A Brief and Incomplete Comparison of Memory Corruption Detection Tools -- Raymond Chen

By Blog Staff | Mar 26, 2025 01:27 PM | Tags: None

Memory diagnostic tools can be divided into runtime detection tools like Address Sanitizer (ASAN), Valgrind, and Application Verifier, and recording tools like rr and Time Travel Debugging (TTD). While runtime tools help catch memory errors as they occur, recording tools allow developers to trace memory modifications over time, making them a powerful combination for debugging complex issues.

A Brief and Incomplete Comparison of Memory Corruption Detection Tools

by Raymond Chen

From the article:

I promised last time to do a comparison of memory diagnostic tools. We have runtime diagnostic tools Address Sanitizer (ASAN), Valgrind, and Application Verifier (AppVerifier, avrf), and we have recording tools rr, and Time Travel Debugging (TTD)

First, the runtime tools:

ASAN detects a lot more types of memory errors, but it requires that you recompile everything. This can be limiting if you suspect that the problem is coming from a component you cannot recompile (say because you aren’t set up to recompile it, or because you don’t have the source code). Valgrind and AppVerifier have the advantage that you can turn them on for a process without requiring a recompilation. That means that you can ask a customer to turn it on at their site, without having to deliver a custom build to them. This is even more important on Windows because you have no chance of giving them an ASAN-enabled version of, say, kernel32.dll.

Reminder: When a C++ Object Fails to Construct, the Destructor Does Not Run -- Raymond Chen

By Blog Staff | Mar 24, 2025 01:24 PM | Tags: None

In C++, if an object’s constructor fails (due to an exception), destructors are run for the object’s member variables and base classes, but not for the object itself. The principle at play is that you cannot destruct something that was never constructed in the first place.

Reminder: When a C++ Object Fails to Construct, the Destructor Does Not Run

by Raymond Chen

From the article:

Consider this pull request:

com_timeout_t(DWORD timeoutInMilliseconds)
    : m_threadId(GetCurrentThreadId())
{
    m_cancelEnablementResult = CoEnableCallCancellation(nullptr);
    err_policy::HResult(m_cancelEnablementResult);
    if (SUCCEEDED(m_cancelEnablementResult))
    {
        m_timer.reset(CreateThreadpoolTimer(
            &com_timeout_t::timer_callback, this, nullptr));
        err_policy::LastErrorIfFalse(
            static_cast<bool>(m_timer));
        if (m_timer)
        {
            FILETIME ft = filetime::get_system_time();
            ft = filetime::add(ft, filetime::
                    convert_msec_to_100ns(timeoutInMilliseconds));
            SetThreadpoolTimer(m_timer.get(), &ft,
                    timeoutInMilliseconds, 0);
        }
    }
}

~com_timeout_t()
{
    m_timer.reset();

    if (SUCCEEDED(m_cancelEnablementResult))
    {
        CoDisableCallCancellation(nullptr);
    }
}

⟦ member variables: ⟧

HRESULT m_cancelEnablementResult{};
DWORD m_threadId{};
bool m_timedOut{};
wil::unique_threadpool_timer_nocancel m_timer;

The idea is that the constructor first calls Co­Enable­Call­Cancellation and reports the failure via err_policy::HResult().

Bjarne Stroustrup's Vision for 21st Century C++ -- Darryl K. Taft & David Cassel

By Blog Staff | Mar 22, 2025 01:37 PM | Tags: None

Bjarne Stroustrup, the creator of C++, has outlined his vision for the language’s future in his article "21st Century C++," emphasizing the need for safer and more modern coding practices without abandoning its powerful legacy. His approach advocates for incremental improvements, such as guideline-enforcing profiles and enhanced type safety, ensuring C++ remains relevant in an era of heightened security and performance demands.

Bjarne Stroustrup's Vision for 21st Century C++: Balancing Legacy, Safety, and Innovation

by Darryl K. Taft & David Cassel

From the article:

Bjarne Stroustrup, the mind behind the venerable C++ programming language, has once again entered the fray to shape the language’s future, publishing a weighty, 6,300-word piece titled "21st Century C++" in Communications of the ACM. Central to his argument is the idea that while C++ itself cannot drastically change due to its extensive legacy, the practices surrounding it can and must adapt. His manifesto outlines a path forward, advocating for tools like guideline-enforcing profiles to detect and mitigate coding errors, alongside a deliberate, type-safe evolution of the language. Stroustrup's call to action is as much about preserving the language's relevance in an era of heightened attention to memory safety as it is about addressing criticism aimed at C++’s historical complexities.

