Changeset 154fdc8 for doc/rob_thesis/ctordtor.tex

Ignore:
Timestamp:
Apr 19, 2017, 10:15:45 AM (5 years ago)
Branches:
aaron-thesis, arm-eh, cleanup-dtors, deferred_resn, demangler, jacob/cs343-translation, jenkins-sandbox, master, new-ast, new-ast-unique-expr, new-env, no_list, persistent-indexer, resolv-new, with_gc
Children:
cd348e7
Parents:
221c2de (diff), de4ce0e (diff)
Note: this is a merge changeset, the changes displayed below correspond to the merge itself.
Use the (diff) links above to see all the changes relative to each parent.
Message:

Merge branch 'master' of plg.uwaterloo.ca:software/cfa/cfa-cc

File:
1 edited

Legend:

Unmodified
 r221c2de %====================================================================== % TODO: discuss move semantics; they haven't been implemented, but could be. Currently looking at alternative models. (future work) % TODO: as an experiment, implement Andrei Alexandrescu's ScopeGuard http://www.drdobbs.com/cpp/generic-change-the-way-you-write-excepti/184403758?pgno=2 % TODO now: as an experiment, implement Andrei Alexandrescu's ScopeGuard http://www.drdobbs.com/cpp/generic-change-the-way-you-write-excepti/184403758?pgno=2 % doesn't seem possible to do this without allowing ttype on generic structs? % If a Cforall constructor is in scope, C style initialization is % disabled by default. % * initialization rule: if any constructor is in scope for type T, try %   to find a matching constructor for the call. If there are no %   constructors in scope for type T, then attempt to fall back on %   C-style initialization. % + if this rule was not in place, it would be easy to accidentally %   use C-style initialization in certain cases, which could lead to %   subtle errors [2] % - this means we need special syntax if we want to allow users to force %   a C-style initialization (to give users more control) % - two different declarations in the same scope can be implicitly %   initialized differently. That is, there may be two objects of type %   T that are initialized differently because there is a constructor %   definition between them. This is not technically specific to %   constructors. % C-style initializers can be accessed with @= syntax % + provides a way to get around the requirement of using a constructor %   (for advanced programmers only) % - can break invariants in the type => unsafe % * provides a way of asserting that a variable is an instance of a %   C struct (i.e. a POD struct), and so will not be implicitly %   destructed (this can be useful at times, maybe mitigates the need %   for move semantics?) [3] % + can modernize a code base one step at a time % Cforall constructors can be used in expressions to initialize any % piece of memory. % + malloc() { ... } calls the appropriate constructor on the newly %   allocated space; the argument is moved into the constructor call %   without taking its address [4] % - with the above form, there is still no way to ensure that %   dynamically allocated objects are constructed. To resolve this, %   we might want a stronger "new" function which always calls the %   constructor, although how we accomplish that is currently still %   unresolved (compiler magic vs. better variadic functions?) % + This can be used as a placement syntax [5] % - can call the constructor on an object more than once, which could %   cause resource leaks and reinitialize const fields (can try to %   detect and prevent this in some cases) %   * compiler always tries to implicitly insert a ctor/dtor pair for %     non-@= objects. %     * For POD objects, this will resolve to an autogenerated or %       intrinsic function. %     * Intrinsic functions are not automatically called. Autogenerated %       are, because they may call a non-autogenerated function. %     * destructors are automatically inserted at appropriate branches %       (e.g. return, break, continue, goto) and at the end of the block %       in which they are declared. %   * For @= objects, the compiler never tries to interfere and insert %     constructor and destructor calls for that object. Copy constructor %     calls do not count, because the object is not the target of the copy %     constructor. % A constructor is declared with the name ?{} % + combines the look of C initializers with the precedent of ?() being %   the name for the function call operator % + it is possible to easily search for all constructors in a project %   and immediately know that a function is a constructor by seeing the %   name "?{}" % A destructor is declared with the name ^?{} % + name mirrors a constructor's name, with an extra symbol to %   distinguish it % - the symbol '~' cannot be used due to parsing conflicts with the %   unary '~' (bitwise negation) operator - this conflict exists because %   we want to allow users to write ^x{}; to destruct x, rather than %   ^?{}(&x); % The first argument of a constructor must be a pointer. The constructed % type is the base type of the pointer. E.g. void ?{}(T *) is a default % constructor for a T. % + can name the argument whatever you like, so not constrained by %   language keyword "this" or "self", etc. % - have to explicitly qualify all object members to initialize them %   (e.g. this->x = 0, rather than just x = 0) % Destructors can take arguments other than just the destructed pointer % * open research problem: not sure how useful this is % Pointer constructors % + can construct separately compiled objects (opaque types) [6] % + orthogonal design, follows directly from the definition of the first %   argument of a constructor % - may require copy constructor or move constructor (or equivalent) %   for correct implementation, which may not be obvious to everyone % + required feature for the prelude to specify as much behavior as possible %   (similar to pointer assignment operators in this respect) % Designations can only be used for C-style initialization % * designation for constructors is equivalent to designation for any %   general function call. Since a function prototype can be redeclared %   many times, with arguments named differently each time (or not at %   all!), this is considered to be an undesirable feature. We could %   construct some set of rules to allow this behaviour, but it is %   probably more trouble than it's worth, and no matter what we choose, %   it is not likely to be obvious to most people. % Constructing an anonymous member [7] % + same as with calling any other function on an anonymous member %   (implicit conversion by the compiler) % - may be some cases where this is ambiguous => clarify with a cast %   (try to design APIs to avoid sharing function signatures between %   composed types to avoid this) % Default Constructors and Destructors are called implicitly % + cannot forget to construct or destruct an object % - requires special syntax to specify that an object is not to be %   constructed (@=) % * an object will not be implicitly constructed OR destructed if %   explicitly initialized like a C object (@= syntax) % * an object will be destructed if there are no constructors in scope %   (even though it is initialized like a C object) [8] % An object which changes from POD type to non POD type will not change % the semantics of a type containing it by composition % * That is, constructors will not be regenerated at the point where %   an object changes from POD type to non POD type, because this could %   cause a cascade of constructors being regenerated for many other %   types. Further, there is precedence for this behaviour in other %   facets of Cforall's design, such as how nested functions interact. % * This behaviour can be simplified in a language without declaration %   before use, because a type can be classified as POD or non POD %   (rather than potentially changing between the two at some point) at %   at the global scope (which is likely the most common case) % * [9] % Changes to polymorphic type classes % * dtype and ftype remain the same % * forall(otype T) is currently essentially the same as %   forall(dtype T | { @size(T); void ?=?(T *, T); }). %   The big addition is that you can declare an object of type T, rather %   than just a pointer to an object of type T since you know the size, %   and you can assign into a T. %   * this definition is changed to add default constructor and %     destructor declarations, to remain consistent with what type meant %     before the introduction of constructors and destructors. %     * that is, forall(type T) is now essentially the same as %       forall(dtype T | { @size(T); void ?=?(T *, T); %                          void ?{}(T *); void ^?{}(T *); }) %     + this is required to make generic types work correctly in %       polymorphic functions %     ? since declaring a constructor invalidates the autogenerated %       routines, it is possible for a type to have constructors, but %       not default constructors. That is, it might be the case that %       you want to write a polymorphic function for a type which has %       a size, but non-default constructors? Some options: %       * declaring a constructor as a part of the assertions list for %         a type declaration invalidates the default, so %         forall(otype T | { void ?{}(T *, int); }) %         really means %         forall(dtype T | { @size(T); void ?=?(T *, T); %                            void ?{}(T *, int); void ^?{}(T *); }) %       * force users to fully declare the assertions list like the %         above in this case (this seems very undesirable) %       * add another type class with the current desugaring of type %         (just size and assignment) %       * provide some way of subtracting from an existing assertions %         list (this might be useful to have in general) % Implementation issues: % Changes to prelude/autogen or built in defaults? % * pointer ctors/dtors [prelude] %   * other pointer type routines are declared in the prelude, and this %     doesn't seem like it should be any different % * basic type ctors/dtors [prelude] %   * other basic type routines are declared in the prelude, and this %     doesn't seem like it should be any different % ? aggregate types [undecided, but leaning towards autogenerate] %   * prelude %     * routines specific to aggregate types cannot be predeclared in %       the prelude because we don't know the name of every %       aggregate type in the entire program %   * autogenerate %     + default assignment operator is already autogenerated for %       aggregate types %       * this seems to lead us in the direction of autogenerating, %         because we may have a struct which contains other objects %         that require construction [10]. If we choose not to %         autogenerate in this case, then objects which are part of %         other objects by composition will not be constructed unless %         a constructor for the outer type is explicitly defined %       * in this case, we would always autogenerate the appropriate %         constructor(s) for an aggregate type, but just like with %         basic types, pointer types, and enum types, the constructor %         call can be elided when when it is not necessary. %     + constructors will have to be explicitly autogenerated %       in the case where they are required for a polymorphic function, %       when no user defined constructor is in scope, which may make it %       easiest to always autogenerate all appropriate constructors %     - n+2 constructors would have to be generated for a POD type %       * one constructor for each number of valid arguments [0, n], %         plus the copy constructor %         * this is taking a simplified approach: in C, it is possible %           to omit the enclosing braces in a declaration, which would %           lead to a combinatorial explosion of generated constructors. %           In the interest of keeping things tractable, Cforall may be %           incompatible with C in this case. [11] %       * for non-POD types, only autogenerate the default and copy %         constructors %       * alternative: generate only the default constructor and %         special case initialization for any other constructor when %         only the autogenerated one exists %         - this is not very sensible, as by the previous point, these %           constructors may be needed for polymorphic functions %           anyway. %     - must somehow distinguish in resolver between autogenerated and %       user defined constructors (autogenerated should never be chosen %       when a user defined option exists [check first parameter], even %       if full signature differs) (this may also have applications %       to other autogenerated routines?) %     - this scheme does not naturally support designation (i.e. general %       functions calls do not support designation), thus these cases %       will have to be treated specially in either case %   * defaults %     * i.e. hardcode a new set of rules for some "appropriate" default %       behaviour for %     + when resolving an initialization expression, explicitly check to %       see if any constructors are in scope. If yes, attempt to resolve %       to a constructor, and produce an error message if a match is not %       found. If there are no constructors in scope, resolve to %       initializing each field individually (C-style) %     + does not attempt to autogenerate constructors for POD types, %       which can be seen as a space optimization for the program %       binary %     - as stated previously, a polymorphic routine may require these %       autogenerated constructors, so this doesn't seem like a big win, %       because this leads to more complicated logic and tracking of %       which constructors have already been generated %     - even though a constructor is not explicitly declared or used %       polymorphically, we might still need one for all uses of a %       struct (e.g. in the case of composition). %   * the biggest tradeoff in autogenerating vs. defaulting appears to %     be in where and how the special code to check if constructors are %     present is handled. It appears that there are more reasons to %     autogenerate than not. % --- examples % [1] As an example of using constructors polymorphically, consider a % slight modification on the foldl example I put on the mailing list a % few months ago: % context iterable(type collection, type element, type iterator) { %   void ?{}(iterator *, collection); // used to be makeIterator, but can %                             // idiomatically use constructor %   int hasNext(iterator); %   iterator ++?(iterator *); %   lvalue element *?(iterator); % }; % forall(type collection, type element, type result, type iterator %   | iterable(collection, element, iterator)) % result foldl(collection c, result acc, %     result (*reduce)(result, element)) { %   iterator it = { c }; %   while (hasNext(it)) { %     acc = reduce(acc, *it); %     ++it; %   } %   return acc; % } % Now foldl makes use of the knowledge that the iterator type has a % single argument constructor which takes the collection to iterate % over. This pattern allows polymorphic code to look more natural % (constructors are generally preferred to named initializer/creation % routines, e.g. "makeIterator") % [2] An example of some potentially dangerous code that we don't want % to let easily slip through the cracks - if this is really what you % want, then use @= syntax for the second declaration to quiet the % compiler. % struct A { int x, y, z; } % ?{}(A *, int); % ?{}(A *, int, int, int); % A a1 = { 1 };         // uses ?{}(A *, int); % A a2 = { 2, 3 };      // C-style initialization -> no invariants! % A a3 = { 4, 5, 6 };   // uses ?{}(A *, int, int, int); % [3] Since @= syntax creates a C object (essentially a POD, as far as % the compiler is concerned), the object will not be destructed % implicitly when it leaves scope, nor will it be copy constructed when % it is returned. In this case, a memcpy should be equivalent to a move. % // Box.h % struct Box; % void ?{}(Box **, int}; % void ^?{}(Box **); % Box * make_fortytwo(); % // Box.cfa % Box * make_fortytwo() { %   Box *b @= {}; %   (&b){ 42 }; // construct explicitly %   return b; // no destruction, essentially a move? % } % [4] Cforall's typesafe malloc can be composed with constructor % expressions. It is possible for a user to define their own functions % similar to malloc and achieve the same effects (e.g. Aaron's example % of an arena allocator) % // CFA malloc % forall(type T) % T * malloc() { return (T *)malloc(sizeof(T)); } % struct A { int x, y, z; }; % void ?{}(A *, int); % int foo(){ %   ... %   // desugars to: %   // A * a = ?{}(malloc(), 123); %   A * a = malloc() { 123 }; %   ... % } % [5] Aaron's example of combining function calls with constructor % syntax to perform an operation similar to C++'s std::vector::emplace % (i.e. to construct a new element in place, without the need to % copy) % forall(type T) % struct vector { %   T * elem; %   int len; %   ... % }; % ... % forall(type T) % T * vector_new(vector(T) * v) { %   // reallocate if needed %   return &v->elem[len++]; % } % int main() { %   vector(int) * v = ... %   vector_new(v){ 42 };  // add element to the end of vector % } % [6] Pointer Constructors. It could be useful to use the existing % constructor syntax even more uniformly for ADTs. With this, ADTs can % be initialized in the same manor as any other object in a polymorphic % function. % // vector.h % forall(type T) struct vector; % forall(type T) void ?{}(vector(T) **); % // adds an element to the end % forall(type T) vector(T) * ?+?(vector(T) *, T); % // vector.cfa % // don't want to expose the implementation to the user and/or don't % // want to recompile the entire program if the struct definition % // changes % forall(type T) struct vector { %   T * elem; %   int len; %   int capacity; % }; % forall(type T) void resize(vector(T) ** v) { ... } % forall(type T) void ?{}(vector(T) ** v) { %   vector(T) * vect = *v = malloc(); %   vect->capacity = 10; %   vect->len = 0; %   vect->elem = malloc(vect->capacity); % } % forall(type T) vector(T) * ?+?(vector(T) *v, T elem) { %   if (v->len == v->capacity) resize(&v); %   v->elem[v->len++] = elem; % } % // main.cfa % #include "adt.h" % forall(type T | { T ?+?(T, int); } % T sumRange(int lower, int upper) { %   T x;    // default construct %   for (int i = lower; i <= upper; i++) { %     x = x + i; %   } %   return x; % } % int main() { %   vector(int) * numbers = sumRange(1, 10); %   // numbers is now a vector containing [1..10] %   int sum = sumRange(1, 10); %   // sum is now an int containing the value 55 % } % [7] The current proposal is to use the plan 9 model of inheritance. % Under this model, all of the members of an unnamed struct instance % become members of the containing struct. In addition, an object % can be passed as an argument to a function expecting one of its % base structs. % struct Point { %   double x; %   double y; % }; % struct ColoredPoint { %   Point;        // anonymous member (no identifier) %                 // => a ColoredPoint has an x and y of type double %   int color; % }; % ColoredPoint cp = ...; % cp.x = 10.3;    // x from Point is accessed directly % cp.color = 0x33aaff; // color is accessed normally % foo(cp);        // cp can be used directly as a Point % void ?{}(Point *p, double x, double y) { %   p->x = x; %   p->y = y; % } % void ?{}(ColoredPoint *cp, double x, double y, int color) { %   (&cp){ x, y };  // unambiguous, no ?{}(ColoredPoint*,double,double) %   cp->color = color; % } % struct Size { %   double width; %   double height; % }; % void ?{}(Size *s, double w, double h) { %   p->width = w; %   p->height = h; % } % struct Foo { %   Point; %   Size; % } % ?{}(Foo &f, double x, double y, double w, double h) { %   // (&F,x,y) is ambiguous => is it ?{}(Point*,double,double) or %   // ?{}(Size*,double,double)? Solve with a cast: %   ((Point*)&F){ x, y }; %   ((Size*)&F){ w, h }; % } % [8] Destructors will be called on objects that were not constructed. % struct A { ... }; % ^?{}(A *); % { %   A x; %   A y @= {}; % } // x is destructed, even though it wasn't constructed %   // y is not destructed, because it is explicitly a C object % [9] A type's constructor is generated at declaration time using % current information about an object's members. This is analogous to % the treatment of other operators. For example, an object's assignment % operator will not change to call the override of a member's assignment % operator unless the object's assignment is also explicitly overridden. % This problem can potentially be treated differently in Do, since each % compilation unit is passed over at least twice (once to gather % symbol information, once to generate code - this is necessary to % achieve the "No declarations" goal) % struct A { ... }; % struct B { A x; }; % ... % void ?{}(A *);  // from this point on, A objects will be constructed % B b1;           // b1 and b1.x are both NOT constructed, because B %                 // objects are not constructed % void ?{}(B *);  // from this point on, B objects will be constructed % B b2;           // b2 and b2.x are both constructed % struct C { A x; }; % // implicit definition of ?{}(C*), because C is not a POD type since % // it contains a non-POD type by composition % C c;            // c and c.x are both constructed % [10] Requiring construction by composition % struct A { %   ... % }; % // declared ctor disables default c-style initialization of % // A objects; A is no longer a POD type % void ?{}(A *); % struct B { %   A x; % }; % // B objects can not be C-style initialized, because A objects % // must be constructed => B objects are transitively not POD types % B b; // b.x must be constructed, but B is not constructible %      // => must autogenerate ?{}(B *) after struct B definition, %      // which calls ?{}(&b.x) % [11] Explosion in the number of generated constructors, due to strange % C semantics. % struct A { int x, y; }; % struct B { A u, v, w; }; % A a = { 0, 0 }; % // in C, you are allowed to do this % B b1 = { 1, 2, 3, 4, 5, 6 }; % B b2 = { 1, 2, 3 }; % B b3 = { a, a, a }; % B b4 = { a, 5, 4, a }; % B b5 = { 1, 2, a, 3 }; % // we want to disallow b1, b2, b4, and b5 in Cforall. % // In particular, we will autogenerate these constructors: % void ?