"If you can't write safe C++ code, it's because you can't write C++"
If you're a software developer with an interest in writing fast and efficient code for trading systems, you will probably have come across C++. And if you have an interest in C++, you will probably have noticed this week's provocative Tweet from Mark Russinovich, the CTO of Microsoft Azure.
Speaking of languages, it's time to halt starting any new projects in C/C++ and use Rust for those scenarios where a non-GC language is required. For the sake of security and reliability. the industry should declare those languages as deprecated.— Mark Russinovich (@markrussinovich) September 19, 2022
Russinovich subsequently moderated his statement by acknowledging that C++ isn't going to disappear for legacy applications. But Rust should be used for "new tools," he said.
His claims have prompted an outcry among C++ devotees, many of whom work in the financial services industry. "C++ is fine, it’s just that many who use it (and other languages) essentially don’t know how to program," said one. "I freely admit that it takes good developers to write good C++ code, and it might very well be much easier to find developers who write good Rust code. But it is possible to write rock-stable, highly-abstracted, well-maintainable, and fast C++ code," said another.
It's just that not many people can write good C++.
The safety issues with C++ are well-documented. A 2019 Microsoft study found they were mostly the result of memory errors relating to heap out of bounds, use after free, type confusion and uninitialized use.
However, if you know how to use C++ well, many of these errors can be corrected.
"We can now achieve guaranteed perfect type and memory safety in ISO C++," Bjarne Stroustrup, creator of C++, told the Register this week. "That is, every object is used according to the type it was defined with. That implies that we eliminate uses of dangling pointers, catch range errors, and eliminate data races."
Stroustrup's defense of his creation follows his recent presentation on C++ at CPPCon. C++ is based on a "coherent philosophy" and not "several fashionable rules," declared Stroustrup. The language can develop, but it also needs to be compatible with the "few billions of lines" of legacy C++ code already in existence, he added. Instead of looking for "silver bullets" that eliminate complexity and render contemporary versions of C++ incompatible with their predecessors, it's therefore necessary to be pragmatic. "The language is just part of our toolbox... I don't suffer from the delusion that all the solutions are in the language, a language is embedded in a world."
With this caveat, and even with this focus on legacy C++ code and backwards compatibility, Stroustrup said that C++ is still safe. "I think that the approach I'm talking about - the static analysis and rule-based for modern styles can deliver complete safety, no leaks, no type violations...and by type safety I mean that every object is used exclusively according to its definition..."
There may be "edge cases" where C++ has safety issues, but they will be just that, added Stroustrup. "The strength of this system is that you can get a gradual evolution... you can actually gradually gain first the complete safety of foundational stuff and then slowly move into the rest..."
Stroustrup also said that Rust isn't as safe as people think: "Note that every 'safe' language, including Rust, has loopholes allowing unsafe code." Rust's detractors point out that the language is too new and untested to be a meaningful C++ replacement. Nor does it have the enormous array of open source libraries that have evolved to support C++.
The presumption is that if you can simply get to grips with C++, you will write safe code.
Not everyone agrees, though. "About 70–80% of serious security vulnerabilities in software are caused by memory unsafety," said one developer responding to Russinovich's tweet. "These extremely serious bugs can basically only happen in C and C++, and we’ve got a few decades of experience and research showing that just being more careful isn’t enough to reduce that."
Have a confidential story, tip, or comment you’d like to share? Contact: email@example.com in the first instance. Whatsapp/Signal/Telegram also available (Telegram: @SarahButcher)
Bear with us if you leave a comment at the bottom of this article: all our comments are moderated by human beings. Sometimes these humans might be asleep, or away from their desks, so it may take a while for your comment to appear. Eventually it will – unless it’s offensive or libelous (in which case it won’t.)