I'm not a C++ dev, but I wrote Java for about 10 years. Java provides you _some_ additional guarantees when it comes to constructing an object, but there are still easy ways to make mistakes and access uninitialized fields. I _never_ understood what the point of constructors (as seen in Java or C++) is, instead of having a way to construct an object with all field values in a single step. You can't name constructors and have to differentiate them by signatures instead, constructors are complicated to make safe (I think Swift has managed to do so), you can't return a type different from the class (e.g. wrapped in an Optional). It just seems like a bad idea that should be avoided in language design.

sooo smart, until the moment you realize your type is now not compatible with quite some std containers. Default initialization DOES MATTER.

​@@petarpetrov3591 I agree, but not everything should implement a default initialization, it should be tied to an interface.

I don't get it, how is that clever? The invariants will be violated while you are doing the bunch of logic. This is just kicking the problem. The real solution is stop kicking the can and accept that not all constructors need to establish invariants, especially the default constructor. Partially Formed values are ok, and efficient.

@@AlfredoCorrea I don't understand. If an object has an associated invariant and the factory method creates that invariant _and then_ constructs the object, how is the object's invariant ever violated? Either the object exists with the invariant or it doesn't exist. Maybe you're looking at this from a different angle, but in my experience, having invariants associated with types/objects is really nice. Making it impossible/harder to instantiate objects with broken invariants helps a lot. I write a lot of security-critical stuff.

You know what that does to you, right? It makes your software useless if you miss your user's actual user requirements. It's just trading one bug opportunity against another.

...what? ​@@lepidoptera9337

​@@lepidoptera9337 No. It makes all invalid states unreachable, meaning if the not mentioned use case lies within the non invalid cases then you can be absolutely sure that it will work without changes. If it lies within the explicit invalid then it will not work just as it shouldn't. If a new use case lies within the before agreed on "invalid" then it should not be able to exist, without explicit change.

@@onebacon_ It usually doesn't. People use e.g. negative entries in fields that usually expect positive numbers as flags all the time. Or let's say you make an animal class and you only allow "dog, cat, canary", then only small animal vets can use it. A rural vet who treats "horse, cow, sheep, goat" is done for. All of you guys have been over-trained by architects with OCD in this belief that exercising absolute control over the user makes good software. That's total BS. What makes good software is adaptability and resilience. If somebody can compromise your Windows PC because they are allowed to put an arbitrary string into "animal type" rather then selecting from a pulldown-menu, then you didn't do your job correctly. You just showed the entire world that you are poorly educated engineers.

​@@lepidoptera9337having invalid states doesn't mean that the software cannot meet the requirements, just that we have less time representing the technical things and more time making the requirements

the thing is that thats quite irrelevant in larger code bases. when using rust to write my game engine with vulkan for example the invariants to control for are so large and expansive that everything has to unsafe anyway. having an api that is provably safe when your memory isnt cache coherent and asynchronously in flight is virtually impossible. also people dont actually give a shit about it. every other crate i open from crates io leaks undefined behavior into safe rust. and that one compromise it all that it takes to compromise all of your rust codes safety.

@@gideonunger7284 um sweaty, just spend 3 years writing a safe wrapper for vulkan and use that instead.

​@@gideonunger7284I just don't know enough about GPU/Vulkan programming to meaningfully comment on the first part, but I just thought, isn't the point that's (kinda) made in this video that you need to design your API very carefully, creating very small abstractions and such components, in order to be able to minimise the invariant space around unsafe code? Ie., it's a very big effort, but not necessarily impossible? I don't know if it's _literally_ every other crate (maybe you just have very different usage patterns than me, lol), but yeah, there is a problem of a lot of crates using unsafe while not properly analysing it. It would be great if there was a common expected standard for analysis of unsafe, such that it'd be easier to see if the effort had been made, at the very least. To aid in that, but I don't know if this is feasible, it would be great if the compiler had an "invariant/UB analyser" that could look into and at least recommend invariants to check for and modes of UB that might arise from a particular use of unsafe.

​@@gideonunger7284 the fact that writting memory safe code is hard doesnt mean it is impossible tho, with enough time that is.

@@MarteenHobbu yes it does in certain cases. i write a lot of rust code and a lot of safe abstractions over unsafe code. and some abstractions, with how rust works, are per definition impossible. also the set of safe code as considered by rust is not the same as the set of safe code. so there is a lot of "correct and safe" code that you opt out by using rust. and some of that code you opt out of is very performant. which if you work on games for example can be a hard requirement for what you are doing so you will have to write it in unsafe rust.

Interesting. But what's the point of having Option in this case ? Can't you just keep a u8 and check if it's not 0 when you need to ? Better readability and type safety I guess because then you can never accidentally devide by 0 if you forgot to check (but you can never forget to check Option for None). Is that all ?

​@@tombenham9458 the NonZero types are often used for optimizations. If your type contains one anyehere in it, Option will have the same shape as T. The other use is semantics. Sure you "could just check that its not zero" when you use it, but that means putting those checks all over your code and more possibility to forget them. If you use this type it pushes the check to one place in the code (the factory new function) and everywhere else the invariant is guaranteed by the type system without having to put any more checks. So it's both harder to get wrong (correctness) and more performant (less checks needed). When working in Rust I find I pretty commonly create these sorts of restricted "Semantic Types" in places where in other languages I might just use a plain int or string.

@@tombenham9458 @tombenham9458 You can also only check it once and then pass around bare NonZeroU8. The compiler would not let you get NonZeroU8 without checking, so in all the other places of your code you can be sure you don't need any checks. With a u8 you would have to remember at which exact points of your code it has already been checked and at which it wasn't.

​@tombenham9458 With Option, you don't necessarily have to check for None. That can be done via the many helper functions that Option has. 'map', for instance, becomes a no-op if the value is None. You have 'is_some_and' function too for doing some boolean check on the value, which defaults to false with None. Option is such a useful type.

@@tombenham9458 encapsulating this in the type system means that even when you pass this object to some other library or get a value passed by another library, you will not need to explicitly check for it to be non-zero. Furthermore, the compiler cannot know if a u8 is nonzero just by looking at it. With a proper type, the compiler can know this however. Type-safety in this case means to represent possible values by your type system, meaning if you pass the correct type, it is valid by design. For a randomly picked u8 value, we do not know if this is nonzero. Thus representing a NonZeroU8 value as u8 is not type-safe.

Yes, exceptions - like much of C++'s lunacy - are actually in the language for a good reason. Also there's a great CPPCon talk "expect the expected" that talks about many types of error handling and their issues/strengths. Exceptions in particular provide a lot of strengths. You can do centralised error handling, transport lots of information about the error, and they're very performant for situations where the "unhappy case" is rare - as you would hope it is.

Exceptions should only be used in exceptional circumstances. Even if they were free from a performance standpoint, using them for flow control just makes a maintainability mess.

Unfortunately there's no other (sane) way to signal failure from a constructor, which is why they're mentioned in this video. And for something like NonZeroU8, having the failure case be expensive really reduces the number of places that type can be used (compared to the rust version which is zero-cost)

I think the `pub` keyword is omitted for the purposes of keeping the example code in the video concise and focused on what is being demonstrated. Similarly, in real code, some of the functions should ideally be marked as `const`, but that isn't relevant to the video topic. Anyway, still a useful reminder.

@@shrootskyi815 thanks for your reply. The main point that I was trying to convey is that if one has a struct with invariants, they should take steps to ensure that the struct only gets created using their designated 'factory functions' and its fields won't be manipulated directly. This typically means putting the struct in a module and declaring the factory functions and other potentially mutating functions as 'pub'.

Yeah that's a good example how C++ is hard to learn. I knew of both already but that took years of learning. This is unexpected to someone just picking it up. But good compiler warnings go a long way on this too.

Friends over at the pony language call these passkeys "object capabilities"; you create a type such that only code you trust may receive and instance of that type, and you then use this trust to gate away features of your library

What is the pony language?

​@@LunaDragofelisJust Google it?

@stysner4580 Rust is great. But at work I use C++ so I have to be good at it

Yeah, that way you can have multiple constructors that init to different values. If NSDMI took precedence then you couldn't use the initializer list to has per constructor values assigned in the initializer list

the std uses a "box" keyword that avoids this problem while preventing stable rust code from using it. very annoying

​@@kaga2922 that keyword no longer exists - even within std. Box::new is now implemented with a special attribute.

@@kaga2922actually it's now been replaced by an arcane rustc attribute called #[rustc_box]. this problem does need fixing but its a much smaller problem than the tarpit C++ finds itself in imo - essentially we need a more ergonomic and safe equivalent of out pointers that doesnt involve using MaybeUninit which is very easy to misuse, whereas some sort of &out reference that *must* be fully initialized by the time the function returns would be much better

placement new is wip from what know. in the mean time you do: vec![0u8; 10000000].into_boxed_slice()

Absolutely true that placement new is badly needed in stable Rust. My preference would just be stronger guarantees about move elision, rather than a special attribute or `box` syntax or `&out` parameter type of thing. Since Rust controls its own calling convention, it would be amazing if `Foo::bar([0u8; 10_000_000])` could just initialize the 'prvalue' array directly wherever `Foo::bar` moves it to. In a perfect world this could be done without introducing anything like the incredible amount of complexity C++ has around value categories.

I'm quoting this on my CS final.

C++ classes are a mess in general. Like why the fuck do I have to write a custom destructor, copy-constructor, and a copy assignment operator just to be able to properly handle pointers. At least the only real footgun in Rust (in this context) is the `Drop` trait implementation.

all of c++ is a mess

No not really

​@@oserodal2702 and unless you're managing custom resources (raw files, raw memory allocations, etc) or want drop for your type to have side-effects, you mostly don't need to implement drop either!

It definitely has some similarities to Pimpl, and you could definitely set up your class architecture get the implementation hiding benefits of Pimpl and the initialization benefits of CString::M in one swoop if you chose to. I do want to point out that in the form I showed in the video, CString::M should actually be utterly transparent to the compiler; I doubt there would be any indirection overhead at all, even in unoptimized builds.

@@_noisecode I tend to agree. The main issue I see with your inner-struct suggestion is that I think it doesn't handle inheritance elegantly

It would be reasonable to use the success or failure of Rust's NonZeroU8::new as actual regular control flow in your code (say you have an unknown u8 and it's not necessarily an error if it's 0, you just want to take a different code path), whereas it would not be reasonable or wise to do so with a try/catch and a throwing constructor in C++. That's the insight at the heart of my argument that exceptions are too expensive for this simple low-level task. The noexcept trick actually sounds more like safe Rust than unsafe: it guarantees a crash (safe) instead of forging ahead with UB (unsafe). As for code bases that aren't prepared to handle exceptions, sure, everyone should just git gud, but the fact that the language doesn't force you contend with them (the invisible code path argument) means this is always going to be an uphill battle. Structuring your code to put failure in the type system with std::optional (or std::expected in the future) gets the type system on your side about requiring you to think about error cases.

@@_noisecode Well if it's "not necessarily an error" then it's not a use-case for exceptions, and you're right that "it would not be reasonable or wise to do so with a try/catch and a throwing constructor in C++". That's the whole point. There's no "insight at the heart" of your argument, because your "insight" just describes the industry standard for using exceptions. That doesn't make constructors "broken" in any way, nor it is an argument against exceptions. The thing with C++ is that it allows (as in doesn't restrict) you to implement the machinery for your desired usage yourself. "the language doesn't force you contend with [exceptions]" Well it can't realistically. Again, that's the whole point with exceptions. When you can't reasonably handle a certain error within a certain code-local path, you throw it to handle elsewere without needing to painstakingly restructure the whole code path. When you can handle it locally, you don't use exceptions. That's it. "everyone should just git gud" If that's your job and you're paid for it - yes, you should. We also have tooling to deal with human error.

