
Pitfalls of Safe Rust

(corrode.dev)
168 points, posted by pjmlp | 7 comments
woah No.43603395
Is "as" an unnecessary footgun?
whytevuhuni No.43603560
That was my first impression as well. So much of Rust’s language and standard library enforces correctness, that gaps start to feel way more visible.

“as” is a good example. Floats are pretty much the only reason PartialEq exists, so why can’t we have a guaranteed-not-NaN-nor-inf type in std and use that everywhere? Why not make wrapping integers a panic even in release mode? Why not have proper dependent types (e.g. to remove bound checks), and proper linear types (to enforce that object destructors always run)?

It’s easy to forget that Rust is not an ideal language, but rather a very pragmatic one, and sometimes correctness loses in favour of some other goals.

1. int_19h No.43605449
Some of these don't strike me as particularly pragmatic. E.g. are overflow checks really that expensive, given that it's a well-known footgun that is often exploitable? Sure, you don't want, say, 10% overhead in your number-crunching codec or whatever, but surely it's better to have those cases opt in for better perf as needed, as opposed to a default behavior that silently produces invalid results?
2. mustache_kimono No.43606593
> Some of these don't strike me as particularly pragmatic. E.g. are overflow checks really that expensive

Did you read the article? Rust includes overflow checks in debug builds, and then about a dozen methods (checked_mul, checked_add, etc.) which explicitly provide for checks in release builds.

Pragmatism, for me, is this help-when-you-need-it approach.

TBF Rust forces certain choices on one in other instances, like SipHash as the default Hasher for HashMap. But again opting out, like opting in, isn't hard.

3. bobbylarrybobby No.43607313
I'd prefer for Rust to opt for correctness/bug-freeness over performance, even in release builds. If you are doing number crunching you should have to opt out of these checks.
4. mustache_kimono No.43608490
> I'd prefer for Rust to opt for correctness/bug-freeness over performance, even in release builds. If you are doing number crunching you should have to opt out of these checks.

You can turn those checks on, in release mode, of course: https://doc.rust-lang.org/rustc/codegen-options/index.html#o...

But I think the behavior on overflow is to "panic!()" (terminate immediately)? So -- I guess from my POV I wouldn't in release mode. I just think that tradeoff isn't generally worth it, but again, you can turn that behavior on.

5. steveklabnik No.43611712
panics do not terminate immediately; they unwind the stack, and if they’re not caught, they terminate the current thread, not the process.
6. mustache_kimono No.43612007
> panics do not terminate immediately; they unwind the stack, and if they’re not caught, they terminate the current thread, not the process.

I don't disagree though this point is a little pedantic. I suppose the docs also need an update? See: https://doc.rust-lang.org/std/macro.panic.html

> "This allows a *program to terminate immediately* and provide feedback to the caller of the program."

Now, I don't think so, because program death is usually what this type of panic means.

And my point remains, without more, this probably isn't the behavior one wants in release mode. But, yes, also perhaps an even better behavior is turning on checks, catching the panic, and logging it with others.

7. steveklabnik No.43612222
I don't disagree that it could use revising, but it's technically correct: it allows but does not require. If you've configured panic=abort, it will abort the program instead of unwind, but that's not the default.
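The thread above contrasts three things: what `as` silently does when narrowing, the explicit `checked_*` methods that work the same in debug and release, and the "turn on checks, catch the panic, log it" approach from comment 6. The following is an added example written for this thread, not code from the article or from any commenter; the function names are my own, and `std::panic::catch_unwind` only catches a panic when the binary is built with the default `panic=unwind` (under `panic=abort` the process dies, as comment 7 notes).

```rust
use std::panic;

/// `as` never fails: narrowing u32 -> u8 keeps only the low 8 bits.
fn narrow_with_as(v: u32) -> u8 {
    v as u8
}

/// `as` on a signed value reinterprets the bit pattern: -1 becomes u32::MAX.
fn signed_with_as(v: i32) -> u32 {
    v as u32
}

/// Float -> int with `as` saturates, and NaN maps to 0 (no panic, no error).
fn float_with_as(v: f64) -> i32 {
    v as i32
}

/// The explicit alternative: TryFrom reports the out-of-range case.
fn narrow_checked(v: u32) -> Option<u8> {
    u8::try_from(v).ok()
}

/// Overflow handling that is independent of the build profile:
/// checked_add yields None on overflow, wrapping_add wraps silently.
fn add_checked(a: u32, b: u32) -> Option<u32> {
    a.checked_add(b)
}
fn add_wrapping(a: u32, b: u32) -> u32 {
    a.wrapping_add(b)
}

/// The approach from comment 6: let the overflow panic, catch it at a
/// boundary, and turn it into an Err that can be logged instead of
/// taking the whole thread down. An explicit check is used so the panic
/// happens regardless of the -C overflow-checks setting.
fn add_catch_panic(a: u32, b: u32) -> Result<u32, String> {
    panic::catch_unwind(|| a.checked_add(b).expect("integer overflow")).map_err(|payload| {
        // Panic payloads are either &str or String depending on how panic! was invoked.
        let msg = payload
            .downcast_ref::<&str>()
            .map(|s| s.to_string())
            .or_else(|| payload.downcast_ref::<String>().cloned())
            .unwrap_or_else(|| "non-string panic payload".to_string());
        format!("caught panic: {msg}")
    })
}
```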