
Re: [isocpp-sg15] [isocpp-sg21] P3835 -- Different contract checking for different libraries

From: Gabriel Dos Reis <gdr_at_[hidden]>
Date: Tue, 14 Oct 2025 20:34:54 +0000
The point is that hardened standard library implementations are being delivered right now, today, for supported language versions, without being phrased in terms of P2900, by GCC, Clang, MSVC, etc.

Any rephrasing in terms of P2900 should bring tangible benefits over what is available today. I see none.

-- Gaby



________________________________
From: Ryan McDougall <mcdougall.ryan_at_[hidden]>
Sent: Tuesday, October 14, 2025 4:27:27 PM
To: sg21_at_[hidden] <sg21_at_[hidden]>
Cc: sg15_at_lists.isocpp.org <sg15_at_[hidden]>; Gabriel Dos Reis <gdr_at_[hidden]>; Tom Honermann <tom_at_[hidden]>
Subject: Re: [isocpp-sg21] [isocpp-sg15] P3835 -- Different contract checking for different libraries

C++ is not in a vacuum -- people are building vehicles and robots now and making language choices. C++ will never ever beat Rust on Language Safety, but it has a lane for Functional Safety.

If there was reason to believe there were insurmountable problems I'd be sympathetic, but all arguments have been of one of two forms: "P2900 is too minimal" or "P2900 is not minimal enough". EWG and Plenary have decided it's about as right as one can get in the committee model. There is no "here" here.

On Tue, Oct 14, 2025 at 1:17 PM Gabriel Dos Reis via SG21 <sg21_at_[hidden]> wrote:

[Tom]

  * They are, or will be, once either of P3290 (Integrating Existing Assertions With Contracts)<https://wg21.link/p3290> or P3400 (Specifying Contract Assertion Properties with Labels)<https://wg21.link/p3400> is adopted.



If that conjecture is true, then I would recommend waiting for those papers to be implemented, with deployment experience, and adopted before phrasing the hardened standard library in terms of contracts.



-- Gaby



From: SG15 <sg15-bounces_at_[hidden]> On Behalf Of Tom Honermann via SG15
Sent: Tuesday, October 14, 2025 4:00 PM
To: sg21_at_lists.isocpp.org; Ville Voutilainen via SG15 <sg15_at_[hidden]>
Cc: Tom Honermann <tom_at_[hidden]>
Subject: Re: [isocpp-sg15] [isocpp-sg21] P3835 -- Different contract checking for different libraries



On 10/14/25 3:21 PM, Ran Regev via SG21 wrote:



On Tue, Oct 14, 2025, 21:47 Ville Voutilainen via SG15 <sg15_at_[hidden]> wrote:

On Tue, 14 Oct 2025 at 21:42, Ryan McDougall <mcdougall.ryan_at_[hidden]> wrote:
>
> And there are existing deployments where it's not desired and not a requirement...

That doesn't mean that hardening should be possible to be turned off
by a contract evaluation semantic choice

One of the fundamental aspects of P2900 is that the person who writes the contract is not the one who selects the semantics for the application.

Is this aspect of contracts aligned with hardened libraries' needs? The discussion seems to reveal that it is not. And therefore the draft paper mentioned earlier seems to be correct: contracts are not a good fit for standard library hardening.

They are, or will be, once either of P3290 (Integrating Existing Assertions With Contracts)<https://wg21.link/p3290> or P3400 (Specifying Contract Assertion Properties with Labels)<https://wg21.link/p3400> is adopted.

Tom.



applying to other code. Or more in the opposite direction, it doesn't
mean that the choice of a contract evaluation semantic
for other code should turn the hardening off.

> The original sin is thinking that any one engineer knows all domains and anything that doesn't fit their preconceptions is universally wrong.

Funny, you seem to be the only person in this discussion stating that
something is universally wrong, or otherwise I have misunderstood
what you think "patently false" means.

> P2900 has been in development for a long time, and is useful and needed. The idea it's "unsafe" shows a lack of understanding of what that word means.

Oh sure, it's a likely story that the critics of P2900 simply
misunderstand something. In fact, a story so unlikely that it's safe
to say it's patently false.
_______________________________________________
SG15 mailing list
SG15_at_[hidden]
https://lists.isocpp.org/mailman/listinfo.cgi/sg15



_______________________________________________
SG21 mailing list
SG21_at_[hidden]
Subscription: https://lists.isocpp.org/mailman/listinfo.cgi/sg21
Link to this post: http://lists.isocpp.org/sg21/2025/10/11273.php

_______________________________________________
SG21 mailing list
SG21_at_[hidden]
Subscription: https://lists.isocpp.org/mailman/listinfo.cgi/sg21
Link to this post: http://lists.isocpp.org/sg21/2025/10/11281.php

Received on 2025-10-14 20:34:58
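The distinction Ville and Ran are arguing over (a P2900 evaluation semantic is chosen by whoever builds the application; a hardened-library check is enabled by the library's own build configuration) can be made concrete with a small model. The following is an added illustration written for this page; it is not code from the thread, from P2900, or from any standard library implementation. The `Semantic` and `Outcome` enums, the two access functions, and the sample vector are all assumptions of the model; the real mechanisms it stands in for are `-D_GLIBCXX_ASSERTIONS` for libstdc++ and `_LIBCPP_HARDENING_MODE` for libc++, which do not consult any contract semantic.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// P2900 evaluation semantics, named as in the paper. In a real P2900 build the
// application (compiler flag), not the library author, selects one of these
// for every contract assertion it compiles. Model only.
enum class Semantic { ignore, observe, enforce };

// What happens when an index reaches the access (model only).
enum class Outcome {
    ok,            // index in range, access proceeds
    rejected,      // a check fired and the access was refused
    unchecked_oob  // the access would proceed out of bounds (UB in real code)
};

// Model of `pre(i < v.size())` on a contract-guarded operator[]: whether the
// predicate stops the access depends entirely on the semantic the application
// chose. Under `observe` the violation is reported but evaluation continues.
Outcome contract_guarded_access(const std::vector<int>& v, std::size_t i,
                                Semantic app_semantic, int& violations_logged) {
    const bool in_range = i < v.size();
    switch (app_semantic) {
    case Semantic::ignore:
        break;                                   // predicate is not evaluated at all
    case Semantic::observe:
        if (!in_range) ++violations_logged;      // report, then continue anyway
        break;
    case Semantic::enforce:
        if (!in_range) return Outcome::rejected; // violation handler / terminate
        break;
    }
    return in_range ? Outcome::ok : Outcome::unchecked_oob;
}

// Model of a hardened operator[]: the bounds check is compiled into the library
// by its own configuration (what _GLIBCXX_ASSERTIONS or _LIBCPP_HARDENING_MODE
// do today) and deliberately ignores the application's contract semantic.
Outcome hardened_access(const std::vector<int>& v, std::size_t i,
                        Semantic /*app_semantic, intentionally unused*/) {
    return i < v.size() ? Outcome::ok : Outcome::rejected;
}

int main() {
    std::vector<int> v{1, 2, 3};   // constructed sample data; index 3 is one past the end
    int logged = 0;
    for (Semantic s : {Semantic::ignore, Semantic::observe, Semantic::enforce}) {
        Outcome c = contract_guarded_access(v, 3, s, logged);
        Outcome h = hardened_access(v, 3, s);
        std::printf("semantic=%d contract_guarded=%d hardened=%d\n",
                    static_cast<int>(s), static_cast<int>(c), static_cast<int>(h));
    }
    return 0;
}
```

Under `ignore` and `observe` the contract-guarded access lets the out-of-bounds index through, while the hardened access refuses it regardless of which semantic the application picked; only the `enforce` row matches. That table is the whole of the objection: if the hardening were expressed as a contract assertion, an application-wide choice of `ignore` would switch it off.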