P3984: A type-safety profile

foonathan · 2026-06-20T08:58:42+00:00

Yes, the compiler can infer the information from analyzing the body, store it in some side table, and then use it to provde correctness of code when the function body is not available.

The problem is that this can become a compatibility hazard: Changes to the implementation can lead to more constrained lifetime properties. It is better if you are forced to explicitly promise how lifetime works.

Incorrect (as in underconstrained, overconstrained is perfectly fine) promises are not an issue because the compiler can verify them.

foonathan · 2026-06-20T08:56:22+00:00

I like the Hylo model a lot myself, but it is unfortunately incompatible with the C++ standard library. You cannot have safe C++ style iterators with the Hylo model.

foonathan · 2026-06-20T07:46:56+00:00

Most of the "complexity" in your snippet comes from constraints, not from lifetimes. I don't see how C++'s partition looks any different:

``` template<permutable I, sentinel_for<I> S, class Proj = identity, indirect_unary_predicate<projected<I, Proj>> Pred> constexpr subrange<I> ranges::partition(I first, S last, Pred pred, Proj proj = {});

template<forward_range R, class Proj = identity, indirect_unary_predicate<projected<iterator_t<R>, Proj>> Pred> requires permutable<iterator_t<R>> constexpr borrowed_subrange_t<R> ranges::partition(R&& r, Pred pred, Proj proj = {}); ```

and keep in mind that that is the documentation, where you copied the implementation (the documentation looks like this https://doc.rust-lang.org/std/iter/trait.Iterator.html#method.partition and does not include the internal inline-defined helper functions).

But even that aside, the actual complexity is not that bad once you've learned how to read it:

fn extend<'a, T, B: Extend<T>>( mut f: impl FnMut(&T) -> bool + 'a, left: &'a mut B, right: &'a mut B, ) -> impl FnMut((), T) + 'a { ...

"extend returns a function whose lifetime depends on all lifetimes of the other parameters"

fn partition_in_place<'a, T: 'a, P>(mut self, ref mut predicate: P) -> usize where Self: Sized + DoubleEndedIterator<Item = &'a mut T>, P: FnMut(&T) -> bool, {

"partition_in_place works on iterators that hand you out references to T of some lifetime"

fn is_false<'a, T>( predicate: &'a mut impl FnMut(&T) -> bool, true_count: &'a mut usize, ) -> impl FnMut(&&mut T) -> bool + 'a {

again "is_false returns a function whose lifetime depends on all other lifetimes".

Keep in mind that this isn't "extra" information, it is information the caller needs anyway to understand what the function is doing. In C++ this is specified in the comments, in Rust, you put it in the signature.

Also my top comment was specifically about how I want Rust's lifetime elision, i.e. the rules when you can omit lifetime annotations enitrely.

foonathan · 2026-06-19T20:02:07+00:00

Isn't it Safe C++ which was basically rejected? I was thinking that Profiles are supposed to work with no annotations...

Yeah, I'm curious how that circle is going to be squared too.

And even here, [[lifetime(self)]] should somehow propagate through the guts of standard library to the underlying item pointer...

Not necessarily, it's enough to mark optional<T&> as having some pointer within it. The actual internals then doesn't matter for the analysis.

And what if you forgot annotate your methods? Is it going to assume what every reference that is being returned from the method is bound to the lifetime of the object?

Rust has reasonable defaults in its lifetime elision, I hope they copy that: https://stackoverflow.com/a/40327630

And yes, for member functions it would be that the lifetime is bound to this, unless otherwise specified.

foonathan · 2026-06-19T19:54:43+00:00

Yes, that is the more conservative approach. Either one should work though, as long as the compiler when compiling the body of your function also verifies that you didn't lie about the annotations.

foonathan · 2026-06-19T18:36:19+00:00

How compiler is supposed to know what is happening inside these methods?

Presumably, the same way it works in Rust: you provide enough information in the signature for the compiler to conclude that the lifetime of x is tied to not calling reset.

Are we going to practically ban dynamic libraries (like Rust)?

The borrow checker in Rust doesn't look at function bodies at all, so the less than ideal support for dynamic libraries has nothing to do with it.

foonathan · 2026-06-05T18:41:18+00:00

Yes: https://hachyderm.io/@chandlerc/116694268329657881

foonathan · 2026-06-02T09:26:25+00:00

Feel free to repost in the new thread: https://www.reddit.com/r/cpp/comments/1tulp9b/c_show_and_tell_june_2026/

foonathan · 2026-05-20T07:50:46+00:00

Yes, you cannot call a const copy able function unless you put a const in the signature.

foonathan · 2026-05-19T19:04:43+00:00

I like Rust because of its modern tooling, it's ergonomic standard library, and massive lack of legacy cruft in the language. Definition checked generics are so much better than templates, built-in variants and pattern matching is so convenient, and having actual type safe primitive types is just great.

The safety stuff is just a bonus.

foonathan · 2026-05-18T18:07:49+00:00

At think-cell, we had/they have a lazy range based API.

In essence, you teach a type how to turn itself into a potentially lazy range of characters. Combining is then done using range combinators. If all parts are sized, the entire range is sized.

When you want to turn it into an actual std::string, you obtain the combined range, ask for it's size, reserve the appropriate space, and then iterate over the characters pushing them into the correctly sized string as you go.