"21st Century C++" and the Pursuit of Safety Without Sacrificing Power

C++ is a linguistic titan. It powers systems that range from high-frequency trading platforms to embedded systems in spacecraft, and yet its intricate, low-level control has often been a double-edged sword. For Stroustrup, the path forward lies in preserving this power while ensuring safer usage—a delicate dance that avoids alienating the vast community reliant on its compatibility with decades-old code. In "21st Century C++," Stroustrup suggests that the way forward lies in shifting the culture and tools surrounding the language, rather than the language itself.

One of the most critical elements of his vision is the concept of "guideline-enforcing profiles."

2025-03 Mailing Available

By Administrator | Mar 21, 2025 01:44 PM | Tags: None

The 2025-03 mailing of new standards papers is now available.

The Case of the Crash When Trying to Erase an Element from a std::set -- Raymond Chen

By Blog Staff | Mar 21, 2025 01:17 PM | Tags: None

Today, we’ll look at a crash that occurred when trying to erase an element from a std::set.

The Case of the Crash When Trying to Erase an Element from a std::set

by Raymond Chen

From the article:

rax=000001f565bc046e rbx=000001f589b20340 rcx=000001f565bc046e
rdx=000000e6658feca8 rsi=000001f589b20690 rdi=000001f589b203c0
rip=00007ffdd4726bc4 rsp=000000e6658fec30 rbp=0000388a1713ab55
 r8=000001f589b895d0  r9=000001f589b895d0 r10=000001f589000140
r11=0000000000000000 r12=0000000000000001 r13=000000007ffe0385
r14=0000000000000000 r15=000001f589b8f900

LitWare!std::_Tree<std::_Tset_traits<WidgetWatcher *,
        std::less<WidgetWatcher *>,
        std::allocator<WidgetWatcher *>,0> >::_Eqrange+0x14
    [inlined in LitWare!std::_Tree<std::_Tset_traits<
        WidgetWatcher *,std::less<WidgetWatcher *>,
        std::allocator<WidgetWatcher *>,0> >::erase+0x18]:
00007ffd`d4726bc4 cmp     byte ptr [rax+19h],r11b ds:000001f5`65bc0487=??

The stack trace has some information about how we got here.

LitWare!std::_Tree<std::_Tset_traits<Widget *,
        std::less<Widget *>,
        std::allocator<Widget *>,0> >::_Eqrange+0x14
LitWare!std::_Tree<std::_Tset_traits<Widget *,
        std::less<Widget *>,
        std::allocator<Widget *>,0> >::erase+0x18
LitWare!Widget::~Widget+0xc8
LitWare!Widget::`scalar deleting destructor'+0x14
LitWare!DestroyWidget+0x15
Fabrikam!Doodad::~Doodad+0x75
Fabrikam!Doodad::`scalar deleting destructor'+0x14
Fabrikam!Doodad::Release+0x40
Contoso!Gadget::~Gadget+0x66
ucrtbase!<lambda_⟦...⟧>::operator()+0xa5
ucrtbase!__crt_seh_guarded_call<int>::operator()<⟦...⟧>+0x3b
ucrtbase!__acrt_lock_and_call+0x1c
ucrtbase!_execute_onexit_table+0x3d
Contoso!dllmain_crt_process_detach+0x45
Contoso!dllmain_dispatch+0xe6
ntdll!LdrpCallInitRoutine+0xb0
ntdll!LdrShutdownProcess+0x260
ntdll!RtlExitUserProcess+0x114
kernel32!FatalExit+0xb
ucrtbased!exit_or_terminate_process+0x3a
ucrtbased!common_exit+0x85
ucrtbased!exit+0x16

C++ for Embedded Systems: constexpr and consteval -- Andreas Fertig

By Blog Staff | Mar 18, 2025 01:12 PM | Tags: None

In today's post, I'll learn how modern C++ can influence the code you write for your embedded system. You will see code using up to C++23. The example I show you below circles around at least two questions I got various times from customers: What is consteval good for? What is that user-defined literal operator, and why should I care?

C++ for Embedded Systems: constexpr and consteval

by Andreas Fertig

From the article:

Chapter One: What is a MAC address?

I teach a lot of classes to customers who are developing embedded systems. That makes sense. I worked for a long time in that domain, and I enjoyed it so much.

One recurring topic is networking. While nowadays we have various different network types and technologies, let's use the Internet Protocol (IP) today. The base of network communication is your Network Interface Card (NIC). Each NIC has a unique Medium Control Address (MAC) assigned. The MAC address is the base layer for everything on top, like TCP/IP.

