Integer overflow checking #6012
Comments
|
I propose that we follow a prior work here, namely C# Language Specification, 4th edition, section 14.5.13. 14.5.13 The checked and unchecked operators The checked and unchecked operators are used to control the overflow-checking context for integral-type arithmetic operations and conversions. |
|
Note that LLVM has overflow intrinsics which compiles to overflow flag and carry flag (if things are aligned). Mono compiles C# checked operators to LLVM overflow intrinsics when it is using the LLVM backend (as a matter of fact, Mono added these to LLVM for their own use). |
|
This came up at lunch today. I'm led to understand that LLVM has a "check if the last operation overflowed" operation, so we should have a corresponding way (primitive or library) to check for it. Sometimes programmers want their operations to overflow (hashing), and sometimes not (pointer arithmetic) --we should leave that decision to them. |
|
Nominating for Well-Defined. |
|
I don't think it should be part of the language, but a #[check_wrapping] attribute to enable runtime checks could be useful, at least for debugging. |
|
I've implemented intrinsics + traits for overflow checked For |
|
There's now a The built-in integer types are defined as wrapping, but it's now easy to implement an alternate type expanding to a big integer on overflow like the integers in Python. I don't think it makes sense to take any other path, because as long as the type is restricted to fixed-size you need to consider behaviour on overflow. If there is a specific proposal, that can be opened as an issue. There have been many discussions about this with a consistent consensus that overflow checking is too high a cost to pay. The only full solution is an unbounded integer type, and that comes with the baggage of out-of-memory if you aren't checking inputs. |
|
I opened #8635 as a replacement for this issue. |
Downgrade interior_mutable_const lints to warn by default This change updates the two lints in the file non_copy_const.rs to be warn by default rather than deny by default. It also updates the known problems for declare_interior_mutable_const to mention some issues that are affected by the lints. This is a repeat pull request since I botched the first one (rust-lang#6012). Apart from my messing up the commits of that one, I also had a problem where the stderr of the tests didn't change despite me changing both lints to warn by default. Is this normal behaviour for some lints or do I need to adjust the tests to accommodate the change? fixes rust-lang#5863 changelog: none
At various times, the issue of whether we should enable integer overflow checking (meaning that an integer overflow would be a hard failure at runtime rather than silently wrapping around) has come up; most recently, in this mailing list thread. A more specific example (which I'm about to close in favor of this more general bug) is #2470.
We should decide whether we want to address this form of safety in Rust's semantics.
The text was updated successfully, but these errors were encountered: