On 5 Feb 2016 at 11:34, Gavin Lambert wrote:

> I think what Sam was trying to get at is that instead of declaring
> things in the boost namespace, your abstraction layer should declare
> things in some unique namespace (mostly as typedefs and usings from
> either std:: or boost:: as appropriate), and then your code that depends
> on this should exclusively use your abstraction layer namespace, not the
> boost namespace.
>
> This will avoid generating any conflicts or warnings even if Boost and
> your emulation are included at the same time. Though the potential
> downside is that in cases where you want it to use the Boost version, it
> might not due to the include order, and you could end up with some
> components using Boost and others not (although that should generate
> link errors).

Regarding the macro namespace collision, it's a fair point, but as I
have said more than once now the semantic meaning of the macros is
the same. So BOOST_RV_REF or whatever means and does the exact same
thing, and the warnings are only occurring because the library is
being configured incorrectly anyway. If you configured it right, no
warnings.

There is also no risk at all of link problems because of the
namespace binds. You may or may not remember Gavin that BindLib does
explicit hard binding of a specific version of a dependent library
into the destination namespace, so when Outcome is configured to use
an emulation of Boost.X, it *always* uses that with no effect nor
consequence on any other use of the real Boost.X in the same
translation unit.

AFIO v1 has a unit test where an AFIO built using emulated Boost is
compiled alongside an AFIO built using real Boost in the same
translation unit. It all compiles and links and passes all unit tests
perfectly.

This stuff is very safe and reliable and coexists happily with all
other code. All the normal assumptions about stuff colliding even in
the same translation unit does not apply for any of the BindLib based
libraries. If the C preprocessor namespace were as configurable as
the C++ namespace, I could prevent the above (probably harmless)
warnings, but the language support just isn't there so we are at
where we are at.

Niall

--
ned Productions Limited Consulting
http://www.nedproductions.biz/
http://ie.linkedin.com/in/nialldouglas/

On Tue, Feb 9, 2016 at 3:41 PM, Gavin Lambert <***@compacsort.com> wrote:

> On 10/02/2016 09:04, Emil Dotchevski wrote:
>
>> The use of error codes in low level APIs is a fact of life, since most of
>> that code is written in C anyway. I wouldn't call it optimal in C++, I
>> personally convert error codes into exceptions at the earliest possible
>> opportunity. As for runtime overhead, like I said already, where it
>> matters
>> it can be easily deleted, by inlining; and, in such contexts you need to
>> inline with or without exception handling: I've never seen a case where I
>> could afford the overhead of a function call but could not afford the
>> exception handling overhead in the same function.
>>
>
> The overhead of exception-handling plumbing that is not actually exercised
> is typically minimal and not worth worrying about unless you're in one of
> those contexts where you begrudge every method call, as you've said.
>
> The overhead of a thrown exception is larger, particularly on those
> systems where throwing an exception also captures a stack trace (which is
> incredibly helpful for debugging, but sadly often quite expensive).
>

True, but I'm yet to encounter a case where I'd care about that overhead.
And I don't particularly care how that time compares to the amount of time
the successful path takes, since both of them typically vary significantly
from one platform to another. Assuming we're dealing with an exceptional
situation (something went wrong), that's not a problem.

Besides, I'd happily agree -- in the presence of profiler evidence -- that
if in a given use case exception handling overhead causes problems which
can not be alleviated by inlining a few functions, it shouldn't be used.
This is not because returning error codes is "better": in some cases we
also do need to resort to writing hand-crafted platform-specific assembly,
but we shouldn't argue that we can't use C++ in general because of overhead.


> The overhead of dealing with error return codes for uncommon failures is
> also fairly large, with the risk of ignoring them and ending up in weird
> states.
>
> The trick is to find the balance between them, with the complication that
> it may not be known at the library level which failures are exceptional and
> which are expected. As an example, I can imagine that most applications
> don't want a "delete file" method to throw an exception if the file is
> already absent -- but there might be some transactional systems in which
> that would be a serious problem, and checking for existence beforehand
> might not be sufficient as it would still be a race condition.
>

This reasoning is completely orthogonal to the error reporting design -- it
has to do with correctly defining the postconditions of the function, which
as you point out is domain-specific. Exceptions are used specifically to
enforce postconditions. If the correct postcondition of delete_file is "the
file does not exist", then it is incorrect to throw if the file was missing
to begin with.


> This sort of thing could be a good argument for "degrees of success",
> where eg. the above delete call returns success in both cases but can also
> indicate that the file was already missing and it did nothing. (Which is
> trivial in this case since it can be done with a simple bool return value,
> but you can probably imagine other cases where it might make sense to
> return both a T and a non-error status value of some kind.)


Assuming the correct postcondition for delete_file is "the file does not
exist", and assuming that knowing if the file existed is either important
or trivial for delete_file to detect, the correct interface of that
function is:

//Postconditions: the specified file does not exist.
//Returns: true if the file was actually deleted, false if it did not exist
//Throws: delete_file_error
bool delete_file( char const * name );

This is not "degrees of success", as the condition in which the file did
not exist is not an error.

Emil

_______________________________________________
Unsubscribe & other changes: http://lists.boost.org/mailman/listinfo.cgi/boost

On Wed, Feb 10, 2016 at 10:57 AM, Niall Douglas <***@nedprod.com>
wrote:

> On 9 Feb 2016 at 12:04, Emil Dotchevski wrote:
>
> > It feels strange to have to defend the use of exceptions for reporting
> > errors in C++, on the boost development board of all places. There are
> many
> > other advantages, for example when returning errors there is no such
> thing
> > as error-neutral contexts in your program, which increases coupling. Yes,
> > in some contexts one can't afford to use exceptions, but all general
> > complains that exception handling causes performance or any other
> problems
> > are theoretical, at best.
>
> I've noticed a lot of people taking issue with the overhead of
> exceptions really mean to say they take issue with the
> *indeterminacy* introduced by exceptions, and even that often is
> really a proxy for the phrase "indirect/implicit/hidden/non-obvious
> use of malloc() or free()" which is the main source of unpredictable
> exception throws.
>
> In other words, people don't mind predictable exceptions anything
> like as much as potential unpredictable unknowable overheads.
>
> My current contract has my coworkers highly surprised that fixed
> worst case latency code can be easily written using the STL. They had
> assumed that games and audio development banned use of the STL and
> exceptions due to unpredictable execution times. They are not wrong,
> you just need to learn off which bits of the STL could call malloc or
> have worse than linear execution times and which bits never will, and
> only use the latter in hot code paths. That's really a
> training/familiarity(/maintenance) problem in the end.
>

If such tricky code targets multiple platforms, you should assume that any
standard C or C++ or OS function may allocate memory. Keep in mind that the
standard guarantees overall complexity, rather than the performance of a
specific call. For example, while std::sort is generally O(n log n), it may
allocate memory, and while the speed of that specific allocation is
independent of the number of elements you're sorting, it might be O(n^2)
for some other (possibly much larger) n.

I'd argue that in such tricky use cases you should be more concerned about
asynchronous events like memory allocations and unpredictable OS hitches
than about exception handling overhead. It's true that in some specific
case throwing an exception may be "too slow", but it'd be too slow as a
matter of fact (because the profiler said so) not because of some general
reasoning; and the solution is to not throw in that case, rather than to
avoid exception handling in principle.


> > > With just a little extra libclang tooling (some
> > > of which I plan to write) this style idiom ought to be mathematically
> > > provable as correct in the functional programming sense, which would
> > > be cool, not least for those programming nuclear reactors etc.
> >
> > Could you prove anything mathematically in the presence of side effects
> and
> > pointers?
>
> It's not my field so everything I'm about to say next is hearsay, but
> back during the nuclear reactors certification for QNX (which is
> written in C) I noticed you must always assume that functions you
> call behave as specified and the only goal is to prove the current
> function you are proving is no worse than the things it calls. From
> what I saw, you can't prove a program, but you can prove a program if
> you assume everything it calls is correct and you don't do a long
> list of things in C which would break the proof. They had LLVM based
> tooling which generated the proofs from the AST or flagged code where
> you were doing something not permitted, it appeared to work very
> well.
>
> Obviously C++ is orders of magnitude harder, but with a restrictive
> enough list of things you can't do I'm sure it's achievable. Whether
> such a program would still qualify as C++ is an open question.
>

I'm told that to this day some programs written in Fortran outperform
equivalent C programs, and that's because in the presence of pointers and
side effects it is impossible for the C optimizer to find all possible ways
a piece of memory can change. So, you can reason all you want about errors,
but if your program is in C, you must test; and testing the error path of
the code is extremely tricky. If you don't use exceptions, you're admitting
the possibility for logic errors every time you call a function that may
fail.

Logically, the only thing exception handling does is automatically check
for failures every time you call a function. It's a way to get the compiler
to automatically write if( error ) return error for you. This is a Good
Thing.

Emil

_______________________________________________
Unsubscribe & other changes: http://lists.boost.org/mailman/listinfo.cgi/boost

On 2/11/2016 5:47 AM, Niall Douglas wrote:
> outcome<int> _foo; // contains some value
> int foo;
> if(_foo) foo=_foo.get();
> foo=_foo.get_or(5); // also works

I'm not convinced.

I ran a comparison of a trivial implementation of result with your test
code versus your implementation.
The results weren't pretty.

Here's my test code:
http://ideone.com/JYsSYc

Here's the results (VC2015 /O2 /Ob2)

Trivial:

int main()
{
00007FF7B7053530 sub rsp,48h
00007FF7B7053534 mov rax,qword ptr [__security_cookie
(07FF7B705D020h)]
00007FF7B705353B xor rax,rsp
00007FF7B705353E mov qword ptr [rsp+38h],rax
result<int> _foo = bar();
00007FF7B7053543 lea rcx,[_foo]
00007FF7B7053548 call bar (07FF7B7051172h)
int foo = 0;
00007FF7B705354D xor eax,eax
if ( _foo ) {
00007FF7B705354F lea rcx,[instance (07FF7B705D000h)]
00007FF7B7053556 cmp qword ptr [rsp+30h],rcx
00007FF7B705355B cmove eax,dword ptr [_foo]
foo = _foo.get();
}
return foo;
}
00007FF7B7053560 mov rcx,qword ptr [rsp+38h]
00007FF7B7053565 xor rcx,rsp
00007FF7B7053568 call __security_check_cookie (07FF7B70512A3h)
00007FF7B705356D add rsp,48h
00007FF7B7053571 ret


