16 comments

[ 2.7 ms ] story [ 43.0 ms ] thread
> those that lead to undefined behavior but aren't security-critical.

Once again C++ people imagining into existence Undefined Behaviour which isn't Security Critical as if somehow that's a thing.

Mostly I read the link because I was intrigued as to how this counted as "at scale" and it turns out that's misleading, the article's main body is about the (at scale) deployment at Google, not the actual hardening work itself which wasn't in some special way "at scale".

> Undefined Behaviour which isn't Security Critical as if somehow that's a thing

Undefined behavior in the (poorly written) spec doesn't mean undefined behavior in the real world. A given compiler is perfectly free to specify the behavior.

Well, there is ongoing work to put all known UB into an UB annex on the standard, with hope that the size of the annex gets reduced over time.

How well this will work out remains to be seen.

Rust still needs to get rid of its dependency on C++ compiler frameworks, and I don't see Cranelift matching GCC and LLVM any time soon.

std::optional is unsafe in idiomatic use cases? I'd like to challenge that.

Seems like the daily anti c++ post

It's great that finally bounds checking happened in C++ by (mostly) default.

The only thing that's less great is that this got so much less upvotes than all the Safe-C++ languages that never really had the chance to get into production in old code.

It has always been the default in compiler provided frameworks before C++98, like Turbo Vision, BIDS, OWL, MFC and so on.

Unfortunately the default changed when C++98 came out, and not everyone bothered with providing at least hardening mode in debug builds, VC++ followed by GCC, or compilers in high integrity computing like Green Hills.

Sadly the security and quality mentality seems to be a hard sell in areas where folks are supposed to be Engineers and not craftsmen.

Interesting how C++ is still improving; seems like changes of this kind my rival at least some of the Rust use cases; time will tell
I’m not really sure how checks like this can rival rust. Rust does an awful lot of checks at compile time - sometimes even to the point of forcing the developer to restructure their code or add special annotations just to help the compiler prove safety. You can’t trivially reproduce those all those guardrails at runtime. Certainly not without a large performance hit. Even debug mode stdc++ - with all checks enabled - still doesn’t protect against many bugs the rust compiler can find and prevent.

I’m all for C++ making these changes. For a lot of people, adding a bit of safety to the language they’re going to use anyway is a big win. But in general guarding against threading bugs, or use after free, or a lot of more obscure memory issues requires either expensive GC like runtime checks (Fil-C has 0.5x-4x performance overhead and a large memory overhead). Or compile time checks. And C++ will never get rust’s extensive compile time checks.

Rust borrow checker rules out a lot of patterns that typical C++ code uses. So if C++ would get similar rules, they still cannot be applied to most of the existing code in any case.
How does this compare to _GLIBCXX_ASSERTIONS in libstdc++ (on by default in Fedora since 2018)?
Imagine hardening the regex library, its already as slow as molasses.
It's a good decision to add at least some checks into C++ standard library. But no runtime check can find a bug in code like this:

  std::vector<int> v;
  v.push_back(123);
  auto& n= v.front();
  v.push_back(456);
  auto n_doubled= n * 2;
A better language is needed in order to prevent such bugs, where such compile-time correctness checks are possible. Some static analyzers are able to detect it in C++, but only in some cases.