I dramatically prefer modern C++ to either of Python or Rust in domains where it's a toss up. It's really nice these days.
Like any language that lasts (including Python and Rust) you subset it over time: you end up with linters and sanitizers and static analyzers and LSP servers, you have a build. But setting up a build is a one-time cost and maintaining a build is a fact of life, even JavaScript is often/usually the output of a build.
And with the build done right? Maybe you dont want C++ if youre both moving fast and doing safety or security critical stuff (as in, browser, sshd, avionics critical) but you shouldnt be moving fast on avoinics software to begin with.
And for stuff outside of that "even one buffer overflow is too many" Venn?
C++ doesn't segfault more than either of those after its cleared clang-tidy and ASAN. Python linking shoddy native stuff crashes way more.
I agree that python is often painful to get right. But asan really, doesn't help you unless you have tests that cover the path with the mistake it would catch. Safe rust doesn't segfault ever. Unsafe rust is still easier to get right for me than c, but mostly because c targets weird architectures with weird rules. Rust is also easier for me to develop fast in than either python or c++. For c++ that is because fragmented package management and build systems, and syntax that lets me express things I don't want to, like a race condition. Python slows me down because the duck typing can't help me reason about my design like static explicitly converted types can.
> That is why cve-rs uses #![deny(unsafe_code)] in the entire codebase. There is not a single block of unsafe code (except for some tests) in this project.
> cve-rs implements the following bugs in safe Rust:
Rust’s borrow checker has been mathematically verified to be always sound.[0] These are edge case implementation bugs that user code is unlikely to touch. I have never had a soundness hole/segfault from safe Rust, and I am not aware of any code in the wild which stumbled into one of these soundness holes either. The main bug is [1], which is very contrived lifetime shenanigans that wouldn't appear in real code. Some bugs [2] are miscompilations coming from the LLVM side. If implemented perfectly, all safe Rust code would be sound, but of course all programs have bugs. The important part is that 99.9% of safe Rust code is sound.
I don't feel I was bombastic, simply ignorant. I knew there had been unsoundness bugs in the past, but I thought they had all been fixed at this point. I see why it is taking them so long to fix this one, but yes it is not 100%. I will rather say that I have had no segfaults from safe rust in the decade I've been using it, and that even after 35 years in c++ I still average a couple a month. Probably worse now because I'm rusty when I go back to use it for something. It could be argued I'm really bad at c++, and maybe that is true, but then maybe I shouldn't be using it, and should use rust instead, it allows me to get the same job done.
If you don't have good tests with coverage information then your Python and Rust code is buggy too. If you want "as low of defects as I can get from the compiler alone" then your options are things like Haskell and theory-laden TypeScript.
If you have low-defect appropriate test coverage, ASAN approaches linear typing for the class of bugs that the borrow checker catches.
Python and Rust have their sweet spots just like C++ does, I use all three. The meme that either is a blanket replacement for all of C++'s assigned duties is both sikly by observation and not demonstrated by enthusiastic adoption in C/C++ in the highest-demand regimes: AI inference, HFT, extreme CERN-scale physics, your web browser.
Python is better for fast prototyping and other iteration critical work, Rust is unmatched for "zero defect target with close to zero cost abstractions" (it was designed for writing a web browser and in that wildly demanding donain I can think of nothing better).
C++ excels in extreme machine economics scenarios where you want a bit more flexibility in your memory management and a bit more license to overrule the compiler and a trivial FFI story. Zig to me looks likely to succeed it in this role someday.
All have their place, software engineers in these domains should know all of them well, and any "one true language" crap is zealoty or cynical marketing or both.
A coworker found a stack use after free in production that no amount of linters or tidyers caught. It only actually happened in the release build, and asan caught it, but only when we pushed to 100% branch coverage instead of just line coverage. Rust makes coverage much easier to get with fewer tests due to it's type system. It seems really clear to me that rust will be the c++ successor. If you need that extra flexibility, you use unsafe. That still feels less foot gun ridden than c++. The slow adoption of rust is because c++ interoperability is bad and people are stuck maintaining c++ behemoths. Green field rust adoption in c++ domains is much higher. Zig is more of a c replacement, but as much as I like it, I don't think that will happen. C is like a standardized ir. But when sonos wanted to make an arm cpu only onnx inference engine for instance, they made it in rust (tract). When c++ developers get to choose rust, we often do. I can throw earlier career c++ devs with modern c++ experience directly into a rust codebase and have them be immediately productive, but also not worry about them doing horrible things.
Yeah, you and I are both entitled to our guesses about Rust and Zig respectively in the future. Both have serious production projects (bun and TigerBeetle are best-in-class to head off any "hobby project" stuff), neither is making serious inroads to the domains I'm talking about: it doesn't get any hotter than the new CUTLASS stuff, and that's greenfield modern C++ with a standardization regime (mdarray) with 100% industry voting as a bloc for "it's still modern C++ at the frontier". HFT shops have at least some Rust at least auditioning, but the reqs are still C++, and they rewrite anything that alpha decays out.
When it's for all the marbles today? It's C++. The future is an open question, but a lot of us are pushing hard for C++.
Like any language that lasts (including Python and Rust) you subset it over time: you end up with linters and sanitizers and static analyzers and LSP servers, you have a build. But setting up a build is a one-time cost and maintaining a build is a fact of life, even JavaScript is often/usually the output of a build.
And with the build done right? Maybe you dont want C++ if youre both moving fast and doing safety or security critical stuff (as in, browser, sshd, avionics critical) but you shouldnt be moving fast on avoinics software to begin with.
And for stuff outside of that "even one buffer overflow is too many" Venn?
C++ doesn't segfault more than either of those after its cleared clang-tidy and ASAN. Python linking shoddy native stuff crashes way more.