FFI call semantics #1554
Comments
|
What precisely do you mean when you say "this behavior"? Do you mean "preserve the internal state of But this script would print the same number three times: Even if we restrict ourselves to a single-module-load assumption, it would be tricky to make particular guarantees about the order in which multiple calls to This is a rather contrived example, but this issue could arise in more subtle ways. For instance, if you are lazily evaluating an infinite sequence, the order of evaluation might determine whether This is all to say: I don't think we are planning to deliberately change the behavior of the Cryptol FFI to make something like a |
|
In a nutshell, should I choose to include C functions that are stateful, what I want to know is what semantics can I depend on into the future. You point out that the state is not preserved over module reloads. Good to know, and of course, it makes a lot of sense. Lack of commitment to evaluation order when calling stateful C functions also makes sense. In the case in which one is producing pseudo random numbers, it may be okay that there is no a commitment to an explicit order. If there is no parallelism, can a user depend on reproducibility? Finally, when there is parallelism, one obviously cannot depend on reproducibility. May a user depend on the fact that calls to C code are atomic? Inquiring minds want to know. |
|
My gut feeling is that one should not do this sort of thing. The way I decide what's a "good" FFI function is if the same function could be implemented in Cryptol in some way (no matter how inefficient). If yes, then it's good, otherwise questionable. Of course, nothing prevents one from using questionable functions, and that might work OK for a paritcular configuration (e.g., fixed version of Cryptol/hardware/compilers etc), but this is threading on thin ice. Btw, if the persistent state is not large, one option would be to modify the C function to pass it around (e.g., the seed for the random number generator). |
|
As a long time advocate of pure functional programming, this sort of thing is abhorrent to me too. But you know people are going to do this. The manual should let users know what they can depend on and emphasize the world of hurt they are entering into if they are not careful. |
|
I agree that we should document the pitfalls of using impure functions in the FFI somewhere. I'm not sure if we want to guarantee anything about the behavior of impure FFI functions at this point, other than a generic "you are on your own" disclaimer. |
RyanGlScott
added
the
docs
This is a disclaimer that while you _can_ use impure functions in the Cryptol FFI, we make no guarantees about the precise behavior of the side effects that they functions may perform. Fixes #1554.
|
I've submitted #1558 with a clarification to the reference manual. |
This is a disclaimer that while you _can_ use impure functions in the Cryptol FFI, we make no guarantees about the precise behavior of the side effects that they functions may perform. Fixes #1554.
The FFI is supposed to be used with stateless C functions so as to ensure referential transparency. However, there is a use case in which one wants to use a stateful C routine to generate a sequence of random values by repeatedly calling the C function with a call of the same form. Here is an example.
Suppose you load the K&R rand function that is available on the net with:
Currently, in the interpreter, if one types
rand ()repeatedly, one gets different values.Where
rand.batisAre future versions of cryptol guaranteed to preserve this behavior?
The text was updated successfully, but these errors were encountered: