On Tue, 8 Oct 2024 20:40:38 -0500
Lynn McGuire <[email protected]> wrote:

"Safe C++ is A new Proposal to Make C++ Memory-Safe"
https://www.infoq.com/news/2024/10/safe-cpp-proposal/

"The goal of the Safe C++ proposal is extending C++ by defining a
superset of the language that can be used to write code with the
strong safety guarantees similarly to code written in Rust. The key
to its approach is introducing a new safe context where only a
rigorously safe subset of C++ is allowed."

"The Safe C++ proposal, set forth by Sean Baxter and Christian
Mazakas, originates from the growing awareness that C++ memory
unsafety lies at the root of a large part of vulnerabilities and
memory exploits. The only existing safe language, say Baxter and
Mazakas, is Rust,

Journalists are so journalists! Even when, like Sergio De Simone, they
claim that they are software engineers.

Of course, Baxter and Mazakas never said anything like that. Their
statement is much more reasonable: "There’s only one popular systems level/non-garbage collected language that provides rigorous memory
safety. That’s the Rust language."
I am not sure that I agree with Baxter and Mazakas, but at least
their statement is not as obviously and blatantly wrong as it sound in "translation" of De Simone.

but their design differences limit
interoperability, thus making it hard to migrate from one language to
the other. For example, Rust lacks function overloading, templates, inheritance, and exceptions, while C++ lacks traits, relocation, and
borrow checking."

Lynn

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Wed, 9 Oct 2024 15:02:54 -0500
Lynn McGuire <[email protected]> wrote:

On 10/8/2024 8:40 PM, Lynn McGuire wrote:

"Safe C++ is A new Proposal to Make C++ Memory-Safe"
�� https://www.infoq.com/news/2024/10/safe-cpp-proposal/

"The goal of the Safe C++ proposal is extending C++ by defining a
superset of the language that can be used to write code with the
strong safety guarantees similarly to code written in Rust. The key
to its approach is introducing a new safe context where only a
rigorously safe subset of C++ is allowed."

"The Safe C++ proposal, set forth by Sean Baxter and Christian
Mazakas, originates from the growing awareness that C++ memory
unsafety lies at the root of a large part of vulnerabilities and
memory exploits. The only existing safe language, say Baxter and
Mazakas, is Rust, but their design differences limit
interoperability, thus making it hard to migrate from one language
to the other. For example, Rust lacks function overloading,
templates, inheritance, and exceptions, while C++ lacks traits,
relocation, and borrow checking."

Lynn

And what the heck is relocation, traits, and borrow checking ?

Lynn

Traits and borrow checking can't be explained in few words, nor in few
dozens of words.
Ownership model+borrow checker happens to be the main feature that distinguishes the Rust from the Rest.

'Relocation' does not appear to be an established Rust term.
It seems that Sean Baxter and Christian Mazakas use word 'relocation'
to describe a mechanism use in Rust by default when object that
contains embedded pointers or is of variable size is assigned to
another object. Rust docs call it 'move'.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Wed, 9 Oct 2024 23:46:05 +0300
Michael S <[email protected]> boring babbled:

On Wed, 9 Oct 2024 15:02:54 -0500
Lynn McGuire <[email protected]> wrote:

And what the heck is relocation, traits, and borrow checking ?
=20
Lynn
=20

Traits and borrow checking can't be explained in few words, nor in few
dozens of words.

Borrow checking is just a fancy way of compile time checking a pointer/object will still be valid after being used previously. Eg: If C had borrow checking the compiler would error at the printf().

void func(char **ptr)
{
*ptr = NULL;
}


int main()
{
char *ptr = "hello";
func(&ptr);
printf("%c\n",*ptr);
return 0;
}


--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, 10 Oct 2024 08:34:55 -0000 (UTC)
[email protected] wrote:

On Wed, 9 Oct 2024 23:46:05 +0300
Michael S <[email protected]> boring babbled:

On Wed, 9 Oct 2024 15:02:54 -0500
Lynn McGuire <[email protected]> wrote:

And what the heck is relocation, traits, and borrow checking ?
=20
Lynn
=20

Traits and borrow checking can't be explained in few words, nor in
few dozens of words.

Borrow checking is just a fancy way of compile time checking a
pointer/object will still be valid after being used previously. Eg:
If C had borrow checking the compiler would error at the printf().

void func(char **ptr)
{
*ptr = NULL;
}

int main()
{
char *ptr = "hello";
func(&ptr);
printf("%c\n",*ptr);
return 0;
}

Do you think that your explanation is sufficient for Lynn McGuire?
Consider that he probably doesn't know what Rust people have in mind
when they talk about ownership. And you can be sure that he doesn't know
the rusty meaning of 'borrow'.
Even I am not 100% sure that I understand the later, although it seem
to me that in their dialect 'borrow' means 'make a reference'.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, 10 Oct 2024 10:20:07 -0000 (UTC)
[email protected] wrote:

On Thu, 10 Oct 2024 12:51:57 +0300
Michael S <[email protected]> boring babbled:

On Thu, 10 Oct 2024 08:34:55 -0000 (UTC)
[email protected] wrote:

On Wed, 9 Oct 2024 23:46:05 +0300
Michael S <[email protected]> boring babbled:

On Wed, 9 Oct 2024 15:02:54 -0500
Lynn McGuire <[email protected]> wrote:

And what the heck is relocation, traits, and borrow checking ?
=20
Lynn
=20

Traits and borrow checking can't be explained in few words, nor in
few dozens of words.

Borrow checking is just a fancy way of compile time checking a
pointer/object will still be valid after being used previously. Eg:
If C had borrow checking the compiler would error at the printf().

void func(char **ptr)
{
*ptr = NULL;
}


int main()
{
char *ptr = "hello";
func(&ptr);
printf("%c\n",*ptr);
return 0;
}

Do you think that your explanation is sufficient for Lynn McGuire?

No idea.

Consider that he probably doesn't know what Rust people have in mind
when they talk about ownership. And you can be sure that he doesn't
know the rusty meaning of 'borrow'.
Even I am not 100% sure that I understand the later, although it seem
to me that in their dialect 'borrow' means 'make a reference'.

I think its just their way of checking if something could have been
altered before use in a way that might crash the program or introduce
bugs.

Now you're talking about meaning of 'borrow checker'.
Before we go that far we have to dig up the meaning of 'borrow'.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, 10 Oct 2024 13:44:59 +0300
Michael S <[email protected]> boring babbled:

On Thu, 10 Oct 2024 10:20:07 -0000 (UTC)
[email protected] wrote:

I think its just their way of checking if something could have been
altered before use in a way that might crash the program or introduce
bugs.

Now you're talking about meaning of 'borrow checker'.
Before we go that far we have to dig up the meaning of 'borrow'.

Since when do programming language keywords always mean the exact same as
the english equivalent? Last time I looked "for" didn't mean "loop" in english.

Frankly borrow-checking can mean whatever they want it to mean this week, but in general its what I said above.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, 10 Oct 2024 12:51:57 +0300
Michael S <[email protected]> boring babbled:

On Thu, 10 Oct 2024 08:34:55 -0000 (UTC)
[email protected] wrote:

On Wed, 9 Oct 2024 23:46:05 +0300
Michael S <[email protected]> boring babbled:

On Wed, 9 Oct 2024 15:02:54 -0500
Lynn McGuire <[email protected]> wrote:

And what the heck is relocation, traits, and borrow checking ?
=20
Lynn
=20

Traits and borrow checking can't be explained in few words, nor in
few dozens of words.

Borrow checking is just a fancy way of compile time checking a
pointer/object will still be valid after being used previously. Eg:
If C had borrow checking the compiler would error at the printf().

void func(char **ptr)
{
*ptr = NULL;
}


int main()
{
char *ptr = "hello";
func(&ptr);
printf("%c\n",*ptr);
return 0;
}

Do you think that your explanation is sufficient for Lynn McGuire?

No idea.

Consider that he probably doesn't know what Rust people have in mind
when they talk about ownership. And you can be sure that he doesn't know
the rusty meaning of 'borrow'.
Even I am not 100% sure that I understand the later, although it seem
to me that in their dialect 'borrow' means 'make a reference'.

I think its just their way of checking if something could have been altered before use in a way that might crash the program or introduce bugs.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, 10 Oct 2024 10:50:05 -0000 (UTC)
[email protected] wrote:

On Thu, 10 Oct 2024 13:44:59 +0300
Michael S <[email protected]> boring babbled:

On Thu, 10 Oct 2024 10:20:07 -0000 (UTC)
[email protected] wrote:

I think its just their way of checking if something could have been
altered before use in a way that might crash the program or
introduce bugs.

Now you're talking about meaning of 'borrow checker'.
Before we go that far we have to dig up the meaning of 'borrow'.

Since when do programming language keywords always mean the exact
same as the english equivalent? Last time I looked "for" didn't mean
"loop" in english.

Well, I don't know how it feels for native English speakers, but for me
meaning of 'loop' in programming is not equivalent to its meaning in
the rest of English language.

Frankly borrow-checking can mean whatever they want it to mean this
week, but in general its what I said above.

Neither 'borrow' nor 'borrow checker' are Rust keywords. They are
abstract (more or less) concepts used in Rust manuals. And it seems
logical that it would be easier to explain the later if we explain the
former first.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, 10 Oct 2024 14:10:47 +0300
Michael S <[email protected]> boring babbled:

On Thu, 10 Oct 2024 10:50:05 -0000 (UTC)
[email protected] wrote:

On Thu, 10 Oct 2024 13:44:59 +0300
Michael S <[email protected]> boring babbled:

On Thu, 10 Oct 2024 10:20:07 -0000 (UTC)
[email protected] wrote:

I think its just their way of checking if something could have been
altered before use in a way that might crash the program or
introduce bugs.

Now you're talking about meaning of 'borrow checker'.
Before we go that far we have to dig up the meaning of 'borrow'.

Since when do programming language keywords always mean the exact
same as the english equivalent? Last time I looked "for" didn't mean
"loop" in english.

Well, I don't know how it feels for native English speakers, but for me >meaning of 'loop' in programming is not equivalent to its meaning in
the rest of English language.

Something thats circular(ish) or goes around in a circle. Its close enough.

Frankly borrow-checking can mean whatever they want it to mean this
week, but in general its what I said above.

Neither 'borrow' nor 'borrow checker' are Rust keywords. They are
abstract (more or less) concepts used in Rust manuals. And it seems
logical that it would be easier to explain the later if we explain the
former first.

Presumably the borrow means something "borrowed" the pointer, and checker means checking the pointer is still valid. Doesn't seem complicated to me.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, 10 Oct 2024 13:11:24 -0000 (UTC)
[email protected] wrote:

On Thu, 10 Oct 2024 14:10:47 +0300
Michael S <[email protected]> boring babbled:

On Thu, 10 Oct 2024 10:50:05 -0000 (UTC)
[email protected] wrote:

On Thu, 10 Oct 2024 13:44:59 +0300
Michael S <[email protected]> boring babbled:

On Thu, 10 Oct 2024 10:20:07 -0000 (UTC)
[email protected] wrote:

I think its just their way of checking if something could have
been altered before use in a way that might crash the program or
introduce bugs.

Now you're talking about meaning of 'borrow checker'.
Before we go that far we have to dig up the meaning of 'borrow'.

Since when do programming language keywords always mean the exact
same as the english equivalent? Last time I looked "for" didn't
mean "loop" in english.

Well, I don't know how it feels for native English speakers, but for
me meaning of 'loop' in programming is not equivalent to its meaning
in the rest of English language.

Something thats circular(ish) or goes around in a circle. Its close
enough.

Frankly borrow-checking can mean whatever they want it to mean this
week, but in general its what I said above.

Neither 'borrow' nor 'borrow checker' are Rust keywords. They are
abstract (more or less) concepts used in Rust manuals. And it seems
logical that it would be easier to explain the later if we explain
the former first.

Presumably the borrow means something "borrowed" the pointer, and
checker means checking the pointer is still valid. Doesn't seem
complicated to me.

May be, for people that are used to smart pointers in C++, for people
that move their private parts from unique_ptr to shared_ptr to weak_ptr
forth, back and sideways, may be for these people Rust ownership and
borrowing business is not complicated. For me it is.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Michael S <[email protected]> writes:

[suggested explanation of borrow checking]

Do you think that your explanation is sufficient for Lynn McGuire?
Consider that he probably doesn't know what Rust people have in mind
when they talk about ownership. And you can be sure that he doesn't
know the rusty meaning of 'borrow'.

Even I am not 100% sure that I understand the later, although it
seem to me that in their dialect 'borrow' means 'make a reference'.

Just a minor note here.. the word latter is spelled with two t's.

(fwiw I too have been frustrated by the inadequacy of descriptions
of Rust's features and concepts.)

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 10.10.2024 16:54, Michael S wrote:

On Thu, 10 Oct 2024 13:11:24 -0000 (UTC)
[email protected] wrote:

On Thu, 10 Oct 2024 14:10:47 +0300
Michael S <[email protected]> boring babbled:

On Thu, 10 Oct 2024 10:50:05 -0000 (UTC)
[email protected] wrote:

On Thu, 10 Oct 2024 13:44:59 +0300
Michael S <[email protected]> boring babbled:

On Thu, 10 Oct 2024 10:20:07 -0000 (UTC)
[email protected] wrote:

I think its just their way of checking if something could have
been altered before use in a way that might crash the program or
introduce bugs.

Now you're talking about meaning of 'borrow checker'.
Before we go that far we have to dig up the meaning of 'borrow'.

Since when do programming language keywords always mean the exact
same as the english equivalent? Last time I looked "for" didn't
mean "loop" in english.

Well, I don't know how it feels for native English speakers, but for
me meaning of 'loop' in programming is not equivalent to its meaning
in the rest of English language.

Something thats circular(ish) or goes around in a circle. Its close
enough.

Frankly borrow-checking can mean whatever they want it to mean this
week, but in general its what I said above.

Neither 'borrow' nor 'borrow checker' are Rust keywords. They are
abstract (more or less) concepts used in Rust manuals. And it seems
logical that it would be easier to explain the later if we explain
the former first.

Presumably the borrow means something "borrowed" the pointer, and
checker means checking the pointer is still valid. Doesn't seem
complicated to me.

May be, for people that are used to smart pointers in C++, for people
that move their private parts from unique_ptr to shared_ptr to weak_ptr forth, back and sideways, may be for these people Rust ownership and borrowing business is not complicated. For me it is.

From what I have understood, Rust borrowing is more related to
std::move() and rvalue references in C++. But yes, one thing which can
be moved around this way is indeed std::unique_ptr.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 10.10.2024 18:37, wij wrote:

Lots of 'high level concept' invention are around the assembly "mov A,B" What's for?

Assembler "mov" is a misnamed "copy". So, no relation.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, 10 Oct 2024 07:56:39 -0700
Tim Rentsch <[email protected]> wrote:

Michael S <[email protected]> writes:

[suggested explanation of borrow checking]

Do you think that your explanation is sufficient for Lynn McGuire?
Consider that he probably doesn't know what Rust people have in mind
when they talk about ownership. And you can be sure that he doesn't
know the rusty meaning of 'borrow'.

Even I am not 100% sure that I understand the later, although it
seem to me that in their dialect 'borrow' means 'make a reference'.

Just a minor note here.. the word latter is spelled with two t's.

Thank you. I would try to remember.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, 10 Oct 2024 18:08:48 +0300
Paavo Helde <[email protected]> wrote:

On 10.10.2024 16:54, Michael S wrote:

On Thu, 10 Oct 2024 13:11:24 -0000 (UTC)
[email protected] wrote:

On Thu, 10 Oct 2024 14:10:47 +0300
Michael S <[email protected]> boring babbled:

On Thu, 10 Oct 2024 10:50:05 -0000 (UTC)
[email protected] wrote:

On Thu, 10 Oct 2024 13:44:59 +0300
Michael S <[email protected]> boring babbled:

On Thu, 10 Oct 2024 10:20:07 -0000 (UTC)
[email protected] wrote:

I think its just their way of checking if something could have
been altered before use in a way that might crash the program
or introduce bugs.

Now you're talking about meaning of 'borrow checker'.
Before we go that far we have to dig up the meaning of 'borrow'.

Since when do programming language keywords always mean the exact
same as the english equivalent? Last time I looked "for" didn't
mean "loop" in english.

Well, I don't know how it feels for native English speakers, but
for me meaning of 'loop' in programming is not equivalent to its
meaning in the rest of English language.

Something thats circular(ish) or goes around in a circle. Its close
enough.

Frankly borrow-checking can mean whatever they want it to mean
this week, but in general its what I said above.

Neither 'borrow' nor 'borrow checker' are Rust keywords. They are
abstract (more or less) concepts used in Rust manuals. And it
seems logical that it would be easier to explain the later if we
explain the former first.

Presumably the borrow means something "borrowed" the pointer, and
checker means checking the pointer is still valid. Doesn't seem
complicated to me.

May be, for people that are used to smart pointers in C++, for
people that move their private parts from unique_ptr to shared_ptr
to weak_ptr forth, back and sideways, may be for these people Rust ownership and borrowing business is not complicated. For me it is.

From what I have understood, Rust borrowing is more related to
std::move() and rvalue references in C++. But yes, one thing which
can be moved around this way is indeed std::unique_ptr.

My understanding is an opposite.
Borrowing is the case when the ownership is *not* moved by creation of
the reference. Something akin to shared_ptr in C++ and to
reference-counted object in Swift or may be even in Python. With the
major difference that in Rust references are counted by static analyzer
in compile time rather than by language runtime system (Swift) or by
the library (C++) in run time.

But then, not counting examples from tutorial, I wrote only one
full program in Rust and this program was rather simple. So it is
possible that I misunderstood.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 10/8/24 21:40, Lynn McGuire wrote:

"Safe C++ is A new Proposal to Make C++ Memory-Safe"
   https://www.infoq.com/news/2024/10/safe-cpp-proposal/

"The goal of the Safe C++ proposal is extending C++ by defining a
superset of the language that can be used to write code with the strong safety guarantees similarly to code written in Rust. The key to its
approach is introducing a new safe context where only a rigorously safe subset of C++ is allowed."

"The Safe C++ proposal, set forth by Sean Baxter and Christian Mazakas, originates from the growing awareness that C++ memory unsafety lies at
the root of a large part of vulnerabilities and memory exploits. The
only existing safe language, say Baxter and Mazakas, is Rust, but their design differences limit interoperability, thus making it hard to
migrate from one language to the other. For example, Rust lacks function overloading, templates, inheritance, and exceptions, while C++ lacks
traits, relocation, and borrow checking."

