Bjarne Stroustrup’s Plan for Bringing Safety to C++ (The New Stack)
Posted Nov 1, 2023 10:35 UTC (Wed) by farnz (subscriber, #17727)
In reply to: Bjarne Stroustrup’s Plan for Bringing Safety to C++ (The New Stack) by vadim
Parent article: Bjarne Stroustrup’s Plan for Bringing Safety to C++ (The New Stack)
Converting your existing code to Rust in one go is definitely a tall order; but using something like cxx.rs to allow a gradual conversion to Rust is entirely practical. It makes it a lot like the codebases I've worked on that mix FORTRAN 77 with C++03 and Python - there's the legacy FORTRAN 77, which isn't worth rewriting yet, because the effort is high for the reward, there's the C++03 for things that are performance-critical and not in FORTRAN any more, and there's Python for the bits that aren't performance critical.
I have, however, worked with C++ static analysis tools that can warn on many constructs that cannot be proven to have UB at compile time; these certainly used to exist (but weren't free - the one I used was $50 per developer per month). The trouble with them is that when you take a codebase that has never been attacked by serious static analysis before, you get a huge amount of issues to look into, some of which are (by the nature of Rice's Theorem) false positives; I saw something on the order of one static analysis warning per line of code when I applied it to a pre-existing 100K line C++ project. Obviously, some lines were clean, but others had multiple warnings that applied, all of which would have to be examined, and fixed, if you want a tool-checked UB-free codebase.
And that static analysis experience is why I'm sceptical of attempts to make C++ "safe"; competent C++ developers write code that cannot easily and mechanically be proven safe all the time, and mostly get the safety preconditions correct. It's a big deal when they don't, and it happens often enough to be a problem, but nobody is willing to pay the cost of rewriting ~400K lines of C++ into Safe C++ (by adding static analysis annotations) today, and I don't see that changing just because the annotations become an optional part of the language standard.
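An added illustration of the "safety preconditions" point made in the comment above (example code written for this page, not the commenter's own; the function names are hypothetical): the first function is correct only because every caller upholds an invariant that appears nowhere in its signature, which is exactly the kind of code a mechanical checker cannot prove safe, while the second turns that invariant into an ordinary checked result.

```cpp
#include <cstddef>
#include <optional>
#include <vector>

// Precondition-reliant style, common in competent C++: the caller promises
// that idx + 1 < data.size(). Nothing in the signature expresses that, so a
// static analyser must either warn on both accesses or trust the comment;
// by Rice's Theorem it cannot decide in general whether all callers comply.
int sum_pair_unchecked(const std::vector<int>& data, std::size_t idx) {
    // Caller-established invariant: idx + 1 < data.size()
    return data[idx] + data[idx + 1];
}

// Mechanically checkable style: the precondition becomes an explicit check
// whose failure is a normal return value, so neither the tool nor the
// reviewer has to reason about every call site to rule out an out-of-bounds
// read. The first comparison also guarantees idx + 1 cannot overflow.
std::optional<int> sum_pair_checked(const std::vector<int>& data,
                                    std::size_t idx) {
    if (idx >= data.size() || idx + 1 >= data.size()) return std::nullopt;
    return data[idx] + data[idx + 1];
}

// Hypothetical call site that happens to respect the precondition today;
// a later edit to the loop bound would silently turn it into UB, and only
// the checked variant would report that instead of reading past the buffer.
int total_of_pairs(const std::vector<int>& data) {
    int total = 0;
    for (std::size_t i = 0; i + 1 < data.size(); i += 2)
        total += sum_pair_unchecked(data, i);
    return total;
}
```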