The C++ standard for the F-35 Fighter Jet [video]

(www.youtube.com)

327 points AareyBaba | 2 comments | 07 Dec 25 18:07 UTC | HN request time: 0s | source

PDF: https://www.stroustrup.com/JSF-AV-rules.pdf

Show context

don-code ◴[07 Dec 25 23:11 UTC] No.46186343[source]▶

> All if, else if constructs will contain either a final else clause or a comment indicating why a final else clause is not necessary.

I actually do this as well, but in addition I log out a message like, "value was neither found nor not found. This should never happen."

This is incredibly useful for debugging. When code is running at scale, nonzero probability events happen all the time, and being able to immediately understand what happened - even if I don't understand why - has been very valuable to me.

replies(2): >>46187141 #>>46187743 #

YesBox ◴[08 Dec 25 02:45 UTC] No.46187743[source]▶

>>46186343 #

Same. I go one step further and create a macro _STOP which is defined as w/e your language's DebugBreak() is. And if it's really important, _CRASH (this coerces me to fix the issue immediately)

replies(1): >>46187836 #

creato ◴[08 Dec 25 03:01 UTC] No.46187836[source]▶

>>46187743 #

The "standard" (typically defined in projects I'm familiar with, and as of C23, an actual standard) is "unreachable": https://en.cppreference.com/w/c/program/unreachable.html

replies(2): >>46187855 #>>46188241 #

vlovich123 ◴[08 Dec 25 04:18 UTC] No.46188241[source]▶

>>46187836 #

That is not the same thing at all. Unreachable means that entire branch cannot be taken and the compiler is free to inject optimizations assuming that’s the case. It doesn’t need to crash if the violation isn’t met - indeed it probably won’t. It’s the equivalent of having something like

    x->foo();
    if (x == null) {
        Return error…;
    }

This literally caused a security vulnerability in the Linux kernel because it’s UB to dereference null (even in the kernel where engineers assumed it had well defined semantics) and it elided the null pointer check which then created a vulnerability.

I would say that using unreachable() in mission critical software is super dangerous, moreso than an allocation failing. You want to remove all potential for UB (ie safe rust with no or minimal unsafe, not sprinkling in UB as a form of documentation).

replies(2): >>46188922 #>>46189769 #

1. creato ◴[08 Dec 25 06:05 UTC] No.46188922[source]▶

>>46188241 #

You're right, the thing I linked to do does exactly that. I should have read it more closely.

The projects that I've worked on, unconditionally define it as a thing that crashes (e.g. `std::abort` with a message). They don't actually use that C/C++ thing (because C23 is too new), and apparently it would be wrong to do so.

replies(1): >>46190411 #

2. uecker ◴[08 Dec 25 09:53 UTC] No.46190411[source]▶

>>46188922 (TP) #

You can use the standard feature with the unreachable sanitizer: https://godbolt.org/z/3hePd18Tn

↑