Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Adding a FAQ section #59

Draft
wants to merge 1 commit into
base: develop
Choose a base branch
from
Draft

Adding a FAQ section #59

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
78 changes: 78 additions & 0 deletions proposal/draft.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2789,6 +2789,84 @@ Everything in this proposal took about 18 months to design and implement in Circ

An earlier version of this work was presented to SG23 at the St Louis 2024 ISO meeting, with the closing poll "We should promise more committee time on borrow checking?" --- SF: 20, WF: 7, N: 1, WA: 0, SA: 0.

# FAQ

* [What is the goal?](#what-is-the-goal)
* [Will Safe C++ break my code?](#will-safe-c-break-my-code)
* [Why does this proposal introduce a whole new standard library (std2)?](#why-does-this-proposal-introduce-a-whole-new-standard-library-std2)
* [Why do we need to borrow Rust's borrow checker?](#why-do-we-need-to-borrow-rusts-borrow-checker)
* [Why not use Hylo's approach?](#why-not-use-hylos-approach)
* [Why not use safety profiles?](#why-not-use-safety-profiles)
* [Why do the safe language alternatives to unsafe c++ language constructs use Rust names rather than existing C++ names?](#why-do-the-safe-language-alternatives-to-unsafe-c-language-constructs-use-rust-names-rather-than-existing-c-names)
* [I do not like the proposed syntax, why is it so ugly?](#i-do-not-like-the-proposed-syntax-why-is-it-so-ugly)
* [Why is `std::*` missing from `std2`?](#why-is-std-missing-from-std2)
* [Won't `std2` lead to an extreme function coloring problem?](#wont-std2-lead-to-an-extreme-function-coloring-problem)
* [Are there runtime checks?](#are-there-runtime-checks)
* [There's promising research that could yield a solution that is both more simple and more elegant than rust-style borrow checking. Why not wait?](#theres-promising-research-that-could-yield-a-solution-that-is-both-more-simple-and-more-elegant-than-rust-style-borrow-checking.-why-not-wait)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* [There's promising research that could yield a solution that is both more simple and more elegant than rust-style borrow checking. Why not wait?](#theres-promising-research-that-could-yield-a-solution-that-is-both-more-simple-and-more-elegant-than-rust-style-borrow-checking.-why-not-wait)
* [Aren’t there some other promising experiments supposedly on the horizon that could yield a simpler and more-elegant solution than Rust-style borrow checking. Why not wait?](#arent-there-some-other-promising-experiments-supposedly-on-the-horizon-that-could-yield-a-simpler-and-more-elegant-solution-than-rust-style-borrow-checking-why-not-wait)

* [Why are lifetimes annotated using `/` rather than `'`?](#why-are-lifetimes-annotated-using-rather-than)
* [Can Safe C++ make my program safer just by recompiling existing code?](#can-safe-c-make-my-program-safer-just-by-recompiling-existing-code)
* [What is the difference between `cpy x` and `T(const T&)`?](#what-is-the-difference-between-cpy-x-and-tconst-t)
* [What is the difference between `drp x` and `~T()`?](#what-is-the-difference-between-drp-x-and-t)
* [What is the difference between `unsafe_cell` and `const_cast`?](#what-is-the-difference-between-unsafe_cell-and-const_cast)

### What is the goal?

The goal is to add to C++ the ability to incrementally opt into zero-overhead memory safety without loss of expressiveness. This ability will enable developers to get rid of various classes of bugs that fall into four categories of safety : lifetime safety, type safety, thread safety and spatial safety. It will also address valid concerns put forward by the security community through the NSA, the CISA, the NCSI and the White house with regards to memory safe languages.

### Will Safe C++ break my code?

No. Safe C++ requires explicit opt-in by developers. And even after opting in, Safe C++ is designed to facilitate incremental adoption within large codebases.

### Why does this proposal introduce a whole new standard library (std2)?

The existing STL is not memory safe. Making it memory safe would require changes to the API which is a non-starter with regards to the goal of making existing code stay the same.

### Why do we need to borrow Rust's borrow checker?

The borrow checker is the best fit that is production-ready to meet our goals. It is a compile time solution that leads to zero overhead. It is a mature and proven technology. It is the safest path to guarantee a successful outcome.

### Why not use Hylo's approach?

Hylo's approach uses a borrow checker. Mutable Value Semantics (MVS) then eliminates the need for explicit lifetimes, but that is still a work in progress and is not considered production-ready.

### Why not use safety profiles?

Safety profiles is still a work in progress. The lifetime safety profile is the one furthest along. But it still falls well short of what borrow checking can provide. It only adresses one of the four categories of memory safety that this proposal aims to achieve and even within that single category, it doesn't address all potential issues (i.e.: it cannot catch all iterator invalidation cases).

### Why do the safe language alternatives to unsafe c++ language constructs use Rust names rather than existing C++ names?

The safe language alternatives are used in very different ways compared to their unsafe counterparts. For example, while `union` looks like a `struct` that has a single active member, a `choice` can only be interrogated by using a match-expression, guaranteeing safe access to its content.

### I do not like the proposed syntax, why is it so ugly?

Bikeshedding isn't a priority at this stage. The current syntax is the one used by the reference implementation so far.

### Why is `std::*` missing from `std2`?

This proposal is a healthy beginning but it’s not comprehensive treatment.

### Won't `std2` lead to an extreme function coloring problem?

It won't be: `safe` code can wrap unsafe calls within `unsafe` blocks and `unsafe` code can call `safe` code. Same goes for `std2` and `std` library components.

### Are there runtime checks?

Yes, there are dynamic bound checks for spatial safety.

### There's promising research that could yield a solution that is both more simple and more elegant than rust-style borrow checking. Why not wait?

The security community and regulators are actively pushing developers towards memory safe languages with official guidance since 2022. Does C++ stay on the do-not-use list or does C++ become a memory safe language?
Comment on lines +2856 to +2858
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
### There's promising research that could yield a solution that is both more simple and more elegant than rust-style borrow checking. Why not wait?
The security community and regulators are actively pushing developers towards memory safe languages with official guidance since 2022. Does C++ stay on the do-not-use list or does C++ become a memory safe language?
### Aren’t there some other promising experiments supposedly on the horizon that could yield a simpler and more-elegant solution than Rust-style borrow checking. Why not wait?
There are no other experiments on the horizon. And in the meantime, government organizations and others continue to publish document such as the [CISA “Product Security Bad Practices” guidance](https://www.cisa.gov/resources-tools/resources/product-security-bad-practices) containing statements like this:
> _For existing products that are written in memory-unsafe languages, not having a published memory safety roadmap by January 1, 2026 is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety._
So, we don’t have the luxury of being able to wait around for other people to eventually appear with hypothetically “better” solutions. And so the question is: What concretely can we be working on together right now to make sure that C++ gets on the _“has a published memory safety roadmap”_ by January 2026 at the latest?


### Why are lifetimes annotated using `/` rather than `'`?

C supports multi-character literals. This cursed feature, in which literals like 'abcd' evaluate to constants of type int, makes lexing Rust-style lifetime arguments very messy.


### Can Safe C++ make my program safer just by recompiling existing code?
### What is the difference between `cpy x` and `T(const T&)`?
### What is the difference between `drp x` and `~T()`?
### What is the difference between `unsafe_cell` and `const_cast`?

---
references:
- id: nsa-guidance
Expand Down