1/* A type for indices and sizes.
2 Copyright (C) 2020-2022 Free Software Foundation, Inc.
3 This file is part of the GNU C Library.
4
5 The GNU C Library is free software; you can redistribute it and/or
6 modify it under the terms of the GNU Lesser General Public
7 License as published by the Free Software Foundation; either
8 version 2.1 of the License, or (at your option) any later version.
9
10 The GNU C Library is distributed in the hope that it will be useful,
11 but WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 Lesser General Public License for more details.
14
15 You should have received a copy of the GNU Lesser General Public
16 License along with the GNU C Library; if not, see
17 <https://www.gnu.org/licenses/>. */
18
19#ifndef _IDX_H
20#define _IDX_H
21
22/* Get ptrdiff_t. */
23#include <stddef.h>
24
25/* Get PTRDIFF_MAX. */
26#include <stdint.h>
27
28/* The type 'idx_t' holds an (array) index or an (object) size.
29 Its implementation promotes to a signed integer type,
30 which can hold the values
31 0..2^63-1 (on 64-bit platforms) or
32 0..2^31-1 (on 32-bit platforms).
33
34 Why a signed integer type?
35
36 * Security: Signed types can be checked for overflow via
37 '-fsanitize=undefined', but unsigned types cannot.
38
39 * Comparisons without surprises: ISO C99 § 6.3.1.8 specifies a few
40 surprising results for comparisons, such as
41
42 (int) -3 < (unsigned long) 7 => false
43 (int) -3 < (unsigned int) 7 => false
44 and on 32-bit machines:
45 (long) -3 < (unsigned int) 7 => false
46
47 This is surprising because the natural comparison order is by
48 value in the realm of infinite-precision signed integers (ℤ).
49
50 The best way to get rid of such surprises is to use signed types
51 for numerical integer values, and use unsigned types only for
52 bit masks and enums.
53
54 Why not use 'size_t' directly?
55
56 * Because 'size_t' is an unsigned type, and a signed type is better.
57 See above.
58
59 Why not use 'ptrdiff_t' directly?
60
61 * Maintainability: When reading and modifying code, it helps to know that
62 a certain variable cannot have negative values. For example, when you
63 have a loop
64
65 int n = ...;
66 for (int i = 0; i < n; i++) ...
67
68 or
69
70 ptrdiff_t n = ...;
71 for (ptrdiff_t i = 0; i < n; i++) ...
72
73 you have to ask yourself "what if n < 0?". Whereas in
74
75 idx_t n = ...;
76 for (idx_t i = 0; i < n; i++) ...
77
78 you know that this case cannot happen.
79
80 Similarly, when a programmer writes
81
82 idx_t = ptr2 - ptr1;
83
84 there is an implied assertion that ptr1 and ptr2 point into the same
85 object and that ptr1 <= ptr2.
86
87 * Being future-proof: In the future, range types (integers which are
88 constrained to a certain range of values) may be added to C compilers
89 or to the C standard. Several programming languages (Ada, Haskell,
90 Common Lisp, Pascal) already have range types. Such range types may
91 help producing good code and good warnings. The type 'idx_t' could
92 then be typedef'ed to a range type that is signed after promotion. */
93
94/* In the future, idx_t could be typedef'ed to a signed range type.
95 The clang "extended integer types", supported in Clang 11 or newer
96 <https://clang.llvm.org/docs/LanguageExtensions.html#extended-integer-types>,
97 are a special case of range types. However, these types don't support binary
98 operators with plain integer types (e.g. expressions such as x > 1).
99 Therefore, they don't behave like signed types (and not like unsigned types
100 either). So, we cannot use them here. */
101
102/* Use the signed type 'ptrdiff_t'. */
103/* Note: ISO C does not mandate that 'size_t' and 'ptrdiff_t' have the same
104 size, but it is so on all platforms we have seen since 1990. */
105typedef ptrdiff_t idx_t;
106
107/* IDX_MAX is the maximum value of an idx_t. */
108#define IDX_MAX PTRDIFF_MAX
109
110/* So far no need has been found for an IDX_WIDTH macro.
111 Perhaps there should be another macro IDX_VALUE_BITS that does not
112 count the sign bit and is therefore one less than PTRDIFF_WIDTH. */
113
114#endif /* _IDX_H */
115

source code of glibc/include/idx.h