P1105R1
Leaving no room for a lower-level language: A C++ Subset

1. Revision History

1.1. r0 -> r1

throw statements now call std::terminate, rather than cause UB. std::terminate was the approach with the least opposition.

typeid(type) now allowed.

Added sections discussing ABI ramifications of changes.

Changed thread-safe statics feature test macro.

Clarifying if constexpr comments. catch blocks will still help determine auto return types.

Added description of potential virtual destructor implementation.

Added frequently raised arguments section.

Added design alternative for program termination.

1.1.1. SG14 telecon polls (July 11, 2018)

Poll 1: get rid of freestanding
0/1/2/9/11

Poll 2: modify freestanding along the lines of the paper, encouragement for further work, agree with most of it
5/13/4/0/0

1.1.2. SG14 post-telecon online poll (July 11-15, 2018)

Poll 3: noexcept should behave differently in environments without exceptions, along the lines of the paper
0/4/3/5/0

Poll 4: make throw UB when exceptions aren’t available
0/3/6/3/1

Poll 5: make throw ill-formed when exceptions aren’t available
1/3/1/5/3

Poll 6: make throw call std::terminate when exceptions aren’t available
0/4/7/2/0

1.1.3. SG14 cppcon meeting (Sep 26, 2018)

2. Introduction

It is my intent that this be the least bad form of dialect, the proper subset. All valid freestanding libraries should be valid hosted libraries with compatible semantics.

This paper proposes making the following features optional: exceptions, parts of the <exception> header, dynamic RTTI, default heap storage, thread local storage, floating point, the atexit family of functions, locked atomics, and thread-safe static initialization.

In [P0829], I propose adding library features to freestanding mode that should work everywhere. This paper covers the removal and modification of features that don’t work everywhere. There is already standards precedent in support.signal for avoiding portions of all the features that I am making optional.

There are years, if not decades of field experience using C++ subsets similar to what I am proposing ([OSR], [APPLE_KERNEL]). The workarounds and compiler switches are mostly available today. The main places where this paper innovates is in places where we can keep more features than current compiler based switches allow.

In theory, this paper would result in large scale code breaks for existing freestanding users. In practice, there are almost no existing freestanding users because the current definition is not serving the stated purpose of working "without the benefit of an operating system". Existing implementations already provide mechanisms for disabling many of the features that this paper proposes to make optional. Updating these implementations to conform to this proposal would leave existing users largely unaffected, except that they would now be using a truly compliant C++ implementation.

I believe that the embedded and kernel C++ community is better served by making features optional, rather than providing conforming, but low quality, highly unsatisfactory implementations. Missing functionality sends a clear signal to library writers, where low quality implementations provide an easier to miss message.

Note that freestanding implementations can (and should) make available all the features that are implementable on their target environment. For example, there are many embedded systems where floating point operations are desirable, but heap allocations are not. Each cluster of features will get its own feature test macro. This has the effect of making all implementations compliant that are "between" the bare minimum freestanding and the full hosted implementation.

3. Value of standardization

First, I will answer those questions with another question: Why bring any proposal into the standard? Presumably the authors of those proposals could get work done without the proposal. Proposal authors are resourceful people, and can probably implement their papers in a fork of an existing compiler or standard library. Yet they go through the hassle and expense of presenting papers to WG21 anyway.

By making freestanding useful, I will be providing a target for toolchain and library authors. Library authors that wish to make their libraries as portable as possible will have a standardized lowest common denominator to write against. Purchasers will be better able to make requests of their vendors for freestanding compliant products. Educators will be better able to teach about the requirements of kernel and embedded programming. Tool vendors can better prioritize work on conforming compiler modes, and possibly reject new, ad-hoc non-conforming modes. Users can get uniform behavior on what is currently an inconsistent set of vendor extensions.

4. Before-and-after tables

4.1. No-change, implementation defined

//namespace scope
struct Obj {
    Obj();
    ~Obj();
};
Obj dynamic_default_init;
int value_init = 42;
int zero_init;

4.2. Well-formed

void caller() {
    try {foo();}
    catch(const std::exception &e) {
        log_exception(e.what());
        throw;
    }
}

typeid(int);

struct B {virtual ~B() {} };
void foo() {B b;}

4.3. Potentially ill-formed

struct B {virtual void f() {}};
struct D : B {virtual void f() {}};
D *func(B *b) {
    return dynamic_cast<D*>(b);
}

#include <typeinfo>
struct B {virtual void f() {}};
const bool func(B &b) {
    return typeid(b) == typeid(int);
}

int foo() {
    thread_local int x = 0;
    ++x;
    return x;
}

double doubler(double x) {
    return x * 2.0;
}

void handler();
void foo() {
    atexit(handler);
}

struct Obj {Obj();};
void foo() {
    static Obj obj;
}

struct BigData {
    int d[16];
};

void foo(
    std::atomic<BigData> &lhs,
    const BigData &rhs)
{lhs = rhs;}

5. Features going optional

The feature macros are somewhat backwards from how the macros are normally defined. The macros are defined when the paper is adopted and the feature is missing. We can’t define the macros in the past to say the features are present. Testing for the "non-feature" macros is a safer and more backwards compatible way of determining whether the following features are present.

5.1. Exceptions

This section applies to "dynamic" exceptions. In other words, the exceptions we have had since C++98. [P0709] could add "static" exceptions. I am keeping static exceptions in mind with this design, but I’m not providing any wording against that proposal.

5.1.1. Why make this optional?

Even when exceptions aren’t thrown, there is a large space cost. Table based exception costs grow roughly in proportion to the size and complexity of the program, and not in the number of throw sites, catch sites, or frames traversed in an exception throw. Since table based exception costs grows with program size, rather than how much it is used, it is not zero overhead. setjmp / longjmp exception size costs are similar in these regards.

See [P0709] for further discussion on the problems with exceptions.

5.1.2. What isn’t changing?

A rethrow without an active exception currently calls std::terminate.

5.1.3. What am I changing (and why)?

Evaluating a throw expression in an environment without exception support calls std::terminate. We allow the programmer to compile with a throw to allow exception neutral code to be shared between freestanding and hosted implementations. The throw should never be evaluated, since we shouldn’t be able to get into a catch block.

We allow throw expressions so that programmers in environments with exceptions can catch the exception, and either translate the exception to another type of exception, rethrow the exception in a "Lippincott" function, or handle the exception some other way. In these cases, we have the expectation that the code will never run in the exceptionless environment.

Implementations are encouraged to produce warnings on any throw expression with operands, as well as allow suppressions for informing the compiler when those throws are actually there for exception translation purposes.

5.1.4. Alternative designs

1. throw UB vs. ill-formed vs. std::terminate

We could make some or all throw expressions ill-formed. The benefit is that compilers could more reliably produce diagnostics. The cost is that it would be more difficult to share exception neutral code between hosted and freestanding. We have experience with this choice in the GCC and clang world with -fno-exceptions.

We could make throw statements UB. UB likely optimizes better than std::terminate. Compilers would be able to remove any code that leads to the UB, reducing overall binary size. We have experience with this choice in the Visual Studio world, when exceptions are disabled.

We have library experience in libc++, libstdc++, and the Visual Studio STL with turning throws into varying forms of terminates.

2. try and catch allowed vs. ill-formed

If we made try and catch ill-formed, we would severely impact the portability of libraries across the exception and non-exception worlds. However, this is basically the status quo today, so we have experience with this pain.

If we adopt everything else in this paper, while banning try and catch, we would be able to claim that freestanding C++ is signal safe C++.

3. Only allow catch(...) and throw;

Logging exceptions and translating exceptions are less common use cases than simple catch and rethrow use cases. Allowing catch(type) takes us down the path of pulling in std::exception, as well as making it difficult to diagnose inappropriate throw obj; statements. Pulling in std::exception means that we must also remove the hard dependency of virtual destructor’s on ::operator delete (see §5.4 Default heap storage).

5.1.5. ABI impact

If an exception is thrown from exception-enabled code, across exception-disabled code, the results are undefined. Structure sizes and mangled names of entities should be unaffected.

5.2. Parts of <exception> header

5.2.1. What isn’t changing?

std::terminate will still be available. Various language features, most recently contracts, rely on std::terminate. Freestanding will keep std::terminate rather than respecify how all those features signal unrecoverable errors.

5.2.2. What am I changing?

• terminate_handler, get_terminate_handler and set_terminate_handler

• uncaught_exceptions

• exception_ptr, current_exception, rethrow_exception, and make_exception_ptr

• bad_exception and nested_exception

• throw_with_nested and rethrow_if_nested

5.2.3. Why?

uncaught_exceptions relies on thread-local storage (see §5.6 Thread local storage). Hard coding a return value of zero would work for existing implementations, but it would close off potential future designs (see §6.1 [P0709] Zero-overhead deterministic exceptions).

The exception_ptr and throw_with_nested facilities require heap allocations and/or thread-local storage.

5.2.4. Alternative designs

1. Omit std::exception and its children.

This alternative would make it so that clients could only catch(...) and catch their own client defined types. This removes the ability of those clients to log or translate exceptions. However, it would likely require less work on the implementation side, seeing as the current exception classes don’t work in kernel and embedded environments.

2. Omit the entire <exception> header.

In addition to the issues in the above alternative, we would also need to ensure that all the other library features and core language features didn’t call std::terminate in freestanding mode.

5.3. Dynamic RTTI

"Dynamic" RTTI is RTTI that requires some form of dynamic dispatch to resolve. In particular, this covers dynamic_cast expressions and typeid(expr) expressions that involve classes with virtual functions. typeid(type) expressions can be resolved without indirection.

5.3.1. What isn’t changing?

5.3.2. What am I changing?

5.3.3. Why?

The slot in the vtable itself is also a place where space is wasted.

If typeid(expr) and dynamic_cast can’t be called, implementations can safely remove the type_info objects, saving space. Some ABIs will even permit reclaiming the vtable slot.

typeid(expr) can throw if used on a null pointer. Since we aren’t allowing typeid(expr), this isn’t a concern.

5.3.4. Alternative designs

5.3.5. ABI impact

An object created in an RTTI-enabled implementation can be passed to a no-RTTI implementation, and the RTTI implementation can use it without any ill-effects. A no-RTTI implementation can create an object, and pass it to an RTTI-enabled implementation, and everything will work fine, so long as typeid and dynamic_cast are not used on the object.

A no-RTTI class can inherit from an RTTI class with no ill-effects. An RTTI-enabled class cannot universally inherit from a no-RTTI class.

typeid(type) across RTTI boundaries can cause trouble on some ABIs. The Microsoft ABI eagerly emits type_info objects and falls back to string comparisons for type_info objects, so it gets by just fine. The Itanium ABI doesn’t always emit type_info objects in each TU, so some cross RTTI-boundary cases will result in missing symbols.

5.4. Default heap storage

5.4.1. What isn’t changing?

5.4.2. What am I changing?

5.4.3. Why?

Many kernel systems have multiple pools of memory, none of which is suitable as a default. In the Microsoft Windows kernel, developers have the choice of paged pool, which is plentiful and dangerous; and non-paged pool, which is safe and scarce. The National Instruments codebase has had experience using each of those options as a default, and both have proven problematic. The Microsoft Visual Studio compiler switch /kernel already implements the lack of default allocation functions. [kernel_switch]

5.4.4. ABI impact

5.5. Virtual destructors

5.5.1. What isn’t changing?

5.5.2. What am I changing?

5.5.3. Why?

5.5.4. How could this virtual destructor ODR-use change be implemented?

Existing linkers already have the ability to take multiple identical virtual table implementations and pick one for use in the final binary. A potential implementation strategy is for compilers and linkers to support a new "weaker" linkage. When the default heap is disabled, the compiler would emit a vtable with a nullptr or pure virtual function in the virtual destructor slot. When new is called, a "stronger" linkage vtable would be emitted that has the deleting destructor in the virtual destructor slot. The linker would then select a vtable with the strongest linkage available. Today’s linkage would be considered "stronger". Only partially filled vtables would have "weaker" linkage.

5.5.5. ABI impact

Shared libraries are trickier. Vtables aren’t always emitted into every translation unit. Take shared library "leaf" that has a default heap. It depends upon shared library "root" that does not have a default heap. If a class with a virtual destructor is defined in "root", along with its "key function", then a call to new on the class in "leaf" will generate an object with a partial vtable. Calling delete on that object will cause UB (usually crashes).

Lack of a default heap should generally be considered a trait of the platform. Mixing this configuration shouldn’t be a common occurrence.

5.6. Thread local storage

5.6.1. What am I changing?

5.6.2. Why?

For embedded platforms, there may not be an operating system. Implementing thread local storage on those platforms would be extra runtime overhead.

For kernel platforms, and drivers in particular, the operating system may be owned by a third party. The third party may not provide arbitrary thread local storage for plugins. Neither Linux, Microsoft Windows, Apple OSX, FreeBSD, nor OpenRTOS support arbitrary thread local storage in the kernel.

5.6.3. ABI impact

Disabling TLS should have no direct effect on the ABI. In programs with mixed TLS settings, the no-TLS code should have no effect on the allocation or use of TLS in the TLS-enabled parts of the code.

If a TLS-enabled function communicates information to callers or callees via TLS, then TLS-disabled code would not be capable of using that communication channel.

5.7. Floating point

5.7.1. What am I changing?

<cfloat> is not required to be present in environments without floating point support. numeric_limits<floating point type> is not required to be present in environments without floating point support.

5.7.2. Why?

In kernel environments, floating point operations are avoided. The system call interface from user mode to kernel mode normally does a partial context switch, where it saves off the old values of registers, so that they can be restored when returning to user mode. In order to make user / kernel transitions fast, operating systems usually don’t automatically save or restore the floating point state. This means that carelessly using floating point in the kernel ends up corrupting the user mode program’s floating point state.

5.7.3. ABI impact

Environments where floating point support is prohibited may need to use different implementations of some common functions. For example, in many environments, memcpy will use vectorized instructions that touch floating point registers. In an environment where floating point is prohibited (like many OS kernels), the implementation of memcpy will need to avoid using floating point registers.

5.8. Program start-up and termination

• __cpp_freestanding_no_static_initialization.

• __cpp_freestanding_no_dynamic_initialization.

• __cpp_freestanding_no_termination.

5.8.1. What isn’t changing

std::abort and std::terminate will remain in the library. _Exit will be in the library assuming [P0829] is accepted.

5.8.2. Rationalization for the status quo

All code which runs before the user’s code could be considered unwanted overhead in some applications. All code that runs after the user’s code could also be considered unwanted overhead. Also, the "early" code that does initialization needs to be written in some language, and if we require zero initialization to happen before anything else, then that excludes C++ from being used to write early startup code.

In practice, I expect zero initialization and static initialization to be the most used freestanding extension.

std::abort and _Exit do not call global destructors, global registration functions, or flush file I/O. std::terminate does not call destructors or flush file I/O, but it does call a global registration function. §5.2 Parts of <exception> header makes the getters and setters for the global registration function optional, so a freestanding std::terminate doesn’t necessarily have a registration function either. That leaves these as three functions that will end the program in an implementation defined way.

5.8.3. What am I changing?

5.8.4. Why?

5.8.5. Alternative designs

If we removed these functions, we would have no way to signal any kind of fatal error. We would need to evaluate what that means for throw statements, contracts, and other language facilities.

We could potentially use technology similar to replaceable ::operator new and ::operator delete. Hosted implementations could provide a replaceable default terminate handler that could be replaced by a user-provided default terminate handler at build time. Freestanding implementations would not provide a default implementation. Usages of facilities that call std::terminate would be ill formed if a default terminate handler were not provided.

5.8.6. ABI impact

Mixing TUs with different startup / termination settings may cause confusion ("Why do some globals get constructed but not others?"), but I do not foresee any ABI problems.

5.9. Language mandated blocking synchronization

• __cpp_freestanding_no_locked_atomics.

• __cpp_freestanding_no_non_global_dynamic_static_init. This implies that __cpp_threadsafe_static_init is undefined.

5.9.1. What am I changing?

In practice, this won’t require changes from toolchain vendors. On unknown environments, the C++ runtime functions necessary to implement locked atomics and dynamic initialization of function statics generally aren’t provided. This results in linker errors, satisfying the ill-formed requirement. This change will make such a toolchain conforming.

This change would break code migrating from C++98 to C++Next, as it will remove function static initialization that previously worked. That same code would likely break in the C++98 to C++11 migration, as the function static initialization would require facilities not present in the environment. Implementations would likely continue to provide compiler flags to aid the migration.

5.9.2. Why?

On a system without an OS, your main blocking choices are disabling interrupts and spin locks. Spin locks are needed to synchronize among multiple hardware threads, and disabling interrupts is required when synchronizing a processor with itself. Neither blocking technique is universally applicable, even when limited to the realm of OS-less systems.

In the Windows kernel, there are multiple types of locks. No one lock type is appropriate in all situations.

The CRECT RTOS [CRECT] doesn’t have independent locks like many other OSes do. All locks are explicitly associated with a particular resource. Jobs must list all resources they use so that scheduling priorities can be calculated at compile-time. This effectively means that a CRECT application has N distinct lock types, used only by that application. None of these locks are known to the maintainers of CRECT, and none of them are known to the C++ runtime. Current compiler ABIs do not provide the C++ runtime with information about the type or address of the function static being initialized.

Some OSes and applications are trying to meet hard real time guarantees. Spin locks and disabled interrupts can add potentially unbounded jitter and latency to time critical operations, even when the operation isn’t performed on a time critical code path.

Some OSes aren’t scheduled in a time-sliced manner. Spin locks on these systems are a bad idea. You could get in the middle of static initialization, get an interrupt that causes you to change threads, then get stuck on the initialization of the same static. Forward progress will be halted until another interrupt happens at some indeterminate point in the future.

All of these concerns are also concerns with regards to signals. support.signal already calls out that locked atomics result in UB when invoked from a signal. Dynamic initialization of a static variable is also UB when invoked from a signal. If we are willing to make special rules for signals, shouldn’t we be willing to make special rules for embedded and kernel... especially if the rules are largely the same?

5.9.3. ABI impact

If this paper had reverted thread-safe statics back to thread-unsafe statics, then there would be typical ODR problems. Making the functions ill-formed avoids that problem though.

6. Related works in progress, and future work

6.1. [P0709] Zero-overhead deterministic exceptions

Efforts were made to not design out static exceptions. If we were to ignore static exceptions and other potential implementations of exceptions, we could provide an implementation of uncaught_exceptions that always returned 0. This would enable scope_success and scope_failure out of [P0052].

6.2. [P0784] Standard containers and constexpr

One possible avenue for the std::allocator special case is for the implementation to provide declarations of all the methods, but provide no implementations. The declarations may prove sufficient for the constexpr use case, while triggering linker errors in the runtime case.

Or maybe, this could be tackled with conditionally constexpr! functions...

6.3. [P1073] constexpr! functions

6.4. [P1066] How to catch an exception_ptr without even try-ing

6.5. Explicit control of program startup and termination

7. Common QoI issues

7.1. Pure virtual functions

7.2. Symbol name length

The C++ standard does not govern name mangling, and this paper makes no concrete recommendations. Implementations should strive to allow users to make useful tradeoffs between symbol name length, legibility, and ABI compatibility.

8. Frequently raised arguments

8.1. C++ doesn’t standardize subsets

support.signal identifies a subset of the language that is usable in signal handlers.

constexpr expressions are a subset of the language and library, with the additional burden of syntax.

Most of <cstdint> is optional. random_device is optionally useful. native_handle functions and native_handle_type typedefs are optional.

8.2. A subset will fracture the C++ user base

8.3. This doesn’t propose one subset, it defines many subsets

This paper proposes one lowest common denominator implementation. Users can rely on that lowest common denominator to exist. This is the one subset the paper defines.

Vendors are allowed to provide hosted features that aren’t in the minimal freestanding subset. This paper provides feature test macros and scoping of the feature test macros. This paper doesn’t go into depth about the interaction of the various hosted features. This paper hints at these many subsets. None of the subsets that are between freestanding and hosted can be relied upon in a standards compliant portable manner. If a user relies on a freestanding implementation that also provides dynamic RTTI (for example), then there is no guarantee that another vendor will provide a subset with the same set of features.

8.4. A dialect will be burdensome to vendors

Vendors are only required to provide one conforming mode. If a vendor doesn’t have a user base that is interested in freestanding, they won’t be forced to provide it in order to be conforming. Conversely, if a vendor’s clients only care about freestanding, those vendors won’t be forced to provide a hosted implementation in order to be conforming.

This proposal does expand the amount of potential work for vendors. A vendor could choose to try and provide a full hosted toolchain, a minimal freestanding toolchain, and many different sets of features in between hosted and minimal freestanding. Which subsets to implement is left to the discretion of the vendor.

8.5. Everybody wants a different subset

8.6. This doesn’t agree with common style guides, like MISRA

8.7. A subset will be burdensome for the committee

On the language front, we should be striving for freestanding compatible in the first place. Language features that are not freestanding compatible are likely not zero-cost abstractions.

On the library front, we should watch for library features that naturally lend themselves to being freestanding, and encourage the authors to design their library as such. Some library features don’t naturally lend themselves to being freestanding though, and that’s fine. I/O facilities and dynamically sized containers are examples of facilities that can safely ignore freestanding mode.

My expectation is that we spend more time worrying about ABI compatibility than we do about what is in freestanding and what isn’t.

9. Acknowledgments