As an Ada programmer for almost 10 years ( mainly the 1990's) Ada had some serious flaws. #1 was the time it took to write and compile and #2 rendezvous , whilst a good idea had HORRENDOUS overheads for any real time system, #3 variant records, quite mad. Causes random errors however days or weeks after running. And finally #5 Exceptions. The worst and slowest exceptions of any language. Any real time embedded system had to ban the use of exceptions, and possibly have a try catch in EVERY function. Nice things. 1# very strict typing (too strict sometimes) #2 Can print out enum value names, #3 no inheritance until someone added into Ada95. Ada Tasks were very sensible. The best feature was that you could add C code -- This is how I learnt C and still use it to this day.

@ t might have gotten better since the 90s. its been updated several times, is now part of gcc. and variant records rock!

@ Unfair comparisons. 1. Sounds like you were using a bad compiler. GCC GNAT builds as fast as the C++ version. 2. Never heard of rendezvous. 3. Variant records or discriminated unions have been adopted in other languages, including Rust and Swift as optionals and or parameterized enum types, and C++ through templating. It's a powerful construct and elegantly solves a lot of problems. 4. Sounds like bad programming or again a really bad compiler. 5. Exceptions work fine, but are not recommended for resource constraints devices. In any language, including C++, exceptions handling across function calls are costly. Oddly enough, C, your favorite language doesn't even support it. Ada isn't perfect, but most of the criticisms levied against it are made by lazy, undisciplined, poorly trained, cowboy programmers who write shoddy code. It is a comprehensive language well ahead of its time with lots of bells and whistles for addressing a wide range of domains. It's one of the many reasons it survived along with its safety and reliability. It's not the sexiest language, but it runs satellites, airplanes, nuclear power plants, air traffic control systems, and medical devices.

Ada did some of this very well, but it never really caught on. And it's probably a worse successor to C++ than Rust is.

I have to agree. The real strength of Ada, is the strict compiler and type safety. - and readability of the code. What about SPARK? Both should receive renewed attention when it comes to safety of software.

Can't have memory errors if you never allocate memory. *taps forehead*

​​@@Orion2349memory errors are possible in C/C++ even without allocating memory, just write beyond límits of statically defined array, or assign arbitrary value to s pointer and write to it.

THIS !!!

@@Orion2349 can't have memory errors if the hardware features memory tagging either, intel and amd missed that boat

LOL...not they won't. 1. The VAST majority of software written in both the Public and Private Sectors has been implemented in GC'ed languages for the last 30+ years. 2. Having worked in and out of IT Security for the US Government I can assure you that there is already approved lists of programming languages that are allowed for software implementation.....that getting an exemption for is nearly impossible. 3. No one is going to be re-writing anything that is non-trivial in scope and size...especially if it is "mission critical". The best you could hope for is implementation of secure code practices for any further maintenance and feature additions.

@@thecollector6746 the world doesn't change on a dime, and rewriting "hardened" systems is unrealistic. however, in this age of interconnectedness and near-constant state of "cyber siege" by hostile state-sponsored attacks, this is an increasing concern.

Generics are cool and all and should be there, but in my experience they tend to be most useful for library/framework type code, which most of us aren't writing day to day(we're using libraries and frameworks).. now the committee is doing a ton of work to do compile metaprogramming, again mostly useful for specific things that most of us don't do..

Rust for example doesn't do dependent types. Affine types do the job just fine.

dependent types are massive overkill, even for functional languages / programs. The juice ain't worth the squeeze.

@@bryanedds8922 They're as simple as system F if you want them to be, you don't need to formally prove every property you care about. It's a strict upgrade that gives you more power where you need it, but gets out of the way when you don't.

@FluffyFluff-yj8tg Affine types help, but why not have both? Idris has both, so it's certainly possible.

What are these dependant types you mention?

What were you hoping for?

@toby9999 Change, maybe.

​​@@c2ashmanMy main gripe is the whole C++ is dangerous mentality. Yeah, so are cars, power saws and knives. Lets have cars that never crash and knives that are never sharp. I've worked for a multinational as a C++ developer for 25 years, including assisting support and product mantainance... it's safe to that 99%+ of bugs are logic errors, not memory issues. Rust and Zig aren't going to fix that.

@@toby9999 I am developing C++ for about 20 years. But you are OK with no automatic out of bounds checks? Or using your analogy, even if cars could be made crash safe, you would still vote for cars that could crash and kill people? Just using your analogy.

@@c2ashman I think C++ requires a level of scrutiny and testing beyond what other languages and paradigms do. I'm happy to do bounds checking for testing purposes but in production, performance matters.

I got interested in D for a bit and thought it was quite interesting but the "programming bros" that I showed it to just weren't the slightest bit interested. I don't understand WHY no one else was interested but one thing I can be sure is that most people just don't like D. :(

C++ changes all the time. C does too. The compilers change things, then the "standard" retroactively covers the changes and makes them "official". No one is writing C89.

It does not change, you can write C++ 1998 if you like, it got enormous additions of syntax and features. This community is just awesome. Most of them are much cleverer than me and i have a high salary living thanks to them and the internet. I contribute to free open source to say thanks to all of them.

@@zantrua The nature of C is a language close to metal: this characteristic will not change.

@@zantrua This is why I avoid C++; all of these different ways of using it are just too confusing. I'm working in Rust and find it to be a much sounder design.

@ What metal is C close to? Do you run a PDP-11, because that's what C was designed for. C looks absolutely nothing like how CPUs work now. Also, if you want to talk to the CPU, just use assembly(which you end up doing in C anyway) and bypass all the complexity of C.

Sean Baxter's whole thing is to try to destroy C++, lol. He didn't "reach this conclusion", he preordained it.

Of course he "concluded" that, his entire goal is to destroy C++.

@isodoublet yeah, a guy who built his own compiler of C++ must really wanna destroy it

Burroughs machines from the 1960s.

Zig has a release mode with safety checks: ReleaseSafe.

From what I understand some UB is necessary in order to reach all possible hardware targets. There's not much software can do when the hardware has edge cases.

@@jameskingcodes Zig is adding UB where even C doesn't have it.

@@scorpia3215 Well, then Zig has to decide, either it's about as fast as C/C++/Rust/C3/Odin and is unsafe, or Zig runs with safety on and is not competitive with them. 1. Unsafe and fast 2. Safe but slower than the alternatives Pick one.

@@christofferlerno2633 Actually, you can pick both. You can set safety on a function by function basis. So you can choose for the most critical parts of your code to be as fast as possible with no runtime checks, then turn the full set of runtime checks on for the parts of your code dealing with untrusted data. Zig doesn't have to decide, it gives users the tools to decide.

And it's atomically thread safe, and operations order safe.

@rawpointer 100%

Speaks volumes to the magnitude of the C++ safety issue. It's all well and good to have safe options in C++, but if they aren't enforced they're largely pointless.

@@BowBeforeTheAlgorithm It's not so simple (of course nothing is simple in C++). There are cases in which weak_ptrs can keep the object alive even if all shared_ptrs are gone. Not to mention that due to C++ move semantics you can still get use-after-frees (or rather nullptr derefs) from unique_ptrs (and shared_ptrs too I think).

@@dminik9196 @dminik9196 weak_ptr is designed to check whether the shared_ptr it refrences is valid before accessing. After accessing, it can ensure that its shared_ptr remains valid during the access. After the access ends, the shared pointer, if there are no other references to it, is cleaned up.That's the point of weak_ptr... Use after free errors with move in unique pointer? Your assertion is ust wrong. The standard explicitly states that if I std::move a unique_ptr (example up2 = std::move(up1)) then up1.get() will return nullptr after the move. So the only way we're getting an error is if we blindly use up1 without checking its validity first. Unique pointer doesn't exempt us from needing to check the validity of pointers before using them.

