From the page:

My aim is to produce a superset of C++ that has a rigorously safe subset. Start a new project, or take an existing one, and write safe code in C++. Code written in the safety context exhibits the same strong safety guarantees as safe code programmed in Rust. Indeed, lifetime safety is enforced statically with borrow checking, the signature safety technology first introduced in Rust

What properties characterize Safe C++?

  • A superset of C++ with a safe subset. Undefined behavior is prohibited from originating in the safe subset.
  • The safe and unsafe parts of the language are clearly delineated, and users must explicitly leave the safe context to use unsafe operations.
  • The safe subset must remain useful. If we get rid of a crucial unsafe technology, like unions or pointers, we should supply a safe alternative, like choice types or borrows. A perfectly safe language is not useful if it’s so inexpressive you can’t get your work done.
  • The new system can’t break existing code. If you point a Safe C++ compiler at existing C++ code, that code must compile normally. Users opt into the new safety mechanisms. Safe C++ is an extension of C++. It’s not a new language.
#feature on safety
#include "std2.h"

int main() safe {
  std2::vector<int> vec { 11, 15, 20 };

  for(int x : vec) {
    // Ill-formed. mutate of vec invalidates iterator in ranged-for.
    if(x % 2)
      vec^.push_back(x);

    unsafe printf("%d\n", x);
  }
}
$ circle iter3.cxx
safety: iter3.cxx:10:10
      vec^.push_back(x);
         ^
mutable borrow of vec between its shared borrow and its use
loan created at iter3.cxx:7:15
  for(int x : vec) {
              ^

A couple other languages aiming to create a “C++ successor” which is fully interoperable with C++ (analogous to TypeScript and JavaScript):

  • Carbon: an entirely new language which compiles straight to LLVM, but still strives to be highly interoperable with C++. Its goal is to add “modern” features: new syntax, parametric polymorphism, as well as removing C++'s backwards-compatibility quirks.
    • It has a section on memory safety which mentions a “safe Carbon subset”. But this is a longer-term goal, whereas it’s the main goal of Circle.
  • Cpp2: an alternate syntax for C++. It compiles to C++, but makes new features such as modules and concepts less verbose, while hiding or removing backwards-compatibility quirks (e.g. lists are std::array and string literals are std::string).
    • 100% memory safety is a non-goal: AFAIK it doesn’t do static analysis and syntactic rewrites alone aren’t powerful enough to enforce it.

Compared to the other languages, Circle remains closest to C++. The other languages try to fix other C++ “problems”; Circle’s only goal is to fix memory unsafety, and otherwise keep syntax and semantics the same for maximum interoperability.

  • QuadriLiteral
    link
    fedilink
    English
    arrow-up
    3
    ·
    edit-2
    6 months ago

    Note that the scope of “New Circle” is much bigger than “just” memory safety: choice types, pattern matching, …