-
Notifications
You must be signed in to change notification settings - Fork 738
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Wrong Expects in gsl::at? #1075
Comments
Off the top of my head while on vacation: I thought that having more elements than half the number of addressable locations generally isn't legal or practical anyway (IIRC of iterator requirements, pointer/iterator subtraction, I've paged out the exact reasons). So how about instead adding Edited to add: That is, instead of changing the run-time checks, add a compile-time check to disallow the case that would have other legality problems anyway? Then the run-time checks should be fine I think. Please correct if I missed something! |
- Change `Expects` for `at`: there is no need to convert the size. It is better to check the converted index. - Only support C style array `at` for up to half of the address space. - Add unit tests for `at()`. - Add `#include <exception>` - Add death check for `at()` overload that takes a `gsl::span`.
- Change `Expects` for `at`: there is no need to convert the size. It is better to check the converted index. - Add `static_assert` because we only support C style array `at` for up to half of the address space. - Add `#include <exception>` - Add death check for `at()` overload that takes a `gsl::span`.
Hi @hsutter, Is this your intended change? static_assert(N < std::numeric_limits<std::size_t>::max()/2-1);
Expects(i >= 0 && i < narrow_cast<index>(N));
return arr[narrow_cast<std::size_t>(i)]; Is the static assert therefore effectively checking that If so, I wonder if it makes sense to simply take the suggested implementation of: Expects(i >= 0 && narrow_cast<std::size_t>(i) < N);
return arr[narrow_cast<std::size_t>(i)]; Since this is more straightforward and does not impose a static assertion which can (probably?) never be violated anyways. |
That's the idea, and I would have suggested the above form but I habitually wanted to avoid writing a new mixed unsigned/signed comparison. I generally prefer static assertions where possible... shift-left. It shouldn't ever fire, but if it does it's valuable information. But I think the suggested implementation could be fine too. Let's see what @gdr-at-ms thinks ... I'm happy with whichever he prefers. |
- Change `Expects` for `at`: there is no need to convert the size. It is better to check the converted index. - Add `static_assert` because we only support C style array `at` for up to half of the address space. - Add `#include <exception>` - Add death check for `at()` overload that takes a `gsl::span`.
My PR suggests:
The Regarding the |
- Change `Expects` for `at`: there is no need to convert the size. It is better to check the converted index. - Add `static_assert` because we only support C style array `at` for up to half of the address space. - Add `#include <exception>` - Add death check for `at()` overload that takes a `gsl::span`. - Add `std::` before `size_t`.
@beinhaerter indeed it looks like |
- Change `Expects` for `at`: there is no need to convert the size. It is better to check the converted index. - Add `static_assert` because we only support C style array `at` for up to half of the address space. - Add `#include <exception>` - Add death check for `at()` overload that takes a `gsl::span`. - Add `std::` before `size_t`.
#1075 - Add `static_assert` because we only support C style array `at` for up to half of the address space. - Add `std::` before `size_t`. - tests: - Add `#include <exception>` - Implement `span_tests` `interop_with_gsl_at` like `at_tests` `std_span`
I was just looking at the
gsl::at
overloads and don't understand theExpects
check. For example for the C style array version.Checking that
i
is non-negative makes sense. But why is theni
checked againstnarrow_cast<index>(N)
? For example on a 32 bit platform when having an array with 0xff'ff'ff'ff elements and when accessing elementi==0
why would I want to check thati<narrow_cast<index>(0xff'ff'ff'ff)
which isi<-1
? Wouldn't it make more sense to checknarrow_cast<std::size_t>(i) < N
?The same question applies to the other overloads of
gsl::at
.The text was updated successfully, but these errors were encountered: