source: doc/theses/mike_brooks_MMath/intro.tex @ 74cbaa3

Last change on this file since 74cbaa3 was 520fa9e, checked in by Peter A. Buhr <pabuhr@…>, 3 weeks ago

proofread background chapter, and other small changes

  • Property mode set to 100644
File size: 12.2 KB
Line 
1\chapter{Introduction}
2
3All modern programming languages provide three high-level containers (collections): array, linked-list, and string.
4Often array is part of the programming language, while linked-list is built from (recursive) pointer types, and string from a combination of array and linked-list.
5For all three types, languages and/or their libraries supply varying degrees of high-level mechanisms for manipulating these objects at the bulk and component level, such as copying, slicing, extracting, and iterating among elements.
6
7This work looks at extending these three foundational container types in the programming language \CFA, which is a new dialect of the C programming language.
8A primary goal of \CFA~\cite{Cforall} is 99\% backward compatibility with C, while maintaining a look and feel that matches with C programmer experience and intuition.
9This goal requires ``thinking inside the box'' to engineer new features that ``work and play'' with C and its massive legacy code-base.
10An equally important goal is balancing good performance with safety.
11
12The thesis describes improvements made to the \CFA language design, both syntax and semantics, to support the container features, and the source code created within the \CFA compiler, libraries, and runtime system to implement these features.
13This work leverages preexisting work within the compiler's type and runtime systems generated by prior graduate students working on the \CFA project.
14
15
16\section{Array}
17\label{s:ArrayIntro}
18
19An array provides a homogeneous container with $O(1)$ access to elements using subscripting.
20Higher-level operations like array slicing (single or multidimensional) may have significantly higher cost, but provide a better programmer experience.
21The array size can be static, dynamic but fixed after creation, or dynamic and variable after creation.
22For static and dynamic-fixed, an array can be stack allocated, while dynamic-variable requires the heap.
23Because array layout has contiguous components, subscripting is a computation (some form of pointer arithmetic).
24
25C provides a simple array type as a language feature.
26However, it adopts the controversial language position of treating pointer and array as duals, leading to multiple problems.
27
28
29\section{Linked list}
30
31A linked-list provides a homogeneous container often with $O(log N)$ or $O(N)$ access to elements using successor and predecessor operations that normally involve pointer chasing.
32Subscripting by value (rather than position or location as for array) is sometimes available, \eg hash table.
33Linked types are normally dynamically sized by adding and removing nodes using link fields internal or external to the elements (nodes).
34If a programming language allows pointers to stack storage, linked-list nodes can be allocated on the stack and connected with stack addresses (pointers);
35otherwise, elements are heap allocated with internal or external link fields.
36
37C provides a few simple, polymorphic, library data-structures (@glibc@):
38\begin{itemize}
39\item
40singly-linked lists, singly-linked tail queues, lists, and tail queues (@<sys/queue.h>@) \see{\VRef{s:PreexistingLinked-ListLibraries}}
41\item
42hash search table consisting of a key (string) with associated data (@<search.h>@)
43\end{itemize}
44Because these libraries are simple, awkward to use, and unsafe, C programmers commonly build linked-list behaviours into their bespoke data structures.
45
46
47\section{String}
48
49A string provides a dynamic array of homogeneous elements, where the elements are (often) some form of human-readable characters.
50What differentiates a string from other types in that many of its operations work on groups of elements for scanning and changing, \eg @index@ and @substr@.
51While subscripting individual elements is usually available, working at the individual character level is considered poor practise, \ie underutilizing the powerful string operations.
52Therefore, the cost of a string operation is usually less important than the power of the operation to accomplish complex text manipulation, \eg search, analysing, composing, and decomposing string text.
53The dynamic nature of a string means storage is normally heap allocated but often implicitly managed, even in unmanaged languages.
54In some cases, string management is separate from heap management, \ie strings roll their own heap.
55
56The C string type requires user storage-management of a language-provided character array.
57The character array uses the convention of marking its (variable) array length by placing the 0-valued control character at the end (null-terminated).
58The C standard library includes a number of high-level operations for working with this representation.
59
60
61\section{Iterator}
62
63As a side issue to complex structured-types is iterating through them.
64Some thought has been given to \emph{general} versus specific iteration capabilities as part of of this work.
65However, the general iteration work is only a sketch for others as future work.
66Nevertheless, sufficed work was done to write out the ideas that developed and how they should apply in the main context of this work.
67
68
69\section{Motivation}
70
71The primary motivation for this work is two fold:
72\begin{enumerate}[leftmargin=*]
73\item
74These three aspects of C are difficult to understand, teach, and get right because they are correspondingly low level.
75Providing higher-level, feature-rich versions of these containers in \CFA is a major component of the primary goal.
76\item
77These three aspects of C cause the greatest safety issues because there are few or no safe guards when a programmer misunderstands or misuses these features~\cite{Elliott18, Blache19, Ruef19, Oorschot23}.
78Estimates suggest 50\%~\cite{Mendio24} of total reported open-source vulnerabilities occurring in C result from errors using these facilities (memory errors), providing the major hacker attack-vectors.
79\end{enumerate}
80Both White House~\cite{WhiteHouse24} and DARPA~\cite{DARPA24} recently released a recommendation to move away from C and \CC, because of cybersecurity threats exploiting vulnerabilities in these older languages.
81Hardening these three types goes a long way to make the majority of C programs safer.
82
83
84While multiple new languages purport to be systems languages replacing C, the reality is that rewriting massive C code-bases is impractical and a non-starter if the new runtime uses garage collection.
85Furthermore, new languages must still interact with the underlying C operating system through fragile, type-unsafe, interlanguage-communication.
86Switching to \CC is equally impractical as its complex and interdependent type-system (\eg objects, overloading, inheritance, templates) means idiomatic \CC code is difficult to use from C, and C programmers must expend significant effort learning \CC.
87Hence, rewriting and retraining costs for these languages can be prohibitive for companies with a large C software-base (Google, Apple, Microsoft, Amazon, AMD, Nvidia).
88
89
90\section{C?}
91
92Like many established programming languages, C has a standards committee and multiple ANSI/\-ISO language manuals~\cite{C99,C11,C18,C23}.
93However, most programming languages are only partially explained by their standard's manual(s).
94When it comes to explaining how C works, the definitive source is the @gcc@ compiler, which is mimicked by other C compilers, such as Clang~\cite{clang}.
95Often other C compilers must mimic @gcc@ because a large part of the C library (runtime) system (@glibc@ on Linux) contains @gcc@ features.
96Some key aspects of C need to be explained and understood by quoting from the language reference manual.
97However, to illustrate actual program semantics, this thesis constructs multiple small programs whose behaviour exercises a particular point and then confirms the behaviour by running the program using multiple @gcc@ compilers.
98These example programs show
99\begin{itemize}
100        \item if the compiler accepts or rejects certain syntax,
101        \item prints output to buttress a behavioural claim,
102        \item or executes without triggering any embedded assertions testing pre/post-assertions or invariants.
103\end{itemize}
104These programs are tested across @gcc@ versions 8--14 and clang versions 10--14 running on ARM, AMD, and Intel architectures.
105Any discovered anomalies among compilers, versions, or architectures is discussed.
106In general, it is never clear whether the \emph{truth} lies in the C standard or the compiler(s), which may be true for other programming languages.
107
108
109\section{Contributions}
110
111Overall, this work has produced significant syntactic and semantic improvements to C's arrays, linked-lists and string types.
112As well, a strong plan for general iteration has been sketched out.
113The following are the detailed contributions, where performance and safety were always the motivating factors.
114
115\subsection{Array}
116
117This work's array improvements are:
118\begin{enumerate}[leftmargin=*]
119\item
120Introduce a small number of subtle changes to the typing rules for the C array, while still achieving significant backwards compatibility
121\item
122Create a new polymorphic mechanism into the \CFA @forall@ clause for specifying array dimension values, similar to a fixed-typed parameter in a \CC \lstinline[language=C++]{template}.
123\item
124Construct a new standard-library array-type, available through @#include <array.hfa>@.
125\end{enumerate}
126The new array type, enabled by prior features, defines an array with guaranteed runtime bound checks (often optimizer-removable) and implicit (guaranteed accurate) inter-function length communication.
127Leveraging the preexisting \CFA type-system to achieve this length-related type checking is an original contribution.
128Furthermore, the new array incorporates multidimensional capabilities typical of scientific/machine-learning languages, made to coexist with the C raw-memory-aware tradition in a novel way.
129The thesis includes a performance evaluation that shows \CFA arrays perform comparably with C arrays in many programming cases.
130
131
132\subsection{Linked list}
133
134The linked list is a new runtime library, available through @#include <dlist.hfa>@.
135The library offers a novel combination of the preexisting \CFA features: references, inline inheritance, polymorphism, and declaration scoping.
136A programmer's experience using the list data-types within the type system is novel.
137The list's runtime representation follows the established design pattern of intrusive link-fields for performance reasons, especially in concurrent programs.
138The thesis includes a performance evaluation that shows the list performing comparably with other C-family intrusive lists, and notably better than the \CC standard list.
139
140
141\subsection{String}
142
143The string is a new runtime library, available through @#include <string.hfa>@.
144The library offers a type where basic usage is comparable to the \CC @string@ type, including analogous coexistence with raw-character pointers.
145Its implementation, however, follows different principles, enabling programs to work with strings by value, without incurring excessive copying.
146Mutability is retained.
147Substrings are supported, including the ability for overlapping ranges to share edits transparently.
148Ultimately, the implementation is a set of strings rolled into their own specialized heap.
149
150The string library includes writing and reading strings via the preexisting \CFA I/O stream library.
151Enabling transparent reading (of unknown length into a managed allocation) included revision of the stream library's existing handling of character arrays.
152All reasonable stream manipulators are supported, \eg width, justification (left/right), printing characters as their numeric values, and complex input scanning to isolate strings.
153
154
155\subsection{Iterator}
156
157Some advanced iterator prototyping now exists, available in the \CFA standard library.
158Specifically, a family of iterator styles is provided, with cheap iterators that are robust to being misused, plus full-featured iterators that observe structural modifications without becoming invalid.
159Hence, the infamous \CC bug of iterator invalidation, where structural changes cause legitimate operations to fail, \eg iterator over a list and deleting each element.
160
161Further design provides a home for Liskov-style iterators in \CFA.
162This design extends a preexisting proposal to adapt the \CFA (fixed) for-each loop to be more user-pluggable, and builds upon preexisting \CFA coroutines.
163Overall, it simplifies the work a programmer must do to leverage the suspended-state abstraction during iteration.
Note: See TracBrowser for help on using the repository browser.