Beruflich Dokumente
Kultur Dokumente
Bjarne Stroustrup
Morgan Stanley, Columbia University
www.stroustrup.com
Guidelines project
Please help!
Technical specifications
Shipping
in wide-spread production work
and more facilities well in the works
C++1*
Now!
Without inventing a new language
100% compatibility compile with current compilers
Coding guidelines
Dont sacrifice
Generality
Performance
Simplicity
Portability across platforms
Stroustrup - Guidelines - CppCon'15
I cant do it alone
No individual can
No single company can
Please help!
Available
MIT License
*
rules
*Usual caveats
and thanks
10
Coding
*
rules
Are outdated
*Usual caveats
Are specialized
11
Coding guidelines
Lets build a good set!
Comprehensive
Browsable
Supported by tools (from many sources)
Suitable for gradual adoption
Prescriptive
Not punitive
Teachable
Flexible
Non-proprietary
12
High-level rules
Provide a conceptual framework
Primarily for humans
13
Lower-level rules
Provide enforcement
Some complete
Some heuristics
Many rely on static analysis
Some beyond our current tools
Often easy to check mechanically
14
15
Subset of superset
Simple sub-setting doesnt work
STL
Use:
C++
GSL
Dont use
Then subset
16
STL
GSL
17
Simplify
18
Static analysis
Support library (tiny)
Reinforce the type system
Stroustrup - Guidelines - CppCon'15
19
Core Rules
Some people will not be able to apply all rules
At least initially
Gradual adoption will be very common
No leaks
No dangling pointers
No type violations through pointers
Stroustrup - Guidelines - CppCon'15
20
No resource leaks
We know how
vector<T>
string
ifstream
unique_ptr<T>
shared_ptr<T>
RAII
No naked new
No naked delete
21
void g()
{
X* q = new X;
// looks innocent enough
f(q);
// do a lot of work here
q->use();
// Ouch! Read/scramble random memory
}
Stroustrup - Guidelines - CppCon'15
22
Dangling pointers
We must eliminate dangling pointers
Or type safety is compromised
Or memory safety is compromised
Or resource safety is compromised
23
Call stack
pointer
Object
pointer
Object
owner
owner
pointer
24
Dangling pointers
Ensure that no pointer outlives the object it points to
void f(X* p)
{
//
delete p;
}
void g()
{
X* q = new X;
// bad: assign object to non-owner
f(q);
// do a lot of work here
q->use();
// Make sure we never get here
}
Stroustrup - Guidelines - CppCon'15
25
Note
References
Containers of pointers
Smart pointers
..
26
27
GSL: owner<T>
How do we implement ownership abstractions?
template<SemiRegular T>
class vector {
owner<T*> elem;
T* space;
T* end;
//
};
28
GSL: owner<T>
How about code we cannot change?
void foo(owner<int*>);
A static analysis tool can tell us where our code mishandles ownership
Stroustrup - Guidelines - CppCon'15
29
30
31
32
33
vector<int*> f(int* p)
{
int x = 4;
owner<int*> q = new int{7};
vector<int*> res = {p, &x, q};
vector<owner<int*>> r2 = {p, &x, q};
return res;
}
34
Other problems
Other ways of misusing pointers
Other ways of breaking the type system (beyond the scope of this talk)
Unions
Casts
35
GSL - array_view<T>
Common style
Better
void f(array_view<int> a)
{
a[7] = 9;
for (int& x : a) x = 7;
}
36
GSL - array_view<T>
Common style
Better
void f(array_view<int> a)
int a[100];
//
f(array_view<int>{a});
f(a);
f({a,1000}); // easily checkable
37
nullptr problems
Mixing nullptr and pointers to objects
Causes confusion
Requires (systematic) checking
Caller
void f(char*);
f(nullptr);
Implementer
// OK?
void f(char* p)
{
if (p==nullptr)
// necessary?
//
}
Can you trust the documentation?
Compilers dont read manuals, or comments
Complexity, errors, and/or run-time cost
38
GSL - not_null<T>
Caller
void f(not_null<char*>);
Implementer
void f(not_null<char*> p)
{
// if (p==nullptr) // not necessary
//
}
Stroustrup - Guidelines - CppCon'15
39
GSL - not_null<T>
not_null<T>
40
To summarize
Type and resource safety:
Logic errors
Performance bugs
Maintenance hazards
Verbosity
41
E.g., shared_ptr
For OO interfaces
When we need to change the object referred to
Stroustrup - Guidelines - CppCon'15
42
void f(T*);
void f(unique_ptr<T>);
void f(shared_ptr<T*>);
Is familiar
Is simple, general, and common
Is cheaper than passing a smart pointer (usually)
Doesnt lead to dangling pointers
Doesnt lead to replicated versions of a function for different shared pointers
In terms of tradeoffs with smart pointers, other simple object designators are
equivalent to T*
iterators, references, array_view, etc.
43
void f(X*);
// just uses X; no ownership transfer or sharing good
void g(shared_ptr<X>);
// just uses X bad
unique_ptr<X> h(unique_ptr<X>);
// just uses X bad (give pointer back to prevent destruction)
void use()
{
auto p = make_shared<X>{};
f(p.get());
g(p);
auto q = h(make_unique<X>(p.get()));
}
q.release();
44
45
46
Rule classification
P: Philosophy
I: Interfaces
F: Functions
C: Classes and class hierarchies
Enum: Enumerations
ES: Expressions and statements
E: Error handling
R: Resource management
T: Templates and generic programming
CP: Concurrency
The Standard library
SF: Source files
CPL: C-style programming
GSL: Guideline support library
Supporting sections
NL: Naming and layout
PER: Performance
N: Non-Rules and myths
RF: References
Appendix A: Libraries
Appendix B: Modernizing code
Appendix C: Discussion
To-do: Unclassified proto-rules
47
No range errors
No use of uninitialized objects
No misuse of
Casts
Unions
We think we can do it
At scale
Zero-overhead principle
48
Not everybody will agree what the code should look like
Not all code should look the same
We think there can be a common core
We need discussion, feedback, and a variety of tools
Help wanted!
49
Current status
Available
We need help
Review of rules
Continuous development
forever
50
51
Questions
P: Philosophy
I: Interfaces
F: Functions
C: Classes and class hierarchies
Enum: Enumerations
ES: Expressions and statements
E: Error handling
R: Resource management
T: Templates and generic programming
CP: Concurrency
The Standard library
SF: Source files
CPL: C-style programming
GSL: Guideline support library
Supporting sections
NL: Naming and layout
PER: Performance
N: Non-Rules and myths
RF: References
Appendix A: Libraries
Appendix B: Modernizing code
Appendix C: Discussion
To-do: Unclassified proto-rules
Stroustrup - Guidelines - CppCon'15
52
53
Coding guidelines
54
Non-aims
Create the one true C++ subset
55
Philosophy
Attack hard problems
Be prescriptive
Give rationale
Subset of superset
56