Deprecate implicit conversion between signed and unsigned integers
Paul Backus
snarwin at gmail.com
Tue Feb 18 04:11:38 UTC 2025
On Tuesday, 18 February 2025 at 00:33:27 UTC, Walter Bright wrote:
> On 2/17/2025 7:07 AM, Paul Backus wrote:
>> Dividing an integer by zero is UB according to the D spec [1],
>> and it is allowed in @safe code.
>>
>> [1] https://dlang.org/spec/expression.html#division
>
> That's correct. But it's not memory corruption, and requiring
> casts doesn't address it.
>
> The usual result is a signal is generated. These can be
> intercepted at the user's discretion.

An optimizing compiler (like LDC or GDC) is allowed to generate
code that produces memory corruption if a division by zero would
occur. So this is absolutely a hole in @safe.

If the compiler could guarantee that a signal would be generated
on division by zero, that would be sufficient to close the safety
hole.

> The compiler will flag an error if it can statically determine
> that the divisor is zero. Runtime checks could be added, but
> since other languages don't do that, it would put D at a
> competitive disadvantage.

An alternative solution that does not require giving up any
runtime performance would be to require @safe code to use
std.checkedint for dividing integers.
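The contrast the message draws, as an added example that is not part of the thread or of Phobos: a plain `/` in `@safe` code is undefined when the divisor is zero, so the defensive options are to check the divisor before dividing, or to let `std.checkedint` perform the division through a hook. The `safeDiv` and `checkedDiv` helpers are hypothetical names chosen here; the example assumes that `std.checkedint`'s `Throw` hook reports a zero divisor as a check failure and throws, which is the behaviour the suggestion above relies on and should be verified against the Phobos version in use.

```d
// Added example (not from the thread): two ways to keep integer division
// out of the undefined-behaviour case in @safe D code.
import std.checkedint : checked, Throw;
import std.exception : assertThrown;

/// Explicit precondition check: the only way to keep a plain `/` in @safe
/// code well-defined is to reject a zero divisor before the operation runs.
int safeDiv(int lhs, int rhs) @safe pure
{
    if (rhs == 0)
        throw new Exception("division by zero");
    return lhs / rhs;
}

/// Same idea delegated to std.checkedint: the Checked wrapper performs the
/// division and invokes the Throw hook when the check fails, so the caller
/// never executes an unchecked `/`.
/// Assumption: the Throw hook treats a zero divisor as a check failure.
int checkedDiv(int lhs, int rhs) @safe
{
    auto a = checked!Throw(lhs);
    return (a / rhs).get;
}

@safe unittest
{
    assert(safeDiv(10, 2) == 5);
    assertThrown!Exception(safeDiv(1, 0));

    assert(checkedDiv(10, 2) == 5);
    assertThrown!Exception(checkedDiv(1, 0));   // assumption noted above
}

void main() @safe
{
    import std.stdio : writeln;
    writeln(safeDiv(42, 6));      // 7
    writeln(checkedDiv(42, 6));   // 7
}
```

Both helpers cost one comparison per division; the difference is where that comparison lives. With `safeDiv` every call site must remember to route through the helper, whereas a `Checked!(int, Throw)` value carries the check with it, which is what makes "require `std.checkedint` in `@safe`" enforceable rather than a convention.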