From: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
To: ffmpeg-devel@ffmpeg.org
Subject: Re: [FFmpeg-devel] [PATCH 01/12] avutil/avassert: Add av_unreachable and av_assume() macros
Date: Sun, 26 May 2024 02:59:35 +0200
Message-ID: <AS8P250MB07446531F7C731D681882DCA8FF72@AS8P250MB0744.EURP250.PROD.OUTLOOK.COM> (raw)
In-Reply-To: <20240526002239.GG2821752@pb2>
Michael Niedermayer:
> Hi
>
> On Fri, May 24, 2024 at 11:58:21PM +0200, Andreas Rheinhardt wrote:
>> Useful to let the compiler and static analyzers know that
>> something is unreachable without adding an av_assert
>> (which would be either dead for the compiler or add runtime
>> overhead) for this.
>>
>> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
>> ---
>> I can add more macros if it is desired to differentiate between
>> ASSERT_LEVEL == 1 and ASSERT_LEVEL > 1.
>>
>> doc/APIchanges | 3 +++
>> libavutil/avassert.h | 33 +++++++++++++++++++++++++++++++++
>> 2 files changed, 36 insertions(+)
>>
>> diff --git a/doc/APIchanges b/doc/APIchanges
>> index 60f056b863..5a3ae37999 100644
>> --- a/doc/APIchanges
>> +++ b/doc/APIchanges
>> @@ -2,6 +2,9 @@ The last version increases of all libraries were on 2024-03-07
>>
>> API changes, most recent first:
>>
>> +2024-05-24 - xxxxxxxxxx - lavu 59.xx.100 - avassert.h
>> + Add av_unreachable and av_assume() macros.
>> +
>> 2024-05-23 - xxxxxxxxxx - lavu 59.20.100 - channel_layout.h
>> Add av_channel_layout_ambisonic_order().
>>
>> diff --git a/libavutil/avassert.h b/libavutil/avassert.h
>> index 1895fb7551..41e29c7687 100644
>> --- a/libavutil/avassert.h
>> +++ b/libavutil/avassert.h
>> @@ -31,6 +31,7 @@
>> #ifdef HAVE_AV_CONFIG_H
>> # include "config.h"
>> #endif
>> +#include "attributes.h"
>> #include "log.h"
>> #include "macros.h"
>>
>> @@ -68,6 +69,38 @@
>> #define av_assert2_fpu() ((void)0)
>> #endif
>>
>> +/**
>> + * Asserts that are used as compiler optimization hints depending
>> + * upon ASSERT_LEVEL and NBDEBUG.
>> + *
>> + * Undefined behaviour occurs if execution reaches a point marked
>> + * with av_unreachable or if a condition used with av_assume()
>> + * is false.
>> + *
>> + * The condition used with av_assume() should not have side-effects
>> + * and should be visible to the compiler.
>> + */
>
> this feels wrong
>
> We have 3 assert functions
>
> one for security relevant code or other things we always want to check and not play around
>
> one for speed relevant code where we dont want to check in production code. But may want
> to do checks if we are debuging.
>
> and one for the cases between
>
>
> What is an assert ? Its a statement about a condition that is true unless the code
> is broken. Its never correct to use an assert to check for a condition that is known
> to be false for some input.
> So a assert really already is either
>
> A. Check, print, abort
> or
> B. undefined if false
>
> But if an assert already is "undefined if false" then what you add is not
> usefull, just add the compiler specific "assume" code to the disabled asserts
1. So you want me to change the disabled asserts into a "if (!(cond))
__builtin_unreachable();" (like dav1d does)? This is problematic,
because asserts (as they are used right now) contain no requirement at
all that the condition be visible to the compiler; it may contain
function calls that the compiler cannot elide (unless it is an LTO
compiler, but even they stop at library boundaries). While we could of
course look through our own asserts and change them, we must not simply
do so for our users.
(The PutBits API has checks for the buffer being too small:
av_log(NULL, AV_LOG_ERROR, "Internal error, put_bits buffer
too small\n");
av_assert2(0);
If the av_assert2 is changed into an __builtin_unreachable() in case the
latter assert is disabled, then this defeats the purpose of this check.
