[RFC] Add pure fail-fast assertMalloc, assertCalloc, assertRealloc

[n8sh]

These functions achieve purity by aborting the program on failure so errno is never observed to change. This PR also changes pureMalloc etc. to templates so they work in betterC.

The idea was suggested by @ZombineDev at dlang/phobos#6660 (comment) and #2268 (comment). The sole difference is that instead of adding a boolean template parameter to pureMalloc I instead named the new variant differently. I felt that assertMalloc(100) has a more obvious meaning than pureMalloc!true(100) which gives no hint as to whether it's the one that aborts on failure or the one that saves and restores errno.

[dlang-bot]

Thanks for your pull request, @n8sh!

Bugzilla references

Your PR doesn't reference any Bugzilla issue.

If your PR contains non-trivial changes, please reference a Bugzilla issue or create a manual changelog.

Testing this PR locally

If you don't have a local development environment setup, you can use Digger to test this PR:

dub fetch digger
dub run digger -- build "master + druntime#2276"

[JinShil]

@WalterBright has made the decision that we should be using assert(0) (preferably assert(false)) for both -betterC and non-betterC builds.

[n8sh]

Got it.

[wilzbach]

Also it would be better to use version (D_Exceptions) to check whether exceptions can be thrown as LDC/GDC allow to disable them selectively (and e.g. WebAssembly might not defined -betterC, but still not support exceptions.)

[JinShil]

fakePureErrno is mangled to fakePureErrnoImpl which is not a template. Therefore this won't work until fakePureErrnoImpl is made into a template, or some other solution is devised.

Edit: I mean it won't work in -betterC until fakePureErrnoImpl is made into a template, or some other solution is devised

[n8sh]

Should be fixed now.

[JinShil]

I think this comment needs updating.

[n8sh]

I kept the mention of the possibility so if we later change to using onOutOfMemoryError no one will be blindsided. Do you think it's better to remove it because that's too unlikely?

[JinShil]

No need to change anything immediately, IMO. We can wait to see how the review goes. It just eventually needs to reflect the final implementation.

[JinShil]

Will this implementation work in non-betterC builds? Can't we use this implementation for both -betterC and non-betterC builds?

[n8sh]

It would work. The purpose of the version branch is so outside code that assumes fakePureErroImpl exists and tries to link to it will not break.

[PetarKirov]

I would argue that OOM is not a logical error on the programmer side, rather it is an exception from the program environment, albeit a non-recoverable from one. IMO, we should continue calling onOutOfMemoryError as it is provides for a bit more systematic way of handling this type of exception, just make sure it has a fallback for version (D_Exceptions) { } { /* ... */ } .

P.S. Thanks a lot for working on this guys, I would prefer to do the work myself instead of just talking, but sadly I have very limited free time these days.

[n8sh]

@ZombineDev That makes sense.

[JinShil]

I would argue that OOM is not a logical error on the programmer side, rather it is an exception from the program environment, albeit a non-recoverable from one. IMO, we should continue calling onOutOfMemoryError as it is provides for a bit more systematic way of handling this type of exception

I'm not terribly partial to either one, but @WalterBright has spoken. We need to come to some consensus about this and apply it consistently.

Edit: I will add that it'd be kind of nice if both -betterC and non-betterC behaved the same whenever possible.

[JinShil]

Sorry! Wrong button.

[n8sh]

I'm not terribly partial to either one, but @WalterBright has spoken.

I took your summary to mean that he was okay with using assert but not that he was mandating it. Did I get the wrong idea?

@WalterBright has already affirmed to me (twice actually) in private e-mail exchange that he is OK replacing Errors with asserts even in non-betterC code.

[JinShil]

I took your summary to mean that he was okay with using assert but not that he was mandating it. Did I get the wrong idea?

@WalterBright will have to speak for himself, but my interpretation is that he preferred us to use asserts. It's very unlike him to mandate anything, from my experience.

[JinShil]

I'm OK with this, but the DDoc comments still need updating.

[JinShil]

We still need to come to some consensus about Errors vs asserts. Once that decision is made, this should be updated to reflect it.

[WalterBright]

Since realloc() free's memory, it cannot ever be considered pure.

[aG0aep6G]

Since realloc() free's memory, it cannot ever be considered pure.

We have a pureFree, and GC.free is also marked as pure.

pure functions are allowed to modify their parameters. Freeing is never @safe, but in what way is it less pure than other forms of mutation?

[n8sh]

There is also already a pureRealloc.

druntime/src/core/memory.d

Lines 840 to 847 in db2910e

	/// ditto
	void* pureRealloc(void* ptr, size_t size) @system pure @nogc nothrow
	{
	const errnosave = fakePureErrno();
	void* ret = fakePureRealloc(ptr, size);
	fakePureErrno() = errnosave;
	return ret;
	}