Fix underflow in core::str::Searcher::new #16590
Conversation
nham
changed the title
|
Could you add a test for this as well? |
|
@alexcrichton this change only effects which internal algorithm is used to perform a search. If the underlying algorithms are correct (they're not), it should not effect the correctness, so in a sense this can't be tested. |
|
This states that #16589 is fixed, so couldn't a test for that be added? |
|
@alexcrichton sure, but it's more accurate to say the bug has been hidden by it.
|
|
@alexcrichton I meant that while this technically resolves #16589, the real problem is that |
|
In the D programming language every now and then someone comes to the newsgroup saying "I have this strangest bug, this is working wrong", only to get the answer "you are comparing a signed int with an unsigned one". This happens because array lengths are also unsigned ints there. Be prepared to have these bugs and get similar questions from people using Rust. In my opinion, it makes sense that the length of a vector or an array is unsigned (it can't be negative), but if you make it a signed integer it isn't a big drawback and you will never have these kinds of bugs. C#'s Array.length is signed: http://msdn.microsoft.com/en-us/library/system.array.length(v=vs.110).aspx Java's Array length (and other types) are also ints (well, I think they don't have unsigned types). I never heard anyone running into these bugs in Python, Ruby, Javascript, etc., either. This program has an unexpected answer: fn main() {
let a = [1, 2, 3];
println!("{}", a.len() > -1);
}(and, as a side note, this program crashes the compiler:) fn main() {
println!("{}", [].len() > -1);
}Please, consider using unsigned ints as least as possible. Thanks :-) |
|
@nham, tests such as this are normally added as unit tests, but the core tests are in the |
|
@alexcrichton Done. |
|
It is correct to use unsigned types for array lengths. Changing array lengths to be signed is the wrong solution. The right solution is to just warn against things like |
|
But in this issue the line was this: needle.len() > haystack.len() - 20I don't think the compiler can warn against that... |
|
shouldn't integer overflow (either signed or unsigned) be trapped by a safe language which rust aims to be? |
|
@imbaczek I thought the same. But maybe Rust only aims to be a memory-safe language, not a non bug-prone language. |
|
@imbaczek: Rust aims to be competitive in performance with C and C++, and it wouldn't be if it branched on every integer operation. The complexity of the borrow checking and ownership don't make much sense if you have far bigger performance issues. It does expose intrinsics for efficient checked overflow and you could make checked types solely using those. In practice, not many people are going to use them. If you don't know the bounds it makes more sense to use a big integer. |
|
This was discussed on /r/rust, and it was pointed out that this still contains a bug if |
…stic-fix, r=Veykril fix: Fix false positives for "unnecessary else" diagnostic Completes rust-lang/rust-analyzer#16567 by `@ShoyuVanilla` (see rust-lang/rust-analyzer#16567 (comment)) Fixes rust-lang#16556
This incidentally fixes #16589, because it will cause
MatchIndicesto useNaiveSearcherinstead ofTwoWaySearcher, but I'm not sure #16589 should be closed until the underlying problem inTwoWaySearcheris found.