You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
* [Adobe open source](http://www.adobe.com/open-source.html)
15619
15637
* [Poco libraries](http://pocoproject.org/)
15638
+
* Sutter's Mill?
15639
+
* ???
15620
15640
15621
15641
## <a name="SS-vid"></a>RS.video: Videos about "modern C++"
15622
15642
@@ -15647,7 +15667,9 @@ Thanks to the many people who contributed rules, suggestions, supporting informa
15647
15667
* Zhuang, Jiangang (Jeff)
15648
15668
* Sergey Zubkov
15649
15669
15650
-
# <a name="S-profile"></a>Profiles
15670
+
and see the contributor list on the github.
15671
+
15672
+
# <a name="S-profile"></a>PRO: Profiles
15651
15673
15652
15674
A "profile" is a set of deterministic and portably enforceable subset rules (i.e., restrictions) that are designed to achieve a specific guarantee. "Deterministic" means they require only local analysis and could be implemented in a compiler (though they don't need to be). "Portably enforceable" means they are like language rules, so programmers can count on enforcement tools giving the same answer for the same code.
15653
15675
@@ -15659,22 +15681,46 @@ Profiles summary:
15659
15681
* [Pro.bounds: Bounds safety](#SS-bounds)
15660
15682
* [Pro.lifetime: Lifetime safety](#SS-lifetime)
15661
15683
15662
-
## <a name="SS-type"></a>Type safety profile
15684
+
In the future, we expect to define many more profiles and add morechecks to existing profiles.
15685
+
Candidates include:
15663
15686
15664
-
This profile makes it easier to construct code that uses types correctly and avoids inadvertent type punning. It does so by focusing on removing the primary sources of type violations, including unsafe uses of casts and unions.
15687
+
* narrowing arithmetic promotions/conversions (likely part of a separate safe-arithmetic profile)
15688
+
* arithmetic cast from negative floating point to unsigned integral type (ditto)
15689
+
* selected undefined behavior: ??? start with Gaby's UB list
15690
+
* selected unspecified behavior: ??? a portability concern?
15691
+
* `const` violations
15665
15692
15666
-
For the purposes of this section, type-safety is defined to be the property that a program does not use a variable as a type it is not. Memory accessed as a type `T` should not be valid memory that actually contains an object of an unrelated type `U`. (Note that the safety is intended to be complete when combined also with [Bounds safety](#SS-bounds) and [Lifetime safety](#SS-lifetime).)
15693
+
To suppress enforcement of a profile check, place a `suppress` annotation on a language contract. For example:
15667
15694
15668
-
The following are under consideration but not yet in the rules below, and may be better in other profiles:
15695
+
[[suppress(bounds)]] char* raw_find(char* p, int n, char x) // find x in p[0]..p[n-1]
15696
+
{
15697
+
// ...
15698
+
}
15669
15699
15670
-
* narrowing arithmetic promotions/conversions (likely part of a separate safe-arithmetic profile)
15671
-
* arithmetic cast from negative floating point to unsigned integral type (ditto)
15672
-
* selected undefined behavior: ??? this is a big bucket, start with Gaby's UB list
15673
-
* selected unspecified behavior: ??? would this really be about safety, or more a portability concern?
15674
-
* constness violations? if we rely on it for safety
15700
+
Now `raw_find()` can scramble memory to its heart's content.
15701
+
Obviously, suppression should be very rare.
15702
+
15703
+
## <a name="SS-type"></a>PRO.safety: Type safety profile
15704
+
15705
+
This profile makes it easier to construct code that uses types correctly and avoids inadvertent type punning.
15706
+
It does so by focusing on removing the primary sources of type violations, including unsafe uses of casts and unions.
15707
+
15708
+
For the purposes of this section,
15709
+
type-safety is defined to be the property that a variable is not used in a way that doesn't obey the rules for the type of its definition.
15710
+
Memory accessed as a type `T` should not be valid memory that actually contains an object of an unrelated type `U`.
15711
+
Note that the safety is intended to be complete when combined also with [Bounds safety](#SS-bounds) and [Lifetime safety](#SS-lifetime).
15675
15712
15676
15713
An implementation of this profile shall recognize the following patterns in source code as non-conforming and issue a diagnostic.
15677
15714
15715
+
Type safety profile summary:
15716
+
15717
+
* [Type.1: Don't use `reinterpret_cast`](#Pro-type-reinterpretcast)
15718
+
* [Type.2: Don't use `static_cast` downcasts. Use `dynamic_cast` instead](#Pro-type-downcast)
15719
+
* [Type.3: Don't use `const_cast` to cast away `const` (i.e., at all)](#Pro-type-constcast)
15720
+
* [Type.4: Don't use C-style `(T)expression` casts that would perform a `static_cast` downcast, `const_cast`, or `reinterpret_cast`](#Pro-type-cstylecast)
15721
+
* [Type.5: Don't use a variable before it has been initialized](#Pro-type-init)
15722
+
* [Type.6: Always initialize a member variable](#Pro-type-memberinit)
15723
+
15678
15724
### <a name="Pro-type-reinterpretcast"></a>Type.1: Don't use `reinterpret_cast`.
15679
15725
15680
15726
##### Reason
@@ -16188,6 +16234,8 @@ If code is using an unmodified standard library, then there are still workaround
# <a name="S-gsl"></a>GSL: Guideline support library
16192
16240
16193
16241
The GSL is a small library of facilities designed to support this set of guidelines.
@@ -16199,7 +16247,20 @@ The GSL is header only, and can be found at [GSL: Guideline support library](htt
16199
16247
The support library facilities are designed to be extremely lightweight (zero-overhead) so that they impose no overhead compared to using conventional alternatives.
16200
16248
Where desirable, they can be "instrumented" with additional functionality (e.g., checks) for tasks such as debugging.
16201
16249
16202
-
These Guidelines assume a `variant` type, but this is not currently in GSL because the design is being actively refined in the standards committee.
16250
+
These Guidelines assume a `variant` type, but this is not currently in GSL.
16251
+
Eventually, use [the one voted into C++17](http://www.open-std.org/jtc1/sc22/wg21/docs/papers/2016/p0088r3.html).
16252
+
16253
+
Summary of GSL components:
16254
+
16255
+
* [GSL.view: Views](#SS-views)
16256
+
* [GSL.owner](#Ownership pointers)
16257
+
* [GSL.assert: Assertions](#SS-assertions)
16258
+
* [GSL.util: Utilities](#SS-utilities)
16259
+
* [GSL.concept: Concepts](#SS-gsl-concepts)
16260
+
16261
+
We plan for a "ISO C++ standard style" semi-formal specification of the GSL.
16262
+
16263
+
We rely on the ISO C++ standard library and hope for parts of the GSL to be absorbed into the standard library.
16203
16264
16204
16265
## <a name="SS-views"></a>GSL.view: Views
16205
16266
@@ -16238,7 +16299,7 @@ If something is not supposed to be `nullptr`, say so:
16238
16299
* `not_null<T>` // `T` is usually a pointer type (e.g., `not_null<int*>` and `not_null<owner<Foo*>>`) that may not be `nullptr`.
16239
16300
`T` can be any type for which `==nullptr` is meaningful.
16240
16301
16241
-
* `span<T>` // \[`p`:`p+n`), constructor from `{p, q}` and `{p, n}`; `T` is the pointer type
16302
+
* `span<T>` // `[`p`:`p+n`), constructor from `{p, q}` and `{p, n}`; `T` is the pointer type
16242
16303
* `span_p<T>` // `{p, predicate}` \[`p`:`q`) where `q` is the first element for which `predicate(*p)` is true
16243
16304
* `string_span` // `span<char>`
16244
16305
* `cstring_span` // `span<const char>`
@@ -16273,7 +16334,10 @@ Use `not_null<zstring>` for C-style strings that cannot be `nullptr`. ??? Do we
16273
16334
// `Expect` in under control of some options (enforcement, error message, alternatives to terminate)
16274
16335
* `Ensures` // postcondition assertion. Currently placed in function bodies. Later, should be moved to declarations.
16275
16336
16276
-
These assertions is currently macros (yuck!) pending standard commission decisions on contracts and assertion syntax.
16337
+
These assertions is currently macros (yuck!) and must appear in function definitions (only)
16338
+
pending standard commission decisions on contracts and assertion syntax.
16339
+
See [the contract proposal](http://www.open-std.org/jtc1/sc22/wg21/docs/papers/2016/p0380r1.pdf) uses the attribute syntax,
16340
+
for example, `Expects(p!=nullptr)` will become`[[expects: p!=nullptr]]`.
16277
16341
16278
16342
## <a name="SS-utilities"></a>GSL.util: Utilities
16279
16343
@@ -16297,16 +16361,16 @@ Most of the concepts below are defined in [the Ranges TS](http://www.open-std.or
16297
16361
* `String` // ???
16298
16362
* `Number` // ???
16299
16363
* `Sortable`
16300
-
* `Pointer` // A type with `*`, `->`, `==`, and default construction (default construction is assumed to set the singular "null" value) [see smartptrconcepts](#Rr-smartptrconcepts)
16301
-
* `Unique_ptr` // A type that matches `Pointer`, has move (not copy), and matches the Lifetime profile criteria for a `unique` owner type [see smartptrconcepts](#Rr-smartptrconcepts)
16302
-
* `Shared_ptr` // A type that matches `Pointer`, has copy, and matches the Lifetime profile criteria for a `shared` owner type [see smartptrconcepts](#Rr-smartptrconcepts)
16364
+
* `Pointer` // A type with `*`, `->`, `==`, and default construction (default construction is assumed to set the singular "null" value); see [smart pointers](#Rr-smartptrconcepts)
16365
+
* `Unique_ptr` // A type that matches `Pointer`, has move (not copy), and matches the Lifetime profile criteria for a `unique` owner type; see [smart pointers](#Rr-smartptrconcepts)
16366
+
* `Shared_ptr` // A type that matches `Pointer`, has copy, and matches the Lifetime profile criteria for a `shared` owner type; see [smart pointers](#Rr-smartptrconcepts)
16303
16367
* `EqualityComparable` // ???Must we suffer CaMelcAse???
16304
16368
* `Convertible`
16305
16369
* `Common`
16306
16370
* `Boolean`
16307
16371
* `Integral`
16308
16372
* `SignedIntegral`
16309
-
* `SemiRegular`
16373
+
* `SemiRegular` // ??? Copyable?
16310
16374
* `Regular`
16311
16375
* `TotallyOrdered`
16312
16376
* `Function`
@@ -16345,7 +16409,12 @@ Naming and layout rules:
16345
16409
* [NL.25: Don't use `void` as an argument type](#Rl-void)
16346
16410
16347
16411
Most of these rules are aesthetic and programmers hold strong opinions.
16348
-
IDEs also tend to have defaults and a range of alternatives. These rules are suggested defaults to follow unless you have reasons not to.
16412
+
IDEs also tend to have defaults and a range of alternatives.
16413
+
These rules are suggested defaults to follow unless you have reasons not to.
16414
+
16415
+
We have had comments to the effect that naming and layout are so personal and/or arbitrary that we should not try to "legislate" them.
16416
+
We are not "legislating" (see the previous paragraph).
16417
+
However, we have had many requests for a set of naming and layout conventions to use when there are no external constraints.
16349
16418
16350
16419
More specific and detailed rules are easier to enforce.
0 commit comments