@stysner4580 "Exceptions themselves aren't safe either" Well I never said they're the ultimate solution to guarantee safety in C++. They're not. But it's a perfectionist fallacy to dismiss them because they're not 100% safe. My original post was never intended to say that exceptions somehow make C++ as safe as Rust. Exceptions in C++ are just a solution to make it saf-ER in a way that's reasonable within a context of language's history. "there is no UB unless you've introduced it yourself in an unsafe block" Unless you've introduced it. Or your coworker has introduced it and you're using safe API provided by them. Or the library you're using introduced it. That fundamentally makes rust not 100% safe, it's safety relies on unsafe code being written correctly, which is in itself error-prone. That however doesn't make Rust as unsafe as C or C++, I recognize the benefit the safe/unsafe distinction provides for safety. For the same reason I recognize that exceptions provides benefits to safety in comparison with exceptionless C++.

@stysner4580 "you lost me" Couldn't care less tbh since you seem to be more interested having a debate with imaginary opponent without comprehending what's being said. Just because I'm replying anyway I will address some of the things you said, but I'm no longer interested to have a conversation with you. "The whole point is avoiding invalid states and UB" UB in C++ terminology is an invalid state of the whole program. Exceptions and RAII are the tools (that can be misused) to help preserve valid state of the objects as long as there is no UB (as long as the program state is valid). This is good enough in comparison with 0 safety mechanisms at all. In C++ it is a responsibility of a programmer to avoid UB, it is known to experienced C++ users and should be taught to inexperienced users instead of creating strawman arguments and sh*tt*ng on the language. We also have tooling to help. "misses the point of the video" As opposed to your belief I'm not trying to deboonk the video, I'm not trying to say C++ is safer than Rust or whatever you think, I'm addressing a specific problem in reasoning. "People will not hold to the same standard because C++ has an infinite number of standards. It's fine if you like that..." I'm not sure you understand what you're talking about. By "industry standard" I'm referring to a developed and widely adopted set of best practices in companies or groups of ppl that actually care about safety and actually understand how to use the tools they have. If someone decides to ignore these best practices or doesn't care to learn of them - generally speaking they're wrong and it's their fault, not the fault of the language. And yes, it's fine to only use a sub-dialect of a programming language when it makes sense for the use-case.

Exceptions are a lazy and dumb way to handle errors. They are worse than "goto" when it comes to managing program flow. It's simply a fact that C++ doesn't provide an elegant way of handling object construction failure.

Exactly.

you do but not directly when u r working with structures

Real

​@@programmingpillars6805 they aren't really constructos, I mean, if you are stretching the definition that much then "int x = 69" is using an int constructor to define x, which is a bit of a stretch IMO

@@lolcat69 yes it is a constructor ... i dont see why this is stretching of the definition ? just in cpp you can make more types and determine how they will behave in more detailed way by the constructors .

@@anon8510 Yes, it does. But that doesn't mean that all potentially unsafe errors happen there. As in this very example: let x=0; let y= unsafe{NonZeroU8::new_unchecked(x)}; The actual mistake happens on the line above the unsafe block, where x was supposed to be set to 1, not in the unsafe block itself. (It is not difficult to imagine that figuring out the value of x could be much more complicated, for instance dependent on input that isn't sanitised when it should be, or set with some crazy math expression that's not quite correctly coded.) Which is to say, you can't JUST grep for and look at the unsafe blocks. You have to inspect all the surrounding code as well.

The point is that you can always be sure that the breakage of the invariant happened in an unsafe block. But the thing that breaks the invariant might have initialized outside of it. Safe/unsafe rust does not promise anything else and this is already a lot better than having no safe subset.

Isn't std::mem::drop just a function with an empty body?

My favourite part is traits if you're working with a library that works with a specific struct, you often end up awkwardly calling a custom function that takes in the struct and spits some value or does some crap several times across your codebase. You can instead just implement a trait for the struct to make your life easier and code cleaner.

@@kuhluhOG exactly, it just consumes the value ) pub fn drop(_x: T) {}

@@senzmaki The ability to slap a trait in almost anything to extend its functionality is so great.

Here’s another line of code that’s equivalent to “std::mem::drop(x)” - “x;”. Just the variable and a semicolon. Because everything is a statement, “x” means you’re trying to pass x, and adding a semicolon means you aren’t returning anything. So you’re just passing x into the void, and the deconstructor is immediately called.

Indeed, and it can be annoying with libraries.

much legacy code are using old style C++ which forces you to use the old semantics for much of the stuff. When you work on a system that has code from the previous millennium, then you would know. And most of the time, it is not an option to rewrite all the code.

@@oysteinsoreide4323 if it ain't broke don't fix it - there's nothing inherently wrong with a constructor based approach when it's working properly. But new code in such a legacy code base certainly should consider the more robust approach - the two styles can coexist just fine

@@orterves Yes, in some instances, then using a better invariant on objects is good. But I'm not sure if I would use the factory approach. I would rather have an exception in the constructor, and ensure that the exception is handled. It will be much less code in the classes, and the validity of objects will be equally safe. The most important thing is to have good invariants, and that is often lacking in old programming style, and that is much worse. And something that is much more difficult to just write yourself out of when the code is complex. So there are much code where there is no clear invariant. So in that case how thigns are constructed is far less important. You would need to fix the invariants first.

You can do that in C++ with casting.

but at least the lang is simple enough that most everyone reading that understands that that's what's going on.

I would call this an 'abstract factory', since an 'image' is abstract

​@@sus7801But... would you call it an AbstractImageFactoryFactory? 😏

See: OOP Design Patterns. You might not be wrong, but others have decided this well before you.

Be aware that a lot of comparison of rust to C++ can be misleading. Most things rust does are not unique to rust. And C++ has quite a few odd things unique to it. One could do a similar comparison of C++ to other languages and notice the same differences. Languages borrow heavily from what comes before it and try to skip things noticed to be problematic.

Was about to suggest the same. I thought that's where he was headed...

Well I gotta keep you on your toes, don't I? That's definitely the other valid approach, but I prefer M because it's less typing (don't have to spam out and maintain that constructor that's pure boilerplate), and you get to use designated initializers when creating it in the factory. If C++ had reflection and we could auto-generate the boilerplate constructor, I'd be much more attracted to that approach. One of these days....

@@_noisecode what about macros or cpp2 @'s

Maybe I misunderstand here, but c++ absolutely has read-only fields. You mark them const. Its different from rust in both the not being the default and the meaning behind being const, but it is totally a thing.

@@username7763 Ah, yes you're right! Haven't thought of that. Didn't know they could still be initialized if they were const fields. That's great then

I love stuff like this. Can you give some examples where normal constructor use might be leading me to willy nilly allocations that I'm overlooking/could be avoiding?

In case of generics (templates in C++) types may have different number of constructor arguments, the particular constructor used is determined when the template is instantiated, e.g. vector.emplace_back(args...); will accept any number of arguments if the handled type has a constructor that accepts that combination of arguments.

@stysner4580 you can program safely in many languages. You cannot ride all horses at once though. We have for instance a ton of old code in c++ which has to be maintained.

@stysner4580 the valid state has to be made somehow though. If you want to have 100% valid state, then you must do a whole lot of validation in your code regardless of language and methods.

@stysner4580 you cannot be banned if you still can comment.

Yes, but the thing is you might do the right thing but your colleague might not...

​@@Evan490BC the argument can go all the way on every little things. safety is nice but it has cost, so it become risk assessment and trade-off consideration for specific situation. all i am saying is i have considered the risks and concluded it is not that beneficial to have further safety rail guards like unsafe keyword or prevent "spaces" in constructors in my situation/code base. There are no one-size-fits-all gloves.

What was the first general purpose OOP? I thought Simula was the first one. It maybe never became big though.

It sounds it is more use of metaclass programming.

@@oysteinsoreide4323 I would say Smalltalk, as Simula was specifically for simulation.

@@darrennew8211 Well, you can use Simula for general things. Yes, it has a simulation library, but it still is useful for general things. Well useful, is a wide term here. Simula is not much used these days. Has mostly been used in Universities. And it was the inspiration for Bjarne Strostrup that made C++. Smalltalk is probably more popular. But I still Simula as the first object oriented language.

@@darrennew8211 The Simula of 67 was made for general purpose. In 62 it was mostly for simulations. The 67 version was the version I used at university back in 1993 to -95.

Thanks for the correction! You're right.

I relate to this. I used to take pride in knowing all the little subtle or esoteric stuff in C++ and thought it was a good use of my brain cycles. I took some time away from C++ and now that I'm using it again, I'm like... man, dealing with all this complexity is mostly just a waste of our precious time on this earth.

God.. I’m felling upset 😞😞😞 I do love c++ It hurt me to hear that!!

tbf, the language concept of "moving" stuff (instead of just copying all the time) was added to the language after about 30 years (and still before Rusts came into being; what do you think where they got it from?)

The C++ committee is full of brilliant people doing their absolute best, but yeah backwards compatibility is the real killer. C++11 tried really hard to simplify initialization with uniform initialization, but it wasn't perfect (ahem std::initializer_list), and now we are stuck with its warts forever, and the sum total is that uniform initialization permanently added complexity instead of simplifying.

When C++ was created, people just didn't have decades of experience with this sort of things. I guess technically you can call this lack of foresight, but I think no one can be expected to have that level of foresight.

​@@__christopher__ the thing is that C++ tries to be 100% backwards compatible, the lack of foresight back then could've been justifiable if the language were to later undergo some fundamental change; but it didn't, and that's why it can be a pain in the ass to use nowadays. It doesn't seem like it'll ever be any different, and at this point maybe it's better to let it slowly die off and be replaced by Rust or even Go.

Spoiler alert, in 20 years people will say that [xyz] is such a better system than borrow checking and how come the Rust developers had such little foresight to build such a silly language. I mean personally I think that Val's system looks nicer to me than Rust even today. In any case, making programming languages is hard. Maintaining a programming language so that it stays relevant for decades is even harder.

Yeah, this problem alone probably won't cause many issues, but this is a nice example of how Rust (and some other languages) do things in a somewhat familiar, but also significantly different (and imo better) way. I've been writing a lof rust for around a year now, and it's really changed the way i write code in other languages as well. I think there are a lot of very valuable lessons to be learned from "the rust way" of programming, this just being one of them.

@user-li2yv5je5e, could you give us an example?

So you haven't even begun computing, yet, but you have already introduced seventy possible program terminating error opportunities. I don't even want to know what you are doing in the actual code. :-)

Something I might not have made clear enough in the video is that it's quite often that I WANT to be able to take the failure path. It's useful to have an unknown u8 value, and use the success or failure of constructing a NonZeroU8 from it as normal control flow. Exceptions are this strange form of control flow mechanism that you hope never actually takes the unhappy path--precisely because it's so expensive. I think that's a strange tool to use when there are simpler, more type-safe, and dirt cheap alternatives. Here's a quick microbenchmark where exceptions are over a thousand times slower for a simple piece of control flow that takes the failure path. quick-bench.com/q/KDEPFXLc7746GdbKRbyIuPghLe0 I stand by my claim that this is unacceptably expensive just for a fallible constructor of a low-level primitive like NonZeroU8.

@@_noisecode I did not expect it to be 1000x slower, the "common knowledge" was that it is about 20x slower than error checking. I guess I'll only use exceptions in cases where errors are truly exceptional, like IO operations. Thanks for the answer.

I guess simpler is in the eye of the beholder. :) Could be a neat idea. It still requires that all your members be default constructible (and ideally cheaply) so that they can be constructed before the opening curly brace and then assigned later.

Because he wants to use designated initialisers, so that he can always initialise data members in the right order.

While I agree in the end, if you do have to have constructors in your language (say, for backward compatibility with a previous language, or familiarity to intended programmer audience), you can do what Swift did and make fallible constructors possible and language-supported.

@@PthariensFlame Yes! That's also a good option.

@@PthariensFlame I dunno... I think I'd cry if C++ became any more convoluted.

I think you misunderstand. In C++ "struct" and "class" are the same. The default for struct is public and class is private. And when you declare it, you have to be consistent with the declarations (don't mix struct and class). But that is absolutely all. Everything else about struct is the same as a C++ class including having member functions, constructors and destructors, and templates. In no way was this solving it via a "C struct". It was simply another C++ class that just defaulted to public.

The "default constructor of int" bit was somewhat of a simplification in service of my not wanting to dive into all the C++ initialization complexity like I said. But to be more precise, yeah--ints don't have "default constructors" per se, but if you don't mention them in the initializer list, they do undergo _default initialization_, which, for ints, is defined as doing precisely nothing. Default initialization is the same type of initialization performed by the syntax `std::array xs;`. In this case, since std::array is a class type, default initialization calls its implicitly declared trivial default constructor, which does nothing, and we end up with an array of uninitialized ints. The syntax `std::array xs{};` on the other hand does _value initialization_, which has the difference that it zero-initializes primitive types (and aggregates thereof), so you end up with an array of all zeroes.

​@@_noisecodeThanks for replying! I've never actually read the C++ Standard myself, all I know is from specialized books and from experience working in the language. Your comment clarified things a bit. And it's a great video that explains in a very accessible manner why in modern PLs like Rust there are no constructors as we know them.

Templates: When Arne Stroustrup shouts "Jump!" you yell back "How high? Sir! Yes, Sir!". Seriously. One does not have to take every bit of bad language design for anything other than an intellectual joke. Templates surely fall into that category. Never used them. Never will.

@@lepidoptera9337 An unlike in an opinionated programming language, you don't have to. I've worked in code that didn't use templates. Not what I would have chosen, but that is a good thing about C++, you can do your own thing.

@ Yes, you can. What seems to be nearly impossible is to write a program that compiles to begin with. But let's say you manage that, it's entirely impossible to write one that doesn't crash mysteriously. OK, I am a crappy programmer, I admit that, but even I have managed to write a piece of software that has now been on sale for 18 years (without any modification) and that has 100% uptime and no known bugs. It's written in pure C and makes very conservative choices in memory allocation and program logic (it's based entirely on state machines and all state is declared global). In other words, I must have done something right at least once in my life and I am not a total loser as far as computers are concerned. Be that as it may, I have not managed to get any mileage out of C++. It's just too quirky. It tries to be too many things at once. It's more like one man's failed experiment in language design than anything else. Admittedly, it is still far better than Java, but that's not a major feat. It's not even that I don't appreciate some of the basic ideas, but the restrictions on the syntax and implementation of the language (as a preprocessor based text transformer?) may have screwed it up the most. Why not just add a meta-language to C that takes care of e.g. autogenerated interfaces? I did that once or twice in Python. You write Python, Python writes high performance C for you. Done. Still far less screwy IMHO. Although... I would not stick that monstrosity of mine into an autopilot, either.

​@lepidoptera9337 "Impossible" what? What are you, fresh graduate that barely saw any C++ code before? The epitome of very basic skill issues. There are many whole codebases of millions of lines written in C++. Right now you are reading this in a JS engine completely written in C++. Learn real programming first, then you will get your first C++ basic program to compile 🤣

godbolt.org/z/KP5j711aP GCC generates 2 strlen calls, even cranked to -O3. Clang too. The problem is that it can't prove that operator new[] doesn't touch touch any memory that aliases `*in`, so it can't prove that the two calls won't return different answers.

At the opening brace, all data members have been constructed. The S object still doesn't technically exist. You can prove it by throwing an exception out of the constructor: all of S's data members' destructors will be called (because their construction finished), but S's destructor won't (because it never fully came into existence so it doesn't need to be destroyed). I would argue that needing to perform extra business logic in the curly braces to ensure everything is "how we want it" strongly implies that S's invariants are not yet fully established by the time of the opening curly brace, requiring additional logic to be executed. This means that S is not yet "valid" per the definition I gave at the beginning, meaning reading from `*this` as though it's an S is potentially still just as dangerous as using it before members' constructors have run.

Optional and variant do both support in-place construction which can give you RVO if you do things correctly/carefully. The WithResultOf/“Superconstructing Super Elider” I mention near the end can help with this, I’d recommend checking that out in more depth.

Appreciate you watching! Big fan of your channel!

Because you already have the pointer to uninitialized this hanging around. C++ officially says that the only way to make an instance of a class (or a struct, for that matter) is to call a constructor. Aggregate initialization is just a default constructor that takes an initializer list.

@emilyyyylime- I really wish you could, but having private data members disables aggregate initialization for your type (even from inside a place with full visibility like a static member function, which is a shame IMHO). Using the nested struct gives us aggregate initialization for M, since M's members are all public even though M itself is private inside CString. So we create M through aggregate initialization, and then just need a proper CString private constructor that moves it into the private `m` member.

This is a really good question! So, since the unsafe code can only execute in the branch where we know it's not zero (we checked with the match{} statement), the unsafe block is actually known to be safe. This is the correct way of using unsafe blocks in Rust: carefully check that the preconditions are all satisfied, and then open the unsafe block. (In that way, 'unsafe {}' is a bit paradoxical--the keyword should really be like `i_have_checked_that_this_unsafe_operation_is_safe_in_this_case { foo() }`). This is really the essence of the interplay between safe and unsafe Rust. We have low-level operations that are generally unsafe, and then we write safe APIs on top of them by wrapping them in structures that check or otherwise enforce the unsafe operations' preconditions. If you have _bugs_ in those safe wrappers (like if we screwed up the match{} statement), then yes, you can cause safe code to have UB. This is generally regarded as a very serious bug in Rust, and so you'll usually see a lot of care and pains taken around unsafe blocks that are in safe code (like huge comment blocks explaining the reasoning why it's safe).

@@_noisecode Thanks!

Yep, you're describing [Named] Return Value Optimization (a.k.a. copy/move elision), and it's not only allowed by the C++ standard, but it's actually required in many cases as of C++17.

@@_noisecode huh, nice

If I'm not misunderstanding what you're talking about, I think have to disagree. When "making" a struct by filling in all of it's fields, you statically allocate that memory on the stack. You can also choose to dynamically allocate on the heap by using something like Box. Inside a function, once a struct is created, you can move it out of the function which, as far as i know, is always (or at least in 99.9% of cases) basically a zero cost operation. A type is only copied when explicitly calling `.clone()` on it, or when that type is `Copy` (true for most primitives).

@@potatomaaan1757 I think you are misunderstanding. To clarify, the issues are kinda twofold. One is that because objects (in the generic sense of "entities", not objecs in the C++ sense) are created inside of a function that has to return them, there's no idiomatic way in the language to construct on object off-stack: your struct is created on stack and then moved off the stack into a Box or wherever else if that's what you want. You could make a specialized new function that lets the caller pass memory in, but that isn't standard in the ecosystem, so you have to rely on compiler optimizations to eliminate that copying step, which are not reliable (this is an acknowledged issue inside of the Rust project, and there's slow-but-ongoing work to improve things), whereas in C++, because allocation and initialization are separated, the caller can decide to allocate the memory itself and use placement new to create the object, or use a custom allocator, even if additional allocations occur during the creation process. Rust additionally doesn't handle allocation failure very well and doesn't have support for custom allocators yet. And to be clear both the all-on-stack allocations and the lacking support for custom allocators are seen as limitations in Rust-Custom allocators are in nightly right now, but because Rust uses factory functions to create objects, support will have to be specifically added to any datastructure that performs an allocation. As for the copy-out issue, work is being done to make the optimization consistent and there's been discussion of a language feature to allow for functions to explicitly request/demand the optimization, but that's all still WIP. I'm hoping this all does get resolved, but it is definitely a challenge with the design Rust chose here. There are a lot of issues with C++'s design, but the video covers those and they're discussed a lot more generally.

Also 12:58 you can call lib::is_ascii() on "in" array and it wont be a problem with reordering is_ascii.

Thanks for the comment. :) I believe in the video I did mention that delegating constructors (like you have here) were a possible solution for the double strlen / wanting local variables for member initializer lists. The immediately invoked lambda is nice for the initialization of buf, good idea!