Should (p - q) be disallowed in @safe code?
Walter Bright
newshound2 at digitalmars.com
Thu Jan 1 22:14:52 UTC 2026
> On 1/1/2026 12:57 PM, Timon Gehr wrote:
> It's one question whether you have to mark it `@trusted` for it to type check,
> it's another question whether you are allowed to mark it `@trusted` (i.e.,
> whether it is actually memory safe).
@trusted only applies to the interface, not the code itself.
> In C, I think adding an integer to a pointer aiming to get a result that points
> to a different memory object entirely would just be UB.
You're right.
> I.e., there is some potential for `q+(p-q)` to do something other than give you
> `p` unless glue code and backends are careful to handle it as intended.
My proposal would not affect that - the frontend would diagnose p-q as an error
in @safe code.
> As far as I can tell, such nuances are not documented in the D spec and so it
> would be defensible for GDC and LDC to assume it's just supposed to mimic C
> behavior. Whether the backends actually do end up breaking assumptions like they
> would be allowed to is still another question.
I designed the semantics of D fully aware of the reality that the usable
backends (including mine) were designed for C, and that to not do so would be
language suicide.
(And it's not just the backends, there are the debuggers, etc.)
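The following is an added example, not code from the post above or from any D compiler, written in C because the semantics being agreed on ("adding an integer to a pointer aiming to get a result that points to a different memory object entirely would just be UB") are C's. It contrasts the well-defined case (both pointers into one array, so `q + (p - q)` really is `p`) with the cross-object case, where `p - q` is undefined and the only portable way to express an address difference is to convert to `uintptr_t` first. The function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Case 1: p and q point into the same array object.
 * C11 6.5.6p9 defines p - q here, and q + (p - q) yields p. */
static int same_object_roundtrip(void) {
    int arr[8] = {0};
    int *q = &arr[1];
    int *p = &arr[6];
    ptrdiff_t d = p - q;            /* 5, well defined */
    return (d == 5) && (q + d == p);
}

/* Case 2: p and q point to different objects.
 * Here `p - q` is undefined behaviour, so an optimizer may assume it never
 * happens and `q + (p - q)` is not guaranteed to produce `p`.
 * The portable way to express "how far apart are these addresses" is to
 * convert to uintptr_t first: unsigned subtraction is always defined
 * (it wraps modulo 2^N). This is integer arithmetic, not pointer arithmetic. */
static uintptr_t address_delta(const void *p, const void *q) {
    return (uintptr_t)p - (uintptr_t)q;
}

/* Helper for checking address_delta on known offsets inside one buffer
 * (constructed input; only addresses are taken, nothing is read). */
static uintptr_t delta_in_buffer(size_t i, size_t j) {
    char buf[32];
    return address_delta(&buf[i], &buf[j]);
}

/* Re-derive the address of `a` from the address of `b` plus the delta,
 * comparing as integers. Caveat: converting the integer back into a
 * pointer is implementation-defined (C11 6.3.2.3p5), and compilers that
 * track pointer provenance need not treat such a pointer as a valid
 * pointer to `a`; that is the "backends have to be careful" point made
 * in the thread. So this function deliberately never dereferences. */
static int cross_object_roundtrip_as_integers(void) {
    int a = 1, b = 2;
    uintptr_t d = address_delta(&a, &b);
    return (uintptr_t)&b + d == (uintptr_t)&a;
}

int main(void) {
    printf("same object:  q + (p - q) == p ? %s\n",
           same_object_roundtrip() ? "yes" : "no");
    printf("cross object: integer delta round-trips (as integers) ? %s\n",
           cross_object_roundtrip_as_integers() ? "yes" : "no");
    return 0;
}
```

The in-object subtraction is what @safe code can legitimately want; the cross-object form is the one the proposal would reject in @safe code, and in C the integer-cast version is the only formulation that does not invoke undefined behaviour on its own.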