← Back to context

Comment by steveklabnik

5 months ago

> with all of the profiles enabled, you are only allowed to use the safe subset of C++ and all of the unsafe stuff is hidden behind APIs whose implementations don't have those profiles enabled.

This is not the goal of profiles. It’s to be “good enough.” Guaranteed safety isn’t in the cards.

7 comments

steveklabnik

Reply
pizlonator  5 months ago

> This is not the goal of profiles. It’s to be “good enough.” Guaranteed safety isn’t in the cards.

- Rust isn’t totally guaranteed safe since folks can and do use unsafe code.

- Exact same situation in Swift

- Go has escape hatches like it you race, but not only.

So most “safe” things are really “safe enough” for some definition of “enough”.

  • steveklabnik  5 months ago

    You’re misunderstanding what I’m saying. Safe Rust guarantees memory safety. Profiles do not. This is regardless of the ability of the unchecked versions, on both sides, to introduce issues.

    Profiles do not, even for code that is 100% using profiles, guarantee safety.

    • pizlonator  5 months ago

      The kind of "safe Rust" where you never use `unsafe` and never call into a C library is theoretical. None of the major ports of software to Rust achieve that.

      So, no matter what safe language we talk about, "safety" always has its caveats.

      Can you be specific about what missing safety feature of profiles leads you to be so negative about them?

      3 replies →

  • AlotOfReading  5 months ago

    The language standard assumes that everyone collectively agrees to standard semantics implying certain things. If users don't follow the rules and write something without semantics (undefined behavior), the entire program is meaningless as opposed to just the bit around the violation. You know this, so I emphasize it here because it's entirely incompatible with the view that "good enough" is a meaningful concept to discuss from the PoV of the standard.

    Rust does a pretty good job formalizing what the safety guarantees are and when you can assume them. Other languages don't, but they also don't support safety concepts that C++ nominally does like safety critical systems. "Good enough" can be perfectly fine for a web service like Go while being grossly inadequate for HPC or safety critical.