From 6ee81c0f1507c91d7030513f1a5411b282cd71a1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Henrik=20H=C3=B8rl=C3=BCck=20Berg?=
 <36937807+henrikhorluck@users.noreply.github.com>
Date: Fri, 15 Sep 2023 14:46:53 +0200
Subject: [PATCH] Crash if invariant is broken

---
 fish-rust/src/complete.rs | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/fish-rust/src/complete.rs b/fish-rust/src/complete.rs
index 8d9b846d3..ea149c9a7 100644
--- a/fish-rust/src/complete.rs
+++ b/fish-rust/src/complete.rs
@@ -174,8 +174,10 @@ impl CompletionReceiver {
     /// \return a new, empty receiver whose limit is our remaining capacity.
     /// This is useful for e.g. recursive calls when you want to act on the result before adding it.
     pub fn subreceiver(&self) -> Self {
-        // XXX: this should not need to be saturating, we have a faulty invariant
-        let remaining_capacity = self.limit.saturating_sub(self.completions.len());
+        let remaining_capacity = self
+            .limit
+            .checked_sub(self.completions.len())
+            .expect("length should never be larger than limit");
         Self::new(remaining_capacity)
     }
 }