Date: Wed, 15 Oct 2025 03:55:40 +0000
I hate to disagree with you, but nope, unless we are measuring "close" in "light years".
-- Gaby
________________________________
From: Louis Dionne <ldionne.2_at_[hidden]>
Sent: Tuesday, October 14, 2025 5:40:07 PM
To: sg21_at_[hidden] <sg21_at_[hidden]>
Cc: Ryan McDougall <mcdougall.ryan_at_[hidden]>; Gabriel Dos Reis <gdr_at_[hidden]>; sg15_at_[hidden] <sg15_at_[hidden]>; Tom Honermann <tom_at_[hidden]>
Subject: Re: [isocpp-sg21] [isocpp-sg15] P3835 -- Different contract checking for different libraries
You don't often get email from ldionne.2_at_gmail.com. Learn why this is important<https://aka.ms/LearnAboutSenderIdentification>
On Tue, Oct 14, 2025 at 4:35 PM Gabriel Dos Reis via SG21 <sg21_at_[hidden]<mailto:sg21_at_[hidden]>> wrote:
The point is that hardened standard library implementations are being delivered right now, today, for supported language versions, without being phrased in term of P2900, by GCC, Clang, MSVC, etc.
Any rephrasing in terms of P2900 should bring tangible benefits over what is available today. I see none.
I don't think that is accurate. Libc++'s implementation of hardening is basically as close as possible to Contracts without actually using the language feature. We provide `enforce`, `quick_enforce`, `observe` and `ignore`, which can be selected using macros. We allow users to customize the handlers for `enforce` and `observe` in a way similar to what Contracts proposes. All of these decisions basically came from deployment experience and user feedback / feature requests (in particular observe, which we didn't have originally). IMO, that demonstrates a tangible benefit of wording hardening on top of Contracts, backed by libc++'s experience. Folks are free not to believe it, but it is historically and factually accurate that libc++ ended up where it is due to user demand and real world constraints. It's also the case that this has been deployed at a large scale and documented.
By the way, I'm not disputing that other standard libraries also provide useful hardening-like modes that are not built on top of Contracts. But that doesn't make what I said above untrue.
Louis
-- Gaby
________________________________
From: Ryan McDougall <mcdougall.ryan_at_[hidden]<mailto:mcdougall.ryan_at_[hidden]>>
Sent: Tuesday, October 14, 2025 4:27:27 PM
To: sg21_at_lists.isocpp.org<mailto:sg21_at_[hidden]> <sg21_at_[hidden]<mailto:sg21_at_[hidden]>>
Cc: sg15_at_lists.isocpp.org<mailto:sg15_at_[hidden]> <sg15_at_[hidden]<mailto:sg15_at_[hidden]>>; Gabriel Dos Reis <gdr_at_[hidden]<mailto:gdr_at_[hidden]>>; Tom Honermann <tom_at_[hidden]<mailto:tom_at_[hidden]>>
Subject: Re: [isocpp-sg21] [isocpp-sg15] P3835 -- Different contract checking for different libraries
C++ is not in a vacuum -- people are building vehicles and robots now and making language choices. C++ will never ever beat Rust on Language Safety, but it has a lane for Functional Safety.
If there was reason to believe there were insurmountable problems I'd be sympathetic, but all arguments have been of one of two forms: "P2900 is too minimal" or "P2900 is not minimal enough". EWG and Plenary have decided it's about as right as one can get in the committee model. There is no "here" here.
On Tue, Oct 14, 2025 at 1:17 PM Gabriel Dos Reis via SG21 <sg21_at_[hidden]<mailto:sg21_at_[hidden]>> wrote:
[Tom]
* They are, or will be, once either of P3290 (Integrating Existing Assertions With Contracts)<https://wg21.link/p3290> or P3400 (Specifying Contract Assertion Properties with Labels)<https://wg21.link/p3400> is adopted.
If that conjecture is true, then I would recommend to wait for those papers to be implemented, with deployment experience and adopted before phrasing the hardened standard library in terms of contracts.
-- Gaby
From: SG15 <sg15-bounces_at_[hidden]<mailto:sg15-bounces_at_[hidden]>> On Behalf Of Tom Honermann via SG15
Sent: Tuesday, October 14, 2025 4:00 PM
To: sg21_at_[hidden]pp.org<mailto:sg21_at_[hidden]>; Ville Voutilainen via SG15 <sg15_at_[hidden]<mailto:sg15_at_[hidden]>>
Cc: Tom Honermann <tom_at_[hidden]<mailto:tom_at_honermann.net>>
Subject: Re: [isocpp-sg15] [isocpp-sg21] P3835 -- Different contract checking for different libraries
On 10/14/25 3:21 PM, Ran Regev via SG21 wrote:
On Tue, Oct 14, 2025, 21:47 Ville Voutilainen via SG15 <sg15_at_[hidden]<mailto:sg15_at_[hidden]>> wrote:
On Tue, 14 Oct 2025 at 21:42, Ryan McDougall <mcdougall.ryan_at_[hidden]<mailto:mcdougall.ryan_at_[hidden]>> wrote:
>
> And there are existing deployments where it's not desired and not a requirement...
That doesn't mean that hardening should be possible to be turned off
by a contract evaluation semantic choice
One of the fundamental aspects of p2900 is that the person who write the contract is not the one who selects the semantics for the application.
Is this aspect of contracts aligned with hardened libraries needs? The discussion seems to reveal that not. And therefore the draft paper mentioned earlier seems to be correct - contracts are not good fit for standard library hardening.
They are, or will be, once either of P3290 (Integrating Existing Assertions With Contracts)<https://wg21.link/p3290> or P3400 (Specifying Contract Assertion Properties with Labels)<https://wg21.link/p3400> is adopted.
Tom.
applying to other code. Or more in the opposite direction, it doesn't
mean that the choice of a contract evaluation semantic
for other code should turn the hardening off.
> The original sin is thinking that any one engineer knows all domains and anything that doesn't fit their preconceptions is universally wrong.
Funny, you seem to be the only person in this discussion stating that
something is universally wrong, or otherwise I have misunderstood
what you think "patently false" means.
>P2900 has been in development for a long time, and is useful and needed. The idea it's "unsafe" shows a lack of understanding of what that word means.
Oh sure, it's a likely story that the critics of P2900 simply
misunderstand something. In fact, a story so unlikely that it's safe
to say it's patently false.
_______________________________________________
SG15 mailing list
SG15_at_[hidden]<mailto:SG15_at_[hidden]pp.org>
https://lists.isocpp.org/mailman/listinfo.cgi/sg15
_______________________________________________
SG21 mailing list
SG21_at_[hidden]<mailto:SG21_at_[hidden]>
Subscription: https://lists.isocpp.org/mailman/listinfo.cgi/sg21
Link to this post: http://lists.isocpp.org/sg21/2025/10/11273.php
_______________________________________________
SG21 mailing list
SG21_at_[hidden]<mailto:SG21_at_[hidden]>
Subscription: https://lists.isocpp.org/mailman/listinfo.cgi/sg21
Link to this post: http://lists.isocpp.org/sg21/2025/10/11281.php
_______________________________________________
SG21 mailing list
SG21_at_[hidden]<mailto:SG21_at_[hidden]>
Subscription: https://lists.isocpp.org/mailman/listinfo.cgi/sg21
Link to this post: http://lists.isocpp.org/sg21/2025/10/11285.php
-- Gaby
________________________________
From: Louis Dionne <ldionne.2_at_[hidden]>
Sent: Tuesday, October 14, 2025 5:40:07 PM
To: sg21_at_[hidden] <sg21_at_[hidden]>
Cc: Ryan McDougall <mcdougall.ryan_at_[hidden]>; Gabriel Dos Reis <gdr_at_[hidden]>; sg15_at_[hidden] <sg15_at_[hidden]>; Tom Honermann <tom_at_[hidden]>
Subject: Re: [isocpp-sg21] [isocpp-sg15] P3835 -- Different contract checking for different libraries
You don't often get email from ldionne.2_at_gmail.com. Learn why this is important<https://aka.ms/LearnAboutSenderIdentification>
On Tue, Oct 14, 2025 at 4:35 PM Gabriel Dos Reis via SG21 <sg21_at_[hidden]<mailto:sg21_at_[hidden]>> wrote:
The point is that hardened standard library implementations are being delivered right now, today, for supported language versions, without being phrased in term of P2900, by GCC, Clang, MSVC, etc.
Any rephrasing in terms of P2900 should bring tangible benefits over what is available today. I see none.
I don't think that is accurate. Libc++'s implementation of hardening is basically as close as possible to Contracts without actually using the language feature. We provide `enforce`, `quick_enforce`, `observe` and `ignore`, which can be selected using macros. We allow users to customize the handlers for `enforce` and `observe` in a way similar to what Contracts proposes. All of these decisions basically came from deployment experience and user feedback / feature requests (in particular observe, which we didn't have originally). IMO, that demonstrates a tangible benefit of wording hardening on top of Contracts, backed by libc++'s experience. Folks are free not to believe it, but it is historically and factually accurate that libc++ ended up where it is due to user demand and real world constraints. It's also the case that this has been deployed at a large scale and documented.
By the way, I'm not disputing that other standard libraries also provide useful hardening-like modes that are not built on top of Contracts. But that doesn't make what I said above untrue.
Louis
-- Gaby
________________________________
From: Ryan McDougall <mcdougall.ryan_at_[hidden]<mailto:mcdougall.ryan_at_[hidden]>>
Sent: Tuesday, October 14, 2025 4:27:27 PM
To: sg21_at_lists.isocpp.org<mailto:sg21_at_[hidden]> <sg21_at_[hidden]<mailto:sg21_at_[hidden]>>
Cc: sg15_at_lists.isocpp.org<mailto:sg15_at_[hidden]> <sg15_at_[hidden]<mailto:sg15_at_[hidden]>>; Gabriel Dos Reis <gdr_at_[hidden]<mailto:gdr_at_[hidden]>>; Tom Honermann <tom_at_[hidden]<mailto:tom_at_[hidden]>>
Subject: Re: [isocpp-sg21] [isocpp-sg15] P3835 -- Different contract checking for different libraries
C++ is not in a vacuum -- people are building vehicles and robots now and making language choices. C++ will never ever beat Rust on Language Safety, but it has a lane for Functional Safety.
If there was reason to believe there were insurmountable problems I'd be sympathetic, but all arguments have been of one of two forms: "P2900 is too minimal" or "P2900 is not minimal enough". EWG and Plenary have decided it's about as right as one can get in the committee model. There is no "here" here.
On Tue, Oct 14, 2025 at 1:17 PM Gabriel Dos Reis via SG21 <sg21_at_[hidden]<mailto:sg21_at_[hidden]>> wrote:
[Tom]
* They are, or will be, once either of P3290 (Integrating Existing Assertions With Contracts)<https://wg21.link/p3290> or P3400 (Specifying Contract Assertion Properties with Labels)<https://wg21.link/p3400> is adopted.
If that conjecture is true, then I would recommend to wait for those papers to be implemented, with deployment experience and adopted before phrasing the hardened standard library in terms of contracts.
-- Gaby
From: SG15 <sg15-bounces_at_[hidden]<mailto:sg15-bounces_at_[hidden]>> On Behalf Of Tom Honermann via SG15
Sent: Tuesday, October 14, 2025 4:00 PM
To: sg21_at_[hidden]pp.org<mailto:sg21_at_[hidden]>; Ville Voutilainen via SG15 <sg15_at_[hidden]<mailto:sg15_at_[hidden]>>
Cc: Tom Honermann <tom_at_[hidden]<mailto:tom_at_honermann.net>>
Subject: Re: [isocpp-sg15] [isocpp-sg21] P3835 -- Different contract checking for different libraries
On 10/14/25 3:21 PM, Ran Regev via SG21 wrote:
On Tue, Oct 14, 2025, 21:47 Ville Voutilainen via SG15 <sg15_at_[hidden]<mailto:sg15_at_[hidden]>> wrote:
On Tue, 14 Oct 2025 at 21:42, Ryan McDougall <mcdougall.ryan_at_[hidden]<mailto:mcdougall.ryan_at_[hidden]>> wrote:
>
> And there are existing deployments where it's not desired and not a requirement...
That doesn't mean that hardening should be possible to be turned off
by a contract evaluation semantic choice
One of the fundamental aspects of p2900 is that the person who write the contract is not the one who selects the semantics for the application.
Is this aspect of contracts aligned with hardened libraries needs? The discussion seems to reveal that not. And therefore the draft paper mentioned earlier seems to be correct - contracts are not good fit for standard library hardening.
They are, or will be, once either of P3290 (Integrating Existing Assertions With Contracts)<https://wg21.link/p3290> or P3400 (Specifying Contract Assertion Properties with Labels)<https://wg21.link/p3400> is adopted.
Tom.
applying to other code. Or more in the opposite direction, it doesn't
mean that the choice of a contract evaluation semantic
for other code should turn the hardening off.
> The original sin is thinking that any one engineer knows all domains and anything that doesn't fit their preconceptions is universally wrong.
Funny, you seem to be the only person in this discussion stating that
something is universally wrong, or otherwise I have misunderstood
what you think "patently false" means.
>P2900 has been in development for a long time, and is useful and needed. The idea it's "unsafe" shows a lack of understanding of what that word means.
Oh sure, it's a likely story that the critics of P2900 simply
misunderstand something. In fact, a story so unlikely that it's safe
to say it's patently false.
_______________________________________________
SG15 mailing list
SG15_at_[hidden]<mailto:SG15_at_[hidden]pp.org>
https://lists.isocpp.org/mailman/listinfo.cgi/sg15
_______________________________________________
SG21 mailing list
SG21_at_[hidden]<mailto:SG21_at_[hidden]>
Subscription: https://lists.isocpp.org/mailman/listinfo.cgi/sg21
Link to this post: http://lists.isocpp.org/sg21/2025/10/11273.php
_______________________________________________
SG21 mailing list
SG21_at_[hidden]<mailto:SG21_at_[hidden]>
Subscription: https://lists.isocpp.org/mailman/listinfo.cgi/sg21
Link to this post: http://lists.isocpp.org/sg21/2025/10/11281.php
_______________________________________________
SG21 mailing list
SG21_at_[hidden]<mailto:SG21_at_[hidden]>
Subscription: https://lists.isocpp.org/mailman/listinfo.cgi/sg21
Link to this post: http://lists.isocpp.org/sg21/2025/10/11285.php
Received on 2025-10-15 03:55:52