This shows that all our asserts need to be checked and be potentially
changed to be consistent with using them as optimization hints.)
2. It is useful, it is just a different usecase: Here the focus is not
on correctness, but on telling the compiler something that is presumed
to be beneficial for performance.
> This would also keep the API simpler
IMO using av_unreachable instead of av_assertX(0) expresses the intent
better (so for me the current usage feels wrong). Same for av_assume
(see 2. for the intent).
- Andreas
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
next prev parent reply other threads:[~2024-05-26 0:59 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-24 21:58 Andreas Rheinhardt
2024-05-24 22:04 ` [FFmpeg-devel] [PATCH 02/12] avcodec/amrwbdec: Mark default switch as unreachable Andreas Rheinhardt
2024-05-24 22:04 ` [FFmpeg-devel] [PATCH 03/12] avcodec/proresenc_anatoliy: Mark impossible case " Andreas Rheinhardt
2024-05-24 22:04 ` [FFmpeg-devel] [PATCH 04/12] all: Use put_bytes_output() instead of put_bits_ptr - pb->buf Andreas Rheinhardt
2024-05-24 22:04 ` [FFmpeg-devel] [PATCH 05/12] avcodec/mpeg4videodec: Mark impossible switch case as unreachable Andreas Rheinhardt
2024-05-24 22:04 ` [FFmpeg-devel] [PATCH 06/12] avcodec/pcm-dvdenc: Mark unreachable default cases " Andreas Rheinhardt
2024-05-24 22:04 ` [FFmpeg-devel] [PATCH 07/12] avcodec/vlc: Make code more readable with av_unreachable Andreas Rheinhardt
2024-05-24 22:04 ` [FFmpeg-devel] [PATCH 08/12] avcodec/utvideoenc: Remove always-false pixel format check Andreas Rheinhardt
2024-05-24 22:04 ` [FFmpeg-devel] [PATCH 09/12] avcodec/dolby_e_parse: Use av_unreachable instead of av_assert0(0) Andreas Rheinhardt
2024-05-24 22:04 ` [FFmpeg-devel] [PATCH 10/12] avcodec/put_bits: Allow to mark places where PutBitContext is flushed Andreas Rheinhardt
2024-05-24 22:04 ` [FFmpeg-devel] [PATCH 11/12] avcodec/e?ac3enc: Inform compiler about PutBitContext being blank Andreas Rheinhardt
2024-05-24 22:04 ` [FFmpeg-devel] [PATCH 12/12] avcodec/speedhqenc: Use av_unreachable for unreachable condition Andreas Rheinhardt
2024-05-25 0:48 ` [FFmpeg-devel] [PATCH 13/16] avcodec/wmaenc: Move transient PutBitContext from Context to stack Andreas Rheinhardt
2024-05-25 0:48 ` [FFmpeg-devel] [PATCH 14/16] avcodec/wma: Mark ff_wma_end() as av_cold Andreas Rheinhardt
2024-05-25 0:48 ` [FFmpeg-devel] [PATCH 15/16] avcodec/wmaenc: Use av_unreachable to mark unreachable codepath Andreas Rheinhardt
2024-05-25 0:48 ` [FFmpeg-devel] [PATCH 16/16] avcodec/wmaenc: Don't unnecessarily reset AVPacket.size Andreas Rheinhardt
2024-05-26 0:22 ` [FFmpeg-devel] [PATCH 01/12] avutil/avassert: Add av_unreachable and av_assume() macros Michael Niedermayer
2024-05-26 0:59 ` Andreas Rheinhardt [this message]
2024-05-26 17:55 ` Michael Niedermayer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=AS8P250MB07446531F7C731D681882DCA8FF72@AS8P250MB0744.EURP250.PROD.OUTLOOK.COM \
--to=andreas.rheinhardt@outlook.com \
--cc=ffmpeg-devel@ffmpeg.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
This inbox may be cloned and mirrored by anyone:
git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \
ffmpegdev@gitmailbox.com
public-inbox-index ffmpegdev
Example config snippet for mirrors.
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git