From 8c51d0f29c76743abf9ba70e92045f7d071ffd98 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fernando=20Jos=C3=A9=20=7C=20=EF=BE=8C=EF=BD=AA=EF=BE=99?= =?UTF-8?q?=EF=BE=85=EF=BE=9D=EF=BE=84=EF=BE=9E=20=EF=BE=8E=EF=BD=BE?= Date: Sat, 29 Mar 2025 15:51:02 +0900 Subject: [PATCH 1/2] Add about overflow-checks flag in release mode --- src/coding-guidelines/types-and-traits.rst | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/src/coding-guidelines/types-and-traits.rst b/src/coding-guidelines/types-and-traits.rst index 8ef1e7e..bd7d590 100644 --- a/src/coding-guidelines/types-and-traits.rst +++ b/src/coding-guidelines/types-and-traits.rst @@ -16,8 +16,8 @@ Types and Traits :scope: module :tags: numerics - Code must not rely on Rust's implicit integer wrapping behavior that occurs in release builds. - Instead, explicitly handle potential overflows using the standard library's checked, + Code must not rely on Rust's implicit integer wrapping behavior that may occur in release + builds. Instead, explicitly handle potential overflows using the standard library's checked, saturating, or wrapping operations. .. rationale:: 
@@ -25,8 +25,12 @@ Types and Traits :status: draft In debug builds, Rust performs runtime checks for integer overflow and will panic if detected. - However, in release builds (with optimizations enabled), integer operations silently wrap - around on overflow, creating potential for silent failures and security vulnerabilities. + However, in release builds (with optimizations enabled), unless the flag overflow-checks is + turned on, integer operations silently wrap around on overflow, creating potential for silent + failures and security vulnerabilities. Note that overflow-checks only brings the default panic + behavior from debug into release builds, avoiding potential silent wrap arounds. Nonetheless, + abrupt program termination is usually not suitable and, therefore, turning this flag on must + not be used as a substitute of explicit handling. Safety-critical software requires consistent and predictable behavior across all build configurations. Explicit handling of potential overflow conditions improves code clarity, From 1b5d74f6742ca9f7449797e97e170c2152b5dc4a Mon Sep 17 00:00:00 2001 From: "Fernando J. Iglesias Garcia" Date: Wed, 30 Apr 2025 11:21:41 +0900 Subject: [PATCH 2/2] Add links --- src/coding-guidelines/types-and-traits.rst | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/src/coding-guidelines/types-and-traits.rst b/src/coding-guidelines/types-and-traits.rst index bd7d590..e44ce28 100644 --- a/src/coding-guidelines/types-and-traits.rst +++ b/src/coding-guidelines/types-and-traits.rst 
@@ -25,12 +25,17 @@ Types and Traits :status: draft In debug builds, Rust performs runtime checks for integer overflow and will panic if detected. - However, in release builds (with optimizations enabled), unless the flag overflow-checks is + However, in release builds (with optimizations enabled), unless the flag `overflow-checks`_ is turned on, integer operations silently wrap around on overflow, creating potential for silent failures and security vulnerabilities. Note that overflow-checks only brings the default panic behavior from debug into release builds, avoiding potential silent wrap arounds. Nonetheless, abrupt program termination is usually not suitable and, therefore, turning this flag on must - not be used as a substitute of explicit handling. + not be used as a substitute of explicit handling. Furthermore, the behavior in release mode is + under consideration by the The Rust Language Design Team and in the future overflow checking + may be turned on by default in release builds (it is a `frequently requested change`_). + + .. _overflow-checks: https://github.com/rust-lang/rust/blob/master/src/doc/rustc/src/codegen-options/index.md#overflow-checks + .. _frequently requested change: https://lang-team.rust-lang.org/frequently-requested-changes.html#numeric-overflow-checking-should-be-on-by-default-even-in-release-mode Safety-critical software requires consistent and predictable behavior across all build configurations. Explicit handling of potential overflow conditions improves code clarity,
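Review bot: In the first hunk of PATCH 1/2 (`@@ -16,8 +16,8`), the guideline still only forbids relying on wrapping, while the rationale added in the same patch says the panic you get with overflow-checks is not acceptable handling either; make the rule match the rationale and forbid depending on the profile's overflow-checks setting in either direction, e.g. "Code must not rely on the overflow behavior selected by the build profile, whether that is wrapping or panicking." The new hedge "that may occur in release builds" is only understandable once the reader reaches the overflow-checks explanation in the rationale; a parenthetical such as "(the default when overflow checks are disabled)" keeps the statement self-contained.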
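Review bot: In the second hunk of PATCH 1/2 (`@@ -25,8 +25,12`), the unchanged first sentence "In debug builds, Rust performs runtime checks for integer overflow" needs the same qualification the release sentence now gets: that behavior is also just a profile default (Cargo's dev profile sets `overflow-checks = true` and a project can turn it off), so say "by default" in both places. The text refers to "the flag overflow-checks" without saying where it is set; name the two forms a reader will actually use, the Cargo profile key `overflow-checks = true` under `[profile.release]` and the rustc codegen option `-C overflow-checks`. Wording: "a substitute of explicit handling" should be "a substitute for explicit handling", and "wrap arounds" is one word, "wraparounds".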
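Review bot: In the hunk of PATCH 2/2 (`@@ -25,12 +25,17`), "by the The Rust Language Design Team" duplicates "the". The `overflow-checks` target points at a source file on the `master` branch of the rust-lang/rust repository (`src/doc/rustc/src/codegen-options/index.md`), which breaks whenever that file moves; link the rendered rustc book instead, https://doc.rust-lang.org/rustc/codegen-options/index.html#overflow-checks. The sentence "in the future overflow checking may be turned on by default in release builds" states a plan on the lang team's behalf, but the linked page is the team's list of frequently requested changes; phrase this as a recurring request ("enabling overflow checks by default in release builds is a frequently requested change") and let the link carry the team's position. The two `.. _...:` hyperlink targets sit inside the `rationale` directive body; docutils accepts that as long as they keep the directive's indentation, but placing them at the end of the file keeps the rationale prose readable in the raw source.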