Lynn

For some definition of safe.

A lot of the problem is logically most stuff is treat as if
it was all move or copy by value. That's not feasible for
large data structures or where storage requirements aren't
known at compile time. So references get used and that's
problemantic since 2 references can share all or some of
their memory. So it looks like Rust does a lot of work
on detecting or managing aliasing.

Also there's ownership, responsibility to run the dtor,
deallocate heap storage, etc... RAII take care of a lot
of that but problems can occur when concurrency enters
the picture. Language architects and standards committees
don't have a very good understanding of concurrency and
tend to architect some really sub-optimal stuff from a
concurrent programming point of view. Just look at
rustaceans trying to explain how ARC ownership works.
There's no formal ownership mechanism there, it just
gets swept under the Rust rug of unsafe.

Rust unsafe is how they punt on the issue. Basically
you use unsafe to code stuff Rust doesn't have the
mechanisms for but the authors of said code have to
guarantee their code meets Rust safety at the api
level. Do you feel lucky?

Also it's very telling that restaceans claim that
Rust is super fast and yet promote reference counting
as the way to share objects when reference counting
is one of the least performant ways of doing that.


Traits are nice. Nothing to do with safety AFAIK. They are sort
of like Java interfaces or C++ abstract methods except they can
be defined outside of the class definition. I would have
really liked something like that in Java. Shouldn't be too
hard to add to C++, though it would be nice that if the type
was known at compile time they avoid the virtual method
vtables and inline where possible and feasible.

Joe Seigh

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 10/10/2024 18:11, Michael S wrote:

On Thu, 10 Oct 2024 18:08:48 +0300
Paavo Helde <[email protected]> wrote:

On 10.10.2024 16:54, Michael S wrote:

On Thu, 10 Oct 2024 13:11:24 -0000 (UTC)
[email protected] wrote:

On Thu, 10 Oct 2024 14:10:47 +0300
Michael S <[email protected]> boring babbled:

On Thu, 10 Oct 2024 10:50:05 -0000 (UTC)
[email protected] wrote:

On Thu, 10 Oct 2024 13:44:59 +0300
Michael S <[email protected]> boring babbled:

On Thu, 10 Oct 2024 10:20:07 -0000 (UTC)
[email protected] wrote:

I think its just their way of checking if something could have >>>>>>>> been altered before use in a way that might crash the program
or introduce bugs.

Now you're talking about meaning of 'borrow checker'.
Before we go that far we have to dig up the meaning of 'borrow'. >>>>>>>

Since when do programming language keywords always mean the exact
same as the english equivalent? Last time I looked "for" didn't
mean "loop" in english.

Well, I don't know how it feels for native English speakers, but
for me meaning of 'loop' in programming is not equivalent to its
meaning in the rest of English language.

Something thats circular(ish) or goes around in a circle. Its close
enough.

Frankly borrow-checking can mean whatever they want it to mean
this week, but in general its what I said above.

Neither 'borrow' nor 'borrow checker' are Rust keywords. They are
abstract (more or less) concepts used in Rust manuals. And it
seems logical that it would be easier to explain the later if we
explain the former first.

Presumably the borrow means something "borrowed" the pointer, and
checker means checking the pointer is still valid. Doesn't seem
complicated to me.

May be, for people that are used to smart pointers in C++, for
people that move their private parts from unique_ptr to shared_ptr
to weak_ptr forth, back and sideways, may be for these people Rust
ownership and borrowing business is not complicated. For me it is.

From what I have understood, Rust borrowing is more related to
std::move() and rvalue references in C++. But yes, one thing which
can be moved around this way is indeed std::unique_ptr.

My understanding is an opposite.
Borrowing is the case when the ownership is *not* moved by creation of
the reference. Something akin to shared_ptr in C++ and to
reference-counted object in Swift or may be even in Python. With the
major difference that in Rust references are counted by static analyzer
in compile time rather than by language runtime system (Swift) or by
the library (C++) in run time.

But then, not counting examples from tutorial, I wrote only one
full program in Rust and this program was rather simple. So it is
possible that I misunderstood.

Without having used Rust myself, I think you are closer to the right
concept.

But I wonder if it is better to think of it as a kind of "locking".
Basically, if you have an object, then take a reference to the object or
a sub-object (such as an item in a container), then that "locks" the
object and makes it immutable until the reference is dead or out of scope.

Borrowing in Rust is only partially checked at unit compile time.
AFAIUI you also need to use a "borrow checker" after compilation to make
sure that cross-module borrows are safe.


(The concept of this kind of larger scale correctness analysis is not
actually new. If you have ever looked at the XMOS microcontrollers,
they are often programmed in a language called "XC" that amongst other
things has analysis to limit the access to data by different threads so
that you know there are no race conditions.)

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 09/10/2024 02:40, Lynn McGuire wrote:

"Safe C++ is A new Proposal to Make C++ Memory-Safe"
   https://www.infoq.com/news/2024/10/safe-cpp-proposal/

"The goal of the Safe C++ proposal is extending C++ by defining a
superset of the language that can be used to write code with the strong safety guarantees similarly to code written in Rust. The key to its
approach is introducing a new safe context where only a rigorously safe subset of C++ is allowed."

"The Safe C++ proposal, set forth by Sean Baxter and Christian Mazakas, originates from the growing awareness that C++ memory unsafety lies at
the root of a large part of vulnerabilities and memory exploits. The
only existing safe language, say Baxter and Mazakas, is Rust, but their design differences limit interoperability, thus making it hard to
migrate from one language to the other. For example, Rust lacks function overloading, templates, inheritance, and exceptions, while C++ lacks
traits, relocation, and borrow checking."

Lynn

I hiccuped at this point:

a superset of the language

This means it has everything that C++ has, and some more stuff as well.
I'm pretty sure they mean a subset.

Andy

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sun, 20 Oct 2024 12:37:45 +0100
Vir Campestris <[email protected]d> wrote:

On 09/10/2024 02:40, Lynn McGuire wrote:

"Safe C++ is A new Proposal to Make C++ Memory-Safe"
�� https://www.infoq.com/news/2024/10/safe-cpp-proposal/

"The goal of the Safe C++ proposal is extending C++ by defining a
superset of the language that can be used to write code with the
strong safety guarantees similarly to code written in Rust. The key
to its approach is introducing a new safe context where only a
rigorously safe subset of C++ is allowed."

"The Safe C++ proposal, set forth by Sean Baxter and Christian
Mazakas, originates from the growing awareness that C++ memory
unsafety lies at the root of a large part of vulnerabilities and
memory exploits. The only existing safe language, say Baxter and
Mazakas, is Rust, but their design differences limit
interoperability, thus making it hard to migrate from one language
to the other. For example, Rust lacks function overloading,
templates, inheritance, and exceptions, while C++ lacks traits,
relocation, and borrow checking."

Lynn

I hiccuped at this point:

a superset of the language

This means it has everything that C++ has, and some more stuff as
well. I'm pretty sure they mean a subset.

Andy

Ignore clueless Sergio De Simone. His article couses nothing but misunderstanding.
Go straight to the proposal. https://safecpp.org/P3390R0.html#relocation-object-model

"The goal of this proposal is to advance a superset of C++ with a
rigorously safe subset."

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sun, 20 Oct 2024 14:46:55 +0300
Michael S <[email protected]> boring babbled:

On Sun, 20 Oct 2024 12:37:45 +0100
Vir Campestris <[email protected]d> wrote:

On 09/10/2024 02:40, Lynn McGuire wrote:

"Safe C++ is A new Proposal to Make C++ Memory-Safe"
=A0=A0 https://www.infoq.com/news/2024/10/safe-cpp-proposal/
=20
"The goal of the Safe C++ proposal is extending C++ by defining a=20
superset of the language that can be used to write code with the
strong safety guarantees similarly to code written in Rust. The key
to its approach is introducing a new safe context where only a
rigorously safe subset of C++ is allowed."
=20
"The Safe C++ proposal, set forth by Sean Baxter and Christian
Mazakas, originates from the growing awareness that C++ memory
unsafety lies at the root of a large part of vulnerabilities and
memory exploits. The only existing safe language, say Baxter and
Mazakas, is Rust, but their design differences limit
interoperability, thus making it hard to migrate from one language
to the other. For example, Rust lacks function overloading,
templates, inheritance, and exceptions, while C++ lacks traits,
relocation, and borrow checking."
=20
Lynn
=20

I hiccuped at this point:
=20

a superset of the language =20

=20
This means it has everything that C++ has, and some more stuff as
well. I'm pretty sure they mean a subset.
=20
Andy

Ignore clueless Sergio De Simone. His article couses nothing but >misunderstanding.
Go straight to the proposal. >https://safecpp.org/P3390R0.html#relocation-object-model

"The goal of this proposal is to advance a superset of C++ with a
rigorously safe subset."

Why bother. All thats needed is a new keyword, perhaps "safe".

Trivial example:

safe
{
int i[10];
int j = 10;
cout << i[j];
};

This would fail to compile or if the check couldn't be done at compile time
any invalid memory accesses within the "safe" block could runtime abort with a useful error instead of just ploughing ahead and crashing or corrupting the code later anyway with the expense of runtime checking costs.

Possibly even a handler function could be set for this eventuality (no, catching a SIGSEGV/BUS isn't the same as you don't know whats been corrupted
so can't do anything useful in the sig handler anyway).

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 10/8/24 21:40, Lynn McGuire wrote:

"Safe C++ is A new Proposal to Make C++ Memory-Safe"
   https://www.infoq.com/news/2024/10/safe-cpp-proposal/

"The goal of the Safe C++ proposal is extending C++ by defining a
superset of the language that can be used to write code with the strong safety guarantees similarly to code written in Rust. The key to its
approach is introducing a new safe context where only a rigorously safe subset of C++ is allowed."

"The Safe C++ proposal, set forth by Sean Baxter and Christian Mazakas, originates from the growing awareness that C++ memory unsafety lies at
the root of a large part of vulnerabilities and memory exploits. The
only existing safe language, say Baxter and Mazakas, is Rust, but their design differences limit interoperability, thus making it hard to
migrate from one language to the other. For example, Rust lacks function overloading, templates, inheritance, and exceptions, while C++ lacks
traits, relocation, and borrow checking."

Lynn

Dealing with nullable pointers. Apparently some get really
freaked out by NPEs. Could be worse. I worked on platforms
where address 0 was readable without causing a segfault or
protection exception right away. You'd get a core dump but
with no indication of what code loaded the null ptr without
checking or why. Fortunately, on this platform you could
run an instruction trace to the terminal and wait for it
to stop. You'd then just go backward thru the trace until
the ip matched actual code. Anyway ...

You create a new nullable attribute for pointers. That
would make the pointer behave like void* instead of T*.
You could move, copy, and compare, but you could not
dereference them. If you wanted to dereference them
you would have to apply a special not_null unary predicate
to them. What makes it special is the boolean result
is only valid inside a conditional expression. It's
not copyable or referencable. You could have 1 or
more of these in a conditional expression along with
ordinary predicates with the restriction that the
expression has to be formed such that if any of the
not_null terms are false, the expression has to
evaluate as false.

The other thing that makes not_null is that inside
if the conditional statements true blocks, the
nullable pointer gets it T* properties back, so
you can dereference it, but again only in the
true blocks. So for example

nullable T* p = &something;

T p2 = *p; // invalid, compiler thinks you are trying
// do dereference void*

not_null(p); // invalid, not inside conditional expression

if (not_null(p)
p2 = *p; // valid
else
p2 = *p; // invalid


Traversing a linked list would look like

T* p = head;
while (not_null(p)) {
...
p = p->next; // valid, inside while true block
}

not_null would look like
__predicate_bool not_null(T *&)
It would make a const copy of T*, test that,
cast to T*, use it for the true block.

So no NPEs possible for pointer with this
attribute.

AFAICT, you can't do this with templates.

Joe Seigh

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 10/27/24 19:09, jseigh wrote:

On 10/8/24 21:40, Lynn McGuire wrote:

Traversing a linked list would look like

T* p = head;
while (not_null(p)) {
  ...
  p = p->next;    // valid, inside while true block
}

I should add, the p->next is also nullable so the
assignment to p makes it nullable again. The
goal is to make the code look like normal code
while ensuring null pointer safety.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 10/28/24 00:18, Chris M. Thomasson wrote:

On 10/27/2024 6:22 PM, wij wrote:

On Sun, 2024-10-27 at 20:40 -0400, jseigh wrote:

On 10/27/24 19:09, jseigh wrote:

On 10/8/24 21:40, Lynn McGuire wrote:

Traversing a linked list would look like

T* p = head;
while (not_null(p)) {
    ...
    p = p->next;    // valid, inside while true block
}

I should add, the p->next is also nullable so the
assignment to p makes it nullable again.  The
goal is to make the code look like normal code
while ensuring null pointer safety.

C++ is an object oriented language.
In C++, programming in C concept makes little sense.

Well, sometimes for some exotic algorithms we can steal a bit and say
this is a null (the bit is set) even though its not equal to nullptr.
It's null but it still points to a node. This can be called a so-called
dummy node, sometimes. The logic with dummy nodes can be beneficial.

The whole nullable pointer thing was a unrelated spin off of a
solution I did for addressing pointer provenance as discussed in https://lwn.net/Articles/993484/ in the comments.

The nullable pointer solution I proposed is not super clear
as it depends on behavior not presently in c++ so hard to
show how the solution would work.

At any rate, I don't have problems with nullable pointers or
dealing with pointer provenance, and I don't have spare
cycles to implement solutions for the latter, solutions I
don't need.

Joe Seigh

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 10/28/24 12:25, jseigh wrote:
...

The whole nullable pointer thing was a unrelated spin off of a
solution I did for addressing pointer provenance as discussed in https://lwn.net/Articles/993484/ in the comments.

The nullable pointer solution I proposed is not super clear
as it depends on behavior not presently in c++ so hard to
show how the solution would work.

At any rate, I don't have problems with nullable pointers or
dealing with pointer provenance, and I don't have spare
cycles to implement solutions for the latter, solutions I
don't need.

I worked on this some more so I've gotten a better idea of
what they mean by pointer provenance. I don't think will
solve all the issues they think it will. I can come up
with some pretty trivial examples that will break their
proposed solutions. I think they are unicorn hunting here.

One of the issues they brought up is the ABA problem. Yet
C/C++ has abjectly refused to support 50 year old hardware
features that would help for some ABA issues. Kind of hard
to take the pointer provenance problem seriously.

Joe Seigh

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 10/30/24 15:50, Chris M. Thomasson wrote:

On 10/30/2024 9:56 AM, jseigh wrote:

On 10/28/24 12:25, jseigh wrote:
...

The whole nullable pointer thing was a unrelated spin off of a
solution I did for addressing pointer provenance as discussed in
https://lwn.net/Articles/993484/ in the comments.

The nullable pointer solution I proposed is not super clear
as it depends on behavior not presently in c++ so hard to
show how the solution would work.

At any rate, I don't have problems with nullable pointers or
dealing with pointer provenance, and I don't have spare
cycles to implement solutions for the latter, solutions I
don't need.

I worked on this some more so I've gotten a better idea of
what they mean by pointer provenance.  I don't think will
solve all the issues they think it will.  I can come up
with some pretty trivial examples that will break their
proposed solutions.  I think they are unicorn hunting here.

One of the issues they brought up is the ABA problem.  Yet
C/C++ has abjectly refused to support 50 year old hardware
features that would help for some ABA issues.  Kind of hard
to take the pointer provenance problem seriously.

Are you referring to DWCAS? There has to be a compiler out there that
can handle it wrt it being, always lock-free ala:
__________________
​0​ for the built-in atomic types that are never lock-free,
1 for the built-in atomic types that are sometimes lock-free,
2 for the built-in atomic types that are always lock-free.
__________________

Damn it! ;^/

No. AFAIK everyone uses assembler. gcc has a builtin that
calls a library function which uses locks because soemwhere
in a museum there is an x86 computer that doesn't have
cmpxchg16b and in theory it someone port new versions of
linux and gcc to it, it wouldn't work. It sound stupid
because it is stupid.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

jseigh <[email protected]> writes:

[...]

You create a new nullable attribute for pointers. That
would make the pointer behave like void* instead of T*.
You could move, copy, and compare, but you could not
dereference them. If you wanted to dereference them
you would have to apply a special not_null unary predicate
to them. What makes it special is the boolean result
is only valid inside a conditional expression. It's
not copyable or referencable. You could have 1 or
more of these in a conditional expression along with
ordinary predicates with the restriction that the
expression has to be formed such that if any of the
not_null terms are false, the expression has to
evaluate as false.

The other thing that makes not_null is that inside
if the conditional statements true blocks, the
nullable pointer gets it T* properties back, so
you can dereference it, but again only in the
true blocks. So for example

nullable T* p = &something;

T p2 = *p; // invalid, compiler thinks you are trying
// do dereference void*

not_null(p); // invalid, not inside conditional expression

if (not_null(p)
p2 = *p; // valid
else
p2 = *p; // invalid

Traversing a linked list would look like

T* p = head;
while (not_null(p)) {
...
p = p->next; // valid, inside while true block
}

not_null would look like
__predicate_bool not_null(T *&)
It would make a const copy of T*, test that,
cast to T*, use it for the true block.

So no NPEs possible for pointer with this
attribute.

A few comments.

An "attribute" should be placed like a qualifier, next
to the pointer, rather than before the type specifier.

The sense of the attribute should be "never null" rather
than "nullable". Ordinary pointers are nullable; what
is needed is a way to indicate that a particular pointer
(either a variable or the return value of a function) will
never be null.

I expect there are implications for pointers to never-null
pointers, but I haven't tried to work out what they need
to be. Example: 'T *nevernull *p;'. What are the rules
for assigning to p?

Ordinary pointers can (sometimes) be determined to be
non-null using data flow analysis (like what you say in
the followup post for the linked list example).

There is no need for not_null(). If we see

if(p){ ... }

or

while(p){ ... }

we know that p will not be null inside the controlled
statement (subject to change if there is an assignment
to p, per the data flow remark above).

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Fri, 8 Nov 2024 15:40:49 -0800
"Chris M. Thomasson" <[email protected]> gabbled:

On 11/8/2024 3:13 PM, wij wrote:

I need examples to understand what you mean. I have not touched thread >issues for many years
, but hope I can help.

iirc, it was a base class that called its pure virtual thread entry
function _before_ its derived class had a chance to fully complete its
ctor. It's been a while since I have encountered this nasty scenario.

Its such an old and well known C++ problem it often comes up in interview questions.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

"Chris M. Thomasson" <[email protected]> writes:

On 11/8/2024 4:19 PM, wij wrote:

class BaseThread {
public:
BaseThread(Func func);
virtual ~BaseThread();
};

class Thread : BaseThread {
public:
Thread(Func func) {
// init vars.
::pthread_create(...func...); // the last line
};
// ....
}

You just have to make sure that the thread is created after class Thread
is ready for it. I have had to debug horror shows with threads created
in ctors before...

It's really very simple. Use a two-phase approach. The run thread
is created and immediately waits on a condition variable. When the
most derived constructor completes initialization, it signals the
condition variable before running the virtual 'run' function.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

"Chris M. Thomasson" <[email protected]> writes:

On 11/9/2024 8:23 AM, Scott Lurndal wrote:

"Chris M. Thomasson" <[email protected]> writes:

On 11/8/2024 4:19 PM, wij wrote:

class BaseThread {
public:
BaseThread(Func func);
virtual ~BaseThread();
};

class Thread : BaseThread {
public:
Thread(Func func) {
// init vars.
::pthread_create(...func...); // the last line
};
// ....
}

You just have to make sure that the thread is created after class Thread >>> is ready for it. I have had to debug horror shows with threads created
in ctors before...

It's really very simple. Use a two-phase approach. The run thread
is created and immediately waits on a condition variable. When the
most derived constructor completes initialization, it signals the
condition variable before running the virtual 'run' function.

Humm... Why not just make sure everything a thread needs is fully
constructed before you "launch" it? No condvars, mutexes necessary. This
is only on thread creation.

The idea is that your class inherits from the thread class ahead of
any other classes which encapsulates the thread creation in the
thread class constructor, which is the natural place to look for
it.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 10.11.2024 01:23, Scott Lurndal wrote:

"Chris M. Thomasson" <[email protected]> writes:

On 11/9/2024 8:23 AM, Scott Lurndal wrote:

"Chris M. Thomasson" <[email protected]> writes:

On 11/8/2024 4:19 PM, wij wrote:

class BaseThread {
public:
BaseThread(Func func);
virtual ~BaseThread();
};

class Thread : BaseThread {
public:
Thread(Func func) {
// init vars.
::pthread_create(...func...); // the last line
};
// ....
}

You just have to make sure that the thread is created after class Thread >>>> is ready for it. I have had to debug horror shows with threads created >>>> in ctors before...

It's really very simple. Use a two-phase approach. The run thread
is created and immediately waits on a condition variable. When the
most derived constructor completes initialization, it signals the
condition variable before running the virtual 'run' function.

Humm... Why not just make sure everything a thread needs is fully
constructed before you "launch" it? No condvars, mutexes necessary. This
is only on thread creation.

The idea is that your class inherits from the thread class ahead of
any other classes which encapsulates the thread creation in the
thread class constructor, which is the natural place to look for
it.

This would require a delayed startup as you describe earlier, which
makes things more complicated and cumbersome. I have adopted another way:

1. Never derive from std::thread.

2. If std::thread is a class member, it must be the last member.

3. Start it up by passing a lambda which calls the thread function
with needed parameters explicitly, no need to design a virtual Run()
function with a fixed rigid signature.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sat, 9 Nov 2024 12:39:19 -0800
"Chris M. Thomasson" <[email protected]> boring babbled:

On 11/9/2024 4:01 AM, [email protected] wrote:

On Fri, 8 Nov 2024 12:40:36 -0800
"Chris M. Thomasson" <[email protected]> gabbled:

On 11/8/2024 6:54 AM, [email protected] wrote:

https://en.wikipedia.org/wiki/ABA_problem

Why's it a problem? Its why mutexes exist.

What if one did not want to use a mutex?

Then put up with the faff of semaphores or atomics and risk creating some
edge case race conditions.

Using lock/wait/obstruction-free algorithms is not about creating race >conditions... :^)

3 level locking generally solves most problems IME. C++ didn't have until 2017 when shared_mutex came along even though pthreads has had it forever and was
a reason people kept using pthreads in C++.

Not sure what you mean here... It's all about minimizing slow-paths, and >maximizing fast-paths. :^)

Fast paths are no use if the thread doesn't have anything else to do anyway.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 10/30/24 12:56, jseigh wrote:

On 10/28/24 12:25, jseigh wrote:
...

The whole nullable pointer thing was a unrelated spin off of a
solution I did for addressing pointer provenance as discussed in
https://lwn.net/Articles/993484/ in the comments.

The nullable pointer solution I proposed is not super clear
as it depends on behavior not presently in c++ so hard to
show how the solution would work.

At any rate, I don't have problems with nullable pointers or
dealing with pointer provenance, and I don't have spare
cycles to implement solutions for the latter, solutions I
don't need.

I worked on this some more so I've gotten a better idea of
what they mean by pointer provenance.  I don't think will
solve all the issues they think it will.  I can come up
with some pretty trivial examples that will break their
proposed solutions.  I think they are unicorn hunting here.

One of the issues they brought up is the ABA problem.  Yet
C/C++ has abjectly refused to support 50 year old hardware
features that would help for some ABA issues.  Kind of hard
to take the pointer provenance problem seriously.

I did come up with an interesting solution. It should work
on top of the proxy stuff but is not integral to it. But
I need to finish porting the proxy stuff to c++.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Lynn McGuire <[email protected]> writes:

On 10/30/2024 11:56 AM, jseigh wrote:

On 10/28/24 12:25, jseigh wrote:
...

The whole nullable pointer thing was a unrelated spin off of a
solution I did for addressing pointer provenance as discussed in
https://lwn.net/Articles/993484/ in the comments.

The nullable pointer solution I proposed is not super clear
as it depends on behavior not presently in c++ so hard to
show how the solution would work.

At any rate, I don't have problems with nullable pointers or
dealing with pointer provenance, and I don't have spare
cycles to implement solutions for the latter, solutions I
don't need.

I worked on this some more so I've gotten a better idea of
what they mean by pointer provenance.  I don't think will
solve all the issues they think it will.  I can come up
with some pretty trivial examples that will break their
proposed solutions.  I think they are unicorn hunting here.

One of the issues they brought up is the ABA problem.  Yet
C/C++ has abjectly refused to support 50 year old hardware
features that would help for some ABA issues.  Kind of hard
to take the pointer provenance problem seriously.

Joe Seigh

What is the ABA problem ?

Lynn

https://en.wikipedia.org/wiki/ABA_problem

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Fri, 08 Nov 2024 14:48:16 GMT
[email protected] (Scott Lurndal) boring babbled:

Lynn McGuire <[email protected]> writes:

On 10/30/2024 11:56 AM, jseigh wrote:

On 10/28/24 12:25, jseigh wrote:
...

The whole nullable pointer thing was a unrelated spin off of a
solution I did for addressing pointer provenance as discussed in
https://lwn.net/Articles/993484/ in the comments.

The nullable pointer solution I proposed is not super clear
as it depends on behavior not presently in c++ so hard to
show how the solution would work.

At any rate, I don't have problems with nullable pointers or
dealing with pointer provenance, and I don't have spare
cycles to implement solutions for the latter, solutions I
don't need.

I worked on this some more so I've gotten a better idea of
what they mean by pointer provenance.  I don't think will
solve all the issues they think it will.  I can come up
with some pretty trivial examples that will break their
proposed solutions.  I think they are unicorn hunting here.

One of the issues they brought up is the ABA problem.  Yet
C/C++ has abjectly refused to support 50 year old hardware
features that would help for some ABA issues.  Kind of hard
to take the pointer provenance problem seriously.

Joe Seigh

What is the ABA problem ?

Lynn

https://en.wikipedia.org/wiki/ABA_problem

Why's it a problem? Its why mutexes exist. Why would anyone expect non synchronised RW memory access to work? The exact same problem occurs
in databases with dirty reads.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 11/7/24 21:14, Lynn McGuire wrote:

On 10/30/2024 11:56 AM, jseigh wrote:

On 10/28/24 12:25, jseigh wrote:
...

The whole nullable pointer thing was a unrelated spin off of a
solution I did for addressing pointer provenance as discussed in
https://lwn.net/Articles/993484/ in the comments.

The nullable pointer solution I proposed is not super clear
as it depends on behavior not presently in c++ so hard to
show how the solution would work.

At any rate, I don't have problems with nullable pointers or
dealing with pointer provenance, and I don't have spare
cycles to implement solutions for the latter, solutions I
don't need.

I worked on this some more so I've gotten a better idea of
what they mean by pointer provenance.  I don't think will
solve all the issues they think it will.  I can come up
with some pretty trivial examples that will break their
proposed solutions.  I think they are unicorn hunting here.

One of the issues they brought up is the ABA problem.  Yet
C/C++ has abjectly refused to support 50 year old hardware
features that would help for some ABA issues.  Kind of hard
to take the pointer provenance problem seriously.

Joe Seigh

What is the ABA problem ?

Things like using single word compare and swap to pop something
off a stack where the stack was modified between the initial
load of the stack head and the top of stack is same but
the item after it is different.

Stack at initial load
x -> a -> b ...

Stack before cas of x from a to b for pop operation
because it changed.
x -> a -> c ...

Stack after pop
x -> b (b having possibly unknown memory state)

System370 has cds (double wide cas) to avoid the ABA problem
in the 70's.

Supporting DWCAS in C/C++ is NOT a technical problem.

Joe Seigh

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

"Chris M. Thomasson" <[email protected]> writes:

On 11/8/2024 3:09 PM, wij wrote:

The fun part about std::atomic and std::thread is that they are all in
one standard. POSIX requires a compliant compiler and system. Iirc, >std::atomic is not 100% guaranteed to work with PThreads. It does with >std::threads...

If you're using pthreads, use POSIX synchronization APIs. If you're using C/C++ standard threads, use synchronization APIs defined by the standard.

It's highly likely that on linux/unix systems, both sets of APIs
are implemented using the same operating system primitives.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Mon, 11 Nov 2024 13:36:53 -0800
"Chris M. Thomasson" <[email protected]> boring babbled:

On 11/11/2024 1:56 AM, [email protected] wrote:

On Sat, 9 Nov 2024 12:39:19 -0800
"Chris M. Thomasson" <[email protected]> boring babbled:

On 11/9/2024 4:01 AM, [email protected] wrote:

On Fri, 8 Nov 2024 12:40:36 -0800
"Chris M. Thomasson" <[email protected]> gabbled:

On 11/8/2024 6:54 AM, [email protected] wrote:

https://en.wikipedia.org/wiki/ABA_problem

Why's it a problem? Its why mutexes exist.

What if one did not want to use a mutex?

Then put up with the faff of semaphores or atomics and risk creating some >>>> edge case race conditions.

Using lock/wait/obstruction-free algorithms is not about creating race
conditions... :^)

3 level locking generally solves most problems IME. C++ didn't have until >2017
when shared_mutex came along even though pthreads has had it forever and was >> a reason people kept using pthreads in C++.

Not sure what you mean by 3 level locking. Are you talking about

Seriously?

PTHREAD_MUTEX_RECURSIVE? ohhh. I have had to debug some very nasty
conditions that used recursive locks. Ouch.

No, I'm talking about read locks vs read-write locks.

Fast paths are no use if the thread doesn't have anything else to do anyway. >>

If a thread has nothing to do, it can wait, for something to do. ;^)

Think of an empty queue condition. A thread can just wait on it...

Sure, but then who needs a "fast path"? Just sit on the mutex/condition variable.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 10/8/24 21:40, Lynn McGuire wrote:

"Safe C++ is A new Proposal to Make C++ Memory-Safe"
   https://www.infoq.com/news/2024/10/safe-cpp-proposal/

"The goal of the Safe C++ proposal is extending C++ by defining a
superset of the language that can be used to write code with the strong safety guarantees similarly to code written in Rust. The key to its
approach is introducing a new safe context where only a rigorously safe subset of C++ is allowed."

"The Safe C++ proposal, set forth by Sean Baxter and Christian Mazakas, originates from the growing awareness that C++ memory unsafety lies at
the root of a large part of vulnerabilities and memory exploits. The
only existing safe language, say Baxter and Mazakas, is Rust, but their design differences limit interoperability, thus making it hard to
migrate from one language to the other. For example, Rust lacks function overloading, templates, inheritance, and exceptions, while C++ lacks
traits, relocation, and borrow checking."

Lynn

I did figure out how to do Rust style locking in C++ while working on
some deferred reclamation stuff. It's fairly simple to implement.
I'm not masochistic enough to want to use it though.

Joe Seigh

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)