by pcwalton
3044 days ago
> An integer that has wrapped gets passed into a piece of unsafe Rust code that was otherwise bullet proof, exposing a vulnerability where otherwise the program would have abended much earlier when the overflow happened.

In that case, that piece of unsafe code would have a bug, which would be a bug regardless of whether overflow happened. The contract of unsafe code is that it must not expose undefined behavior. For example, vector indexing is implemented with unsafe code, but the unsafe code performs bounds checks, so it doesn't matter whether an overflowed integer was passed in as the index.

> Btw, Swift seems to get this right, I wonder what their secret sauce is.

Their "secret sauce" is not having the same performance goals (which is not a criticism of Swift).
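The contract described in the comment, as an added illustration (not pcwalton's code and not the standard library's actual `Vec` indexing): a safe wrapper does its own bounds check before the unsafe read, so a wrapped index is harmless to it, while checked arithmetic at the computation site catches the overflow earlier. The helper names and the sample values are constructed for this example.

```rust
// Added example modelled on the comment's argument; not Rust std's source.

/// Safe wrapper around an unsafe read. The bounds check is what makes the
/// `get_unchecked` call sound, so how `idx` was produced (wrapped or not)
/// is irrelevant to this function's soundness.
pub fn checked_get(v: &[u32], idx: usize) -> Option<u32> {
    if idx < v.len() {
        // SAFETY: idx < v.len() was verified on the line above.
        Some(unsafe { *v.get_unchecked(idx) })
    } else {
        None
    }
}

/// `base + offset` with explicit wrapping semantics, i.e. what a release
/// build does by default when overflow checks are disabled.
pub fn wrapped_index(base: usize, offset: usize) -> usize {
    base.wrapping_add(offset)
}

/// Same computation, but reporting the overflow instead of silently
/// wrapping: the bug surfaces at the arithmetic, not at the later use site.
pub fn checked_index(base: usize, offset: usize) -> Option<usize> {
    base.checked_add(offset)
}

fn main() {
    let v: Vec<u32> = (0..8).collect();
    // Constructed input: usize::MAX + 3 wraps around to 2.
    let idx = wrapped_index(usize::MAX, 3);
    println!("wrapped index = {idx}, read = {:?}", checked_get(&v, idx));
    // A wrapped value that lands out of range is rejected by the wrapper.
    println!("out of range = {:?}", checked_get(&v, wrapped_index(usize::MAX, 20)));
    // Checked arithmetic reports the overflow where it happens.
    println!("checked = {:?}", checked_index(usize::MAX, 3));
}
```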