Rust has panics as well and they appear pretty much everywhere, because the Rust stdlb made a conscious decision to panic on allocation failures (later non-panicking APIs were added, but most people dont use them, and in special, most dependencies will not use this and will panic on random occasions), and also because common operations like integer division and array indexing will panic on bugs (and also integer overflow on debug builds)
In any case OCaml has memory safety, sort of (it has data races but as described in the paper "data races bounded in time and space", data races in OCaml doesn't lead to unrestricted UB like in Rust, C, C++, and most other languages actually) (unless you opt into OCaml's unsafe constructs like Obj.magic, which is like Rust's unsafe without using unsafe {} block), because it has a GC
So when you talk about safety in the context of exceptions, you probably mean exception safety rather than memory safety. Exception safety basically means you code works even if an exception is raised. Which is really hard to assure since as you said, exceptions are everywhere
But Rust suffer from this same problem! In Rust this is called panic safety and mitigating it has taken a great deal of complexity, with things like lock poisoning, which adds overhead but limit the scope of panics in multithreaded programs, and the UnwindSafe trait, which is probably a good attempt but is ignored in most of the ecosystem. Many people think such measures are inadequate and insufficient and prefer to run programs with panic=abort, which means to just terminate the program when there is any panic. (many C++ projects disable exceptions in the same way for example)
Which is kind of unfortunate because now there are many Rust programs that are only correct if you run with panic=abort, and will break if you enable stack unwinding (which is the default)
Rust currently cannot reliably panic on allocation failures because the error object is inside a Box, which itself requires allocation. This means that if memory is tight, panicking itself might fail.
Safety was something added to Rust as it developed, not one of the original goals. As I recall it.
And you're working with multiple definitions of "safety" here, and Rust sorta conflates them all via borrow checker, but the one people are usually most concerned with is memory safety which is not a concern for a garbage collected language.
I do seem to recall that StandardML did not have exceptions though. And I always felt that SML was the better language.
OCaml adding OO classes and exceptions and other 90s trends that actually have ended up not aging well...
But the flow control is easier to reason about. You don't have to go guessing about non-local catch blocks that the caller may have introduced. The code either panics, or propagates.
Exceptions look remarkably wrong headed to me in retrospect. Allowing the caller to change the error handling contract and flow control.
I don't like Exceptions in OCaml (or Haskell or C++ or JS/TS) either. But they aren't unsafe, except for bugs in the compiler/runtime (in OCaml, in C++ there are of course some footguns ;).
Of course they add "bottom" to any function where an Exceptions can occur (and other things, see for example
https://markkarpov.com/tutorial/Exceptions) but for stuff like `0/0` there are 3 possibilities:
use something like `Maybe` for the result - clumsy.
return (for example) 0, which is what most theorem provers (like Coq or Lean and dependently typed languages like Idris) do, that need their functions to be total
or throw an exception.
(C's solution of declari g it undefined behavior is missing).
Second, less-predictable execution path. Additional cognitive load in evaluating effects across both paths. Additional opportunity for bugs. Doesn't necessarily mean that exceptions make all software which uses them unsafe, but does tend to mean that exceptions significantly complicate the task of proving safety for any nontrivial program.
Safe isn't the best word to describe it with. But it does mean that any expression or statement always has two possible control flows. You have the "surface flow" as well as the exceptional flow, so there's an added complexity.
I never felt this was a problem when I did Java though (despite their awkwardness - basically forcing coders to not use checked exceptions.)
Rust's control flow syntax for Results and Options are very similar to this but with an added benefit: you don't have to use the ?-operator.
panics is different, however. They are more akin to the way any Java program will happily OutOfMemoryError or NoClassDefFoundError given circumstances not (always) in your control.
nextaccountic|2 years ago
In any case OCaml has memory safety, sort of (it has data races but as described in the paper "data races bounded in time and space", data races in OCaml doesn't lead to unrestricted UB like in Rust, C, C++, and most other languages actually) (unless you opt into OCaml's unsafe constructs like Obj.magic, which is like Rust's unsafe without using unsafe {} block), because it has a GC
So when you talk about safety in the context of exceptions, you probably mean exception safety rather than memory safety. Exception safety basically means you code works even if an exception is raised. Which is really hard to assure since as you said, exceptions are everywhere
But Rust suffer from this same problem! In Rust this is called panic safety and mitigating it has taken a great deal of complexity, with things like lock poisoning, which adds overhead but limit the scope of panics in multithreaded programs, and the UnwindSafe trait, which is probably a good attempt but is ignored in most of the ecosystem. Many people think such measures are inadequate and insufficient and prefer to run programs with panic=abort, which means to just terminate the program when there is any panic. (many C++ projects disable exceptions in the same way for example)
Which is kind of unfortunate because now there are many Rust programs that are only correct if you run with panic=abort, and will break if you enable stack unwinding (which is the default)
fweimer|2 years ago
For reference, this is the type that is returned from catch_unwind: https://doc.rust-lang.org/std/thread/type.Result.html
But I completely agree that Rust has exceptions. They are even used in the toolchain implementation for non-local control flow.
cmrdporcupine|2 years ago
And you're working with multiple definitions of "safety" here, and Rust sorta conflates them all via borrow checker, but the one people are usually most concerned with is memory safety which is not a concern for a garbage collected language.
I do seem to recall that StandardML did not have exceptions though. And I always felt that SML was the better language.
OCaml adding OO classes and exceptions and other 90s trends that actually have ended up not aging well...
steveklabnik|2 years ago
> I have been writing a compiled, concurrent, safe, systems programming language for the past four and a half years.
Safety was always part of it.
weatherlight|2 years ago
Georgelemental|2 years ago
cmrdporcupine|2 years ago
Exceptions look remarkably wrong headed to me in retrospect. Allowing the caller to change the error handling contract and flow control.
ReleaseCandidat|2 years ago
use something like `Maybe` for the result - clumsy.
return (for example) 0, which is what most theorem provers (like Coq or Lean and dependently typed languages like Idris) do, that need their functions to be total
or throw an exception.
(C's solution of declari g it undefined behavior is missing).
Now, with OCaml's effect systém, there also is no need to use exceptions for control flow - which you should have never done anyway.
bmitc|2 years ago
debo_|2 years ago
bananapub|2 years ago
timschmidt|2 years ago
hurril|2 years ago
I never felt this was a problem when I did Java though (despite their awkwardness - basically forcing coders to not use checked exceptions.)
Rust's control flow syntax for Results and Options are very similar to this but with an added benefit: you don't have to use the ?-operator.
panics is different, however. They are more akin to the way any Java program will happily OutOfMemoryError or NoClassDefFoundError given circumstances not (always) in your control.