|
|
Subscribe / Log in / New account

Bjarne Stroustrup’s Plan for Bringing Safety to C++ (The New Stack)

Bjarne Stroustrup’s Plan for Bringing Safety to C++ (The New Stack)

Posted Nov 1, 2023 1:08 UTC (Wed) by rahulsundaram (subscriber, #21946)
In reply to: Bjarne Stroustrup’s Plan for Bringing Safety to C++ (The New Stack) by IanKelling
Parent article: Bjarne Stroustrup’s Plan for Bringing Safety to C++ (The New Stack)

> "powers" are not the same thing as "features" that I and the parent commenter were talking about.

Neither you or the parent has listed what specific features in Rust you are calling unsafe. Can you elaborate?

to post comments

Bjarne Stroustrup’s Plan for Bringing Safety to C++ (The New Stack)

Posted Nov 1, 2023 3:57 UTC (Wed) by IanKelling (subscriber, #89418) [Link] (10 responses)

It isn't that hard to figure out, the top parent said string_view and ranges. I don't know C++, but I looked them up and they are both standard library functions, well, really each is a set of a dozen a few dozen. I'm not sure which ones specifically are unsafe, but it doesn't matter for this specific discussion. Okay, so I just cloned rust, went into a standard library folder, stdarch, grep -r 'pub unsafe fn' | wc -l: 9519. Ok, lets go back a bit, git log --before 2020-01-01, checkout that commit, grep -r 'unsafe fn' | wc -l: 2064. Ok, so a standard library in rust implemented 7455 unsafe functions in the last 2.9 years.

I'm not trying to draw any big conclusions about any language, but the argument presented was: "C++ this days give even more ways to produce subtle memory safety bugs with things likes ranges and string_view. So I do not understand why Bjarne continues to believe that C++ can be fixed", and also a reference to 8 years time. I've barely written a line of rust or C++, but I'm pretty confident that does not make sense.

Bjarne Stroustrup’s Plan for Bringing Safety to C++ (The New Stack)

Posted Nov 1, 2023 10:25 UTC (Wed) by excors (subscriber, #95769) [Link] (2 responses)

Rust's std::arch is mostly SIMD intrinsics, and its whole public API is marked `unsafe` because it's a low-level library that doesn't automatically check if the CPU supports a given SIMD instruction before calling it (and if not supported it will simply crash; it's not a memory safety problem). Regular programmers should rarely use std::arch directly - you'll almost always rely on auto-vectorisation for SIMD, and if not then use something higher-level like std::simd or the `wide` crate, which provide a safe API (based on compile-time flags stating what instructions the target CPU supports; preventing installation on an unsupported CPU is outside Rust's scope). If you really want to use std::arch, you'll have to call it in `unsafe {...}` blocks, which are a big sign that it needs careful code review.

C++'s std::string_view is designed to be used directly by regular programmers. It's basically a `struct { const char *s; size_t len; }` and its purpose is to replace std::string in situations where you don't want to memcpy the string, for performance. Unlike Rust's `unsafe` APIs, it doesn't do anything to make itself look unusually scary or dangerous. Yet it invites subtle memory safety bugs in trivial cases like:

std::string s = "Undefined";
std::string_view sv = s + "behaviour\n";
std::cout << sv;

(which creates a view of a temporary string, then destroys the temporary, then prints it).

I don't think those are even slightly equivalent situations.

Bjarne Stroustrup’s Plan for Bringing Safety to C++ (The New Stack)

Posted Nov 2, 2023 9:47 UTC (Thu) by adobriyan (subscriber, #30858) [Link] (1 responses)

Example is bad: why are you creating string_view only to print it when you can print the string (original and temporary):

std::string s = "Undefined";
std::cout << (s + "behaviour\n");

I think it is even guaranteed that temporary will outlive "operator<<".

Bjarne Stroustrup’s Plan for Bringing Safety to C++ (The New Stack)

Posted Nov 2, 2023 19:07 UTC (Thu) by roc (subscriber, #30627) [Link]

The example is a little unnatural, but there are very similar examples that are more natural, e.g. using 'sv' twice.

Bjarne Stroustrup’s Plan for Bringing Safety to C++ (The New Stack)

Posted Nov 1, 2023 10:41 UTC (Wed) by mb (subscriber, #50428) [Link] (6 responses)

>Ok, so a standard library in rust implemented 7455 unsafe functions in the last 2.9 years.

And that's actually a good thing. It improves memory safety.