{}(A *);             // default/0 parameters % void ?{}(A *, int);        // 1 parameter % void ?{}(A *, int, int);   // 2 parameters % void ?{}(A *, const A *);  // copy constructor % void ?{}(B *);             // default/0 parameters % void ?{}(B *, A);          // 1 parameter % void ?{}(B *, A, A);       // 2 parameters % void ?{}(B *, A, A, A);    // 3 parameters % void ?{}(B *, const B *);  // copy constructor % // we will not generate constructors for every valid combination % // of members in C. For example, we will not generate % void ?{}(B *, int, int, int, int, int, int);   // b1 would need this % void ?{}(B *, int, int, int);                  // b2 would need this % void ?{}(B *, A, int, int, A);                 // b4 would need this % void ?{}(B *, int, int, A, int);               // b5 would need this % // and so on % TODO: talk somewhere about compound literals? Since \CFA is a true systems language, it does not provide a garbage collector. As well, \CFA is not an object-oriented programming language, i.e. structures cannot have routine members. As well, \CFA is not an object-oriented programming language, \ie, structures cannot have routine members. Nevertheless, one important goal is to reduce programming complexity and increase safety. To that end, \CFA provides support for implicit pre/post-execution of routines for objects, via constructors and destructors. % TODO: this is old. remove or refactor % Manual resource management is difficult. % Part of the difficulty results from not having any guarantees about the current state of an object. % Objects can be internally composed of pointers that may reference resources which may or may not need to be manually released, and keeping track of that state for each object can be difficult for the end user. % Constructors and destructors provide a mechanism to bookend the lifetime of an object, allowing the designer of a type to establish invariants for objects of that type. % Constructors guarantee that object initialization code is run before the object can be used, while destructors provide a mechanism that is guaranteed to be run immediately before an object's lifetime ends. % Constructors and destructors can help to simplify resource management when used in a disciplined way. % In particular, when all resources are acquired in a constructor, and all resources are released in a destructor, no resource leaks are possible. % This pattern is a popular idiom in several languages, such as \CC, known as RAII (Resource Acquisition Is Initialization). This chapter details the design of constructors and destructors in \CFA, along with their current implementation in the translator. Generated code samples have been edited to provide comments for clarity and to save on space. Generated code samples have been edited for clarity and brevity. \section{Design Criteria} Next, @x@ is assigned the value of @y@. In the last line, @z@ is implicitly initialized to 0 since it is marked @static@. The key difference between assignment and initialization being that assignment occurs on a live object (i.e. an object that contains data). The key difference between assignment and initialization being that assignment occurs on a live object (\ie, an object that contains data). It is important to note that this means @x@ could have been used uninitialized prior to being assigned, while @y@ could not be used uninitialized. Use of uninitialized variables yields undefined behaviour, which is a common source of errors in C programs. % TODO: *citation* Declaration initialization is insufficient, because it permits uninitialized variables to exist and because it does not allow for the insertion of arbitrary code before the variable is live. Many C compilers give good warnings most of the time, but they cannot in all cases. \begin{cfacode} int f(int *);  // never reads the parameter, only writes int g(int *);  // reads the parameter - expects an initialized variable Use of uninitialized variables yields undefined behaviour, which is a common source of errors in C programs. Initialization of a declaration is strictly optional, permitting uninitialized variables to exist. Furthermore, declaration initialization is limited to expressions, so there is no way to insert arbitrary code before a variable is live, without delaying the declaration. Many C compilers give good warnings for uninitialized variables most of the time, but they cannot in all cases. \begin{cfacode} int f(int *);  // output parameter: never reads, only writes int g(int *);  // input parameter: never writes, only reads, // so requires initialized variable int x, y; f(&x);  // okay - only writes to x g(&y);  // will use y uninitialized \end{cfacode} Other languages are able to give errors in the case of uninitialized variable use, but due to backwards compatibility concerns, this cannot be the case in \CFA. In C, constructors and destructors are often mimicked by providing routines that create and teardown objects, where the teardown function is typically only necessary if the type modifies the execution environment. g(&y);  // uses y uninitialized \end{cfacode} Other languages are able to give errors in the case of uninitialized variable use, but due to backwards compatibility concerns, this is not the case in \CFA. In C, constructors and destructors are often mimicked by providing routines that create and tear down objects, where the tear down function is typically only necessary if the type modifies the execution environment. \begin{cfacode} struct array_int { }; struct array_int create_array(int sz) { return (struct array_int) { malloc(sizeof(int)*sz) }; return (struct array_int) { calloc(sizeof(int)*sz) }; } void destroy_rh(struct resource_holder * rh) { Furthermore, even with this idiom it is easy to make mistakes, such as forgetting to destroy an object or destroying it multiple times. A constructor provides a way of ensuring that the necessary aspects of object initialization is performed, from setting up invariants to providing compile-time checks for appropriate initialization parameters. A constructor provides a way of ensuring that the necessary aspects of object initialization is performed, from setting up invariants to providing compile- and run-time checks for appropriate initialization parameters. This goal is achieved through a guarantee that a constructor is called implicitly after every object is allocated from a type with associated constructors, as part of an object's definition. Since a constructor is called on every object of a managed type, it is impossible to forget to initialize such objects, as long as all constructors perform some sensible form of initialization. In \CFA, a constructor is a function with the name @?{}@. Like other operators in \CFA, the name represents the syntax used to call the constructor, \eg, @struct S = { ... };@. Every constructor must have a return type of @void@ and at least one parameter, the first of which is colloquially referred to as the \emph{this} parameter, as in many object-oriented programming-languages (however, a programmer can give it an arbitrary name). The @this@ parameter must have a pointer type, whose base type is the type of object that the function constructs. In C, if the user creates an @Array@ object, the fields @data@ and @len@ are uninitialized, unless an explicit initializer list is present. It is the user's responsibility to remember to initialize both of the fields to sensible values. It is the user's responsibility to remember to initialize both of the fields to sensible values, since there are no implicit checks for invalid values or reasonable defaults. In \CFA, the user can define a constructor to handle initialization of @Array@ objects. This constructor initializes @x@ so that its @length@ field has the value 10, and its @data@ field holds a pointer to a block of memory large enough to hold 10 @int@s, and sets the value of each element of the array to 0. This particular form of constructor is called the \emph{default constructor}, because it is called on an object defined without an initializer. In other words, a default constructor is a constructor that takes a single argument, the @this@ parameter. In \CFA, a destructor is a function much like a constructor, except that its name is \lstinline!^?{}!. A destructor for the @Array@ type can be defined as such. In other words, a default constructor is a constructor that takes a single argument: the @this@ parameter. In \CFA, a destructor is a function much like a constructor, except that its name is \lstinline!^?{}! and it takes only one argument. A destructor for the @Array@ type can be defined as: \begin{cfacode} void ^?{}(Array * arr) { } \end{cfacode} Since the destructor is automatically called at deallocation for all objects of type @Array@, the memory associated with an @Array@ is automatically freed when the object's lifetime ends. The destructor is automatically called at deallocation for all objects of type @Array@. Hence, the memory associated with an @Array@ is automatically freed when the object's lifetime ends. The exact guarantees made by \CFA with respect to the calling of destructors are discussed in section \ref{sub:implicit_dtor}. \end{cfacode} By the previous definition of the default constructor for @Array@, @x@ and @y@ are initialized to valid arrays of length 10 after their respective definitions. On line 3, @z@ is initialized with the value of @x@, while on line @4@, @y@ is assigned the value of @x@. On line 2, @z@ is initialized with the value of @x@, while on line 3, @y@ is assigned the value of @x@. The key distinction between initialization and assignment is that a value to be initialized does not hold any meaningful values, whereas an object to be assigned might. In particular, these cases cannot be handled the same way because in the former case @z@ does not currently own an array, while @y@ does. The first function is called a \emph{copy constructor}, because it constructs its argument by copying the values from another object of the same type. The second function is the standard copy-assignment operator. These four functions are special in that they control the state of most objects. The four functions (default constructor, destructor, copy constructor, and assignment operator) are special in that they safely control the state of most objects. It is possible to define a constructor that takes any combination of parameters to provide additional initialization options. For example, a reasonable extension to the array type would be a constructor that allocates the array to a given initial capacity and initializes the array to a given @fill@ value. For example, a reasonable extension to the array type would be a constructor that allocates the array to a given initial capacity and initializes the elements of the array to a given @fill@ value. \begin{cfacode} void ?