The Ferrocene Language Specification has two serious problems: there are very large gaps in it, and what's present is very buggy.
If you pick a small part and look at it in isolation it typically looks quite plausible, but if you try to follow the definitions it very often just falls apart.
A year or so ago I read through one smallish section (basically function calls) and filed issues for the problems I found that were easy to write up crisply.
I know I'm late to the party, but I still wanted to answer this. Disclosure: I am one of the Managing Directors at Ferrous Systems
I believe you're falling victim ot a common misconception about what the FLS is and what it aims to be. It is - at least as of now - a description of the language that is good enough to certify the compiler. It was never intended to be a spec that describes Rust in completeness - for example, the FLS is absolutely insufficient to implement a Rust compiler. As such, we have no aspirations to completeness in any shape or form. While we get a lot of feedback about pieces that people consider falling short of their expectations, it is expected that there are gaps that Ferrous Systems will never try to fill. The FLS in its current shape is good enough for us.
Now that the Rust project adopted the FLS as the initial nucleus of a spec, I hope that others can contribute and fill the gaps that they need filled.
From experience with these kinds of specs, one might be better off clearly stating things that are left to the compiler implementation (and thus should have no impact -?-on the verifiability of the spec).
It seems to me that the part about unsafe operations is pretty much still unspecified. It's currently just a short paragraph saying it may cause undefined behaviour and a list of high-level descriptions of those unsafe operations. But what's the exact semantics of those operations? When is it undefined?
Part of the reason is that this is the most difficult part to define, and part is that this is very much an area of active research and improvement.
For example, what would a language specification say about the behavior and consequences of calling an unsafe function? It can only point to the function documentation, as the function could do anything. It might be reasonably well-behaved, for example `Vec::get_unchecked(index)` returns the item at `index` if index is a valid index, and does whatever your platform, chosen allocator and overzealous LLVM optimizations do on invalid pointer access. A different function might be complete chaos, since the unsafe function could contain any code.
"Dereferencing a value of a raw pointer type" would be easier to define, but then you get down the whole pointer provenance rabbit hole. Saying "well, that might do anything" isn't that unreasonable of a stance for a specification, as long as you properly specify the pointer-provenance-aware route once it has been stabilized. Documentation on the other hand should be more helpful than that (and sadly often isn't), telling you when dereferencing a pointer does what you expect, when it doesn't, and what the pitfalls are.
This is much bigger news than I think people realise. With the push for more secure systems programming language, having a formal model will enable much more powerful tooling and theorem proving that will help spot, model, or identify vulnerabilities. (There will still be a class of vulnerabilities from when the implementation does not match the specification).
While I agree with the huge adoption improvements, there is also a dose of reality check required.
There are several domains where C++ never managed to displace C, and likewise the same seems bound to happen with Rust towards C and C++, regardless of safety improvements.
Khronos API definitions, the whole GPGPU ecosystem including vendor tooling, all major runtimes and compiler frameworks, consoles devkits, are few domains where Rust has yet to have a presence.
Rust seems tailor made for a compiler framework. The issue is how often do new ones come along?
In 40 years, we have GCC and LLvM. How long until something comes along to displace them in any language? Nobody is really trying to “rewrite it in Rust” the LLVM platform (even though Rust itself relies on it). There is Cranelift of course but it is not really trying to be LLVM.
Sort of. Last time I looked, about a year ago, there were a bunch and all of the ones I looked at/tried seemed really awkward to use. I don’t love Qt either, but in C++ land it’s a pretty reliable way to slap together a simple UI that doesn’t require a whole lot of ceremony.
Global mutable state is difficult to handle correctly and Rust forces you to think through the consequences. There's no shortage of patterns for safely working with it, but you can't take the easy (and unsafe!) way out.
Not really, there’s two models that work. The react model and the immediate model. The whole class inherits widget hellscape is not, no loss there. That route inevitably leads to bugs that are hard to find and fix because of all the weird state buried in inherited types.
I really like egui. People talk about it not being professional because it is raster graphics and doesn't have native widgets, but neither of those things are anywhere on my customer's priority list.
> The demands for memory safety are not unreasonable, in fact, I consider them too feeble for the long term, so responding to the demands is in the interest of C++
> The sky isn’t falling, but unless we act now and get C++ onto a track supporting a flexible framework of profiles (supporting various forms of safety), we risk a painful decline.
He's simply making the case for profiles and trying to rally the people he works with around that as a necessary goal. That's something that any leadership has to do from time to time. That's also something he's done before when he warned everyone about proposing a bunch of incompatible features with no clear vision. Nothing unexpected here, in no way is this "panicking".
If you pick a small part and look at it in isolation it typically looks quite plausible, but if you try to follow the definitions it very often just falls apart.