
Overload 180: C++ Safety, In Context -- Herb Sutter

The safety of C++ has become a hot topic recently. Herb Sutter discusses the language’s current problems and potential solutions.

Overload 180: C++ Safety, In Context

by Herb Sutter

From the article:

We must make our software infrastructure more secure against the rise in cyberattacks (such as on power grids, hospitals, and banks), and safer against accidental failures with the increased use of software in life-critical systems (such as autonomous vehicles and autonomous weapons).

The past two years in particular have seen extra attention on programming language safety as a way to help build more-secure and -safe software; on the real benefits of memory-safe languages (MSLs); and that C and C++ language safety needs to improve – I agree.

But there have been misconceptions, too, including focusing too narrowly on programming language safety as our industry’s primary security and safety problem – it isn’t. Many of the most damaging recent security breaches happened to code written in MSLs (e.g., Log4j [CISA-1]) or had nothing to do with programming languages (e.g., Kubernetes Secrets stored on public GitHub repos [Kadkoda23]).

In that context, I’ll focus on C++ and try to:

  • highlight what needs attention (what C++’s problem is), and how we can get there by building on solutions already underway;
  • address some common misconceptions (what C++’s problem isn’t), including practical considerations of MSLs; and
  • leave a call to action for programmers using all languages.

tl;dr: I don’t want C++ to limit what I can express efficiently. I just want C++ to let me enforce our already-well-known safety rules and best practices by default, and make me opt out explicitly if that’s what I want. Then I can still use fully modern C++… just nicer.

Let’s dig in.

Results summary: 2024 Annual C++ Developer Survey "Lite"

Over the past week, we ran our 2024 annual global C++ developer survey. Thank you to everyone who responded. As promised, here is a summary of the results:

CppDevSurvey-2024-summary.pdf

The results have now been forwarded to the C++ standards committee to help inform C++ evolution. Your feedback will be very helpful, and thank you again for your participation! Stay safe, everyone.

Update to add note: We discovered after the survey went live that SurveyMonkey has started rejecting responses from some countries. They did not notify us this was going to happen, and it means we don't have responses this year from countries that were included in all previous years. We'll look into fixing that for next year because we do want to hear from all C++ programmers worldwide.

Trip Report: Spring ISO C++ Meeting in Tokyo, Japan -- Jonathan Müller

Last week, I attended the spring 2024 meeting of the ISO C++ standardization committee in Tokyo, Japan. This was the third meeting for the upcoming C++26 standard and my first meeting as assistant chair of SG 9, the study group for ranges.

Trip Report: Spring ISO C++ Meeting in Tokyo, Japan

by Jonathan Müller

From the article:

I started the week on Monday in LEWG, the working group for the C++ standard library design. After the usual papers adding/extending std::format (Victor Zverovich keeps us busy), we approved a proposal that adds thread attributes, and reviewed the library parts of P2900 contracts. LEWG being LEWG, we mostly complained about the names (std::contracts::contract_violation has too many contracts in it), but overall liked it. However, contracts are a language feature, and the real controversy was over at EWG, the language design group. In particular, what happens if you have undefined behavior in a precondition? Consider the following example:

```cpp
// P2900 contracts syntax (proposed for C++26): the `pre` clause states the precondition.
std::string_view slice(std::string_view str, int pos, int length)
    pre (0 <= pos && pos <= std::ssize(str) && 0 <= length && pos + length <= std::ssize(str))
{
    return std::string_view(str.data() + pos, str.data() + pos + length);
}
```

A slicing function for std::string_view using signed integers for demonstration purposes.

An integer overflow of pos + length in the precondition is undefined behavior. Some argue that this should instead be well-defined and lead to a precondition violation. While this would be nice and can lead to a general "safe mode" of C++ which could (and should!) be usable outside of contracts as well, I don't see how it can be worked out before C++26. I'd much rather have contracts with undefined behavior in C++26 than delaying it even further. The nice thing about undefined behavior is that it can be always well-specified later.
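The overflow hazard the trip report describes can be shown without contracts syntax. The following is an added example, not code from the trip report or from P2900: it restates the article's precondition as an ordinary boolean function, places an overflow-free rewrite beside it, and wraps the slice so a violated precondition yields an empty view rather than reaching the pointer arithmetic. All function names are this example's own; std::ssize is replaced by a cast so the code builds under C++17.

```cpp
#include <cassert>
#include <climits>
#include <cstddef>
#include <string_view>

// The check exactly as the article writes it. `pos + length` is int
// arithmetic, so for large non-negative inputs it overflows before the
// comparison is made: undefined behaviour inside the check itself.
bool slice_pre_as_written(std::string_view str, int pos, int length) {
    const auto n = static_cast<std::ptrdiff_t>(str.size());
    return 0 <= pos && pos <= n && 0 <= length && pos + length <= n;
}

// Overflow-free rewrite: once `0 <= pos && pos <= n` holds, `n - pos` lies
// in [0, n], so comparing `length` against it can never overflow.
bool slice_pre_overflow_free(std::string_view str, int pos, int length) {
    const auto n = static_cast<std::ptrdiff_t>(str.size());
    return 0 <= pos && pos <= n && 0 <= length && length <= n - pos;
}

// Reports whether the as-written check would overflow, without evaluating it.
bool sum_would_overflow(int pos, int length) {
    return pos >= 0 && length >= 0 && pos > INT_MAX - length;
}

// Slice guarded by the overflow-free check. Returning an empty view on a
// violation is this example's policy, not a proposal from the article.
std::string_view slice_checked(std::string_view str, int pos, int length) {
    if (!slice_pre_overflow_free(str, pos, length)) return {};
    return str.substr(static_cast<std::size_t>(pos),
                      static_cast<std::size_t>(length));
}

int main() {
    // Constructed inputs: a normal slice, then a length that would have
    // overflowed `pos + length` in the as-written check.
    assert(slice_checked("hello", 1, 3) == "ell");
    assert(slice_checked("hello", 2, INT_MAX).empty());
    assert(sum_would_overflow(INT_MAX, 1));
    return 0;
}
```

The rewrite is the usual remedy today: order the conjuncts so each later term is only evaluated once the earlier ones bound its operands, and compare against a difference that is already known to be in range. Whether the committee instead makes such overflow a contract violation is the open question the report discusses.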

How not to check array size in C++

How often do you see the sizeof(array)/sizeof(array[0]) statement used to get the size of an array? I really hope it's not too often, because it's 2024 already. In this note, we'll talk about the statement flaws, where it comes from in modern code, and how to finally get rid of it.

How not to check array size in C++

by Mikhail Gelvikh

From the article:

Since we're coding in C++ here, let's harness the power of templates! This brings us to the legendary ArraySizeHelper (aka "the safe sizeof" in some articles), which developers write sooner or later in almost every project. In the old days — before C++11 — you could encounter such monstrosities.
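To make the flaw concrete, here is an added example (not code from the article, and not its ArraySizeHelper): the sizeof division applied to a real array and to the same array after it has decayed to a pointer, next to a template that only binds to array references and to std::size from C++17. The table `kTable` is a constructed input and the helper names are this example's own.

```cpp
#include <cstddef>
#include <iterator>   // std::size (C++17)

// Constructed sample array with five elements.
static const int kTable[5] = {3, 1, 4, 1, 5};

// The classic expression. For a genuine array it is correct...
#define COUNT_OF(arr) (sizeof(arr) / sizeof((arr)[0]))

std::size_t count_via_sizeof_on_array() {
    return COUNT_OF(kTable);           // 5
}

// ...but a function parameter is a pointer, so the same expression silently
// computes sizeof(pointer) / sizeof(element) instead of the element count.
std::size_t count_via_sizeof_on_pointer(const int* decayed) {
    return COUNT_OF(decayed);          // 2 on LP64, 1 on 32-bit: never 5
}

// Template version: the parameter is a reference to an array of N elements,
// so passing a pointer is a compile error rather than a wrong answer.
template <typename T, std::size_t N>
constexpr std::size_t array_size(const T (&)[N]) noexcept { return N; }

constexpr std::size_t count_via_template() { return array_size(kTable); }

// std::size (C++17) has the same array overload and also works on containers.
std::size_t count_via_std_size() { return std::size(kTable); }

// The template answer is usable at compile time.
static_assert(array_size(kTable) == 5, "array_size sees all five elements");
```

The point of the template form is that the mistake moves from run time to compile time: `array_size(decayed)` does not compile, whereas `COUNT_OF(decayed)` compiles and returns a number that is wrong and platform dependent.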

Survey closing soon: 2024 Annual C++ Developer Survey "Lite"


Last week, the annual global C++ developer survey opened. If you haven't already, please take 10 minutes or so to participate!

2024 Annual C++ Developer Survey "Lite"

A summary of the results, including aggregated highlights of common answers in the write-in responses, will be posted publicly here on isocpp.org and shared with the C++ standardization committee participants to help inform C++ evolution.

The survey closes on Wednesday.

Thank you for participating and helping to inform our committee and community!

GCC 14 -fanalyzer improvements for buffer overflows and more -- David Malcolm

For anyone interested in the top source of memory safety issues, out-of-bounds accesses... GCC 14 will be able to catch more cases, and even show them with some colorful retro ASCII art:

Improvements to static analysis in the GCC 14 compiler

by David Malcolm

It does require some source code annotation, but also delivers safety value in return.

From the article:

So for GCC 14, I've added the ability for the analyzer to emit text-based diagrams visualizing the spatial relationships in a predicted buffer overflow. ... [For example,] this diagram shows the destination buffer populated by the content from the strcpy call, and thus the existing terminating NUL byte used for the start of the strcat call. For non-ASCII strings ... it can show the UTF-8 representation of the characters ...

... [Another improvement] is that the analyzer now simulates APIs that scan a buffer expecting a null terminator byte, and will complain about code paths where a pointer to a buffer that isn't properly terminated is passed to such an API.

Plus more, such as:

The analyzer has a form of "taint analysis", which tracks attacker-controlled inputs, places where they are sanitized, and places where they are used without sanitization. In previous GCC releases this was too buggy to enable by default, with lots of false positives, so I hid it behind an extra command-line argument. I've fixed many bugs with this, so for GCC 14 I've enabled this by default when -fanalyzer is selected. This also enables these 6 taint-based warnings:

Using Copilot Chat with C++ in VS Code -- Sinem Akinci

If you are a C++ developer who uses VS Code as your editor, Copilot Chat can help you with many of your everyday coding tasks by allowing you to iterate with your code in natural language.

Using Copilot Chat with C++ in VS Code

by Sinem Akinci

From the article:

We have just released a new YouTube video demonstrating the power of Copilot Chat in C++ code:

We cover how Copilot Chat can provide enhancements to your C++ coding scenarios like:

  • Simplifying and refactoring existing code
  • Generating new code and iterating with the prompt
  • Generating and explaining new test cases
  • Refactoring test cases to new frameworks
  • Understanding errors with your code
  • … and more!

SObjectizer Tales – 26. Dispatcher selection -- Marco Arena

A new episode of the series about SObjectizer and message passing:

SObjectizer Tales – 26. Dispatcher selection

by Marco Arena

From the article:

In this episode we explore guidelines and considerations for binding agents to dispatchers. We'll emphasize the significance of asking pertinent questions rather than expecting definitive answers, as the decision-making process hinges on the unique requirements of the system.