100 points by todsacerdoti 3 days ago | 41 comments
Animats 3 days ago
The idea here is simply that if the whole call tree can be examined, rather than only looking at one module at a time, less annotation is needed. That's reasonable enough, although it may result in long compile times.
What I don't see here is:
- How are circular references handled?
- C++ objects implicitly have links from parent to child and child to parent. So there's built-in circularity. How does that work?
- What about interior mutability?
Examining the whole call tree is useful. It allows catching mutex deadlocks where a thread locks against itself and stalls. It may also make it possible to replace Rust's RefCell with something, perhaps a "SafeCell", that supports the same .borrow() and .borrow_mut() operations but checks them at compile time for overlapping borrow scopes.
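A minimal Rust sketch of what that would buy (the "SafeCell" name is hypothetical; this shows only what RefCell defers to run time):

    use std::cell::RefCell;

    fn main() {
        let cell = RefCell::new(0);

        // Non-overlapping borrows are fine.
        *cell.borrow_mut() += 1;
        println!("{}", cell.borrow());

        // Overlapping borrow scopes are caught only at run time:
        let reader = cell.borrow();
        let writer = cell.borrow_mut(); // panics: already borrowed
        let _ = (reader, writer);
    }

A compile-time "SafeCell" would have to reject the second pair of borrows statically instead of panicking.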
aw1621107 3 days ago
My (high-level) understanding is that this is a response to some feedback [1, 2] to the author's previous paper [0] which (very generally speaking) adds some Rust-like systems/semantics to C++ to achieve memory safety. Some commenters voiced disapproval of the need for lifetime annotations and expressed a desire to find a solution that doesn't require them. I think this paper is an exploration of that idea to see what can be achieved without lifetime annotations.
[0]: https://www.open-std.org/jtc1/sc22/wg21/docs/papers/2024/p34...
[1]: https://old.reddit.com/r/cpp/comments/1ffgz49/safe_c_languag...
[2]: https://old.reddit.com/r/cpp/comments/1fiuhb7/the_empire_of_...
j16sdiz 3 days ago
Can you elaborate? In my understanding, the parent/child relation is on the class, not the object itself.
Animats 3 days ago
Back references are really hard in Rust. You can do them with Rc, RefCell, and Weak, but there's a lot of run-time checking involved. More static analysis could eliminate most of that run-time checking. .borrow(), .borrow_mut(), and .upgrade().unwrap() panic if they ever fail. So you really want to prove they can't fail. If you can do that, you don't need the run-time checks. In that direction lies the solution to Rust's limited data structure problems.
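A minimal sketch of the pattern in today's Rust (plain standard library, nothing from the paper), with the run-time checks marked:

    use std::cell::RefCell;
    use std::rc::{Rc, Weak};

    struct Parent {
        children: RefCell<Vec<Rc<Child>>>,
    }

    struct Child {
        parent: Weak<Parent>, // back reference; Weak avoids an Rc cycle
    }

    fn main() {
        let parent = Rc::new(Parent { children: RefCell::new(Vec::new()) });
        let child = Rc::new(Child { parent: Rc::downgrade(&parent) });
        parent.children.borrow_mut().push(Rc::clone(&child));

        // Each of these is a run-time check that can panic:
        let p = child.parent.upgrade().unwrap(); // fails if parent was dropped
        let n = p.children.borrow().len();       // fails on overlapping borrows
        println!("{n} child(ren)");
    }

Static analysis that proved the parent outlives the child, and that the borrows never overlap, could in principle compile both checks away.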
gpderetta 2 days ago
https://godbolt.org/z/MKx6oTE63
I can't recite chapter and verse, but I'm pretty sure that's mandated by the standard, and it mirrors the behaviour in the constructor. Or did you mean something else?
einpoklum 2 days ago
Just remember that WG21 papers are their authors' positions/claims, not the committee's or the community's, unless accepted. I think, or rather hope, that this one will not be accepted.
fallingsquirrel 3 days ago
It seems like this proposal just chooses a general set of constraints and forces it everywhere? Under these rules you couldn't, e.g., have a regex object with a match method that takes a string and returns a reference into that same string. Seems too limiting to be practical.
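For contrast, a minimal sketch of that pattern in today's Rust, where one lifetime annotation expresses it (Matcher and find are made-up names for illustration):

    struct Matcher; // stand-in for a compiled regex

    impl Matcher {
        // The returned slice borrows from 'haystack', not from 'self'.
        // Without the explicit 'a, lifetime elision would tie the result
        // to &self, which is roughly the conservative assumption an
        // annotation-free analysis has to make.
        fn find<'a>(&self, haystack: &'a str) -> Option<&'a str> {
            haystack.get(0..1) // stand-in for real matching logic
        }
    }

    fn main() {
        let m = Matcher;
        let text = String::from("hello");
        let hit = m.find(&text);
        drop(m); // fine: 'hit' borrows from 'text', not from 'm'
        println!("{hit:?}");
    }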
ndesaulniers 3 days ago
> Explain the infeasibility of making legacy lvalue- and rvalue-references memory safe.
> Relocation must replace move semantics
He advocates for adding lots of things to the language, but that point is a massive change to the language IMO. I definitely think move semantics are awful, and the hierarchy of rvalues (xvalues and prvalues) is nuts, but at this point can they be removed from the language? Or do I misinterpret the point? Perhaps this is different between unsafe blocks and default-safe blocks?
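For readers unfamiliar with the distinction, a minimal Rust sketch of what "relocation" (destructive move) means in practice: the source binding is statically dead after the move, so there is no moved-from state to observe, unlike a C++ moved-from object:

    struct Buffer {
        data: Vec<u8>,
    }

    fn consume(buf: Buffer) {
        println!("{} bytes", buf.data.len());
    } // buf is dropped here, exactly once

    fn main() {
        let b = Buffer { data: vec![1, 2, 3] };
        consume(b); // ownership relocates into 'consume'

        // 'b' no longer exists; the compiler rejects any further use:
        // consume(b); // error[E0382]: use of moved value: `b`
    }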
pjmlp 3 days ago
Most folks at WG21 think profiles will magically solve the problem, even though many of the ideas exist only on paper, not in any C++ compiler.
The biggest issue is that while a language like Ada also has profiles, the safety culture is very different, and profiles have been part of the ecosystem since Ada 83, not something that was added later.
jeffreygoesto 3 days ago
Trying to keep legacy code alive through compatibility introduces more than two languages in one, as all the combinations must be understood as well. Wrapping legacy code into bigger "unsafe" blocks and guarding the perimeter of those blocks is not a bad idea; it creates less of a mix to reason about.
Would allowing only safe references in safe code really hinder adoption?
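A minimal sketch of that guarded-perimeter idea, using Rust's unsafe blocks as the analogy (legacy_sum is a made-up stand-in for legacy code):

    // Pretend this is legacy code exposing a raw pointer interface.
    unsafe fn legacy_sum(ptr: *const u8, len: usize) -> u64 {
        let mut total = 0u64;
        for i in 0..len {
            let byte = unsafe { *ptr.add(i) }; // SAFETY: caller promises ptr/len are valid
            total += u64::from(byte);
        }
        total
    }

    // The guarded perimeter: the slice type guarantees that the
    // pointer/length pair handed to the legacy code is valid,
    // so callers never leave safe code.
    fn safe_sum(data: &[u8]) -> u64 {
        unsafe { legacy_sum(data.as_ptr(), data.len()) }
    }

    fn main() {
        println!("{}", safe_sum(&[1, 2, 3])); // prints 6
    }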
pjmlp 3 days ago
See "Product Security Bad Practices" from CISA and FBI, published last week.
https://www.cisa.gov/resources-tools/resources/product-secur...
=> "Software manufacturers should build products in a manner that systematically prevents the introduction of memory safety vulnerabilities, such as by using a memory safe language or hardware capabilities that prevent memory safety vulnerabilities. Additionally, software manufacturers should publish a memory safety roadmap by January 1, 2026."
rfoo 2 days ago
Heh, now I do believe that my partially-memory-corruption-based side job may be in danger. If it were just "by using a memory safe language" I wouldn't care, but if they want to push hardware-assisted mitigations (better and ubiquitous memory tagging, etc.) it's going to have a significant impact.
pjmlp 2 days ago
"A consequence of this principle is that every occurrence of every subscript of every subscripted variable was on every occasion checked at run time against both the upper and the lower declared bounds of the array. Many years later we asked our customers whether they wished us to provide an option to switch off these checks in the interests of efficiency on production runs. Unanimously, they urged us not to--they already knew how frequently subscript errors occur on production runs where failure to detect them could be disastrous. I note with fear and horror that even in 1980 language designers and users have not learned this lesson. In any respectable branch of engineering, failure to observe such elementary precautions would have long been against the law."
-- C.A.R. Hoare, "The 1980 ACM Turing Award Lecture"
It is only taking a couple of decades to get there.
By the way I know you already are aware of this, more for those that don't.
gpderetta 2 days ago
I don't know how to break it to you, but the Eighties were 40 years ago :(
In any case, I was wondering whether Hoare, in addition to bounds checking, felt as strongly about so-called temporal safety, but his words are unambiguous: he is not just rejecting any form of Undefined Behaviour, he wants anything that passes static checking to have useful, valid semantics, reminiscent of the "well-typed programs can't go wrong" maxim.
pjmlp 2 days ago
That maxim is usually the approach to UB in sane systems languages: it literally means undefined and that is it, possibly with traps or similar enabled by default.
It isn't a wildcard permitting any kind of optimisation, aka "please go wild, dear optimiser".
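As a concrete illustration of the difference, here is what the sane default looks like in Rust, where integer overflow traps or wraps rather than licensing the optimiser:

    fn main() {
        let x: i32 = i32::MAX;

        // `x + 1` would panic in debug builds (overflow trap, on by
        // default) and wrap in release builds; both outcomes are defined,
        // so the optimiser may not assume overflow "cannot happen".

        assert_eq!(x.checked_add(1), None);      // failure becomes a value
        assert_eq!(x.wrapping_add(1), i32::MIN); // explicit, defined wraparound
        println!("ok");
    }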
pjmlp 2 days ago
Except that back then it mostly failed: compiler prices were adjusted to government-level contracts; the few UNIX vendors like Sun that sold such compilers offered them as an extra, not as part of the regular UNIX SDK; and the hardware needed to run modern Ada compilers was expensive (Rational started as an Ada machine company). So Ada was dropped as a requirement, and we got things like JPL, MISRA, AUTOSAR, and F-35 C++ (what a success that one was) instead, which allowed cheaper development with guardrails.
Now that exploits have money placed on them, with CVEs to fix, fixes to push into devices, and insurers paying for downtime, the governments and companies burning that money have reached the conclusion that software is critical infrastructure and must be dealt with accordingly, like everything else that is critical in modern societies.
This is not going to be Ada all over again, as much as some folks wish for it.