Restrict unsafe_narrow, add unsafe_cast

Closes #1191

Restrict `unsafe_narrow` to narrowing cases and arithmetic types

Make `as` diagnose unsafe pointer casts, with a message to use `unsafe_cast` instead

Allow both `unsafe_narrow` and `unsafe_cast` to be used without `cpp2::` qualification in Cpp2 code

Add a new "unsafe casts" doc section

Remove some uses of `unsafe_narrow` in cppfront's own code that weren't actually narrowing

Example:

f: (i: i32, inout s: std::string) = {
    // j := i as i16;                     // error, maybe-lossy narrowing
    j := unsafe_narrow<i16>(i);           // ok, 'unsafe' is explicit

    pv: *void = s&;
    // pi := pv as *std::string;          // error, unsafe cast
    ps := unsafe_cast<*std::string>(pv);  // ok, 'unsafe' is explicit
    ps* = "plugh";
}

main: () = {
    str: std::string = "xyzzy";
    f( 42, str );
    std::cout << str;                     // prints: plush
}

Author: hsutter

docs/cpp2/expressions.md

@@ -99,7 +99,9 @@ _ = vec.emplace_back(1,2,3);
 For details, see [Design note: Explicit discard](https://github.com/hsutter/cppfront/wiki/Design-note%3A-Explicit-discard). In Cpp2, data is always initialized, data is never silently lost, data flow is always visible. Data is precious, and it's always safe.
 
 
-## <a id="is"></a> `is` — safe type/value queries
+## Type/value queries and casts
+
+### <a id="is"></a> `is` — safe type/value queries
 
 An `x is C` expression allows safe type and value queries, and evaluates to `#!cpp true` if `x` matches constraint `C`. It supports both static and dynamic queries, including customization, with support for standard library dynamic types like `std::variant`, `std::optional`, `std::expected`, and `std::any` provided out of the box.
 
@@ -147,7 +149,7 @@ Here are some `is` queries with their Cpp1 equivalents. In this table, uppercase
 > Note: `is` unifies a variety of differently-named Cpp1 language and library queries under one syntax, and supports only the type-safe ones.
 
 
-## <a id="as"></a> `as` — safe casts and conversions
+### <a id="as"></a> `as` — safe casts and conversions
 
 An `x as T` expression allows safe type casts. `x` must be an object or expression, and `T` must be a type. Like `is`, `as` supports both static and dynamic typing, including customization, with support for standard library dynamic types like `std::variant`, `std::optional`, `std::expected`, and `std::any` provided out of the box. For example:
 
@@ -184,6 +186,24 @@ Here are some `as` casts with their Cpp1 equivalents. In this table, uppercase n
 > Note: `as` unifies a variety of differently-named Cpp1 language and library casts and conversions under one syntax, and supports only the type-safe ones.
 
 
+### <a id="unsafe-casts"></a> Unsafe casts
+
+Unsafe casts must always be explicit.
+
+To perform a numeric narrowing cast, such as `i32` to `i16` or `u32`, use `unsafe_narrow<To>(from)`. For example:
+
+``` cpp title="Unsafe narrowing and casts must be explicit" hl_lines="2 3 6 7"
+f: (i: i32, inout s: std::string) = {
+    // j := i as i16;                     // error, maybe-lossy narrowing
+    j := unsafe_narrow<i16>(i);           // ok, 'unsafe' is explicit
+
+    pv: *void = s&;
+    // pi := pv as *std::string;          // error, unsafe cast
+    pi := unsafe_cast<*std::string>(pv);  // ok, 'unsafe' is explicit
+}
+```
+
+
 ## <a id="inspect"></a> `inspect` — pattern matching
 
