Date: Tue, 14 Oct 2025 17:40:07 -0400
On Tue, Oct 14, 2025 at 4:35 PM Gabriel Dos Reis via SG21 <
sg21_at_[hidden]> wrote:
> The point is that hardened standard library implementations are being
> delivered right now, today, for supported language versions, without being
> phrased in term of P2900, by GCC, Clang, MSVC, etc.
>
> Any rephrasing in terms of P2900 should bring tangible benefits over what
> is available today. I see none.
>
I don't think that is accurate. Libc++'s implementation of hardening is
basically as close as possible to Contracts without actually using the
language feature. We provide `enforce`, `quick_enforce`, `observe` and
`ignore`, which can be selected using macros. We allow users to customize
the handlers for `enforce` and `observe` in a way similar to what Contracts
proposes. All of these decisions basically came from deployment experience
and user feedback / feature requests (in particular observe, which we
didn't have originally). IMO, that demonstrates a tangible benefit of
wording hardening on top of Contracts, backed by libc++'s experience. Folks
are free not to believe it, but it is historically and factually accurate
that libc++ ended up where it is due to user demand and real world
constraints. It's also the case that this has been deployed at a large
scale and documented.
By the way, I'm not disputing that other standard libraries also provide
useful hardening-like modes that are not built on top of Contracts. But
that doesn't make what I said above untrue.
Louis
> -- Gaby
>
>
>
> ------------------------------
> *From:* Ryan McDougall <mcdougall.ryan_at_[hidden]>
> *Sent:* Tuesday, October 14, 2025 4:27:27 PM
> *To:* sg21_at_[hidden] <sg21_at_[hidden]>
> *Cc:* sg15_at_[hidden] <sg15_at_[hidden]>; Gabriel Dos Reis <
> gdr_at_[hidden]>; Tom Honermann <tom_at_[hidden]>
> *Subject:* Re: [isocpp-sg21] [isocpp-sg15] P3835 -- Different contract
> checking for different libraries
>
> C++ is not in a vacuum -- people are building vehicles and robots now and
> making language choices. C++ will never ever beat Rust on Language Safety,
> but it has a lane for Functional Safety.
>
> If there was reason to believe there were insurmountable problems I'd be
> sympathetic, but all arguments have been of one of two forms: "P2900 is too
> minimal" or "P2900 is not minimal enough". EWG and Plenary have decided
> it's about as right as one can get in the committee model. There is no
> "here" here.
>
> On Tue, Oct 14, 2025 at 1:17 PM Gabriel Dos Reis via SG21 <
> sg21_at_[hidden]> wrote:
>
> [Tom]
>
> - They are, or will be, once either of P3290 (Integrating Existing
> Assertions With Contracts) <https://wg21.link/p3290> or P3400
> (Specifying Contract Assertion Properties with Labels)
> <https://wg21.link/p3400> is adopted.
>
>
>
> If that conjecture is true, then I would recommend to wait for those
> papers to be implemented, with deployment experience and adopted before
> phrasing the hardened standard library in terms of contracts.
>
>
>
> -- Gaby
>
>
>
> *From:* SG15 <sg15-bounces_at_[hidden]> *On Behalf Of *Tom Honermann
> via SG15
> *Sent:* Tuesday, October 14, 2025 4:00 PM
> *To:* sg21_at_[hidden]; Ville Voutilainen via SG15 <
> sg15_at_[hidden]>
> *Cc:* Tom Honermann <tom_at_[hidden]>
> *Subject:* Re: [isocpp-sg15] [isocpp-sg21] P3835 -- Different contract
> checking for different libraries
>
>
>
> On 10/14/25 3:21 PM, Ran Regev via SG21 wrote:
>
>
>
> On Tue, Oct 14, 2025, 21:47 Ville Voutilainen via SG15 <
> sg15_at_[hidden]> wrote:
>
> On Tue, 14 Oct 2025 at 21:42, Ryan McDougall <mcdougall.ryan_at_[hidden]>
> wrote:
> >
> > And there are existing deployments where it's not desired and not a
> requirement...
>
> That doesn't mean that hardening should be possible to be turned off
> by a contract evaluation semantic choice
>
> One of the fundamental aspects of p2900 is that the person who write the
> contract is not the one who selects the semantics for the application.
>
> Is this aspect of contracts aligned with hardened libraries needs? The
> discussion seems to reveal that not. And therefore the draft paper
> mentioned earlier seems to be correct - contracts are not good fit for
> standard library hardening.
>
> They are, or will be, once either of P3290 (Integrating Existing
> Assertions With Contracts) <https://wg21.link/p3290> or P3400 (Specifying
> Contract Assertion Properties with Labels) <https://wg21.link/p3400> is
> adopted.
>
> Tom.
>
>
>
> applying to other code. Or more in the opposite direction, it doesn't
> mean that the choice of a contract evaluation semantic
> for other code should turn the hardening off.
>
>
> > The original sin is thinking that any one engineer knows all domains and
> anything that doesn't fit their preconceptions is universally wrong.
>
> Funny, you seem to be the only person in this discussion stating that
> something is universally wrong, or otherwise I have misunderstood
> what you think "patently false" means.
>
> >P2900 has been in development for a long time, and is useful and needed.
> The idea it's "unsafe" shows a lack of understanding of what that word
> means.
>
> Oh sure, it's a likely story that the critics of P2900 simply
> misunderstand something. In fact, a story so unlikely that it's safe
> to say it's patently false.
> _______________________________________________
> SG15 mailing list
> SG15_at_[hidden]
> https://lists.isocpp.org/mailman/listinfo.cgi/sg15
>
>
>
> _______________________________________________
>
> SG21 mailing list
>
> SG21_at_[hidden]
>
> Subscription: https://lists.isocpp.org/mailman/listinfo.cgi/sg21
>
> Link to this post: http://lists.isocpp.org/sg21/2025/10/11273.php
>
> _______________________________________________
> SG21 mailing list
> SG21_at_[hidden]
> Subscription: https://lists.isocpp.org/mailman/listinfo.cgi/sg21
> Link to this post: http://lists.isocpp.org/sg21/2025/10/11281.php
>
> _______________________________________________
> SG21 mailing list
> SG21_at_[hidden]
> Subscription: https://lists.isocpp.org/mailman/listinfo.cgi/sg21
> Link to this post: http://lists.isocpp.org/sg21/2025/10/11285.php
>
sg21_at_[hidden]> wrote:
> The point is that hardened standard library implementations are being
> delivered right now, today, for supported language versions, without being
> phrased in term of P2900, by GCC, Clang, MSVC, etc.
>
> Any rephrasing in terms of P2900 should bring tangible benefits over what
> is available today. I see none.
>
I don't think that is accurate. Libc++'s implementation of hardening is
basically as close as possible to Contracts without actually using the
language feature. We provide `enforce`, `quick_enforce`, `observe` and
`ignore`, which can be selected using macros. We allow users to customize
the handlers for `enforce` and `observe` in a way similar to what Contracts
proposes. All of these decisions basically came from deployment experience
and user feedback / feature requests (in particular observe, which we
didn't have originally). IMO, that demonstrates a tangible benefit of
wording hardening on top of Contracts, backed by libc++'s experience. Folks
are free not to believe it, but it is historically and factually accurate
that libc++ ended up where it is due to user demand and real world
constraints. It's also the case that this has been deployed at a large
scale and documented.
By the way, I'm not disputing that other standard libraries also provide
useful hardening-like modes that are not built on top of Contracts. But
that doesn't make what I said above untrue.
Louis
> -- Gaby
>
>
>
> ------------------------------
> *From:* Ryan McDougall <mcdougall.ryan_at_[hidden]>
> *Sent:* Tuesday, October 14, 2025 4:27:27 PM
> *To:* sg21_at_[hidden] <sg21_at_[hidden]>
> *Cc:* sg15_at_[hidden] <sg15_at_[hidden]>; Gabriel Dos Reis <
> gdr_at_[hidden]>; Tom Honermann <tom_at_[hidden]>
> *Subject:* Re: [isocpp-sg21] [isocpp-sg15] P3835 -- Different contract
> checking for different libraries
>
> C++ is not in a vacuum -- people are building vehicles and robots now and
> making language choices. C++ will never ever beat Rust on Language Safety,
> but it has a lane for Functional Safety.
>
> If there was reason to believe there were insurmountable problems I'd be
> sympathetic, but all arguments have been of one of two forms: "P2900 is too
> minimal" or "P2900 is not minimal enough". EWG and Plenary have decided
> it's about as right as one can get in the committee model. There is no
> "here" here.
>
> On Tue, Oct 14, 2025 at 1:17 PM Gabriel Dos Reis via SG21 <
> sg21_at_[hidden]> wrote:
>
> [Tom]
>
> - They are, or will be, once either of P3290 (Integrating Existing
> Assertions With Contracts) <https://wg21.link/p3290> or P3400
> (Specifying Contract Assertion Properties with Labels)
> <https://wg21.link/p3400> is adopted.
>
>
>
> If that conjecture is true, then I would recommend to wait for those
> papers to be implemented, with deployment experience and adopted before
> phrasing the hardened standard library in terms of contracts.
>
>
>
> -- Gaby
>
>
>
> *From:* SG15 <sg15-bounces_at_[hidden]> *On Behalf Of *Tom Honermann
> via SG15
> *Sent:* Tuesday, October 14, 2025 4:00 PM
> *To:* sg21_at_[hidden]; Ville Voutilainen via SG15 <
> sg15_at_[hidden]>
> *Cc:* Tom Honermann <tom_at_[hidden]>
> *Subject:* Re: [isocpp-sg15] [isocpp-sg21] P3835 -- Different contract
> checking for different libraries
>
>
>
> On 10/14/25 3:21 PM, Ran Regev via SG21 wrote:
>
>
>
> On Tue, Oct 14, 2025, 21:47 Ville Voutilainen via SG15 <
> sg15_at_[hidden]> wrote:
>
> On Tue, 14 Oct 2025 at 21:42, Ryan McDougall <mcdougall.ryan_at_[hidden]>
> wrote:
> >
> > And there are existing deployments where it's not desired and not a
> requirement...
>
> That doesn't mean that hardening should be possible to be turned off
> by a contract evaluation semantic choice
>
> One of the fundamental aspects of p2900 is that the person who write the
> contract is not the one who selects the semantics for the application.
>
> Is this aspect of contracts aligned with hardened libraries needs? The
> discussion seems to reveal that not. And therefore the draft paper
> mentioned earlier seems to be correct - contracts are not good fit for
> standard library hardening.
>
> They are, or will be, once either of P3290 (Integrating Existing
> Assertions With Contracts) <https://wg21.link/p3290> or P3400 (Specifying
> Contract Assertion Properties with Labels) <https://wg21.link/p3400> is
> adopted.
>
> Tom.
>
>
>
> applying to other code. Or more in the opposite direction, it doesn't
> mean that the choice of a contract evaluation semantic
> for other code should turn the hardening off.
>
>
> > The original sin is thinking that any one engineer knows all domains and
> anything that doesn't fit their preconceptions is universally wrong.
>
> Funny, you seem to be the only person in this discussion stating that
> something is universally wrong, or otherwise I have misunderstood
> what you think "patently false" means.
>
> >P2900 has been in development for a long time, and is useful and needed.
> The idea it's "unsafe" shows a lack of understanding of what that word
> means.
>
> Oh sure, it's a likely story that the critics of P2900 simply
> misunderstand something. In fact, a story so unlikely that it's safe
> to say it's patently false.
> _______________________________________________
> SG15 mailing list
> SG15_at_[hidden]
> https://lists.isocpp.org/mailman/listinfo.cgi/sg15
>
>
>
> _______________________________________________
>
> SG21 mailing list
>
> SG21_at_[hidden]
>
> Subscription: https://lists.isocpp.org/mailman/listinfo.cgi/sg21
>
> Link to this post: http://lists.isocpp.org/sg21/2025/10/11273.php
>
> _______________________________________________
> SG21 mailing list
> SG21_at_[hidden]
> Subscription: https://lists.isocpp.org/mailman/listinfo.cgi/sg21
> Link to this post: http://lists.isocpp.org/sg21/2025/10/11281.php
>
> _______________________________________________
> SG21 mailing list
> SG21_at_[hidden]
> Subscription: https://lists.isocpp.org/mailman/listinfo.cgi/sg21
> Link to this post: http://lists.isocpp.org/sg21/2025/10/11285.php
>
Received on 2025-10-14 21:40:40