Overload 180: C++ Safety, In Context -- Herb Sutter

The safety of C++ has become a hot topic recently. Herb Sutter discusses the language’s current problems and potential solutions.

Overload 180: C++ Safety, In Context

by Herb Sutter

From the article:

We must make our software infrastructure more secure against the rise in cyberattacks (such as on power grids, hospitals, and banks), and safer against accidental failures with the increased use of software in life-critical systems (such as autonomous vehicles and autonomous weapons).

The past two years in particular have seen extra attention on programming language safety as a way to help build more-secure and -safe software; on the real benefits of memory-safe languages (MSLs); and that C and C++ language safety needs to improve – I agree.

But there have been misconceptions, too, including focusing too narrowly on programming language safety as our industry’s primary security and safety problem – it isn’t. Many of the most damaging recent security breaches happened to code written in MSLs (e.g., Log4j [CISA-1]) or had nothing to do with programming languages (e.g., Kubernetes Secrets stored on public GitHub repos [Kadkoda23]).

In that context, I’ll focus on C++ and try to:

  • highlight what needs attention (what C++’s problem is), and how we can get there by building on solutions already underway;
  • address some common misconceptions (what C++’s problem isn’t), including practical considerations of MSLs; and
  • leave a call to action for programmers using all languages.

tl;dr: I don’t want C++ to limit what I can express efficiently. I just want C++ to let me enforce our already-well-known safety rules and best practices by default, and make me opt out explicitly if that’s what I want. Then I can still use fully modern C++… just nicer.

Let’s dig in.

2024-04 Mailing Available

The 2024-04 mailing of new standards papers is now available.

| WG21 Number | Title | Author | Document Date | Mailing Date | Previous Version | Subgroup |
| --- | --- | --- | --- | --- | --- | --- |
| N4974 | 2024-11 Wroclaw meeting information | Herb Sutter | 2024-03-18 | 2024-04 | | All of WG21 |
| N4975 | 2024 WG21 admin telecon meetings | Herb Sutter | 2024-02-21 | 2024-04 | | All of WG21 |
| N4976 | WG21 agenda: 18-23 March 2024, Tokyo, Japan | John Spicer | 2024-02-26 | 2024-04 | | All of WG21 |
| N4978 | WG21 2024-03 Admin telecon minutes | Nina Ranns | 2024-03-11 | 2024-04 | | All of WG21 |
| N4979 | Hagenberg Meeting Invitation and Information | Peter Kulczycki | 2024-03-22 | 2024-04 | | All of WG21 |
| N4980 | WG21 2024-03 Tokyo Minutes of Meeting | Nina Ranns | 2024-04-05 | 2024-04 | | All of WG21 |
| N4981 | Working Draft, Programming Languages -- C++ | Thomas Köppe | 2024-04-16 | 2024-04 | | All of WG21 |
| N4982 | Editors' Report, Programming Languages -- C++ | Thomas Köppe | 2024-04-16 | 2024-04 | | All of WG21 |
| P0260R8 | C++ Concurrent Queues | Detlef Vollmann | 2024-03-09 | 2024-04 | P0260R7 | SG1 Concurrency and Parallelism, LEWG Library Evolution |
| P0562R1 | Initialization List Symmetry | Alan Talbot | 2024-03-21 | 2024-04 | P0562R0 | EWG Evolution |
| P0562R2 | Trailing Commas in Base-clauses and Ctor-initializers | Alan Talbot | 2024-04-15 | 2024-04 | P0562R1 | CWG Core |
| P0609R3 | Attributes for Structured Bindings | Aaron Ballman | 2024-03-21 | 2024-04 | P0609R2 | CWG Core |
| P0843R11 | inplace_vector | Gonzalo Brito Gadeschi | 2024-03-21 | 2024-04 | P0843R10 | LWG Library |
| P0876R16 | fiber_context - fibers without scheduler | Oliver Kowalke | 2024-03-22 | 2024-04 | P0876R15 | EWG Evolution, CWG Core, LWG Library |
| P1061R8 | Structured Bindings can introduce a Pack | Barry Revzin | 2024-04-14 | 2024-04 | P1061R7 | CWG Core |
| P1068R11 | Vector API for random number generation | Ilya Burylov | 2024-04-01 | 2024-04 | P1068R10 | LWG Library |
| P1317R1 | Remove return type deduction in std::apply | Aaryaman Sagar | 2024-04-03 | 2024-04 | P1317R0 | LEWG Library Evolution |
| P2034R3 | Partially Mutable Lambda Captures | Ryan McDougall | 2024-03-20 | 2024-04 | P2034R2 | EWGI SG17: EWG Incubator, EWG Evolution, CWG Core |
| P2075R5 | Philox as an extension of the C++ RNG engines | Ilya Burylov | 2024-04-01 | 2024-04 | P2075R4 | LEWG Library Evolution, LWG Library |
| P2127R0 | Making C++ Software Allocator Aware | Pablo Halpern | 2024-03-11 | 2024-04 | | LEWG Library Evolution |
| P2135R1 | P2055R1: A Relaxed Guide to memory_order_relaxed | Paul E. McKenney | 2024-04-09 | 2024-04 | P2135R0 | SG1 Concurrency and Parallelism |
| P2141R2 | Aggregates are named tuples | Antony Polukhin | 2024-03-06 | 2024-04 | P2141R1 | LEWG Library Evolution, LWG Library |
| P2248R8 | Enabling list-initialization for algorithms | Giuseppe D'Angelo | 2024-03-20 | 2024-04 | P2248R7 | LWG Library |
| P2300R8 | `std::execution` | Eric Niebler | 2024-04-02 | 2024-04 | P2300R7 | LEWG Library Evolution, LWG Library |
| P2300R9 | `std::execution` | Eric Niebler | 2024-04-02 | 2024-04 | P2300R8 | LEWG Library Evolution, LWG Library |
| P2355R2 | Postfix fold expressions | S. Davis Herring | 2024-03-20 | 2024-04 | P2355R1 | EWG Evolution |
| P2389R1 | `dextents` Index Type Parameter | Bryce Adelstein Lelbach | 2024-04-12 | 2024-04 | P2389R0 | LEWG Library Evolution |
| P2414R3 | Pointer lifetime-end zap proposed solutions | Paul E. McKenney | 2024-04-08 | 2024-04 | P2414R2 | SG1 Concurrency and Parallelism, EWG Evolution |
| P2542R8 | views::concat | Hui Xie | 2024-03-20 | 2024-04 | P2542R7 | SG9 Ranges, LEWG Library Evolution, LWG Library |
| P2573R2 | = delete("should have a reason"); | Yihe Li | 2024-03-21 | 2024-04 | P2573R1 | CWG Core |
| P2591R5 | Concatenation of strings and string views | Giuseppe D'Angelo | 2024-03-20 | 2024-04 | P2591R4 | LWG Library |
| P2746R5 | Deprecate and Replace Fenv Rounding Modes | Hans Boehm | 2024-04-15 | 2024-04 | P2746R4 | SG6 Numerics, LEWG Library Evolution |
| P2747R2 | constexpr placement new | Barry Revzin | 2024-03-18 | 2024-04 | P2747R1 | EWG Evolution |
| P2748R5 | Disallow Binding a Returned Glvalue to a Temporary | Brian Bi | 2024-03-22 | 2024-04 | P2748R4 | CWG Core |
| P2755R1 | A Bold Plan for a Complete Contracts Facility | Joshua Berne, Jake Fevold, John Lakos | 2024-04-10 | 2024-04 | P2755R0 | SG21 Contracts |
| P2786R5 | Trivial Relocatability For C++26 | Mungo Gill | 2024-04-09 | 2024-04 | P2786R4 | EWG Evolution, LEWG Library Evolution |
| P2795R5 | Erroneous behaviour for uninitialized reads | Thomas Köppe | 2024-03-21 | 2024-04 | P2795R4 | SG12 Undefined and Unspecified Behavior, SG23 Safety and Security, EWG Evolution, CWG Core, LWG Library |
| P2809R3 | Trivial infinite loops are not Undefined Behavior | JF Bastien | 2024-03-21 | 2024-04 | P2809R2 | SG22 Compatibility, CWG Core |
| P2810R4 | is_debugger_present is_replaceable | René Ferdinand Rivera Morell | 2024-03-20 | 2024-04 | P2810R3 | LWG Library |
| P2825R1 | Overload Resolution hook: declcall(unevaluated-postfix-expression) | Gašper Ažman | 2024-03-20 | 2024-04 | P2825R0 | EWGI SG17: EWG Incubator, EWG Evolution |
| P2825R2 | Overload Resolution hook: declcall(unevaluated-postfix-expression) | Gašper Ažman | 2024-04-16 | 2024-04 | P2825R1 | EWG Evolution |
| P2826R2 | Replacement functions | Gašper Ažman | 2024-03-17 | 2024-04 | P2826R1 | EWG Evolution |
| P2830R2 | Standardized Constexpr Type Ordering | Gašper Ažman | 2024-03-17 | 2024-04 | P2830R1 | EWG Evolution |
| P2830R3 | Standardized Constexpr Type Ordering | Gašper Ažman | 2024-04-16 | 2024-04 | P2830R2 | EWG Evolution |
| P2841R2 | Concept and variable-template template-parameters | Corentin Jabot | 2024-02-22 | 2024-04 | P2841R1 | EWG Evolution |
| P2845R7 | Formatting of std::filesystem::path | Victor Zverovich | 2024-03-10 | 2024-04 | P2845R6 | LEWG Library Evolution, LWG Library |
| P2845R8 | Formatting of std::filesystem::path | Victor Zverovich | 2024-03-20 | 2024-04 | P2845R7 | LWG Library |
| P2855R1 | Member customization points for Senders and Receivers | Ville Voutilainen | 2024-02-22 | 2024-04 | P2855R0 | LEWG Library Evolution |
| P2863R5 | Review Annex D for C++26 | Alisdair Meredith | 2024-04-16 | 2024-04 | P2863R4 | EWG Evolution, LEWG Library Evolution |
| P2866R2 | Remove Deprecated Volatile Features From C++26 | Alisdair Meredith | 2024-04-16 | 2024-04 | P2866R1 | SG1 Concurrency and Parallelism, LEWG Library Evolution |
| P2867R2 | Remove Deprecated strstreams From C++26 | Alisdair Meredith | 2024-03-19 | 2024-04 | P2867R1 | LWG Library |
| P2869R4 | Remove Deprecated `shared_ptr` Atomic Access APIs From C++26 | Alisdair Meredith | 2024-03-20 | 2024-04 | P2869R3 | LWG Library |
| P2872R3 | Remove `wstring_convert` From C++26 | Alisdair Meredith | 2024-03-19 | 2024-04 | P2872R2 | LWG Library |
| P2873R1 | Remove Deprecated locale category facets for Unicode from C++26 | Alisdair Meredith | 2024-04-08 | 2024-04 | P2873R0 | LEWG Library Evolution |
| P2875R4 | Undeprecate `polymorphic_allocator::destroy` For C++26 | Alisdair Meredith | 2024-03-20 | 2024-04 | P2875R3 | LWG Library |
| P2893R3 | Variadic Friends | Jody Hagins | 2024-03-21 | 2024-04 | P2893R2 | CWG Core |
| P2900R6 | Contracts for C++ | Joshua Berne | 2024-02-29 | 2024-04 | P2900R5 | EWG Evolution, LEWG Library Evolution |
| P2927R2 | Observing exceptions stored in exception_ptr | Gor Nishanov | 2024-04-15 | 2024-04 | P2927R1 | LEWG Library Evolution |
| P2944R3 | Comparisons for reference_wrapper | Barry Revzin | 2024-03-20 | 2024-04 | P2944R2 | EWG Evolution, LEWG Library Evolution |
| P2977R1 | Build database files | Ben Boeckel | 2024-03-25 | 2024-04 | P2977R0 | SG15 Tooling |
| P2988R4 | std::optional<T&> | Steve Downey | 2024-04-16 | 2024-04 | P2988R3 | LEWG Library Evolution, LWG Library |
| P2993R0 | Constrained Numbers | Luke Valenty | 2024-03-21 | 2024-04 | | SG6 Numerics, SG23 Safety and Security |
| P2997R1 | Removing the common reference requirement from the indirectly invocable concepts | Barry Revzin | 2024-03-21 | 2024-04 | P2997R0 | SG9 Ranges, LEWG Library Evolution |
| P3008R2 | Atomic floating-point min/max | Gonzalo Brito Gadeschi | 2024-03-18 | 2024-04 | P3008R1 | LEWG Library Evolution |
| P3016R3 | Resolve inconsistencies in begin/end for valarray and braced initializer lists | Arthur O'Dwyer | 2024-03-22 | 2024-04 | P3016R2 | LWG Library |
| P3019R7 | Vocabulary Types for Composite Class Design | Jonathan Coe | 2024-03-18 | 2024-04 | P3019R6 | LEWG Library Evolution, LWG Library |
| P3019R8 | Vocabulary Types for Composite Class Design | Jonathan Coe | 2024-03-22 | 2024-04 | P3019R7 | LEWG Library Evolution, LWG Library |
| P3029R1 | Better mdspan's CTAD | Hewill Kang | 2024-03-20 | 2024-04 | P3029R0 | LEWG Library Evolution |
| P3032R1 | Less transient constexpr allocation | Barry Revzin | 2024-03-21 | 2024-04 | P3032R0 | EWG Evolution |
| P3032R2 | Less transient constexpr allocation | Barry Revzin | 2024-04-16 | 2024-04 | P3032R1 | EWG Evolution |
| P3034R1 | Module Declarations Shouldn't be Macros | Michael Spencer | 2024-03-20 | 2024-04 | P3034R0 | All of WG21 |
| P3037R1 | constexpr std::shared_ptr | Paul Keir | 2024-03-05 | 2024-04 | P3037R0 | SG7 Reflection, LEWG Library Evolution |
| P3049R0 | node-handles for lists | Michael Florian Hava | 2024-04-03 | 2024-04 | | LEWG Library Evolution |
| P3050R1 | Fix C++26 by optimizing linalg::conjugated for noncomplex value types | Mark Hoemmen | 2024-04-08 | 2024-04 | P3050R0 | LEWG Library Evolution |
| P3064R0 | How to Avoid OOTA Without Really Trying | Paul E. McKenney | 2024-04-05 | 2024-04 | | SG1 Concurrency and Parallelism |
| P3068R1 | Allowing exception throwing in constant-evaluation. | Hana Dusíková | 2024-03-30 | 2024-04 | P3068R0 | EWG Evolution |
| P3072R2 | Hassle-free thread attributes | Zhihao Yuan | 2024-03-17 | 2024-04 | P3072R1 | LEWG Library Evolution |
| P3074R3 | trivial union (was std::uninitialized<T>) | Barry Revzin | 2024-04-14 | 2024-04 | P3074R2 | EWG Evolution |
| P3085R1 | `noexcept` policy for SD-9 (throws nothing) | Ben Craig | 2024-03-17 | 2024-04 | P3085R0 | LEWG Library Evolution |
| P3086R1 | Proxy: A Pointer-Semantics-Based Polymorphism Library | Mingxin Wang | 2024-03-18 | 2024-04 | P3086R0 | LEWGI SG18: LEWG Incubator, LEWG Library Evolution |
| P3086R2 | Proxy: A Pointer-Semantics-Based Polymorphism Library | Mingxin Wang | 2024-04-16 | 2024-04 | P3086R1 | LEWG Library Evolution |
| P3091R1 | Better lookups for `map` and `unordered_map` | Pablo Halpern | 2024-03-22 | 2024-04 | P3091R0 | LEWGI SG18: LEWG Incubator |
| P3094R1 | std::basic_fixed_string | Mateusz Pusz | 2024-03-20 | 2024-04 | P3094R0 | SG16 Unicode, LEWG Library Evolution |
| P3097R0 | Contracts for C++: Support for virtual functions | Timur Doumler | 2024-04-15 | 2024-04 | | SG21 Contracts |
| P3103R1 | More bitset operations | Jan Schultke | 2024-03-07 | 2024-04 | P3103R0 | LEWGI SG18: LEWG Incubator |
| P3104R1 | Bit permutations | Jan Schultke | 2024-03-07 | 2024-04 | P3104R0 | LEWGI SG18: LEWG Incubator |
| P3104R2 | Bit permutations | Jan Schultke | 2024-04-04 | 2024-04 | P3104R1 | LEWGI SG18: LEWG Incubator |
| P3105R1 | constexpr std::uncaught_exceptions() | Jan Schultke | 2024-03-07 | 2024-04 | P3105R0 | LEWGI SG18: LEWG Incubator |
| P3105R2 | constexpr std::uncaught_exceptions() | Jan Schultke | 2024-04-04 | 2024-04 | P3105R1 | LEWGI SG18: LEWG Incubator |
| P3106R1 | Clarifying rules for brace elision in aggregate initialization | James Touton | 2024-03-20 | 2024-04 | P3106R0 | CWG Core |
| P3107R1 | Permit an efficient implementation of std::print | Victor Zverovich | 2024-02-25 | 2024-04 | P3107R0 | LEWG Library Evolution |
| P3107R2 | Permit an efficient implementation of std::print | Victor Zverovich | 2024-03-17 | 2024-04 | P3107R1 | LEWG Library Evolution |
| P3107R3 | Permit an efficient implementation of std::print | Victor Zverovich | 2024-03-18 | 2024-04 | P3107R2 | LEWG Library Evolution |
| P3107R4 | Permit an efficient implementation of std::print | Victor Zverovich | 2024-03-19 | 2024-04 | P3107R3 | LEWG Library Evolution |
| P3107R5 | Permit an efficient implementation of std::print | Victor Zverovich | 2024-03-21 | 2024-04 | P3107R4 | LWG Library |
| P3119R0 | Tokyo Technical Fixes to Contracts | Joshua Berne | 2024-04-04 | 2024-04 | | SG21 Contracts |
| P3122R1 | [[nodiscard]] should be Recommended Practice | Jonathan Wakely | 2024-03-12 | 2024-04 | P3122R0 | LEWG Library Evolution, LWG Library |
| P3135R1 | Hazard Pointer Extensions | Maged Michael | 2024-04-12 | 2024-04 | P3135R0 | SG1 Concurrency and Parallelism |
| P3146R1 | Clarifying std::variant converting construction | Giuseppe D'Angelo | 2024-02-20 | 2024-04 | P3146R0 | LEWG Library Evolution, LWG Library |
| P3147R1 | A Direction for Vector | Alan Talbot | 2024-03-17 | 2024-04 | P3147R0 | LEWG Library Evolution |
| P3149R1 | async_scope -- Creating scopes for non-sequential concurrency | Ian Petersen | 2024-03-13 | 2024-04 | P3149R0 | SG1 Concurrency and Parallelism, LEWG Library Evolution |
| P3149R2 | async_scope -- Creating scopes for non-sequential concurrency | Ian Petersen | 2024-03-20 | 2024-04 | P3149R1 | LEWG Library Evolution |
| P3159R0 | C++ Range Adaptors and Parallel Algorithms | Bryce Adelstein Lelbach | 2024-03-17 | 2024-04 | | SG1 Concurrency and Parallelism, LEWG Library Evolution |
| P3160R1 | An allocator-aware `inplace_vector` | Pablo Halpern | 2024-03-08 | 2024-04 | P3160R0 | LEWG Library Evolution |
| P3161R0 | Unified integer overflow arithmetic | Tiago Freire | 2024-02-17 | 2024-04 | | SG6 Numerics |
| P3161R1 | Unified integer overflow arithmetic | Tiago Freire | 2024-03-13 | 2024-04 | P3161R0 | SG6 Numerics |
| P3162R0 | LEWG [[nodiscard]] policy | Darius Neațu | 2024-02-22 | 2024-04 | | LEWG Library Evolution |
| P3164R0 | Improving diagnostics for sender expressions | Eric Niebler | 2024-02-29 | 2024-04 | | LEWG Library Evolution |
| P3165R0 | Contracts on virtual functions for the Contracts MVP | Ville Voutilainen | 2024-02-26 | 2024-04 | | SG21 Contracts |
| P3166R0 | Static Exception Specifications | Lewis Baker | 2024-03-16 | 2024-04 | | EWGI SG17: EWG Incubator, LEWGI SG18: LEWG Incubator |
| P3167R0 | Attributes for the result name in a postcondition assertion | Tom Honermann | 2024-02-28 | 2024-04 | | SG21 Contracts |
| P3168R0 | Give std::optional Range Support | David Sankel | 2024-02-28 | 2024-04 | | LEWG Library Evolution |
| P3168R1 | Give std::optional Range Support | David Sankel | 2024-04-11 | 2024-04 | P3168R0 | LEWG Library Evolution |
| P3169R0 | Inherited contracts | Jonas Persson | 2024-04-13 | 2024-04 | | SG21 Contracts |
| P3170R0 | sinkable exception error message | Jarrad J Waterloo | 2024-02-29 | 2024-04 | | LEWG Library Evolution |
| P3171R0 | Adding functionality to placeholder types | Barry Revzin | 2024-03-04 | 2024-04 | | LEWG Library Evolution |
| P3172R0 | Using `this` in constructor preconditions | Andrzej Krzemieński | 2024-03-08 | 2024-04 | | SG21 Contracts |
| P3173R0 | P2900R6 may be minimal, but it is not viable | Gabriel Dos Reis | 2024-03-15 | 2024-04 | | EWG Evolution |
| P3174R0 | SG16: Unicode meeting summaries 2023-10-11 through 2024-02-21 | Tom Honermann | 2024-03-09 | 2024-04 | | SG16 Unicode |
| P3175R0 | Reconsidering the `std::execution::on` algorithm | Eric Niebler | 2024-03-14 | 2024-04 | | LEWG Library Evolution |
| P3176R0 | The Oxford variadic comma | Jan Schultke | 2024-03-07 | 2024-04 | | EWGI SG17: EWG Incubator |
| P3177R0 | const prvalues in the conditional operator | Barry Revzin | 2024-03-17 | 2024-04 | | EWG Evolution |
| P3179R0 | C++ parallel range algorithms | Ruslan Arutyunyan | 2024-03-14 | 2024-04 | | SG1 Concurrency and Parallelism, SG9 Ranges |
| P3180R0 | C++ Standard Library Ready Issues to be moved in Tokyo, Mar. 2024 | Jonathan Wakely | 2024-03-15 | 2024-04 | | All of WG21 |
| P3181R0 | Atomic stores and object lifetimes | Hans Boehm | 2024-04-15 | 2024-04 | | SG1 Concurrency and Parallelism |
| P3182R0 | Add pop_value methods to container adaptors | Brian Bi | 2024-04-16 | 2024-04 | | LEWG Library Evolution |
| P3183R0 | Contract testing support | Bengt Gustafsson | 2024-04-15 | 2024-04 | | SG21 Contracts |
| P3187R1 | remove ensure_started and start_detached from P2300 | Kirk Shoop | 2024-03-20 | 2024-04 | P3187R0 | SG1 Concurrency and Parallelism, LEWG Library Evolution |
| P3188R0 | Proxy: A Pointer-Semantics-Based Polymorphism Library - Presentation slides for P3086R1 | Mingxin Wang | 2024-04-16 | 2024-04 | | LEWGI SG18: LEWG Incubator |
| P3189R0 | Slides for LEWG presentation of P2900R6: Contracts for C++ | Timur Doumler | 2024-03-18 | 2024-04 | | LEWG Library Evolution |
| P3190R0 | Slides for EWG presentation of D2900R7: Contracts for C++ | Timur Doumler | 2024-03-19 | 2024-04 | | EWG Evolution |
| P3191R0 | Feedback on the scalability of contract violation handlers in P2900 | Louis Dionne | 2024-03-20 | 2024-04 | | SG21 Contracts, EWG Evolution |
| P3192R0 | LEWGI/SG18 Presentation of P3104R1 Bit Permutations | Jan Schultke | 2024-03-19 | 2024-04 | | LEWGI SG18: LEWG Incubator |
| P3194R0 | LEWGI/SG18 Presentation of P3105R1 constexpr std::uncaught_exceptions() | Jan Schultke | 2024-03-19 | 2024-04 | | LEWGI SG18: LEWG Incubator |
| P3196R0 | Core Language Working Group "ready" Issues for the March, 2024 meeting | Jens Maurer | 2024-03-22 | 2024-04 | | CWG Core |
| P3197R0 | A response to the Tokyo EWG polls on the Contracts MVP (P2900R6) | Timur Doumler | 2024-04-12 | 2024-04 | | SG21 Contracts, EWG Evolution |
| P3198R0 | A takeaway from the Tokyo LEWG meeting on Contracts MVP | Andrzej Krzemieński | 2024-03-29 | 2024-04 | | SG21 Contracts |
| P3199R0 | Choices for make_optional and value() | Steve Downey | 2024-03-22 | 2024-04 | | LEWG Library Evolution |
| P3201R0 | LEWG [[nodiscard]] policy | Jonathan Wakely | 2024-03-21 | 2024-04 | | LEWG Library Evolution |
| P3201R1 | LEWG [[nodiscard]] policy | Jonathan Wakely | 2024-03-21 | 2024-04 | P3201R0 | LEWG Library Evolution |
| P3203R0 | Implementation defined coroutine extensions | Klemens Morgenstern | 2024-03-22 | 2024-04 | | EWGI SG17: EWG Incubator |
| P3205R0 | Throwing from a `noexcept` function should be a contract violation. | Gašper Ažman | 2024-04-15 | 2024-04 | | SG21 Contracts, EWG Evolution, LEWG Library Evolution |
| P3207R0 | More & like | Jarrad J Waterloo | 2024-03-24 | 2024-04 | | LEWG Library Evolution |
| P3208R0 | import std; and stream macros | Sunghyun Min | 2024-04-16 | 2024-04 | | EWGI SG17: EWG Incubator, LEWGI SG18: LEWG Incubator |
| P3210R0 | A Postcondition *is* a Pattern Match | Andrew Tomazos | 2024-03-28 | 2024-04 | | SG21 Contracts, EWG Evolution |
| P3211R0 | views::transform_join | Hewill Kang | 2024-04-07 | 2024-04 | | SG9 Ranges, LEWG Library Evolution, LWG Library, Direction Group |
| P3213R0 | 2024-04 Library Evolution Polls | Inbal Levi | 2024-04-16 | 2024-04 | | LEWG Library Evolution |
| P3215R0 | Slides: Thread Attributes as Designators (P3072R2 presentation) | Zhihao Yuan | 2024-03-29 | 2024-04 | | LEWG Library Evolution |
| P3216R0 | views::slice | Hewill Kang | 2024-04-07 | 2024-04 | | SG9 Ranges, LEWG Library Evolution, LWG Library, Direction Group |
| P3217R0 | Adjoints to "Enabling list-initialization for algorithms": find_last | Giuseppe D'Angelo | 2024-03-31 | 2024-04 | | LEWG Library Evolution, LWG Library |
| P3218R0 | const references to constexpr variables | Jarrad J Waterloo | 2024-04-09 | 2024-04 | | EWG Evolution, CWG Core |
| P3220R0 | views::delimit | Hewill Kang | 2024-04-16 | 2024-04 | | SG9 Ranges, LEWG Library Evolution, LWG Library, Direction Group |
| P3221R0 | Disable pointers to contracted functions | Jonas Persson | 2024-04-15 | 2024-04 | | SG21 Contracts |
| P3222R0 | Fix C++26 by adding transposed special cases for P2642 layouts | Mark Hoemmen | 2024-04-08 | 2024-04 | | LEWG Library Evolution |
| P3223R0 | Making std::basic_istream::ignore less surprising | Jonathan Wakely | 2024-04-12 | 2024-04 | | LEWG Library Evolution |
| P3224R0 | Slides for P3087 - Make direct-initialization for enumeration types at least as permissive as direct | Jan Schultke | 2024-04-04 | 2024-04 | | EWGI SG17: EWG Incubator |
| P3225R0 | Slides for P3140 std::int_least128_t | Jan Schultke | 2024-04-04 | 2024-04 | | EWGI SG17: EWG Incubator, LEWGI SG18: LEWG Incubator |
| P3226R0 | Contracts for C++: Naming the "Louis semantic" | Timur Doumler | 2024-04-12 | 2024-04 | | SG21 Contracts |
| P3228R0 | Contracts for C++: Revisiting contract check elision and duplication | Timur Doumler | 2024-04-16 | 2024-04 | | SG21 Contracts |

Results summary: 2024 Annual C++ Developer Survey "Lite"

Over the past week, we ran our 2024 annual global C++ developer survey. Thank you to everyone who responded. As promised, here is a summary of the results:

CppDevSurvey-2024-summary.pdf

The results have now been forwarded to the C++ standards committee to help inform C++ evolution. Your feedback will be very helpful, and thank you again for your participation! Stay safe, everyone.

Update to add note: We discovered after the survey went live that SurveyMonkey has started rejecting responses from some countries. They did not notify us this was going to happen, and it means we don't have responses this year from countries that were included in all previous years. We'll look into fixing that for next year because we do want to hear from all C++ programmers worldwide.

Trip Report: Spring ISO C++ Meeting in Tokyo, Japan -- Jonathan Müller

Last week, I attended the spring 2024 meeting of the ISO C++ standardization committee in Tokyo, Japan. This was the third meeting for the upcoming C++26 standard and my first meeting as assistant chair of SG 9, the study group for ranges.

Trip Report: Spring ISO C++ Meeting in Tokyo, Japan

by Jonathan Müller

From the article:

I started the week on Monday in LEWG, the working group for the C++ standard library design. After the usual papers adding/extending std::format (Victor Zverovich keeps us busy), we approved a proposal that adds thread attributes, and reviewed the library parts of P2900 contracts. LEWG being LEWG, we mostly complained about the names (std::contracts::contract_violation has too many contracts in it), but overall liked it. However, contracts are a language feature, and the real controversy was over at EWG, the language design group. In particular, what happens if you have undefined behavior in a precondition? Consider the following example:

std::string_view slice(std::string_view str, int pos, int length)
pre (0 <= pos && pos <= std::ssize(str) && 0 <= length && pos + length <= std::ssize(str))
{
return std::string_view(str.data() + pos, str.data() + pos + length);
}

A slicing function for std::string_view using signed integers for demonstration purposes.

An integer overflow of pos + length in the precondition is undefined behavior. Some argue that this should instead be well-defined and lead to a precondition violation. While this would be nice and can lead to a general "safe mode" of C++ which could (and should!) be usable outside of contracts as well, I don't see how it can be worked out before C++26. I'd much rather have contracts with undefined behavior in C++26 than delay it even further. The nice thing about undefined behavior is that it can always be well-specified later.
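The overflow discussed above, as an added example that is not part of the trip report: the slice() precondition written in the form that can overflow and in a rearranged form that cannot, plus a slice() that applies the check by hand since no shipping compiler accepts the `pre(...)` syntax yet. The names `slice_pre_naive`, `overflow_would_occur`, `slice_pre_safe` and `slice_checked` are chosen here.

```cpp
#include <climits>
#include <cstddef>
#include <string_view>

// Added example, not from the trip report. The slice() precondition from the
// article, written two ways, with helper names chosen here.

using index_t = std::ptrdiff_t;

// Same shape as the original precondition. If pos + length exceeds INT_MAX the
// addition is signed overflow (undefined behaviour): the compiler may drop the
// check, or the sum may wrap negative and pass the comparison.
bool slice_pre_naive(std::string_view str, int pos, int length)
{
    const index_t n = static_cast<index_t>(str.size());
    return 0 <= pos && pos <= n && 0 <= length && pos + length <= n;
}

// True when the naive check would evaluate pos + length outside int's range.
// INT_MAX - length cannot itself overflow for length > 0.
bool overflow_would_occur(int pos, int length)
{
    return length > 0 && pos > INT_MAX - length;
}

// Overflow-free form. Once 0 <= pos <= n holds, n - pos lies in [0, n], so
// comparing length against it never leaves the representable range.
bool slice_pre_safe(std::string_view str, int pos, int length)
{
    const index_t n = static_cast<index_t>(str.size());
    return 0 <= pos && pos <= n && 0 <= length && length <= n - pos;
}

// slice() with the precondition enforced by hand. Where the paper's pre(...)
// would invoke the contract-violation handler, this returns an empty view.
std::string_view slice_checked(std::string_view str, int pos, int length)
{
    if (!slice_pre_safe(str, pos, length))
        return {};
    return std::string_view(str.data() + pos, static_cast<std::size_t>(length));
}
```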

How not to check array size in C++

How often do you see the sizeof(array)/sizeof(array[0]) statement used to get the size of an array? I really hope it's not too often, because it's 2024 already. In this note, we'll talk about the statement's flaws, where it comes from in modern code, and how to finally get rid of it.

How not to check array size in C++

by Mikhail Gelvikh

From the article:

Since we're coding in C++ here, let's harness the power of templates! This brings us to the legendary ArraySizeHelper (aka "the safe sizeof" in some articles), which developers write sooner or later in almost every project. In the old days — before C++11 — you could encounter such monstrosities.
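The flaw the article is about and the helpers it mentions, as an added example that is not the article's own code: the sizeof macro, the pre-C++11 ArraySizeHelper, and the C++11/C++17 replacements side by side, with the one case where the macro silently goes wrong. The sample table `kTable` and the `count_*` function names are constructed here.

```cpp
#include <array>
#include <cstddef>
#include <iterator>   // std::size (C++17)

// Added example, not from the article. Shows why sizeof(a)/sizeof(a[0]) is
// unreliable and what replaces it; kTable and the function names are chosen here.

// The classic macro. It "works" on anything sizeof accepts, pointers included.
#define COUNT_OF_UNSAFE(a) (sizeof(a) / sizeof((a)[0]))

// The pre-C++11 ArraySizeHelper the article refers to: a declared-only function
// that accepts only a reference to an array of N elements and returns a
// reference to a char array of the same N, so sizeof(ArraySizeHelper(a)) == N.
// A pointer argument does not match T (&)[N] and fails to compile.
template <typename T, std::size_t N>
char (&ArraySizeHelper(T (&)[N]))[N];
#define COUNT_OF(a) (sizeof(ArraySizeHelper(a)))

// C++11 and later: a constexpr function template does the same with no macro;
// the standard library ships this as std::size since C++17.
template <typename T, std::size_t N>
constexpr std::size_t array_size(const T (&)[N]) noexcept { return N; }

constexpr int kTable[10] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10};   // constructed sample

// All four agree while the array type is still visible.
std::size_t count_macro()    { return COUNT_OF_UNSAFE(kTable); }
std::size_t count_helper()   { return COUNT_OF(kTable); }
std::size_t count_template() { return array_size(kTable); }
std::size_t count_std_size() { return std::size(kTable); }

// The failure mode: across a function boundary the array has decayed to a
// pointer, and the macro silently computes sizeof(int*)/sizeof(int).
// COUNT_OF(p), array_size(p) or std::size(p) here would be a compile error,
// which is exactly the behaviour you want.
std::size_t count_after_decay(const int* p) { return COUNT_OF_UNSAFE(p); }

// The fix that removes the question entirely: carry the size in the type.
constexpr std::size_t count_std_array(const std::array<int, 10>& a) { return a.size(); }
```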

Survey closing soon: 2024 Annual C++ Developer Survey "Lite"


Last week, the annual global C++ developer survey opened. If you haven't already, please take 10 minutes or so to participate!

2024 Annual C++ Developer Survey "Lite"

A summary of the results, including aggregated highlights of common answers in the write-in responses, will be posted publicly here on isocpp.org and shared with the C++ standardization committee participants to help inform C++ evolution.

The survey closes on Wednesday.

Thank you for participating and helping to inform our committee and community!

GCC 14 -fanalyzer improvements for buffer overflows and more -- David Malcolm

For anyone interested in the top source of memory safety issues, out-of-bounds accesses... GCC 14 will be able to catch more cases, and even show them with some colorful retro ASCII art:

Improvements to static analysis in the GCC 14 compiler

by David Malcolm

It does require some source code annotation, but also delivers safety value in return.

From the article:

So for GCC 14, I've added the ability for the analyzer to emit text-based diagrams visualizing the spatial relationships in a predicted buffer overflow. ... [For example,] this diagram shows the destination buffer populated by the content from the strcpy call, and thus the existing terminating NUL byte used for the start of the strcat call. For non-ASCII strings ... it can show the UTF-8 representation of the characters ...

... [Another improvement] is that the analyzer now simulates APIs that scan a buffer expecting a null terminator byte, and will complain about code paths where a pointer to a buffer that isn't properly terminated is passed to such an API.
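The two bug patterns described above (strcpy followed by strcat with no knowledge of the destination size, and an unterminated buffer handed to a NUL-scanning API), as an added example that is not from David Malcolm's article, each beside a form that stays in bounds without relying on the analyzer. The buffer size `kBufSize` and the function names are constructed here.

```cpp
#include <cstdio>
#include <cstring>
#include <string>
#include <string_view>
#include <utility>

// Added example, not from the article. The two patterns the text says
// -fanalyzer now diagnoses, each beside a bounded form. kBufSize and the
// function names are constructed here.

constexpr std::size_t kBufSize = 16;

// Pattern 1: strcpy fills dst, then strcat appends starting at the NUL that
// strcpy left. Neither call is told sizeof(dst), so a name longer than
// kBufSize - 8 characters writes past the end of the buffer.
void greet_unchecked(char (&dst)[kBufSize], const char* name)
{
    std::strcpy(dst, "Hello, ");
    std::strcat(dst, name);
}

// Bounded form: snprintf writes at most sizeof dst bytes including the
// terminator and returns the length it *wanted*, so truncation is detected
// instead of silent. Returns false when the greeting did not fit.
bool greet_bounded(char (&dst)[kBufSize], std::string_view name)
{
    const int wanted = std::snprintf(dst, sizeof dst, "Hello, %.*s",
                                     static_cast<int>(name.size()), name.data());
    return wanted >= 0 && static_cast<std::size_t>(wanted) < sizeof dst;
}

// Caller-friendly wrapper: the (possibly truncated) text plus the fit flag.
std::pair<std::string, bool> greet(std::string_view name)
{
    char buf[kBufSize];
    const bool fit = greet_bounded(buf, name);
    return {std::string(buf), fit};
}

// Pattern 2: a buffer filled by memcpy with no terminator is handed to strlen,
// which scans past the end until it happens to find a zero byte.
std::size_t length_unterminated(const char* src, std::size_t n)
{
    char buf[kBufSize];
    std::memcpy(buf, src, n);   // with n == kBufSize there is no room for '\0'
    return std::strlen(buf);
}

// Terminated form: cap the copy so one byte always remains for '\0'.
std::size_t length_terminated(const char* src, std::size_t n)
{
    char buf[kBufSize];
    const std::size_t copied = n < sizeof buf ? n : sizeof buf - 1;
    std::memcpy(buf, src, copied);
    buf[copied] = '\0';
    return std::strlen(buf);    // never exceeds kBufSize - 1
}
```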

Plus more, such as:

The analyzer has a form of "taint analysis", which tracks attacker-controlled inputs, places where they are sanitized, and places where they are used without sanitization. In previous GCC releases this was too buggy to enable by default, with lots of false positives, so I hid it behind an extra command-line argument. I've fixed many bugs with this, so for GCC 14 I've enabled this by default when -fanalyzer is selected. This also enables these 6 taint-based warnings:

Using Copilot Chat with C++ in VS Code -- Sinem Akinci

If you are a C++ developer who uses VS Code as your editor, Copilot Chat can help you with many of your everyday coding tasks by allowing you to iterate with your code in natural language.

Using Copilot Chat with C++ in VS Code

by Sinem Akinci

From the article:

We have just released a new YouTube video demonstrating the power of Copilot Chat in C++ code:

We cover how Copilot Chat can provide enhancements to your C++ coding scenarios like:

  • Simplifying and refactoring existing code
  • Generating new code and iterating with the prompt
  • Generating and explaining new test cases
  • Refactoring test cases to new frameworks
  • Understanding errors with your code
  • … and more!