Menu
Search

Forums

Forum Index

April 30, 2016
Gravatar of Laeeth IsharcPosted by Laeeth IsharcReply
Laeeth Isharc
Gravatar of Laeeth Isharc


Reply
All the design/discussion/implementation of this scheme for handling integer overflow would be wasted if it didn’t actually find any bugs in practice. I personally have had quite a few bugs found nearly as I write them, with expressions like cmp::max(x - y, z) (they never hit the internet, so no links for them), especially when combined with testing infrastructure like quickcheck.

The overflow checks have found bugs through out the ecosystem; for instance, (not exhaustive!)

    the standard library
    the compiler
    the built-in benchmark harness
    Servo
    image
    url
    webrender

Beyond Rust, there’s a lot of evidence for the dangers of integer overflow and desire for detecting/protecting against them. It was on the CWE/SANS list of top 25 errors in 2011, languages like Swift will unconditionally check for overflow, and others like Python 3 and Haskell will avoid overflow entirely by default, via arbitrary precision integers. Furthermore, in C, several compilers have options to both make signed overflow defined as two’s complement wrapping (-fwrapv) and to catch it when it does happen (-fsanitize=signed-integer-overflow).

http://huonw.github.io/blog/2016/04/myths-and-legends-about-integer-overflow-in-rust/
April 30, 2016
Gravatar of EdPosted by Ed
in reply to Laeeth Isharc		Reply
Ed
Gravatar of Ed
Posted in reply to Laeeth Isharc


Reply
On Saturday, 30 April 2016 at 23:11:20 UTC, Laeeth Isharc wrote:
> All the design/discussion/implementation of this scheme for handling integer overflow would be wasted if it didn’t actually find any bugs in practice. I personally have had quite a few bugs found nearly as I write them, with expressions like cmp::max(x - y, z) (they never hit the internet, so no links for them), especially when combined with testing infrastructure like quickcheck.
>
> The overflow checks have found bugs through out the ecosystem; for instance, (not exhaustive!)
>
>     the standard library
>     the compiler
>     the built-in benchmark harness
>     Servo
>     image
>     url
>     webrender
>
> Beyond Rust, there’s a lot of evidence for the dangers of integer overflow and desire for detecting/protecting against them. It was on the CWE/SANS list of top 25 errors in 2011, languages like Swift will unconditionally check for overflow, and others like Python 3 and Haskell will avoid overflow entirely by default, via arbitrary precision integers. Furthermore, in C, several compilers have options to both make signed overflow defined as two’s complement wrapping (-fwrapv) and to catch it when it does happen (-fsanitize=signed-integer-overflow).
>
> http://huonw.github.io/blog/2016/04/myths-and-legends-about-integer-overflow-in-rust/

I wonder if Rust uses the built-in "LLVM integer overflow checking". Recently this has been posted to r/programming:

http://blog.regehr.org/archives/1384

Since LLVM is used as backend the Rust article might talk exactly about the same thing. (to be verified, actually I know nothing about Rust).