Use C++ protection features to enforce abstraction boundaries

Comments (7)

1. 

   Dan Bonachea reporter

   This was discussed in the 2019-12-04 Pagoda meeting.

   With regards to the global_ptr fields in particular, John explained that these fields are currently declared public because it simplifies usage internal to the runtime. The consensus was the current "trailing underscore" naming convention is insufficient to universally convey to our end users that these fields are private and unsupported (as evidenced by multiple independent support threads on the forum). It was noted that the behavior of the raw_ptr_ field values is especially surprising to users who don't understand our deliberately undocumented shared memory mappings.

   @john bachan promised to investigate ways to make these fields less "attractive" to end users with smart editors (who usually won't see any comments in the header), and more obviously "danger, these are unsupported and probably don't behave the way you expect".

   Possibilities include:

   1. Renaming the fields with a more obviously "dangerous" naming convention eg global_ptr::danger_private_raw_ptr
   2. Making the fields private and introducing inline accessor methods in the detail namespace for use by the runtime

   • 2019-12-10T01:06:40+00:00
2. 

   Dan Bonachea reporter

   • changed milestone to 2020.9.0 release

   Bulk roll-over of unresolved issues to next milestone

   • 2020-03-13T03:20:00+00:00
3. 

   Dan Bonachea reporter

   • changed milestone to 2021.3.0 release

   Mass roll-over of open issues to next release milestone

   • 2020-11-18T06:21:46+00:00
4. 

   Amir Kamil

   Now that PR #326 has been merged, here are the remaining public members I’ve been able to find:

   global_ptr<const T, KindSet>::check()
   persona::backend_state_
   persona::cuda_state_
   persona::undischarged_n_
   persona::active()
   persona_scope::the_default_dummy_
   persona_scope::next_
   persona_scope::persona_xor_default_
   persona_scope::next_unique_
   persona_scope::tls
   serialization<T>::existence
   serialization<T>::is_serializable
   serialization_traits<T>::static_ubound
   serialization_traits<T>::static_ubound_t
   
   future1::kind_type
   future1::results_type
   future1::impl_type
   future1::clref_results_refs_or_vals_type
   future1::rref_results_refs_or_vals_type
   future1::result_return_select_type
   future1::future1(impl_type)
   future1::then_lazy()
   

   Of these, I think global_ptr::check() and future1::then_lazy() would look the most enticing to users. I’ll look into protecting them (likely with UPCXX_INTERNAL_ONLY for global_ptr::check() and friend declarations for future1::then_lazy()). I’ll also see how much work it would be to protect the persona and persona_scope members.

   • 2021-03-06T21:23:52+00:00
5. 

   Dan Bonachea reporter

   global_ptr::check() is harmless and provides a sanity check that I actually deliberately added that in the public namespace. I view this as an implementation feature that we could optionally document in docs/implementation-defined.md, although possibly not something for the formal spec.

   The persona and persona_scope internals are alot more dangerous and ideally would be protected somehow (but not if it comes at the cost of additional calls).

   • 2021-03-07T00:01:04+00:00
6. 

   Amir Kamil

   OK, I’ll leave global_ptr::check() alone.

   I will likely look at future1::then_lazy() as part of PR #328, since that moves future1 into the detail namespace.

   I’ll look at persona and persona_scope in a separate PR.

   I don’t think I’ll touch serialization or serialization_traits.

   • 2021-03-07T01:18:39+00:00
7. 

   Dan Bonachea reporter

   • changed status to resolved

   PR 326 and PR 328 have now been merged, which resolves the worst offenders using the agreed-upon enforcement mechanisms.

   • 2021-03-17T19:52:25+00:00
8. Log in to comment