165. Bjarne Stroustrup’s talks on safety, WG21 August mailing, Rust

With Gianluca Delfino, Frances Buontempo, Vladimír Arnošt, Ivor Hewitt et al.







Powered by RedCircle

Life advice from Bjarne Stroustrup


  • Don’t overspecialise
  • Have a life and interests outside computing
  • Build a portfolio of skills
  • Be ready for the opportunity and don’t let it go unnoticed


Life is like undefined behaviour no one knows what will happen next.

Approaching C++ safety - Bjarne Stroustrup (CoreCppIL 2023)


  • Goal: type- and resource-safe C++
  • The spooks (NSA) say don’t use C/C++ as it’s unsafe. I sort of agree, I don’t like C/C++, it’s a mythical language which is usually a mess.
  • People choose C++ for a reason. The alternatives are new and shiny, but largely untried, and don’t handle the range of applications that C++ does.
bjarne safety eo 4ZSLn3jc 0001
  • You just have to be careful, but being careful is not good enough.
  • We can’t just "outsource" unsafe parts to another language.
  • "RAII – Resource Acquisition Is Initialization – must be the dumbest name for a great feature. Apologies for that. I was busy."
  • People come and say: "C++ is too complex, I want you to simplify it. By the way, while you’re at it, I want these two features added, I need them yesterday. And whatever you do, don’t break my code!"
  • Safety by subsetting the language doesn’t work because lots of the low-level features aren’t safe.
bjarne safety eo 4ZSLn3jc 0002
  • Superset the language with libraries (STL, GSL) and then subset it.
  • Different domains have different definition of "safety", but basic type and resource safety should be common.
  • Arbitrary C++ code is simply too complex for static analysis.
  • Profile: a coherent set of rules yielding a guarantee: bounds, type, memory etc. Must be visible in code (to indicate intent and to trigger analysis). Similar to Ada’s safety profiles.
  • The hardest problem is mixing profiles.
bjarne safety eo 4ZSLn3jc 0003
  • Suggested initial profiles: type_safety, range, arithmetic.

Hardening C++ (Bjarne Stroustrup, Software Engineering Daily, March 2023)


Don’t use "C/C++" but "try this other language which is not even standardized and has no formal definition, but it’s safe!" — give me a break!

WG21 Mailing, August 2023

Erroneous behaviour for uninitialized reads

P2795R3 by Thomas Köppe

We propose to address the safety problems of reading a default-initialized automatic variable (an “uninitialized read”) by adding a novel kind of behaviour for C++. This new behaviour, called erroneous behaviour, allows us to formally speak about “buggy” (or “incorrect”) code, that is, code that does not mean what it should mean (in a sense we will discuss). This behaviour is both “wrong” in the sense of indicating a programming bug, and also well-defined in the sense of not posing a safety risk.

We propose to change the semantics of reading an uninitialized variable:

Default-initialization of an automatic variable initializes the variable with a fixed value defined by the implementation; however, reading that value is a conceptual error. Implementations are allowed and encouraged to diagnose this error, but they are also allowed to ignore the error and treat the read as valid. Additionally, an opt-out mechanism (in the form of an attribute on a variable definition) is provided to restore the previous behaviour.


In other words, it is still an "wrong" to read an uninitialized value, but if you do read it and the implementation does not otherwise stop you, you get some specific value.

This paper seems like an opposite of the paper P2723 Zero-initialize objects of automatic storage duration. It looks like you can’t have both.


P2821R4 by Jarrad J. Waterloo

This paper proposes the standard adds the at method to std::span class in order to address safety, consistency and PR (public relations) concerns. <…​> If <index> is not within the range of the container, an exception of type std::out_of_range is thrown.

An Attribute-Like Syntax for Contracts

P2935R0 by Joshua Berne

int f(const int x, int y)
    [[ pre : y > 0 ]]
    [[ post : fstate() == x ]] // Parameters referenced in post must be const.
    [[ post r   : r > x ]]     // Postcondition may optionally name return value.
    [[ post (r) : r > y ]]     // Return value may have parenthesis.
    [[ assert : x > 0 ]];
    return x;

Safer Range Access

P2955R0 by Jarrad J. Waterloo


Reference checking

P2878R5 by Jarrad J. Waterloo

More annotations!

Example code

This paper proposes that we allow programmers to provide explicit lifetime dependence information to the compiler for the following reasons:

  • Standardize the documentation of lifetimes of API(s) for developers
  • Standardize the specification of lifetimes for proposals
  • Greatly reduce the dangling of the stack for references

What is being asked for is similar to but not exactly like Rust’s feature called explicit lifetimes.

Considering C++ over Rust


You can’t just place a LISP Rust book on top of an x86 chip and hope that the hardware learns about lambda calculus by osmosis.

 — James Mickens

James20k on Rust vs. C++

I found it irritating that some of the same C devs who have been in denial about C++ for decades now rave about Rust.

Dave Plummer’s stupid C++ tricks

YouTube: https://youtu.be/p-sprvJX07E

Modern C++, not that vintage "orthodox" stuff!

Great anecdotes from the old days of Microsoft and Windows, like this one: at Microsoft they never called BSOD a blue screen of death – only blue screen, or a bugcheck, as it was initiated by calling the kernel function KeBugCheck.

Dave’s Garage YouTube channel

Node.js is moving to a new, faster URL parser called Ada written in modern C++


Putting aside the confusing name which suggests the author didn’t know (or didn’t care) about the Ada language…​

"Written in modern C++" and literally the first lines in ada.h that actually do something are:

#define ADA_ROUNDUP_N(a, n) (((a) + ((n)-1)) & ~((n)-1))
#define ADA_ROUNDDOWN_N(a, n) ((a) & ~((n)-1))

Apparently also memcpy()

C++ in Chromium

Yeees, "Modern". <facepalm>

Why Rust will replace C++ in the future

Article by Roy

This sounds to me like something written by ChatGPT. The irony is that the article was probably generated by code written in C++.

C/C++: well, actually

Predrag Gruevski writes on Mastodon:

Including C/C++ on my resume has been a great way of selecting out people that would be the kind of "well, actually" that I don’t think I’d enjoy working with.

Mastodon: pragma once

By aki-nyan:

if #pragma once is so good where is #pragma twice

Mastodon: clocks

Dare Obasanjo:

A broken clock fixed by taping a working clock over it is a metaphor for every codebase you’ll encounter in your professional career as a software developer.

clock fixed