A MAC address consists of exactly six bytes. One way to represent a MAC address in code is this:

A Simplified Overview of Ways to Add or Update Elements in a std::map -- Raymond Chen

By Blog Staff | Mar 14, 2025 01:05 PM | Tags: None

The std::map subscript operator ([]) is a convenient but sometimes dangerous feature, as it can create unintended default-constructed entries. By understanding the behavior of various map insertion and lookup methods—such as insert, emplace, try_emplace, and insert_or_assign—developers can write more efficient and predictable code while avoiding unnecessary key-value creations and duplicate lookups.

A Simplified Overview of Ways to Add or Update Elements in a std::map

by Raymond Chen

From the article:

Some time ago, I mentioned how the std::map subscript operator is a dangerous convenience. In that article, I linked to an overview of the insertion emplacement methods, but I’m going to recapture the essential points in a table.¹

In the table below, the discussion of “consumed” or “not consumed” refers to the case that v is an rvalue reference like std::move(something).

We can reorganize the table by effect.

Exercise: Why are the bottom left two boxes blank?

C++26: pack indexing -- Sandor Dargo

By Blog Staff | Mar 12, 2025 01:00 PM | Tags: None

C++26 introduces pack indexing as a core language feature, making it significantly easier to extract specific elements from parameter packs using a familiar subscript syntax. This improvement, proposed by Corentin Jabot and Pablo Halpern, eliminates the need for cumbersome workarounds like recursive templates or boolean expression tricks, providing a more intuitive and readable approach.

C++26: pack indexing

by Sandor Dargo

From the article:

C++11 introduced parameter packs to provide a safer way to pass an undefined number of parameters to functions instead of relying on variadic functions.

While packs are a useful feature, and since C++17 it’s so easy to use them in fold expressions, extracting a specific element of a pack is somewhat cumbersome.

You either have to rely on some standard functions not made for the purpose or use “awkward boolean expression crafting or recursive templates”. None of them is unbearable, but it might be error-prone or simply expensive regarding compile-time performance. Nevertheless, they are not the most readable solutions.

C++26 brings us pack indexing as a core language feature thanks to the proposal of Corentin Jabot and Pablo Halpern, P2662R3.

Before discussing some interesting points, first, let’s look at an example:

Improving Code Safety in C++26: Managers and Dangling References -- Bartlomiej Filipek

By Blog Staff | Mar 10, 2025 12:55 PM | Tags: None

In this blog post, we’ll explore ways to improve the safety of a simple configuration manager. We’ll handle common pitfalls like dangling references and excessive stack usage. Additionally, we’ll see how C++26 helps enforce safer coding practices with stricter diagnostics and improved handling of large objects.

Improving Code Safety in C++26: Managers and Dangling References

by Bartlomiej Filipek

From the article:

Step 1: The Buggy Implementation 
 
Below is a simple example of a manager object that stores various configs in a map and provides a method to retrieve them. When a requested configuration isn’t found, the code attempts to return a default certificate:

Do you see a potential error in this code?

. . .

At first glance, the code looks harmless. However, if the requested entry isn’t found, the function returns a reference to a temporary std::vector. Once the function exits, that temporary is destroyed—leaving you with a dangling reference and undefined behavior.

Inside STL: Waiting for a std::atomic to change, part 2 -- Raymond Chen

By Blog Staff | Mar 6, 2025 12:53 PM | Tags: None

Last time, we looked at how the Microsoft C++ standard library implements wait and notify_* for std::atomic<std::shared_ptr<T>>. Today, we’ll look at the other library that (as of this writing) implements std::atomic<std::shared_ptr<T>>: libstdc++.

Inside STL: Waiting for a std::atomic<std::shared_ptr<T>> to change, part 2

by Raymond Chen

From the article:

The first thing to note is that the traditional “wait for a value to change” mechanism on unix is the futex, but futexes (futexen?) are limited to 4-byte values, which is insufficient for a 64-bit pointer, much less the two pointers inside a shared_ptr.

At this point, I will refer you to learn about how libstdc++ implements waits on atomic values, particularly the section on how it handles types that do not fit in a __platform_wait_t. The remainder of this discussion will treat that as an already-solved problem and focus on the shared pointer part.

Okay, back to atomic<shared_ptr<T>>::wait():

// atomic<shared_ptr<T>>::wait
void
wait(value_type __old,
     memory_order __o = memory_order_seq_cst) const noexcept
{
    _M_impl.wait(std::move(__old), __o);
}

When you wait on a shared_ptr, the work is done by _Sp_atomic::wait:

// _Sp_atomic<shared_ptr<T>>::wait
void
wait(value_type __old, memory_order __o) const noexcept
{
    auto __pi = _M_refcount.lock(memory_order_acquire);
    if (_M_ptr == __old._M_ptr && __pi == __old._M_refcount._M_pi)
      _M_refcount._M_wait_unlock(__o);
    else
      _M_refcount.unlock(memory_order_relaxed);
}