Contracts, Undefined Behavior, and Defensive Programming
Dukc
ajieskola at gmail.com
Mon Jun 15 16:06:13 UTC 2020
On Monday, 15 June 2020 at 12:45:56 UTC, Paul Backus wrote:
> Well, the compiler has an option specifically for in contracts,
> `-checkaction=in=[on|off]`, so probably what should be done is
> to give that option a `safeonly` value like what `-boundscheck`
> has.
This is not acceptable. The canonical way to use `assert`s is to
assume they will not negatively affect the performance of the
final build. Your proposal would break that assumption.
I personally see two options:
1: Simply disallowing the compiler from assuming that asserts hold.
2: Letting the compiler assume most things as it does now, but
disallowing it from eliding array bounds checks. In this case, there should
also be a way for the user to add code that may not be elided by
the optimizer, unless bounds checking is off. Something like:
```d
@trusted auto readIndex(CustomIntArray arr, size_t i)
pragma(integritycheck, true) in (i < arr.length)
{
    return arr[i];
}
```
Code with such a pragma could not be elided by trusting a regular
assert (nor by trusting `enum` to have a valid value for
example). It could still be elided by trusting another integrity
critical assert, though.
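An added illustration (not code from the post or from any D compiler) of the distinction the proposal rests on: an `in` contract is stripped by `-release` or `-checkaction=in=off`, whereas an ordinary runtime check on the same condition survives every build flag. `CustomIntArray` and `IntegrityViolation` are assumed names for the example.

```d
// Added example, not part of the original post. Contrasts a precondition
// that build flags remove with an explicit check that no flag removes,
// which is the guarantee the proposed pragma(integritycheck, true) asks for.

struct CustomIntArray            // hypothetical stand-in for the post's type
{
    int[] data;
    size_t length() const { return data.length; }
}

class IntegrityViolation : Exception  // hypothetical, used by the checked variant
{
    this(string msg) { super(msg); }
}

// Contract version: `in (i < arr.length)` is a precondition. It is not
// emitted under -release or -checkaction=in=off, and an optimizer allowed to
// treat contracts as assumptions could also drop any later check on `i`.
@trusted int readIndexContract(CustomIntArray arr, size_t i)
in (i < arr.length)
{
    return arr.data.ptr[i];  // pointer indexing: no implicit bounds check
}

// Defensive version: the test is ordinary control flow that feeds an
// exception, so it stays in the binary regardless of -release or
// -boundscheck, and the optimizer has no licence to remove it.
@trusted int readIndexChecked(CustomIntArray arr, size_t i)
{
    if (i >= arr.length)
        throw new IntegrityViolation("readIndexChecked: index out of range");
    return arr.data.ptr[i];
}

void main()
{
    auto arr = CustomIntArray([10, 20, 30]);
    assert(readIndexChecked(arr, 1) == 20);

    // An out-of-range index is rejected in every build configuration.
    bool rejected = false;
    try { readIndexChecked(arr, 3); }
    catch (IntegrityViolation) { rejected = true; }
    assert(rejected);
}
```

Compiling with and without `-release` shows that only `readIndexContract` changes behaviour on an out-of-range index.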