assume, assert, enforce, @safe
Walter Bright via Digitalmars-d
digitalmars-d at puremagic.com
Wed Jul 30 15:01:25 PDT 2014
I'd like to sum up my position and intent on all this.
1. I can discern no useful, practical difference between the notions of assume
and assert.
2. The compiler can make use of assert expressions to improve optimization, even
in -release mode.
3. Use of assert to validate input is utterly wrong and will not be supported.
Use such constructs at your own risk.
4. An assert failure is a non-recoverable error. The compiler may assume that
execution does not proceed after one is tripped. The language does allow
attempts to shut a program down gracefully after one is tripped, but that must
not be misconstrued as assuming that the program is in a valid state at that point.
5. assert(0); is equivalent to a halt, and the compiler won't remove it.
6. enforce() is meant to check for input errors (environmental errors are
considered input).
7. using enforce() to check for program bugs is utterly wrong. enforce() is a
library creation, the core language does not recognize it.
8. @safe is a guarantee of memory safety. It is not a guarantee that a program
passes all its assert expressions. -release does not disable @safe.
9. -noboundscheck does disable @safe's array bounds checks, however, the
compiler may assume that the array index is within bounds after use, even
without the array bounds check.
I am not terribly good at writing formal legalese specifications for this. I
welcome PRs to improve the specification along these lines, if you find any
Aha! Gotcha! issues in it. Of course, implementation errors for this in DMD
should be reported on Bugzilla.
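As an added example that is not part of Walter's post, nor code from DMD or Phobos: a small D program that applies points 3, 5, 6 and 8 above, using enforce() for an untrusted input and assert() only for an internal invariant. The input strings and the lookup table are constructed for the example, and the names parsePort, pick, kindName and clamp are chosen here for illustration. Build it twice, with `dmd example.d` and with `dmd -release example.d`, to see which checks survive.

```d
import std.conv : to;
import std.exception : enforce;
import std.stdio : writeln;

// Point 6: a port number read from the outside world is input, so an
// out-of-range value is an input error. enforce() throws an Exception and
// keeps doing so under -release, because it is an ordinary library call.
int parsePort(string raw)
{
    int port = raw.to!int;   // to!int itself throws ConvException on "abc"
    enforce(port > 0 && port < 65536, "port out of range: " ~ raw);
    return port;
}

// Point 3 (what NOT to do): assert() on input. Under -release the assert is
// gone, and the compiler may go further and treat x >= 0 as established, so
// the fallback branch below can legitimately be compiled out as dead code.
int clamp(int x)
{
    assert(x >= 0, "caller passed a negative value");
    return x < 0 ? 0 : x;   // not a safety net: the optimizer may drop it
}

// Point 8: @safe is about memory safety, not about asserts. The assert here
// documents an invariant of this module's own index arithmetic; it vanishes
// under -release, but the @safe bounds check on table[i] does not. Only
// -noboundscheck removes that (point 9).
@safe int pick(const int[] table, size_t i)
{
    assert(i < table.length, "index computed by this module is wrong");
    return table[i];
}

// Point 5: assert(0) is a halt and is never removed, so it is the right way
// to mark a branch that must be unreachable.
string kindName(int kind)
{
    if (kind == 0) return "input error";
    if (kind == 1) return "program bug";
    assert(0, "unknown kind");   // survives -release as a halt instruction
}

void main()
{
    // Constructed sample inputs: one valid, one out of range, one unparsable.
    foreach (raw; ["8080", "70000", "abc"])
    {
        try writeln(raw, " -> ", parsePort(raw));
        catch (Exception e) writeln(raw, " rejected: ", e.msg);
    }

    int[] table = [10, 20, 30];   // constructed lookup table
    writeln("pick(table, 1) = ", pick(table, 1));
    writeln("clamp(5) = ", clamp(5));
    writeln(kindName(0), ", ", kindName(1));
}
```

Running the debug build, the three inputs print one accepted port and two rejections, which is exactly the behaviour the -release build must keep; that is why the input check is an enforce() and not an assert(). The assert in clamp is the anti-pattern from point 3 shown for contrast, not a recommendation.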