{}(Array * arr, int capacity, int fill) { } \end{cfacode} In \CFA, constructors are called implicitly in initialization contexts. \begin{cfacode} Array x, y = { 20, 0xdeadbeef }, z = y; \end{cfacode} In \CFA, constructor calls look just like C initializers, which allows them to be inserted into legacy C code with minimal code changes, and also provides a very simple syntax that veteran C programmers are familiar with. One downside of reusing C initialization syntax is that it isn't possible to determine whether an object is constructed just by looking at its declaration, since that requires knowledge of whether the type is managed at that point. Constructor calls look just like C initializers, which allows them to be inserted into legacy C code with minimal code changes, and also provides a very simple syntax that veteran C programmers are familiar with. One downside of reusing C initialization syntax is that it is not possible to determine whether an object is constructed just by looking at its declaration, since that requires knowledge of whether the type is managed at that point in the program. This example generates the following code Destructors are implicitly called in reverse declaration-order so that objects with dependencies are destructed before the objects they are dependent on. \subsection{Syntax} \label{sub:syntax} % TODO: finish this section \subsection{Calling Syntax} \label{sub:syntax} There are several ways to construct an object in \CFA. As previously introduced, every variable is automatically constructed at its definition, which is the most natural way to construct an object. A * y = malloc();  // copy construct: ?{}(&y, malloc()) ?{}(&x);    // explicit construct x ?{}(y, x);  // explit construct y from x ^?{}(&x);   // explicit destroy x ?{}(&x);    // explicit construct x, second construction ?{}(y, x);  // explit construct y from x, second construction ^?{}(&x);   // explicit destroy x, in different order ^?{}(y);    // explicit destroy y // implicit ^?{}(&x); \end{cfacode} Calling a constructor or destructor directly is a flexible feature that allows complete control over the management of a piece of storage. Calling a constructor or destructor directly is a flexible feature that allows complete control over the management of storage. In particular, constructors double as a placement syntax. \begin{cfacode} \end{cfacode} Finally, constructors and destructors support \emph{operator syntax}. Like other operators in \CFA, the function name mirrors the use-case, in that the first $N$ arguments fill in the place of the question mark. Like other operators in \CFA, the function name mirrors the use-case, in that the question marks are placeholders for the first $N$ arguments. This syntactic form is similar to the new initialization syntax in \CCeleven, except that it is used in expression contexts, rather than declaration contexts. \begin{cfacode} struct A { ... }; Destructor operator syntax is actually an statement, and requires parentheses for symmetry with constructor syntax. One of these three syntactic forms should appeal to either C or \CC programmers using \CFA. \subsection{Constructor Expressions} In \CFA, it is possible to use a constructor as an expression. Like other operators, the function name @?{}@ matches its operator syntax. For example, @(&x){}@ calls the default constructor on the variable @x@, and produces @&x@ as a result. A key example for this capability is the use of constructor expressions to initialize the result of a call to @malloc@. \begin{cfacode} struct X { ... }; void ?{}(X *, double); X * x = malloc(){ 1.5 }; \end{cfacode} In this example, @malloc@ dynamically allocates storage and initializes it using a constructor, all before assigning it into the variable @x@. If this extension is not present, constructing dynamically allocated objects is much more cumbersome, requiring separate initialization of the pointer and initialization of the pointed-to memory. \begin{cfacode} X * x = malloc(); x{ 1.5 }; \end{cfacode} Not only is this verbose, but it is also more error prone, since this form allows maintenance code to easily sneak in between the initialization of @x@ and the initialization of the memory that @x@ points to. This feature is implemented via a transformation producing the value of the first argument of the constructor, since constructors do not themselves have a return value. Since this transformation results in two instances of the subexpression, care is taken to allocate a temporary variable to hold the result of the subexpression in the case where the subexpression may contain side effects. The previous example generates the following code. \begin{cfacode} struct X *_tmp_ctor; struct X *x = ?{}(  // construct result of malloc _tmp_ctor=malloc_T( // store result of malloc sizeof(struct X), _Alignof(struct X) ), 1.5 ), _tmp_ctor; // produce constructed result of malloc \end{cfacode} It should be noted that this technique is not exclusive to @malloc@, and allows a user to write a custom allocator that can be idiomatically used in much the same way as a constructed @malloc@ call. It should be noted that while it is possible to use operator syntax with destructors, destructors invalidate their argument, thus operator syntax with destructors is a statement and does not produce a value. \subsection{Function Generation} In \CFA, every type is defined to have the core set of four functions described previously. In \CFA, every type is defined to have the core set of four special functions described previously. Having these functions exist for every type greatly simplifies the semantics of the language, since most operations can simply be defined directly in terms of function calls. In addition to simplifying the definition of the language, it also simplifies the analysis that the translator must perform. There are several options for user-defined types: structures, unions, and enumerations. To aid in ease of use, the standard set of four functions is automatically generated for a user-defined type after its definition is completed. By auto-generating these functions, it is ensured that legacy C code will continue to work correctly in every context where \CFA expects these functions to exist, since they are generated for every complete type. By auto-generating these functions, it is ensured that legacy C code continues to work correctly in every context where \CFA expects these functions to exist, since they are generated for every complete type. The generated functions for enumerations are the simplest. Since enumerations in C are essentially just another integral type, the generated functions behave in the same way that the builtin functions for the basic types work. % TODO: examples for enums Since enumerations in C are essentially just another integral type, the generated functions behave in the same way that the built-in functions for the basic types work. For example, given the enumeration \begin{cfacode} } void ?{}(enum Colour *_dst, enum Colour _src){ (*_dst)=_src;  // bitwise copy *_dst=_src;  // bitwise copy } void ^?{}(enum Colour *_dst){ } enum Colour ?=?(enum Colour *_dst, enum Colour _src){ return (*_dst)=_src; // bitwise copy return *_dst=_src; // bitwise copy } \end{cfacode} In the future, \CFA will introduce strongly-typed enumerations, like those in \CC. The existing generated routines will be sufficient to express this restriction, since they are currently set up to take in values of that enumeration type. The existing generated routines are sufficient to express this restriction, since they are currently set up to take in values of that enumeration type. Changes related to this feature only need to affect the expression resolution phase, where more strict rules will be applied to prevent implicit conversions from integral types to enumeration types, but should continue to permit conversions from enumeration types to @int@. In this way, it will still be possible to add an @int@ to an enumeration, but the resulting value will be an @int@, meaning that it won't be possible to reassign the value into an enumeration without a cast. In this way, it is still possible to add an @int@ to an enumeration, but the resulting value is an @int@, meaning it cannot be reassigned to an enumeration without a cast. For structures, the situation is more complicated. For a structure @S@ with members @M$_0$@, @M$_1$@, ... @M$_{N-1}$@, each function @f@ in the standard set calls \lstinline{f(s->M$_i$, ...)} for each @$i$@. That is, a default constructor for @S@ default constructs the members of @S@, the copy constructor with copy construct them, and so on. For example given the struct definition Given a structure @S@ with members @M$_0$@, @M$_1$@, ... @M$_{N-1}$@, each function @f@ in the standard set calls \lstinline{f(s->M$_i$, ...)} for each @$i$@. That is, a default constructor for @S@ default constructs the members of @S@, the copy constructor copy constructs them, and so on. For example, given the structure definition \begin{cfacode} struct A { } \end{cfacode} It is important to note that the destructors are called in reverse declaration order to resolve conflicts in the event there are dependencies among members. It is important to note that the destructors are called in reverse declaration order to prevent conflicts in the event there are dependencies among members. In addition to the standard set, a set of \emph{field constructors} is also generated for structures. The field constructors are constructors that consume a prefix of the struct's member list. The field constructors are constructors that consume a prefix of the structure's member-list. That is, $N$ constructors are built of the form @void ?{}(S *, T$_{\text{M}_0}$)@, @void ?{}(S *, T$_{\text{M}_0}$, T$_{\text{M}_1}$)@, ..., @void ?{}(S *, T$_{\text{M}_0}$, T$_{\text{M}_1}$, ..., T$_{\text{M}_{N-1}}$)@, where members are copy constructed if they have a corresponding positional argument and are default constructed otherwise. The addition of field constructors allows structs in \CFA to be used naturally in the same ways that they could be used in C (i.e. to initialize any prefix of the struct), e.g., @A a0 = { b }, a1 = { b, c }@. The addition of field constructors allows structures in \CFA to be used naturally in the same ways as used in C (\ie, to initialize any prefix of the structure), \eg, @A a0 = { b }, a1 = { b, c }@. Extending the previous example, the following constructors are implicitly generated for @A@. \begin{cfacode} \end{cfacode} For unions, the default constructor and destructor do nothing, as it is not obvious which member if any should be constructed. For unions, the default constructor and destructor do nothing, as it is not obvious which member, if any, should be constructed. For copy constructor and assignment operations, a bitwise @memcpy@ is applied. In standard C, a union can also be initialized using a value of the same type as its first member, and so a corresponding field constructor is generated to perform a bitwise @memcpy@ of the object. An alterantive to this design is to always construct and destruct the first member of a union, to match with the C semantics of initializing the first member of the union. An alternative to this design is to always construct and destruct the first member of a union, to match with the C semantics of initializing the first member of the union. This approach ultimately feels subtle and unsafe. Another option is to, like \CC, disallow unions from containing members that are themselves managed types. % This feature works in the \CFA model, since constructors are simply special functions and can be called explicitly, unlike in \CC. % this sentence isn't really true => placement new In \CCeleven, this restriction has been loosened to allow unions with managed members, with the caveat that any if there are any members with a user-defined operation, then that operation is not implicitly defined, forcing the user to define the operation if necessary. In \CCeleven, unions may have managed members, with the caveat that if there are any members with a user-defined operation, then that operation is not implicitly defined, forcing the user to define the operation if necessary. This restriction could easily be added into \CFA once \emph{deleted} functions are added. \subsection{Using Constructors and Destructors} Implicitly generated constructor and destructor calls ignore the outermost type qualifiers, e.g. @const@ and @volatile@, on a type by way of a cast on the first argument to the function. Implicitly generated constructor and destructor calls ignore the outermost type qualifiers, \eg @const@ and @volatile@, on a type by way of a cast on the first argument to the function. For example, \begin{cfacode} Here, @&s@ and @&s2@ are cast to unqualified pointer types. This mechanism allows the same constructors and destructors to be used for qualified objects as for unqualified objects. Since this applies only to implicitly generated constructor calls, the language does not allow qualified objects to be re-initialized with a constructor without an explicit cast. This rule applies only to implicitly generated constructor calls. Hence, explicitly re-initializing qualified objects with a constructor requires an explicit cast. As discussed in Section \ref{sub:c_background}, compound literals create unnamed objects. This mechanism can continue to be used seamlessly in \CFA with managed types to create temporary objects. The object created by a compound literal is constructed using the provided brace-enclosed initializer-list, and is destructed at the end of the scope it is used in. For example, \begin{cfacode} struct A { int x; }; void ?{}(A *, int, int); { int x = (A){ 10, 20 }.x; } \end{cfacode} is equivalent to \begin{cfacode} struct A { int x, y; }; void ?{}(A *, int, int); { A _tmp; ?{}(&_tmp, 10, 20); int x = _tmp.x; ^?{}(&tmp); } \end{cfacode} Unlike \CC, \CFA provides an escape hatch that allows a user to decide at an object's definition whether it should be managed or not. A a2 @= { 0 };  // unmanaged \end{cfacode} In this example, @a1@ is a managed object, and thus is default constructed and destructed at the end of @a1@'s lifetime, while @a2@ is an unmanaged object and is not implicitly constructed or destructed. Instead, @a2->x@ is initialized to @0@ as if it were a C object, due to the explicit initializer. Existing constructors are ignored when \ateq is used, so that any valid C initializer is able to initialize the object. In addition to freedom, \ateq provides a simple path to migrating legacy C code to Cforall, in that objects can be moved from C-style initialization to \CFA gradually and individually. In this example, @a1@ is a managed object, and thus is default constructed and destructed at the start/end of @a1@'s lifetime, while @a2@ is an unmanaged object and is not implicitly constructed or destructed. Instead, @a2->x@ is initialized to @0@ as if it were a C object, because of the explicit initializer. In addition to freedom, \ateq provides a simple path for migrating legacy C code to \CFA, in that objects can be moved from C-style initialization to \CFA gradually and individually. It is worth noting that the use of unmanaged objects can be tricky to get right, since there is no guarantee that the proper invariants are established on an unmanaged object. It is recommended that most objects be managed by sensible constructors and destructors, except where absolutely necessary. When the user declares any constructor or destructor, the corresponding intrinsic/generated function and all field constructors for that type are hidden, so that they will not be found during expression resolution unless the user-defined function goes out of scope. Furthermore, if the user declares any constructor, then the intrinsic/generated default constructor is also hidden, making it so that objects of a type may not be default constructable. This closely mirrors the rule for implicit declaration of constructors in \CC, wherein the default constructor is implicitly declared if there is no user-declared constructor. % TODO: cite C++98 page 186?? When a user declares any constructor or destructor, the corresponding intrinsic/generated function and all field constructors for that type are hidden, so that they are not found during expression resolution until the user-defined function goes out of scope. Furthermore, if the user declares any constructor, then the intrinsic/generated default constructor is also hidden, precluding default construction. These semantics closely mirror the rule for implicit declaration of constructors in \CC, wherein the default constructor is implicitly declared if there is no user-declared constructor \cite[p.~186]{ANSI98:C++}. \begin{cfacode} struct S { int x, y; }; S s0, s1 = { 0 }, s2 = { 0, 2 }, s3 = s2;  // okay { void ?{}(S * s, int i) { s->x = i*2; } S s4;  // error S s5 = { 3 };  // okay S s6 = { 4, 5 };  // error void ?{}(S * s, int i) { s->x = i*2; } // locally hide autogen ctors S s4;  // error, no default constructor S s5 = { 3 };  // okay, local constructor S s6 = { 4, 5 };  // error, no field constructor S s7 = s5; // okay } In this example, the inner scope declares a constructor from @int@ to @S@, which hides the default constructor and field constructors until the end of the scope. When defining a constructor or destructor for a struct @S@, any members that are not explicitly constructed or destructed are implicitly constructed or destructed automatically. When defining a constructor or destructor for a structure @S@, any members that are not explicitly constructed or destructed are implicitly constructed or destructed automatically. If an explicit call is present, then that call is taken in preference to any implicitly generated call. A consequence of this rule is that it is possible, unlike \CC, to precisely control the order of construction and destruction of subobjects on a per-constructor basis, whereas in \CC subobject initialization and destruction is always performed based on the declaration order. A consequence of this rule is that it is possible, unlike \CC, to precisely control the order of construction and destruction of sub-objects on a per-constructor basis, whereas in \CC sub-object initialization and destruction is always performed based on the declaration order. \begin{cfacode} struct A { } \end{cfacode} Finally, it is illegal for a subobject to be explicitly constructed for the first time after it is used for the first time. Finally, it is illegal for a sub-object to be explicitly constructed for the first time after it is used for the first time. If the translator cannot be reasonably sure that an object is constructed prior to its first use, but is constructed afterward, an error is emitted. More specifically, the translator searches the body of a constructor to ensure that every subobject is initialized. More specifically, the translator searches the body of a constructor to ensure that every sub-object is initialized. \begin{cfacode} void ?{}(A * a, double x) { } \end{cfacode} However, if the translator sees a subobject used within the body of a constructor, but does not see a constructor call that uses the subobject as the target of a constructor, then the translator assumes the object is to be implicitly constructed (copy constructed in a copy constructor and default constructed in any other constructor). However, if the translator sees a sub-object used within the body of a constructor, but does not see a constructor call that uses the sub-object as the target of a constructor, then the translator assumes the object is to be implicitly constructed (copy constructed in a copy constructor and default constructed in any other constructor). \begin{cfacode} void ?{}(A * a) { } // z, y, w implicitly destructed, in this order \end{cfacode} If at any point, the @this@ parameter is passed directly as the target of another constructor, then it is assumed that constructor handles the initialization of all of the object's members and no implicit constructor calls are added. % TODO: confirm that this is correct. It might be possible to get subtle errors if you initialize some members then call another constructor... -- in fact, this is basically always wrong. if anything, I should check that such a constructor does not initialize any members, otherwise it'll always initialize the member twice (once locally, once by the called constructor). If at any point, the @this@ parameter is passed directly as the target of another constructor, then it is assumed that constructor handles the initialization of all of the object's members and no implicit constructor calls are added. To override this rule, \ateq can be used to force the translator to trust the programmer's discretion. This form of \ateq is not yet implemented. Despite great effort, some forms of C syntax do not work well with constructors in \CFA. In particular, constructor calls cannot contain designations (see \ref{sub:c_background}), since this is equivalent to allowing designations on the arguments to arbitrary function calls. In C, function prototypes are permitted to have arbitrary parameter names, including no names at all, which may have no connection to the actual names used at function definition. Furthermore, a function prototype can be repeated an arbitrary number of times, each time using different names. \begin{cfacode} // all legal forward declarations in C f(b:10, a:20, c:30);  // which parameter is which? \end{cfacode} In C, function prototypes are permitted to have arbitrary parameter names, including no names at all, which may have no connection to the actual names used at function definition. Furthermore, a function prototype can be repeated an arbitrary number of times, each time using different names. As a result, it was decided that any attempt to resolve designated function calls with C's function prototype rules would be brittle, and thus it is not sensible to allow designations in constructor calls. % Many other languages do allow named arguments, such as Python and Scala, but they do not allow multiple arbitrarily named forward declarations of a function. In addition, constructor calls cannot have a nesting depth greater than the number of array components in the type of the initialized object, plus one. \begin{sloppypar} In addition, constructor calls do not support unnamed nesting. \begin{cfacode} struct B { int x; }; struct C { int y; }; struct A { B b; C c; }; void ?