[hvdijk]

Sure, std::optional<int> is unlikely to result in such behaviour in practice, and std::optional<int*> is likely to "only" result in such behaviour if the result of operator*() is dereferenced again, despite both already being UB. Think of non-POD types, such as std::optional<std::string>, though: when you end up using uninitialised std::string objects, things do break in practice because of pointers used internally to implement std::string, and badly so.

The fact that checked versions exist but are not used by default, have to be explicitly opted into, is consistent with C++'s designs and may be used to defend the current design, but at the same time also means it describing std::optional as memory-unsafe becomes a valid opinion based on facts, I think.

[kllrnohj]

> but at the same time also means it describing std::optional as memory-unsafe becomes a valid opinion based on facts

But your "facts" are "if I use the API wrong, it behaves wrong." But std::optional isn't easy to accidentally misuse here, unlike string_view (an actually "unsafe" addition). The argument that optional is broken if you both don't use has_value and don't use any of the other helpers (like value_or() or value() or transform or etc...) then it has UB means that optional is "broken by design" is not a very strong position to take.

It's hard to imagine this being a problem in practice. It's pretty encoded in the code that it's optional, to just completely ignore that and blindly access it anyway seems pretty self-evident as a usage issue. Yes bugs happen, but come on. This is not a particularly sharp edge in C++'s toolbox here. It's a pretty straightforward, intuitive type, doing pretty much exactly what it says it does, exactly how you'd expect it to do.

Should operator->() and value() be swapped? maybe, but then it'd be inconsistent with std::vector & other older types. And that inconsistency is probably worse overall.

[hvdijk]

> But your "facts" are "if I use the API wrong, it behaves wrong."

Kind of, yes. That is what memory safety is about, isn't it? If I look for definitions, I find for instance <https://hacks.mozilla.org/2019/01/fearless-security-memory-s...>, explaining it as:

> When we talk about building secure applications, we often focus on memory safety. Informally, this means that in all possible executions of a program, there is no access to invalid memory. Violations include:

> - use after free

> - null pointer dereference

> - using uninitialized memory

> - double free

> - buffer overflow

std::optional does not itself protect against using uninitialised memory, it merely provides the tools by which the programmer can prevent using uninitialised memory. Isn't that exactly what memory safety is about, about having std::optional somehow automatically ensure that that doesn't happen? If that isn't what memory safety is, what, in your opinion, does it mean instead?

Note that I have attempted to refrain from posting my opinion on whether C++ made the right call or not. That is a separate question from whether it qualifies as memory-safe.

[kllrnohj]

I'm not arguing that c++ is memory safe, it isn't. But the initial claim is that std::optional is "explicitely anti-memory-safety". And that seems like a very unsupported claim. std::optional isn't safer than the rest of C++, but it's definitely not less safe either.

[hvdijk]

Ah, thanks for the clarification, I think we've been talking about two slightly different things, then. For you, std::optional would have to make C++ more memory-unsafe than it already is in order for "anti-memory-safety" to be a fair characterisation. For me, that label merely implies that memory-safer alternative designs of std::optional were considered, and the current design was picked despite its memory-unsafety being a known potential issue. I think I would likely agree with you that std::optional does not make C++ less memory-safe than it already was before that got added.