The majority of unsafe interfaces are eventually wrapped in safe interfaces.
That is how Rust works.
The programmer almost never comes in contact with unsafe interfaces. Even on embedded systems it's really rare to have unsafe blocks.
And that is *because* all these unsafe blocks exist in core, std or other special wrapper crates that take care of providing a safe interface.
It's just that if you *don't* have such a safe wrapper with unsafe internals in std/core or somewhere else, then you have to make your own. That is the risky and hard part.

Writing unsafe code in Rust is hard. It is much harder than writing C or C++ code.
Because you must take care of all the checks and things you know from C/C++ and in addition to that you have to ensure that the safe interface to your code can never trigger UB.
Therefore, it's a good thing to have this hard to write code in central places like core/std. The more unsafe code there is in core/std, the less unsafe code there is in the applications.

Bjarne Stroustrup’s Plan for Bringing Safety to C++ (The New Stack)

Posted Nov 1, 2023 11:26 UTC (Wed) by farnz (subscriber, #17727) [Link] (5 responses)

To nitpick ever so slightly; writing unsafe code in Rust is no harder than writing safe C or C++ code. The difficulty is that the Rust community expects that you will write safe code, whereas the C and C++ communities understand that all code is unsafe, and accept the risks inherent in this.

Bjarne Stroustrup’s Plan for Bringing Safety to C++ (The New Stack)

Posted Nov 1, 2023 16:35 UTC (Wed) by smurf (subscriber, #17840) [Link]

> and accept the risks inherent in this.

s/accept/ignores/. Or worse.

Bjarne Stroustrup’s Plan for Bringing Safety to C++ (The New Stack)

Posted Nov 2, 2023 19:09 UTC (Thu) by roc (subscriber, #30627) [Link]

Writing unsafe code in Rust *is* harder than writing safe C and C++ code, because the aliasing rules you must follow are more complicated (and not even fully defined yet, although clear enough that it's possible to write code that is definitely OK).

This is OK for everyone who has to write little or no unsafe Rust code, which is almost everyone.

Bjarne Stroustrup’s Plan for Bringing Safety to C++ (The New Stack)

Posted Nov 2, 2023 19:22 UTC (Thu) by khim (subscriber, #9252) [Link] (2 responses)

> writing unsafe code in Rust is no harder than writing safe C or C++ code.

It's actually much harder but for social, not technical, reason and for very good reason.

In C/C++ it's Ok to write some piece of code and only document some “happy and nice” way to use said code. Corner cases, that invariably exist, are left as an exercise for the future generations.

In Rust you have to think about use of your code which C/C++ developers would just declare “you are holding it wrong” case.

One simple example: std::stable_sort and Vec::sort_by.

What happens if comparison function actually changes elements? In Rust that's compile-time error if interior mutability is not in use (the majority of cases) or “random permutation in output” (if it's in use) in C++ that's UB…

What happens if comparison function is not generating total order? In Rust that's some “random permutation in output”, in C++ that UB…

Thus yes, writing unsafe is much harder than in C++… but for very good reason.

Bjarne Stroustrup’s Plan for Bringing Safety to C++ (The New Stack)

Posted Nov 3, 2023 11:14 UTC (Fri) by farnz (subscriber, #17727) [Link] (1 responses)

See, I would say that if you document the "happy and nice" way to use said code, you've not written safe C or C++; you've written unsafe C or C++ and documented the preconditions that apply. If you're actually writing safe C or C++, in the same sense as "safe Rust", then it becomes as hard to write as unsafe Rust, because you're aiming to uphold the same guarantees as Rust requires.

Bjarne Stroustrup’s Plan for Bringing Safety to C++ (The New Stack)

Posted Nov 3, 2023 16:43 UTC (Fri) by khim (subscriber, #9252) [Link]

> If you're actually writing safe C or C++, in the same sense as "safe Rust", then it becomes as hard to write as unsafe Rust, because you're aiming to uphold the same guarantees as Rust requires.

If you try to write code in C or C++ that is “safe in the same sense as “safe Rust”” then you immediately hit the wall: language rules are perfectly Ok with pointers being uninitialized and references that are pointing to memory which is not yet a valid object, but touching them is instant UB thus, practically speaking, you always have some preconditions in addition to what compiler requires.

Which preconditions are are Ok for “safe C/C++” and which are not Ok for “safe C/C++” is always subject for massive debate and different, perfectly reasonable, people disagree on that subject often.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds