> On Jun 23, 2014, at 7:16 PM, John Regehr <reg...@cs.utah.edu> wrote:
>
>> I do think Rust should exposed either `checked { }` or operators for
>> checked arithmetic along with an opt-in lint to deny the unchecked
>> operators. You can opt-out of a lint for a function/impl/module after
>> opting into it at a higher scope.
>>
>> I'm just making it clear that doing this by default would make Rust
>> slower than Java by default, and I think that would kill off interest in
>> the language. I know I wouldn't be interested anymore.
>
> Sure, I think there are a lot of reasonable options here, and I agree that
> speed and predictability are super important for Rust.
>
> One thing I personally think is very important (not for 1.0, but eventually)
> is to make it possible -- no need for this to be mandatory -- to get overflow
> checking for the default integer type. I'm happy to use a special compiler
> flag or whatever to get this. The only controversial thing this requires
> from the core language is a way for me to tell the compiler which integers (a
> tiny subset, typically) should have wrapping behavior.
If the compiler option to have integer overflow checking were available, I'm
99% sure that we'd require having it enabled for Servo and all of its
dependencies. We would probably only relax that requirement within the
equivalent of an `unsafe` block where the performance had shown up as an issue,
leaving it clearly labeled so that we could easily identify any code that
touches it.
> I realize that safe integers are available and that operator overloading goes
> a lot ways towards making these palatable, but the fact is that everyone is
> an optimist when it comes to integer overflow bugs. People just do not think
> they're going to get bitten.
At a quick glance, in Mozilla's bugzilla there were 88 public browser bugs
resolved/verified related to integer overflow issues + 14 currently under
investigation. I don't have access to the tippy-top secret databases of
security vulnerabilities, but I'd be pretty shocked if there weren't a few that
would get past Rust's memory safety model (e.g., because they're passed down to
WebCL, WebRTC libraries, a graphics driver, etc.). A quick glance at the WebKit
bugzilla showed 11 similarly resolved bugs and a couple currently under
investigation.
While that isn't a lot, if I have to choose between the Servo team spending
time casually optimizing corner cases or adding an LLVM pass (in ways we
already know - this isn't "A Sufficiently Smart Compiler"-level hackery here)
vs. handling panicked high-priority security issues in a browser we are trying
to claim is "safe," I'll pick the former every time.
- Lars
_______________________________________________
Rust-dev mailing list
Rust-dev@mozilla.org
https://mail.mozilla.org/listinfo/rust-dev
