Boundary checking in operator[]

[marton78]

Hi,

I saw you removed boundary checking in operator[], but later you undid that change. What is your rationale of either adding or removing it?

My view is, that the general C++ philosophy of zero-cost abstractions and "don't pay for what you don't use" is violated by performing bounds checking when indexing. Indexing should be unchecked, if the user desires boundary checking behaviour, she can always opt-in by using the at() member function.

This is the general consensus in the STL, e.g. in std::vector and std::array.

What do you think?

Thanks,
Márton

[martinmoene]

span is part of the GSL Bounds safety profile.

Quoting:

Bounds.1: Don't use pointer arithmetic. Use span instead.
Reason
Pointers should only refer to single objects, and pointer arithmetic is fragile and easy to get wrong. span is a bounds-checked, safe type for accessing arrays of data.

Microsoft's GSL indeed performs the check in:

#include <gsl.h>
#include <iostream>

int use( gsl::span<int> s, int i ) 
{
    return s[i];
}

int main()
{
    int arr[] = { 1, 2, 3, };

    try
    {
        (void) use( arr, 0 );
        (void) use( arr, 1 );
        (void) use( arr, 2 );
        (void) use( arr, 3 );
    }
    catch( std::exception const & e )
    {
        std::cout << "Error: " << e.what();
    }
}

Compile (g++ (GCC) 5.2.0) and run (M-GSL):

prompt> g++ -Wall -std=c++14 -DGSL_THROW_ON_CONTRACT_VIOLATION -I../../M-GSL/include -o main.exe main.cpp && main.exe
Error: GSL: Precondition failure at ../../M-GSL/include/span.h: 388

Compile (g++ (GCC) 5.2.0) and run (gsl-lite):

prompt> g++ -Wall -std=c++14 -DGSL_THROW_ON_CONTRACT_VIOLATION -I../../gsl-lite/include -o main.exe main.cpp && main.exe
Error: GSL: Precondition failure at ../../gsl-lite/include/gsl/gsl-lite.h: 835