Boost.Outcome

int main()
{
00007FF6E25C2BB0 mov rax,rsp
00007FF6E25C2BB3 push rbp
00007FF6E25C2BB4 lea rbp,[rax-58h]
00007FF6E25C2BB8 sub rsp,150h
00007FF6E25C2BBF mov qword ptr [rbp-38h],0FFFFFFFFFFFFFFFEh
00007FF6E25C2BC7 mov qword ptr [rax+8],rbx
00007FF6E25C2BCB movaps xmmword ptr [rax-18h],xmm6
00007FF6E25C2BCF mov rax,qword ptr [__security_cookie
(07FF6E25CC010h)]
00007FF6E25C2BD6 xor rax,rsp
00007FF6E25C2BD9 mov qword ptr [rbp+30h],rax
result<int> _foo = bar();
00007FF6E25C2BDD lea rcx,[rbp-50h]
00007FF6E25C2BE1 call bar (07FF6E25C109Bh)
00007FF6E25C2BE6 nop
int foo = 0;
00007FF6E25C2BE7 xor ebx,ebx
if ( _foo ) {
00007FF6E25C2BE9 movzx ecx,byte ptr [rbp-40h]
00007FF6E25C2BED cmp cl,1
00007FF6E25C2BF0 sete al
00007FF6E25C2BF3 test al,al
00007FF6E25C2BF5 je main+267h (07FF6E25C2E17h)
foo = _foo.get();
00007FF6E25C2BFB test cl,cl
00007FF6E25C2BFD setne al
00007FF6E25C2C00 test al,al
00007FF6E25C2C02 jne main+119h (07FF6E25C2CC9h)
00007FF6E25C2C08 mov dword ptr [rsp+20h],2
00007FF6E25C2C10 call boost::outcome::v1_std_std::monad_category
(07FF6E25C10DCh)
00007FF6E25C2C15 mov qword ptr [rsp+28h],rax
00007FF6E25C2C1A movaps xmm0,xmmword ptr [rsp+20h]
00007FF6E25C2C1F movdqa xmmword ptr [rsp+20h],xmm0
00007FF6E25C2C25 lea rdx,[rbp-10h]
00007FF6E25C2C29 lea rcx,[rsp+20h]
foo = _foo.get();
00007FF6E25C2C2E call std::error_code::message (07FF6E25C1190h)
00007FF6E25C2C33 cmp qword ptr [rax+18h],10h
00007FF6E25C2C38 jb main+8Dh (07FF6E25C2C3Dh)
00007FF6E25C2C3A mov rax,qword ptr [rax]
00007FF6E25C2C3D lea rcx,[std::exception::`vftable'
(07FF6E25C9D68h)]
00007FF6E25C2C44 mov qword ptr [rsp+58h],rcx
00007FF6E25C2C49 xor ecx,ecx
00007FF6E25C2C4B mov qword ptr [rsp+60h],rcx
00007FF6E25C2C50 mov qword ptr [rsp+68h],rcx
00007FF6E25C2C55 mov qword ptr [rbp-80h],rax
00007FF6E25C2C59 mov byte ptr [rbp-78h],1
00007FF6E25C2C5D lea rdx,[rsp+60h]
00007FF6E25C2C62 lea rcx,[rbp-80h]
00007FF6E25C2C66 call qword ptr [__imp___std_exception_copy
(07FF6E25CE1C0h)]
00007FF6E25C2C6C lea rax,[std::logic_error::`vftable'
(07FF6E25C9DA0h)]
00007FF6E25C2C73 mov qword ptr [rsp+58h],rax
00007FF6E25C2C78 mov r8,qword ptr [rbp+8]
00007FF6E25C2C7C cmp r8,10h
00007FF6E25C2C80 jb main+0E2h (07FF6E25C2C92h)
00007FF6E25C2C82 inc r8
00007FF6E25C2C85 mov rdx,qword ptr [rbp-10h]
00007FF6E25C2C89 lea rcx,[rbp-10h]
00007FF6E25C2C8D call std::_Wrap_alloc<std::allocator<char>
>::deallocate (07FF6E25C126Ch)
00007FF6E25C2C92 mov qword ptr [rbp+8],0Fh
00007FF6E25C2C9A mov qword ptr [rbp],rbx
00007FF6E25C2C9E mov byte ptr [rbp-10h],bl
00007FF6E25C2CA1 lea
rax,[boost::outcome::v1_std_std::monad_error::`vftable' (07FF6E25C9F08h)]
00007FF6E25C2CA8 mov qword ptr [rsp+58h],rax
00007FF6E25C2CAD movaps xmm0,xmmword ptr [rsp+20h]
00007FF6E25C2CB2 movups xmmword ptr [rsp+70h],xmm0
00007FF6E25C2CB7 lea
rdx,[_TI3?***@v1_std_std@***@boost@@ (07FF6E25CBAB0h)]
00007FF6E25C2CBE lea rcx,[rsp+58h]
00007FF6E25C2CC3 call _CxxThrowException (07FF6E25C4DDEh)
00007FF6E25C2CC8 int 3
00007FF6E25C2CC9 cmp cl,2
00007FF6E25C2CCC sete al
00007FF6E25C2CCF test al,al
00007FF6E25C2CD1 jne main+137h (07FF6E25C2CE7h)
00007FF6E25C2CD3 sub cl,2
00007FF6E25C2CD6 cmp cl,1
00007FF6E25C2CD9 ja main+264h (07FF6E25C2E14h)
00007FF6E25C2CDF test al,al
00007FF6E25C2CE1 je main+264h (07FF6E25C2E14h)
00007FF6E25C2CE7 mov qword ptr [rbp-18h],0Fh
00007FF6E25C2CEF mov qword ptr [rbp-20h],rbx
00007FF6E25C2CF3 mov byte ptr [rbp-30h],bl
00007FF6E25C2CF6 xor r8d,r8d
00007FF6E25C2CF9 lea rdx,[string "" (07FF6E25C9E5Ch)]
00007FF6E25C2D00 lea rcx,[rbp-30h]
00007FF6E25C2D04 call
std::basic_string<char,std::char_traits<char>,std::allocator<char>
>::assign (07FF6E25C1037h)
00007FF6E25C2D09 nop
00007FF6E25C2D0A mov qword ptr [rbp-58h],0Fh
00007FF6E25C2D12 mov qword ptr [rbp-60h],rbx
00007FF6E25C2D16 mov byte ptr [rbp-70h],0
00007FF6E25C2D1A or r9,0FFFFFFFFFFFFFFFFh
00007FF6E25C2D1E xor r8d,r8d
00007FF6E25C2D21 lea rdx,[rbp-30h]
00007FF6E25C2D25 lea rcx,[rbp-70h]
00007FF6E25C2D29 call
std::basic_string<char,std::char_traits<char>,std::allocator<char>
>::assign (07FF6E25C1159h)
00007FF6E25C2D2E movups xmm6,xmmword ptr [rbp-50h]
00007FF6E25C2D32 movups xmmword ptr [rsp+20h],xmm6
00007FF6E25C2D37 lea r8,[rbp-70h]
00007FF6E25C2D3B lea rdx,[rsp+20h]
00007FF6E25C2D40 lea rcx,[rbp+10h]
00007FF6E25C2D44 call std::_System_error::_Makestr
(07FF6E25C11E0h)
00007FF6E25C2D49 cmp qword ptr [rax+18h],10h
00007FF6E25C2D4E jb main+1A3h (07FF6E25C2D53h)
00007FF6E25C2D50 mov rax,qword ptr [rax]
00007FF6E25C2D53 lea rcx,[std::exception::`vftable'
(07FF6E25C9D68h)]
00007FF6E25C2D5A mov qword ptr [rsp+30h],rcx
00007FF6E25C2D5F xor ecx,ecx
00007FF6E25C2D61 mov qword ptr [rsp+38h],rcx
00007FF6E25C2D66 mov qword ptr [rsp+40h],rcx
00007FF6E25C2D6B mov qword ptr [rsp+20h],rax
00007FF6E25C2D70 mov byte ptr [rsp+28h],1
00007FF6E25C2D75 lea rdx,[rsp+38h]
00007FF6E25C2D7A lea rcx,[rsp+20h]
00007FF6E25C2D7F call qword ptr [__imp___std_exception_copy
(07FF6E25CE1C0h)]
00007FF6E25C2D85 lea rax,[std::runtime_error::`vftable'
(07FF6E25C9DC0h)]
00007FF6E25C2D8C mov qword ptr [rsp+30h],rax
00007FF6E25C2D91 mov r8,qword ptr [rbp+28h]
00007FF6E25C2D95 cmp r8,10h
00007FF6E25C2D99 jb main+1FBh (07FF6E25C2DABh)
00007FF6E25C2D9B inc r8
00007FF6E25C2D9E mov rdx,qword ptr [rbp+10h]
00007FF6E25C2DA2 lea rcx,[rbp+10h]
00007FF6E25C2DA6 call std::_Wrap_alloc<std::allocator<char>
>::deallocate (07FF6E25C126Ch)
00007FF6E25C2DAB mov qword ptr [rbp+28h],0Fh
00007FF6E25C2DB3 mov qword ptr [rbp+20h],rbx
00007FF6E25C2DB7 mov byte ptr [rbp+10h],0
00007FF6E25C2DBB lea rax,[std::_System_error::`vftable'
(07FF6E25C9E28h)]
00007FF6E25C2DC2 mov qword ptr [rsp+30h],rax
00007FF6E25C2DC7 movups xmmword ptr [rsp+48h],xmm6
00007FF6E25C2DCC mov r8,qword ptr [rbp-18h]
00007FF6E25C2DD0 cmp r8,10h
00007FF6E25C2DD4 jb main+236h (07FF6E25C2DE6h)
00007FF6E25C2DD6 inc r8
00007FF6E25C2DD9 mov rdx,qword ptr [rbp-30h]
00007FF6E25C2DDD lea rcx,[rbp-30h]
00007FF6E25C2DE1 call std::_Wrap_alloc<std::allocator<char>
>::deallocate (07FF6E25C126Ch)
00007FF6E25C2DE6 mov qword ptr [rbp-18h],0Fh
00007FF6E25C2DEE mov qword ptr [rbp-20h],rbx
00007FF6E25C2DF2 mov byte ptr [rbp-30h],0
00007FF6E25C2DF6 lea rax,[std::system_error::`vftable'
(07FF6E25C9E48h)]
00007FF6E25C2DFD mov qword ptr [rsp+30h],rax
00007FF6E25C2E02 lea rdx,[_TI4?***@std@@
(07FF6E25CB9C8h)]
00007FF6E25C2E09 lea rcx,[rsp+30h]
00007FF6E25C2E0E call _CxxThrowException (07FF6E25C4DDEh)
00007FF6E25C2E13 int 3
00007FF6E25C2E14 mov ebx,dword ptr [rbp-50h]
}
return foo;
00007FF6E25C2E17 mov eax,ebx
}
00007FF6E25C2E19 mov rcx,qword ptr [rbp+30h]
00007FF6E25C2E1D xor rcx,rsp
00007FF6E25C2E20 call __security_check_cookie (07FF6E25C12DFh)
00007FF6E25C2E25 mov rbx,qword ptr [rsp+160h]
00007FF6E25C2E2D movaps xmm6,xmmword ptr [rsp+140h]
00007FF6E25C2E35 add rsp,150h
00007FF6E25C2E3C pop rbp
00007FF6E25C2E3D ret


_______________________________________________
Unsubscribe & other changes: http://lists.boost.org/mailman/listinfo.cgi/boost

On 11 Feb 2016 at 15:20, Emil Dotchevski wrote:

> Niall's motivation is to make code like this safer without resorting to
> exceptions. But the best way such code is made safe is by using exceptions.

Sorry, I have to correct you here as this is an incorrect statement,
and it's my own fault for me not correcting an earlier reply to a
post of mine where you got a false understanding of my position.

Fixed: I *like* exceptions, a lot. Indeed I default to them, as I did
in AFIO v1 for handling all unexpected outcomes. In any new general
purpose C++ I write either now or in the future will exclusively use
exceptions.

However, some of the AFIO v1 peer reviewers wanted a hard semantic
distinction between catastrophic errors and benign failures (I can
see a point here). Other peer reviewers wanted no more than a few
hundred cycles overhead around the raw syscall (I think this daft
personally). Quite a few took issue with the use of shared_ptr to
manage lifetimes (also a daft criticism), and the more insightful
reviewers took particular issue with the high number of allocations
and free per operation performed due to the many stages of type
erasure (I very much agree).

Even though AFIO v2 probably won't go in for peer review on it own, I
have implemented almost all of the peer review feedback. v2 throws no
exceptions, allocates and frees exactly one malloc per operation,
uses no threads and therefore doesn't need shared_ptr, and yes there
are even less than a few hundred cycles overhead around the syscalls
on Windows (not so on POSIX, AIO is shockingly awful and you need to
spend a ton of cycles to make it sane). All possible outcomes from
any AFIO v2 function are as tightly specified as POSIX itself right
down to every potential error emitted.

Outcome is a very large part of achieving this very lightweight AFIO
v2 whilst leveraging as much of the power of C++ as possible in doing
so. I personally speaking think such lightweightness is overkill for
the use cases as file i/o is enormously heavy, but I defer to Boost
peer review judgement. You'll get what you collectively asked for. I
don't personally agree with it, but if one *has* to write this sort
of lightweight C++, then I think Outcome a great help in doing so.

Niall

--
ned Productions Limited Consulting
http://www.nedproductions.biz/
http://ie.linkedin.com/in/nialldouglas/

On 2/11/2016 5:20 PM, Emil Dotchevski wrote:
> On Wed, Feb 10, 2016 at 11:19 PM, Michael Marcin <***@gmail.com>
> wrote:
>
>> On 2/9/2016 3:16 AM, Niall Douglas wrote:
>>
>>>
>>> Something missing from the discussion so far is that
>>> expected/result/outcome MUST throw exceptions! If you try to fetch a
>>> value from a result and it contains an error, there is no alternative
>>> to throwing an exception. This fact is why I don't worry about static
>>> function initialisers and just go ahead and use
>>> error-code-via-system_error throwing constructors, ultimately you
>>> need try...catch in there one way or another.
>>>
>>>
>> There most certainly is an alternative!
>> I certainly don't want this behavior.
>>
>> There's no way that accessing the value of a result<T> without checking
>> for an error is not a programming error.
>> It should be a precondition that to access the value it needs to not
>> contain an error.
>> It should *not* be throwing an exception because you cannot fail to
>> satisfy the postcondition until you meet the preconditions.
>>
>> Undefined-behavior is the appropriate specification for accessing a value
>> from a result that contains an error.
>
>
> It depends what's your goal. If you want to avoid logic errors in error
> handling code (as you should), then you don't want accessing the result
> without checking for error to be undefined behavior.
>
> Consider the following C code:
>
> int * p=(int *)malloc(sizeof(int));
> *p=42;
>
> Of course the correct code is:
>
> int * p=(int *)malloc(sizeof(int));
> if( !p )
> return error;
> *p=42;
>
> Niall's motivation is to make code like this safer without resorting to
> exceptions. But the best way such code is made safe is by using exceptions.
> In C++ you can write:
>
> int * p=new int;
> *p=42;
>
> without invoking undefined behavior, because the compiler will
> automatically generate code that effectively does:
>
> int * p=new int;
> if( !p )
> return error;
> *p=42;

I disagree with your premise that throwing exceptions avoids logic
errors or makes code "safe".

To borrow from Andrzej's blog:
--
One thing that I want to point out is that just checking every possible
“invalid function input” and throwing an exception on it does not
necessarily make the program more correct or safe. It only prevents
crashes, but not bugs. Bugs, in turn, are a sort of UB on the higher
level of abstraction.
--


You likely routinely use "unsafe" code that can lead to UB in the
presence of programming errors.

Do you use std::vector operator[] in your code?
Do you use std::vector iterators?

Maybe you always use std::vector at() to access elements.
If so then I understand your reluctance to deal specify UB.

Writing high performance code requires you to *think*.
In C++ we embrace UB when it is "The Right Thing".

You can certainly add a debug layer to result that can help diagnose
problems (mark if the result was tested for containing a value or error
is some way and assert if it was accessed without such a test).
Much as Microsoft's STL debug iterators are a helpful tool.

But I don't want to pay for them in retail builds.

There's no way I'm going to throw an exception because a raytrace hit an
intersection limit when I need to maintain a consistent 90hz stereo
rendering or risk making my users literally ill. Still it's an error and
needs to be handled gracefully.

If I can't the interface and implementation I want and need out of a
standard or pseudo standard library then I'll have to roll my own but
it's a shame how often I have to do that. It's a large part of why STL
and Boost have terrible reputation in my industry and are outright
banned in many companies.


_______________________________________________
Unsubscribe & other changes: http://lists.boost.org/mailman/listinfo.cgi/boost