Most active commenters
  • codedokode(9)
  • genrilz(4)

←back to thread

Matt Godbolt sold me on Rust by showing me C++

(www.collabora.com)
611 points LorenDB | 25 comments | 06 May 25 17:51 UTC | HN request time: 1.928s | source | bottom
1. codedokode ◴[06 May 25 19:45 UTC] No.43908897[source]
What about catching integer overflow? Free open-source languages still cannot do it unlike they commercial competitors like Swift?
replies(5): >>43908922 #>>43909326 #>>43909444 #>>43910683 #>>43912986 #
2. lytedev ◴[06 May 25 19:48 UTC] No.43908922[source]
I'm not sure if this is what you mean, exactly, but Rust indeed catches this at compile time.

https://play.rust-lang.org/?version=stable&mode=debug&editio... https://play.rust-lang.org/?version=stable&mode=debug&editio...

replies(1): >>43909313 #
3. codedokode ◴[06 May 25 20:28 UTC] No.43909313[source]
I meant panic if during any addition (including in runtime) an overflow occurs.
replies(3): >>43909686 #>>43909733 #>>43913823 #
4. z_open ◴[06 May 25 20:29 UTC] No.43909326[source]
assembly catches integer overflow. You just need to check the flag.
5. kelnos ◴[06 May 25 20:44 UTC] No.43909444[source]
Rust does have checked arithmetic operations (that return Result), but you have to explicitly opt in to them, of course, and they're not as ergonomic to use as regular arithmetic.
replies(2): >>43909660 #>>43913722 #
6. trealira ◴[06 May 25 21:09 UTC] No.43909660[source]
But, by default, normal arithmetic operations trap on overflow in debug mode, although they wrap with optimizations on.
7. trealira ◴[06 May 25 21:11 UTC] No.43909686{3}[source]
You can set a flag for that: https://doc.rust-lang.org/rustc/codegen-options/index.html#o...

By default, they're on during debug mode and off in release mode.

replies(1): >>43913716 #
8. genrilz ◴[06 May 25 21:15 UTC] No.43909733{3}[source]
If you obscure the implementation a bit, you can change GP's example to a runtime overflow [0]. Note that by default the checks will only occur when using the unoptimized development profile. If you want your optimized release build to also have checks, you can put 'overflow-checks = true' in the '[profile.release]' section of your cargo.toml file [1].

  [0]: https://play.rust-lang.org/?version=stable&mode=debug&edition=2024&gist=847dc401e16fdff14ecf3724a3b15a93
  [1]: https://doc.rust-lang.org/cargo/reference/profiles.html
replies(1): >>43913709 #
9. thesuperbigfrog ◴[06 May 25 23:22 UTC] No.43910683[source]
Ada has had overflow checks for decades:

https://learn.adacore.com/courses/intro-to-ada/chapters/stro...

And there is an Ada implementation that is part of GCC:

https://www.gnu.org/software/gnat/

10. ultimaweapon ◴[07 May 25 07:06 UTC] No.43912986[source]
Rust is the only language I can easily control how integer overflow should behave. I can use `var1.wrapping_add(var2)` if I want the result to be wrapped or `var1.checked_add(var2)` if I don't want it to overflow.
replies(1): >>43913695 #
11. codedokode ◴[07 May 25 09:30 UTC] No.43913695[source]
The functions are so verbose and inconvenient that even Rust developers themselves do not use them. For example, in this code [1] they used a wrapping addition instead of "checked_add" because it is faster to write.

For comparison, Swift uses "+" for checked addition and as a result, majority of developers use checked addition by default. And in Rust due to its poor design choices most developers use wrapping addition even where a checked addition should be used.

[1] https://doc.rust-lang.org/src/alloc/vec/mod.rs.html#2010

replies(2): >>43913890 #>>43917535 #
12. codedokode ◴[07 May 25 09:32 UTC] No.43913709{4}[source]
This is bad because the program behaves different depending on build flags. What's the point of having "use unsafe addition" flag, and having it enabled by default?

Rust developers made a poor choice. They should have made a special function for unchecked addition and have "+" operator always panic on overflow.

replies(1): >>43916003 #
13. codedokode ◴[07 May 25 09:34 UTC] No.43913716{4}[source]
The choice doesn't make sense because you want the program to always behave correctly and not only during development.
replies(1): >>43916558 #
14. codedokode ◴[07 May 25 09:35 UTC] No.43913722[source]
As a result, Rust developers themselves use wrapping addition where a checked addition should be used: https://doc.rust-lang.org/src/alloc/vec/mod.rs.html#2010
replies(1): >>43913937 #
15. tialaramex ◴[07 May 25 09:55 UTC] No.43913823{3}[source]
Why do you want a panic? Shift left. Overflow can be rejected at compile time for a price that you might be able to afford - generality.

