Rust piece on integer safety

Laeeth Isharc via Digitalmars-d-learn digitalmars-d-learn at puremagic.com
Sat Apr 30 16:11:20 PDT 2016


All the design/discussion/implementation of this scheme for 
handling integer overflow would be wasted if it didn’t actually 
find any bugs in practice. I personally have had quite a few bugs 
found nearly as I write them, with expressions like cmp::max(x - 
y, z) (they never hit the internet, so no links for them), 
especially when combined with testing infrastructure like 
quickcheck.

The overflow checks have found bugs through out the ecosystem; 
for instance, (not exhaustive!)

     the standard library
     the compiler
     the built-in benchmark harness
     Servo
     image
     url
     webrender

Beyond Rust, there’s a lot of evidence for the dangers of integer 
overflow and desire for detecting/protecting against them. It was 
on the CWE/SANS list of top 25 errors in 2011, languages like 
Swift will unconditionally check for overflow, and others like 
Python 3 and Haskell will avoid overflow entirely by default, via 
arbitrary precision integers. Furthermore, in C, several 
compilers have options to both make signed overflow defined as 
two’s complement wrapping (-fwrapv) and to catch it when it does 
happen (-fsanitize=signed-integer-overflow).

http://huonw.github.io/blog/2016/04/myths-and-legends-about-integer-overflow-in-rust/



More information about the Digitalmars-d-learn mailing list