Thinking about how to make Go memory safe without using atomics everywhere: 1. Double bounds check slice indexing: i.e. store length of backing store on heap and check it. 2. Box interface types on heap. 3. Implement maps in Go with no unsafe. I think this works?
Double bounds check could be implemented with cmp/cmovle/cmp to avoid an extra branch, though it will be extremely well predicted anyway.
2 replies 0 retweets 2 likes
Replying to @BrendanEich
So slices are stored inline as (ptr, len, capacity) triples. This is not memory safe because if thread 1 is overwriting a slice value (ptrA, lenA, capA) to point somewhere else, there is a point in time at which thread 2 could read (ptrB, lenA, capA).
2 replies 0 retweets 1 like
Replying to @pcwalton @BrendanEich
This is an arbitrary read/write primitive and is as bad as it sounds. So a double check would fix this, because the size of the underlying allocation could be found from the pointer *alone*, to prevent OOB read/write.
1 reply 0 retweets 3 likes
Replying to @pcwalton @BrendanEich
This does mean that anything sliceable needs some heap metadata. This might be too difficult in practice. So an alternate solution is to make the (ptr, len, cap) triple immutable.
1 reply 0 retweets 1 like
Replying to @pcwalton @BrendanEich
If you were creating Go-like slices in Java, double check is what you would effectively be doing, because the JVM enforces bounds checks on arrays by consulting the underlying allocation.
1 reply 0 retweets 2 likes
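The double bounds check from the replies above, written out as an added Go example (not code from anyone in the thread, and not how the Go runtime works). SafeSlice, backing, Torn and Demo are names chosen here for illustration. The point it shows: a (ptr, off, len) header passed by value can tear under a data race, so a reader may see the pointer of one slice with the length of another; if every access also checks the index against the allocation length reachable from the pointer alone, the torn header fails closed instead of becoming an out-of-bounds read or write. Since the interleaving itself is non-deterministic, Torn builds the torn header directly. Two caveats: the pointer word is assumed to be written atomically (true for a single machine word on today's 64-bit targets), and real Go already bounds-checks the final `s.b.data[phys]` access, so this models the design rather than reproducing an actual OOB.

```go
package main

import "fmt"

// backing is the heap-allocated backing store. Its length is fixed when it
// is allocated and is reachable from the pointer alone, which is what the
// second bounds check relies on.
type backing struct {
	data []byte
}

// SafeSlice models a Go-style slice header: a (ptr, off, len) triple copied
// by value. A data race on a multi-word value can tear it, so a reader may
// observe ptr from one write and off/len from another. Every access checks
// the slice-local length AND the allocation length behind the pointer, so a
// torn header fails closed instead of becoming an out-of-bounds access.
// All methods use value receivers and never mutate the triple, which is the
// "make the triple immutable" alternative mentioned in the thread.
type SafeSlice struct {
	b   *backing
	off int
	n   int
}

// NewSafeSlice allocates a zeroed backing store of the given size.
func NewSafeSlice(size int) SafeSlice {
	return SafeSlice{b: &backing{data: make([]byte, size)}, off: 0, n: size}
}

// Len is the slice-local length (the word that can be torn).
func (s SafeSlice) Len() int { return s.n }

// index performs the double bounds check and returns the physical index.
// Check 1: i against the header's own length (what a plain slice does).
// Check 2: the resulting index against len(s.b.data), obtained from the
// pointer alone, so it is consistent with whatever allocation ptr points at.
func (s SafeSlice) index(i int) (int, bool) {
	if i < 0 || i >= s.n {
		return 0, false
	}
	phys := s.off + i
	if s.b == nil || phys < 0 || phys >= len(s.b.data) {
		return 0, false
	}
	return phys, true
}

// At reads element i, reporting false instead of reading out of bounds.
func (s SafeSlice) At(i int) (byte, bool) {
	phys, ok := s.index(i)
	if !ok {
		return 0, false
	}
	return s.b.data[phys], true
}

// Set writes element i, reporting false instead of writing out of bounds.
func (s SafeSlice) Set(i int, v byte) bool {
	phys, ok := s.index(i)
	if !ok {
		return false
	}
	s.b.data[phys] = v
	return true
}

// Sub returns s[lo:hi] sharing the same backing store, like Go reslicing.
func (s SafeSlice) Sub(lo, hi int) (SafeSlice, bool) {
	if lo < 0 || hi < lo || hi > s.n {
		return SafeSlice{}, false
	}
	return SafeSlice{b: s.b, off: s.off + lo, n: hi - lo}, true
}

// Torn builds the header a racing reader could observe: the pointer word
// from one value combined with the offset and length words from another.
// It stands in deterministically for the interleaving the thread describes.
func Torn(ptrFrom, lenFrom SafeSlice) SafeSlice {
	return SafeSlice{b: ptrFrom.b, off: lenFrom.off, n: lenFrom.n}
}

// Demo uses a 64-byte slice A and an 8-byte slice B. The torn (ptrB, lenA)
// header claims 64 elements but points at B's 8-byte allocation. It returns
// the torn header, whether At(32) was allowed (must be false) and whether
// At(3) was allowed (true: index 3 lies inside B's allocation).
func Demo() (torn SafeSlice, oobOK bool, inRangeOK bool) {
	a := NewSafeSlice(64)
	b := NewSafeSlice(8)
	torn = Torn(b, a)
	_, oobOK = torn.At(32)    // passes check 1 (32 < 64), fails check 2
	_, inRangeOK = torn.At(3) // passes both checks
	return torn, oobOK, inRangeOK
}

func main() {
	torn, oobOK, inRangeOK := Demo()
	fmt.Printf("torn header claims len=%d, backing has %d bytes\n", torn.Len(), len(torn.b.data))
	fmt.Printf("At(32) allowed: %v (expected false), At(3) allowed: %v (expected true)\n", oobOK, inRangeOK)
}
```

The cost the thread worries about is visible in index: every access dereferences the pointer to fetch the allocation length before the data access, which is one extra load and compare per element. The JVM comparison in the reply above is the same shape, since an array bounds check there consults the length stored in the array object itself.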
Replying to @pcwalton
Thanks. Is capacity computable from length for certain size classes? I should go read the impl, but in similar cases I've seen, there's a way to shrink the state to two words.
2 replies 0 retweets 1 like
Replying to @pcwalton @BrendanEich
.NET has Span<T> which in the optimized (read: intrinsic) case is an interior pointer and a length, unoptimized it's like a Go slice. It's a stack only type to prevent any issues with struct tearing.
1 reply 0 retweets 2 likes
Cool! I miss the days when people actually cared about little things like memory safety :\
Replying to @pcwalton @BrendanEich
Span<T> is very recent! Stack restriction makes it memory safe, so some still care?
1 reply 0 retweets 1 like
Replying to @NinoFloris @BrendanEich
I know you all do :) I’m mostly just grousing about recent popular languages…
0 replies 0 retweets 3 likes
End of conversation