yggdrasil/ring
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add note about casting to STYLE.md.

Browse Source
This commit is contained in:
Brian Smith 2016-02-22 09:30:40 -10:00
parent 063985413e
commit fb9931b576
1 changed files with 54 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
STYLE.md
View File

@ -13,6 +13,60 @@ When creating a slice from the start of a indexable value, use `x[..n]`, not
`x[0..n]`. Similarly, use `x[n..]`, not `x[n..x.len()]` for creating a slice
from a specific point to the end of the value.
## Casting (`as`) and Conversions.
Avoid using the `as` operator. When using `as` seems necessary, see if there is
already a safer function for doing the conversion in
[ring::polyfill](src/polyfill.rs). If not, add one to `ring::polyfill`.
The C code generally uses the C `int` type as a return value, where 1 indicates
success and 0 indicates failure. Sometimes the C code has functions that return
pointers, and a NULL pointer indicates failure. The module
[ring::bssl](src/bssl.rs) contains some utilities for mapping these return
values to `Result<(), ()>` and Result<*mut T, ()>, respectively. They should be
used as in the following example (note the placement of `unsafe`):
```rust
fn foo() -> Result<(), ()> {
try!(bssl::map_result(unsafe {
unsafe_fn2(when, the, entire, thing, does, not, fit, on, a, single,
line)
}));
try!(bssl::map_result(unsafe {
unsafe_fn1() // Use the same style even when the call fits on one line.
}));
let ptr = try!(bssl::map_ptr_result(unsafe {
unsafe_fn_returning_pointer()
}));
// The return value of `foo` will be the mapped result of calling
// `unsafe_fn3`.
bssl::map_result(unsafe {
unsafe_fn3()
})
}
```
## Arithmetic and Overflows
In general, prefer using unsigned types over signed types, and prefer using
checked arithmetic (e.g. `x.checked_add(y)`, `x.checked_mul(y)`, etc.) over
unchecked arithmetic. Prefer using checked arithmetic over explicit bounds
checks. Example:
```rust
fn good_example(a: u64, b: u64) -> Result<u64, ()> {
let n = a.checked_add(b).ok_or(());
}
fn bad_example(a: u64, b: u64) -> Result<u64, ()> {
if (usize::max_value() - a > b) {
return Err(())
}
a + b
}
```
## Unsafe
In general, avoid using `unsafe` whenever it is practical to do so. The *ring*