Most active commenters
  • codedokode(6)
  • genrilz(3)

←back to thread

Matt Godbolt sold me on Rust by showing me C++

(www.collabora.com)
611 points LorenDB | 12 comments | 06 May 25 17:51 UTC | HN request time: 0.001s | source | bottom
Show context
codedokode ◴[06 May 25 19:45 UTC] No.43908897[source]
What about catching integer overflow? Free open-source languages still cannot do it unlike they commercial competitors like Swift?
replies(5): >>43908922 #>>43909326 #>>43909444 #>>43910683 #>>43912986 #
lytedev ◴[06 May 25 19:48 UTC] No.43908922[source]
I'm not sure if this is what you mean, exactly, but Rust indeed catches this at compile time.

https://play.rust-lang.org/?version=stable&mode=debug&editio... https://play.rust-lang.org/?version=stable&mode=debug&editio...

replies(1): >>43909313 #
1. codedokode ◴[06 May 25 20:28 UTC] No.43909313[source]
I meant panic if during any addition (including in runtime) an overflow occurs.
replies(3): >>43909686 #>>43909733 #>>43913823 #
2. trealira ◴[06 May 25 21:11 UTC] No.43909686[source]
You can set a flag for that: https://doc.rust-lang.org/rustc/codegen-options/index.html#o...

By default, they're on during debug mode and off in release mode.

replies(1): >>43913716 #
3. genrilz ◴[06 May 25 21:15 UTC] No.43909733[source]
If you obscure the implementation a bit, you can change GP's example to a runtime overflow [0]. Note that by default the checks will only occur when using the unoptimized development profile. If you want your optimized release build to also have checks, you can put 'overflow-checks = true' in the '[profile.release]' section of your cargo.toml file [1].

  [0]: https://play.rust-lang.org/?version=stable&mode=debug&edition=2024&gist=847dc401e16fdff14ecf3724a3b15a93
  [1]: https://doc.rust-lang.org/cargo/reference/profiles.html
replies(1): >>43913709 #
4. codedokode ◴[07 May 25 09:32 UTC] No.43913709[source]
This is bad because the program behaves different depending on build flags. What's the point of having "use unsafe addition" flag, and having it enabled by default?

Rust developers made a poor choice. They should have made a special function for unchecked addition and have "+" operator always panic on overflow.

replies(1): >>43916003 #
5. codedokode ◴[07 May 25 09:34 UTC] No.43913716[source]
The choice doesn't make sense because you want the program to always behave correctly and not only during development.
replies(1): >>43916558 #
6. tialaramex ◴[07 May 25 09:55 UTC] No.43913823[source]
Why do you want a panic? Shift left. Overflow can be rejected at compile time for a price that you might be able to afford - generality.

Just insist that the programmer prove that overflow can't occur, and reject programs where the programmer couldn't or wouldn't do this.

replies(2): >>43918680 #>>43918718 #
7. genrilz ◴[07 May 25 14:16 UTC] No.43916003{3}[source]
The point I'm sure was to prevent the checks from incurring runtime overhead in production. Even in release mode, the overflow will only wrap rather than trigger undefined behavior, so this won't cause memory corruption unless you are writing unsafe code that ignores the possibility of overflow.

The checks being on in the debug config means your tests and replications of bug reports will catch overflow if they occur. If you are working on some sensitive application where you can't afford logic bugs from overflows but can afford panics/crashes, you can just turn on checks in release mode.

If you are working on a library which is meant to do something sensible on overflow, you can use the wide variety of member functions such as 'wrapping_add' or 'checked_add' to control what happens on overflow regardless of build configuration.

Finally, if your application can't afford to have logic bugs from overflows and also can't panic, you can use kani [0] to prove that overflow never happens.

All in all, it seems to me like Rust supports a wide variety of use cases pretty nicely.

[0]: https://github.com/model-checking/kani

8. lytedev ◴[07 May 25 14:55 UTC] No.43916558{3}[source]
Eh, maybe. There's a performance tradeoff here and maintainers opted for performance. I'm sure many folks would agree with you that it was the wrong choice, and I'm sure many folks would disagree with you that it was the wrong choice.

There are also specific methods for doing *erflow-checked arithmetic if you like.

replies(1): >>43918689 #
9. ◴[07 May 25 17:50 UTC] No.43918680[source]
10. codedokode ◴[07 May 25 17:51 UTC] No.43918689{4}[source]
Why should there be a performance tradeoff? Because Intel CPU doesn't have add-with-overflow-check instruction, we make our languages less safe?
replies(1): >>43920644 #
11. codedokode ◴[07 May 25 17:54 UTC] No.43918718[source]
Programmer has other things to do. Computer or CPU should do the checks.
12. genrilz ◴[07 May 25 21:17 UTC] No.43920644{5}[source]
Actually, the x86 'ADD' instruction automagically sets the 'OF' and 'CF' flags for you for signed and unsigned overflow respectively [0]. So all you need to do to panic would be to follow that with an 'JO' or 'JB' instruction to the panic handling code. This is about as efficient as you could ask for, but a large sequence of arithmetic operations is still going to gum up the branch predictor, resulting in more pipeline stalls.

[0]: https://www.felixcloutier.com/x86/add