Span improvements (refactoring)

Jun 24, 2020

https://github.com/bitcoin/bitcoin/pull/18468

Host: sipa - PR author: sipa

The PR branch HEAD was 26acc8dd at the time of this review club meeting.

Note: The PR being discussed (#18468: Span Improvements) originally included commit Support conversion between Spans of compatible types that was merged as part of #18591: Add C++17 build to Travis. We will be discussing the changes in that commit as well, as they functionally belong together.

Notes

Today’s PR is the recently merged #18468: Span Improvements. It brings our Span type closer to the functionality of C++20’s proposed std::span and then demonstrates some of its uses by simplifying code that uses it in various places.
A Span can be thought of as a pair composed of a pointer to a data type together with a length, identifying a range of contiguous elements in memory. In many ways it acts like a vector, but it doesn’t own any data — which means no copying of the actual data is involved. It is an extremely lightweight object, but it does come with a cost: higher-level code is responsible for guaranteeing that the pointed-to data is still available.
std::span is a new data type that will likely be part of the upcoming C++20 standard (see the cppreference.com page on std::span). While Bitcoin Core won’t switch to that standard any time soon (we’re currently on C++11 and will be transitioning to C++17 over the next 2 releases), it is a remarkably useful and simple abstraction, which is why we have our own backported version that is compatible with C++11. Span isn’t quite as powerful as std::span, but today’s PR brings it a lot closer.
The gist of the changes is introducing implicit construction of Span objects from range-like objects (arrays, std::array, std::vector, prevector, std::string, etc.) and automatic conversion between Span of compatible member types. Implicit construction and conversion is a powerful but dangerous C++ feature that should be used cautiously. Most of the complexity in the code changes is in making sure these operations cannot be used in dangerous or unexpected ways.
Several other PRs have been merged and proposed that make use of Span. Looking over those may give an intuition for why this data type is so useful:

Questions

Did you review the PR? Concept ACK, approach ACK, tested ACK, or NACK? (You’re always encouraged to put your PR review on GitHub, even after the PR has been merged.)
Do you think Span is a useful abstraction? Can you think of more places where it could be used to simplify existing code?
When reviewing the PR, did you compare with the proposed std::span interface? What differences did you notice?
What condition is imposed on converting Span<T1> into a Span<T2>? Why is it useful to permit such conversion, and what are the risks in doing so unconditionally?
Why is MakeSpan useful? Can’t it be replaced with just invoking the Span::Span constructor?
What are some other examples of features from future C++ versions that have been backported as utility features in the Bitcoin Core codebase?

Meeting Log

13:00

<jnewbery> #startmeeting

13:00

<fjahr> hi

13:00

<felixweis> hi

13:00

<willcl_ark> hi

13:00

<gimballock> hi

13:00

<jnewbery> welcome to review club everyone! Feel free to say hi to let everyone know you're here.

13:00

<hashbasher> 'ello

13:00

<jnewbery> (or just lurk. lurkers welcome here too)

13:00

<emzy> hi

13:00

<michaelfolkson> hi

13:01

<jnewbery> Today we're looking at PR 18468 (Span improvements), although I expect the discussion might touch on other aspects of Spans that aren't specifically in that PR.

13:01

<jnewbery> Notes and questions are in the usual place: https://bitcoincore.reviews/18468.html

13:01

<jkczyz> hi

13:01

<jnewbery> sipa has very kindly offered to host today. He also contributed all of our Span implementation in Bitcoin Core, so he should be able to answer at least some of our questions :)

13:01

<jnewbery> Over to you, sipa

13:01

<raj_> hi

13:01

<sipa> hi

13:02

<sipa> so, today is a bit of an unusual review club, as there is very little bitcoin-specific knowledge involved

13:02

<troygiorshev> hi

13:02

<nehan_> hi

13:02

<sipa> but that's well compensated by needing some nitty gritty details of C++ templates instead...

13:02

<sipa> so, who has had a chance to review the PR?

13:03

<raj_> y

13:03

<fjahr> y

13:03

<troygiorshev> n

13:03

<nehan_> n

13:03

<willcl_ark> y

13:03

<jkczyz> n - mostly lurking today but find the topic interesting

13:03

<emzy> y/n

13:03

<jnewbery> y

13:03

<felixweis> n still looking at the history of span

13:04

<sipa> perhaps some additional last-minute reference material: https://github.com/bitcoin/bitcoin/pull/19367

13:04

<sipa> inspired by things pointed out in the PR, as well as explaining some of its uses

13:05

<sipa> so the first real question: Do you think Span is a useful abstraction? Can you think of more places where it could be used to simplify existing code?

13:05

<amiti> I found 19367 very helpful. thanks for adding!

13:05

<fjahr> Definitely useful but I couldn't come up with good places to use it yet. Anything where we read a lot of data from disk I suspect.

13:06

<jnewbery> +1 19367 is very helpful

13:06

<nehan_> I'd like to understand when a span is better than a pointer or reference to the original datastructure

13:06

<michaelfolkson> Can we quickly first just confirm the motivation for Span? We are concerned with buffer overflows right? And including a size with a pointer ensures these don't occur?

13:06

<willcl_ark> I couldn't tell if Span was improving program performance, or just providing a friendlier interface for the programmer

13:07

<raj_> I am still tumbling over the usefulness part. Can someone explain how is it better than other collection types?

13:07

<jnewbery> willcl_ark: I had the same question. Is the motivation code clarity/safety or performance

13:07

<sipa> raj_: that one is easy to answer: a Span is not a collection!

13:07

<sipa> raj_: it is a reference to a range of elements, but it's cheap to copy/modify/pass around

13:08

<sipa> in a way, it's an alternative (in some cases) to always passing around a pointer/length pair, or a begin iterator/end iterator pair

13:08

<sipa> so when compared to that, i'd say it's a better interface, that's more readable and less prone to errors

13:08

<sipa> but as it's literally just encapsulating a pointer and a length, there is no performance difference to doing that instead

13:09

<jnewbery> right, it doesn't own the data, so it's up to the programmer to not shoot themself in the foot by doing something like using after free

13:09

<willcl_ark> ok, thanks

13:09

<nehan_> sipa: when is it important to have the length/end iterator?

13:09

<andrewtoth> so it is similar to a tuple in other languages?

13:09

<sipa> andrewtoth: no

13:09

<sipa> that'd be std::tuple

13:09

<nehan_> it reminds me a little of a slice in go

13:09

<andrewtoth> ahh thanks

13:09

<sipa> nehan_: i believe it is similar to that

13:10

<sipa> i've seen C++ codebases that had their own span like type named Slice

13:10

<nehan_> however it's super scary because updates to the original object might invalidate the span

13:10

<sipa> as a motivation, let me link to this: https://github.com/bitcoin/bitcoin/pull/19326

13:10

<jnewbery> it could also be called a view

13:11

<sipa> just scrolling through it, you can see dozens of places where we compute a begin and end iterator, and pass both into a function that hashes

13:11

<jnewbery> (in fact, I think the original c++ proposal was called array_view)

13:11

<raj_> +1 jnewbery view seems like a better name to express its nature. specially the scarry parts.

13:12

<sipa> there is a "const char" specific span like object too introduced in c++17, called string_view

13:12

<sipa> which is very similar, but has some string-like operations on it defined for convenience

13:13

<emzy> jnewbery: array_view builds a better image im my mind as slice or sapn. tnx.

13:13

<sipa> michaelfolkson: i wouldn't say that preventing buffer overdlows is the primary motivation... indirectly i expect that more readable code for working with ranges of objects reduces the chance of that, but i'd say readability is the goal

13:14

<willcl_ark> seems also (a little bit!) like a Python memoryview in that case, although not only for streams

13:14

<sipa> fjahr: unsure what disk access has to do with it, as spans always refer to ranges of elements *in memory*

13:15

<hashbasher> +1 nehan's question, when's it important to know the lenght/end iterator?

