Implement c++20 std::chrono::duration subsecond formatting

[matrackif]

Hello,

I have returned with a solution to #2207, after dealing with licensing issues in PR #2554. This time I am 100% the author of the code. The solution is simplified, and could be adapted to use if-constexpr if C++17 is detected at compile-time. In fact, the solution I have proposed is working better than the current MSVC implementation which leads to template overflow when std::atto is used as a precision. I will open an issue there.

1. Subsecond values that are not representable in std::intmax_t (the standard type for chrono tick counts) cause program termination with FMT_ASSERT(). The standard requires us to support up to 18 decimal digits, and std::int64_t can store a maximum value of 9,223,372,036,854,775,807 or, 9.2e+18,. Therefore it can represent all 18 digit numbers. However the following assert test had to be removed:

(void)fmt::format("{:%S}",
                    std::chrono::duration<float, std::atto>(1.79400457e+31f));

2. The decimal point is still not formatted according to the locale but that is a general problem.

[matrackif]

@vitaut Hi could you rerun the CI tests.

Thanks

[matrackif]

@vitaut I locally used -Wconversion instead of -Wsign-converison so line of code still had to be fixed. If you could run the workflow one more time it would be much appreciated.

Thanks

[vitaut]

Thanks for the PR!

[vitaut]

Why is the integral part 00 here?

[matrackif]

According to the spec:

If the number of seconds is less than 10, the result is prefixed with 0

The number of seconds is 0, which is less than 10, hence we write 00.

The MSVC implementation of std::format also interprets the standard this way. The check below passes locally in my instance of Visual Studio 2022

std::format("{:%S}", std::chrono::duration<double, std::nano{-123456789.123456789}) == std::string("-00.123456789")

[vitaut]

Oh, I misread the test case and thought that the integral part 123456789. is seconds rather than nanoseconds. I suggest changing the fractional part to something different to prevent confusion.

[matrackif]

Done

[vitaut]

nit: Please add punctuation (. in the end of the sentence) here and elsewhere.

[matrackif]

Done

[vitaut]

"empty zeros"? I suggest rephrasing this as "zero fractional part" or smth like that.

[matrackif]

Done

[vitaut]

Why change this?

[matrackif]

According to the spec, the decimal point should be printed only if the duration "period" type is more precise than seconds:

If the precision of the input cannot be exactly represented with seconds, then the format is a decimal floating-point number with a fixed format and a precision matching that of the precision of the input

This can be determined statically at compile time and does not depend on runtime values of the duration. The test I modified has seconds precision, so I removed the decimal point.

In my local instance of Visual Studio 2022, the following test passes:

std::format("{:%S}", std::chrono::duration<double>{1.234}) == std::string("01")

[vitaut]

Shall we check that there is no decimal point then?

[vitaut]

Why introduce a template parameter instead of using Rep?

[matrackif]

Rep is currently assumed to be an unsigned type. I wanted the proper type to propagate through the code and be deduced in the template. Otherwise there could be an unsigned to signed conversion here which would lead to a -Wconversion error.

[vitaut]

Rep is currently assumed to be an unsigned type.

I don't think this is correct. Rep is the representation type of a duration and it can be signed (in fact it's normally signed).

[matrackif]

Sorry, lowercase rep is used to store the internal duration value, and rep is unsigned to avoid overflow. At first I wanted to use the existing logic in the write() function to format a duration value of type lowercase rep. This is irrelevant now as I reverted this function to its previous state

[vitaut]

Let's use long long instead of intmax_t because it's a built-in type and can also handle 18 digits of precision.

[matrackif]

As you wish, std::chrono::duration types use std::intmax_t internally that's why I went along with it.

[vitaut]

int -> Int

[matrackif]

Done

[vitaut]

Having a utility struct seems unnecessary. I suggest converting it into a function (e.g. write_fractional_seconds) or merging the logic into write where it is used.

[matrackif]

Done

[matrackif]

@vitaut I have implemented the suggestions you have requested. If you have any further remarks I would gladly hear them. The workflows still need to be run :)

[vitaut]

Let's simplify this:

EXPECT_EQ(value, "40");

Then we don't need a comment because it's clear that we don't emit a decimal point.

[matrackif]

Of course. I recall the size of this string being platform dependent but after the changes in this PR it should always be consistent. Done

[vitaut]

A few more, mostly minor comments.

[vitaut]

nit: amount -> number

[matrackif]

Ok

[vitaut]

I don't think static is needed here (and similarly in a functions below).

[matrackif]

Good point, static made sense when it was a member function, now it is no longer is needed.

[vitaut]

Is returning 6 actually required by the standard? Can we turn it into a compile-time error instead?

[matrackif]

From the standard:

...and a precision matching that of the precision of the input (or to a microseconds precision if the conversion to floating-point decimal seconds cannot be made within 18 fractional digits)

Microseconds precision is 6 digits. The MSVC implementation of std::format also behaves this way.

[vitaut]

This doesn't need to be static because it's just an int.

[matrackif]

Good point, lightweight integral types probably do not need to be static, even if constexpr

[vitaut]

One more static to remove here.

[vitaut]

Removed in a follow-up commit.

[vitaut]

Merged, thanks!

[vitaut]

A fuzzer has discovered a UB which seems to be introduced by this PR:

fmt::print("{:%S}", std::chrono::duration<long double, std::ratio<1, 1000000> >(-1.7591538808701083784E+4865L));

% c++ test.cc -std=c++11 -I include src/format.cc -fsanitize=undefined
% ./a.out
/Library/Developer/CommandLineTools/SDKs/MacOSX.sdk/usr/include/c++/v1/chrono:906:28: runtime error: 1.75915e+4859 is outside the range of representable values of type 'long long'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior 

[matrackif]

Subseconds are always an integral value no longer than 18 digits. The implementation will cast all values to a long long. If the value is not representable by a long long like this huge double UBsan will report this error.

It is not clear how to handle values not representable by intmax_t/long long, the spec doesn't seem to mention what to do. I guess it's up to the implementation how to truncate such values.

[vitaut]

I think we should add a range check when converting from an FP number.

[matrackif]

And throw an exception if the value is out of range? What method do you propose for range checking floats. I assume such checks exist already in the codebase

[vitaut]

I implemented a fix for the UB in 784e2a7.

[matrackif]

I implemented a fix for the UB in 784e2a7.

This commit does not work. I believe it can be safely reverted because currently the above example throws an exception "invalid value". If exceptions are disabled then we need an alternative approach.

fmt::print("{:%S}\n", std::chrono::duration<double, std::milli >(1.0)); correctly prints 00.001

Whereas if we change the type to long double then it incorrectly prints 00.000

The offending line is here

detail::abs(d) - std::chrono::duration_cast<sec>(d) where sec is std::chrono::duration<long double> will subtract away the subsecond part which we want to keep. The integer cast to std::chrono::seconds was intentional in the implementation exactly for this reason.

Link to a godbolt example

Also the commit addresses only long double, but doesn't the undefined behavior problem exist with other floating point types such as float, and double?

[vitaut]

Could you provide a PR with a better workaround for the UB?

[matrackif]

At first I thought of the following solution:

1. Check if the duration type is floating_point and if it is greater than max_value<long long>

a. If yes, then cast it to its seconds representation, and truncate it. This way we don't subtract away the valuable subsecond part of the number. Something like this:

detail::abs(d) - Duration{std::trunc(std::chrono::duration_cast<std::chrono::duration<typename Duration::rep>>(d).count())}

b. If not, then cast to std::chrono::seconds as before and call it a day.

But then I realized that in practice such code will never be reached because

uint32_or_64_or_128_t<long long> n = to_unsigned(to_nonnegative_int(subseconds, max_value<long long>()));

Will thrown an exception if the value is larger than max_value<long long> anyways. The simple code suddenly becomes much more complicated if we want to handle floating point values in the range: (max_value<long long>, max_value<long double>]

A possible workaround would be to avoid using detail::count_digits() to count the number of digits for floating point types and simply delegate the work to the fmt floating point formatter and specifying precision to be equal to num_fractional_digits:

Any thoughts?

[vitaut]

A possible workaround would be to avoid using detail::count_digits() to count the number of digits for floating point types and simply delegate the work to the fmt floating point formatter and specifying precision to be equal to num_fractional_digits

This sounds reasonable. We can always optimize this path later and correctness is more important.

[matrackif]

Ok, I am trying to format floating point subsecond values using the floating point formatter, but as always there are issues :).

If the duration type is floating point, then we do our calculations using floating point arithmetic. Let's say we calculate the subseconds remaining to be std::chrono::duration<double, std::micro>(123.456). We call:

format_to(out, "{:{}.{}f}", subseconds, num_fractional_digits, num_fractional_digits);, but this yields 123.456000 which is not what we want. We want the result to be simply 123, because we don't care about the fractional part of the subseconds themselves. After calling std::trunc() on the value we obtain 123.000000, still doesn't help because all std::trunc() did was zero out the fractional part.

So we could cast to an integral type to remove the fractional part, but then we end up with the same problem that we started with, since some floating point values are not representable by integral types and we get UB.

In other words, how can we remove the fractional part of floating point numbers without casting to an integral type? Or how can we format a FP number without its fractional part (and decimal point), using existing facilities?

[matrackif]

The easy way out would be to simply throw an exception if the formatted value is larger than max_value<long long>. Then the code would technically be correct and there would be no UB, the downside is that floating point values larger than max_value<long long> would not be supported by the facility.

[vitaut]

I think we should format integral and fractional parts together. I took a stab at this as part of fixing another UB in d9f045f but improvements are welcome.

[matrackif]

I am a fan of this approach. We simply format the duration using the floating point formatting facility, otherwise we use the integral implementation.