On Thu Nov 17 10:31:38 2022 +0000, Giovanni Mascellani wrote:
> I don't see a real difference between violating an invariant by accident or by cosmic ray. To me any program configuration either can be reached for some user input (which is legitimate, i.e., not considered to cause undefined behavior) or it can't. In the first case an error message must be outputted, in the second case an assertion must be triggered (and `vkd3d_unreachable()` is just a better `assert(0)`). Just my two cents, though.
To me, the difference is: invariants which might be violated by accident deserve to be written in the code to remind the reader of the invariant, and they deserve a warning to be printed if they're violated. By contrast, invariants which can only be violated via memory corruption should, in theory, not even be written in the code—simply because memory corruption can happen anywhere and it's a waste of time to write those assertions. In my opinion the only reason we have vkd3d_unreachable() in things like switch default cases is that the compiler would warn otherwise.
I did forget that vkd3d_unreachable() actually effectively includes an assert, though; I thought it was always equivalent to __builtin_unreachable().
Maybe both types should be vkd3d_unreachable(), though, as it is. I.e. if you're a user who trusts the programmer to not violate their own invariants, and you want the most efficient code...
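The three classes of invariant discussed in this thread, as an added C example (not vkd3d's own code; `ILLUSTRATIVE_UNREACHABLE` is an assumed stand-in for `vkd3d_unreachable()`, and the opcode enum is constructed for the example):

```c
/* Added example, not vkd3d code. ILLUSTRATIVE_UNREACHABLE is an assumption
 * about what an assert-backed "unreachable" helper looks like: an assert in
 * debug builds, a pure optimiser hint once NDEBUG is defined. */
#include <assert.h>
#include <stdio.h>

#ifdef NDEBUG
#  define ILLUSTRATIVE_UNREACHABLE() __builtin_unreachable()
#else
#  define ILLUSTRATIVE_UNREACHABLE() \
        do { assert(0 && "unreachable"); __builtin_unreachable(); } while (0)
#endif

enum op { OP_ADD = 0, OP_SUB = 1, OP_NEG = 2, OP_COUNT };

/* Class 1: a state reachable from user input. A malformed opcode is a
 * legitimate (if invalid) input, so it gets an error message and a failure
 * return, never an assertion.
 * Class 3: whether `out` is still a valid pointer is not checked at all;
 * that can only go wrong through memory corruption, which is not worth an
 * assertion here. */
static int decode_op(unsigned int raw, enum op *out)
{
    if (raw >= OP_COUNT)
    {
        fprintf(stderr, "Invalid opcode %u.\n", raw);
        return -1;
    }
    *out = (enum op)raw;
    return 0;
}

/* Class 2: a programmer invariant. decode_op() guarantees `op` is a real
 * enumerator, so `default` is unreachable unless this file has a bug. The
 * assert documents that, and the unreachable hint keeps the compiler from
 * warning that control reaches the end of a non-void function. */
static int operand_count(enum op op)
{
    switch (op)
    {
        case OP_ADD:
        case OP_SUB:
            return 2;
        case OP_NEG:
            return 1;
        default:
            ILLUSTRATIVE_UNREACHABLE();
    }
}

/* Operand count for a raw opcode, or -1 when the input was rejected. */
int operands_for_raw_opcode(unsigned int raw)
{
    enum op op;
    if (decode_op(raw, &op) < 0)
        return -1;
    return operand_count(op);
}
```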