Rust piece on integer safety

2016-04-30 Thread Laeeth Isharc via Digitalmars-d-learn
All the design/discussion/implementation of this scheme for 
handling integer overflow would be wasted if it didn’t actually 
find any bugs in practice. I personally have had quite a few bugs 
found nearly as I write them, with expressions like cmp::max(x - 
y, z) (they never hit the internet, so no links for them), 
especially when combined with testing infrastructure like 
quickcheck.


The overflow checks have found bugs throughout the ecosystem; 
for instance, (not exhaustive!)


the standard library
the compiler
the built-in benchmark harness
Servo
image
url
webrender

Beyond Rust, there’s a lot of evidence for the dangers of integer 
overflow and desire for detecting/protecting against them. It was 
on the CWE/SANS list of top 25 errors in 2011, languages like 
Swift will unconditionally check for overflow, and others like 
Python 3 and Haskell will avoid overflow entirely by default, via 
arbitrary precision integers. Furthermore, in C, several 
compilers have options to both make signed overflow defined as 
two’s complement wrapping (-fwrapv) and to catch it when it does 
happen (-fsanitize=signed-integer-overflow).


http://huonw.github.io/blog/2016/04/myths-and-legends-about-integer-overflow-in-rust/
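The `cmp::max(x - y, z)` expression mentioned above, written out as an added example (not code from the blog post or the Rust project) to show why the overflow check fires and what the explicit alternatives look like; the function names and inputs are my own:

```rust
use std::cmp;

/// The expression from the post as written. With unsigned operands and
/// y > x the subtraction underflows; a build with overflow checks on
/// panics ("attempt to subtract with overflow") instead of silently
/// continuing with a huge value.
pub fn naive_max_diff(x: u32, y: u32, z: u32) -> u32 {
    cmp::max(x - y, z)
}

/// Overflow made explicit: `checked_sub` yields None when x - y would
/// underflow, so the caller has to decide what a negative difference means.
pub fn checked_max_diff(x: u32, y: u32, z: u32) -> Option<u32> {
    x.checked_sub(y).map(|d| cmp::max(d, z))
}

/// Saturating variant: clamp a negative difference to 0, which is usually
/// what such an expression intends.
pub fn saturating_max_diff(x: u32, y: u32, z: u32) -> u32 {
    cmp::max(x.saturating_sub(y), z)
}

/// Wrapping variant with the overflow flag reported: mirrors the two's
/// complement result a C build under -fwrapv (or a Rust release build
/// with checks off) would silently produce.
pub fn wrapping_max_diff(x: u32, y: u32, z: u32) -> (u32, bool) {
    let (d, overflowed) = x.overflowing_sub(y);
    (cmp::max(d, z), overflowed)
}

fn main() {
    // Constructed inputs: y > x so the subtraction underflows.
    let (x, y, z) = (3u32, 5u32, 1u32);
    println!("checked:    {:?}", checked_max_diff(x, y, z));
    println!("saturating: {}", saturating_max_diff(x, y, z));
    println!("wrapping:   {:?}", wrapping_max_diff(x, y, z));
    // Overflow checks default to on whenever debug assertions are on, so
    // only call the naive version when they are (by default) off.
    if cfg!(debug_assertions) {
        println!("naive:      skipped (would panic under overflow checks)");
    } else {
        println!("naive:      {}", naive_max_diff(x, y, z));
    }
}
```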



Re: Rust piece on integer safety

2016-04-30 Thread Ed via Digitalmars-d-learn

On Saturday, 30 April 2016 at 23:11:20 UTC, Laeeth Isharc wrote:
> All the design/discussion/implementation of this scheme for 
> handling integer overflow would be wasted if it didn't actually 
> find any bugs in practice. I personally have had quite a few 
> bugs found nearly as I write them, with expressions like 
> cmp::max(x - y, z) (they never hit the internet, so no links 
> for them), especially when combined with testing infrastructure 
> like quickcheck.
> 
> The overflow checks have found bugs throughout the ecosystem; 
> for instance, (not exhaustive!)
> 
> the standard library
> the compiler
> the built-in benchmark harness
> Servo
> image
> url
> webrender
> 
> Beyond Rust, there's a lot of evidence for the dangers of 
> integer overflow and desire for detecting/protecting against 
> them. It was on the CWE/SANS list of top 25 errors in 2011, 
> languages like Swift will unconditionally check for overflow, 
> and others like Python 3 and Haskell will avoid overflow 
> entirely by default, via arbitrary precision integers. 
> Furthermore, in C, several compilers have options to both make 
> signed overflow defined as two's complement wrapping (-fwrapv) 
> and to catch it when it does happen 
> (-fsanitize=signed-integer-overflow).
> 
> http://huonw.github.io/blog/2016/04/myths-and-legends-about-integer-overflow-in-rust/


I wonder if Rust uses the built-in "LLVM integer overflow 
checking". Recently this has been posted to r/programming:


http://blog.regehr.org/archives/1384

Since LLVM is used as the backend, the Rust article might talk 
about exactly the same thing. (To be verified; actually I know 
nothing about Rust.)