The first case is at least documented that it's the programmer's responsibility that the view should not outlive the object pointed to.
Finally, the address sanitizer helps you with that, however I wonder how many actually do use sanitizers?
Overall, I agree that something could have been done to prevent temporary objects at all. From my newbie point over view, it seems the standard API has the tendency to be lower level rather than ergonomic: it's up to you to know how to use it (and fuck up with it). Quite sad, because that kind of makes the language more difficult to use than it should be. I don't have enough knowledge, and I wonder if making the constructor on (const std::string&&) private/deleted would have been enough to prevent it?
The second case I guess the principle is similar. Not sure if the sanitizer finds the error there, but still scary.
There is a discussion that without rust's move semantics C++ cannot reach the safety levels of Rust. But rust's move semantic cannot be brought to C++ without breaking an existing code.[1]
In a short, C++ approach is to give any object a "blank state" which it must turn into after the value was moved from it. It is an attempt to track state "value was moved out" dynamically. Rust tracks it statically by treating a variable whose value was moved out as uninitialized variable and ensuring that are no accesses to uninitialized variables.
Yeah, I do understand the main principle behind it, and I think an address sanitizer helps here - I did some tests and the ASAN coming with Clang 14.0.0 catches the bug (at runtime, of course).
It's a different approach, and definitely less efficient than compile-time checking, but if your program is not too complex I think it's OK. Especially if you use such sanitizers at the unit test level.
I don't have enough experience to say if it actually works in general though, because as usual everything on paper is always working.
> The first case is at least documented that it's the programmer's responsibility that the view should not outlive the object pointed to.
This is the problem with naked pointers in the first case. We've had I don't know how many years of experience to tell us that relying on programmers to not make mistakes is a terrible idea. If documenting requirements fixed these issues we would still just be able to write C.
The problem with sanitizers is they're an opt-in addition, and like static analysis tools they have a tendency to be have some false positives, which causes people to distrust then and say "but I'd never make that mistake". Compiling with asan enabled would cause our CI build times to double, as we'd need to build with and without (and we have 4 configurations over 3 platforms. My previous project had 3 configurations over 9 platforms).
>"Finally, the address sanitizer helps you with that, however I wonder how many actually do use sanitizers?"
I use C++ to write general backend servers / web apps among the other things. Not a single one ever deployed without passing sanitizer tests.
Not that my code would ever look like the examples above. I personally consider modern C++ safe enough for decent level programmer.
Of course I can not guarantee safety buy my servers run non stop servicing tens of thousands of client for months between updates without any hick-ups.
I looked at Rust to see if it can offer me any practical advantage vs modern C++ for what I do and so far did not see anything convincing enough.
I've written software for enterprises of Bell scale, but yes the team was small and always under my control. I still work mostly alone (hire subcontractors occasionally). My interactions with other systems is by network APIs so I do not have incompetents screwing with my code.
I understand that this is rather unique position but this is what I wanted, worked for and had managed to achieve. I mostly design and create products from start to finish for my clients. Been on my own for 20+ years already.
BTW. I doubt that Rust or any language for that matter can be a cure from shitty programmers. Some help sure but they'll manage to fuck things up regardless on a different level.
