Page "Cyclone (programming language)" Paragraph 36

This tells the Cyclone compiler that the argument to should never be, avoiding the aforementioned undefined behavior.

The simple change of to saves the programmer from having to write checks and the operating system from having to trap pointer dereferences.

This extra limit, however, can be a rather large stumbling block for most C programmers, who are used to being able to manipulate their pointers directly with arithmetic.

Although this is desirable, it can lead to buffer overflows and other " off-by-one "- style mistakes.

To avoid this, the pointer type is delimited by a known bound, the size of the array.

Although this adds overhead due to the extra information stored about the pointer, it improves safety and security.

Take for instance a simple ( and naïve ) function, written in C: