Should (p - q) be disallowed in @safe code?
Richard (Rikki) Andrew Cattermole
richard at cattermole.co.nz
Fri Jan 2 00:42:23 UTC 2026
On 02/01/2026 10:53 AM, Walter Bright wrote:
> What the proposal in this thread is about is extending the @safe
> semantics to not just be about memory safety, but about checking for
> common bugs where rewriting the code slightly to avoid it is practical.
That sounds a little like you're wanting to make safety designate which
functions need static analysis.
However, in this case it isn't required to make it disallow the operation:
``for (auto q = &array[0]; p - q; ++q)``
If ``p - q`` is a /signed/ integer that cannot implicitly cast to
unsigned, it will never iterate.
Both ``size_t`` and ``ptrdiff_t`` should be built in types that cannot
implicitly cast off them. Making them aliases was a mistake.
Note: @safe even with this upgrade does not track aliasing or
not-aliasing. So if it is positive there is no way to know if it is the
same object.
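The loop pattern discussed in the post, as an added example that is not code from the thread or from the D project: the `p - q` condition written out next to a form with an explicit comparison, so the sign issue is visible. The function names, the sample array, and the `@system` annotation (the loop's `++q` is pointer arithmetic, which `@safe` already rejects) are assumptions of this example.

```d
// The condition `p - q` is a ptrdiff_t used as a bool: it is true for any
// non-zero difference, so if q already lies past p the loop walks q away
// from p instead of stopping. A signed type that could not implicitly
// convert (the post's suggestion) would reject this condition outright.
size_t countUntilLoose(const(int)* q, const(int)* p) @system
{
    size_t n = 0;
    for (; p - q; ++q)
        ++n;
    return n;
}

// Same intent with the sign stated: the loop only runs while q is strictly
// before p, so reversed arguments give zero iterations, not an unbounded walk.
size_t countUntilChecked(const(int)* q, const(int)* p) @system
{
    size_t n = 0;
    for (; q < p; ++q)
        ++n;
    return n;
}

unittest
{
    int[4] array = [1, 2, 3, 4];          // constructed sample input
    const(int)* first = &array[0];
    const(int)* past  = first + array.length;

    assert(countUntilLoose(first, past) == 4);
    assert(countUntilChecked(first, past) == 4);

    // Arguments the wrong way round: the checked form stops at once; the
    // loose form would not terminate, so it is deliberately not called.
    assert(countUntilChecked(past, first) == 0);
}

void main() {}  // present so `dmd -unittest -run` has an entry point
```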