premise: make text parsing easy. It is designed for low-to-medium-scale parsing; high-scale parsing, as for a grammatically complex language like C++, is at the very far end of Spirit's capabilities. It can do it, but you will certainly not like what it does to your compile times.

This is to contrast Spirit with its primary alternatives, the preprocessing-based Lex/Yacc and Flex/Bison. These alternatives require the user to write a grammar in a special syntax and add specialized preprocessing commands into their build pipeline to generate C files for doing the parsing. They're functional, but rather arcane, requiring external executables and so forth.

Spirit, by contrast, leverages a "preprocessor" you already have: the C++ template mechanism itself. Spirit is a template metaprogramming library that allows the user to define a grammar using a syntax that is not unlike Extended Backus-Naur Form. It also allows the user to provide semantic actions: functions that will be called when a certain parsed element is reached.

Higher-level Spirit functions, built on the base functionality described above, allow for the creation of an entire parse tree of the document, defined by special semantic actions. And of course, Spirit includes the Phoenix functional programming library (which it uses internally), making it easier to build semantic actions for various bits of functionality.

    The core foundation of Spirit isn't really a parser per se: it is a tokenizer and recognizer. It is, in essence, a schema language. It takes a string and a grammar and returns true if the string fits the grammar and false otherwise. Along the way, it will call various user-defined functions on the parsed text if it matches.

Here is a very simple example of a Spirit parser:

#include <boost/spirit.hpp> //the classic Spirit header of that era
using namespace boost::spirit;

bool RecognizeNumberSequence(const char *strInput)
{
    return parse(strInput, real_p >> *(',' >> real_p), space_p).full;
}

    This will return true if strInput is a comma-separated list of real numbers.

    The second input to the function is a Spirit parser. The expression real_p >> *(',' >> real_p) produces a parser object that can be used as input to the parse function. The variable real_p is a predefined Spirit parser that parses real numbers in all of their various forms.

    The object space_p is a parser recognizing spaces. Used as the third argument to boost::spirit::parse(), it represents the "skip parser". This parser tells the parse function how to tokenize the input. That is, what to ignore when parsing. This keeps the main grammar cleaner.

Let us break down the main parser expression: real_p >> *(',' >> real_p). The '>>' operator means that the operand on the left must occur before the one on the right. The '()' means what it seems like: grouping. The '*' operator (C++'s dereference, not multiply) means that the operand will be repeated zero or more times.

    So, this parser means that there will be a real number, followed by zero or more repetitions of a comma followed by a real number. Basically, a comma-separated list of real numbers. And the space_p skip parser means that spaces can occur between any of these elements, but not within a real number.

    As mentioned, this is not a terribly useful function, as it does not actually do anything with what it parses. It simply detects whether the input is well-formed as stipulated by the two parsers. In the next part, we will deal with actually doing something while parsing.

    Cast in Gold

Casting. Casts are that dirty little thing that everyone knows not to use, but that everyone uses more often than they ought to.

    C introduced us to one kind of cast. You have a thing of type A, and you can try to turn it into a thing of type B. Simple construct for a simple language.

    C++ created more casts. But there's a funny thing about C++ casts; nobody likes them. Articles have been written about why they should be avoided and why they were a bad idea for the language. Few C++ programmers prefer them over C-style casts.

This article will explain what these C++-style casts are and why you should use them a lot more often than you probably do.

All of these casts share a common syntax: cast_name<TypeToConvertTo>(expressionToCast). No matter how small "cast_name" is, it will always be bigger than the nothing that C-style casts use. C++-style casts draw attention to themselves by being large and ugly.

This was supposedly done intentionally, as a way to discourage their use. Unfortunately, it worked; that's why most everybody just uses C-style casts. The idea was that it would discourage the use of casting in general, but that was madness.

There are four kinds of C++ casts: static_cast, const_cast, reinterpret_cast, and dynamic_cast. Each of them is meant to be used under specific circumstances.

The easiest two to defend are reinterpret and dynamic. This is because neither of them has a direct analog among C-style casts.

If you have a 32-bit float value, and you want to get its bit pattern as an unsigned 32-bit integer, in C you have to do this:
uint32_t iFloatBits = *(uint32_t *)&fValue;

    Not only is this somewhat obtuse as to what's happening (you're pretending a float-pointer is an integer pointer), it requires that fValue have a memory address, since you have to dereference it. This is highly unnecessary; what you're really asking is for the compiler to bring fValue's bits from a float register into an int register. This is very simple and just about every CPU can do it. But in C, you can't actually say it like that.

In C++, you have:
uint32_t iFloatBits = reinterpret_cast<uint32_t &>(fValue);

Note that the cast is to a reference type, so there is no explicit address-of or dereference. The only downside is the sheer length of the expression. But it's a lot more obvious what's going on, so long as the reader understands what C++ casts do.

As for dynamic_cast, there is no C analog because C doesn't have inheritance. The purpose of this operation is to take a pointer to a base class and turn it into a pointer to a derived class. Now, of course, a particular base class instance may not actually be that particular derived class. So a regular C-style cast is right out, since C-style casts are compile-time operations.

See, dynamic_cast isn't really a cast at all; it's a function call. One that can fail. That is, a particular cast can return NULL if the cast operation cannot work on the specific instance (the reference form throws std::bad_cast instead). A dynamic cast is what allows some degree of runtime type identification. You use it when you need to break the OOP contract and consider a base class to be a derived class.
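In use, it looks like this (the class names are placeholders):

class Entity
{
public:
    virtual ~Entity() {}
};

class Player : public Entity
{
public:
    void Respawn() {}
};

void OnCollision(Entity *pEntity)
{
    //The cast "fails" by returning NULL if this Entity is not a Player.
    if(Player *pPlayer = dynamic_cast<Player *>(pEntity))
        pPlayer->Respawn();
}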

    So, it is obvious that both of these are superior to their C analogs (and one doesn't even have a C analog, so it is a priori superior to nothing). However, what of the other two?

Well, the main advantage of using const_cast is just error checking. A const_cast can only add or remove const-ness from a type. As such, you cannot accidentally convert the type to something else by entering the wrong type. This is useful.

    Also, removing const-ness (which is 99.9% of all const_cast uses, since adding const-ness is implicit) is rather rare. It usually happens when interfacing with code that you did not write. Indeed, doing this kind of cast suggests a design flaw or that something ought to be made mutable. Outside of that, the times when this kind of cast is truly needed are few indeed. So the larger size of the conversion expression is not a substantial problem.
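The typical case looks like this (LegacyPrint stands in for some API you don't control):

#include <string>

//A hypothetical old C API: takes a char* but never writes through it.
void LegacyPrint(char *strMessage);

void Print(const std::string &strMessage)
{
    //We know LegacyPrint won't modify the string, so removing const is
    //safe, and const_cast cannot accidentally change the type as well.
    LegacyPrint(const_cast<char *>(strMessage.c_str()));
}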

    Which brings us to static_cast. This is the cast that I can recommend the least. It gives protection from accidentally doing something that reinterpret or const casts should be used for, but that's about it. And so long as we assume that the programmer is intelligent, and therefore is not going to arbitrarily be doing these kinds of conversions, then we should assume that each static cast operation is actually necessary. And if the programmer actually is not intelligent, the ugliness of static_cast will not be a deterrent, since they can always use C-style casts anyway.

So, either way, it is generally better to use C-style casts where you might use a static_cast.

    Wednesday, September 12, 2007

    One RAII to Rule Them All

    RAII: Resource Acquisition Is Initialization.

    Perhaps the most useless acronym ever.

    Why? Because it only tells you half of what it is. Perhaps even less.

    The part of RAII that is in the name is the concept of wrapping all resources in objects. Specifically, the constructor of objects.

    What the name misses is the basic construct of RAII.

Consider the following code:

char *LoadAndProcessData(const char *strFilename)
{
    FILE *pFile = fopen(strFilename, "rb");
    if(!pFile)
        return NULL;

    char *pFileData = new char[50];

    fread(pFileData, 1, 50, pFile);
    fclose(pFile);

    ProcessData(pFileData);

    return pFileData;
}

The points of failure in that code are legion. 'fopen' could fail, returning NULL. 'fread' could fail, reading less data than was requested. Even 'new' could fail, either returning NULL or doing everybody's favorite: throwing an exception.

    The first point, the function handles. Presumably, the calling function will look at the return value, check for NULL, and if it sees NULL, then it will do something useful.

    The second point, however, gives rise to an unhandled error. If 'fread' fails, the function 'ProcessData' will get uninitialized (or partially initialized) memory. It may fail, throw an exception, or silently succeed but have bad data. None of these are good answers.

    If 'new' fails, throwing an exception means that we fail. Granted, 'new' will only throw if we are actually out of memory, which isn't a terribly recoverable error. But if it does throw, we will immediately leave the function, without calling 'fclose'. That's bad.

File handles held by a process tend to be cleaned up OK by the OS, mainly because so many programs are bad about doing it themselves. But it could have been a global resource, like a piece of memory to be shared between two processes (say, the clipboard). Throwing an exception would keep us from properly filling that memory out, or from closing the handle correctly, resulting in a leak. And so on.

    It is precisely here where C-in-C++ programmers give up on exceptions entirely. After all, if 'new' didn't throw, we wouldn't have a problem.

    However, there is a much more useful solution to this, one that doesn't turn its back on useful language features. The reasoning behind wanting to preserve exceptions has been discussed. What we will focus on is the technique that allows us to avoid abandoning exceptions. As well as giving us so much in return.

The reason that the acronym RAII is wrongheaded is that it isn't really the resource acquisition that's the issue; it's controlling when the resource is released. After all, 'fopen' does its job; it creates a file handle well enough. The problem has always been that 'fclose' isn't guaranteed to be called.

    The C++ specification dictates that, when an exception is caught, the stack will be unwound. All stack variables will have their destructor called, and it will be called in the proper order. Since this coincides with the exact moment we want to destroy the file handle, it makes sense to put the file handle on the stack.

    RAII principles are as follows:
    1. Constructors are required to do actual work. Any and all things that could be deemed resource acquisition will only be done in object constructors.
    2. Any and all resource releasing will be done in object destructors.
3. RAII-style objects must have appropriate copy constructors and copy assignment operators, if the object is copyable. If it is not, then it should forcibly be made non-copyable (by deriving from boost::noncopyable, for example).
    4. If there is a resource that cannot be created directly by a constructor, it must be created and immediately stored in an object with a destructor that will release the resource properly.
    A few simple rules create a fundamentally different coding style.

    What qualifies as "resource acquisition"? At a bare minimum, a resource is something you need to have cleaned up. Hence the backwards acronym; we define resources by wanting to get rid of them, not by how we acquire them.

Immediately, it becomes obvious that the value returned by operator 'new' qualifies. After all, memory is most definitely something we need to have cleaned up. So, as per rule #4, the result of 'new' under the RAII programming style must be stored in something that is guaranteed to call 'delete' when it is finished. We have already seen such an object: boost::shared_ptr. Shared pointers are reference counted, which doesn't strictly qualify in terms of the guarantee, since circular references will prevent the resource from being collected. But they're close enough. There is also std::auto_ptr, among others.
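Rule #4 in practice (Widget is a stand-in type):

#include <boost/shared_ptr.hpp>

struct Widget { /*...*/ };

void Example()
{
    //The result of 'new' goes straight into an owning object...
    boost::shared_ptr<Widget> pWidget(new Widget);

    //...so there is no explicit 'delete'. It runs when the last shared_ptr
    //is destroyed, even if an exception is thrown somewhere in here.
}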

    So dynamically allocated memory is a resource. Files are resources. The GUI system windows, drawing tools, etc, are resources. And so on.

However, RAII is actually quite viral. Unless your entire codebase operates under RAII principles (or the non-RAII portions exist in isolated chunks at the bottom of the call stack: leaf code), exceptions cannot be entirely safe. For our simple example of file opening, we can easily make it perfectly safe by creating a File object that acts as a RAII wrapper over the C FILE handle. The constructor opens the file, throwing an exception on failure, and the destructor closes it. For the simple case, it works just fine.
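A minimal sketch of that File object (the error text and details are mine):

#include <cstdio>
#include <stdexcept>
#include <boost/noncopyable.hpp>

class File : public boost::noncopyable //rule #3: not meaningfully copyable
{
public:
    File(const char *strFilename, const char *strMode)
        : m_pFile(std::fopen(strFilename, strMode))
    {
        if(!m_pFile) //rule #1, plus the implicit 5th rule below
            throw std::runtime_error("could not open file");
    }

    ~File() {std::fclose(m_pFile);} //rule #2: release in the destructor

    std::FILE *Get() const {return m_pFile;}

private:
    std::FILE *m_pFile;
};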

    However, if you use that object in a non-RAII fashion (allocate it dynamically and store a pointer on the stack), you lose the guarantee. Which means that your entire codebase must hold everything allocated in a RAII fashion to be perfectly safe in throwing exceptions.

    There is an implicit 5th rule as well. Because constructors are the only place where resource acquisition is to happen, they also must throw exceptions if the acquisition fails. That is the only way to signal the non-creation of an object. Generally, releasing a resource can't provoke a failure, so it is not much of an issue.

    This is generally where the C-in-C++ programmers who stuck around decide to leave, as it requires a new coding style.

    What gets lost are the benefits. After all, if you're being forced to use shared_ptr everywhere, memory leaks will be a lot less likely. Circular references may happen, but that is what weak_ptr is for. Your code will generally be very difficult to break from a resource perspective.

    Also, exceptions are a very useful piece of functionality. They can be used as a complex piece of flow control (but only sparingly, and only when it really matters). And, as mentioned earlier, they have a vital role in reporting certain kinds of errors.

    In general, it is a more rigid programming style, requiring, particularly for shared_ptr relationships, a degree of forethought in the design phase. But it can save a lot of time dealing with errors, memory leaks, and other concerns.

    Sunday, July 22, 2007

    Errors, Exceptions, and Limit Science

    As it currently stands, there are basically two kinds of C++ programmers. The distinctions can be more subtle than those I'm about to describe, but it works well enough for these purposes.

    First, there are the C++ programmers who pretend that C++ is really just C with classes. They're wary of any form of templates, RAII, and so forth. And exception handling is right out for these people. They solve problems as a programmer would with C, though they may dabble in some C++-isms. The STL is looked on with a wary eye, if for no other reason than that it does not do things the C way.

The other kind of C++ programmer is more like myself. They see C++ as a fundamentally different beast from C. They solve problems in C++ by using C++ wherever reasonable. They tend to avoid C-isms like function pointers. Some of these people overindulge in certain aspects of C++, but in general, they're trying to use the language as it is meant to be used, rather than merely taking the most obviously useful features and ignoring the rest.

    And nowhere is the difference more clear than in the way that they deal with erroneous conditions. The C-in-C++ style programmer has only two real tools to handle error conditions: call exit() or some other form of immediate program termination (asserts, etc), or return an error code and let the user handle it.

    Quick side note. The reason the C-in-C++ programmer refuses to use exceptions tends to be because they abhor RAII. You can't really use one without the other; you can't feel safe about letting exceptions unwind the stack unless you can guarantee that everything will get cleaned up. And you can't do that without embracing RAII fully. And then, if you're not throwing exceptions, you can't really use RAII, because exceptions are the only way to signal a constructor error. Thus it is a vicious circle; one must have either both or neither. "Do, or do not; there is no try."

In any case, the programmer who embraces C++ has more than just two options. Which is fortunate, as there are multiple different kinds of errors, many of which C-style C++ doesn't recognize.

    The first kind of error is the most obvious. Some piece of code has detected a condition so horrific that it feels that the program simply cannot continue. It must die, and do so immediately. It does not consult other code, and nobody has any way of preventing this. C handles this through exit(), but the C++ way is through std::terminate. In either case, they both mean the same thing: the program must die right now.

Of course, C++ didn't add std::terminate just because. You can actually set up a generic termination function (via std::set_terminate) that will be called by std::terminate. Now, this code really ought not throw any exceptions (or do things like allocate memory that might throw), because that's really bad inside of terminate. But outside of that, everything else is pretty much OK.
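A sketch of such a handler:

#include <cstdio>
#include <cstdlib>
#include <exception>

void OnTerminate()
{
    //Keep it simple in here: no exceptions, no allocation.
    std::fputs("Fatal error; shutting down.\n", stderr);
    std::abort();
}

int main()
{
    std::set_terminate(OnTerminate);
    //...
}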

    These kinds of errors are the kind you don't expect to get, but which may happen in the course of development. Asserts are another common way of dealing with them.

    Next up is an error that is considered recoverable by the code that detects the error. What constitutes "recoverable" differs even from person to person (personally, I think throwing in the event of an out-of-memory error is absolutely wrong. The program should die immediately if not sooner). But in general, it is something that the code thinks that the calling code should be informed of.

    C-style C++ has only one way of doing this: an error code. A return value from a function that the user code then detects and acts on.

There are basically two types of error codes: the kind that the calling code is allowed to ignore and the kind that it isn't. This corresponds to two basic subtypes of the recoverable error: "recover or die" and "recover or live".

    What I mean by "recover or die" is that the calling code should either detect the error or the program's execution should halt. That is, the error, while being recoverable, requires action on the user's part. The error cannot be recovered from by pretending it didn't happen; someone external to the code must do something.

    "Recover or live" is the opposite. It's OK if the user does not detect that the error happened. Everything is considered in a good enough state that the program can continue operating as normal. If the programmer wants to detect the error and do something, fine, but the program can continue as normal.

    One big question a programmer has to decide when detecting a recoverable error is which kind it is. If you're writing a file, is it a recover-or-die or recover-or-live error? Technically, it could be the latter, but would a programmer appreciate that?

    In any case, C-style C++ doesn't give the programmer the ability to handle "recover or die". After all, you can completely ignore any return value you wish, so error codes are meaningful only if the programmer using the code chooses to make them meaningful. The lower-level programmer has no way of forcing the higher-level code to handle the error.

    In C++, exceptions provide a way to require testing the error code. However, there's another interesting way to force error testing that doesn't require some of the verbosity of exceptions. Exceptions allow any code in the callstack to handle the exception. The alternative method must be handled immediately at the call site. However, it does force the user to handle it, unlike error codes.

C-style C++ users do use this quite a bit themselves. Many functions that return a meaningful value (say, GetObjectType(x)) will return NULL in the event of a recoverable error. It is not a "recover-or-live" error, because the program will eventually dereference NULL, thus causing death. But of course, this doesn't work on non-pointer types.

Thanks once again to the Boost library, we have Boost.Optional. Basically, a boost::optional<T> object holds either a (presumably valid) value of type T or nothing. In order to use the optional value, the user must call a get function, which will assert in debug builds and do other unpleasant things in release builds if there is no value. In either case, the user of the code is forced to at least think about the fact that the function may return nothing, since they have to store the boost::optional return value.

    It is a weaker form than exceptions, but it is better and much less verbose in many cases. Particularly so if it is semantically OK for it to return nothing.
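For example (both functions here are hypothetical stand-ins):

#include <string>
#include <boost/optional.hpp>

boost::optional<int> ParsePort(const std::string &strInput);
void OpenSocket(int iPort);

void Connect(const std::string &strInput)
{
    boost::optional<int> port = ParsePort(strInput);
    if(port) //the caller can hardly miss the "maybe" in the return type
        OpenSocket(*port);
}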

Real C++ style can still use error codes for "recover or live" errors. But it is good that C++ has ways of ensuring that either the user handles an error or the program crashes.