Perl, has a "strict mode which turns off certain language features considered undesirable or obsolete. This idea is worth borrowing for. A make "strict mode" for c offers a way to tighten up the language for new work without breaking existing code. The specific goal of "strict mode" is to eliminate, as much as possible, "undefined behavior" of programs. The goal is not stylistic. Features disabled in strict mode should be limited to those which, under the existing C definition, result in crash-type undefined behavior. Auto, as defined above, is an "always-on" feature. Once we have auto, we need very few additional restrictions to achieve memory safety for pointer operations: new and delete are unavailable.
The keyword is used so seldom that this won't break much, if any, code, and if it does, a compile time error is generated. Strict mode Almost all the programming languages which postdate c are "memory-safe". In such languages, data objects are protected from being overstored from code which should not be able to write to them. Lisp was the first language to have this property. Java, perl, python, and C all have. C and C do not. The usual observation is that programming is easier in memory-safe languages, primarily because debugging is much easier. But there is usually a penalty in run-time performance. Perl, like the C/C family, started out as a non-object oriented language but acquired objects later in life.
That error gets caught at compile time. There's no additional run time overhead for auto scoped objects; it's entirely a compile time check, like const. The built-in arithmetic operations remain defined for non-auto pointers, but don't accept "auto" arguments. And conversion from non-auto to auto is defined, but auto to non-auto conversion is prohibited. Pointer arithmetic on auto scoped pointers is thus prohibited. "auto" scope allows intermixing auto and raw pointers in the same program, allowing compatibility. This interpretation of auto is simple to implement in compilers and useful in its own right, as a way to tighten up existing smart pointer libraries. Auto should have these semantics all the time.
12.3 — virtual destructors, virtual assignment, and
SomeType* bad1 r; / error - auto passed to non-auto smart_ptr someType t r; / ok - smart pointer assignment bumps ref count fn1(r / ok - smart pointer converts to "auto" raw ptr. someType innerobj; / a local instance auto someType* innerq innerobj; / ok - passed to lesser scope q resume innerobj; / error - assigned pointer to inner object to outer scope. Smart_ptr s smart_new / smart pointer in inner scope q s; / error - assigned pointer to inner object to outer scope. the implications of auto are subtle, but powerful. Programs can use both raw pointers and smart pointers without risk of breaking the smart pointer system. Smart pointers and auto scoped pointers play well together.
Smart pointer implementations can be safe, provided they return only auto scoped pointers when needed, because the lifetime of the contents of an auto scoped pointer has been limited. Note especially that last q s;. This is the auto scope mechanism protecting a smart pointer. At the end of the inner block, s will be deallocated, and the heap object it points to will go away because its reference count goes. " q " would have been a dangling pointer.
The underutilized auto keyword seems appropriate. The basic concept is that pointers and references explicitly declared as auto can't be used in ways that would let the data they contain outlive the scope of the auto variable. Specifically, auto data items cannot be assigned values of scope less than the auto data item. This is the key restriction. Auto data items must be initialized to some valid value. The built-in arithmetic operations on pointers which return pointer results (,- - etc.) are to be defined as taking non- auto arguments, thus disallowing pointer arithmetic on auto pointers.
Non- auto pointers can be assigned to auto pointers, but auto pointers cannot be assigned to non-auto pointers. Auto is permitted as an attribute on function arguments. This allows smart pointers implemented via templates to protect themselves. Whenever a smart pointer implementation needs to return a raw pointer, it should return an auto value. The rules for auto prevent the returned value from outliving the scope of the expression from which it was obtained, preventing dangling pointers. Some sample code: void fn1(auto someType* p / takes auto arg void fn2(someType* p / takes non-auto arg void fn3(auto someType* p) auto someType* q p; / ok fn1(p / ok fn2(p / error - auto passed to non-auto / Use of some smart pointer. This is illustrative only smart_ptr someType r smart_new someType / create new obj and smart ptr to it q r; / ok - smart pointer converts to "auto" raw ptr.
Unique_ptr:get - c reference
If better integrated with the language, it can be made safe. That is the essence of japanese this proposal. Many c smart pointer implementations exist. They share a common weakness. Using a smart pointer requires obtaining a raw pointer from the smart pointer. Once a raw pointer has been obtained, it can be used in ways that break the smart pointer system. This is a language-level problem and cannot be fixed effectively through class libraries alone. The minimal change required to the language is the addition of a new data attribute that provides the necessary protection.
This proposal is for the next generation of c, targeted for the next major revision cycle of the language. This is a very early draft for comment. After a go-round with the online c community, the proposal has been simplified considerably. This is round. The proposed approach is a small number of changes to the c language which enable the safe encapsulation of pointer operations. The suggested encapsulation involves "smart pointers" and a version of the stl with subscript and iterator checking. Smart pointer safety, reference counting has a good track record with c, in the form of "smart pointers".
null pointers, or different representations for pointers to different types? 5.18 Is a run-time integral value of 0, cast to a pointer, guaranteed to be a null pointer? 5.19 How can i access an interrupt vector located at the machine's location 0? If I set a pointer to 0, the compiler might translate it to some nonzero internal null pointer value. 5.20 What does a run-time null pointer assignment error mean? How can I track it down? Top about this faq list about eskimo search feedback copyright Hosted by). Strict mode for c - early draft proposal.
5.9, if null and 0 are equivalent as null pointer constants, which should i use? 5.10, but wouldn't it be better to resume use null (rather than 0 in case the value of null changes, perhaps on a machine with nonzero internal null pointers? 5.11, i once used a compiler that wouldn't work unless null was used. 5.12, i use the preprocessor macro define nullptr(type) (type 0 to help me build null pointers of the correct type. 5.13, this is strange. Null is guaranteed to be 0, but the null pointer is not? Why is there so much confusion surrounding null pointers? Why do these questions come up so often?
15.3 — move constructors and move assignment learn
Null pointers.1, what is this infamous null pointer, anyway? 5.2, how do i get a null pointer in my programs? 5.3, is the abbreviated pointer comparison if(p to test for homework non-null pointers valid? What if the internal representation for null pointers is nonzero? 5.4, what is null and how is it defined? 5.5, how should null be defined on a machine which uses a nonzero bit pattern as the internal representation of a null pointer? 5.6, if null were defined as follows: define null (char 0) wouldn't that make function calls which pass an uncast null work? My vendor provides header files that define null. 5.8, is null valid for pointers to functions?