<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Jul 13, 2017 at 6:56 PM, Andrew Trick <span dir="ltr"><<a href="mailto:atrick@apple.com" target="_blank">atrick@apple.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word"><br><div><blockquote type="cite"><span class=""><div>On Jul 12, 2017, at 12:16 PM, Taylor Swift via swift-evolution <<a href="mailto:swift-evolution@swift.org" target="_blank">swift-evolution@swift.org</a>> wrote:</div><br class="m_7627022841191771449Apple-interchange-newline"></span><div><div class="h5"><div><div dir="ltr"><p>Hi all, I’ve written up a proposal to modify the unsafe pointer API for greater consistency, safety, and ease of use.</p><p>~~~<br></p><p>Swift currently offers two sets of pointer types — singular pointers such as <code>UnsafeMutablePointer</code>, and vector (buffer) pointers such as <code>UnsafeMutable</code><b><code>Buffer</code></b><code>Pointer</code>. This implies a natural separation of tasks the two kinds of pointers are meant to do. For example, buffer pointers implement <code>Collection</code> conformance, while singular pointers do not.</p><p>However, some aspects of the pointer design contradict these implied
roles. It is possible to allocate an arbitrary number of instances from a
type method on a singular pointer, but not from a buffer pointer. The
result of such an operation returns a singular pointer, even though a
buffer pointer would be more appropriate to capture the information
about the <i>number</i> of instances allocated. It’s possible to subscript into a singular pointer, even though they are not real <code>Collection</code>s. Some parts of the current design turn UnsafePointers into downright <i>Dangerous</i>Pointers, leading users to believe that they have allocated or freed memory when in fact, they have not.</p><p>This proposal seeks to iron out these inconsistencies, and offer a
more convenient, more sensible, and less bug-prone API for Swift
pointers.</p><p><<a href="https://gist.github.com/kelvin13/a9c033193a28b1d4960a89b25fbffb06" target="_blank">https://gist.github.com/<wbr>kelvin13/<wbr>a9c033193a28b1d4960a89b25fbffb<wbr>06</a>></p><p>~~~<br></p></div></div></div></div></blockquote><br></div><div><div>Thanks for taking time to write this up.</div><div><br></div><div>General comments:</div><div><br></div><div>UnsafeBufferPointer is an API layer on top of UnsafePointer. The role</div><div>of UnsafeBufferPointer is direct memory access sans lifetime</div><div>management with Collection semantics. The role of UnsafePointer is</div><div>primarily C interop. Those C APIs should be wrapped in Swift APIs that</div><div>take UnsafeBufferPointer whenever the pointer represents a C array. I</div><div>suppose making UnsafePointer less convenient would push developers</div><div>toward UnsafeBufferPointer. I don't think that's worth outright</div><div>breaking source, but gradual deprecation of convenience methods, like</div><div>`susbscript` might be acceptable.</div></div></div></blockquote><br></div><div class="gmail_quote">Gradual deprecation is exactly what I am proposing. As the <a href="https://gist.github.com/kelvin13/a9c033193a28b1d4960a89b25fbffb06#proposed-solution">document states</a>, the only methods which should be marked immediately as unavailable are the `<span style="font-family:monospace,monospace">deallocate(capacity:)</span>` methods, for safety and source compatibility reasons. Removing `<span style="font-family:monospace,monospace">deallocate(capacity:)</span>` now and forcing a loud compiler error prevents catastrophic *silent* source breakage in the future, or worse, from having to *support our own bug*.<br></div><div class="gmail_quote"> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word"><div><div><br></div><div>I have mixed feelings about stripping UnsafePointer of basic</div><div>functionality. Besides breaking source, doing that would be</div><div>inconsistent with its role as a lower API layer. The advantage would</div><div>just be descreasing API surface area and forcing developers to use a</div><div>higher-level API.</div></div></div></blockquote><div><br></div><div>UnsafePointer is as much a high level API as UnsafeBufferPointer is. You wouldn’t create a buffer pointer of length 1 just so you can “stick with the high level API”. UnsafePointer and UnsafeBufferPointer are two tools that do related but different things and they can exist at whatever abstract level you need them at. After all, UnsafeBufferPointer is nothing but an UnsafePointer? with a length value attached to it. If you’re allocating more than one instance of memory, you almost certainly need to track the length of the buffer anyway.<br> <br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word"><div><div>The additive changes you propose are fairly obvious. See [SR-3088]</div><div>UnsafeMutableBufferPointer doesn't have an allocating init.</div><div><br></div><div>I haven't wanted to waste review cycles on small additive</div><div>changes. It may make sense to batch them up into one coherent</div><div>proposal. Here are a few more to consider.</div><div><br></div><div>- [SR-3929] UnsafeBufferPointer should have init from mutable</div><div>- [SR-4340] UnsafeBufferPointer needs a withMemoryRebound method</div><div>- [SR-3087] No way to arbitrarily initialise an Array's storage</div></div></div></blockquote><div><br></div><div>The feature requests you mention are all very valuable, however with Michael’s point about fixing the memorystate API’s, the size of this proposal has already grown to encompass dozens of methods in five types. I think this says a lot about just how broken the current system is, but I think it’s better to try to fix one class of problems at a time, and save the less closely-related issues for separate proposals.<br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word"><div><div><br></div><div>Point by point:</div><div><br></div><div>> drop the capacity parameter from UnsafeMutablePointer.allocate(<wbr>) and deallocate().