{}(A *, B); void ?{}(A *, C); A a = { { 10 },  // construct B? - invalid }; \end{cfacode} In C, nesting initializers means that the programmer intends to initialize sub-objects with the nested initializers. The reason for this omission is to both simplify the mental model for using constructors, and to make initialization simpler for the expression resolver. If this were allowed, it would be necessary for the expression resolver to decide whether each argument to the constructor call could initialize to some argument in one of the available constructors, making the problem highly recursive and potentially much more expensive. That is, in the previous example the line marked as an error could mean construct using @?{}(A *, B)@ or with @?{}(A *, C)@, since the inner initializer @{ 10 }@ could be taken as an intermediate object of type @B@ or @C@. In practice, however, there could be many objects that can be constructed from a given @int@ (or, indeed, any arbitrary parameter list), and thus a complete solution to this problem would require fully exploring all possibilities. \end{sloppypar} More precisely, constructor calls cannot have a nesting depth greater than the number of array dimensions in the type of the initialized object, plus one. For example, \begin{cfacode} { {14 }, { 15 } }   // a2[1] }; A a3[4] = { { { 11 }, { 12 } },  // error A a3[4] = { // 1 dimension => max depth 2 { { 11 }, { 12 } },  // error, three levels deep { 80 }, { 90 }, { 100 } } \end{cfacode} % TODO: in CFA if the array dimension is empty, no object constructors are added -- need to fix this. The body of @A@ has been omitted, since only the constructor interfaces are important. In C, having a greater nesting depth means that the programmer intends to initialize subobjects with the nested initializer. The reason for this omission is to both simplify the mental model for using constructors, and to make initialization simpler for the expression resolver. If this were allowed, it would be necessary for the expression resolver to decide whether each argument to the constructor call could initialize to some argument in one of the available constructors, making the problem highly recursive and potentially much more expensive. That is, in the previous example the line marked as an error could mean construct using @?{}(A *, A, A)@, since the inner initializer @{ 11 }@ could be taken as an intermediate object of type @A@ constructed with @?{}(A *, int)@. In practice, however, there could be many objects that can be constructed from a given @int@ (or, indeed, any arbitrary parameter list), and thus a complete solution to this problem would require fully exploring all possibilities. It should be noted that unmanaged objects can still make use of designations and nested initializers in \CFA. It is simple to overcome this limitation for managed objects by making use of compound literals, so that the arguments to the constructor call are explicitly typed. \subsection{Implicit Destructors} \label{sub:implicit_dtor} Destructors are automatically called at the end of the block in which the object is declared. In addition to this, destructors are automatically called when statements manipulate control flow to leave a block in which the object is declared, e.g., with return, break, continue, and goto statements. In addition to this, destructors are automatically called when statements manipulate control flow to leave a block in which the object is declared, \eg, with return, break, continue, and goto statements. The example below demonstrates a simple routine with multiple return statements. \begin{cfacode} if (i == 2) return; // destruct x, y } // destruct y } \end{cfacode} %% having this feels excessive, but it's here if necessary % This procedure generates the following code. % \begin{cfacode} % void f(int i){ %   struct A x; %   ?{}(&x); %   { %     struct A y; %     ?{}(&y); %     { %       struct A z; %       ?{}(&z); %       { %         if ((i==0)!=0) { %           ^?{}(&z); %           ^?{}(&y); %           ^?{}(&x); %           return; %         } %       } %       if (((i==1)!=0) { %           ^?{}(&z); %           ^?{}(&y); %           ^?{}(&x); %           return ; %       } %       ^?{}(&z); %     } %     if ((i==2)!=0) { %       ^?{}(&y); %       ^?{}(&x); %       return; %     } %     ^?{}(&y); %   } %   ^?{}(&x); % } % \end{cfacode} } // destruct x \end{cfacode} The next example illustrates the use of simple continue and break statements and the manner that they interact with implicit destructors. \end{cfacode} Since a destructor call is automatically inserted at the end of the block, nothing special needs to happen to destruct @x@ in the case where control reaches the end of the loop. In the case where @i@ is @2@, the continue statement runs the loop update expression and attemps to begin the next iteration of the loop. Since continue is a C statement, which does not understand destructors, a destructor call is added just before the continue statement to ensure that @x@ is destructed. In the case where @i@ is @2@, the continue statement runs the loop update expression and attempts to begin the next iteration of the loop. Since continue is a C statement, which does not understand destructors, it is transformed into a @goto@ statement that branches to the end of the loop, just before the block's destructors, to ensure that @x@ is destructed. When @i@ is @3@, the break statement moves control to just past the end of the loop. Like the previous case, a destructor call for @x@ is inserted just before the break statement. \CFA also supports labelled break and continue statements, which allow more precise manipulation of control flow. Labelled break and continue allow the programmer to specify which control structure to target by using a label attached to a control structure. Unlike the previous case, the destructor for @x@ cannot be reused, so a destructor call for @x@ is inserted just before the break statement. \CFA also supports labeled break and continue statements, which allow more precise manipulation of control flow. Labeled break and continue allow the programmer to specify which control structure to target by using a label attached to a control structure. \begin{cfacode}[emph={L1,L2}, emphstyle=\color{red}] L1: for (int i = 0; i < 10; i++) { A x; L2: for (int j = 0; j < 10; j++) { for (int j = 0; j < 10; j++) { A y; if (j == 0) { continue;    // destruct y } else if (j == 1) { break;       // destruct y } else if (i == 1) { if (i == 1) { continue L1; // destruct y } else if (i == 2) { \end{cfacode} The statement @continue L1@ begins the next iteration of the outer for-loop. Since the semantics of continue require the loop update expression to execute, control branches to the \emph{end} of the outer for loop, meaning that the block destructor for @x@ can be reused, and it is only necessary to generate the destructor for @y@. Break, on the other hand, requires jumping out of the loop, so the destructors for both @x@ and @y@ are generated and inserted before the @break L1@ statement. Since the semantics of continue require the loop update expression to execute, control branches to the end of the outer for loop, meaning that the block destructor for @x@ can be reused, and it is only necessary to generate the destructor for @y@. Break, on the other hand, requires jumping out of both loops, so the destructors for both @x@ and @y@ are generated and inserted before the @break L1@ statement. Finally, an example which demonstrates goto. } \end{cfacode} Labelled break and continue are implemented in \CFA in terms of goto statements, so the more constrained forms are precisely goverened by these rules. All break and continue statements are implemented in \CFA in terms of goto statements, so the more constrained forms are precisely governed by these rules. The next example demonstrates the error case. \subsection{Implicit Copy Construction} \label{s:implicit_copy_construction} When a function is called, the arguments supplied to the call are subject to implicit copy construction (and destruction of the generated temporary), and the return value is subject to destruction. When a value is returned from a function, the copy constructor is called to pass the value back to the call site. Exempt from these rules are intrinsic and builtin functions. Exempt from these rules are intrinsic and built-in functions. It should be noted that unmanaged objects are subject to copy constructor calls when passed as arguments to a function or when returned from a function, since they are not the \emph{target} of the copy constructor call. This is an important detail to bear in mind when using unmanaged objects, and could produce unexpected results when mixed with objects that are explicitly constructed. That is, since the parameter is not marked as an unmanaged object using \ateq, it is be copy constructed if it is returned by value or passed as an argument to another function, so to guarantee consistent behaviour, unmanaged objects must be copy constructed when passed as arguments. These semantics are important to bear in mind when using unmanaged objects, and could produce unexpected results when mixed with objects that are explicitly constructed. \begin{cfacode} struct A; void ^?{}(A *); A f(A x) { return x; A identity(A x) { // pass by value => need local copy return x;       // return by value => make call-site copy } A y, z @= {}; identity(y); identity(z); \end{cfacode} Note that @z@ is copy constructed into a temporary variable to be passed as an argument, which is also destructed after the call. A special syntactic form, such as a variant of \ateq, could be implemented to specify at the call site that an argument should not be copy constructed, to regain some control for the C programmer. identity(y);  // copy construct y into x identity(z);  // copy construct z into x \end{cfacode} Note that unmanaged argument @z@ is logically copy constructed into managed parameter @x@; however, the translator must copy construct into a temporary variable to be passed as an argument, which is also destructed after the call. A compiler could by-pass the argument temporaries since it is in control of the calling conventions and knows exactly where the called-function's parameters live. This generates the following \begin{cfacode} struct A f(struct A x){ struct A _retval_f; ?{}((&_retval_f), x); struct A _retval_f;    // return value ?{}((&_retval_f), x);  // copy construct return value return _retval_f; } struct A y; ?{}(&y); struct A z = { 0 }; struct A _tmp_cp1;     // argument 1 struct A _tmp_cp_ret0; // return value _tmp_cp_ret0=f((?{}(&_tmp_cp1, y) , _tmp_cp1)), _tmp_cp_ret0; ^?{}(&_tmp_cp_ret0);   // return value ^?{}(&_tmp_cp1);       // argument 1 struct A _tmp_cp2;     // argument 1 struct A _tmp_cp_ret1; // return value _tmp_cp_ret1=f((?{}(&_tmp_cp2, z), _tmp_cp2)), _tmp_cp_ret1; ^?{}(&_tmp_cp_ret1);   // return value ^?{}(&_tmp_cp2);       // argument 1 ?