13:16

<emzy> span is very generic, for every object type?

13:16

<sipa> emzy: indeed

13:16

<michaelfolkson> sipa: Thanks. So is this use case of making the script interpreter independent from CScript possible without Span? Span just makes it easier due to more readable code?

13:16

<sipa> michaelfolkson: exactly

13:16

<michaelfolkson> Cool

13:16

<sipa> for example look at https://github.com/bitcoin/bitcoin/blob/master/src/script/interpreter.cpp#L1525L1558

13:17

<sipa> the script interpreter for witness scripts, it has to deal with a range of elements that are the actual stack, and then a final one that is the script

13:17

<willcl_ark> It certainly seems handy for the experienced programmer, but also seems to introduce some "hidden" pitfalls (which are described in #19367) that you might be more inclined to consider with a pointer/length pair.

13:17

<sipa> instead of code that does iterator arithmetic to keep track of everything

13:18

<willcl_ark> Does it improve performance at all avoiding computing begin/end iterators?

13:18

<fjahr> sipa: I was just thinking of at which points we might want to handle data efficiently and I thought it might be connect with data that gets saved to disk sometimes. But yes, it does not directly make the case to use a span.

13:18

<sipa> you build a span of all the elements, and then extract subspans

13:18

<sipa> hashbasher: say you have an array of 20 bytes, and want to hash them

13:18

<jnewbery> ok, here's an attempt at motivation. sipa, let me know if this is off:

13:19

<sipa> the typical way would be to call a hash function, which you pass a pointer to the beginning of the array, plus the length

13:19

<jnewbery> Often, we'll have data stored in continguous range-like contains (arrays, vactors, ...). There are functions that we want to call with that data, but those functions don't want to care about the specifics of the container, so currently they take a pointer and a size, which the caller needs to fish out of the container.

13:19

<jnewbery> With a Span, and implicit conversion from those containers to Span, the function can just take a Span, the caller can pass any of those range-like containers, and the conversion will take care of it for you.

13:19

<sipa> jnewbery: yeah, good to bring that up - it's a great use case but not the only one

13:19

<sipa> it's a way of writing functions that operate generically on whatever type of container your data is stored in

13:20

<sipa> and an anti-pattern that sometimes emerges is "oh, let's make the function only accept a vector, and if someone has it in some other form, they can construct a vector with a copy of the data" - which is obviously wasteful

13:21

<jnewbery> wasteful and wouldn't work if you wanted to do something non-const with the data

13:21

<sipa> with a span you'd write the function once, and it'll work when called with a vector, or an array, or an std::array, or a prevector, or a uint256, or a CPubKey (the latter two also being types that act as ranges bytes!)

13:22

<willcl_ark> OK that's definitely useful

13:22

<hashbasher> +1 makes much more sense to me now

13:22

<nehan_> sipa: why span instead of generics?

13:23

<sipa> nehan_: by generics you mean templates?

13:23

<nehan_> yes

13:23

<sipa> good question

13:23

<sipa> one is that it forces instantiation at compile time for every type you invoke it with

100

13:24

<sipa> which may be worth it, but in many cases it's also not: if literally all your function needs is a range, there is no reason to instantiate it for vector and prevector and array and ...

101

13:24

<sipa> another is that spans support range-like operations, like subspans

102

13:24

<sipa> which is e.g. heavily relied on in the descriptor parsing code

103

13:25

<sipa> which passes down smaller and smaller spans to the string to be parsed, as it gets dissected

104

13:25

<jnewbery> the downside of instatiating for all types is marginally longer compile times and marginally larger binary size? Anything else?

105

13:26

<sipa> you couldn't do that with templated functions - you'd still need to create copies any time you want to pass down a substring

106

13:26

<sipa> jnewbery: yeah

107

13:26

<sipa> also forcing everything to be in headers

108

13:26

<jnewbery> ah yes

109

13:26

<MarcoFalke> sipa: You could (in theory) put all template instantiations in the cpp file

110

13:26

<MarcoFalke> But that requires knowing them upfront

111

13:26

<sipa> MarcoFalke: yes, yuck :)

112

13:27

<sipa> and as said, that doesn't cover all use cases

113

13:28

<sipa> so perhaps it's reasonable to state it as: a more lightweight alternative to making functions templated over various input types, in case all they need is a range of elements... while simultaneously also supporting passing down sub-ranges

114

13:28

<sipa> perhaps it's time for the next question?

