Rust piece on integer safety
Laeeth Isharc via Digitalmars-d-learn
digitalmars-d-learn at puremagic.com
Sat Apr 30 16:11:20 PDT 2016
All the design/discussion/implementation of this scheme for
handling integer overflow would be wasted if it didn't actually
find any bugs in practice. I personally have had quite a few bugs
found nearly as I write them, with expressions like
`cmp::max(x - y, z)` (they never hit the internet, so no links
for them), especially when combined with testing infrastructure
like quickcheck.
The overflow checks have found bugs throughout the ecosystem;
for instance (not exhaustive!):
- the standard library
- the compiler
- the built-in benchmark harness
- Servo
- image
- url
- webrender
Beyond Rust, there’s a lot of evidence for the dangers of integer
overflow and desire for detecting/protecting against them. It was
on the CWE/SANS list of top 25 errors in 2011, languages like
Swift will unconditionally check for overflow, and others like
Python 3 and Haskell will avoid overflow entirely by default, via
arbitrary precision integers. Furthermore, in C, several
compilers have options to both make signed overflow defined as
two’s complement wrapping (-fwrapv) and to catch it when it does
happen (-fsanitize=signed-integer-overflow).
http://huonw.github.io/blog/2016/04/myths-and-legends-about-integer-overflow-in-rust/
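The `cmp::max(x - y, z)` pattern quoted above is worth seeing in runnable form, so here is an added example (not code from the blog post or from the Rust project). It assumes unsigned `u32` operands and uses `wrapping_sub` to reproduce the release-build wraparound deterministically, then shows the explicit `overflowing_sub` / `checked_sub` / `saturating_sub` alternatives and a dependency-free property check in the spirit of the quickcheck runs mentioned in the post:

```rust
use std::cmp;

/// The expression from the post, `cmp::max(x - y, z)`, on unsigned integers.
/// When x < y the subtraction underflows. A debug build of Rust panics with
/// "attempt to subtract with overflow"; a release build wraps, so the huge
/// wrapped value wins the max() and the bug becomes silent. `wrapping_sub`
/// is used here so the release-mode outcome is reproducible in any build.
pub fn clamped_diff_wrapping(x: u32, y: u32, z: u32) -> u32 {
    cmp::max(x.wrapping_sub(y), z)
}

/// Same computation with the overflow surfaced as data: `overflowing_sub`
/// returns the wrapped result plus an "it overflowed" flag in every build mode.
pub fn clamped_diff_flagged(x: u32, y: u32, z: u32) -> (u32, bool) {
    let (d, overflowed) = x.overflowing_sub(y);
    (cmp::max(d, z), overflowed)
}

/// Explicit handling: `checked_sub` yields None on underflow, so the caller
/// must decide what an impossible difference means instead of inheriting a
/// wrapped value.
pub fn clamped_diff_checked(x: u32, y: u32, z: u32) -> Option<u32> {
    x.checked_sub(y).map(|d| cmp::max(d, z))
}

/// Where "x - y below zero" legitimately means zero, `saturating_sub`
/// states that policy in the code rather than leaving it to build flags.
pub fn clamped_diff_saturating(x: u32, y: u32, z: u32) -> u32 {
    cmp::max(x.saturating_sub(y), z)
}

/// Exhaustive property check over a small input cube (no external crate,
/// a hypothetical stand-in for quickcheck): the wrapping version must agree
/// with the checked one exactly when no underflow occurred, and every
/// disagreement must be an underflow whose wrapped answer exceeds x.
/// Returns (cases checked, silent wrong answers found). `limit` must be
/// small (well below 2^31) for the "exceeds x" invariant to hold.
pub fn audit(limit: u32) -> (usize, usize) {
    let mut cases = 0;
    let mut silent_bugs = 0;
    for x in 0..limit {
        for y in 0..limit {
            for z in 0..limit {
                cases += 1;
                let wrapped = clamped_diff_wrapping(x, y, z);
                match clamped_diff_checked(x, y, z) {
                    Some(ok) => assert_eq!(ok, wrapped),
                    None => {
                        // Underflow: 2^32 - (y - x) dwarfs both x and z,
                        // so max() silently returns the garbage value.
                        assert!(wrapped > x);
                        silent_bugs += 1;
                    }
                }
            }
        }
    }
    (cases, silent_bugs)
}

fn main() {
    // Constructed inputs: x < y triggers the underflow case.
    let (x, y, z) = (3u32, 5u32, 1u32);
    println!("wrapping:   {}", clamped_diff_wrapping(x, y, z));
    println!("flagged:    {:?}", clamped_diff_flagged(x, y, z));
    println!("checked:    {:?}", clamped_diff_checked(x, y, z));
    println!("saturating: {}", clamped_diff_saturating(x, y, z));
    let (cases, bugs) = audit(8);
    println!("audited {} cases, {} silent wrong answers", cases, bugs);
}
```

The point the audit makes is the one the post argues: the wrapped result is not a slightly wrong number but a value near `u32::MAX`, so whatever `max()` was guarding (a buffer length, an index bound) is now unbounded, and only an overflow check, a checked method, or a property test over adversarial inputs catches it.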