Abstract: This discusses safespan and nspan.

Motive: It's easy to forget to check the size of an array and containers.
Ex 1:
if (argv[i] == '-o') outfile = argc[i+1]; //oops, out of bounds
Ex 2:
while(left<end) {
    if (sz[left] == '\\')
        switch (sz[left+1]) { //oops
            case 'n': output.push('\n');

We can avoid this with safespan. The rules for safespan
1. Must be constructed with a valid pointer when length > 0
2. Subscript operator may only accept
    A. Literal known to be within bounds
    B. A (loop) variable that has been checked against the length
3. Invalidates rule 2 when modified

Let us rewrite the first example

Ex 3:
int main(int argc, char *argv[]) {
    std::string outfile;
    std::safespan<char*> args{argv, argc};
    while(args.size()) {
        if (args[0][0] == '-' && args.size() > 1) {
            if (args[0][1] == 'o') { //char* isn't safespan so bounds are not checked
                outfile = args[1]; //ok, checked above
                args=args.slice(2) //ok, 2 may put this to the end which means args is empty
                continue;

- args is initialized with a valid pointer and length
- Because args.size() only enters the loop when size > 0 we may access args[0]
- args.size() > 1 in the if, it unlocks args[1] inside the second if
- 'args=args.slice(2)' modifies the object, so subscript is illegal until size/bounds is checked again

Ex 4:
  for (int i=0; i<args.size(); i++) {
    auto arg = args[i] //ok

Example 4 uses rule 2b. Since i has been init to 0 (or greater), only incremented by a positive literal (i++ is the same as i += 1) and is checked against the size it is allowed to be used as an index.

Compilers may include additional logic for better bounds detection (ex int i = sqrt(args.size()) ) but it shall be non-standard and should include a compile flag to enable

nspan has the same idea of safespan except the length is known at compile time. We don't use span because present day code uses it differently. For example you can not pass span into a function with the same type but smaller length.
The rules for nspan are
- Minimum length is known at compile time
- The implementation must use a single pointer which may be optimized out
- May be implicitly converted to a nspan of same or smaller size but never larger
- Follows the same rules as safespan

Ex 5:

bool IsPNGHeader(const std::nspan<char, 8> data);
void test() {
    char valid_png_header[] = ...
    assert(IsPNGHeader(valid_png_header));
}
int test_file(std::string filename) {
    std::safespan<char> file = LoadFile(filename);
    if (file.size() < 1234)
        return
    assert(IsPNGHeader(file))

- IsPNGHeader wants a pointer to a char type with at least 8 elements
- valid_png_header is a constant known to be 8 bytes so the compiler allows an implicit conversion
- No bounds check happens in test() or IsPNGHeader
- LoadFile may return a 0 length pointer so nspan can not be used (length isn't known at compile time)
- Since file is a safespan type, the compiler pays attention that the if statement compares to a literal and returns. After the return statement, the compiler can reason that file.size() >= 1234
- Since 1234 is > 8 the compiler may cast the data pointer as a nspan<char, 8>, where the rest of the code doesn't do any runtime length checks
- test_file does exactly one size check It's done with safespan which contains both pointer and length. There's no way a compiler can know the length of a file created and accessed in the future at runtime.

Ex 6:

check8(const std::nspan<char, 8> data) { /* empty*/ }
check36(const std::nspan<char, 36> data) {
    check8(data); 
    check8(data.slice(20)); //creates nspan<char, 16>
}
check4096(const std::nspan<char, 4096> data) { check36(data) }
int main() {
    char buf[4096]={0};
    check4096(buf)
}

Here the program requires 0 runtime bounds checking. Because it is useful to have implicit conversions it should be ambiguous to use function overloading when the nspan parameter is the only difference