Re: [isocpp-sg15] [isocpp-sg21] P3835 -- Different contract checking for different libraries

From: Ville Voutilainen <ville.voutilainen_at_[hidden]>
Date: Tue, 14 Oct 2025 21:53:02 +0300
On Tue, 14 Oct 2025 at 21:42, Ryan McDougall <mcdougall.ryan_at_[hidden]> wrote:
>
> Sorry, this is a weakness of the medium -- what I'm saying is "no one is producing inline functions that are promised to be hardened in a legally binding way, such as in safety critical applications" -- precisely because putting hardening in source that is copy-pasta into a TU weakens the promise. It's the legally binding promise of hardening that's at stake. If your user is determined to defeat your library-level hardening, you cannot control that. Fighting your users is a battle that can't be won. You give them library hardening, and they either enable it or they don't.

The concern is not about expert users being able to turn hardening off. They can do that, and that's fine. The concern is about more innocent users turning the hardening off accidentally by merely linking in another TU.

> What I'm saying is that hardened library writers do not rely on inlining. The standard library occupies a bit of a unique space since it has (to try) to be all things to all people -- including the people who cannot imagine a reason why hardening should be turned off. Even if P2900 is somehow universally declared unsuitable for the standard library, this has no bearing on whether P2900 is necessary for Functional Safety. Neither the standard library nor GSL are the only or primary users of contracts.

I don't think any of us have information on who the primary user is, but in contrast to what you said, users in your domains (which happen to be the domains of some others of us, too, and we don't exactly agree with your take for those domains, either) are also not the only users of contracts.
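The accidental-defeat scenario discussed above, as an added example that is not part of this thread: one header-only inline function whose check is compiled in only under a macro, two TUs built with and without that macro, and the same objects linked in both orders. It assumes g++ or clang++ with a GNU-style linker that keeps the first COMDAT copy it sees; the file and function names are constructed.

```shell
#!/bin/sh
# Added example: two TUs share one inline function from a header, but only
# one TU is built with -DHARDENED. At -O0 nothing is inlined, so each TU
# emits its own copy of the function and the linker keeps the first one it
# encounters. Which check main() actually runs therefore depends on link
# order, not on main's own compile flags (this is an ODR violation).
# Assumes g++ or clang++ and a GNU-style linker; prints "skipped" otherwise.
demo_link_order() {
    CXX=""
    for c in g++ clang++ c++; do
        command -v "$c" >/dev/null 2>&1 && { CXX="$c"; break; }
    done
    [ -n "$CXX" ] || { echo skipped; return 0; }
    dir=$(mktemp -d) || return 1
    cat > "$dir/checked.h" <<'EOF'
#pragma once
// Stand-in for a hardened inline library function: the check exists only
// when the including TU defines HARDENED (constructed example).
inline const char* which_check() {
#ifdef HARDENED
    return "hardened";
#else
    return "unhardened";
#endif
}
EOF
    cat > "$dir/main.cpp" <<'EOF'
#include <cstdio>
#include "checked.h"
int main() { std::puts(which_check()); }
EOF
    cat > "$dir/other.cpp" <<'EOF'
#include "checked.h"
// A second TU that merely uses the same header, built without HARDENED.
const char* other_user() { return which_check(); }
EOF
    "$CXX" -O0 -DHARDENED -c "$dir/main.cpp" -o "$dir/main.o" || return 1
    "$CXX" -O0 -c "$dir/other.cpp" -o "$dir/other.o" || return 1
    # Same two objects, two link orders: whichever TU comes first supplies
    # the one surviving copy of which_check() for the whole program.
    "$CXX" "$dir/main.o" "$dir/other.o" -o "$dir/a" || return 1
    "$CXX" "$dir/other.o" "$dir/main.o" -o "$dir/b" || return 1
    echo "main_first=$("$dir/a") other_first=$("$dir/b")"
    rm -rf "$dir"
}
demo_link_order
```

main.cpp was compiled with the check enabled in both builds, yet the second binary reports "unhardened": simply linking other.o first silently removed main's hardening.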

Received on 2025-10-14 18:53:16