On 8/28/21 7:12 AM, Bruno Haible wrote:
> Or maybe the cause is the line
>   assume (0 <= inlen);
> At the entry point of a public function, it is better to use 'assert' than
> 'assume', IMO. 'assume' means "feel free to crash or press the red button
> if there is an invalid argument".
'assume' was the intent. A negative idx_t arg is an error as serious as
an out-of-range index in an array, and so should be undefined behavior.
We shouldn't sprinkle 'assert's all over the place for this: it should
be something built into the compiler and/or runtime system when one
enables runtime checking.
I put in the 'assume' only to help GCC generate better code (to let it
choose unsigned or signed division, whichever it thinks is faster).
That's overkill here and the 'assume's are evidently dust magnets so I
removed the 'assume's in the patch I recently installed.
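To make the 'assume' versus 'assert' distinction concrete, here is a small added example (not gnulib's code): a simplified stand-in for the 'assume' macro that can be switched into a checking mode with -DASSUME_CHECKED, an internal helper that relies on it, and a public entry point that validates its idx_t argument instead. The macro, the helper and the -DASSUME_CHECKED switch are assumptions of this example, not gnulib's actual definitions.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>

/* gnulib's idx_t is a signed index type; ptrdiff_t stands in for it here.  */
typedef ptrdiff_t idx_t;

/* Simplified stand-in for gnulib's 'assume' (an assumption of this example,
   not the real verify.h macro).  A false predicate is undefined behaviour,
   so the compiler may optimize as if the predicate always held.  Compiling
   with -DASSUME_CHECKED turns every 'assume' into an 'assert' instead,
   i.e. the runtime-checking mode the reply above wants the toolchain to
   provide rather than hand-placed asserts.  */
#if defined ASSUME_CHECKED
# define assume(R) assert (R)
#elif defined __GNUC__
# define assume(R) ((R) ? (void) 0 : __builtin_unreachable ())
#else
# define assume(R) ((void) 0)
#endif

enum { BLOCK = 3 };

/* Internal helper.  The caller guarantees 0 <= inlen; stating that lets the
   compiler compile the signed division below as an unsigned one.  A
   negative inlen here is a caller bug and is undefined behaviour.  */
static idx_t
blocks_needed_internal (idx_t inlen)
{
  assume (0 <= inlen);
  return (inlen + (BLOCK - 1)) / BLOCK;
}

/* Public entry point.  Instead of 'assume'-ing on an untrusted argument,
   reject a negative length, and a length so large that the rounding in the
   helper would overflow, by returning -1 so the caller can detect the bug.  */
idx_t
blocks_needed (idx_t inlen)
{
  if (inlen < 0 || inlen > PTRDIFF_MAX - (BLOCK - 1))
    return -1;
  return blocks_needed_internal (inlen);
}
```

With -fsanitize=undefined (which includes the unreachable check), reaching the __builtin_unreachable branch of this 'assume' is reported at run time in GCC and Clang builds.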