• badmin@lemm.ee · ↑3 · 1 day ago

    Rust supports wrapping, saturating, and checked operations, which allows you to precisely define the behavior you want from your math operations and to avoid ever hitting an (unchecked) overflow.

    • solrize@lemmy.world · ↑1 ↓1 · edited · 1 day ago

      I saw something where you can wrap a function around an operation to say how to handle overflow, but that seems like a mistake. Modular (wrapping), saturating (sometimes useful), and checked (standard arithmetic within the machine bounds) are all good, but they should be conveyed in the datatype. Particularly, the default integer datatypes (i32, i64) should be checked. Unchecked arithmetic (including wrapping around when the application is written as if the ints were unbounded) is simply unsafe, like unchecked array subscripts.

      It’s ok if there is an optimization pragma to enable this for performance when necessary. Ada does it the right way, and implementations I know of have such a pragma available for when you want it. Also, while this is a matter of tooling rather than language, Ada currently has better facilities (SPARK) for statically verifying that integer arithmetic in a program doesn’t overflow.

      I’m not trying to bash Rust or get into a Rust vs Ada war, but am noting the differences that I see.

        • badmin@lemm.ee · ↑3 · 1 day ago

        Wrapping and Saturating are available as data types in std. Checked can’t be a (useful) data type as-is because it by definition changes the type of the return value of operations (Option<T> instead of T). But you can trivially add a noisy/signalling wrapper yourself if you wish to (basically doing checked ops and unwrapping all results). An example of something offering a noisy interface is a crate named noisy_float.
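        The three policies named in this thread, side by side on one overflowing input, as an added example (not code from either commenter): the per-operation methods on u8, the std::num::Wrapping type that carries the policy in the type, a checked fold whose return type becomes Option<u8>, and a hypothetical Noisy<T> wrapper (my own name, not a std type) that does checked_add under `+` and panics on overflow in every build profile. A std::num::Saturating type also exists in recent std; it is left out here to keep the block buildable on older toolchains.

```rust
use std::num::Wrapping;
use std::ops::Add;
use std::panic;

/// One overflowing operation (250 + 10 does not fit in a u8) under each
/// per-operation policy the standard library offers.
pub fn per_op_policies(a: u8, b: u8) -> (u8, u8, Option<u8>, (u8, bool)) {
    (
        a.wrapping_add(b),    // modular arithmetic: 250 + 10 = 4
        a.saturating_add(b),  // clamped to u8::MAX: 255
        a.checked_add(b),     // None instead of a wrong value
        a.overflowing_add(b), // wrapped value plus an "it overflowed" flag
    )
}

/// Policy carried by the type: std::num::Wrapping makes plain `+` wrap,
/// so this fold never trips the debug-build overflow check.
pub fn wrapping_sum(values: &[u8]) -> u8 {
    values
        .iter()
        .fold(Wrapping(0u8), |acc, &v| acc + Wrapping(v))
        .0
}

/// Checked arithmetic at the call site: every `+` becomes checked_add and
/// the Option is propagated, which is why "checked" cannot be a drop-in
/// type: the return type changes from u8 to Option<u8>.
pub fn checked_sum(values: &[u8]) -> Option<u8> {
    values.iter().try_fold(0u8, |acc, &v| acc.checked_add(v))
}

/// Hypothetical "noisy" wrapper (assumed here, not a std type): `+` does a
/// checked_add and panics on overflow, release builds included. This is
/// the signalling wrapper the comment says you can build yourself.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct Noisy<T>(pub T);

macro_rules! impl_noisy_add {
    ($($t:ty),*) => {$(
        impl Add for Noisy<$t> {
            type Output = Noisy<$t>;
            fn add(self, rhs: Self) -> Self {
                match self.0.checked_add(rhs.0) {
                    Some(v) => Noisy(v),
                    None => panic!("integer overflow: {} + {}", self.0, rhs.0),
                }
            }
        }
    )*};
}
impl_noisy_add!(u8, i32, i64);

/// Same fold as wrapping_sum, but with the noisy type: the result is a
/// plain u8 again, and an overflow aborts instead of yielding 44.
pub fn noisy_sum(values: &[u8]) -> u8 {
    values.iter().fold(Noisy(0u8), |acc, &v| acc + Noisy(v)).0
}

/// Runs noisy_sum and reports whether it panicked, so the failure mode
/// is observable as a value (the panic message still goes to stderr).
pub fn noisy_sum_panics(values: &[u8]) -> bool {
    panic::catch_unwind(|| noisy_sum(values)).is_err()
}

fn main() {
    // Constructed sample input: a total of 300, which does not fit in a u8.
    let values = [200u8, 100];
    println!("per-op policies for 250 + 10: {:?}", per_op_policies(250, 10));
    println!("wrapping_sum: {}", wrapping_sum(&values));
    println!("checked_sum:  {:?}", checked_sum(&values));
    println!("noisy_sum panics: {}", noisy_sum_panics(&values));
}
```

        Note what each variant costs the caller: wrapping_sum and noisy_sum keep the u8 signature, checked_sum forces every caller to handle None, and only Noisy gives the "raise on overflow" behaviour independent of whether the crate was built with overflow checks.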

          • solrize@lemmy.world · ↑1 ↓2 · 1 day ago

          Checked arithmetic failing should raise an exception like it does in Ada. What happens if you use an out of range array subscript a[n]? Does that always return an option type? Really, these types of errors are rare enough that it’s unfeasible to program defensively around the possibility all the time. But they are frequent enough (especially with malicious input) that we’ve had 50 years of buffer overruns in C, leading to the invention of Rust among other things.

          Wrapping and saturating are for special purposes: wrapping for when you’re explicitly dealing with computer words (as in bit operations or cryptography) and saturating in some media applications and the like. It’s amusing that C in a certain sense is more correct than Rust or Java in this way. Signed arithmetic overflow in C is UB, so the compiler is at least permitted to always check the arithmetic and signal on overflow (use -ftrapv for this). C doesn’t have a way to check unsigned overflow. Things were muddled in the 1970s when C was designed ;).

          I think it would be an improvement to Rust to fix its arithmetic to work like Ada’s.

            • badmin@lemm.ee · ↑4 · 23 hours ago

            What happens if you use an out of range array subscript a[n]? Does that always return an option type?

            It never returns an option type. This Index interface happens to be actually noisy as implemented for some std types. Although you can implement it however you like for your own data types (including ones just wrapping the std ones). And we have checked access and unchecked access as methods.

            It’s actually astonishing the lengths you’re taking to NOT learn anything, to the point of just imagining things about Rust that are supposedly done wrong compared to Ada.
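            The three access styles this reply lists, as an added example (not code from the commenter): a[n] through the slice's Index impl, which panics; get(n), which returns Option; and get_unchecked(n), which checks nothing and is unsafe. The Ring<T> wrapper with its own Index policy is a hypothetical type assumed for illustration, not anything in std.

```rust
use std::ops::Index;
use std::panic;

/// Noisy access: the slice's Index impl panics on an out-of-range n.
/// The return type is the element, never an Option, in every build profile.
pub fn noisy_get(a: &[u32], n: usize) -> u32 {
    a[n]
}

/// Checked access: `get` hands back an Option and the caller decides.
pub fn checked_get(a: &[u32], n: usize) -> Option<u32> {
    a.get(n).copied()
}

/// Unchecked access: get_unchecked does no bounds check at all, so the
/// caller must have proven n < a.len(). The debug_assert! makes that
/// obligation visible in debug builds; in release there is no check and
/// an out-of-range n is undefined behaviour.
pub fn unchecked_get(a: &[u32], n: usize) -> u32 {
    debug_assert!(n < a.len(), "caller violated the bounds precondition");
    // SAFETY: the caller guarantees n < a.len().
    unsafe { *a.get_unchecked(n) }
}

/// Hypothetical wrapper (assumed here, not a std type) with its own Index
/// policy: the index is reduced modulo the length, so a[n] never fails on
/// a non-empty ring. Index must return a reference, which is why no Index
/// impl can return an Option.
pub struct Ring<T>(pub Vec<T>);

impl<T> Index<usize> for Ring<T> {
    type Output = T;
    fn index(&self, n: usize) -> &T {
        &self.0[n % self.0.len()]
    }
}

pub fn ring_get(a: &Ring<u32>, n: usize) -> u32 {
    a[n]
}

/// Reports whether noisy_get panicked for this index, so the failure
/// mode is observable as a value (the panic message still goes to stderr).
pub fn noisy_get_panics(a: &[u32], n: usize) -> bool {
    panic::catch_unwind(|| noisy_get(a, n)).is_err()
}

fn main() {
    // Constructed sample data; index 5 is out of range for three elements.
    let a = [10u32, 20, 30];
    println!("checked_get(5): {:?}", checked_get(&a, 5));
    println!("noisy_get(5) panics: {}", noisy_get_panics(&a, 5));
    println!("unchecked_get(0): {}", unchecked_get(&a, 0));
    println!("ring[5]: {}", ring_get(&Ring(a.to_vec()), 5));
}
```

            The practical reading for code that handles untrusted input: a[n] and get(n) are both memory-safe, differing only in whether the failure is a panic or a None the caller must route; get_unchecked is the only one that can turn a bad index into a memory-safety bug, and it requires the unsafe keyword at the call site for exactly that reason.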

          • bitcrafter@programming.dev · ↑2 · 23 hours ago

            What happens if you use an out of range array subscript a[n]? Does that always return an option type?

            I think that you would be surprised by the amount you would learn if you spent five minutes actually trying to answer your own questions, instead of treating them as proof that you just made a relevant point merely by asking them.