Compiling with no bounds checking for vectors?

classic Classic list List threaded Threaded
61 messages Options
1234
Reply | Threaded
Open this post in threaded view
|

Compiling with no bounds checking for vectors?

Steve Klabnik
> Why isn't there a compiler flag like 'noboundscheck' which would disable all bounds checking for vectors? It would make it easier to have those language performance benchmarks (which people are bound to make with no bounds checking in C++ at least) be more apples-to-apples comparisons. Also, knowing there's a flag in case you need one would put performance-critical people's mind

A flag that removes safety is pretty antithical to the goals of the
language, IMHO.

Reply | Threaded
Open this post in threaded view
|

Compiling with no bounds checking for vectors?

Tommi Tissari
On 27 Mar 2014, at 22:17, Steve Klabnik <steve at steveklabnik.com> wrote:

>> Why isn't there a compiler flag like 'noboundscheck' which would disable all bounds checking for vectors? It would make it easier to have those language performance benchmarks (which people are bound to make with no bounds checking in C++ at least) be more apples-to-apples comparisons. Also, knowing there's a flag in case you need one would put performance-critical people's mind
>
> A flag that removes safety is pretty antithical to the goals of the
> language, IMHO.

Yes, I agree it's not the official Rust way of things. But not providing the option seems quite totalitarian. An example use case might be a company that runs its code on 100,000 servers, and has do so for many years without a hiccup. They realize they could save millions of dollars a year in electricity bill by disabling bounds checking, and that's what they decide to do. At this point they would really like to have that compiler flag.


Reply | Threaded
Open this post in threaded view
|

Compiling with no bounds checking for vectors?

Matthew McPherrin
I think your hypothetical situation of saving millions by disabling
bounds checks is absurd:  To save $10 per machine, assuming $0.20 per
kilowatt-hour, and saving 50 nanojoules per bounds check, you'd need
to be avoiding about 10^14 check.  That's equivalent to avoiding 1
million bounds checks every second.  Even if you had hundreds of CPU
cores running at full processing power, I would posit that there are
bigger problems, and you're probably spending way more power on cache
misses or something.

On Thu, Mar 27, 2014 at 1:42 PM, Tommi <rusty.gates at icloud.com> wrote:

> On 27 Mar 2014, at 22:17, Steve Klabnik <steve at steveklabnik.com> wrote:
>
>>> Why isn't there a compiler flag like 'noboundscheck' which would disable all bounds checking for vectors? It would make it easier to have those language performance benchmarks (which people are bound to make with no bounds checking in C++ at least) be more apples-to-apples comparisons. Also, knowing there's a flag in case you need one would put performance-critical people's mind
>>
>> A flag that removes safety is pretty antithical to the goals of the
>> language, IMHO.
>
> Yes, I agree it's not the official Rust way of things. But not providing the option seems quite totalitarian. An example use case might be a company that runs its code on 100,000 servers, and has do so for many years without a hiccup. They realize they could save millions of dollars a year in electricity bill by disabling bounds checking, and that's what they decide to do. At this point they would really like to have that compiler flag.
>
> _______________________________________________
> Rust-dev mailing list
> Rust-dev at mozilla.org
> https://mail.mozilla.org/listinfo/rust-dev

Reply | Threaded
Open this post in threaded view
|

Compiling with no bounds checking for vectors?

Corey Richardson
In reply to this post by Tommi Tissari
Alternatively, in this future where people are deploying Rust
applications to hundreds of thousands of servers, we could be using
Intel's Memory Protection Extensions for much cheaper bounds checking
etc. Which surely other applications will be using once bounds checks
are nearly free. Rust will still have the advantage of only needing
bounds checking for vectors and not *every* pointer like they are
integrating into GCC.

On Thu, Mar 27, 2014 at 4:42 PM, Tommi <rusty.gates at icloud.com> wrote:

> On 27 Mar 2014, at 22:17, Steve Klabnik <steve at steveklabnik.com> wrote:
>
>>> Why isn't there a compiler flag like 'noboundscheck' which would disable all bounds checking for vectors? It would make it easier to have those language performance benchmarks (which people are bound to make with no bounds checking in C++ at least) be more apples-to-apples comparisons. Also, knowing there's a flag in case you need one would put performance-critical people's mind
>>
>> A flag that removes safety is pretty antithical to the goals of the
>> language, IMHO.
>
> Yes, I agree it's not the official Rust way of things. But not providing the option seems quite totalitarian. An example use case might be a company that runs its code on 100,000 servers, and has do so for many years without a hiccup. They realize they could save millions of dollars a year in electricity bill by disabling bounds checking, and that's what they decide to do. At this point they would really like to have that compiler flag.
>
> _______________________________________________
> Rust-dev mailing list
> Rust-dev at mozilla.org
> https://mail.mozilla.org/listinfo/rust-dev



--
http://octayn.net/

Reply | Threaded
Open this post in threaded view
|

Compiling with no bounds checking for vectors?

Lee Braiden
In reply to this post by Matthew McPherrin
I think the point is that the compiler should not be forcing people to
do things, but enabling people to do things, with sensible defaults.

Personally, whilst I would advocate MORE bounds checking in rust for
debugging / prototyping purposes, I don't think bounds checking is even
ideal.  It's a useful tool WHILST prototyping software, but if you
really want to ensure quality, you do a full QA process, examining all
boundary and corner cases closely.  When that's been done, then bounds
checks become both unnecessary, and inefficient.  No, not massively
unnecessary or inefficient, but unnecessary and inefficient, all the same.


--
Lee


On 27/03/14 23:09, Matthew McPherrin wrote:

> I think your hypothetical situation of saving millions by disabling
> bounds checks is absurd:  To save $10 per machine, assuming $0.20 per
> kilowatt-hour, and saving 50 nanojoules per bounds check, you'd need
> to be avoiding about 10^14 check.  That's equivalent to avoiding 1
> million bounds checks every second.  Even if you had hundreds of CPU
> cores running at full processing power, I would posit that there are
> bigger problems, and you're probably spending way more power on cache
> misses or something.
>
> On Thu, Mar 27, 2014 at 1:42 PM, Tommi <rusty.gates at icloud.com> wrote:
>> On 27 Mar 2014, at 22:17, Steve Klabnik <steve at steveklabnik.com> wrote:
>>
>>>> Why isn't there a compiler flag like 'noboundscheck' which would disable all bounds checking for vectors? It would make it easier to have those language performance benchmarks (which people are bound to make with no bounds checking in C++ at least) be more apples-to-apples comparisons. Also, knowing there's a flag in case you need one would put performance-critical people's mind
>>> A flag that removes safety is pretty antithical to the goals of the
>>> language, IMHO.
>> Yes, I agree it's not the official Rust way of things. But not providing the option seems quite totalitarian. An example use case might be a company that runs its code on 100,000 servers, and has do so for many years without a hiccup. They realize they could save millions of dollars a year in electricity bill by disabling bounds checking, and that's what they decide to do. At this point they would really like to have that compiler flag.
>>
>> _______________________________________________
>> Rust-dev mailing list
>> Rust-dev at mozilla.org
>> https://mail.mozilla.org/listinfo/rust-dev
> _______________________________________________
> Rust-dev mailing list
> Rust-dev at mozilla.org
> https://mail.mozilla.org/listinfo/rust-dev


Reply | Threaded
Open this post in threaded view
|

Compiling with no bounds checking for vectors?

Corey Richardson
It's not about debugging, it's about memory safety. It'd be ridiculous
to disable bounds checking just because you've done QA. How many
security exploits are over- or under-flows?

On Thu, Mar 27, 2014 at 7:16 PM, Lee Braiden <leebraid at gmail.com> wrote:

> I think the point is that the compiler should not be forcing people to do
> things, but enabling people to do things, with sensible defaults.
>
> Personally, whilst I would advocate MORE bounds checking in rust for
> debugging / prototyping purposes, I don't think bounds checking is even
> ideal.  It's a useful tool WHILST prototyping software, but if you really
> want to ensure quality, you do a full QA process, examining all boundary and
> corner cases closely.  When that's been done, then bounds checks become both
> unnecessary, and inefficient.  No, not massively unnecessary or inefficient,
> but unnecessary and inefficient, all the same.
>
>
> --
> Lee
>
>
>
> On 27/03/14 23:09, Matthew McPherrin wrote:
>>
>> I think your hypothetical situation of saving millions by disabling
>> bounds checks is absurd:  To save $10 per machine, assuming $0.20 per
>> kilowatt-hour, and saving 50 nanojoules per bounds check, you'd need
>> to be avoiding about 10^14 check.  That's equivalent to avoiding 1
>> million bounds checks every second.  Even if you had hundreds of CPU
>> cores running at full processing power, I would posit that there are
>> bigger problems, and you're probably spending way more power on cache
>> misses or something.
>>
>> On Thu, Mar 27, 2014 at 1:42 PM, Tommi <rusty.gates at icloud.com> wrote:
>>>
>>> On 27 Mar 2014, at 22:17, Steve Klabnik <steve at steveklabnik.com> wrote:
>>>
>>>>> Why isn't there a compiler flag like 'noboundscheck' which would
>>>>> disable all bounds checking for vectors? It would make it easier to have
>>>>> those language performance benchmarks (which people are bound to make with
>>>>> no bounds checking in C++ at least) be more apples-to-apples comparisons.
>>>>> Also, knowing there's a flag in case you need one would put
>>>>> performance-critical people's mind
>>>>
>>>> A flag that removes safety is pretty antithical to the goals of the
>>>> language, IMHO.
>>>
>>> Yes, I agree it's not the official Rust way of things. But not providing
>>> the option seems quite totalitarian. An example use case might be a company
>>> that runs its code on 100,000 servers, and has do so for many years without
>>> a hiccup. They realize they could save millions of dollars a year in
>>> electricity bill by disabling bounds checking, and that's what they decide
>>> to do. At this point they would really like to have that compiler flag.
>>>
>>> _______________________________________________
>>> Rust-dev mailing list
>>> Rust-dev at mozilla.org
>>> https://mail.mozilla.org/listinfo/rust-dev
>>
>> _______________________________________________
>> Rust-dev mailing list
>> Rust-dev at mozilla.org
>> https://mail.mozilla.org/listinfo/rust-dev
>
>
> _______________________________________________
> Rust-dev mailing list
> Rust-dev at mozilla.org
> https://mail.mozilla.org/listinfo/rust-dev



--
http://octayn.net/

Reply | Threaded
Open this post in threaded view
|

Compiling with no bounds checking for vectors?

Lee Braiden
a) I think Rust is making a mistake by considering boundary checks only
on memory accesses

b) No, it really wouldn't be ridiculous, if you've checked it properly
at a QA stage.  By definition, it's ridiculous to KEEP checking it, once
it's already been checked thoroughly, as a proper QA process would do.


On 27/03/14 23:16, Corey Richardson wrote:

> It's not about debugging, it's about memory safety. It'd be ridiculous
> to disable bounds checking just because you've done QA. How many
> security exploits are over- or under-flows?
>
> On Thu, Mar 27, 2014 at 7:16 PM, Lee Braiden <leebraid at gmail.com> wrote:
>> I think the point is that the compiler should not be forcing people to do
>> things, but enabling people to do things, with sensible defaults.
>>
>> Personally, whilst I would advocate MORE bounds checking in rust for
>> debugging / prototyping purposes, I don't think bounds checking is even
>> ideal.  It's a useful tool WHILST prototyping software, but if you really
>> want to ensure quality, you do a full QA process, examining all boundary and
>> corner cases closely.  When that's been done, then bounds checks become both
>> unnecessary, and inefficient.  No, not massively unnecessary or inefficient,
>> but unnecessary and inefficient, all the same.
>>
>>
>> --
>> Lee
>>
>>
>>
>> On 27/03/14 23:09, Matthew McPherrin wrote:
>>> I think your hypothetical situation of saving millions by disabling
>>> bounds checks is absurd:  To save $10 per machine, assuming $0.20 per
>>> kilowatt-hour, and saving 50 nanojoules per bounds check, you'd need
>>> to be avoiding about 10^14 check.  That's equivalent to avoiding 1
>>> million bounds checks every second.  Even if you had hundreds of CPU
>>> cores running at full processing power, I would posit that there are
>>> bigger problems, and you're probably spending way more power on cache
>>> misses or something.
>>>
>>> On Thu, Mar 27, 2014 at 1:42 PM, Tommi <rusty.gates at icloud.com> wrote:
>>>> On 27 Mar 2014, at 22:17, Steve Klabnik <steve at steveklabnik.com> wrote:
>>>>
>>>>>> Why isn't there a compiler flag like 'noboundscheck' which would
>>>>>> disable all bounds checking for vectors? It would make it easier to have
>>>>>> those language performance benchmarks (which people are bound to make with
>>>>>> no bounds checking in C++ at least) be more apples-to-apples comparisons.
>>>>>> Also, knowing there's a flag in case you need one would put
>>>>>> performance-critical people's mind
>>>>> A flag that removes safety is pretty antithical to the goals of the
>>>>> language, IMHO.
>>>> Yes, I agree it's not the official Rust way of things. But not providing
>>>> the option seems quite totalitarian. An example use case might be a company
>>>> that runs its code on 100,000 servers, and has do so for many years without
>>>> a hiccup. They realize they could save millions of dollars a year in
>>>> electricity bill by disabling bounds checking, and that's what they decide
>>>> to do. At this point they would really like to have that compiler flag.
>>>>
>>>> _______________________________________________
>>>> Rust-dev mailing list
>>>> Rust-dev at mozilla.org
>>>> https://mail.mozilla.org/listinfo/rust-dev
>>> _______________________________________________
>>> Rust-dev mailing list
>>> Rust-dev at mozilla.org
>>> https://mail.mozilla.org/listinfo/rust-dev
>>
>> _______________________________________________
>> Rust-dev mailing list
>> Rust-dev at mozilla.org
>> https://mail.mozilla.org/listinfo/rust-dev
>
>


Reply | Threaded
Open this post in threaded view
|

Compiling with no bounds checking for vectors?

Tony Arcieri
On Thu, Mar 27, 2014 at 4:51 PM, Lee Braiden <leebraid at gmail.com> wrote:

> b) No, it really wouldn't be ridiculous, if you've checked it properly at
> a QA stage.  By definition, it's ridiculous to KEEP checking it, once it's
> already been checked thoroughly, as a proper QA process would do.


I'm not sure what your QA process normally entails, but can it guarantee a
build that is free of errors with *zero margin for failure*?

Anything less is a step back from what Rust currently provides, IMO.

--
Tony Arcieri
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/rust-dev/attachments/20140327/cd3b4945/attachment.html>

Reply | Threaded
Open this post in threaded view
|

Compiling with no bounds checking for vectors?

Daniel Micay
In reply to this post by Lee Braiden
On 27/03/14 07:16 PM, Lee Braiden wrote:

> I think the point is that the compiler should not be forcing people to
> do things, but enabling people to do things, with sensible defaults.
>
> Personally, whilst I would advocate MORE bounds checking in rust for
> debugging / prototyping purposes, I don't think bounds checking is even
> ideal.  It's a useful tool WHILST prototyping software, but if you
> really want to ensure quality, you do a full QA process, examining all
> boundary and corner cases closely.  When that's been done, then bounds
> checks become both unnecessary, and inefficient.  No, not massively
> unnecessary or inefficient, but unnecessary and inefficient, all the same.

You're free to opt-in to non-checked indexing on a case-by-case basis
where you are reasonably sure it is correct. Rust already has the
necessary unsafe indexing support in the standard library.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://mail.mozilla.org/pipermail/rust-dev/attachments/20140327/8489f4de/attachment.sig>

Reply | Threaded
Open this post in threaded view
|

Compiling with no bounds checking for vectors?

Daniel Micay
In reply to this post by Tommi Tissari
On 27/03/14 04:42 PM, Tommi wrote:
>
>> A flag that removes safety is pretty antithical to the goals of the
>> language, IMHO.
>
> Yes, I agree it's not the official Rust way of things. But not providing the option seems quite totalitarian. An example use case might be a company that runs its code on 100,000 servers, and has do so for many years without a hiccup. They realize they could save millions of dollars a year in electricity bill by disabling bounds checking, and that's what they decide to do. At this point they would really like to have that compiler flag.

Rust already provides unchecked indexing. You're free to make use of it
whenever you want. It makes zero sense to disable the bounds checks for
the index operators that are considered safe. What does the unsafe
keyword even mean for a project using that flag? Just because something
is *possible* does not somehow make it "totalitarian" to not support it.
Rust should not add flags creating incompatible dialects of the
language, and that's exactly what this would do.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://mail.mozilla.org/pipermail/rust-dev/attachments/20140327/ed9d7ed0/attachment.sig>

Reply | Threaded
Open this post in threaded view
|

Compiling with no bounds checking for vectors?

Tommi Tissari
Compiling with that flag would figuratively speaking wrap everything inside an unsafe block and then omit vector bounds checking. The flag wouldn't be allowed for library builds.

What I find a bit totalitarian about this situation is that the language forces a decision which the programmer should be allowed to make for himself. A bit like someone dictating my hair style.


> On 28 Mar 2014, at 02:05, Daniel Micay <danielmicay at gmail.com> wrote:
>
>> On 27/03/14 04:42 PM, Tommi wrote:
>>
>>> A flag that removes safety is pretty antithical to the goals of the
>>> language, IMHO.
>>
>> Yes, I agree it's not the official Rust way of things. But not providing the option seems quite totalitarian. An example use case might be a company that runs its code on 100,000 servers, and has do so for many years without a hiccup. They realize they could save millions of dollars a year in electricity bill by disabling bounds checking, and that's what they decide to do. At this point they would really like to have that compiler flag.
>
> Rust already provides unchecked indexing. You're free to make use of it
> whenever you want. It makes zero sense to disable the bounds checks for
> the index operators that are considered safe. What does the unsafe
> keyword even mean for a project using that flag? Just because something
> is *possible* does not somehow make it "totalitarian" to not support it.
> Rust should not add flags creating incompatible dialects of the
> language, and that's exactly what this would do.
>

Reply | Threaded
Open this post in threaded view
|

Compiling with no bounds checking for vectors?

Daniel Micay
On 27/03/14 09:02 PM, Tommi Tissari wrote:
> Compiling with that flag would figuratively speaking wrap everything inside an unsafe block and then omit vector bounds checking. The flag wouldn't be allowed for library builds.
>
> What I find a bit totalitarian about this situation is that the language forces a decision which the programmer should be allowed to make for himself. A bit like someone dictating my hair style.

What would be the meaning in `unsafe` in that new dialect of Rust? We
already lint on redundant unsafe blocks, and *all* unsafe blocks would
be redundant in that case. It might as well just consider everything to
be inside one...

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://mail.mozilla.org/pipermail/rust-dev/attachments/20140327/908f7dca/attachment.sig>

Reply | Threaded
Open this post in threaded view
|

Compiling with no bounds checking for vectors?

Daniel Micay
In reply to this post by Tommi Tissari
On 27/03/14 09:02 PM, Tommi Tissari wrote:
>
> the language forces a decision which the programmer should be allowed to make for himself.

This also isn't true. Rust provides unsafe indexing, and you can opt-in
to using it. It also provides a concept of safety as part of the
language, and I don't see why it should ignore it for bounds checking
while still enforcing a now meaningless separation elsewhere.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://mail.mozilla.org/pipermail/rust-dev/attachments/20140327/64846d5a/attachment.sig>

Reply | Threaded
Open this post in threaded view
|

Compiling with no bounds checking for vectors?

Jeffery Olson
In reply to this post by Tommi Tissari
On Thursday, March 27, 2014, Tommi Tissari <rusty.gates at icloud.com> wrote:

> Compiling with that flag would figuratively speaking wrap everything
> inside an unsafe block and then omit vector bounds checking. The flag
> wouldn't be allowed for library builds.
>
> What I find a bit totalitarian about this situation is that the language
> forces a decision which the programmer should be allowed to make for
> himself. A bit like someone dictating my hair style.


Yes. Rust is just like hair salon that forbids you from setting your own
hair on fire.



>
>
> > On 28 Mar 2014, at 02:05, Daniel Micay <danielmicay at gmail.com<javascript:;>>
> wrote:
> >
> >> On 27/03/14 04:42 PM, Tommi wrote:
> >>
> >>> A flag that removes safety is pretty antithical to the goals of the
> >>> language, IMHO.
> >>
> >> Yes, I agree it's not the official Rust way of things. But not
> providing the option seems quite totalitarian. An example use case might be
> a company that runs its code on 100,000 servers, and has do so for many
> years without a hiccup. They realize they could save millions of dollars a
> year in electricity bill by disabling bounds checking, and that's what they
> decide to do. At this point they would really like to have that compiler
> flag.
> >
> > Rust already provides unchecked indexing. You're free to make use of it
> > whenever you want. It makes zero sense to disable the bounds checks for
> > the index operators that are considered safe. What does the unsafe
> > keyword even mean for a project using that flag? Just because something
> > is *possible* does not somehow make it "totalitarian" to not support it.
> > Rust should not add flags creating incompatible dialects of the
> > language, and that's exactly what this would do.
> >
> _______________________________________________
> Rust-dev mailing list
> Rust-dev at mozilla.org <javascript:;>
> https://mail.mozilla.org/listinfo/rust-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/rust-dev/attachments/20140327/25a49d06/attachment.html>

Reply | Threaded
Open this post in threaded view
|

Compiling with no bounds checking for vectors?

Tommi Tissari
In reply to this post by Daniel Micay
Oh, ok, well in that case I suppose the flag should cause all indexing operations to become their unsafe variants instead, all functions that call those to become unsafe, etc. propagating the unsafety where it's needed to make the code compile.


> On 28 Mar 2014, at 03:15, Daniel Micay <danielmicay at gmail.com> wrote:
>
>> On 27/03/14 09:02 PM, Tommi Tissari wrote:
>> Compiling with that flag would figuratively speaking wrap everything inside an unsafe block and then omit vector bounds checking. The flag wouldn't be allowed for library builds.
>>
>> What I find a bit totalitarian about this situation is that the language forces a decision which the programmer should be allowed to make for himself. A bit like someone dictating my hair style.
>
> What would be the meaning in `unsafe` in that new dialect of Rust? We
> already lint on redundant unsafe blocks, and *all* unsafe blocks would
> be redundant in that case. It might as well just consider everything to
> be inside one...
>

Reply | Threaded
Open this post in threaded view
|

Compiling with no bounds checking for vectors?

Tommi Tissari
In reply to this post by Daniel Micay
Opting in case by case is not the same thing as having a compiler flag which you can toggle without modifying the source.

Perhaps bounds checking is the only safety measure which has runtime penalty? (Not sure about that)  But that would explain why it would be a separate flag.

By the way, D is memory safe (although it's opt-in) and it has this noboundscheck flag. So I don't see what the problem is.

> On 28 Mar 2014, at 03:17, Daniel Micay <danielmicay at gmail.com> wrote:
>
>> On 27/03/14 09:02 PM, Tommi Tissari wrote:
>>
>> the language forces a decision which the programmer should be allowed to make for himself.
>
> This also isn't true. Rust provides unsafe indexing, and you can opt-in
> to using it. It also provides a concept of safety as part of the
> language, and I don't see why it should ignore it for bounds checking
> while still enforcing a now meaningless separation elsewhere.
>

Reply | Threaded
Open this post in threaded view
|

Compiling with no bounds checking for vectors?

Daniel Micay
On 27/03/14 10:04 PM, Tommi Tissari wrote:
> Opting in case by case is not the same thing as having a compiler flag which you can toggle without modifying the source.

A case-by-case basis preserves the safety guarantees of the language and
doesn't introduce a new dialect. It also means you can deal with this on
a case-by-case basis with careful auditing rather than assuming the
entire program is correct. It's not even viewed as *wrong* to do an
out-of-bounds index at the moment - it causes failure, not an abort.

> Perhaps bounds checking is the only safety measure which has runtime penalty? (Not sure about that)  But that would explain why it would be a separate flag.

There's also dynamic borrow checking on RefCell, and many functions
check for integer overflow when it would cause memory unsafety.
Lifetimes permit only a subset of the valid uses for references. Do you
want a flag to turn off lifetime checking too? That would mean 4
language dialects (no_bounds_check, no_bounds_check+no_lifetime_check,
no_lifetime_check, rust). Should the entire test suite (excluding
intentionally changed ones) be run for each supported language subset?
I'm sure we have at least one test checking for bounds-checking failure.

> By the way, D is memory safe (although it's opt-in) and it has this noboundscheck flag. So I don't see what the problem is.

D is *not* memory-safe, with or without the noboundscheck flag... the
flag makes it less memory safe than it already is, of course. If you're
counting the crippled subset of the language available in functions
marked safe, then sure - but that's not anything like Rust.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://mail.mozilla.org/pipermail/rust-dev/attachments/20140327/8d82aa3e/attachment-0001.sig>

Reply | Threaded
Open this post in threaded view
|

Compiling with no bounds checking for vectors?

SiegeLord
In reply to this post by Tommi Tissari
On 03/27/2014 10:04 PM, Tommi Tissari wrote:
> By the way, D is memory safe (although it's opt-in) and it has this noboundscheck flag. So I don't see what the problem is.

Rust takes a very different stance to safety than to D (e.g. making it
safe by default). In the D community my perception was that for any
benchmark written in D it has been the suggestion to turn on that
noboundscheck flag in order to get extra speed, forming a perception
that D is only fast if you turn off this safety feature completely. Not
only is Rust's approach more fine grained (although it is possible to do
unsafe array access in specific locations in D as well), but it also
encourages Rust to be fast /despite/ the safety features.

A big reason for Rusts existence is that it wants to provides C++-level
performance while /at the same time/ providing safety. If the only way a
Rust user can match C++ speed is by using 'unsafe' everywhere, then Rust
will have failed, in my opinion. I didn't look at how the shootout
benchmarks are implemented, but if I had any say, I'd forbid them to use
any unsafe code (except for FFI where absolutely necessary) to prove the
above point.

There are many ways you can avoid bounds checks in safe Rust code. For
example, if you restrict yourself to using iterators instead of indexing
operators, there will be no bounds checks. You can also code up
abstractions (like I did in my matrix library) so that you don't need to
pay the bounds check cost as much as well. I really don't think this is
a real concern.

-SL

Reply | Threaded
Open this post in threaded view
|

Compiling with no bounds checking for vectors?

Tommi Tissari
In reply to this post by Jeffery Olson
On 28 Mar 2014, at 03:41, Jeffery Olson <olson.jeffery at gmail.com> wrote:

>> forces a decision which the programmer should be allowed to make for himself. A bit like someone dictating my hair style.
>  
> Yes. Rust is just like hair salon that forbids you from setting your own hair on fire.
>
>  
> Yes. Rust is just like hair salon that forbids you from setting your own hair on fire.

I rather feel like Rust lets me use only dull scissors so that I don't accidentally cut myself.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/rust-dev/attachments/20140328/7ce41808/attachment.html>

Reply | Threaded
Open this post in threaded view
|

Compiling with no bounds checking for vectors?

Clark Gaebel-2
If you want sharp scissors, use unsafe indexing. You generally don't need
it everywhere, just in your inner loop.

Profile, then optimize. Rust gives you the tools needed to optimize where
things get hot, but we also like safety by default.

  - Clark


On Thu, Mar 27, 2014 at 10:31 PM, Tommi Tissari <rusty.gates at icloud.com>wrote:

> On 28 Mar 2014, at 03:41, Jeffery Olson <olson.jeffery at gmail.com> wrote:
>
> forces a decision which the programmer should be allowed to make for
>> himself. A bit like someone dictating my hair style.
>
>
> Yes. Rust is just like hair salon that forbids you from setting your own
> hair on fire.
>
>
> I rather feel like Rust lets me use only dull scissors so that I don't
> accidentally cut myself.
>
>
> _______________________________________________
> Rust-dev mailing list
> Rust-dev at mozilla.org
> https://mail.mozilla.org/listinfo/rust-dev
>
>


--
Clark.

Key ID     : 0x78099922
Fingerprint: B292 493C 51AE F3AB D016  DD04 E5E3 C36F 5534 F907
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/rust-dev/attachments/20140327/f7e7e495/attachment.html>

1234