{}(&y);                 // default construct struct A z = { 0 };      // C default struct A _tmp_cp1;       // argument 1 struct A _tmp_cp_ret0;   // return value _tmp_cp_ret0=f( (?{}(&_tmp_cp1, y) , _tmp_cp1)  // argument is a comma expression ), _tmp_cp_ret0;         // return value for cascading ^?{}(&_tmp_cp_ret0);     // destruct return value ^?{}(&_tmp_cp1);         // destruct argument 1 struct A _tmp_cp2;       // argument 1 struct A _tmp_cp_ret1;   // return value _tmp_cp_ret1=f( (?{}(&_tmp_cp2, z), _tmp_cp2)  // argument is a common expression ), _tmp_cp_ret1;         // return value for cascading ^?{}(&_tmp_cp_ret1);     // destruct return value ^?{}(&_tmp_cp2);         // destruct argument 1 ^?{}(&y); \end{cfacode} A known issue with this implementation is that the return value of a function is not guaranteed to have the same address for its entire lifetime. Specifically, since @_retval_f@ is allocated and constructed in @f@ then returned by value, the internal data is bitwise copied into the caller's stack frame. A special syntactic form, such as a variant of \ateq, can be implemented to specify at the call site that an argument should not be copy constructed, to regain some control for the C programmer. \begin{cfacode} identity(z@);  // do not copy construct argument // - will copy construct/destruct return value A@ identity_nocopy(A @ x) {  // argument not copy constructed or destructed return x;  // not copy constructed // return type marked @ => not destructed } \end{cfacode} It should be noted that reference types will allow specifying that a value does not need to be copied, however reference types do not provide a means of preventing implicit copy construction from uses of the reference, so the problem is still present when passing or returning the reference by value. A known issue with this implementation is that the argument and return value temporaries are not guaranteed to have the same address for their entire lifetimes. In the previous example, since @_retval_f@ is allocated and constructed in @f@, then returned by value, the internal data is bitwise copied into the caller's stack frame. This approach works out most of the time, because typically destructors need to only access the fields of the object and recursively destroy. It is currently the case that constructors and destructors which use the @this@ pointer as a unique identifier to store data externally will not work correctly for return value objects. Thus is it not safe to rely on an object's @this@ pointer to remain constant throughout execution of the program. It is currently the case that constructors and destructors that use the @this@ pointer as a unique identifier to store data externally do not work correctly for return value objects. Thus, it is currently not safe to rely on an object's @this@ pointer to remain constant throughout execution of the program. \begin{cfacode} A * external_data[32]; } } A makeA() { A x;  // stores &x in external_data return x; } makeA();  // return temporary has a different address than x // equivalent to: //   A _tmp; //   _tmp = makeA(), _tmp; //   ^?{}(&_tmp); \end{cfacode} In the above example, a global array of pointers is used to keep track of all of the allocated @A@ objects. Due to copying on return, the current object being destructed will not exist in the array if an @A@ object is ever returned by value from a function. This problem could be solved in the translator by mutating the function signatures so that the return value is moved into the parameter list. Due to copying on return, the current object being destructed does not exist in the array if an @A@ object is ever returned by value from a function, such as in @makeA@. This problem could be solved in the translator by changing the function signatures so that the return value is moved into the parameter list. For example, the translator could restructure the code like so \begin{cfacode} \end{cfacode} This transformation provides @f@ with the address of the return variable so that it can be constructed into directly. It is worth pointing out that this kind of signature rewriting already occurs in polymorphic functions which return by value, as discussed in \cite{Bilson03}. A key difference in this case is that every function would need to be rewritten like this, since types can switch between managed and unmanaged at different scope levels, e.g. It is worth pointing out that this kind of signature rewriting already occurs in polymorphic functions that return by value, as discussed in \cite{Bilson03}. A key difference in this case is that every function would need to be rewritten like this, since types can switch between managed and unmanaged at different scope levels, \eg \begin{cfacode} struct A { int v; }; A x; // unmanaged A x; // unmanaged, since only trivial constructors are available { void ?{}(A * a) { ... } A z; // unmanaged \end{cfacode} Hence there is not enough information to determine at function declaration to determine whether a type is managed or not, and thus it is the case that all signatures have to be rewritten to account for possible copy constructor and destructor calls. Hence there is not enough information to determine at function declaration whether a type is managed or not, and thus it is the case that all signatures have to be rewritten to account for possible copy constructor and destructor calls. Even with this change, it would still be possible to declare backwards compatible function prototypes with an @extern "C"@ block, which allows for the definition of C-compatible functions within \CFA code, however this would require actual changes to the way code inside of an @extern "C"@ function is generated as compared with normal code generation. Furthermore, it isn't possible to overload C functions, so using @extern "C"@ to declare functions is of limited use. It would be possible to regain some control by adding an attribute to structs which specifies whether they can be managed or not (perhaps \emph{manageable} or \emph{unmanageable}), and to emit an error in the case that a constructor or destructor is declared for an unmanageable type. Ideally, structs should be manageable by default, since otherwise the default case becomes more verbose. Furthermore, it is not possible to overload C functions, so using @extern "C"@ to declare functions is of limited use. It would be possible to regain some control by adding an attribute to structures that specifies whether they can be managed or not (perhaps \emph{manageable} or \emph{unmanageable}), and to emit an error in the case that a constructor or destructor is declared for an unmanageable type. Ideally, structures should be manageable by default, since otherwise the default case becomes more verbose. This means that in general, function signatures would have to be rewritten, and in a select few cases the signatures would not be rewritten. \begin{cfacode} __attribute__((manageable)) struct A { ... };   // can declare constructors __attribute__((unmanageable)) struct B { ... }; // cannot declare constructors struct C { ... };                               // can declare constructors __attribute__((manageable)) struct A { ... };   // can declare ctors __attribute__((unmanageable)) struct B { ... }; // cannot declare ctors struct C { ... };                               // can declare ctors A f();  // rewritten void f(A *); C h();  // rewritten void h(C *); \end{cfacode} An alternative is to instead make the attribute \emph{identifiable}, which states that objects of this type use the @this@ parameter as an identity. This strikes more closely to the visibile problem, in that only types marked as identifiable would need to have the return value moved into the parameter list, and every other type could remain the same. An alternative is to make the attribute \emph{identifiable}, which states that objects of this type use the @this@ parameter as an identity. This strikes more closely to the visible problem, in that only types marked as identifiable would need to have the return value moved into the parameter list, and every other type could remain the same. Furthermore, no restrictions would need to be placed on whether objects can be constructed. \begin{cfacode} __attribute__((identifiable)) struct A { ... };  // can declare constructors struct B { ... };                                // can declare constructors __attribute__((identifiable)) struct A { ... };  // can declare ctors struct B { ... };                                // can declare ctors A f();  // rewritten void f(A *); \end{cfacode} Ultimately, this is the type of transformation that a real compiler would make when generating assembly code. Since a compiler has full control over its calling conventions, it can seamlessly allow passing the return parameter without outwardly changing the signature of a routine. As such, it has been decided that this issue is not currently a priority. Ultimately, both of these are patchwork solutions. Since a real compiler has full control over its calling conventions, it can seamlessly allow passing the return parameter without outwardly changing the signature of a routine. As such, it has been decided that this issue is not currently a priority and will be fixed when a full \CFA compiler is implemented. \section{Implementation} \subsection{Array Initialization} Arrays are a special case in the C type system. Arrays are a special case in the C type-system. C arrays do not carry around their size, making it impossible to write a standalone \CFA function that constructs or destructs an array while maintaining the standard interface for constructors and destructors. Instead, \CFA defines the initialization and destruction of an array recursively. \subsection{Global Initialization} In standard C, global variables can only be initialized to compile-time constant expressions. This places strict limitations on the programmer's ability to control the default values of objects. In standard C, global variables can only be initialized to compile-time constant expressions, which places strict limitations on the programmer's ability to control the default values of objects. In \CFA, constructors and destructors are guaranteed to be run on global objects, allowing arbitrary code to be run before and after the execution of the main routine. By default, objects within a translation unit are constructed in declaration order, and destructed in the reverse order. The default order of construction of objects amongst translation units is unspecified. % TODO: not yet implemented, but g++ provides attribute init_priority, which allows specifying the order of global construction on a per object basis %   https://gcc.gnu.org/onlinedocs/gcc/C_002b_002b-Attributes.html#C_002b_002b-Attributes % suggestion: implement this in CFA by picking objects with a specified priority and pulling them into their own init functions (could even group them by priority level -> map>) and pull init_priority forward into constructor and destructor attributes with the same priority level It is, however, guaranteed that any global objects in the standard library are initialized prior to the