 An `inspect expr -> Type = { /* alternatives */ }` expression allows pattern matching using `is`.
@@ -353,3 +373,4 @@ std::cout << "now x+2 is (x+2)$\n";
 ```
 
 A string literal capture can include a `:suffix` where the suffix is a [standard C++ format specification](https://en.cppreference.com/w/cpp/utility/format/spec). For example, `#!cpp (x.price(): <10.2f)$` evaluates `x.price()` and converts the result to a string with 10-character width, 2 digits of precision, and left-justified.
+

include/cpp2regex.h

@@ -3111,7 +3111,7 @@ size_t i{0};
                 auto number {0}; 
                 if (!(string_util::string_to_int(group, number, 8))) {return ctx.error("Could not convert octal to int."); }
 
-                char number_as_char {unsafe_narrow<char>(cpp2::move(number))}; 
+                char number_as_char {cpp2::unsafe_narrow<char>(cpp2::move(number))}; 
 
                 auto token {CPP2_UFCS_TEMPLATE(cpp2_new<char_token>)(cpp2::shared, number_as_char, ctx.get_modifiers().has(expression_flags::case_insensitive))}; 
                 (*cpp2::impl::assert_not_null(token)).set_string("\\" + cpp2::to_string(string_util::int_to_string<8>(cpp2::impl::as_<int>(cpp2::move(number_as_char)))) + "");
@@ -3462,7 +3462,7 @@ template<typename CharT, int group, bool case_insensitive> [[nodiscard]] auto gr
     if (!(string_util::string_to_int(cpp2::move(number_str), number, 16))) {return ctx.error("Could not convert hexadecimal to int."); }
 
     // TODO: Change for unicode.
-    char number_as_char {unsafe_narrow<char>(cpp2::move(number))}; 
+    char number_as_char {cpp2::unsafe_narrow<char>(cpp2::move(number))}; 
 
     std::string syntax {string_util::int_to_string<16>(cpp2::impl::as_<int>(number_as_char))}; 
     if (cpp2::move(has_brackets)) {
@@ -3605,7 +3605,7 @@ template<typename CharT, bool positive> [[nodiscard]] auto lookahead_token_match
     if (!(string_util::string_to_int(cpp2::move(number_str), number, 8))) {return ctx.error("Could not convert octal to int."); }
 
     // TODO: Change for unicode.
-    char number_as_char {unsafe_narrow<char>(cpp2::move(number))}; 
+    char number_as_char {cpp2::unsafe_narrow<char>(cpp2::move(number))}; 
 
     std::string syntax {"\\o{" + cpp2::to_string(string_util::int_to_string<8>(cpp2::impl::as_<int>(number_as_char))) + "}"}; 
     auto r {CPP2_UFCS_TEMPLATE(cpp2_new<char_token>)(cpp2::shared, cpp2::move(number_as_char), ctx.get_modifiers().has(expression_flags::case_insensitive))}; 
@@ -3981,7 +3981,7 @@ template<typename CharT, bool negate> [[nodiscard]] auto word_boundary_token_mat
         template <typename CharT, typename matcher_wrapper> template <typename Iter> regular_expression<CharT,matcher_wrapper>::search_return<Iter>::search_return(cpp2::impl::in<bool> matched_, context<Iter> const& ctx_, Iter const& pos_)
             : matched{ matched_ }
             , ctx{ ctx_ }
-            , pos{ unsafe_narrow<int>(std::distance(ctx_.begin, pos_)) }{
+            , pos{ cpp2::unsafe_narrow<int>(std::distance(ctx_.begin, pos_)) }{
 
 #line 2633 "cpp2regex.h2"
         }

include/cpp2util.h

@@ -1681,6 +1681,7 @@ inline constexpr auto is( X const& x, bool (*value)(X const&) ) -> bool {
 
 //  The 'as' cast functions are <To, From> so use that order here
 //  If it's confusing, we can switch this to <From, To>
+
 template< typename To, typename From >
 inline constexpr auto is_narrowing_v =
     // [dcl.init.list] 7.1
@@ -1694,7 +1695,20 @@ inline constexpr auto is_narrowing_v =
     (std::is_integral_v<From> && std::is_integral_v<To> && sizeof(From) > sizeof(To)) ||
     (std::is_enum_v<From> && std::is_integral_v<To> && sizeof(From) > sizeof(To)) ||
     // [dcl.init.list] 7.5
-    (std::is_pointer_v<From> && std::is_same_v<To, bool>);
+    (std::is_pointer_v<From> && std::is_same_v<To, bool>)
+    ;
+
+template< typename To, typename From >
+inline constexpr auto is_unsafe_pointer_conversion_v =
+    std::is_pointer_v<To>
+    && std::is_pointer_v<From>
+// Work around Clang <= 15 C++20 mode not conforming to C++20 P0929
+#if (defined(__clang_major__) && __clang_major__ <= 15)
+    && !std::is_same_v<std::remove_cvref_t<To>, void*>
+#else
+    && !requires (To t, From f) { t = f; }
+#endif
+    ;
 
