Prefer static_assert to verify

Although static_assert is C11-specific, and Emacs remains on C99, it
has been backported to older compilers by Gnulib.  Gnulib has already
changed to prefer static_assert, and we can do the same.

* lib-src/asset-directory-tool.c (main_2):
* src/alloc.c (BLOCK_ALIGN, aligned_alloc, lisp_align_malloc)
(vectorlike_nbytes, allocate_pseudovector):
* src/android.c (android_globalize_reference, android_set_dashes):
* src/android.h:
* src/androidfont.c (androidfont_draw, androidfont_text_extents):
* src/androidvfs.c:
* src/bidi.c (BIDI_CACHE_MAX_ELTS_PER_SLOT, bidi_find_bracket_pairs):
* src/buffer.c (init_buffer_once):
* src/casefiddle.c (do_casify_multibyte_string):
* src/dispnew.c (scrolling_window, scrolling):
* src/editfns.c (styled_format):
* src/emacs-module.c (module_extract_big_integer):
* src/fileio.c (Fdo_auto_save):
* src/fns.c (next_almost_prime, hash_string):
* src/fringe.c (init_fringe):
* src/keyboard.h (kbd_buffer_store_event_hold):
* src/keymap.c:
* src/lisp.h (memclear, reduce_emacs_uint_to_hash_hash, modiff_incr):
* src/lread.c (skip_lazy_string):
* src/pdumper.c (dump_bignum, Fdump_emacs_portable)
(dump_do_dump_relocation, pdumper_load):
* src/process.c (make_process, Fmake_process, connect_network_socket):
* src/regex-emacs.c:
* src/sort.c (tim_sort):
* src/sysdep.c (init_random, SSIZE_MAX):
* src/thread.c:
* src/timefns.c (trillion_factor):
* src/unexelf.c:
* src/xterm.c (x_send_scroll_bar_event): Prefer static_assert to Gnulib
verify.  Remove import of verify.h, except when used for other reasons.

lib-src/asset-directory-tool.c

@@ -20,7 +20,7 @@ along with GNU Emacs.  If not, see <https://www.gnu.org/licenses/>.  */
 #include <config.h>
 
 #include <stdio.h>
-#include <verify.h>
+#include <assert.h>
 #include <fcntl.h>
 #include <errno.h>
 #include <byteswap.h>
@@ -236,7 +236,7 @@ main_2 (int fd, struct directory_tree *tree, size_t *offset)
   output[0] = (unsigned int) tree->st_size;
 #endif /* !WORDS_BIGENDIAN */
 
-  verify (sizeof output == 8 && sizeof output[0] == 4);
+  static_assert (sizeof output == 8 && sizeof output[0] == 4);
   if (!need_file_size)
     {
       if (write (fd, output + 1, 4) < 1)

src/alloc.c

@@ -709,7 +709,7 @@ buffer_memory_full (ptrdiff_t nbytes)
    where Emacs would crash if malloc returned a non-GCALIGNED pointer.  */
 enum { LISP_ALIGNMENT = alignof (union { union emacs_align_type x;
 					 GCALIGNED_UNION_MEMBER }) };
-verify (LISP_ALIGNMENT % GCALIGNMENT == 0);
+static_assert (LISP_ALIGNMENT % GCALIGNMENT == 0);
 
 /* True if malloc (N) is known to return storage suitably aligned for
    Lisp objects whenever N is a multiple of LISP_ALIGNMENT.  In
@@ -839,7 +839,7 @@ xfree (void *block)
 /* Other parts of Emacs pass large int values to allocator functions
    expecting ptrdiff_t.  This is portable in practice, but check it to
    be safe.  */
-verify (INT_MAX <= PTRDIFF_MAX);
+static_assert (INT_MAX <= PTRDIFF_MAX);
 
 
 /* Allocate an array of NITEMS items, each of size ITEM_SIZE.
@@ -1076,7 +1076,7 @@ lisp_free (void *block)
 #else  /* !HAVE_UNEXEC */
 # define BLOCK_ALIGN (1 << 15)
 #endif
-verify (POWER_OF_2 (BLOCK_ALIGN));
+static_assert (POWER_OF_2 (BLOCK_ALIGN));
 
 /* Use aligned_alloc if it or a simple substitute is available.
    Aligned allocation is incompatible with unexmacosx.c, so don't use
@@ -1096,11 +1096,11 @@ aligned_alloc (size_t alignment, size_t size)
 {
   /* POSIX says the alignment must be a power-of-2 multiple of sizeof (void *).
      Verify this for all arguments this function is given.  */
-  verify (BLOCK_ALIGN % sizeof (void *) == 0
-	  && POWER_OF_2 (BLOCK_ALIGN / sizeof (void *)));
-  verify (MALLOC_IS_LISP_ALIGNED
-	  || (LISP_ALIGNMENT % sizeof (void *) == 0
-	      && POWER_OF_2 (LISP_ALIGNMENT / sizeof (void *))));
+  static_assert (BLOCK_ALIGN % sizeof (void *) == 0
+		 && POWER_OF_2 (BLOCK_ALIGN / sizeof (void *)));
+  static_assert (MALLOC_IS_LISP_ALIGNED
+		 || (LISP_ALIGNMENT % sizeof (void *) == 0
+		     && POWER_OF_2 (LISP_ALIGNMENT / sizeof (void *))));
   eassert (alignment == BLOCK_ALIGN
 	   || (!MALLOC_IS_LISP_ALIGNED && alignment == LISP_ALIGNMENT));
 
@@ -1221,7 +1221,7 @@ lisp_align_malloc (size_t nbytes, enum mem_type type)
 #endif
 
 #ifdef USE_ALIGNED_ALLOC
-      verify (ABLOCKS_BYTES % BLOCK_ALIGN == 0);
+      static_assert (ABLOCKS_BYTES % BLOCK_ALIGN == 0);
       abase = base = aligned_alloc (BLOCK_ALIGN, ABLOCKS_BYTES);
 #else
       base = malloc (ABLOCKS_BYTES);
@@ -3048,7 +3048,7 @@ enum { VECTOR_BLOCK_SIZE = 4096 };
 enum { roundup_size = COMMON_MULTIPLE (LISP_ALIGNMENT, word_size) };
 
 /* Verify assumption described above.  */
-verify (VECTOR_BLOCK_SIZE % roundup_size == 0);
+static_assert (VECTOR_BLOCK_SIZE % roundup_size == 0);
 
 /* Round up X to nearest mult-of-ROUNDUP_SIZE --- use at compile time.  */
 #define vroundup_ct(x) ROUNDUP (x, roundup_size)
@@ -3062,7 +3062,7 @@ enum {VECTOR_BLOCK_BYTES = VECTOR_BLOCK_SIZE - vroundup_ct (sizeof (void *))};
 /* The current code expects to be able to represent an unused block by
    a single PVEC_FREE object, whose size is limited by the header word.
    (Of course we could use multiple such objects.)  */
-verify (VECTOR_BLOCK_BYTES <= (word_size << PSEUDOVECTOR_REST_BITS));
+static_assert (VECTOR_BLOCK_BYTES <= (word_size << PSEUDOVECTOR_REST_BITS));
 
 /* Size of the minimal vector allocated from block.  */
 
@@ -3319,7 +3319,7 @@ vectorlike_nbytes (const union vectorlike_header *hdr)
 	  ptrdiff_t word_bytes = (bool_vector_words (bv->size)
 				  * sizeof (bits_word));
 	  ptrdiff_t boolvec_bytes = bool_header_size + word_bytes;
-	  verify (header_size <= bool_header_size);
+	  static_assert (header_size <= bool_header_size);
 	  nwords = (boolvec_bytes - header_size + word_size - 1) / word_size;
         }
       else
@@ -3699,7 +3699,7 @@ allocate_pseudovector (int memlen, int lisplen,
   /* Catch bogus values.  */
   enum { size_max = (1 << PSEUDOVECTOR_SIZE_BITS) - 1 };
   enum { rest_max = (1 << PSEUDOVECTOR_REST_BITS) - 1 };
-  verify (size_max + rest_max <= VECTOR_ELTS_MAX);
+  static_assert (size_max + rest_max <= VECTOR_ELTS_MAX);
   eassert (0 <= tag && tag <= PVEC_TAG_MAX);
   eassert (0 <= lisplen && lisplen <= zerolen && zerolen <= memlen);
   eassert (lisplen <= size_max);

src/android.c

@@ -2969,7 +2969,7 @@ android_globalize_reference (jobject handle)
   (*android_java_env)->SetLongField (android_java_env, global,
 				     handle_class.handle,
 				     (jlong) global);
-  verify (sizeof (jlong) >= sizeof (intptr_t));
+  static_assert (sizeof (jlong) >= sizeof (intptr_t));
   return (intptr_t) global;
 }
 
@@ -3521,7 +3521,7 @@ android_set_dashes (struct android_gc *gc, int dash_offset,
       /* Copy the list of segments into both arrays.  */
       for (i = 0; i < n; ++i)
 	gc->dashes[i] = dash_list[i];
-      verify (sizeof (int) == sizeof (jint));
+      static_assert (sizeof (int) == sizeof (jint));
       (*android_java_env)->SetIntArrayRegion (android_java_env,
 					      array, 0, n,
 					      (jint *) dash_list);

src/android.h

@@ -103,7 +103,7 @@ extern ssize_t android_readlinkat (int, const char *restrict, char *restrict,
 extern double android_pixel_density_x, android_pixel_density_y;
 extern double android_scaled_pixel_density;
 
-verify (sizeof (android_handle) == sizeof (jobject));
+static_assert (sizeof (android_handle) == sizeof (jobject));
 #define android_resolve_handle(handle) ((jobject) (handle))
 
 extern unsigned char *android_lock_bitmap (android_drawable,

src/androidfont.c

@@ -654,7 +654,7 @@ androidfont_draw (struct glyph_string *s, int from, int to,
   /* Maybe initialize the font driver.  */
   androidfont_check_init ();
 
-  verify (sizeof (unsigned int) == sizeof (jint));
+  static_assert (sizeof (unsigned int) == sizeof (jint));
   info = (struct androidfont_info *) s->font;
 
   gcontext = android_resolve_handle (s->gc->gcontext);
@@ -932,7 +932,7 @@ androidfont_text_extents (struct font *font, const unsigned int *code,
       memory_full (0);
     }
 
-  verify (sizeof (unsigned int) == sizeof (jint));
+  static_assert (sizeof (unsigned int) == sizeof (jint));
 
   /* Always true on every Android device.  */
   (*android_java_env)->SetIntArrayRegion (android_java_env,

src/androidvfs.c

@@ -259,7 +259,7 @@ struct android_special_vnode
   Lisp_Object special_coding_system;
 };
 