It's responsible for 70% of the bugs at Microsoft and Google. It's a huge problem. There's several entire classes of bug that are unique to C/C++ becuse they have manual memory management, and they're super common(use after free, double free, etc). Anyone who believes they can write correct manual memory management code either has a very simple program or believes they're smarter than the combined forces of Google, Microsoft, and the Linux Foundation, all of which have had major bugs caused entirely by failing to manage memory correctly. If you want to see what it takes to actually get correct output from a C program, look at seL4, it's the only C program I know of that actually comes with a top to bottom proof of correctness

It's a huge problem across all software, it's 70% of the bugs in Chrome for instance.

It's a big problem actually, but much of it boils down to things we already have an answer for in C++, but which just aren't used; buffer overflows and such. Use-after-free is perhaps an issue that is not totally solved, but proper use of smart pointers goes a long way. (btw. use-after-free also still happens in Rust)

Great recommendation. Thanks for sharing.

Bounds checking is not the norm for arrays, std::vector or std::array. Not clear that std::span should be different (and go slower) than those.

@@nigelstewart9982 the at method of std::vector::at() does have bounds checking

@nigelstewart9982: but we have at() with bounds checking for all of those container types. Performance cost is not an issue if you have a choice to use operator[]. Why then should std::span be different and not have at()? Even std::string_view, which is conceptually similar to std::span, has this accessor.

@@naur82 Ah, indeed. at() is there for string and vector bounds checking. Thanks for the correction. Alas for performance reasons we tend to avoid and discourage the use of (built-in) bounds checking. I don't mind that it's there, but it feels vaguely like garbage collection - a hidden cost. In debug mode, sure. In production, no.

it is correct to say vector.at() is the range checker ;)

thats not a good comparison. the risks that make memory safety an issue were not clear when C and C++ were created. They were made in good faith with the limitations of the time.

Yup!!!

This is why software testing (with extra-checked debug builds) with coverage reports is important. But in a released production environment all these features will slow down execution.

Exactly. It's trivial to make a correct solution fast compared to making a fast one correct.

@@TanzinulIslam I'm not against debug builds for specific reasons but as you pointed out performance changes in production. And it is production where you really care because it is... Production. So in the scenario you describe, the debug builds will only "tell" you so much because it isn't the true runtime system. Better to get confidence in the design rather than extrapolations from debug builds.

Safety and correctness aren't the same thing; you can write sound software using unsafe constructs. That being said, you can also correctly shave your beard with a steak knife. You might do it right the first 1,000 times but it only takes one mistake to regret your choices.

@titfortat4405 Exactly. And when you're in the business of making shaving kits that up to 8 billion people across the whole planet could be using, 1 in a 1000 tends to happen a lot of times....

All the "real time" ones...

@juliantinao8278 which are... ?

​@@xpusostomoskiller drones, terminator t-900, unmanned flying chainsaws and etc.

drivers and OS kernels

Complex videogames

The reason I think you are wrong is because I don't trust anyone including Bjarne to consistently write C++ in a memory safe way even if it's theoretically possible. And the larger the codebase the less I trust the developers to do so. This is why in practice 70% of the highest impact security issues are still to this day memory safety issues.

@@romangeneral23 Bjarne of course says that - he's been sticking his head in the sand for a good while now.

That is the question... I thought it was a white house report talking about Rust? That carried no legislative weight. Not actually an existential threat from the NSA, the NSA just made recommendations (and fair enough they must see some shit). Same time that report came out the white house was also having it's arm twisted into accepting blockchain scams, which might explain a lot.

Sigh, did you actually watch the video? The presenter quoted multiple reasons -- policy makers are sending signals about memory-unsafe languages, Google/Microsoft are writing/porting safety critical code in/to Rust, among others. You can blindfold yourself and keep thinking "I do not think there is an existential threat to C++", but the world does not revolve around your beliefs, and in fact, if anything, things are changing, and not in the way you think is going.

Zig could never. Yoda is clueless deluxe as always 🤣

*Eiffel joins the party* (of established memory-safe higher-level languages without serious hope to get traction in C++ circles)

Biggest question is the quality of community edition GNAT, otherwise, you are dependent on a private company, AdaCore, which puts you in the same position as Swift and Go.

@@ZenoLee0 There are other Ada vendors, notably PTC (ObjectAda)

Nobody knows what Ada is 😂

​@@RustIsWinning 😅

Yep, but won't Rust force you to use mutual exclusion while c++ would not ?

Not Arc and Mutex, Rc and Refcell are enough depending on the threading model, and way cheaper than shared_ptr that is necessarily thread-safe. Rust - by being strict here - also encourage other patterns that are inherently safer. And more costly to implement and maintain. But still safer, and that’s the context here.

C++ is C with more facilities; C is a portable assembly language. Nothing will change. It will be a new language if someone tries to change it; this creates a new programming language.

"C is a portable assembly languafe" totally agree. And let it be just that.

Totally agree.

“Memory Safety” is more than a “personal like”, is is an essential property of a modern programming language. A property that C++ does not have. As an engineer, that should not offend you.

"is is an essential property " In your opinion.

Life in a democracy gives citizens the freedom to do nearly anything, even if if means being able to do the wrong things for the wrong reasons. C++ is a statically typed language. It's already enforcing most of the "thou shalt nots" from the 10 commandments. If you use the Modern C++ subset, you never even touch malloc/free. If you use RAII you never have uninitialized variables. C++ is not the wild west with no sheriff in town. It has rules, but the rules are rather Libertarian. It doesn't prevent you from owning a gun merely because you can hurt yourself by owning a gun. Many governments do prevent their citizens from owning most types of guns. Most of the modern tutorials *do* start by teaching the almost entirely memory-safe Modern C++ idiom.

Programmers are not capable of writing correct manual memory management code. Saying "skill issue" doesn't explain how Google, Microsoft, and Linux all regularly fail to correctly implement memory management and have security bugs as a result. People's brains did not evolve to verify the correctness of millions of lines of abstract logic, but we made computers specifically for that task.

Nobody asked guaraf teipal 😂

Use brave

Get premium mr broke

*Boeing 737 Max has entered the chat

@mileselam641 A comparison between apples and oranges has entered the chat.

@@mileselam641 the boeing 737 MAX was not a code issue, it was a design issue. the program worked perfectly, it just was made to do something stupid

@@khhnator I couldn't have said it any better myself. I should have been nicer and explained, but I was feeling a bit snarky at that moment.

This is a little-endian Intel and AMD problem, Power and ARM have memory tagging extensions. Of course the keys for tagging then become the target, but it's not the software engineer failing at that point and the CPU manufacturer needs to fix it.

It's relevant to anyone who wants to write code that other people will use. If you're the only one who will use your code, then sure. Go crazy with those segfaults to your heart's content.

Haha, another UFO- like programmer...please don't.

@@titfortat4405 I am already not the only one using my code. My passion project currently has 19 stars on GitHub despite concerning niche research. 1/2

@@titfortat4405 I am already not the only one using my code. Also my code is high-quality, so there were no segfault issues so far. I would provide details but YT censorship prevents it.

@@titfortat4405 I am not the only one using my code. Furthermore, it is high-quality. There were no segfault issues in my open-source passion project detected by others so far in several years.

The changes will create a new language. C, C++ will ever be a language close to the processors.

Unless you're running on a PDP-11 C (or C++ for that matter) isn't really close to how your CPU works. Funilly enough C isn't even specced based around real hardware. It's specced to run on an abstract machine.

@@CN_SFY_General As @dminik9196 wrote, the machine architecture model embedded in C and C++ languages is not, even remotely, related to modern CPUs, and I would dare to say that it is obsolete and no longer pertinent in this regard. Take LLVM as an example of how a lot of "less low level" languages would compilte to identical machine code, unless you take great care to write for a specific architecture.

This isn't anything new. There's been dozens of "hard realistic looks" on C++ since the rustaceans created Twitter accounts. It's a tired talk frankly.

@@dminik9196 C is not based on real metal, but it's very close to it: transferring C codes directly to the assembly languages of real metals in an almost one-to-one relationship is easy.

you shouldn't learn only one language

I mean, billions of lines of code wont disappear over a decade, it really depends do you plan to get a job in 5, 10, 15, 20, 25, or 30 years if you are aiming for +20 then maybe, but there is no guarantee that Rust will be the next successor either at those time scales

the thing is that you should learn to program, not a language. languages will always change, heck C++ itself is not the same language it was long ago; what programming is has however remained the same. learning your first language is just your first step. once you get good at programming, you will be learning new languages easily. because they all do the same thing, just in different ways.

No you should not.

C++ is still the best programming language in terms of elegance and efficiency, and it will probably stay this way for a long time, now that people focus on memory-safe designs (which are ugly/restrictive). But C++ is really hard to master. Are you intrinsically motivated to learn it, e.g. because you wish to write the most excellent code some day? You should only abandon it if that is not the case (and you just want to make money, or similar).

Because you can't go 200 cycles without hitting library code, and the existing libraries out there are not using your safe subset. Many actively dismiss the safe subset option, forever claiming the problems highlighted here and elsewhere are just "skill issues". Then there's the issue of "best practices" in C++ being far too subjective and disjointed in the community. As the author of Circle eventually found, it's a LOT easier to migrate to a safe language than retrofit C++ (and its community!) to meet modern safety standards.

Can you reliably draw a circle around the supposed "safe subset" of the C++? Can you create a compiler that enforces use of only that subset unless a desire for opt-out is indicated. It's great that people follow all those "best practices". I cannot fathom why they would not want a compiler to do a lot of that tedious checking work for them.

You guys are nerding out too much. I just addressed the argument that opt-in safety would not be viable in general because people wouldn't want to use it.

Yeah, there are trade-offs in engineering, Rust is making impossible promises I think. At least Python, Java and C# do not pretend to be smaller or faster than they are. The size of Rust executables gets silly (I never hear Rust proponents mention this) so I question how it will make serious inroads to embedded applications.

If a convenient safe subset existed, then people would probably use it. But according to the speaker this would require a new standard library among other things.

I hope one day you'll find out that C# is just Microsoft Java, a corporate invention, or should I say rip-off, at a time a lot of people were convinced that speed of execution was guaranteed by Moore's law. Misguided individuals.

This is so blatantly false. C++ and Rust are on par in terms of performance, no question about it. Rust has stronger guarantees and enables optimizations that C++ can't. And for multithreading even more false, it tells me you barely touched Rust.

Use of reference counted pointers is not garbage collection. Data is freed as soon as it is no longer in use, it does not hang around like garbage waiting for some collector to clean it up. Of course you can have safe and fast. As a long time user of C and C++ one other the first things I did in Rust was implement a bunch of codes in Rust that I had previously written in C or C++, just to convince myself I could reach similar performance in Rust as C/C++- I managed it easily.

you are right, using Arc everywhere is just Garbage collection but worse. that's why you don't. if you are putting everything in your program in a Arc, you have a design issue that would blow in your face in C++ or any language as well.

It's like the saying, choose any two: speed, reliability, security

@@NotherPleb " And for multithreading even more false' Nope, multithreading is precisely where Rust's model shows itself to be a cruel joke. Easiest parallel program in the world: take a vector of doubles, compute the square root of each one. Now do it in parallel. _Trivial_ in C++, you better _beg_ the borrow checker in Rust. Rust puts the "embarrassing" in "embarrassingly parallel". No easy feat.

Clueless 😂

Given the statistics on security vulnerabilities published by Microsoft, Google and others (as shown in this vid) showing that around 70% of security issues are traced to mistakes in memory usage (buffer overflows, use of uninitialised, use after free, etc, etc) then I think "No". The NSA is thinking about all that. they realise that to make progress on security we need to get stricter all around. Hence the request to use memory safe languages. Also, this statistics I mentioned above (also this vid) are about memory misses issues in closed source code by MS and others. So I don't think the NSA can sensibly have more of a nightmare over Open Source.

@@Heater-v1.0.0 Yeah, and then you actually read those CVEs, and realize none of that code looks like code I would write, or allow any of my teammates to write, and realize that Microsoft, Google et al have a critical competency problem and this whole safety thing is barking up entirely the wrong tree.

@@isodoublet Now read the CVE's of all the non- MS/Google etc software cause by mistakes in memory usage. That "critical competency" problem is everywhere. I have never worked for an MS or Google but having worked in many companies in a few different countries over decades that is what I have seen. Other than critical fields like avionics or military software where extreme effort is taken to ensure correctness. You are making the "perfect programmer argument", which is fine but such programmers and teams are few and far between.

@@Heater-v1.0.0 It's not about programmers being "perfect". It's about programmers not being critically incompetent. These places are hiring some of the worst programmers out there and letting them loose with zero oversight. It's obvious that'll cause problems. I don't need to move to a worse language because of them.

@@isodoublet Anyone who thinks they can write manual memory management code better than Linus Torvalds, Microsoft, and Google is so far beyond arrogant it's actually funny. "I never make mistakes in millions of lines of abstract logic, it's not a problem of human brains being bad at this task they didn't evolve for, it's just that those specific programmers are bad"

Meds

What a naive and poorly thought through reason ? Why would a government bother with trying to introduce backdoors that are clearly visible to every other government ? There are so many easier more obscure ways to introduce backdoors elsewhere. This reason may be well intentioned, but poorly thought through.

Every year they find new vulnerabilities in code that was written and reviewed by the most top notch experts. This is not a skill issue. Humans make mistakes - always.

You don't need seatbelts, just increase your skills in not crashing your car.

@@vytah If there is a maximum speed of 20 km/h no serious accident will ever happen. Safe languages come at a cost. C++ requires skill; without that other languages are better suited indeed. C++ can be made safe by allowing only a specific subset but one will pay a performance fee.

@@gast128 So you're in favour of official C++ licenses that would be required to legally program in C++?

@@vytah Family of Cathy Newman? You should not program if you are not competent. If you don't know modern C++ stick to Python; C# etc.

It's a commonly used phrase. Citing Wikipedia: In the C programming community, undefined behavior may be humorously referred to as "nasal demons", after a comp.std.c post that explained undefined behavior as allowing the compiler to do anything it chooses, even "to make demons fly out of your nose".

@@SVVV97 Thanks, that's a new one for me.

I thought I was mishearing.... if U.B. can actually lead to demonic infestation up yer nose... then we really really do need to look out for it.

The number of local only apps is dwindling, just about everything consumer facing uses Internet now

Think Stuxnet. Not everything that thinks it's airgapped is actually safe. And reliability is its own security issue. You don't need a network connection to fall over due to use-after-free bugs.

@@mileselam641 Except use-after-frees are extremely uncommon in practice (when using the already available tools) and it's silly to jump hoops trying to avoid them while making _other_ types of bugs more likely by making the language harder to use.

'Ostrich' security gets you things like TempleOS: God told him networking was a sin. The inputs were all too dangerous.

@@isodoublet 36% of Chrome's security bugs were caused by use-after-free specifically. It goes up to 70% if you include other manual memory management bugs.

How is it doing nowadays? I used to love it up until 2015 or so, but Embarcadero made a mess of the language and I sadly had to let it go.

@@carlosleyva-calistenia6400 Its very good now. The IDE is very good. You can write your program, and the program can deploy to your Phone, PC, or to a Android , Apple phone, Mac computer, Just by telling the IDE what you want to deploy to. Just my one setting. NO REWRITEING CODE!!

Don’t forget to “just” rewrite the standard library while you’re at it…. And all the legacy code that depends on pointers and pointer arithmetic. Or maybe just use Rust.

@@DomainObject I don’t think people realize how much work has gone into the c standard library. A couple of months ago I was messing around in x86 trying to see how things work and I started looking at the library code for the first time and I was blown away by the sheer amount of work in there

Go is really productive and fast as well! If your program does a lot of network I/O, then its lightweight goroutine model could potentially outperform a naive use of one thread per connection in C or C++. Sure, it is not thread safe, but you can compile with go build -race and ship it into production and have it trap whenever a race occurs, so at least you won’t run into undefined behavior. The Go toolchain is amazing with builtin support for testing, cross compilation, profiling, coverage and fuzzing. The language is small and really easy to learn. My team became really productive in less than two weeks. I’m currently learning Elixir which runs on Erlangs BEAM VM. It is functional and performs really well. Worth considering if if your application does a lot of I/O and networking.

Zig mitigates a lot of risks (probably more so than Rust with "unsafe") but is unlikely to be considered "memory safe" for the purposes of any coming regulation

@ Exactly. Zig doesn’t claim to be fully memory safe, but it sure is a good upgrade for programs written in C. What I lack with the Zig toolchain is integration with ASAN and TSAN. Valgrind is too slow and covers a smaller scope than ASAN/TSAN/UBSAN.

Go is a great language for writing web services. It's good for situations where the input is hostile; at least better than trying to do this in C++. Anything with a garbage collector in the core isn't good for real-time code. That's where people move to Rust. Rust is way way harder to use than Go, but you don't have so many problems parsing hostile input. Even C++ could be saved by sticking to subsets and using theorem proving. So much more for garbage-collected languages. But Rust proves a point that you should not make garbage collection required in the core of the language. Any language that can be manipulated well with an AI, makes it easier to do TLA+ like modelling, and GOOD libraries for handling hostile inputs. It's really really serious that if you use C/C++, C++ will die if handling hostile input does not improve. Some scripting languages like PHP are not so good for dealing with hostile input (due to type-guessing); so it's not just about raw pointers. Maybe Mojo. It does the borrow checking like Rust, and it does data paralleism; one of the things that pushes people into C++. It's strange for the government to use language as the way to regulate safety. I thought the free market will chase the best options, given that everybody has to pass the same sort of safety standards.

@@robfielding8566 ”Anything with a garbage collector isn’t good for real time code” Depends on what you mean by real time and if you mean hard real time or soft real time. In some real time applications like games or video streaming it is not fatal to drop a frame once in a while. Erlang has a GC and it was used to create demanding systems like telephone switches and Whatsapp.

Or just fix the language to have a reasonable type system so that it can have a nice built in theorem checker

@@zantrua Yeah, that's the catch. It's (next to?) impossible to theorem check unconstrained C++.

sean baxter is actually writing a proposal to add the rust features to c++. But you are right, the syntax he came up with is horrible. But hopefully it will change for a better syntax. But at this point, migrating away from c++ is a better approach. No solution will make c++ safer without rewrites anyway.

@@alfredomoreira6761And he's publicly stated it may not be worth the effort over just migrating to existing memory safe languages. 10-30 years of standards body negotiations in the optimistic scenario (as was highlighted in the video)? Not gonna happen.

@@alfredomoreira6761 Sean Baxter is a bad actor trying to destroy C++, not some starry-eyed developer trying to bring fire from the gods. Safe C++ would require a completely new standard library with a different API and idioms btw

There are always trade offs. Anyone saying otherwise is selling something. Building with --hashed-pointers might be slower but you need to remove creature comforts to go fast in motorsport too.

JavaScript is memory safe at least. Slower, but provably memory safe. Rewriting everything into C++ makes the global corpus of code far less safe.

C++ stdlib is part of the ISO standard.

C++ stdlib is part of the ISO standard.

Your towel will never let you down.

Zigfault 🤣

HFT people are not the audience for this video. This video targets people working on safety critical projects, many of which work on embedded devices. I think this is more than clear enough.

How is it clear when this guys is yapping about safety by default for all c++. Leave c++ allow and go do rust balder.​@Zel-kr3qj

What on earth is HFT lol

​@@RustIsWinningHigh-frequency Trading

It's not "arrogance". I know people that can jump into arbitrary code-bases and find whatever bugs they want to find. If you "trust" the developers, imagine the NSA trying to use open-source, when "the enemy" is contributing to everything. They want a language where you can ask a bot to prove that certain problems are impossible.

Everyone in the industry knows about the problem, it's why C and C++ are losing devs every day, it's a broken language and always has been and there's no way to fix it without completely scrapping the language more or less. It's not arrogance, it's the feds finally waking up to what specialists have known since the 80s

15:10 for some info about what the committee thinks about memory safety. Only after everyone started switching to Rust they started thinking about it.

@@zantrua Literally every piece of software used in writing, sending, and displaying your "C and C++ are broken language" comment was written in C and C++.

⁠@@gulagz1549 Yes, however that very same software, is also likely riddled with memory safety issues. Just because it runs doesn’t mean it’s safe or secure.

Great perspective. So, it all comes down to skill issues? How to fix that?

@@dwight4k Well, you are not going to solve it by removing possibilities to train on getting skilled

@@perghosh8135 Maybe there needs to be an external community to do that? I don't know. This language needs skilled people to work with it, because it's not going away anytime soon.

There is a lot of irrational sheep-like hate toward C++. Mostly clueless folk who just like making a loud noise. C++ is a great, versatile, mature, flexible, performant language. The whole "unsafe" thing is a skills issue. There is a massive amount of C++ code out there not crashing every day. C++ is not going away any time soon.

I do wonder if AI is ultimately the solution for safer C++. Such as an AI fuzzing framework that torments and stresses software in ways that humans don't have time for.

The answer is simple: Without interop there's no smooth transition, and without a smooth transition the answer will always be "NO".

@@heavymetalmixer91 I suspect if tech companies were actually held liable for all the bugs that their language choice creates, they'd switch over rather quickly, invariant of the cost. Tech is the only industry I can think of where a click-through bubble that says "WE MAKE NO CLAIMS OF THIS SOFTWARE'S UTILITY OR APPLICATION FOR ANY PURPOSE AND ARE NOT LIABLE FOR ANY DAMAGES IT MAY CAUSE" is even legal, let alone the universal standard of the entire industry.

First, it's unfeasible to just rewrite a large enough application in one pass. This needs to be done step by step, and for this we need interop. Also, there are just so many useful C++ libraries with years of work in them. It will take some time to recreate all of this software in a new, memory safe language. Until then, we need interop. It's also not all bad: The Google Android team has presented statistics that the largest fraction of memory errors is found in new code, while the rate of CVEs found in old code tapers of exponentially with age. So using a memory safe language for new code while depending on old unsafe code (for a while) is not as futile as it sounds.

One of the main holes in Rust adoption is a stable ABI. Without it you don't get shared libraries in Rust. As it stands, Rust has to pretend to be a C shared library or (kinda sorta) a C++ shared library in order to play in the greater sandbox. If it did have a stable ABI, mapping to other popular interfaces such as C++'s would be comparatively trivial.

@@mileselam641 Why is there no stable ABI for Rust?

who is Jimmy?