</div><div><br></div><div>I do not agree with removing the capacity parameter and adding a</div><div>single-instance allocation API. UnsafePointer was not designed for</div><div>single instances, it was primarily designed for C-style arrays. I</div><div>don't see the value in providing a different unsafe API for single</div><div>vs. multiple values.</div></div></div></blockquote><div><br></div><div>Although it’s common to *receive* Unsafe__Pointers from C API’s, it’s rare to *create* them from the Swift side. 95% of the time your Swift data lives in a Swift Array, and you use withUnsafePointer(_:) to send them to the C API, or just pass them directly with Array bridging. <br><br></div><div>The only example I can think of where I had to allocate memory from the Swift side to pass to a C API is when I was using the Cairo C library and I wanted the Swift code to own the image buffer backing the Cairo C structs and I wanted to manage the memory manually to prevent the buffer backing from getting deallocated prematurely. I think I ended up using UnsafeMutableBufferPointer and extracting baseAddresses to manage the memory. This proposal tries to mitigate that pain of extracting baseAddresses by giving buffer pointers their own memory management methods.<br></div><div><br></div><div>As for the UnsafePointers you get from C APIs, they almost always come with a size (or you specify it beforehand with a parameter) so you’re probably going to be turning them into UnsafeBufferPointers anyway.<br><br></div><div>I also have to say it’s not common to deallocate something in Swift that you didn’t previously allocate in Swift. <br></div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word"><div><div><br></div><div>I agree the primary allocation API should be</div><div>UnsafeMutableBufferPointer.<wbr>allocate(capacity:). There is an argument</div><div>to be made for removing UnsafeMutablePointer.allocate(<wbr>capacity:)</div><div>entirely. But, as Michael Ilseman pointed out, that would involve</div><div>reevaluating several other members of the UnsafePointer API. I think</div><div>it's reasonable for UnsafePointer to retain all its functionality as a</div><div>lower level API.</div><div><br></div></div></div></blockquote><div><br></div><div>I think duplication of functionality is something to be avoided if possible.<br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word"><div><div></div><div>I don't understand what is misleading about</div><div>UnsafePointer.deallocate(<wbr>capacity:). It *is* inconvenienent for the</div><div>user to keep track of memory capacity. Presumably that was done so</div><div>either the implementation can move away from malloc/free or some sort</div><div>of memory tracking can be implemented on the standard library</div><div>side. Obviously, UnsafeBufferPointer.<wbr>deallocate() would be cleaner in</div><div>most cases.</div></div></div></blockquote><div><br></div><div>It’s misleading because it plain doesn’t deallocate `capacity` instances. It deletes the whole memory block regardless of what you pass in the capacity argument. If the implementation is ever “fixed” so that it actually deallocates `capacity` instances, suddenly every source that uses `deallocate(capacity:)` will break, and *no one will know* until their app starts mysteriously crashing. If the method is not removed, we will have to support this behavior to avoid breaking sources, and basically say “yes the argument label says it deallocates a capacity, but what it *really* does is free the whole block and we can’t fix it because existing code assumes this behavior”.<br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word"><div><div><br></div><div>> add an allocate(count:) type method to UnsafeMutableBufferPointer</div><div><br></div><div>`capacity` should be used for allocating uninitialized memory not</div><div>`count`. `count` should only refer to a number of initialized objects!</div></div></div></blockquote><div><br></div><div>We can decide on what the correct term should be, but the current state of Swift pointers is that *neither* convention is being followed. Just look at the API for UnsafeMutableRawPointer. It’s a mess. This proposal at the minimum establishes a consistent convention. It can be revised if you feel `capacity` is more appropriate than `count`. If what you mean is that it’s important to maintain the distinction between “initialized counts” and “uninitialized counts”, well that can be revised in too.<br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word"><div><div>> add a deallocate() instance method to UnsafeMutableBufferPointer</div><div><br></div><div>Yes, of course! I added a mention of that in SR-3088.</div><div><br></div><div>> remove subscripts from UnsafePointer and UnsafeMutablePointer</div><div><br></div><div>It's often more clear to perform arithmetic on C array indices rather</div><div>than pointers. That said, I'm happy to push developers to use</div><div>UnsafeBufferPointer whenever that have a known capacity. To me, this</div><div>is a question of whether the benefit of making a dangerous thing less</div><div>convenient is worth breaking source compatibility.</div></div></div></blockquote><div><br></div><div>Again, I think this is more about what the real use patterns are. If you are subscripting into a C array with integers, then UnsafeBufferPointer is the tool for the job, since it give you Collection conformance. If you can’t make an UnsafeBufferPointer, it’s probably because you don’t know the length of the array, and so you’re probably iterating through it one element at a time. UnsafeMutablePointer.successor() is perfect for this job. If you want to extract or set fields at fixed but irregular offsets, UnsafeRawPointer is the tool for the job. But I’m hard-pressed to think of a use case for random access into a singular typed pointer.<br></div></div><br></div></div>