My 2c: The world is finally becoming security-conscious, so I think it is only a matter of time before architectures that implement zero-cost integer overflow checking appear. I think we should be ready for it when this happens. So I would propose the following practical solution (I think Gabor is also leaning in favor of something like this):

1. Declare that regular int types (i8, u8, i32, u32, ...) are non-wrapping. Check them for overflow in debug builds, maybe even in optimized builds on platforms where the overhead is not too egregious. There should probably be a per-module performance escape hatch that disables overflow checks in optimized builds on all platforms. On zero-cost overflow checking platforms, the checks would of course always be on. Also, since we are saving LLVM IR in rlibs for LTO, it may even be possible to make this a global (i.e. not just for the current crate) compile-time decision.

2. Introduce new wrapping counterparts of the above for cases when wrapping is actually desired. If we don't do this now, it will be much more painful later, when a large body of Rust code will have been written that does not make the distinction between wrapping and non-wrapping ints.

Vadim
_______________________________________________ Rust-dev mailing list Rust-dev@mozilla.org https://mail.mozilla.org/listinfo/rust-dev
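What the two categories in the proposal look like in today's Rust, as an added example that is not from the original post or from the Rust project: checked arithmetic for the non-wrapping case (an overflow is reported instead of silently producing a small number, which matters for allocation sizes) beside wrapping arithmetic where wrap-around is the intended semantics. The functions, `buffer_size` and `checksum`, and their inputs are constructed for illustration.

```rust
use std::num::Wrapping;

// Non-wrapping case: a buffer size that overflows must be reported, not
// silently wrapped to a too-small value. checked_mul/checked_add return
// None on overflow, and `?` propagates that None to the caller.
fn buffer_size(elems: u32, elem_size: u32, header: u32) -> Option<u32> {
    elems.checked_mul(elem_size)?.checked_add(header)
}

// Wrapping case: a simple additive checksum over bytes, deliberately
// computed modulo 2^8. The Wrapping<u8> newtype makes `+` wrap by design,
// in debug and release builds alike.
fn checksum(data: &[u8]) -> u8 {
    data.iter().fold(Wrapping(0u8), |acc, &b| acc + Wrapping(b)).0
}

// Same checksum using the explicit wrapping_add method on plain u8
// instead of the Wrapping newtype; both spell out that wrapping is wanted.
fn checksum_explicit(data: &[u8]) -> u8 {
    data.iter().fold(0u8, |acc, &b| acc.wrapping_add(b))
}

fn main() {
    // Constructed inputs.
    println!("{:?}", buffer_size(1000, 16, 8)); // Some(16008)
    println!("{:?}", buffer_size(u32::MAX, 2, 0)); // None: the multiply would have wrapped
    println!("{}", checksum(&[0xff, 0x02])); // 1: wrapped on purpose
    println!("{}", checksum_explicit(&[0xff, 0x02])); // 1
    // A plain `a + b` on u8 that overflows panics in a debug build
    // ("attempt to add with overflow") and wraps in a release build unless
    // overflow-checks is enabled in the Cargo profile, which is the
    // debug-on / release-off policy the post proposes.
}
```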