AMDG On 11/15/2013 01:58 PM, Niall Douglas wrote:
On 15 Nov 2013 at 13:34, Steven Watanabe wrote:
Let me clarify myself, as I've suddenly realised I was being unclear:
Let there be a DLL exporting function:
struct Foo { ... }; struct MoreFoo : Foo { ... };
MoreFoo &convert(Foo &in) { return static_cast
(in); // upcast to more derived type } Let there be another DLL in which we do:
MoreFoo a; auto b=convert(a); // legal Foo c; auto d=convert(c); // not legal
Where I was coming from was the case of the first DLL: there the compiler cannot know if the inbound Foo & originally came from a MoreFoo or not. It simply must proceed as if it did.
This doesn't prevent miscompiles when you do an illegal cast. The compiler doesn't have to prove that you're doing something illegal to miscompile your code. All it has to do is to say "This code is only legal if condition X holds, therefore I can assume that X is true and optimize accordingly."
That's what I meant by a very common idiom - we write code like the first DLL all the time where we cannot possibly know if we are doing undefined behaviour, because that's on the caller, not us. The shared library boundary makes avoiding this impossible.
Who is "we"? If you write a downcast like this, then the conditions that make it legal have to be considered a precondition of your function. This doesn't obviate the need for the types in the cast to be correct, it just changes who is responsible for it.
If we implement C++ Modules, then it all gets much more interesting, and that's what I was referring to about this idiom being a problem for future C++ features.
In Christ, Steven Watanabe