Comment by scott_w

9 days ago

Not really because it's not possible for SQLite written in Rust to pass SQLite's checks. See https://www.sqlite.org/whyc.html

9 comments

scott_w

jodrellblank 9 days ago

That doesn't seem to support your claim; guessing you mean:

> "2. Safe languages insert additional machine branches to do things like verify that array accesses are in-bounds. In correct code, those branches are never taken. That means that the machine code cannot be 100% branch tested, which is an important component of SQLite's quality strategy."

'Safe' languages don't need to do that, if they can verify the array access is always in bounds at compile time then they don't need to emit any code to check it. That aside, it seems like they are saying:

    for (int i=0; i<10; i++) {
        foo(array[i]);
    }

in C might become the equivalent of:

    for (int i=0; i<10; i++) {
        if (i >= array_lower && i < array_higher) {
            foo(array[i]);
        } else {
            ??? // out of bounds, should never happen
        }
    }

in a 'safe' language, and i will always be in inside the array bounds so there is no way to test the 'else' branch?

But that can't be in SQLite's checks as you claim, because the C code does not have a branch there to test?

Either way it seems hard to argue that a bounds test which can never fail makes the code less reliable and less trustworthy than the same code without a bounds test, using the argument that "you can't test the code path where the bounds check which can never fail, fails" - because you can use that same argument "what if the C code for array access which is correct, sometimes doesn't run correctly, you can't test for that"?

scott_w 9 days ago
Correct, that's what I mean. I trust SQLite's devs to know more about this, so I trust what they wrote. There are parts of Rust code that are basically:
do_thing().expect(...);
This branch is required by the code, even if it can't be reached, because the type system requires it. It's not possible to test this branch, therefore 100% coverage is impossible in those cases.
- viraptor 9 days ago
  
  You normally count/test branches at the original language level, not the compiled one. Otherwise we'd get VERY silly results like:
  - counting foo().except() as 2 branches
  - counting a simple loop as a missed branch, because it got unrolled and you didn't test it with 7,6,5,4,3,2,1 items
  - failing on unused straight implementation of memcpy because your CPU supports SIMD and chose that alternative
  Etc. The compiled version will be full of code you'll never run regardless of language.
  
  4 replies →
- Philpax 9 days ago
  
  The type system does not require that. You can just discard the result:
  let _ = do_thing();
  
  1 reply →