But unique_ptr provides no guaranty, yet alone strong guaranty. For example:

-> segmentation fault

Or how about this one:

There you have an unique_ptr that outlives the pointed object, just like that.

Almost no-one ever assigns a pointer to an arbitrary address in C++ or in Rust, unless they are doing very low level code. The thing that makes memory management unsafe in C++ is that any C++ compiler accepts and compiles stuff like the above. You can trivially have situations when unique_ptr are not really unique, where several sets of shared_ptrs independently point to the same object, you can have unitialised pointers galore, null pointers that are never checked and anything you like. In fact unique_ptr and friends don't make C++ any safer than the old C++ or even plain C, they are just a bit of syntactic sugar over the same old model. In Rust on the other hand, none of that would compile.

There is this belief among C++ programmers who don't understand Rust (but believe that they do) that if they only stick to the "modern" C++ then it's safe, but you've just seen a demonstration that it isn't. In fact trying to prove memory management in C++, even using exclusively the "modern" features, is tantamount to the Turing Machine halting problem and thus is not provable. Plus there is a LOT of C++ that doesn't even use that, for example the iostream classes still take void* pointers....

There was a study published by Google showing that about 50% of their memory-related bugs in C++ were less than 1 year old. That doesn't mean that their new code is somehow dramatically worse than old code, it means that as older bugs get fixed, new ones are unstoppably coming in.

Among the other reasons why C++ can't be as safe as Rust:

• Rust's type system is strong, provably sound and uses Hindley-Milner inference, C++'s is weak (albeit very slightly stronger than C's)
• Rust has well defined move semantics, move in C++ is basically undefined behaviour
• (consequence of the above) in Rust all objects have a clear lifetime, functions can be data sinks and it is possible to enforce that an object cannot ever be used after a certain operation. In C++ this does not exist.
• in Rust the compiler ensures that all possible values in match{} (switch in C++) are covered, in C++ it doesn't
• Error management in Rust is entirely under the scope of the type system, borrow checker, is itself memory safe, thread safe and provably handles all cases. in C++ you have sometimes potentially null pointers (which is not possible in Rust), sometimes exceptions that involve very strange and often unpredictable pointer lifetime and aliasing errors and can actually themselves crash your code
• Rust is safe from data races, which is proven at compile time with no need for runtime support.

You clearly don't understand how threading safety works in Rust. You can create a threading library for any language, but unless that language has a type system like Rust's (or, in a different approach, Haskell's), which C++ doesn't, then you won't ever be able to prove that your code is sound. Then you are back to the same place as with the memory: either you insert runtime checks and incur a performance penalty (that's what Go and Swift do), or you take someone's word for it and wait for the program to crash, which it will.

Sorry, but this is delusional. People eager to improve the Rust language will not want to work on a compiler implemented in C++. The whole language design workflow is organized around Rustc's Github, and is a well-tuned system. Both Rustc and LLVM have more developers than Gcc as a whole (1, 2). The GNU community is not bad, but it's much less welcoming than the Rust community. It'll be a challenge for gccrs to stay relevant, and not repeat the failures of Gcc's Java, D, and Go frontends despite trying to tackle a more complex and fast-moving language.

If you want to compile Rust code with Gcc (many people do), you'll be better served by rustc_codegen_gcc.

Well you said it yourself, proving beats testing. But besides that, the D ecosystem is nowhere as mature and well managed as Rust despite being older and the language never seems to know where it really wants to go (gc vs nogc vs nogc-but-we-still-actually-want-a-gc but we don't really want to have to use it). Everything is permanently unfinished, no clear decisions are made. As a result D never got any solid backing and it looks like a perpetual hobby project for Walter and Andrei. I'm not saying it couldn't be used for the Linux kernel technically speaking, but it's not something I would bet Linux's future on if I was a kernel developer.

Almost no-one ever assigns a pointer to an arbitrary address in C++ or in Rust, but that doesn't invalidate what I said about arbitrary pointer accesses being the problem. It doesn't matter how the invalid pointers come to life. Off-by-one indexing? Already freed memory? Invalid alignment? It doesn't have to be by direct assignment. The problem in the end is that pointers can have arbitrary values.


The only thing you've demonstrated here is that if you want to purposefully compile bad code in C++, you can. Both are great examples of errors that, while theoretically accepted by the language, are irrelevant for any comparison or real-life examples, as any mainstream compiler (GCC, clang, MSVC, possibly others too) will warn you about these during compilation (or depending on compiler flags even error out). You can of course choose to neglect the compiler messages, but with that attitude as a programmer people are going to have a hard time compiling Rust code too.

Perfectly neglecting the fact that new bugs "less than 1 year old" doesn't mean the bugs were introduced in code adhering to new style. The basic assumption when I claim C++ is memory safe is that you are making proper use of the modern standards. And most code today cannot do that as there are restrictions regarding these due to the historical nature of the old code base that has to be maintained. And even if a code base finally manages to migrate to a new toolset, the old code that already existed still needs to be rewritten.

There are many things wrong with your list. Move semantics being UB is false, object lifetimes in C++ not being clear or well-defined is a complete BS, the complete coverage of all options in a switch is checked by basically all compilers today, error management does not at all involve unpredictable pointers, and aliasing issues are again checked by compilers and pretty often tricks with aliasing are even explicitly wanted by the programmer and could be well defined. As far as data races are concerned, preventing data races was never a hard problem. What makes them non-trivial is to avoid them efficiently in a contended scenario that scales well. Show me the implementation of a high-performance thread-safe lockless multi-writer multi-consumer queue in Rust. Or a cache implementation under similar circumstances. It won't be any easier to develop or understand than in C++. Those are the things that make multi-threading a complex topic, simply preventing data races never was.

But as I said earlier, I do agree Rust has much better "defaults" and is thus easier to teach and learn when you're starting out.

Agreed. If it wasn't clear, in my mind the "4x as good" language is Rust, not D or C++.

Folks - if big corporations decide to support, fund and enable something as globally (and human as a species) important like getting Rust in the Linux kernel, at least give it space and time.
This is not a fad - if billions of dollar's worth of servers, mobile devices and PCs can be spared from exploited code paths by using Rust, allow at least the people that is doing the actual work to continue to do their work.
Tooling takes time - as steward of the kernel I do think Linus Torvalds has the experience and sobriety not to include rubbish into his kernel.

I think they are referring to the state of the object which was moved. You can still access it and that is UB.

What was originally is the following:

1. You create an object in a scope.
2. you move it into a function
3. the function "forgets" the object

In c++ you can move an object, but you can still access it in the original scope. Some compilers warn about that, others not.
The usage for the aforementioned procedure is the TypeState pattern.

True, sadly it is only a warning, not a hard compile error. While you can make warnings a hard compile error, this is usually not done in real life, as it will break everything once you use a newer compiler. Luckily my employer tries hard to have a warning free code base.

Huh? How can a C++ compiler know when pointer addresses are generated at run time (i.e. via malloc under the hood)?

Really?


The problem is not implementing a queue, the problem is to find the places where to insert this construct. And keep it data race free even after the n-th refactoring.

No, I'm looking at it from a user and maintainer perspective. It may all be convenient to the programmer of the software, but as a user or package maintainer is a huge nightmare of dependencies that can't be separated in a clean way. Hell, sometimes cargo pulls even multiple version of a crate into the dependencies. But this isn't a unique problem for rust. A lot of modern applications just go the way of bundling everything together. I really just don't like that and try to stay away from such software as much as possible.

As for the programing side of things. I would love something like Rust, but with actual dynamic libraries like C has. I don't care if you think that is outdated. It's in my opinion an incredibly more robust approach to develop software that lasts and gets maintained for a long time. There is a reason that like 90% of the base system of a given Linux is still C.

Well, nobody stops you from using dylib crates. Then all your dependencies will be linked dynamically.

EDIT: This is what the systemd-developers are discussing about, IF they were to adopt rust in their code base.

As Modern C++ Won't Save Us by Alex Gaynor demonstrates, that and other things are easier said than done under C++'s opt-in, retrofitted safety model.

It also points out things like how you can dereference a std:ptional<T> that's empty and the compiler will let you get away with it.

What makes Rust different is that the whole API ecosystem is built around a philosophy that unsafe is to be used to construct abstractions like Arc<T> which enforce safety at compile time through their API designs... thus ensuring that auditing for memory safety need only occur locally, not globally.

Not just Google and Microsoft. Alex Gaynor also did a blog post where he tallied up citations for half a dozen different sources that support that point.

What science can tell us about C and C++'s security

The argument is that it's too easy to accidentally invoke undefined behaviour with C++'s non-destructive moves.

See Move semantics in C++ and Rust: The case for destructive moves by Radek Vit.

If you think C and C++ are any better, you haven't looked into it. See the "Gotta go deeper" section of Let's Be Real About Dependencies, which touches on the elephant in the room:

Header-only libraries and hand-rolled re-implementations that it's not feasible for package maintainers to split back out again.

You'd rather the status quo, of having people up and down the stack vendoring patched versions or holding back updates to deal with symbol collisions while they wait for their dependencies to get their transitive dependencies back in sync?

So would a lot of people. The problem is, it's a Hard Problem and an area of active study. Monomorphization (i.e. templates/generics) doesn't play well with dynamic linking, and it's been argued that the C ABI is the highest stable one we had before Swift came along because it's right at the edge of what we know how to make stable without the abstraction tricks Swift uses.

See The impact of C++ templates on library ABI by Michał Górny from Gentoo.

...because they have real problems that need to be solved and, instead of trying to help solve them, distro packaging systems are trying to convince them that their priorities are wrong.

Distro packaging was designed around the needs of C and C++. That's visible in how it doesn't attempt to address things things like bespoke implementations of functionality that gets reinvented differently by everyone that needs it for want of a more modern dependency system.

Also, Rust is suitable for current approaches to library sharing... using the same techniques as C++.

Manually declare C ABIs to be built as shared libraries where it makes sense and, for the stuff where it doesn't make sense to do that (eg. monomorphized generics that no other packages need), link it statically and rely on the tooling's ability to query which dependencies are being used to determine when you need to rebuild what.

There's work in progress to design a specification and tooling for embedding that dependency information in the built binaries and, as for shared libraries for other purposes, Drew Devault did a blog post showing some actual statistics on how claimed benefits work out in actual practice... and his blog post is talking about C and C++.