Change 'unsafe_*' to 'unchecked_*', and recommend discard instead of 'as void'

For replacing 'unsafe_*': Thanks to Redditor @tialaramex for their suggestion here, presuasively citing Rust's naming style (and thanks to the Rust designers too for the inspiration):
https://www.reddit.com/r/cpp/comments/1euacbu/cpp2_is_looking_absolutely_great_will_convert/liy6g8r/

For replacing 'as void': Thanks to @Velocirobtor and @JohelEGP for their suggestions on improving this diagnostic in the hsutter#1279 comment thread.

Author: hsutter

docs/cpp2/expressions.md

@@ -186,20 +186,20 @@ Here are some `as` casts with their Cpp1 equivalents. In this table, uppercase n
 > Note: `as` unifies a variety of differently-named Cpp1 language and library casts and conversions under one syntax, and supports only the type-safe ones.
 
 
-### <a id="unsafe-casts"></a> Unsafe casts
+### <a id="unchecked-casts"></a> Unchecked (explicitly type-unsafe) casts
 
-Unsafe casts must always be explicit.
+Casts that are not known to be type-safe at compile time must always be explicit.
 
-To perform a numeric narrowing cast, such as `i32` to `i16` or `u32`, use `unsafe_narrow<To>(from)`. For example:
+To perform a numeric narrowing cast, such as `i32` to `i16` or `u32`, use `unchecked_narrow<To>(from)`. Otherwise, if you must perform any other type-unsafe cast, use `unchecked_cast<To>(from)`. For example:
 
-``` cpp title="Unsafe narrowing and casts must be explicit" hl_lines="2 3 6 7"
+``` cpp title="Type-unsafe narrowing and casts must be explicit" hl_lines="2 3 6 7"
 f: (i: i32, inout s: std::string) = {
     // j := i as i16;                     // error, maybe-lossy narrowing
-    j := unsafe_narrow<i16>(i);           // ok, 'unsafe' is explicit
+    j := unchecked_narrow<i16>(i);           // ok, 'unchecked' is explicit
 
     pv: *void = s&;
-    // pi := pv as *std::string;          // error, unsafe cast
-    pi := unsafe_cast<*std::string>(pv);  // ok, 'unsafe' is explicit
+    // pi := pv as *std::string;          // error, type-unsafe cast
+    pi := unchecked_cast<*std::string>(pv);  // ok, 'unchecked' is explicit
 }
 ```
 
@@ -383,4 +383,3 @@ std::cout << "now x+2 is (x+2)$\n";
 ```
 
 A string literal capture can include a `:suffix` where the suffix is a [standard C++ format specification](https://en.cppreference.com/w/cpp/utility/format/spec). For example, `#!cpp (x.price(): <10.2f)$` evaluates `x.price()` and converts the result to a string with 10-character width, 2 digits of precision, and left-justified.
-

docs/cpp2/metafunctions.md

@@ -337,7 +337,7 @@ Unlike C `#!cpp union`, this `@union` is safe to use because it always ensures o
 
 Unlike C++11 `std::variant`, this `@union` is easier to use because its alternatives are anonymous, and safer to use because each union type is a distinct type. [^variant]
 
-Each `@union` type has its own type-safe name, has clear and unambiguous named members, and safely encapsulates a discriminator to rule them all. Sure, it uses unsafe casts in the implementation, but they are fully encapsulated, where they can be tested once and be safe in all uses.
+Each `@union` type has its own type-safe name, has clear and unambiguous named members, and safely encapsulates a discriminator to rule them all. It uses type-unsafe casts in the implementation, but they are fully encapsulated, where they can be tested once and be safe in all uses.
 
 Because a `@union type` is still a `type`, it can naturally have other things normal types can have, such as template parameter lists and member functions:
 

docs/welcome/overview.md

@@ -25,7 +25,7 @@ main: () = {
 
 We can't make an improvement that large to C++ via gradual evolution to today's syntax, because some important changes would require changing the meaning of code written in today's syntax. For example, we can never change a language feature default in today's syntax, not even if the default creates a security vulnerability pitfall, because changing a default would break vast swathes of existing code. Having a distinct alternative syntax gives us a "bubble of new code" that doesn't exist today, and have:
 
-- **Freedom to make any desired improvement, without breaking any of today's code.** Cpp2 is designed to take all the consensus C++ best-practices guidance we already teach, and make them the default when using "syntax 2." Examples: Writing unsafe type casts is just not possible in Cpp2 syntax; and Cpp2 can change language defaults to make them simpler and safer. You can always "break the glass" when needed to violate the guidance, but you have to opt out explicitly to write unsafe code, so if the program has a bug you can grep for those places to look at first. For details, see [Design note: unsafe code](https://github.com/hsutter/cppfront/wiki/Design-note%3A-Unsafe-code).
+- **Freedom to make any desired improvement, without breaking any of today's code.** Cpp2 is designed to take all the consensus C++ best-practices guidance we already teach, and make them the default when using "syntax 2." Examples: Writing type-unsafe casts is just not possible in Cpp2 syntax; and Cpp2 can change language defaults to make them simpler and safer. You can always "break the glass" when needed to violate the guidance, but you have to opt out explicitly to write type-unsafe code (usually using the word `unchecked`), so if the program has a bug you can grep for those places to look at first. For details, see [Design note: unsafe code](https://github.com/hsutter/cppfront/wiki/Design-note%3A-Unsafe-code).
 
 - **Perfect link compatibility always on, perfect source compatibility always available (but you pay for it only if you use it).** Any type/function/object/namespace written in either syntax is always still just a normal C++ type/function/object/namespace, so any code or library written in either Cpp2 or today's C++ syntax ("Cpp1" for short) can seamlessly call each other, with no wrapping/marshaling/thunking. You can write a "mixed" source file that has both Cpp2 and Cpp1 code and get perfect backward C++ source compatibility (even SFINAE and macros), or you can write a "pure" all-Cpp2 source file and write code in a 10x simpler syntax.
 

include/cpp2regex.h

@@ -690,14 +690,14 @@ template <typename Iter> match_return<Iter>::match_return(){}
         if (cpp2::impl::cmp_greater_eq(group,max_groups) || !(CPP2_ASSERT_IN_BOUNDS(groups, group).matched)) {
             return 0; 
         }
-        return cpp2::unsafe_narrow<int>(std::distance(begin, CPP2_ASSERT_IN_BOUNDS(groups, group).end)); 
+        return cpp2::unchecked_narrow<int>(std::distance(begin, CPP2_ASSERT_IN_BOUNDS(groups, group).end)); 
     }
 #line 85 "cpp2regex.h2"
     template <typename CharT, typename Iter, int max_groups> [[nodiscard]] auto match_context<CharT,Iter,max_groups>::get_group_start(auto const& group) const& -> int{
         if (cpp2::impl::cmp_greater_eq(group,max_groups) || !(CPP2_ASSERT_IN_BOUNDS(groups, group).matched)) {
             return 0; 
         }
-        return cpp2::unsafe_narrow<int>(std::distance(begin, CPP2_ASSERT_IN_BOUNDS(groups, group).start)); 
+        return cpp2::unchecked_narrow<int>(std::distance(begin, CPP2_ASSERT_IN_BOUNDS(groups, group).start)); 
     }
 #line 91 "cpp2regex.h2"
     template <typename CharT, typename Iter, int max_groups> [[nodiscard]] auto match_context<CharT,Iter,max_groups>::get_group_string(auto const& group) const& -> std::string{
@@ -1109,7 +1109,7 @@ template<typename CharT, bool negate> [[nodiscard]] auto word_boundary_token_mat
         template <typename CharT, typename matcher_wrapper> template <typename Iter> regular_expression<CharT,matcher_wrapper>::search_return<Iter>::search_return(cpp2::impl::in<bool> matched_, context<Iter> const& ctx_, Iter const& pos_)
             : matched{ matched_ }
             , ctx{ ctx_ }
-            , pos{ cpp2::unsafe_narrow<int>(std::distance(ctx_.begin, pos_)) }{
+            , pos{ cpp2::unchecked_narrow<int>(std::distance(ctx_.begin, pos_)) }{
 
 #line 693 "cpp2regex.h2"
         }

include/cpp2regex.h2

@@ -80,13 +80,13 @@ match_context: <CharT, Iter, max_groups: int> type =
         if group >= max_groups || !groups[group].matched {
             return 0;
         }
-        return cpp2::unsafe_narrow<int>( std::distance(begin, groups[group].end) );
+        return cpp2::unchecked_narrow<int>( std::distance(begin, groups[group].end) );
     }
     get_group_start:  (in this, group) -> int = {
         if group >= max_groups || !groups[group].matched {
             return 0;
         }
-        return cpp2::unsafe_narrow<int>( std::distance(begin, groups[group].start) );
+        return cpp2::unchecked_narrow<int>( std::distance(begin, groups[group].start) );
     }
     get_group_string: (in this, group) -> std::string = {
         if group >= max_groups || !groups[group].matched {
@@ -689,7 +689,7 @@ regular_expression: <CharT, matcher_wrapper> type =
         operator=:(out this, matched_: bool, ctx_: context<Iter>, pos_: Iter) = {
             matched = matched_;
             ctx = ctx_;
-            pos = unsafe_narrow<int>(std::distance(ctx_.begin, pos_));
+            pos = unchecked_narrow<int>(std::distance(ctx_.begin, pos_));
         }
 
         group_number: (this)         = ctx..size();

include/cpp2util.h

@@ -2290,12 +2290,12 @@ class finally_presuccess
 
 //-----------------------------------------------------------------------
 //
-//  An implementation of GSL's narrow_cast with a clearly 'unsafe' name
+//  An implementation of GSL's narrow_cast with a clearly 'unchecked' name
 //
 //-----------------------------------------------------------------------
 //
 template <typename C, typename X>
-constexpr auto unsafe_narrow( X x ) noexcept 
+constexpr auto unchecked_narrow( X x ) noexcept 
     -> decltype(auto)
     requires (
         impl::is_narrowing_v<C, X>
@@ -2310,7 +2310,7 @@ constexpr auto unsafe_narrow( X x ) noexcept
 
 
 template <typename C, typename X>
-constexpr auto unsafe_cast( X&& x ) noexcept 
+constexpr auto unchecked_cast( X&& x ) noexcept 
     -> decltype(auto)
 {
     return static_cast<C>(CPP2_FORWARD(x));
@@ -2364,7 +2364,7 @@ struct args
     constexpr auto end()    const -> iterator       { return iterator{ argc, argv, argc }; }
     constexpr auto cbegin() const -> iterator       { return begin(); }
     constexpr auto cend()   const -> iterator       { return end(); }
-    constexpr auto size()   const -> std::size_t    { return cpp2::unsafe_narrow<std::size_t>(ssize()); }
+    constexpr auto size()   const -> std::size_t    { return cpp2::unchecked_narrow<std::size_t>(ssize()); }
     constexpr auto ssize()  const -> std::ptrdiff_t { return argc; }
 
     constexpr auto operator[](int i) const {
@@ -2496,7 +2496,7 @@ class range
                     return curr;
                 }
                 else {
-                    return unsafe_narrow<T>(curr);
+                    return unchecked_narrow<T>(curr);
                 }
             }
             else { 
@@ -2518,7 +2518,7 @@ class range
                     return curr + i;
                 }
                 else {
-                    return unsafe_narrow<T>(curr + i);
+                    return unchecked_narrow<T>(curr + i);
                 }
             }
             else {
@@ -2548,7 +2548,7 @@ class range
     constexpr auto end()    const -> const_iterator { return iterator{ first, last, last }; }
     constexpr auto begin()        -> iterator       { return iterator{ first, last, first }; }
     constexpr auto end()          -> iterator       { return iterator{ first, last, last }; }
-    constexpr auto size()   const -> std::size_t    { return unsafe_narrow<std::size_t>(ssize()); }
+    constexpr auto size()   const -> std::size_t    { return unchecked_narrow<std::size_t>(ssize()); }
     constexpr auto ssize()  const -> std::ptrdiff_t { return last - first; }
     constexpr auto empty()  const -> bool           { return first == last; }
 
@@ -2558,7 +2558,7 @@ class range
             return first;
         }
         else {
-            return unsafe_narrow<T>(first);
+            return unchecked_narrow<T>(first);
         }
     }
 
@@ -2569,7 +2569,7 @@ class range
             return --ret;
         }
         else {
-            auto ret = unsafe_narrow<T>(last);
+            auto ret = unchecked_narrow<T>(last);
             return --ret;
         }
     }
@@ -2581,7 +2581,7 @@ class range
                 return first + i;
             }
             else {
-                return unsafe_narrow<T>(first + i);
+                return unchecked_narrow<T>(first + i);
             }
         }
         else { 
@@ -2745,7 +2745,7 @@ CPP2_FORCE_INLINE constexpr auto cmp_mixed_signedness_check() -> void
         //  static_assert to reject the comparison is the right way to go.
         static_assert(
             program_violates_type_safety_guarantee<T, U>,
-            "mixed signed/unsigned comparison is unsafe - prefer using .ssize() instead of .size(), consider using std::cmp_less instead, or consider explicitly casting one of the values to change signedness by using 'as' or 'cpp2::unsafe_narrow'"
+            "mixed signed/unsigned comparison is unsafe - prefer using .ssize() instead of .size(), consider using std::cmp_less instead, or consider explicitly casting one of the values to change signedness by using 'as' or 'cpp2::unchecked_narrow'"
             );
     }
 }
@@ -2842,14 +2842,14 @@ constexpr auto as_( auto&& x ) -> decltype(auto)
     if constexpr (is_narrowing_v<C, CPP2_TYPEOF(x)>) {
         static_assert(
             program_violates_type_safety_guarantee<C, CPP2_TYPEOF(x)>,
-            "'as' does not allow unsafe possibly-lossy narrowing conversions - if you're sure you want this, use 'unsafe_narrow<T>' to explicitly force the conversion and possibly lose information"
+            "'as' does not allow unsafe possibly-lossy narrowing conversions - if you're sure you want this, use 'unchecked_narrow<T>' to explicitly force the conversion and possibly lose information"
         );
     }
     else if constexpr (is_unsafe_pointer_conversion_v<C, CPP2_TYPEOF(x)>)
     {
         static_assert(
             program_violates_type_safety_guarantee<C, CPP2_TYPEOF(x)>,
-            "'as' does not allow unsafe pointer conversions - if you're sure you want this, use `unsafe_cast<T>()` to explicitly force the unsafe cast"
+            "'as' does not allow unsafe pointer conversions - if you're sure you want this, use `unchecked_cast<T>()` to explicitly force the cast"
             );
     }
     else if constexpr( std::is_same_v< CPP2_TYPEOF(as<C>(CPP2_FORWARD(x))), nonesuch_ > ) {
@@ -2869,7 +2869,7 @@ constexpr auto as_() -> decltype(auto)
         if constexpr( std::is_same_v< CPP2_TYPEOF((as<C, x>())), nonesuch_ > ) {
             static_assert(
                 program_violates_type_safety_guarantee<C, CPP2_TYPEOF(x)>,
-                "'as' does not allow unsafe possibly-lossy narrowing conversions - if you're sure you want this, use `unsafe_narrow<T>()` to explicitly force the conversion and possibly lose information"
+                "'as' does not allow unsafe possibly-lossy narrowing conversions - if you're sure you want this, use `unchecked_narrow<T>()` to explicitly force the conversion and possibly lose information"
                 );
         }
     }

regression-tests/pure2-regex_01_char_matcher.cpp2

@@ -84,7 +84,7 @@ create_result: (resultExpr: std::string, r) -> std::string = {
 
         if next* == '-'  || next* == '+' {
           i := 0;
-          while i < cpp2::unsafe_narrow<int>(r.group_number()) next i++ {
+          while i < cpp2::unchecked_narrow<int>(r.group_number()) next i++ {
             pos := 0;
             if next* == '-' {
               pos = r.group_start(i);

regression-tests/pure2-regex_02_ranges.cpp2

@@ -84,7 +84,7 @@ create_result: (resultExpr: std::string, r) -> std::string = {
 
         if next* == '-'  || next* == '+' {
           i := 0;
-          while i < cpp2::unsafe_narrow<int>(r.group_number()) next i++ {
+          while i < cpp2::unchecked_narrow<int>(r.group_number()) next i++ {
             pos := 0;
             if next* == '-' {
               pos = r.group_start(i);

regression-tests/pure2-regex_03_wildcard.cpp2

@@ -84,7 +84,7 @@ create_result: (resultExpr: std::string, r) -> std::string = {
 
         if next* == '-'  || next* == '+' {
           i := 0;
-          while i < cpp2::unsafe_narrow<int>(r.group_number()) next i++ {
+          while i < cpp2::unchecked_narrow<int>(r.group_number()) next i++ {
             pos := 0;
             if next* == '-' {
               pos = r.group_start(i);

regression-tests/pure2-regex_04_start_end.cpp2

@@ -84,7 +84,7 @@ create_result: (resultExpr: std::string, r) -> std::string = {
 
         if next* == '-'  || next* == '+' {
           i := 0;
-          while i < cpp2::unsafe_narrow<int>(r.group_number()) next i++ {
+          while i < cpp2::unchecked_narrow<int>(r.group_number()) next i++ {
             pos := 0;
             if next* == '-' {
               pos = r.group_start(i);