diff options
Diffstat (limited to 'gl/idx.h')
-rw-r--r-- | gl/idx.h | 134 |
1 files changed, 134 insertions, 0 deletions
diff --git a/gl/idx.h b/gl/idx.h new file mode 100644 index 0000000..23020b7 --- /dev/null +++ b/gl/idx.h | |||
@@ -0,0 +1,134 @@ | |||
1 | /* A type for indices and sizes. | ||
2 | Copyright (C) 2020-2023 Free Software Foundation, Inc. | ||
3 | This file is part of the GNU C Library. | ||
4 | |||
5 | The GNU C Library is free software; you can redistribute it and/or | ||
6 | modify it under the terms of the GNU Lesser General Public | ||
7 | License as published by the Free Software Foundation; either | ||
8 | version 2.1 of the License, or (at your option) any later version. | ||
9 | |||
10 | The GNU C Library is distributed in the hope that it will be useful, | ||
11 | but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | ||
13 | Lesser General Public License for more details. | ||
14 | |||
15 | You should have received a copy of the GNU Lesser General Public | ||
16 | License along with the GNU C Library; if not, see | ||
17 | <https://www.gnu.org/licenses/>. */ | ||
18 | |||
19 | #ifndef _IDX_H | ||
20 | #define _IDX_H | ||
21 | |||
22 | /* Get ptrdiff_t. */ | ||
23 | #include <stddef.h> | ||
24 | |||
25 | /* Get PTRDIFF_MAX. */ | ||
26 | #include <stdint.h> | ||
27 | |||
28 | /* The type 'idx_t' holds an (array) index or an (object) size. | ||
29 | Its implementation promotes to a signed integer type, | ||
30 | which can hold the values | ||
31 | 0..2^63-1 (on 64-bit platforms) or | ||
32 | 0..2^31-1 (on 32-bit platforms). | ||
33 | |||
34 | Why a signed integer type? | ||
35 | |||
36 | * Security: Signed types can be checked for overflow via | ||
37 | '-fsanitize=undefined', but unsigned types cannot. | ||
38 | |||
39 | * Comparisons without surprises: ISO C99 § 6.3.1.8 specifies a few | ||
40 | surprising results for comparisons, such as | ||
41 | |||
42 | (int) -3 < (unsigned long) 7 => false | ||
43 | (int) -3 < (unsigned int) 7 => false | ||
44 | and on 32-bit machines: | ||
45 | (long) -3 < (unsigned int) 7 => false | ||
46 | |||
47 | This is surprising because the natural comparison order is by | ||
48 | value in the realm of infinite-precision signed integers (ℤ). | ||
49 | |||
50 | The best way to get rid of such surprises is to use signed types | ||
51 | for numerical integer values, and use unsigned types only for | ||
52 | bit masks and enums. | ||
53 | |||
54 | Why not use 'size_t' directly? | ||
55 | |||
56 | * Because 'size_t' is an unsigned type, and a signed type is better. | ||
57 | See above. | ||
58 | |||
59 | Why not use 'ssize_t'? | ||
60 | |||
61 | * 'ptrdiff_t' is more portable; it is standardized by ISO C | ||
62 | whereas 'ssize_t' is standardized only by POSIX. | ||
63 | |||
64 | * 'ssize_t' is not required to be as wide as 'size_t', and some | ||
65 | now-obsolete POSIX platforms had 'size_t' wider than 'ssize_t'. | ||
66 | |||
67 | * Conversely, some now-obsolete platforms had 'ptrdiff_t' wider | ||
68 | than 'size_t', which can be a win and conforms to POSIX. | ||
69 | |||
70 | Won't this cause a problem with objects larger than PTRDIFF_MAX? | ||
71 | |||
72 | * Typical modern or large platforms do not allocate such objects, | ||
73 | so this is not much of a problem in practice; for example, you | ||
74 | can safely write 'idx_t len = strlen (s);'. To port to older | ||
75 | small platforms where allocations larger than PTRDIFF_MAX could | ||
76 | in theory be a problem, you can use Gnulib's ialloc module, or | ||
77 | functions like ximalloc in Gnulib's xalloc module. | ||
78 | |||
79 | Why not use 'ptrdiff_t' directly? | ||
80 | |||
81 | * Maintainability: When reading and modifying code, it helps to know that | ||
82 | a certain variable cannot have negative values. For example, when you | ||
83 | have a loop | ||
84 | |||
85 | int n = ...; | ||
86 | for (int i = 0; i < n; i++) ... | ||
87 | |||
88 | or | ||
89 | |||
90 | ptrdiff_t n = ...; | ||
91 | for (ptrdiff_t i = 0; i < n; i++) ... | ||
92 | |||
93 | you have to ask yourself "what if n < 0?". Whereas in | ||
94 | |||
95 | idx_t n = ...; | ||
96 | for (idx_t i = 0; i < n; i++) ... | ||
97 | |||
98 | you know that this case cannot happen. | ||
99 | |||
100 | Similarly, when a programmer writes | ||
101 | |||
102 | idx_t = ptr2 - ptr1; | ||
103 | |||
104 | there is an implied assertion that ptr1 and ptr2 point into the same | ||
105 | object and that ptr1 <= ptr2. | ||
106 | |||
107 | * Being future-proof: In the future, range types (integers which are | ||
108 | constrained to a certain range of values) may be added to C compilers | ||
109 | or to the C standard. Several programming languages (Ada, Haskell, | ||
110 | Common Lisp, Pascal) already have range types. Such range types may | ||
111 | help producing good code and good warnings. The type 'idx_t' could | ||
112 | then be typedef'ed to a range type that is signed after promotion. */ | ||
113 | |||
114 | /* In the future, idx_t could be typedef'ed to a signed range type. | ||
115 | The clang "extended integer types", supported in Clang 11 or newer | ||
116 | <https://clang.llvm.org/docs/LanguageExtensions.html#extended-integer-types>, | ||
117 | are a special case of range types. However, these types don't support binary | ||
118 | operators with plain integer types (e.g. expressions such as x > 1). | ||
119 | Therefore, they don't behave like signed types (and not like unsigned types | ||
120 | either). So, we cannot use them here. */ | ||
121 | |||
122 | /* Use the signed type 'ptrdiff_t'. */ | ||
123 | /* Note: ISO C does not mandate that 'size_t' and 'ptrdiff_t' have the same | ||
124 | size, but it is so on all platforms we have seen since 1990. */ | ||
125 | typedef ptrdiff_t idx_t; | ||
126 | |||
127 | /* IDX_MAX is the maximum value of an idx_t. */ | ||
128 | #define IDX_MAX PTRDIFF_MAX | ||
129 | |||
130 | /* So far no need has been found for an IDX_WIDTH macro. | ||
131 | Perhaps there should be another macro IDX_VALUE_BITS that does not | ||
132 | count the sign bit and is therefore one less than PTRDIFF_WIDTH. */ | ||
133 | |||
134 | #endif /* _IDX_H */ | ||