
Integer overflow semantics #359

Closed

arielb1 opened this issue Oct 7, 2014 · 3 comments

@arielb1 (Contributor)

arielb1 commented Oct 7, 2014

Currently, the semantics of integer overflow are well-defined in arithmetic operations, are an "undefined value" in shifts, and trigger failure in divisions.

The "undefined value" situation is quite weird – certainly it can't be undefined behaviour (otherwise, `fn main() { 1u<<1000u; }` would be an unsafe program), but it is not defined. The "modular arithmetic" definition of integer overflow is not unsafe, but can harm program analysis. These probably need to be defined before 1.0.

First, intrinsics should be provided for undefined semantics, and for wrapping semantics in case of arithmetic operations. This will allow code that explicitly wants some semantics (e.g. crypto code) to use them via an explicit newtype and impl.

Second, there needs to be a proper decision involving the built-in shift operators (personally, I prefer `(a : uN)<<b` to be `intrinsics::uN_unchecked_shift_right(a, b&((1<<N)-1))` etc. - it's zero-cost on constants, the default on x86, and quite fast on variable-length shifts on other architectures, but this can be discussed).
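For readers coming to this thread today: stable Rust ended up exposing the three behaviours the comment above asks to separate as explicit methods on the integer types (`checked_*`, `wrapping_*`, `overflowing_*`), with the built-in operators panicking on overflow in debug builds and wrapping in release. The block below is an added example, not code from this issue or from the rfcs repository; the names `W32`, `mask_shift`, `shift_semantics`, `add_semantics`, `std_wrapping_sum` and `rotl32` are mine, while the `checked_shl`/`wrapping_shl`/`overflowing_shl` methods and `std::num::Wrapping` are the standard library's. It shows the "explicit newtype and impl" pattern for code that deliberately wants modular semantics, the shift-amount masking by `N-1` that `wrapping_shl` performs (the x86 default), and a rotate built from it of the kind a cipher round function needs.

```rust
// Added example: explicit overflow semantics in current Rust.
// All type and function names here are assumptions for illustration;
// the wrapping_*/checked_*/overflowing_* methods are std.
use std::num::Wrapping;
use std::ops::{Add, Shl};

/// Newtype with two's-complement (modular) arithmetic. This is the
/// "explicit newtype and impl" pattern: code that opts in to wrapping
/// semantics does so in the type, not by relying on the operator default.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct W32(pub u32);

impl Add for W32 {
    type Output = W32;
    /// Addition mod 2^32; never panics, even in debug builds.
    fn add(self, rhs: W32) -> W32 {
        W32(self.0.wrapping_add(rhs.0))
    }
}

impl Shl<u32> for W32 {
    type Output = W32;
    /// Shift amount is masked to the type width (x86 SHL behaviour), so a
    /// shift by 1000 on a u32 shifts by 1000 & 31 == 8 instead of panicking.
    fn shl(self, rhs: u32) -> W32 {
        W32(self.0.wrapping_shl(rhs))
    }
}

/// Mask a shift amount into [0, bits). The mask is bits - 1, which is
/// only a contiguous bit mask when bits is a power of two.
pub fn mask_shift(amount: u32, bits: u32) -> u32 {
    debug_assert!(bits.is_power_of_two(), "mask only valid for power-of-two widths");
    amount & (bits - 1)
}

/// The three defined outcomes for a possibly out-of-range u32 shift:
/// checked -> None, wrapping -> masked shift, overflowing -> (masked, overflowed?).
pub fn shift_semantics(value: u32, amount: u32) -> (Option<u32>, u32, (u32, bool)) {
    (
        value.checked_shl(amount),
        value.wrapping_shl(amount),
        value.overflowing_shl(amount),
    )
}

/// Same three outcomes for addition: checked -> None on overflow,
/// wrapping -> result mod 2^32, overflowing -> (wrapped, overflowed?).
pub fn add_semantics(a: u32, b: u32) -> (Option<u32>, u32, (u32, bool)) {
    (a.checked_add(b), a.wrapping_add(b), a.overflowing_add(b))
}

/// std::num::Wrapping gives the same behaviour as W32 without a hand-written impl.
pub fn std_wrapping_sum(a: u32, b: u32) -> u32 {
    (Wrapping(a) + Wrapping(b)).0
}

/// Rotate-left built from masked shifts, the primitive that cipher and hash
/// round functions need with exactly modular semantics. The amount is masked
/// first so that rotl32(x, 32) == x and the inner shifts stay in range.
pub fn rotl32(x: u32, n: u32) -> u32 {
    let n = mask_shift(n, 32);
    if n == 0 {
        x
    } else {
        (x << n) | (x >> (32 - n))
    }
}

fn main() {
    println!("1u32 shifted by 1000: {:?}", shift_semantics(1, 1000));
    println!("u32::MAX + 1: {:?}", add_semantics(u32::MAX, 1));
    println!("W32(1) << 1000 = {:?}", W32(1) << 1000);
    println!("rotl32(0x80000001, 1) = {:#x}", rotl32(0x8000_0001, 1));
}
```

The point of `mask_shift` is that masking by `bits - 1` (not by `(1 << bits) - 1`, which would be the value mask) is what makes a variable shift both panic-free and cheap: on x86 the hardware already masks the count, so the operation costs nothing extra, while on targets that define over-wide shifts differently the compiler emits a single AND.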

@ben0x539

ben0x539 commented Oct 9, 2014

> otherwise, `fn main() { 1u<<1000u; }` would be an unsafe program

see rust-lang/rust#10183, btw

@pnkfelix (Member)

a lot of this is covered by #560 ; I need to read over the items in the description and in the RFC more carefully to see if they all are covered.

@alexcrichton (Member)

I think that we've since basically covered all the bases here, so closing. Feel free to reopen though if something has slipped through the cracks!
