Wrong Expects in gsl::at? #1075
Comments
|
Off the top of my head while on vacation: I thought that having more elements than half the number of addressable locations generally isn't legal or practical anyway (IIRC of iterator requirements, pointer/iterator subtraction, I've paged out the exact reasons). So how about instead adding Edited to add: That is, instead of changing the run-time checks, add a compile-time check to disallow the case that would have other legality problems anyway? Then the run-time checks should be fine I think. Please correct if I missed something! |
- Change `Expects` for `at`: there is no need to convert the size. It is better to check the converted index. - Only support C style array `at` for up to half of the address space. - Add unit tests for `at()`. - Add `#include <exception>` - Add death check for `at()` overload that takes a `gsl::span`.
- Change `Expects` for `at`: there is no need to convert the size. It is better to check the converted index. - Add `static_assert` because we only support C style array `at` for up to half of the address space. - Add `#include <exception>` - Add death check for `at()` overload that takes a `gsl::span`.
|
Hi @hsutter, Is this your intended change? static_assert(N < std::numeric_limits<std::size_t>::max()/2-1);
Expects(i >= 0 && i < narrow_cast<index>(N));
return arr[narrow_cast<std::size_t>(i)];Is the static assert therefore effectively checking that If so, I wonder if it makes sense to simply take the suggested implementation of: Expects(i >= 0 && narrow_cast<std::size_t>(i) < N);
return arr[narrow_cast<std::size_t>(i)];Since this is more straightforward and does not impose a static assertion which can (probably?) never be violated anyways. |
That's the idea, and I would have suggested the above form but I habitually wanted to avoid writing a new mixed unsigned/signed comparison. I generally prefer static assertions where possible... shift-left. It shouldn't ever fire, but if it does it's valuable information. But I think the suggested implementation could be fine too. Let's see what @gdr-at-ms thinks ... I'm happy with whichever he prefers. |
- Change `Expects` for `at`: there is no need to convert the size. It is better to check the converted index. - Add `static_assert` because we only support C style array `at` for up to half of the address space. - Add `#include <exception>` - Add death check for `at()` overload that takes a `gsl::span`.
|
My PR suggests: The Regarding the |
- Change `Expects` for `at`: there is no need to convert the size. It is better to check the converted index. - Add `static_assert` because we only support C style array `at` for up to half of the address space. - Add `#include <exception>` - Add death check for `at()` overload that takes a `gsl::span`. - Add `std::` before `size_t`.
|
@beinhaerter indeed it looks like |
- Change `Expects` for `at`: there is no need to convert the size. It is better to check the converted index. - Add `static_assert` because we only support C style array `at` for up to half of the address space. - Add `#include <exception>` - Add death check for `at()` overload that takes a `gsl::span`. - Add `std::` before `size_t`.
#1075 - Add `static_assert` because we only support C style array `at` for up to half of the address space. - Add `std::` before `size_t`. - tests: - Add `#include <exception>` - Implement `span_tests` `interop_with_gsl_at` like `at_tests` `std_span`
I was just looking at the
gsl::atoverloads and don't understand theExpectscheck. For example for the C style array version.Checking that
iis non-negative makes sense. But why is thenichecked againstnarrow_cast<index>(N)? For example on a 32 bit platform when having an array with 0xff'ff'ff'ff elements and when accessing elementi==0why would I want to check thati<narrow_cast<index>(0xff'ff'ff'ff)which isi<-1? Wouldn't it make more sense to checknarrow_cast<std::size_t>(i) < N?The same question applies to the other overloads of
gsl::at.The text was updated successfully, but these errors were encountered: