> Mmmhm. Go look in the docs for std::span and see how long it takes to find "The behaviour is undefined if idx is out of range" or similar.
It is regrettable and under fix but:
- You generally do have your own implementation with more advance bound check for safety-critical implementation.
- We do have our own where I work right now.
- Google has its own in abseil.
- span allows the usage for range-for loop which combined with subspan() makes possible to avoid pointer arithmetic all together.
When you are already in a deep hole, it's a good idea to stop digging.
How much time did it took you to understand all this? What chances does a beginner has to understand these subtle differences and learn the particular way your codebase uses std::span and not footgun themselves? How much productivity is lost to the sheer terror of such footguns - not actual bugs, but time and effort lost that did not move the product forward?
And most importantly, what is the point of accepting that huge cost instead of writing in a language where unsafe data access is impossible?
> And most importantly, what is the point of accepting that huge cost instead of writing in a language where unsafe data access is impossible?
Because the world is a place where billions of lines of code have been written. And these will never be rewritten, but can be modernized.
That the reality, and that's why your web browser right now and most of your OS is still written in unsafe language right now. And will still be for the next 15years at least.
Surely "nails in the coffin of C/C++" does not imply an all out effort to rewrite all this existing and working software from scratch.
The beast will die in the same sense Fortran or Cobol are dead: an outdated language that has no noticeable strengths in the modern world, used by a bunch of (difficult to hire) old timers to fix legacy systems.
> Surely "nails in the coffin of C/C++" does not imply an all out effort to rewrite all this existing and working software from scratch.
Or you use the evolutionary approach: remove the unsafe part from C/C++ bit by bit. And do code migration (Carbon style) when you can do it. This is what some C and C++ committee members try to do and fortunately they are there.
Because that is way more likely to happen in a reasonable time frame (next 15 years) than rewrite Chrome, Linux, OpenSSL, Office and all the other 10 of billions of proprietary code we have around in Rust.
You cannot do that without breaking backward compatibility. If you maintain compatibility, what results is a sprawling meta-language with a large learning burden that has the theoretical ability to emulate a safe language, and which in practice will be used to mix both safe and unsafe idioms depending on the experience and discipline of the programmer, in an unholy mess that no static analyzer can prove as correct and no programmer can say they really fully understand.
Maybe I'm mistaken, I've last programmed in C++ a good number of years ago, but I have not encountered a (C++ programming paradigm, static linter) doublet that can prove data integrity and thread safety to an extent even close to the Rust compiler. And it would be useless for existing codebases anyhow.
It is regrettable and under fix but:
- You generally do have your own implementation with more advance bound check for safety-critical implementation. - We do have our own where I work right now. - Google has its own in abseil.
- span allows the usage for range-for loop which combined with subspan() makes possible to avoid pointer arithmetic all together.