 template <typename... Ts>
 inline constexpr auto program_violates_type_safety_guarantee = sizeof...(Ts) < 0;
@@ -1807,6 +1821,12 @@ auto as(auto&& x CPP2_SOURCE_LOCATION_PARAM_WITH_DEFAULT_AS) -> decltype(auto)
     {
         return Dynamic_cast<C>(CPP2_FORWARD(x));
     }
+    else if constexpr (
+        is_unsafe_pointer_conversion_v<C, CPP2_TYPEOF(x)>
+        )
+    {
+        return nonesuch;
+    }
     else if constexpr (requires { C{CPP2_FORWARD(x)}; }) {
         //  Experiment: Recognize the nested `::value_type` pattern for some dynamic library types
         //  like std::optional, and try to prevent accidental narrowing conversions even when
@@ -2242,7 +2262,23 @@ class finally_presuccess
 //-----------------------------------------------------------------------
 //
 template <typename C, typename X>
-constexpr auto unsafe_narrow( X&& x ) noexcept -> decltype(auto)
+constexpr auto unsafe_narrow( X x ) noexcept 
+    -> decltype(auto)
+    requires (
+        impl::is_narrowing_v<C, X>
+        || (
+            std::is_arithmetic_v<C>
+            && std::is_arithmetic_v<X>
+            )
+            )
+{
+    return static_cast<C>(x);
+}
+
+
+template <typename C, typename X>
+constexpr auto unsafe_cast( X&& x ) noexcept 
+    -> decltype(auto)
 {
     return static_cast<C>(CPP2_FORWARD(x));
 }
@@ -2291,16 +2327,16 @@ struct args
         int    curr;
     };
 
-    auto begin()  const -> iterator    { return iterator{ argc, argv, 0    }; }
-    auto end()    const -> iterator    { return iterator{ argc, argv, argc }; }
-    auto cbegin() const -> iterator    { return begin(); }
-    auto cend()   const -> iterator    { return end(); }
-    auto size()   const -> std::size_t { return cpp2::unsafe_narrow<std::size_t>(ssize()); }
-    auto ssize()  const -> int         { return argc; }
+    auto begin()  const -> iterator       { return iterator{ argc, argv, 0    }; }
+    auto end()    const -> iterator       { return iterator{ argc, argv, argc }; }
+    auto cbegin() const -> iterator       { return begin(); }
+    auto cend()   const -> iterator       { return end(); }
+    auto size()   const -> std::size_t    { return cpp2::unsafe_narrow<std::size_t>(ssize()); }
+    auto ssize()  const -> std::ptrdiff_t { return argc; }
 
     auto operator[](int i) const {
-        if (0 <= i && i < ssize())     { return std::string_view{ argv[i] }; }
-        else                           { return std::string_view{}; }
+        if (0 <= i && i < ssize())        { return std::string_view{ argv[i] }; }
+        else                              { return std::string_view{}; }
     }
 
     mutable int        argc = 0;        //  mutable for compatibility with frameworks that take 'int& argc'
@@ -2704,9 +2740,16 @@ inline constexpr auto as_( auto&& x ) -> decltype(auto)
     if constexpr (is_narrowing_v<C, CPP2_TYPEOF(x)>) {
         static_assert(
             program_violates_type_safety_guarantee<C, CPP2_TYPEOF(x)>,
-            "'as' does not allow unsafe narrowing conversions - if you're sure you want this, use `unsafe_narrow<T>()` to force the conversion"
+            "'as' does not allow unsafe possibly-lossy narrowing conversions - if you're sure you want this, use 'unsafe_narrow<T>' to explicitly force the conversion and possibly lose information"
         );
     }
+    else if constexpr (is_unsafe_pointer_conversion_v<C, CPP2_TYPEOF(x)>)
+    {
+        static_assert(
+            program_violates_type_safety_guarantee<C, CPP2_TYPEOF(x)>,
+            "'as' does not allow unsafe pointer conversions - if you're sure you want this, use `unsafe_cast<T>()` to explicitly force the unsafe cast"
+            );
+    }
     else if constexpr( std::is_same_v< CPP2_TYPEOF(as<C>(CPP2_FORWARD(x))), nonesuch_ > ) {
         static_assert(
             program_violates_type_safety_guarantee<C, CPP2_TYPEOF(x)>,
@@ -2724,8 +2767,8 @@ inline constexpr auto as_() -> decltype(auto)
         if constexpr( std::is_same_v< CPP2_TYPEOF((as<C, x>())), nonesuch_ > ) {
             static_assert(
                 program_violates_type_safety_guarantee<C, CPP2_TYPEOF(x)>,
-                "Literal cannot be narrowed using 'as' -  if you're sure you want this, use 'unsafe_narrow<T>()' to force the conversion"
-            );
+                "'as' does not allow unsafe possibly-lossy narrowing conversions - if you're sure you want this, use `unsafe_narrow<T>()` to explicitly force the conversion and possibly lose information"
+                );
         }
     }
     else {

regression-tests/pure2-unsafe.cpp2

@@ -0,0 +1,16 @@
+
+f: (i: i32, inout s: std::string) = {
+    // j := i as i16;                     // error, maybe-lossy narrowing
+    j := unsafe_narrow<i16>(i);           // ok, 'unsafe' is explicit
+
+    pv: *void = s&;
+    // pi := pv as *std::string;          // error, unsafe cast
+    ps := unsafe_cast<*std::string>(pv);  // ok, 'unsafe' is explicit
+    ps* = "plugh";
+}
+
+main: () = {
+    str: std::string = "xyzzy";
+    f( 42, str );
+    std::cout << str;
+}

regression-tests/test-results/clang-12-c++20/pure2-unsafe.cpp.execution

@@ -0,0 +1 @@
+plugh

regression-tests/test-results/gcc-10-c++20/pure2-unsafe.cpp.execution

@@ -0,0 +1 @@
+plugh

regression-tests/test-results/gcc-14-c++2b/mixed-bugfix-for-ufcs-non-local.cpp.output

@@ -1,41 +1,41 @@
 In file included from mixed-bugfix-for-ufcs-non-local.cpp:6:
 ../../../include/cpp2util.h:2100:1: error: lambda-expression in template parameter type
- 2100 | constexpr auto is( std::optional<U> const& x ) -> bool
+ 2100 | //
       | ^
 ../../../include/cpp2util.h:2137:59: note: in expansion of macro ‘CPP2_UFCS_’
- 2137 | //
+ 2137 |     //  Value case
       |                                                           ^         
 mixed-bugfix-for-ufcs-non-local.cpp2:13:12: note: in expansion of macro ‘CPP2_UFCS_NONLOCAL’
 mixed-bugfix-for-ufcs-non-local.cpp2:13:36: error: template argument 1 is invalid
 ../../../include/cpp2util.h:2100:1: error: lambda-expression in template parameter type
- 2100 | constexpr auto is( std::optional<U> const& x ) -> bool
+ 2100 | //
       | ^
 ../../../include/cpp2util.h:2137:59: note: in expansion of macro ‘CPP2_UFCS_’
- 2137 | //
+ 2137 |     //  Value case
       |                                                           ^         
 mixed-bugfix-for-ufcs-non-local.cpp2:21:12: note: in expansion of macro ‘CPP2_UFCS_NONLOCAL’
 mixed-bugfix-for-ufcs-non-local.cpp2:21:36: error: template argument 1 is invalid
 ../../../include/cpp2util.h:2100:1: error: lambda-expression in template parameter type
- 2100 | constexpr auto is( std::optional<U> const& x ) -> bool
+ 2100 | //
       | ^
 ../../../include/cpp2util.h:2137:59: note: in expansion of macro ‘CPP2_UFCS_’
- 2137 | //
+ 2137 |     //  Value case
       |                                                           ^         
 mixed-bugfix-for-ufcs-non-local.cpp2:31:12: note: in expansion of macro ‘CPP2_UFCS_NONLOCAL’
 mixed-bugfix-for-ufcs-non-local.cpp2:31:36: error: template argument 1 is invalid
 ../../../include/cpp2util.h:2100:1: error: lambda-expression in template parameter type
- 2100 | constexpr auto is( std::optional<U> const& x ) -> bool
+ 2100 | //
       | ^
 ../../../include/cpp2util.h:2137:59: note: in expansion of macro ‘CPP2_UFCS_’
- 2137 | //
+ 2137 |     //  Value case
       |                                                           ^         
 mixed-bugfix-for-ufcs-non-local.cpp2:33:12: note: in expansion of macro ‘CPP2_UFCS_NONLOCAL’
 mixed-bugfix-for-ufcs-non-local.cpp2:33:36: error: template argument 1 is invalid
 ../../../include/cpp2util.h:2100:1: error: lambda-expression in template parameter type
- 2100 | constexpr auto is( std::optional<U> const& x ) -> bool
+ 2100 | //
       | ^
 ../../../include/cpp2util.h:2137:59: note: in expansion of macro ‘CPP2_UFCS_’
- 2137 | //
+ 2137 |     //  Value case
       |                                                           ^         
 mixed-bugfix-for-ufcs-non-local.cpp2:21:12: note: in expansion of macro ‘CPP2_UFCS_NONLOCAL’
 mixed-bugfix-for-ufcs-non-local.cpp2:21:36: error: template argument 1 is invalid

regression-tests/test-results/gcc-14-c++2b/pure2-unsafe.cpp.execution

@@ -0,0 +1 @@
+plugh

regression-tests/test-results/msvc-2022-c++latest/pure2-unsafe.cpp.execution

@@ -0,0 +1 @@
+plugh

regression-tests/test-results/msvc-2022-c++latest/pure2-unsafe.cpp.output

@@ -0,0 +1 @@
+pure2-unsafe.cpp