idea: postfix pointer-dereference operator #10011
Comments
I am interested, could you elaborate on this? |
|
Rich Hickey points out in http://www.infoq.com/presentations/Simple-Made-Easy that all bugs in shipped software got past the type checker and the unit tests. Automatic array bounds checks and other run-time checks limit the damage of some additional problems. Security holes are bugs that are exploitable. They could come about due to memory safety problems, trusting externally-supplied data, numeric overflow, underlying OS and network flaws, etc. Something I learned in an IEEE Reliability Society talk is the path to reliability is eliminating as many failure modes as possible. Their example was automotive: Rather than diddle with the probability of A/C hoses rusting out, just use a material that doesn't corrode. |
|
I'd like to see a Rust example where this is actually a possibility. Between autoderef and the type checker, I'm not sure if it's possible to introduce an actual bug. I mean, sure, there probably is some case, but I can't think of one that is caused purely by operator precedence mistakes. If you do I'm closing this as unproductive, with no obvious advantage beyond "don't have to worry about operator precedence in this one case where it probably doesn't matter anyway", I can't see this happening. If you can provide a compelling example, this issue can be re-opened. |
|
Fair enough. [ I don't have a compelling example, and consistent use of autoderef avoids the problem. Maybe if "Closed" is fine. Sorry for the digression. |
Yes |
…dnet Fix test function checker in `unwrap_used`, `expect_used` After rust-lang#9686 , `unwrap` and `expect` in integration tests and raw test functions won't be allowed. fixes rust-lang#10011 fixes rust-lang#10238 fixes rust-lang#10264 --- changelog: Fix: [`expect_used`], [`unwrap_used`], [`dbg_macro`], [`print_stdout`], [`print_stderr`]: No longer lint in test functions, if the related configuration is set [rust-lang#10391](rust-lang/rust-clippy#10391) <!-- changelog_checked -->
This is something of a wild idea: Use a postfix operator to dereference a pointer (as in Pascal) for fewer mistakes:
(*rect).area()becomesrect~.area()That reads left-to-right with nary a precedence mistake.
Although Rust’s auto-dereference feature and type checker will sometimes catch the mistaken
*rect.area(), it's good to just fix the failure mode. (All security holes in the field got past the type checker and the unit tests.)The disadvantages are (1) the changeover work, and (2) being different than C/C++. C defined it that way to reuse the expression parser to help fit the compiler on a 16-bit CPU.
David Piepgrass points out that if pointer dereference were a suffix operator, it would have to be changed from * to (e.g.) ~. Why? Because if
foo*means "dereference foo" then it becomes ambiguous whetherfoo * - barmeans(foo*)-bar"dereference foo and subtract bar" orfoo*(-bar)"multiply foo by negated bar". Due to this ambiguity, it is difficult for a language to simultaneously haveTo avoid the ambiguity, one can introduce an operator like ~ that is prefix or suffix but never infix.
The text was updated successfully, but these errors were encountered: