| 1 | +- Start Date: 2014-10-28 |
| 2 | +- RFC PR: (leave this empty) |
| 3 | +- Rust Issue: (leave this empty) |
| 4 | + |
| 5 | +# Summary |
| 6 | + |
| 7 | +Allow control of unspecified behaviour via compiler flags |
| 8 | + |
| 9 | +# Motivation |
| 10 | + |
| 11 | +Several things in Rust shouldn't have a well-defined result. However, |
| 12 | +safety and debugging, would like some well-defined option. |
| 13 | + |
| 14 | +# Detailed design |
| 15 | + |
| 16 | +There are several things in Rust that don't have a well-specified behaviour. |
| 17 | +Among them are: |
| 18 | + |
| 19 | + - Signed Integer arithmetic overflow |
| 20 | + - Shift amount overflow |
| 21 | + - Checked Array OOB indexing |
| 22 | + - Divide-by-Zero |
| 23 | + - LLVM UB in unsafe intrinsics |
| 24 | + - Unchecked Array OOB indexing (if we take #392 or some variant) |
| 25 | + |
| 26 | +In these cases, there are several things we could want to do – the primary |
| 27 | +options are task failure^H^H^H^H^H^H^Hpanic, aborting, undefined behaviour |
| 28 | +(which is unsafe except in the first 4 cases), and (in the former 2) |
| 29 | +returning a not-entirely-correct result (actually, with shift overflow, |
| 30 | +there are *2* such results – either x86-style masking of the shift count, |
| 31 | +or "correctly" returning 0/-1). |
| 32 | + |
| 33 | +Add a compiler flag that controls the choice, -S TYPE=ACTION |
| 34 | + |
| 35 | +Where TYPE is one of `signed_overflow`, `shift_overflow`, |
| 36 | +`checked_oob`, `divide_by_zero`, `unsafe_intrinsic`, `unsafe_oob` (and |
| 37 | +maybe more), and ACTION is one of "default", "fail", "undefined", |
| 38 | +or (with the first 2 options) "wraparound". Add "all" and "unsafe_all" flags |
| 39 | +to control the defaults (note that actually it is the safe options that |
| 40 | +allow unsafety in safe code, which can be confusing). Have the default |
| 41 | +be the current choice (currently we have `signed_overflow=wrap`, |
| 42 | +`shift_overflow=undefined`, `checked_oob=fail`, `divide_by_zero=fail`, |
| 43 | +`unsafe_intrinsic=undefined` and probably `unsafe_oob=undefined`) unless |
| 44 | +we make some different decision. |
| 45 | + |
| 46 | +For example, if we're debugging and want fail-fast, we could have |
| 47 | +`-S all=fail`, and until we do something with shift amounts people could want |
| 48 | +`-S shift_overflow=wrap`. |
| 49 | + |
| 50 | +# Drawbacks |
| 51 | + |
| 52 | +This would tempt people could use `-S checked_oob=undefined` and get 0wned. |
| 53 | + |
| 54 | +# Alternatives |
| 55 | + |
| 56 | +Also allow this on attributes. This would make it more likely to be |
| 57 | +mis-used. |
| 58 | + |
| 59 | +# Unresolved questions |
| 60 | + |
| 61 | +None currently. |
| 62 | + |
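Review bot: the ACTION names are inconsistent between the definition and the examples in the Detailed design section: the flag grammar lists the actions as "default", "fail", "undefined" and "wraparound", but the stated current defaults use `signed_overflow=wrap` and the debugging example uses `-S shift_overflow=wrap`; pick one spelling (`wrap`, matching the examples, seems the natural choice) and use it throughout. For `shift_overflow` a single "wraparound" action is also underspecified, because the same paragraph says there are two candidate results (x86-style masking of the shift count, or returning 0/-1); either expose them as two distinct actions or state which one `wrap` selects. The parenthetical "which is unsafe except in the first 4 cases" reads as the opposite of what the later note and the Drawbacks section say, namely that it is precisely the four safe-code cases where choosing `undefined` lets unsafety into safe code (the Drawbacks example `-S checked_oob=undefined` is one of those four); reword it to say that directly, and consider making `undefined` for those four types require an explicit opt-in such as the proposed `unsafe_all` rather than being reachable through plain `all`. Minor wording: the Motivation sentence "However, safety and debugging, would like some well-defined option" and the Drawbacks sentence "This would tempt people could use ..." are each missing words, and given the `task failure^H^H^H^H^H^H^Hpanic` aside in the same paragraph the action should probably be named "panic" rather than "fail".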