C++ vs Rust vs Go?

Posted Jun 11, 2016 4:27 UTC (Sat) by cryptoknight (guest, #108170)
In reply to: C++ vs Rust vs Go? by josh
Parent article: Grover: Why Rust for Low-level Linux programming?

Actually, the subset of C++14 that most people will want to use and the guidelines for its safe use are already well on their way to being defined, thanks to the original creator of C++ and several other well known members of the Modern C++ community: http://isocpp.github.io/CppCoreGuidelines/CppCoreGuidelines

By following the guidelines, which can be verified statically at compile time, the same kind of safeties provided by Rust can be had from C++, and with less annotation effort. Or so they claim, at least. I've not had much experience with using them yet (or Rust for that matter) but am eagerly looking forward to applying them to my next project.

C++ vs Rust vs Go?

Posted Jun 11, 2016 4:47 UTC (Sat) by viro (subscriber, #7872) [Link] (1 responses)

Umm... According to you, those guidelines "can be verified statically at compile time, the same kind of safeties provided by Rust can be had from C++". OTOH, according to Stroustrup et.al., right on the page you are refering to, "The sets of rules have not been thoroughly checked for completeness, consistency, or enforceability". Both are direct quotes, and no offense, but I suspect that the authors of those guidelines have better idea concerning their state...

IOW, it sounds interesting, but you seem to be seriously overselling that.

C++ vs Rust vs Go?

Posted Jun 11, 2016 7:36 UTC (Sat) by cryptoknight (guest, #108170) [Link]

As I said, I don't have much experience with the guidelines personally yet, but the section you quoted sounds like a pretty standard disclaimer for a work in progress. My statements concerning safety guarantees mainly come from watching the CppCon 2015 presentations from Bjarne Stroustrup and Herb Sutter where the guidelines effort was first announced. The safety guarantees provided by the guidelines were the main topic of those talks, and they were compared directly to those provided by Rust. Given the circumstances, of course, it is certainly possible that the authors/speakers were doing a bit of selling of their own. Also, both the Visual Studio and Clang teams have begun implementing checkers for the guidelines. So, while they may not be complete or 100% foolproof yet, they seem to be heading in a worthwhile direction.

C++ vs Rust vs Go?

Posted Jun 11, 2016 11:53 UTC (Sat) by roc (subscriber, #30627) [Link] (1 responses)

The promise "the same kind of safeties provided by Rust can be had from C++, and with less annotation effort" is vapourware until a complete set of static checking rules is published, along with an argument that enforcing those rules guarantees safety.

I'm skeptical it can be done at all. Their approach is based on requiring use of unique_ptr and shared_ptr and disallowing unchecked casts and array access, but that's nowhere near enough. Consider for example
unique_ptr<int> p;
void f1(int& foo) { p = nullptr; foo = 7; }
void f2() { f1(*p); }
The basic problem here is multiple aliases to the same data. Rust *and its libraries* were designed from the ground up to control aliasing (including features like lifetime parameters that C++ doesn't have). The last I saw of the CppCon proposal, the authors were just invoking the panacea of "alias analysis" to catch such errors without explaining how that will work. I wrote a PhD thesis on alias analysis and trust me, it's no panacea.

Even if such static checking rules and a soundness argument are eventually published, the question remains whether the subset of C++ allowed by the rules looks anything like actual C++ code. For example if the solution to the above problem is to disallow use of references, that would be crippling and I would argue that subset of C++ is not useful.

C++ vs Rust vs Go?

Posted Jun 30, 2016 22:40 UTC (Thu) by mcortese (guest, #52099) [Link]

Isn't this example violating the guidelines itself, by using a mutable global? I assume that a possible static checker would emit a warning against rule I.2 of the guidelines.

C++ vs Rust vs Go?

Posted Jun 11, 2016 15:29 UTC (Sat) by sourcejedi (guest, #45153) [Link]

No. I don't believe they have, or will do.

Safe Rust provides memory safety even with threads, because it also provides thread safety. But outside of threading, it fixes the iterator invalidation problem. Which has caused real security flaws in Firefox. Iteration invalidation is still on the TODO list for the C++ guidelines.

It's not possible to prevent iterator invalidation without run-time checks, when you allow mutable aliases. An aliased reference to the container can invalidate the iterator.

Rust just bans mutable aliases. You can't share a mutable reference to an object (shared_ptr). Within a shared object graph, if you want mutability you have to wrap types with RefCell. It allows one, and only one, mutable reference to be created. This is a run-time check.

I mean, I'm sure there are ways to retrofit alias checking to C++. But the C++ people haven't said _anything_ about it, they're just treating shared_ptr as safe. Because it's a massive break, foreign to both C++ _and_ the widespread safe languages such as those used by their employer.

The safe languages rely on run-time checks in the iterator (garbage collection probably helps make it easier as well).

You can't just safety-check C++ iterators because the same applies to any reference.

struct A {
unique_ptr<B> b;
};

A& f(A& a1, A& a2)
{
a1->b = make_ptr(b());
return a2->b; /* returns dangling reference if &a1==&a2 */
}