initialization of any object in the user program. This feature is implemented in the \CFA translator by grouping every global constructor call into a function with the GCC attribute \emph{constructor}, which performs most of the heavy lifting. % CITE: https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#Common-Function-Attributes It is, however, guaranteed that any global objects in the standard library are initialized prior to the initialization of any object in a user program. This feature is implemented in the \CFA translator by grouping every global constructor call into a function with the GCC attribute \emph{constructor}, which performs most of the heavy lifting \cite[6.31.1]{GCCExtensions}. A similar function is generated with the \emph{destructor} attribute, which handles all global destructor calls. At the time of writing, initialization routines in the library are specified with priority \emph{101}, which is the highest priority level that GCC allows, whereas initialization routines in the user's code are implicitly given the default priority level, which ensures they have a lower priority than any code with a specified priority level. This mechanism allows arbitrarily complicated initialization to occur before any user code runs, making it possible for library designers to initialize their modules without requiring the user to call specific startup or teardown routines. This mechanism allows arbitrarily complicated initialization to occur before any user code runs, making it possible for library designers to initialize their modules without requiring the user to call specific startup or tear-down routines. For example, given the following global declarations. \end{cfacode} %   https://gcc.gnu.org/onlinedocs/gcc/C_002b_002b-Attributes.html#C_002b_002b-Attributes % suggestion: implement this in CFA by picking objects with a specified priority and pulling them into their own init functions (could even group them by priority level -> map>) and pull init_priority forward into constructor and destructor attributes with the same priority level GCC provides an attribute @init_priority@ in \CC, which allows specifying the relative priority for initialization of global objects on a per-object basis. A similar attribute can be implemented in \CFA by pulling marked objects into global constructor/destructor-attribute functions with the specified priority. For example, \begin{cfacode} struct A { ... }; void ?{}(A *, int); void ^?{}(A *); __attribute__((init_priority(200))) A x = { 123 }; \end{cfacode} would generate \begin{cfacode} A x; __attribute__((constructor(200))) __init_x() { ?{}(&x, 123);  // construct x with priority 200 } __attribute__((destructor(200))) __destroy_x() { ?{}(&x);       // destruct x with priority 200 } \end{cfacode} \subsection{Static Local Variables} In standard C, it is possible to mark variables that are local to a function with the @static@ storage class. Unlike normal local variables, a @static@ local variable is defined to live for the entire duration of the program, so that each call to the function has access to the same variable with the same address and value as it had in the previous call to the function. % TODO: mention dynamic loading caveat?? Much like global variables, in C @static@ variables must be initialized to a \emph{compile-time constant value} so that a compiler is able to create storage for the variable and initialize it before the program begins running. Unlike normal local variables, a @static@ local variable is defined to live for the entire duration of the program, so that each call to the function has access to the same variable with the same address and value as it had in the previous call to the function. Much like global variables, @static@ variables can only be initialized to a \emph{compile-time constant value} so that a compiler is able to create storage for the variable and initialize it at compile-time. Yet again, this rule is too restrictive for a language with constructors and destructors. Instead, \CFA modifies the definition of a @static@ local variable so that objects are guaranteed to be live from the time control flow reaches their declaration, until the end of the program, since the initializer expression is not necessarily a compile-time constant, but can depend on the current execution state of the function. Since standard C does not allow access to a @static@ local variable before the first time control flow reaches the declaration, this restriction does not preclude any valid C code. Since the initializer expression is not necessarily a compile-time constant and can depend on the current execution state of the function, \CFA modifies the definition of a @static@ local variable so that objects are guaranteed to be live from the time control flow reaches their declaration, until the end of the program. Since standard C does not allow access to a @static@ local variable before the first time control flow reaches the declaration, this change does not preclude any valid C code. Local objects with @static@ storage class are only implicitly constructed and destructed once for the duration of the program. The object is constructed when its declaration is reached for the first time. Construction of @static@ local objects is implemented via an accompanying @static bool@ variable, which records whether the variable has already been constructed. A conditional branch checks the value of the companion @bool@, and if the variable has not yet been constructed then the object is constructed. The object's destructor is scheduled to be run when the program terminates using @atexit@, and the companion @bool@'s value is set so that subsequent invocations of the function will not reconstruct the object. The object's destructor is scheduled to be run when the program terminates using @atexit@ \footnote{When using the dynamic linker, it is possible to dynamically load and unload a shared library. Since glibc 2.2.3 \cite{atexit}, functions registered with @atexit@ within the shared library are called when unloading the shared library. As such, static local objects can be destructed using this mechanism even in shared libraries on Linux systems.}, and the companion @bool@'s value is set so that subsequent invocations of the function do not reconstruct the object. Since the parameter to @atexit@ is a parameter-less function, some additional tweaking is required. First, the @static@ variable must be hoisted up to global scope and uniquely renamed to prevent name clashes with other global objects. Second, a function is built which calls the destructor for the newly hoisted variable. If necessary, a local structure may need to be hoisted, as well. Second, a function is built that calls the destructor for the newly hoisted variable. Finally, the newly generated function is registered with @atexit@, instead of registering the destructor directly. Since @atexit@ calls functions in the reverse order in which they are registered, @static@ local variables are guaranteed to be destructed in the reverse order that they are constructed, which may differ between multiple executions of the same program. Extending the previous example \begin{cfacode} \end{cfacode} \subsection{Constructor Expressions} In \CFA, it is possible to use a constructor as an expression. Like other operators, the function name @?{}@ matches its operator syntax. For example, @(&x){}@ calls the default constructor on the variable @x@, and produces @&x@ as a result. The significance of constructors as expressions rather than as statements is that the result of a constructor expression can be used as part of a larger expression. A key example is the use of constructor expressions to initialize the result of a call to standard C routine @malloc@. \begin{cfacode} struct X { ... }; void ?{}(X *, double); X * x = malloc(sizeof(X)){ 1.5 }; \end{cfacode} In this example, @malloc@ dynamically allocates storage and initializes it using a constructor, all before assigning it into the variable @x@. If this extension is not present, constructing dynamically allocated objects is much more cumbersome, requiring separate initialization of the pointer and initialization of the pointed-to memory. \begin{cfacode} X * x = malloc(sizeof(X)); x{ 1.5 }; \end{cfacode} Not only is this verbose, but it is also more error prone, since this form allows maintenance code to easily sneak in between the initialization of @x@ and the initialization of the memory that @x@ points to. This feature is implemented via a transformation produceing the value of the first argument of the constructor, since constructors do not themslves have a return value. Since this transformation results in two instances of the subexpression, care is taken to allocate a temporary variable to hold the result of the subexpression in the case where the subexpression may contain side effects. The previous example generates the following code. \begin{cfacode} struct X *_tmp_ctor; struct X *x = ?{}((_tmp_ctor=((_tmp_cp_ret0= malloc(sizeof(struct X))), _tmp_cp_ret0))), 1.5), _tmp_ctor); \end{cfacode} It should be noted that this technique is not exclusive to @malloc@, and allows a user to write a custom allocator that can be idiomatically used in much the same way as a constructed @malloc@ call. It is also possible to use operator syntax with destructors. Unlike constructors, operator syntax with destructors is a statement and thus does not produce a value, since the destructed object is invalidated by the use of a destructor. For example, \lstinline!^(&x){}! calls the destructor on the variable @x@. \subsection{Polymorphism} As mentioned in section \ref{sub:polymorphism}, \CFA currently has 3 type-classes that are used to designate polymorphic data types: @otype@, @dtype@, and @ftype@. In previous versions of \CFA, @otype@ was syntactic sugar for @dtype@ with known size/alignment information and an assignment function. That is, \begin{cfacode} forall(otype T) void f(T); \end{cfacode} was equivalent to \begin{cfacode} forall(dtype T | sized(T) | { T ?=?(T *, T); }) void f(T); \end{cfacode} This allows easily specifying constraints that are common to all complete object-types very simply. Now that \CFA has constructors and destructors, more of a complete object's behaviour can be specified than was previously possible. As such, @otype@ has been augmented to include assertions for a default constructor, copy constructor, and destructor. That is, the previous example is now equivalent to \begin{cfacode} forall(dtype T | sized(T) | { T ?=?(T *, T); void ?{}(T *); void ?{}(T *, T); void ^?{}(T *); }) void f(T); \end{cfacode} These additions allow @f@'s body to create and destroy objects of type @T@, and pass objects of type @T@ as arguments to other functions, following the normal \CFA rules. A point of note here is that objects can be missing default constructors (and eventually other functions through deleted functions), so it is important for \CFA programmers to think carefully about the operations needed by their function, as to not over-constrain the acceptable parameter types and prevent potential reuse.