115

13:28

<sipa> When reviewing the PR, did you compare with the proposed std::span interface? What differences did you notice?

116

13:29

<sipa> https://en.cppreference.com/w/cpp/container/span for reference

117

13:29

<jnewbery> ashamed to say that I did not, even though that question was a pretty strong hint I probably should have

118

13:29

<raj_> It doesn't have rbegin, rend and empty.

119

13:29

<fjahr> Extent/size is not a template parameter and we don't have rbegin or rend

120

13:29

<sipa> very good

121

13:29

* sipa fishes for more

122

13:30

<willcl_ark> based on some of the PR comments, it seems like Bitcoin::Span is a subset of std::span

123

13:30

<sipa> indeed

124

13:30

<sipa> let's have a look at the constructors

125

13:30

<sipa> https://en.cppreference.com/w/cpp/container/span/span

126

13:30

<sipa> in particular the first 2

127

13:32

<sipa> they take iterators as arguments

128

13:32

<jnewbery> we don't have a ctor from an iterator?

129

13:32

<sipa> indeed

130

13:32

<sipa> any guess why not?

131

13:32

<jnewbery> Because it's hard to implement without std::address_of

132

13:32

<sipa> as wumpus just discovered in https://github.com/bitcoin/bitcoin/pull/19373 it'd be pretty useful to have iterator-based constructors

133

13:33

<jnewbery> according to a code comment I read somewhere :)

134

13:33

<sipa> what would be the problem with just doing template<typename It> Span(It begin, It end) { return Span<...>(&*begin, &*end); }

135

13:34

<instagibbs> guess: you're de-reffing out of bounds memory location in &*end?

136

13:34

<sipa> instagibbs: bingo

137

13:34

<sipa> end is likely an iterator to the end of an object, which may not be dereferencable

138

13:35

<sipa> std::address_of is added in C++20 that lets you get a pointer to the element an iterator refers to, which deferencing it

139

13:35

<MarcoFalke> Then, why wouldn't Span<...>(&*begin, end-begin) work ( assuming operator& is not overriden)?

140

13:35

<sipa> MarcoFalke: what if begin is not dereferencable?

141

13:36

<MarcoFalke> hm :)

142

13:37

<sipa> you can start special casing the situation where begin==end, and then return a Span(nullptr, 0), and otherwise return Span(&*begin, end-begin)

143

13:37

<sipa> but that leads to more pitfalls, as the span.data() that comes out would be wrong

144

13:38

<sipa> anyone have more comments around this? or anything else we've been discussing?

145

13:38

<willcl_ark> so the difficult case here is an empty array/vector?

146

13:39

<sipa> willcl_ark: or a span at the end of one (e.g. if you have a vector<int> vec{1,2,3}, then span(vec.end(), vec.end()) is expected to be legal

147

13:39

<willcl_ark> ah ok

148

13:39

<raj_> why we are not doing rbegin and rend? or empty by checking if size=0?

149

13:40

<michaelfolkson> I'm assuming if/when Core updates to C++ 20 these differences won't pose a problem? It will just be unusued functionality?

150

13:40

<sipa> raj_: why not rbegin/rend? simply because we haven't encountered a use

151

13:40

<troygiorshev> When would begin not be dereferenceable? naively that doesn't sound like a very useful iterator

152

13:40

<sipa> troygiorshev: just gave an example Span<...>(vec.end(), vec.end()) is expected to be legal

153

13:40

<sipa> and begin here is the vector's end

154

13:41

<MarcoFalke> michaelfolkson: I'd presume when (and if) we upgrade to C++10, then span.h will get deleted and replaced by std::span

155

13:41

<troygiorshev> sipa: ah thx

156

13:41

<MarcoFalke> *C++20

157

13:41

<hashbasher> sipa: can you list a few functional areas of bitcoin core that this change benefits?

158

13:41

<sipa> michaelfolkson, MarcoFalke: exactly

159

13:41

<michaelfolkson> MarcoFalke: And it would just slot in easily right?

160

13:41

<sipa> hashbasher: i've given a list of PRs that make use of Span in the notes

161

13:41

<sipa> hashbasher: probably best to look at those

162

13:42

<MarcoFalke> michaelfolkson: jup, because Span claims to be a subset of std::span

163

13:42

<hashbasher> oh ok, i saw that, didn't go through them

164

13:42

<sipa> michaelfolkson: yes, it should pretty much be a drop in replacement

165

13:42

<sipa> ok, next question

166

13:42

<sipa> What condition is imposed on converting Span<T1> into a Span<T2>? Why is it useful to permit such conversion, and what are the risks in doing so unconditionally?

167

13:42

<sipa> this is probably the most advanced C++ question in the series

168

13:43

<sipa> but feel free to guess

169

13:43

<jnewbery> std::is_convertible<T (*)[], C (*)[]

170

13:43

<raj_> if the underlying types are convertible then we do it?

171

13:43

<sipa> which means?

172

13:43

<fjahr> if implicit conversion between the types is possible we can convert, not sure exactly what can go wrong

173

13:43

<jnewbery> can you implicitly convert from a pointer to an array of type T to a pointer to an array of type C

174

13:43

<sipa> not exactly

175

13:43

<sipa> indeed!

176

13:44

<sipa> from *an array* of T to *an array* of C

177

13:44

<sipa> why does this matter? why not just permitting it when a pointer to T can be converted to a pointer to C?

178

13:44

<jnewbery> important because that implicit conversion means that the objects are of the same size and so pointer arithmetic works as you'd expect

179

13:44

<sipa> exactly

180

13:44

<sipa> if you have a parent class A, and a child class B

181

13:45

<sipa> then pointers to B can be converted to pointers to A

182

13:45

<sipa> but A and B may not have the same size, so after converting, pointer arithmetic may end up in the middle of B's elements

183

13:46

<sipa> but why do we want such conversion in the first place?

184

13:46

<jnewbery> I spent a long time scratching my head over the template definitions of the constructors before seeing the comment a few lines below about "pointers to arrays" https://github.com/bitcoin/bitcoin/blob/205b87d2f6bd01285de50ba742e32e4ab1298b13/src/span.h#L53-L57

185

13:46

<MarcoFalke> So array conversion implies implicit conversion?

186

13:46

<sipa> MarcoFalke: yeah, this matches the criterion in std::span, which makes me confident there aren't edge cases left

187

13:47

<sipa> if it's possible to treat an array of T as an array of C (e.g. if you have an array of ints, you can treat it as an array of const ints), then converting a Span of C to a Span of T is also possible

188

13:47

<willcl_ark> well the code comment-given example of converting to const seems reasonable, but I'm not sure about converting to another child class

189

13:48

<sipa> willcl_ark: less useful, but i believe it also permits adding a volatile qualifier

190

13:49

<jnewbery> The commit log confused me: "This prevents constructing a Span<A> given two pointers into an array of B (where B is a subclass of A), at least without explicit cast to pointers to A." I think it is possible to construct Span<A> (as long as those pointers to arrays are implicitly convertible)

191

13:49

<sipa> so if you have an array "B arr[5];"

192

13:50

<sipa> then Span<A>(arr, arr+5) should not work

193

13:50

<jnewbery> or is it literally just conversions between cv-qualifiers?

194

13:50

<sipa> because if you have a function that accepts an array of A, you can't pass it an array of B

195

13:50

<sipa> jnewbery: i haven't come across other useful examples, to be honest

196

13:51

<MarcoFalke> Would "A arr[5]; Span<B>(arr, arr+5);" compile?

197

13:51

<sipa> MarcoFalke: no

198

13:51

<sipa> but B arr[5]; Span<A>((A*)arr, (A*)(arr+5)) will

199

13:51

<jnewbery> ah. "Given two pointers into an array". I think I get it now

200

13:52

<sipa> if you do the pointer casting yourself you bypass the protection (and get garbage)

201

13:52

<MarcoFalke> oh. I guess it might be useful when we want to (e.g.) pass a span of validation interfaces

202

13:52

<sipa> this is an interesting question, why std::span uses 'convertible array' as criterion instead of 'add cv qualifiers'. i don't know the answer

203

13:53

<sipa> MarcoFalke: i'm not sure that'd work

204

13:53

<MarcoFalke> Span<CValidationInterface>{(CValidationInterface*) wallet_array, (CValidationInterface*) (wallet_array+5)};

205

13:53

<fjahr> sorry, was the answer to the risks that the elements could have a different size or was there something else? i think i misunderstood the question that there was something else

206

13:53

<sipa> fjahr: indeed

207

13:53

<fjahr> tyt

208

13:53

<fjahr> ty

209

13:54

<sipa> Why is MakeSpan useful? Can’t it be replaced with just invoking the Span::Span constructor?

210

13:55

<sipa> (and as we're running out of time, a hint: why does C++20 not have an equivalent std::make_span)

211

13:55

<sipa> i guess that's more an extra question than a hint, ignore me!

212

13:56

<petterhs> 0,

213

13:56

<michaelfolkson> It constructs a Span of the right type automatically

214

13:56

<sipa> yep

215

13:56

<MarcoFalke> but why can't the constructor do that?

216

13:56

<willcl_ark> does ::Span not do that?

217

13:57

<sipa> not in C++11

218

13:57

<michaelfolkson> No idea why not in C++20. It isn't, I checked

219

13:57

<sipa> you cannot construct a data type without specifying its template parameters

220

13:57

<sipa> if you try Span(std::vector<int>{1,2,3}) it will complain about missing template

221

13:58

<sipa> however, since C++17, there exists something called deduction guides

222

13:58

<sipa> which are rules that a type can specify to figure out the template argument based on a constructor's arguments

223

13:59

<jnewbery> https://en.cppreference.com/w/cpp/language/class_template_argument_deduction

224

13:59

<sipa> so std::span, which is in C++20, uses those to avoid the need for a make_span

225

13:59

<sipa> and there you can just replace all uses of MakeSpan with calling the constructor directly

226

13:59

<sipa> without specifying the template argument

227

13:59

<sipa> jnewbery: indeed

228

13:59

<MarcoFalke> so on master the verbose version Span<int>(std::vector<int>{1,2,3}) would compile?

229

13:59

<sipa> MarcoFalke: indeed

230

14:00

<sipa> MakeSpan is just convenience to avoid needing to specify the <int>

231

14:00

<sipa> ok, any very last minute comments/insights/questions?

232

14:00

<willcl_ark> so it will make the scripted diff when we use std::span smaller :)

233

14:01

<sipa> yeah

234

14:01

<jnewbery> that was really informative. I learned a lot

235

14:01

<sipa> nothing?

236

14:01

<sipa> ok!

237

14:02

<sipa> thank you all for attending

238

14:02

<jnewbery> Thanks for hosting, sipa!

239

14:02

<fjahr> sipa: thanks!

240

14:02

<troygiorshev> thx sipa!

241

14:02

<raj_> thanks sipa. Lot to digest..

242

14:02

<felixweis> thanks sipa!

243

14:02

<andrewtoth> thanks sipa!

244

14:02

<michaelfolkson> Yeah thanks sipa, that was great

245

14:02

<emzy> Thanks sipa!

246

14:02

<MarcoFalke> thx. TIL about CTAD

247

14:02

<gimballock> (y) thanks

248

14:03

<willcl_ark> thanks Sipa!

249

14:03

<jnewbery> #endmeeting

250

14:03

<instagibbs> thanks sipa!