Just insist that the programmer prove that overflow can't occur, and reject programs where the programmer couldn't or wouldn't do this.

replies(2): >>43918680 #>>43918718 #
16. ultimaweapon ◴[07 May 25 10:04 UTC] No.43913890{3}[source]
Checked addition by default will have too much overhead and it will hurt performance, which unacceptable in Rust since it was designed as a system language. Swift can use checked add by default since it was designed for application software.

Your example code is not because it is faster to write, it is because it is impossible for its to overflow on that line.

replies(1): >>43918595 #
17. tialaramex ◴[07 May 25 10:09 UTC] No.43913937{3}[source]
That's not a wrapping addition, that addition will never overflow so it has no overflow behaviour.

This line could only overflow after we need to grow the container, so immediately this means the type T isn't a ZST as the Vec for ZSTs doesn't need storage and so it never grows.

Because its not a ZST the maximum capacity in Rust is never bigger than isize::MAX which is an entire binary order of magnitude smaller than usize::MAX, as a result len + 1 can't overflow the unsigned type, so this code is correct as written.

18. genrilz ◴[07 May 25 14:16 UTC] No.43916003{5}[source]
The point I'm sure was to prevent the checks from incurring runtime overhead in production. Even in release mode, the overflow will only wrap rather than trigger undefined behavior, so this won't cause memory corruption unless you are writing unsafe code that ignores the possibility of overflow.

The checks being on in the debug config means your tests and replications of bug reports will catch overflow if they occur. If you are working on some sensitive application where you can't afford logic bugs from overflows but can afford panics/crashes, you can just turn on checks in release mode.

If you are working on a library which is meant to do something sensible on overflow, you can use the wide variety of member functions such as 'wrapping_add' or 'checked_add' to control what happens on overflow regardless of build configuration.

Finally, if your application can't afford to have logic bugs from overflows and also can't panic, you can use kani [0] to prove that overflow never happens.

All in all, it seems to me like Rust supports a wide variety of use cases pretty nicely.

[0]: https://github.com/model-checking/kani

19. lytedev ◴[07 May 25 14:55 UTC] No.43916558{5}[source]
Eh, maybe. There's a performance tradeoff here and maintainers opted for performance. I'm sure many folks would agree with you that it was the wrong choice, and I'm sure many folks would disagree with you that it was the wrong choice.

There are also specific methods for doing *erflow-checked arithmetic if you like.

replies(1): >>43918689 #
20. genrilz ◴[07 May 25 16:14 UTC] No.43917535{3}[source]
The reason '+ 1' is fine in the example you gave is that length is always less than or equal to capacity. If you follow 'grow_one' which was earlier in the function to grow the capacity by one if needed, you will find that it leads to the checked addition in [0], which returns an error that [1] catches and turns into a panic. So using '+1' prevents a redundant check in release mode while still adding the check in debug mode in case future code changes break the 'len <= capacity' invariant.

Of course, if you don't trust the standard library, you can turn on overflow checks in release mode too. However, the standard library is well tested and I think most people would appreciate the speed from eliding redundant checks.

  [0]: https://doc.rust-lang.org/src/alloc/raw_vec.rs.html#651
  [1]: https://doc.rust-lang.org/src/alloc/raw_vec.rs.html#567
21. codedokode ◴[07 May 25 17:42 UTC] No.43918595{4}[source]
Why should checked addition have any overhead? You should just use checked addition instruction (on architectures that support it) instead of wrapping addition.

Or just because on Intel CPUs it has overhead, we must forget about writing safer code?

22. ◴[07 May 25 17:50 UTC] No.43918680{4}[source]
23. codedokode ◴[07 May 25 17:51 UTC] No.43918689{6}[source]
Why should there be a performance tradeoff? Because Intel CPU doesn't have add-with-overflow-check instruction, we make our languages less safe?
replies(1): >>43920644 #
24. codedokode ◴[07 May 25 17:54 UTC] No.43918718{4}[source]
Programmer has other things to do. Computer or CPU should do the checks.
25. genrilz ◴[07 May 25 21:17 UTC] No.43920644{7}[source]
Actually, the x86 'ADD' instruction automagically sets the 'OF' and 'CF' flags for you for signed and unsigned overflow respectively [0]. So all you need to do to panic would be to follow that with an 'JO' or 'JB' instruction to the panic handling code. This is about as efficient as you could ask for, but a large sequence of arithmetic operations is still going to gum up the branch predictor, resulting in more pipeline stalls.

[0]: https://www.felixcloutier.com/x86/add