-verify (NIL_IS_ZERO); /* special_coding_system above.  */
+static_assert (NIL_IS_ZERO); /* special_coding_system above.  */
 
 enum android_vnode_type
   {

src/bidi.c

@@ -566,7 +566,7 @@ bidi_copy_it (struct bidi_it *to, struct bidi_it *from)
    RTL characters in the offending line of text.  */
 /* Do we need to allow customization of this limit?  */
 #define BIDI_CACHE_MAX_ELTS_PER_SLOT 50000
-verify (BIDI_CACHE_CHUNK < BIDI_CACHE_MAX_ELTS_PER_SLOT);
+static_assert (BIDI_CACHE_CHUNK < BIDI_CACHE_MAX_ELTS_PER_SLOT);
 static ptrdiff_t bidi_cache_max_elts = BIDI_CACHE_MAX_ELTS_PER_SLOT;
 static struct bidi_it *bidi_cache;
 static ptrdiff_t bidi_cache_size = 0;
@@ -2626,7 +2626,7 @@ bidi_find_bracket_pairs (struct bidi_it *bidi_it)
       ptrdiff_t pairing_pos;
       int idx_at_entry = bidi_cache_idx;
 
-      verify (MAX_BPA_STACK >= 100);
+      static_assert (MAX_BPA_STACK >= 100);
       bidi_copy_it (&saved_it, bidi_it);
       /* bidi_cache_iterator_state refuses to cache on backward scans,
 	 and bidi_cache_fetch_state doesn't bring scan_dir from the

src/buffer.c

@@ -27,8 +27,6 @@ along with GNU Emacs.  If not, see <https://www.gnu.org/licenses/>.  */
 #include <stdlib.h>
 #include <unistd.h>
 
-#include <verify.h>
-
 #include "lisp.h"
 #include "intervals.h"
 #include "process.h"
@@ -4860,7 +4858,7 @@ init_buffer_once (void)
      The local flag bits are in the local_var_flags slot of the buffer.  */
 
   /* Nothing can work if this isn't true.  */
-  { verify (sizeof (EMACS_INT) == word_size); }
+  { static_assert (sizeof (EMACS_INT) == word_size); }
 
   Vbuffer_alist = Qnil;
   current_buffer = 0;

src/casefiddle.c

@@ -285,7 +285,7 @@ do_casify_multibyte_string (struct casing_context *ctx, Lisp_Object obj)
      representation of the character is at the beginning of the
      buffer.  This is why we don’t need a separate struct
      casing_str_buf object, and can write directly to the destination.  */
-  verify (offsetof (struct casing_str_buf, data) == 0);
+  static_assert (offsetof (struct casing_str_buf, data) == 0);
 
   ptrdiff_t size = SCHARS (obj), n;
   USE_SAFE_ALLOCA;

src/character.h

@@ -23,7 +23,6 @@ along with GNU Emacs.  If not, see <https://www.gnu.org/licenses/>.  */
 #ifndef EMACS_CHARACTER_H
 #define EMACS_CHARACTER_H
 
-#include <verify.h>
 #include "lisp.h"
 
 INLINE_HEADER_BEGIN

src/decompress.c

@@ -27,8 +27,6 @@ along with GNU Emacs.  If not, see <https://www.gnu.org/licenses/>.  */
 #include "composite.h"
 #include "md5.h"
 
-#include <verify.h>
-
 #ifdef WINDOWSNT
 # include <windows.h>
 # include "w32common.h"

src/dispnew.c

@@ -4667,7 +4667,7 @@ scrolling_window (struct window *w, int tab_line_p)
      13, then next_almost_prime_increment_max would be 14, e.g.,
      because next_almost_prime (113) would be 127.  */
   {
-    verify (NEXT_ALMOST_PRIME_LIMIT == 11);
+    static_assert (NEXT_ALMOST_PRIME_LIMIT == 11);
     enum { next_almost_prime_increment_max = 10 };
     ptrdiff_t row_table_max =
       (min (PTRDIFF_MAX, SIZE_MAX) / (3 * sizeof *row_table)
@@ -5118,8 +5118,8 @@ scrolling (struct frame *frame)
   int free_at_end_vpos = height;
   struct glyph_matrix *current_matrix = frame->current_matrix;
   struct glyph_matrix *desired_matrix = frame->desired_matrix;
-  verify (sizeof (int) <= sizeof (unsigned));
-  verify (alignof (unsigned) % alignof (int) == 0);
+  static_assert (sizeof (int) <= sizeof (unsigned));
+  static_assert (alignof (unsigned) % alignof (int) == 0);
   unsigned *old_hash;
   USE_SAFE_ALLOCA;
   SAFE_NALLOCA (old_hash, 4, height);

src/editfns.c

@@ -46,7 +46,6 @@ along with GNU Emacs.  If not, see <https://www.gnu.org/licenses/>.  */
 #include <c-ctype.h>
 #include <intprops.h>
 #include <stdlib.h>
-#include <verify.h>
 
 #include "composite.h"
 #include "intervals.h"
@@ -3408,7 +3407,7 @@ styled_format (ptrdiff_t nargs, Lisp_Object *args, bool message)
    SPRINTF_BUFSIZE = (sizeof "-." + (LDBL_MAX_10_EXP + 1)
 		      + USEFUL_PRECISION_MAX)
   };
-  verify (USEFUL_PRECISION_MAX > 0);
+  static_assert (USEFUL_PRECISION_MAX > 0);
 
   ptrdiff_t n;		/* The number of the next arg to substitute.  */
   char initial_buffer[1000 + SPRINTF_BUFSIZE];

src/emacs-module.c

@@ -94,7 +94,6 @@ To add a new module function, proceed as follows:
 #include "thread.h"
 
 #include <intprops.h>
-#include <verify.h>
 
 /* We use different strategies for allocating the user-visible objects
    (struct emacs_runtime, emacs_env, emacs_value), depending on
@@ -1034,10 +1033,10 @@ import/export overhead on most platforms.
 
 /* Verify that emacs_limb_t indeed has unique object
    representations.  */
-verify (CHAR_BIT == 8);
-verify ((sizeof (emacs_limb_t) == 4 && EMACS_LIMB_MAX == 0xFFFFFFFF)
-        || (sizeof (emacs_limb_t) == 8
-            && EMACS_LIMB_MAX == 0xFFFFFFFFFFFFFFFF));
+static_assert (CHAR_BIT == 8);
+static_assert ((sizeof (emacs_limb_t) == 4 && EMACS_LIMB_MAX == 0xFFFFFFFF)
+	       || (sizeof (emacs_limb_t) == 8
+		   && EMACS_LIMB_MAX == 0xFFFFFFFFFFFFFFFF));
 
 static bool
 module_extract_big_integer (emacs_env *env, emacs_value arg, int *sign,
@@ -1084,7 +1083,7 @@ module_extract_big_integer (emacs_env *env, emacs_value arg, int *sign,
          suffice.  */
       EMACS_UINT u;
       enum { required = (sizeof u + size - 1) / size };
-      verify (0 < required && +required <= module_bignum_count_max);
+      static_assert (0 < required && +required <= module_bignum_count_max);
       if (magnitude == NULL)
         {
           *count = required;
@@ -1104,7 +1103,7 @@ module_extract_big_integer (emacs_env *env, emacs_value arg, int *sign,
         u = (EMACS_UINT) x;
       else
         u = -(EMACS_UINT) x;
-      verify (required * bits < PTRDIFF_MAX);
+      static_assert (required * bits < PTRDIFF_MAX);
       for (ptrdiff_t i = 0; i < required; ++i)
         magnitude[i] = (emacs_limb_t) (u >> (i * bits));
       MODULE_INTERNAL_CLEANUP ();

src/eval.c

@@ -1252,7 +1252,7 @@ usage: (catch TAG BODY...)  */)
    eassert (E) when E contains variables that might be clobbered by a
    longjmp.  */
 
-#define clobbered_eassert(E) verify (sizeof (E) != 0)
+#define clobbered_eassert(E) static_assert (sizeof (E) != 0)
 
 void
 pop_handler (void)

src/fileio.c

@@ -3906,7 +3906,7 @@ union read_non_regular
   } s;
   GCALIGNED_UNION_MEMBER
 };
-verify (GCALIGNED (union read_non_regular));
+static_assert (GCALIGNED (union read_non_regular));
 
 static Lisp_Object
 read_non_regular (Lisp_Object state)
@@ -6316,7 +6316,7 @@ A non-nil CURRENT-ONLY argument means save only current buffer.  */)
 	      continue;
 
 	    enum { growth_factor = 4 };
-	    verify (BUF_BYTES_MAX <= EMACS_INT_MAX / growth_factor);
+	    static_assert (BUF_BYTES_MAX <= EMACS_INT_MAX / growth_factor);
 
 	    set_buffer_internal (b);
 	    if (NILP (Vauto_save_include_big_deletions)

src/fns.c

@@ -4631,7 +4631,7 @@ check_hash_table (Lisp_Object obj)
 EMACS_INT
 next_almost_prime (EMACS_INT n)
 {
-  verify (NEXT_ALMOST_PRIME_LIMIT == 11);
+  static_assert (NEXT_ALMOST_PRIME_LIMIT == 11);
   for (n |= 1; ; n += 2)
     if (n % 3 != 0 && n % 5 != 0 && n % 7 != 0)
       return n;
@@ -5367,7 +5367,7 @@ hash_string (char const *ptr, ptrdiff_t len)
       /* String is shorter than an EMACS_UINT.  Use smaller loads.  */
       eassume (p <= end && end - p < sizeof (EMACS_UINT));
       EMACS_UINT tail = 0;
-      verify (sizeof tail <= 8);
+      static_assert (sizeof tail <= 8);
 #if EMACS_INT_MAX > INT32_MAX
       if (end - p >= 4)
 	{

src/fringe.c

@@ -1813,7 +1813,7 @@ init_fringe (void)
 
   fringe_bitmaps = xzalloc (max_fringe_bitmaps * sizeof *fringe_bitmaps);
 
-  verify (NIL_IS_ZERO);
+  static_assert (NIL_IS_ZERO);
   fringe_faces = xzalloc (max_fringe_bitmaps * sizeof *fringe_faces);
 }
 

src/keyboard.h

@@ -497,8 +497,8 @@ INLINE void
 kbd_buffer_store_event_hold (struct input_event *event,
 			     struct input_event *hold_quit)
 {
-  verify (alignof (struct input_event) == alignof (union buffered_input_event)
-	  && sizeof (struct input_event) == sizeof (union buffered_input_event));
+  static_assert (alignof (struct input_event) == alignof (union buffered_input_event)
+		 && sizeof (struct input_event) == sizeof (union buffered_input_event));
   kbd_buffer_store_buffered_event ((union buffered_input_event *) event,
 				   hold_quit);
 }

src/keymap.c

@@ -518,7 +518,7 @@ union map_keymap
   } s;
   GCALIGNED_UNION_MEMBER
 };
-verify (GCALIGNED (union map_keymap));
+static_assert (GCALIGNED (union map_keymap));
 
 static void
 map_keymap_char_table_item (Lisp_Object args, Lisp_Object key, Lisp_Object val)

src/lisp.h

@@ -140,7 +140,7 @@ typedef unsigned char bits_word;
 # define BITS_WORD_MAX ((1u << BOOL_VECTOR_BITS_PER_CHAR) - 1)
 enum { BITS_PER_BITS_WORD = BOOL_VECTOR_BITS_PER_CHAR };
 #endif
-verify (BITS_WORD_MAX >> (BITS_PER_BITS_WORD - 1) == 1);
+static_assert (BITS_WORD_MAX >> (BITS_PER_BITS_WORD - 1) == 1);
 
 /* Use pD to format ptrdiff_t values, which suffice for indexes into
    buffers and strings.  Emacs never allocates objects larger than
@@ -281,14 +281,14 @@ DEFINE_GDB_SYMBOL_END (VALMASK)
    emacs_align_type union in alloc.c.
 
    Although these macros are reasonably portable, they are not
-   guaranteed on non-GCC platforms, as the C standard does not require support
-   for alignment to GCALIGNMENT and older compilers may ignore
-   alignment requests.  For any type T where garbage collection
-   requires alignment, use verify (GCALIGNED (T)) to verify the
-   requirement on the current platform.  Types need this check if
-   their objects can be allocated outside the garbage collector.  For
-   example, struct Lisp_Symbol needs the check because of lispsym and
-   struct Lisp_Cons needs it because of STACK_CONS.  */
+   guaranteed on non-GCC platforms, as the C standard does not require
+   support for alignment to GCALIGNMENT and older compilers may ignore
+   alignment requests.  For any type T where garbage collection requires
+   alignment, use static_assert (GCALIGNED (T)) to verify the
+   requirement on the current platform.  Types need this check if their
+   objects can be allocated outside the garbage collector.  For example,
+   struct Lisp_Symbol needs the check because of lispsym and struct
+   Lisp_Cons needs it because of STACK_CONS.  */
 
 #define GCALIGNED_UNION_MEMBER char alignas (GCALIGNMENT) gcaligned;
 #if HAVE_STRUCT_ATTRIBUTE_ALIGNED
@@ -865,7 +865,7 @@ struct Lisp_Symbol
     GCALIGNED_UNION_MEMBER
   } u;
 };
-verify (GCALIGNED (struct Lisp_Symbol));
+static_assert (GCALIGNED (struct Lisp_Symbol));
 
 /* Declare a Lisp-callable function.  The MAXARGS parameter has the same
    meaning as in the DEFUN macro, and is used to construct a prototype.  */
@@ -1480,7 +1480,7 @@ struct Lisp_Cons
     GCALIGNED_UNION_MEMBER
   } u;
 };
-verify (GCALIGNED (struct Lisp_Cons));
+static_assert (GCALIGNED (struct Lisp_Cons));
 
 INLINE bool
 (NILP) (Lisp_Object x)
@@ -1610,7 +1610,7 @@ struct Lisp_String
     GCALIGNED_UNION_MEMBER
   } u;
 };
-verify (GCALIGNED (struct Lisp_String));
+static_assert (GCALIGNED (struct Lisp_String));
 
 INLINE bool
 STRINGP (Lisp_Object x)
@@ -2025,10 +2025,11 @@ gc_aset (Lisp_Object array, ptrdiff_t idx, Lisp_Object val)
 }
 
 /* True, since Qnil's representation is zero.  Every place in the code
-   that assumes Qnil is zero should verify (NIL_IS_ZERO), to make it easy
-   to find such assumptions later if we change Qnil to be nonzero.
-   Test iQnil and Lisp_Symbol instead of Qnil directly, since the latter
-   is not suitable for use in an integer constant expression.  */
+   that assumes Qnil is zero should static_assert (NIL_IS_ZERO), to make
+   it easy to find such assumptions later if we change Qnil to be
+   nonzero.  Test iQnil and Lisp_Symbol instead of Qnil directly, since
+   the latter is not suitable for use in an integer constant
+   expression.  */
 enum { NIL_IS_ZERO = iQnil == 0 && Lisp_Symbol == 0 };
 
 /* Clear the object addressed by P, with size NBYTES, so that all its
@@ -2037,7 +2038,7 @@ INLINE void
 memclear (void *p, ptrdiff_t nbytes)
 {
   eassert (0 <= nbytes);
-  verify (NIL_IS_ZERO);
+  static_assert (NIL_IS_ZERO);
   /* Since Qnil is zero, memset suffices.  */
   memset (p, 0, nbytes);
 }
@@ -2240,7 +2241,7 @@ union Aligned_Lisp_Subr
     struct Lisp_Subr s;
     GCALIGNED_UNION_MEMBER
   };
-verify (GCALIGNED (union Aligned_Lisp_Subr));
+static_assert (GCALIGNED (union Aligned_Lisp_Subr));
 
 INLINE bool
 SUBRP (Lisp_Object a)
@@ -2281,11 +2282,11 @@ enum char_table_specials
   };
 
 /* Sanity-check pseudovector layout.  */
-verify (offsetof (struct Lisp_Char_Table, defalt) == header_size);
-verify (offsetof (struct Lisp_Char_Table, extras)
-	== header_size + CHAR_TABLE_STANDARD_SLOTS * sizeof (Lisp_Object));
-verify (offsetof (struct Lisp_Sub_Char_Table, contents)
-	== header_size + SUB_CHAR_TABLE_OFFSET * sizeof (Lisp_Object));
+static_assert (offsetof (struct Lisp_Char_Table, defalt) == header_size);
+static_assert (offsetof (struct Lisp_Char_Table, extras)
+	       == header_size + CHAR_TABLE_STANDARD_SLOTS * sizeof (Lisp_Object));
+static_assert (offsetof (struct Lisp_Sub_Char_Table, contents)
+	       == header_size + SUB_CHAR_TABLE_OFFSET * sizeof (Lisp_Object));
 
 /* Return the number of "extra" slots in the char table CT.  */
 
@@ -2819,7 +2820,7 @@ SXHASH_REDUCE (EMACS_UINT x)
 INLINE hash_hash_t
 reduce_emacs_uint_to_hash_hash (EMACS_UINT x)
 {
-  verify (sizeof x <= 2 * sizeof (hash_hash_t));
+  static_assert (sizeof x <= 2 * sizeof (hash_hash_t));
   return (sizeof x == sizeof (hash_hash_t)
 	  ? x
 	  : x ^ (x >> (8 * (sizeof x - sizeof (hash_hash_t)))));
@@ -3214,7 +3215,7 @@ struct Lisp_Float
       GCALIGNED_UNION_MEMBER
     } u;
   };
-verify (GCALIGNED (struct Lisp_Float));
+static_assert (GCALIGNED (struct Lisp_Float));
 
 INLINE bool
 (FLOATP) (Lisp_Object x)
@@ -4201,7 +4202,7 @@ modiff_incr (modiff_count *a, ptrdiff_t len)
   /* Increase the counter more for a large modification and less for a
      small modification.  Increase it logarithmically to avoid
      increasing it too much.  */
-  verify (PTRDIFF_MAX <= ULLONG_MAX);
+  static_assert (PTRDIFF_MAX <= ULLONG_MAX);
   int incr = len == 0 ? 1 : elogb (len) + 1;
   bool modiff_overflow = ckd_add (a, a0, incr);
   eassert (!modiff_overflow && *a >> 30 >> 30 == 0);
@@ -4346,7 +4347,7 @@ extern void tim_sort (Lisp_Object, Lisp_Object, Lisp_Object *, const ptrdiff_t,
   ARG_NONNULL ((3));
 
 /* Defined in floatfns.c.  */
-verify (FLT_RADIX == 2 || FLT_RADIX == 16);
+static_assert (FLT_RADIX == 2 || FLT_RADIX == 16);
 enum { LOG2_FLT_RADIX = FLT_RADIX == 2 ? 1 : 4 };
 int double_integer_scale (double);
 #ifndef HAVE_TRUNC

src/lread.c

@@ -3649,7 +3649,7 @@ skip_lazy_string (Lisp_Object readcharfun)
 	 and record where in the file it comes from.  */
 
       /* First exchange the two saved_strings.  */
-      verify (ARRAYELTS (saved_strings) == 2);
+      static_assert (ARRAYELTS (saved_strings) == 2);
       struct saved_string t = saved_strings[0];
       saved_strings[0] = saved_strings[1];
       saved_strings[1] = t;

src/nsgui.h

@@ -29,8 +29,6 @@ along with GNU Emacs.  If not, see <https://www.gnu.org/licenses/>.  */
 #define Cursor FooFoo
 #endif  /* NS_IMPL_COCOA */
 
-#undef verify
-
 #import <AppKit/AppKit.h>
 
 #ifdef NS_IMPL_COCOA
@@ -44,10 +42,6 @@ along with GNU Emacs.  If not, see <https://www.gnu.org/licenses/>.  */
 
 #endif /* __OBJC__ */
 
-#undef verify
-#undef _GL_VERIFY_H
-#include <verify.h>
-
 /* Emulate XCharStruct.  */
 typedef struct _XCharStruct
 {

src/pdumper.c

@@ -99,11 +99,11 @@ along with GNU Emacs.  If not, see <https://www.gnu.org/licenses/>.  */
    are the same size and have the same layout, and where bytes have
    eight bits --- that is, a general-purpose computer made after 1990.
    Also require Lisp_Object to be at least as wide as pointers.  */
-verify (sizeof (ptrdiff_t) == sizeof (void *));
-verify (sizeof (intptr_t) == sizeof (ptrdiff_t));
-verify (sizeof (void (*) (void)) == sizeof (void *));
-verify (sizeof (ptrdiff_t) <= sizeof (Lisp_Object));
-verify (sizeof (ptrdiff_t) <= sizeof (EMACS_INT));
+static_assert (sizeof (ptrdiff_t) == sizeof (void *));
+static_assert (sizeof (intptr_t) == sizeof (ptrdiff_t));
+static_assert (sizeof (void (*) (void)) == sizeof (void *));
+static_assert (sizeof (ptrdiff_t) <= sizeof (Lisp_Object));
+static_assert (sizeof (ptrdiff_t) <= sizeof (EMACS_INT));
 
 static size_t
 divide_round_up (size_t x, size_t y)
@@ -276,15 +276,15 @@ enum
    DUMP_RELOC_OFFSET_BITS = DUMP_OFF_WIDTH - DUMP_RELOC_TYPE_BITS
   };
 
-verify (RELOC_DUMP_TO_EMACS_LV + 8 < (1 << DUMP_RELOC_TYPE_BITS));
-verify (DUMP_ALIGNMENT >= GCALIGNMENT);
+static_assert (RELOC_DUMP_TO_EMACS_LV + 8 < (1 << DUMP_RELOC_TYPE_BITS));
+static_assert (DUMP_ALIGNMENT >= GCALIGNMENT);
 
 struct dump_reloc
 {
   unsigned int raw_offset : DUMP_RELOC_OFFSET_BITS;
   ENUM_BF (dump_reloc_type) type : DUMP_RELOC_TYPE_BITS;
 };
-verify (sizeof (struct dump_reloc) == sizeof (dump_off));
+static_assert (sizeof (struct dump_reloc) == sizeof (dump_off));
 
 /* Set the type of a dump relocation.
 
@@ -2244,7 +2244,7 @@ dump_bignum (struct dump_context *ctx, Lisp_Object object)
 #endif
   const struct Lisp_Bignum *bignum = XBIGNUM (object);
   START_DUMP_PVEC (ctx, &bignum->header, struct Lisp_Bignum, out);
-  verify (sizeof (out->value) >= sizeof (struct bignum_reload_info));
+  static_assert (sizeof (out->value) >= sizeof (struct bignum_reload_info));
   dump_field_fixup_later (ctx, out, bignum, xbignum_val (object));
   dump_off bignum_offset = finish_dump_pvec (ctx, &out->header);
   if (ctx->flags.dump_object_contents)
@@ -4248,11 +4248,11 @@ types.  */)
                         O_RDWR | O_TRUNC | O_CREAT, 0666);
   if (ctx->fd < 0)
     report_file_error ("Opening dump output", filename);
-  verify (sizeof (ctx->header.magic) == sizeof (dump_magic));
+  static_assert (sizeof (ctx->header.magic) == sizeof (dump_magic));
   memcpy (&ctx->header.magic, dump_magic, sizeof (dump_magic));
   ctx->header.magic[0] = '!'; /* Note that dump is incomplete.  */
 
-  verify (sizeof (fingerprint) == sizeof (ctx->header.fingerprint));
+  static_assert (sizeof (fingerprint) == sizeof (ctx->header.fingerprint));
   for (int i = 0; i < sizeof fingerprint; i++)
     ctx->header.fingerprint[i] = fingerprint[i];
 
@@ -5522,7 +5522,7 @@ dump_do_dump_relocation (const uintptr_t dump_base,
       {
         struct Lisp_Bignum *bignum = dump_ptr (dump_base, reloc_offset);
         struct bignum_reload_info reload_info;
-        verify (sizeof (reload_info) <= sizeof (*bignum_val (bignum)));
+	static_assert (sizeof (reload_info) <= sizeof (*bignum_val (bignum)));
         memcpy (&reload_info, bignum_val (bignum), sizeof (reload_info));
         const mp_limb_t *limbs =
           dump_ptr (dump_base, reload_info.data_location);
@@ -5713,7 +5713,7 @@ pdumper_load (const char *dump_filename, char *argv0)
     }
 
   err = PDUMPER_LOAD_VERSION_MISMATCH;
-  verify (sizeof (header->fingerprint) == sizeof (fingerprint));
+  static_assert (sizeof (header->fingerprint) == sizeof (fingerprint));
   unsigned char desired[sizeof fingerprint];
   for (int i = 0; i < sizeof fingerprint; i++)
     desired[i] = fingerprint[i];

src/process.c

@@ -95,7 +95,6 @@ static struct rlimit nofile_limit;
 #include <flexmember.h>
 #include <nproc.h>
 #include <sig2str.h>
-#include <verify.h>
 
 #endif	/* subprocesses */
 
@@ -922,7 +921,7 @@ make_process (Lisp_Object name)
     p->open_fd[i] = -1;
 
 #ifdef HAVE_GNUTLS
-  verify (GNUTLS_STAGE_EMPTY == 0);
+  static_assert (GNUTLS_STAGE_EMPTY == 0);
   eassert (p->gnutls_initstage == GNUTLS_STAGE_EMPTY);
   eassert (NILP (p->gnutls_boot_parameters));
 #endif
@@ -1913,7 +1912,7 @@ usage: (make-process &rest ARGS)  */)
 
 #ifdef HAVE_GNUTLS
   /* AKA GNUTLS_INITSTAGE(proc).  */
-  verify (GNUTLS_STAGE_EMPTY == 0);
+  static_assert (GNUTLS_STAGE_EMPTY == 0);
   eassert (XPROCESS (proc)->gnutls_initstage == GNUTLS_STAGE_EMPTY);
   eassert (NILP (XPROCESS (proc)->gnutls_cred_type));
 #endif
@@ -2143,7 +2142,7 @@ enum
     EXEC_MONITOR_OUTPUT
   };
 
-verify (PROCESS_OPEN_FDS == EXEC_MONITOR_OUTPUT + 1);
+static_assert (PROCESS_OPEN_FDS == EXEC_MONITOR_OUTPUT + 1);
 
 static void
 create_process (Lisp_Object process, char **new_argv, Lisp_Object current_dir)
@@ -3540,9 +3539,9 @@ connect_network_socket (Lisp_Object proc, Lisp_Object addrinfos,
 		 structures, but the standards don't guarantee that,
 		 so verify it here.  */
 	      struct sockaddr_in6 sa6;
-	      verify ((offsetof (struct sockaddr_in, sin_port)
-		       == offsetof (struct sockaddr_in6, sin6_port))
-		      && sizeof (sa1.sin_port) == sizeof (sa6.sin6_port));
+	      static_assert ((offsetof (struct sockaddr_in, sin_port)
+			      == offsetof (struct sockaddr_in6, sin6_port))
+			     && sizeof (sa1.sin_port) == sizeof (sa6.sin6_port));
 #endif
 	      DECLARE_POINTER_ALIAS (psa1, struct sockaddr, &sa1);
 	      if (getsockname (s, psa1, &len1) == 0)

src/regex-emacs.c

@@ -1290,7 +1290,7 @@ typedef int regnum_t;
 /* Macros for the compile stack.  */
 
 typedef long pattern_offset_t;
-verify (LONG_MIN <= -(MAX_BUF_SIZE - 1) && MAX_BUF_SIZE - 1 <= LONG_MAX);
+static_assert (LONG_MIN <= -(MAX_BUF_SIZE - 1) && MAX_BUF_SIZE - 1 <= LONG_MAX);
 
 typedef struct
 {

src/sort.c

@@ -1113,7 +1113,7 @@ tim_sort (Lisp_Object predicate, Lisp_Object keyfunc,
 	{
 	  /* Fill with valid Lisp values in case a GC occurs before all
 	     keys have been computed.  */
-	  verify (NIL_IS_ZERO);
+	  static_assert (NIL_IS_ZERO);
 	  keys = allocated_keys = xzalloc (length * word_size);
 	}
 

src/sysdep.c

@@ -2248,7 +2248,7 @@ init_random (void)
   /* FIXME: Perhaps getrandom can be used here too?  */
   success = w32_init_random (&v, sizeof v) == 0;
 #else
-  verify (sizeof v <= 256);
+  static_assert (sizeof v <= 256);
   success = getrandom (&v, sizeof v, 0) == sizeof v;
 #endif
 
@@ -2742,16 +2742,16 @@ emacs_fchmodat (int fd, const char *path, mode_t mode, int flags)
 #ifndef SSIZE_MAX
 # define SSIZE_MAX TYPE_MAXIMUM (ssize_t)
 #endif
-verify (MAX_RW_COUNT <= PTRDIFF_MAX);
-verify (MAX_RW_COUNT <= SIZE_MAX);
-verify (MAX_RW_COUNT <= SSIZE_MAX);
+static_assert (MAX_RW_COUNT <= PTRDIFF_MAX);
+static_assert (MAX_RW_COUNT <= SIZE_MAX);
+static_assert (MAX_RW_COUNT <= SSIZE_MAX);
 
 #ifdef WINDOWSNT
 /* Verify that Emacs read requests cannot cause trouble, even in
    64-bit builds.  The last argument of 'read' is 'unsigned int', and
    the return value's type (see 'sys_read') is 'int'.  */
-verify (MAX_RW_COUNT <= INT_MAX);
-verify (MAX_RW_COUNT <= UINT_MAX);
+static_assert (MAX_RW_COUNT <= INT_MAX);
+static_assert (MAX_RW_COUNT <= UINT_MAX);
 #endif
 
 /* Read from FD to a buffer BUF with size NBYTE.

src/thread.c

@@ -43,7 +43,7 @@ union aligned_thread_state
   struct thread_state s;
   GCALIGNED_UNION_MEMBER
 };
-verify (GCALIGNED (union aligned_thread_state));
+static_assert (GCALIGNED (union aligned_thread_state));
 
 static union aligned_thread_state main_thread
   = {{

src/timefns.c

@@ -105,7 +105,7 @@ trillion_factor (Lisp_Object hz)
       if (!FIXNUM_OVERFLOW_P (TRILLION))
 	return false;
     }
-  verify (TRILLION <= INTMAX_MAX);
+  static_assert (TRILLION <= INTMAX_MAX);
   intmax_t ihz;
   return integer_to_intmax (hz, &ihz) && TRILLION % ihz == 0;
 }

src/unexelf.c

@@ -181,10 +181,9 @@ typedef struct {
 /* The code often converts ElfW (Half) values like e_shentsize to ptrdiff_t;
    check that this doesn't lose information.  */
 #include <intprops.h>
-#include <verify.h>
-verify ((! TYPE_SIGNED (ElfW (Half))
-	 || PTRDIFF_MIN <= TYPE_MINIMUM (ElfW (Half)))
-	&& TYPE_MAXIMUM (ElfW (Half)) <= PTRDIFF_MAX);
+static_assert ((! TYPE_SIGNED (ElfW (Half))
+		|| PTRDIFF_MIN <= TYPE_MINIMUM (ElfW (Half)))
+	       && TYPE_MAXIMUM (ElfW (Half)) <= PTRDIFF_MAX);
 
 #ifdef UNEXELF_DEBUG
 # define DEBUG_LOG(expr) fprintf (stderr, #expr " 0x%"PRIxMAX"\n", \

src/xterm.c

@@ -15585,7 +15585,7 @@ x_send_scroll_bar_event (Lisp_Object window, enum scroll_bar_part part,
   XClientMessageEvent *ev = &event.xclient;
   struct window *w = XWINDOW (window);
   struct frame *f = XFRAME (w->frame);
-  verify (INTPTR_WIDTH <= 64);
+  static_assert (INTPTR_WIDTH <= 64);
 
   /* Don't do anything if too many scroll bar events have been
      sent but not received.  */