Unreachable

tauoverpi · March 22, 2024, 3:19pm

Then, before building for production, all I need to do is a quick find or grep for unreachable and then decide how to handle the errors.

This means you did not design for handling errors and you’re instead treating them as exceptional cases which is another issue in itself.

they give me the impression of a highly restricted use of this part of the language, pretty much removing its usefulness in the develop → test → debug phase.

The issue is that that’s exactly the case with unreachable as it’s asserting that the path may not be reached allowing the compiler to play tetris if it ever happens. unreachable for switch prongs is completely fine as long as you guarantee they really are unreachable by either preconditions for the function or checks above the switch. Other uses of unreachable within switch is a wrong use of the tool (this is an absolute due to what it communicates to the compiler). Using it to “discard” was the issue as unreachable is taken as a guarantee that it won’t happen thus if mayFail() actually fails then it could start playing tetris, fire all missles, write a song, and so on as it’s undefined what happens after. Safety checked undefined behaviour doesn’t change that it’s undefined behaviour even if it may feel convenient when prototyping.

A large number of cases in std need to be checked (e.g there’s open discussion on handle impossible errors from the kernel with error.Unexpected instead of unreachable · Issue #6389 · ziglang/zig · GitHub and linked tickets) as quite a few cases may not be unreachable thus std cannot really be used as a quality guide until the process of auditing it has completed (even after there may be issues).

dude_the_builder · March 22, 2024, 3:52pm

Can this happen in Debug or ReleaseSafe? If not, then this Doc clearly covers this in the first bullet point of its intro.

Calder-Ty · March 22, 2024, 4:02pm

Sounds like unreachable is like unsafe in rust, where you are asserting to the compiler some invariants that the compiler can’t itself prove.

Calder-Ty · March 22, 2024, 4:09pm

pub fn func(min: u8, max: u8) u8 {
    // same as `if (min > max) unreachable;`
    std.debug.assert(min <= max);

    var byte: u8 = 0;
    while (byte <= max) : (byte += 1) {
        if (byte >= min) {
            return byte;
        }
    }

    // explicit `unreachable` is required to avoid the error:
    // "function with non-void return type 'u8' implicitly returns"
    unreachable;
}

I’m not sure if I think this is terribly bad, I actually think it illustrates the idea of unreachable being used to assert invariants the compiler can’t/doesn’t keep track of. However it is a recursive use of unreachable. The Second unreachable is only true because there is a previous case (in the assert) where a state was asserted as unreachable. In unsafe release modes, your second assertion would not necessarily be true, and open you up to UB. Would this example be as clear, illustrate the idea, and not contain a hidden problem:

pub fn func(min: u8, max: u8) u8 {
    // same as `if (min > max) unreachable;`
    if (max < min) { 
        @panic("Min can not be greater than max") 
    };

    var byte: u8 = 0;
    while (byte <= max) : (byte += 1) {
        if (byte >= min) {
            return byte;
        }
    }

    // explicit `unreachable` is required to avoid the error:
    // "function with non-void return type 'u8' implicitly returns"
    unreachable;
}

dude_the_builder · March 22, 2024, 4:11pm

Agreed. I think this kind of use is due to the lack of an unimplemented kind of mechanism in the language. Maybe the best alternative is to just:

@compileError("unimplemented");

tauoverpi · March 22, 2024, 4:44pm

The mayFail() catch unreachable text is wrong no matter what the intro says. Including it will have beginners go down the wrong path regardless of the intro as it doesn’t make it any more “correct”. unreachable being reached is illegal behaviour and not an alternative to @panic("this should never fail").

I don’t think communication is working here so I’ll just give up.

github.com/ziglang/zig

terminology update: use the phrase "detectable illegal behavior" rather than "safety-checked undefined behavior"

opened 09:39PM - 01 May 19 UTC

andrewrk

proposal accepted docs

The language reference makes use of the phrase "safety-checked undefined behavio…r" to mean "that which is undefined behavior in ReleaseFast and ReleaseSmall modes but will panic in Debug and ReleaseSafe modes". This is a bit problematic because in the safe build modes, it's actually completely well-defined behavior. It will call the panic handler. Further, it will cause confusion because many people see "undefined behavior" and think it's a weakness of the language, when really it's the opposite - e.g. catching integer overflow bugs wouldn't be possible if it were always defined to be two's complement wraparound arithmetic. I think a better phrase would be "illegal behavior". Illegal Behavior is always Undefined Behavior in the unsafe build modes. Illegal behavior at compile time is always a compile error. In safe build modes, runtime safety checks attempt to detect illegal behavior, but not all kinds of illegal behavior can be detected. Detected illegal behavior is well-defined and calls the panic handler. Undetected illegal behavior is undefined behavior, even in the safe build modes. Instead of "safety-checked undefined behavior" the docs would say "detectable illegal behavior". Related: #1966 #2301

github.com/ziglang/zig

Discussion and better documentation for undefined behavior

opened 12:20AM - 02 Jun 19 UTC

closed 10:29PM - 05 Jun 19 UTC

Paul-Andre

#2402 and #1966 are good. I like the decision to explicitly state that certain o…perations are illegal. Some more things to add to the documentation that would be nice: Defining "undefined behavior" and specifying what the practical implications are. (Can the compiler assume that illegal operations never happen and propagate such assumptions throughout the program leading to unintuitive consequences? Can there be "retroactive" undefined behavior?) Adding some info on Zig's philosophy regarding illegal operations and undefined behavior. (Some of my guesses: Zig allows to encode more assumptions and intentions into the program than C, so detecting illegal behavior in debug mode is good because it forces you to state what you want. And if assumptions are properly stated there shouldn't be that much illegal behavior happening so full on undefined behavior in release mode isn't that bad.) Are all instances of illegal operations bugs? Are there things that are said to cause undefined behavior you'd want to do nonetheless? (I'm guessing yes. Then there should be a distinction between illegal operations and operations that access the underlying platform for which the compiler gives no guarantees.) Finally, and this is more of a question about the design of Zig to Andrew, why make illegal operation cause undefined behavior in release mode instead of some less radical choices? Like simply specifying the behavior (like Rust does for integer overflow in release mode) or having platform-dependent specified behavior (do whatever operation make most sense on the platform) or returning an undefined value. I'm guessing the main argument is to allow as much optimizations as possible. Could you envision a "boringReleaseFast" mode that replaces most occurrences of UB by these other possibilities?

github.com/ziglang/zig

use case: ability to recover from illegal behavior in safe build modes

opened 05:02PM - 23 Oct 19 UTC

mogud

use case

In my situation, most game servers I designed so far use `service` as an abstrac…tion of everything. And millions of service could be in only a single process. For the purpose of robustness, `service` manager catches errors/exceptions from all running services and chooses proper operations to them(kill service or just ignore it). It seems zig will panic at runtime when something like division by zero occurs, and it's not recoverable. So is it possible to add an option for this situation? As far as I know, `nim` has many compiler check switches to make these edge errors as runtime exceptions. `rust` can do `catch_unwind` after a panic. `go` has a `recover()` buitin funtion.

Sze · March 22, 2024, 5:35pm

I don’t like the func example because it seems contrived, the while loop seems unnecessary, isn’t this the same?:

pub fn func(min: u8, max: u8) u8 {
    std.debug.assert(min <= max);
    return min;
}

I think the function always (asserts / hits undefined behavior) or returns min.

Sze · March 22, 2024, 6:02pm

Can be used to indicate that certain, or remaining, switch cases cannot happen.

I think that solves the discussion about the switch cases?
The programmer states/promises/asserts to the compiler that those cases can’t happen.
“be handled” seems like it implies that they could happen just can’t be handled, but in that case you would use @panic.

dude_the_builder · March 22, 2024, 6:16pm

The Language Reference has an example when talking about inline. Maybe it can be used instead.

fn withFor(any: AnySlice) usize {
    const Tag = @typeInfo(AnySlice).Union.tag_type.?;
    inline for (@typeInfo(Tag).Enum.fields) |field| {
        // With `inline for` the function gets generated as
        // a series of `if` statements relying on the optimizer
        // to convert it to a switch.
        if (field.value == @intFromEnum(any)) {
            return @field(any, field.name).len;
        }
    }
    // When using `inline for` the compiler doesn't know that every
    // possible case has been handled requiring an explicit `unreachable`.
    unreachable;
}

tensorush · March 23, 2024, 9:12am

Thanks everyone for your input! I tried to incorporate all of it. Please feel free to point out anything else.

Sze · March 23, 2024, 7:08pm

Thank you, I think it now is very well written!
Also thank you to everyone contributing!

tauoverpi · March 24, 2024, 3:42pm

Last note, catch unreachable can be used when you statically know that an error will not occur for that call. That is, mayFail() catch unreachable cannot fail due to an implementation detail you know about but cannot communicate to the compiler. It’s not ideal (better to add a function which asserts success) but it’s a valid case.

LucasSantos91 · March 24, 2024, 6:04pm

The catch unreachable already is the assertion.

tauoverpi · March 24, 2024, 11:55pm

Think of list.appendAssumeCapacity() which asserts a specific thing rather than “cannot fail”. Intent is clear and less likely to be violated over future updates to the codebase.