Closed asoffer closed 2 years ago
+1 for ensuring string literals are null-terminated.
Closing this as a decision is made. The extra byte seems worth the cost for ease of interacting with C-APIs. We will want strong static analysis determining the presence of null terminator. We'll also want to be careful about specification. For example it can't be illegal to access data through a slice even if that data is not contained inside the slice (because the null terminator won't be).
So it would need to be legal to do something like:
s ::= "hello world"
my_slice := slice(s.data, 5)
my_slice[7] // We don't have to allow this syntax, but we do have to allow access through the slice in this way.
I'm confident we can make this work without too much trouble.
The obvious benefit here is being able to pass a "hello".data to a C API without thinking about it. However, Since the advent of
std::string_view
in C++ (which is effectively identical to our[]char
, we see many instances where people access the data pointer incorrectly.Another option is, if we have compile-time verifiable preconditions, building a "provably null-terminated" precondition on most C APIs.