ansaurus

Question

Const-correctness and immutable allocated objects

Answer 1

+3 A:

If the object is truly immutable, why give the user the pointer to it and risk an opportunity of corrupt object? Keep the object address in the table, return an opaque handle (an integer table index?) to the user and accept that handle in your library routines.

Nikolai N Fetissov 2010-10-22 18:57:26

Direct pointer references are more efficient.

Keith Randall 2010-10-22 19:15:12

Not using a library or even an OS and running directly on the hardware is even more efficient :)

Nikolai N Fetissov 2010-10-22 19:38:20

also, using an address table either limits the number of allocatable objects or adds complexity for managing table resizing; but yes, this is a valid alternative

Christoph 2010-10-22 19:39:53

Or just cast or `typedef` the address to some `my_secret_handle_type` and return it.

Nikolai N Fetissov 2010-10-22 20:00:21

Yes, if you're going to obscure the reference to p, might as well return (uintptr_t)p, adding an indirection table provides no additional benefit.

Keith Randall 2010-10-22 21:20:40

I can think of some benefits a layer of indirection can provide - permissions gates, virtual dispatch, state changes, whatever. The table itself does not have to be static either.

Nikolai N Fetissov 2010-10-22 22:54:25

Sure, there are plenty of reasons to use an indirection table. Solving the OP's problem isn't one of them.

Keith Randall 2010-10-25 17:44:15

Answer 2

+3 A:

I don't read the same thing in 6.3.2.3. That paragraph is about conversions that happen implicitly and that don't need a casts. So an implicit conversion from a pointer-to-const object may be not permitted, but this says nothing about explicit casts.

Casts are handled in 6.5.4, and I don't see anything that would constrain you from a cast of any pointer-to-const that is by itself not const qualified with (void*). In the contrary it says

Conversions that involve pointers, other than where permitted by the constraints of 6.5.16.1, shall be specified by means of an explicit cast.

So I read there that if you do things explicitly, they are permitted.

So I think the following is completely valid

char const *p = malloc(1);
free((void*)p);

What 6.5.4 forbits would be the following

char *const p = malloc(1);
free((void*)p); /* expression of cast is const qualified */

As a side note, for your second line of thoughts, a library that returns a pointer-to-const qualified object that then is to be placed in the responsibility of the caller, makes not much sense to me. Either

the library returns a pointer to an internal object, then it should qualify it pointer-to-const to have some weak protection that the caller doesn't change it, or
the library returns a freshly allocated object that falls in the responsibility of the caller. Then it shouldn't care much of whether the caller changes it, so it may return a pointer-to-unqualified object. If the caller then wants to ensure that the contents is not accidentally overwritten or something he might assign it to a const pointer, for his use.

Jens Gustedt 2010-10-22 21:00:02

you're right, casting away `const` on function arguments is perfectly valid; I thought of a pointer-to-`const` parameter as a promise to the compiler that the function won't modified the pointed-to object, allowing additional optimizations on the calling side; however, this is only true if the parameter is `restrict`-qualified as well; a plain pointer-to-`const` parameter has no benefit over a non-`const` version in terms of optimization

Christoph 2010-10-23 07:43:27

@schot: ok, I'll try to rephrase.

Jens Gustedt 2010-10-23 14:25:38

Answer 3

A:

If you return a const-qualified pointer, the semantics are that the caller of your function is not permitted to modify the object in any way. That includes freeing it, or passing it to any function in your library that would in turn free it. Yes I'm aware that you could cast away the const qualifier, but then you're breaking the contract that const implies.

R.. 2010-10-23 08:12:54

that's what I came to think as well, but actually, there is no such contract as long as the pointer isn't `restrict`-qualified; as far as I can tell, modifying a non-`const` object (which all allocated objects are) through a pointer-to-`const` by discarding the qualifier is a well-defined operation; this also means that in the past, I should have used `restrict` far more liberally...

Christoph 2010-10-23 09:13:22

Read the last sentence of my answer. As far as I can tell, the cast is valid C and a compiler cannot reject it. But there are lots of things that are valid C but violate the implied contract of `const`. For instance I could make a `strcpy` function that takes `const char *` for both its source and destination arguments and casts away the `const` from the destination to write to it. As long as you only pass modifiable objects, this will work, but it's idiotic. Wherever a `const` pointer is passed, pointers to nonmodifiable objects should be valid in any context where the pointer gets used.

R.. 2010-10-23 19:29:54

@R..: but this contract is not enforced by the C language, ie the contract you speak of is not between you and the compiler (as is the case when declaring `const` objects or `restrict`-qualifying pointers), but between you and the users of your code; this means anything goes as long as it's properly documented; also, in case of opaque types (ie the object definition is hidden), the user can't pass an invalid value to the custom deallocation function by mistake, so I don't really see your point...

Christoph 2010-10-23 20:25:27

I agree, but I still consider it an extremely bad practice to use `const` in ways contrary to its normal contractual meaning, and pretty much equivalent to my `strcpy` example.

R.. 2010-10-24 01:32:09

ansaurus

tags:

views:

answers:

Const-correctness and immutable allocated objects

related questions