Hi Bruno,
thanks for replying so quickly.
Let's assume I have a procedure
void *
foo_create (size_t n)
{
  void *foo = malloc (a + n * b);
  if (foo == NULL)
    ...;
  ...
  return foo;
}
I want 'foo_create' to handle possible overflows. To me, it seems that I should use the xsize module for this and replace 'a + n * b' accordingly, because I have no easy local control over "-ftrapv". This seems to force, however, that the 'n' parameter of 'foo_create' has to be a size_t and not an idx_t. Unless I want possibly unsafe casts in my program, this forces the code interacting with 'foo_create' to use 'size_t' instead of 'idx_t' as well, which somewhat seems to forfeit the advantages of 'idx_t'.
That's why I am wondering whether it makes sense to have an xsize module that uses idx_t instead of size_t.
PS Another question related to idx_t: Often I code something like:
void
f (size_t n, size_t i)
{
  assure (i < n);
  ...
}
Now, if I replaced unsigned by signed ints, I guess I should write
void
f (idx_t n, idx_t i)
{
  assure (i < n);
  assure (0 <= i);
  ...
}
But this makes the code more complicated... :(
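A worked version of the two sketches in the message above, added here as an editorial example; it is not code from the message, nor gnulib's xsize, idx or intprops modules. It keeps 'n' as a signed idx_t and computes 'a + n * b' with the GCC/Clang overflow builtins instead of saturating size_t arithmetic, so a negative or oversized 'n' is rejected before malloc is called. The names idx_t (defined locally as ptrdiff_t), IDX_MAX, checked_size, size_or_minus1, idx_in_range and the constants FOO_HEADER and FOO_ELEM are choices made for this illustration; the range check at the end folds the two assure calls of the PS into one comparison via the usual unsigned-cast idiom, which is only valid when 'n' is known to be non-negative.

```c
/* Added example: overflow-checked sizing with a signed index type.
   Assumes GCC or Clang for __builtin_{add,mul}_overflow (C23 offers
   ckd_add/ckd_mul in <stdckdint.h> as the standard equivalent). */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef ptrdiff_t idx_t;          /* local stand-in for gnulib's idx_t */
#define IDX_MAX PTRDIFF_MAX

/* Constructed values standing in for the 'a' and 'b' of the message. */
#define FOO_HEADER 16
#define FOO_ELEM 8

/* Compute a + n * b in idx_t without wraparound.  Every operand must be
   non-negative, and the result must fit in idx_t; otherwise return false
   and leave *result untouched.  */
static bool
checked_size (idx_t a, idx_t n, idx_t b, idx_t *result)
{
  idx_t prod, sum;
  if (a < 0 || n < 0 || b < 0)
    return false;
  if (__builtin_mul_overflow (n, b, &prod))
    return false;
  if (__builtin_add_overflow (a, prod, &sum))
    return false;
  *result = sum;
  return true;
}

/* Helper for checking: the computed size, or -1 if it would overflow.  */
idx_t
size_or_minus1 (idx_t a, idx_t n, idx_t b)
{
  idx_t r;
  return checked_size (a, n, b, &r) ? r : -1;
}

/* foo_create from the message, with a signed 'n'.  Overflow is reported
   the same way as allocation failure (NULL, errno = ENOMEM), so callers
   keep a single error path.  */
void *
foo_create (idx_t n)
{
  idx_t size;
  if (!checked_size (FOO_HEADER, n, FOO_ELEM, &size))
    {
      errno = ENOMEM;
      return NULL;
    }
  /* size is non-negative here, so the conversion to size_t is lossless.  */
  return malloc ((size_t) size);
}

/* The PS range check for signed indices, as one comparison: a negative i
   converts to a size_t larger than any non-negative n.  Precondition:
   n >= 0 (for a negative n the idiom would wrongly accept indices).  */
bool
idx_in_range (idx_t i, idx_t n)
{
  return (size_t) i < (size_t) n;
}

int
main (void)
{
  void *p = foo_create (10);
  printf ("foo_create (10): %s\n", p ? "allocated" : "failed");
  free (p);
  printf ("foo_create (IDX_MAX): %s\n",
          foo_create (IDX_MAX) ? "allocated" : "rejected");
  printf ("foo_create (-1): %s\n",
          foo_create (-1) ? "allocated" : "rejected");
  printf ("idx_in_range (-1, 10): %d\n", idx_in_range (-1, 10));
  return 0;
}
```

Callers of this foo_create can keep using idx_t throughout; the only size_t appears at the malloc call, after the value has been proven non-negative.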