{"id":5779,"date":"2019-09-18T15:23:22","date_gmt":"2019-09-18T15:23:22","guid":{"rendered":"https:\/\/www.modernescpp.com\/index.php\/c-core-guidelines-type-safety-per-design\/"},"modified":"2023-08-11T16:04:00","modified_gmt":"2023-08-11T16:04:00","slug":"c-core-guidelines-type-safety-per-design","status":"publish","type":"post","link":"https:\/\/www.modernescpp.com\/index.php\/c-core-guidelines-type-safety-per-design\/","title":{"rendered":"C++ Core Guidelines: Type Safety by Design"},"content":{"rendered":"

What does that mean: type safety by design. Type safety by design just means that you always initialize your variables, use std:<\/span>:variant instead of a union, or prefer variadic templates and fold expressions to va_arg<\/span>‘s.<\/p>\n

<\/p>\n

\"abseiling<\/p>\n

As in my first post to type safety C++ Core Guidelines: Type Safety<\/a>, I will name the four missing types of type safety and add additional information, if necessary. Here we are:<\/p>\n

Type Safety<\/a><\/h2>\n

Type.5: Don\u2019t use a variable before it has been initialized<\/h3>\n

The rules on which object will be initialized are quite difficult to get in C++. Here is a simple example.<\/p>\n

\n
struct<\/span> T1 {};\nclass<\/span> T2<\/span>{\n public:<\/span>\n    T2() {} \n};\n\nint<\/span> n;                 \/\/ OK<\/span>\n\nint<\/span> main<\/span>(){\n  int<\/span> n2;              \/\/ ERROR<\/span>\n  std::<\/span>string s;       \/\/ OK<\/span>\n  T1 t1;               \/\/ OK<\/span>\n  T2 t2;               \/\/ OK                  <\/span>\n}\n<\/pre>\n<\/div>\n
 <\/p>\n
n<\/span> is a global variable; therefore, it is initialized to 0. This initialization will not hold for n2<\/span> because it is a local variable and is, therefore, not initialized. But they are initialized if you use a user-defined type such as std::string, T1, or T2 in a global or local scope.<\/p>\n
If that is too difficult for you, I have a simple fix. Use auto.<\/span> The c ompiler can not guess from an expression auto a<\/span> what type a<\/span> has to be. Now, you can not forget to initialize the variable. You are forced to initialize your variables.<\/p>\n
\n
struct<\/span> T1 {};\nclass<\/span> T2<\/span>{\n public:<\/span>\n    T2() {}\n};\n\nauto<\/span> n =<\/span> 0<\/span>;\n\nint<\/span> main<\/span>(){\n  auto<\/span> n2 =<\/span> 0<\/span>;\n  auto<\/span> s =<\/span> \"\"<\/span>s;      \n  auto<\/span> t1 =<\/span> T1();               \n  auto<\/span> t2 =<\/span> T2();\n}\n<\/pre>\n<\/div>\n
Type.6: Always initialize a member variable<\/h3>\n
In this case, I can make it short. I have already written in my post C++ Core Guidelines: More Non-Rules and Myths<\/a>, about the initialization of member variables.<\/p>\n
Type.7: Avoid naked union<\/h3>\n
First of all: What is a union? A union is a user-defined type that can hold one of its members at a time.<\/p>\n
“Naked” unions are error-prone because you must keep track of the underlying type.<\/p>\n
<\/p>\n
\n
\/\/ nakedUnion.cpp<\/span>\n\n#include <iostream><\/span>\n\nunion<\/span> Value {\n    int<\/span> i;\n    double<\/span> d;\n};\n\nint<\/span> main<\/span>(){\n  \n  std::<\/span>cout <<<\/span> std::<\/span>endl;\n\n  Value v;\n  v.d =<\/span> 987.654<\/span>;  \/\/ v holds a double<\/span>\n  std::<\/span>cout <<<\/span> \"v.d: \"<\/span> <<<\/span> v.d <<<\/span> std::<\/span>endl;     \n  std::<\/span>cout <<<\/span> \"v.i: \"<\/span> <<<\/span> v.i <<<\/span> std::<\/span>endl;      \/\/ (1)<\/span>\n\n  std::<\/span>cout <<<\/span> std::<\/span>endl;\n\n  v.i =<\/span> 123<\/span>;     \/\/ v holds an int<\/span>\n  std::<\/span>cout <<<\/span> \"v.i: \"<\/span> <<<\/span> v.i <<<\/span> std::<\/span>endl;\n  std::<\/span>cout <<<\/span> \"v.d: \"<\/span> <<<\/span> v.d <<<\/span> std::<\/span>endl;      \/\/ (2)<\/span>\n  \n  std::<\/span>cout <<<\/span> std::<\/span>endl;\n\n}\n<\/pre>\n<\/div>\n
 <\/p>\n
 The union holds int the first iteration a double<\/span> and in the second iteration an int <\/span>value. You get undefined behavior if you read a double as an int (1) or an int as a double (2).<\/p>\n
\"nakedUnion\"<\/p>\n
std::variant<\/span><\/h3>\n
A std::variant<\/span> is, in contrast, a type-safe union. We have had it since C++17. An instance of std::variant<\/span> has a value from one of its types. The type must not be a reference, array, or void.<\/span> A default-initialized std::variant<\/span> will be initialized with its first type. In this case, the first type must have a default constructor. Here is a simple example based on cppreference.com.<\/a><\/p>\n
\n
\/\/ variant.cpp<\/span>\n\n#include <variant><\/span>\n#include <string><\/span>\n \nint<\/span> main<\/span>(){\n\n  std::<\/span>variant<<\/span>int<\/span>, float<\/span>><\/span> v, w;       \/\/ (1)<\/span>\n  v =<\/span> 12<\/span>;                    <\/span>\n  int<\/span> i =<\/span> std::<\/span>get<<\/span>int<\/span>><\/span>(v);\n  w =<\/span> std::<\/span>get<<\/span>int<\/span>><\/span>(v);                \/\/ (2)<\/span>\n  w =<\/span> std::<\/span>get<<\/span>0<\/span>><\/span>(v);                  \/\/ (2)<\/span><\/span>\n  w =<\/span> v;                               \/\/ (2)<\/span><\/span>\n \n  \/\/  std::get<double>(v);   \/\/ error: no double in [int, float] (3)<\/span>\n  \/\/  std::get<3>(v);        \/\/ error: valid index values are 0 and 1 (4)<\/span>\n \n  try{\n    std::<\/span>get<<\/span>float<\/span>><\/span>(w);                \/\/ (5)<\/span><\/span>   <\/span>\n  }\n  catch<\/span> (std::<\/span>bad_variant_access&<\/span>) {}\n \n  std::<\/span>variant<<\/span>std::<\/span>string><\/span> v2(\"abc\"<\/span>); \/\/ (6)<\/span><\/span><\/span><\/span>\n  v2 =<\/span> \"def\"<\/span>;                          \/\/ (7)<\/span><\/span><\/span><\/span>\n\n}\n<\/pre>\n<\/div>\n
 <\/p>\n
I define in line (1) both variants v<\/span> and w<\/span>. Both can have an int<\/span> and a float<\/span> value. <\/span> std::get<int>(v)<\/span> returns the value. In line (2), you see three possibilities to assign the variant v<\/span> to the variant w.<\/span> But you have to keep a few rules in mind. You can ask for the value of a variant by type (line 3) or index (line 4). The type must be unique and the index valid. On line (5), the variant w<\/span> holds an int<\/span> value. Therefore, I get a std::bad_variant_access<\/span> exception. A conversion can occur if the constructor call or assignment call is unambiguous. That is the reason that it’s possible to construct a std::variant<std::string><\/span> in line (6) with a C-string or assign a new C-string to the variant (line 7).<\/p>\n
Type.8: Avoid varargs<\/h3>\n
Variadic functions include std::printf<\/span> which can take an arbitrary number of arguments. The issue is that you must assume that the correct types were passed. Of course, this assumption is very error-prone and relies on the programmer’s discipline. <\/p>\n
Here is a small example to understand the implicit danger of variadic functions.<\/p>\n
\n
\/\/ vararg.cpp<\/span>\n\n#include <iostream><\/span>\n#include <cstdarg><\/span>\n\nint<\/span> sum<\/span>(int<\/span> num, ... ){\n  \n    int<\/span> sum{};\n      \n    va_list<\/span> argPointer;\n    va_start(argPointer, num );\n    for<\/span>( int<\/span> i =<\/span> 0<\/span>; i <<\/span> num; i++<\/span> )\n        sum +=<\/span> va_arg(argPointer, int<\/span> );\n    va_end(argPointer);\n      \n    return<\/span> sum;\n}\n \nint<\/span> main<\/span>(){\n    \n    std::<\/span>cout <<<\/span> \"sum(1, 5): \"<\/span> <<<\/span> sum(1<\/span>, 5<\/span>) <<<\/span> std::<\/span>endl;\n    std::<\/span>cout <<<\/span> \"sum(3, 1, 2, 3): \"<\/span> <<<\/span> sum(3<\/span>, 1<\/span>, 2<\/span>, 3<\/span>) <<<\/span> std::<\/span>endl;\n    std::<\/span>cout <<<\/span> \"sum(3, 1, 2, 3, 4): \"<\/span> <<<\/span> sum(3<\/span>, 1<\/span>, 2<\/span>, 3<\/span>, 4<\/span>)  <<<\/span> std::<\/span>endl; \/\/ (1)<\/span>\n    std::<\/span>cout <<<\/span> \"sum(3, 1, 2, 3.5): \"<\/span> <<<\/span> sum(3<\/span>, 1<\/span>, 2<\/span>, 3.5<\/span>) <<<\/span> std::<\/span>endl;    \/\/ (2)<\/span>\n\n}\n<\/pre>\n<\/div>\n
 <\/p>\n
sum<\/span> is a variadic function. Its first argument is the number of arguments that should be summed up. I will only provide so much info to the varargs macros so you can understand the program. For more information, read cppreference.com<\/a>.<\/p>\n