From 4e5103a980765633a72a90b9f616bcc055306aa0 Mon Sep 17 00:00:00 2001
From: Paul Eggert
Date: Fri, 22 May 2026 17:19:33 -0700
Subject: Document PTRDIFF_MAX <= SIZE_MAX assumption

* src/alloc.c: New static_assert.
---
 src/alloc.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/alloc.c b/src/alloc.c
index 1f4e5434e74..d6f11d06766 100644
--- a/src/alloc.c
+++ b/src/alloc.c
@@ -638,6 +638,14 @@ static_assert (LISP_ALIGNMENT % GCALIGNMENT == 0);
 enum { MALLOC_IS_LISP_ALIGNED = alignof (max_align_t) % LISP_ALIGNMENT == 0 };
 static_assert (MALLOC_IS_LISP_ALIGNED);
 
+/* Most of Emacs does not assume PTRDIFF_MAX <= SIZE_MAX, and may use
+ expressions like min (PTRDIFF_MAX, SIZE_MAX) to port even to
+ theoretical platforms where the assumption does not hold.
+ However, some parts of Emacs pass nonnegative ptrdiff_t values to
+ allocator functions like xmalloc that expect size_t.
+ This is portable in practice; check it here to document the assumption. */
+static_assert (PTRDIFF_MAX <= SIZE_MAX);
+
 #define MALLOC_PROBE(size) \
 do { \
 if (profiler_memory_running) \
-- 
cgit v1.3
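Review bot: The added `static_assert (PTRDIFF_MAX <= SIZE_MAX);` covers only the upper end of the range, and the comment above it does not say what happens on the sign side. A negative ptrdiff_t passed to a size_t parameter converts to a very large size rather than being caught by this check, so the "nonnegative" in the comment is a precondition the callers must establish themselves. Those call sites are outside this hunk, so whether each one checks the sign cannot be confirmed from here. I would add one sentence to the comment, for example `A negative value would still convert to a huge size_t, so callers must ensure nonnegativity before the call.`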