{"id":1875,"date":"2024-06-12T08:27:18","date_gmt":"2024-06-12T08:27:18","guid":{"rendered":"https:\/\/cppdepend.com\/blog\/?p=1875"},"modified":"2024-06-12T10:14:28","modified_gmt":"2024-06-12T10:14:28","slug":"could-herb-sutters-call-to-action-for-c-safety-be-acheived-soon","status":"publish","type":"post","link":"https:\/\/cppdepend.com\/blog\/could-herb-sutters-call-to-action-for-c-safety-be-acheived-soon\/","title":{"rendered":"Could Herb Sutter&#8217;s call to action for C++ safety be achieved soon?"},"content":{"rendered":"\n<p>Recently, Herb Sutter wrote an excellent <a href=\"https:\/\/herbsutter.com\/2024\/03\/11\/safety-in-context\/\">article<\/a> on C++ safety. He discussed numerous ideas, but I&#8217;ll provide a summary of his perspective on what can be done in the medium term to enhance C++ safety.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td>In C++, by default enforce \u2026<\/td><td><strong>(A) Solution for new\/updated code (can require code changes \u2014 no link\/binary changes)<\/strong><\/td><td><strong>(B) Solution for existing code (requires recompile only \u2014 no manual code changes, no link\/binary changes)<\/strong><\/td><\/tr><tr><td><strong>Type safety<\/strong><\/td><td>Ban all inherently unsafe casts and conversions<\/td><td>Make unsafe casts and conversions with a safe alternative do the safe thing<\/td><\/tr><tr><td><strong>Bounds safety<\/strong><\/td><td>Ban pointer arithmetic Ban unchecked iterator arithmetic<\/td><td>Check in-bounds for all allowed iterator arithmetic Check in-bounds for all subscript operations<\/td><\/tr><tr><td><strong>Initialization safety<\/strong><\/td><td>Require all variables to be initialized (either at declaration, or before first use)<\/td><td>\u2014<\/td><\/tr><tr><td><strong>Lifetime safety<\/strong><\/td><td>Statically diagnose many common pointer\/iterator lifetime error cases<\/td><td>Check not-null for all pointer dereferences<\/td><\/tr><tr><td><strong>Less undefined 
behavior<\/strong><\/td><td>Statically diagnose known UB\/bug cases, to error on actual bugs in existing code with just a recompile and zero false positives:<br>Ban mathematically invalid comparison chains<br>(add additional cases from UB Annex review)<\/td><td>Automatically fix known UB\/bug cases, to make current bugs in existing code be actually correct with just a recompile and zero false positives:<br>Define mathematically valid comparison chains<br>Default return *this; for C assignment operators that return C&amp;<br>(add additional cases from UB Annex review)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>But what are the current possibilities for achieving this goal?<\/p>\n\n\n\n<!--more-->\n\n\n\n<p><strong>Type Safety:<\/strong><\/p>\n\n\n\n<p>To enforce type safety in C++, you can use the following compilation command with various flags to enable strict type checking and other safety features:<\/p>\n\n\n\n<div class=\"wp-block-codemirror-blocks-code-block code-block\"><pre class=\"CodeMirror\" data-setting=\"{&quot;showPanel&quot;:false,&quot;languageLabel&quot;:&quot;language&quot;,&quot;fullScreenButton&quot;:true,&quot;copyButton&quot;:true,&quot;mode&quot;:&quot;clike&quot;,&quot;mime&quot;:&quot;text\/x-c++src&quot;,&quot;theme&quot;:&quot;material&quot;,&quot;lineNumbers&quot;:false,&quot;styleActiveLine&quot;:false,&quot;lineWrapping&quot;:false,&quot;readOnly&quot;:true,&quot;fileName&quot;:&quot;C++&quot;,&quot;language&quot;:&quot;C++&quot;,&quot;maxHeight&quot;:&quot;400px&quot;,&quot;modeName&quot;:&quot;cpp&quot;}\">g++ -Wall -Wextra -Wpedantic -Wconversion -Wsign-conversion -Wshadow -Werror  -o output_file source_file.cpp<\/pre><\/div>\n\n\n\n<p>Here&#8217;s a breakdown of what these flags do:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>-Wall<\/code>: Enables all the common warnings.<\/li>\n\n\n\n<li><code>-Wextra<\/code>: Enables additional warnings.<\/li>\n\n\n\n<li><code>-Wpedantic<\/code>: Enforces strict ISO C++ 
compliance.<\/li>\n\n\n\n<li><code>-Wconversion<\/code>: Warns about implicit conversions that may change a value.<\/li>\n\n\n\n<li><code>-Wsign-conversion<\/code>: Warns about implicit conversions between signed and unsigned types.<\/li>\n\n\n\n<li><code>-Wshadow<\/code>: Warns if a variable declaration shadows one from an outer scope.<\/li>\n\n\n\n<li><code>-Werror<\/code>: Treats all warnings as errors, stopping compilation if any warnings are present.<\/li>\n<\/ul>\n\n\n\n<p><strong>Bounds Safety:<\/strong><\/p>\n\n\n\n<p>To enforce bounds safety in C++, you can use the <code>-fsanitize=bounds<\/code> option with <code>gcc<\/code> or <code>clang<\/code>. This flag enables runtime checks for out-of-bounds array access. Here&#8217;s a sample compilation command:<\/p>\n\n\n\n<div class=\"wp-block-codemirror-blocks-code-block code-block\"><pre class=\"CodeMirror\" data-setting=\"{&quot;showPanel&quot;:false,&quot;languageLabel&quot;:&quot;language&quot;,&quot;fullScreenButton&quot;:true,&quot;copyButton&quot;:true,&quot;mode&quot;:&quot;clike&quot;,&quot;mime&quot;:&quot;text\/x-c++src&quot;,&quot;theme&quot;:&quot;material&quot;,&quot;lineNumbers&quot;:false,&quot;styleActiveLine&quot;:false,&quot;lineWrapping&quot;:false,&quot;readOnly&quot;:true,&quot;fileName&quot;:&quot;C++&quot;,&quot;language&quot;:&quot;C++&quot;,&quot;maxHeight&quot;:&quot;400px&quot;,&quot;modeName&quot;:&quot;cpp&quot;}\">g++ -fsanitize=bounds -o my_program my_program.cpp<\/pre><\/div>\n\n\n\n<p>This command will compile <code>my_program.cpp<\/code> with bounds safety checks enabled and produce an executable named <code>my_program<\/code>. If you encounter any out-of-bounds access during execution, the sanitizer will report it.<\/p>\n\n\n\n<p><strong>Initialization Safety:<\/strong><\/p>\n\n\n\n<p>To enforce initialization safety in C++, you can use several compiler flags that help catch uninitialized variables and other related issues. 
Here are the commands for GCC and Clang:<\/p>\n\n\n\n<h6 class=\"wp-block-heading\">GCC<\/h6>\n\n\n\n<div class=\"wp-block-codemirror-blocks-code-block code-block\"><pre class=\"CodeMirror\" data-setting=\"{&quot;showPanel&quot;:false,&quot;languageLabel&quot;:&quot;language&quot;,&quot;fullScreenButton&quot;:true,&quot;copyButton&quot;:true,&quot;mode&quot;:&quot;clike&quot;,&quot;mime&quot;:&quot;text\/x-c++src&quot;,&quot;theme&quot;:&quot;material&quot;,&quot;lineNumbers&quot;:false,&quot;styleActiveLine&quot;:false,&quot;lineWrapping&quot;:false,&quot;readOnly&quot;:true,&quot;fileName&quot;:&quot;C++&quot;,&quot;language&quot;:&quot;C++&quot;,&quot;maxHeight&quot;:&quot;400px&quot;,&quot;modeName&quot;:&quot;cpp&quot;}\">g++ -Wall -Wextra -Wuninitialized -Wmaybe-uninitialized -o your_program your_program.cpp<\/pre><\/div>\n\n\n\n<h6 class=\"wp-block-heading\">Clang<\/h6>\n\n\n\n<div class=\"wp-block-codemirror-blocks-code-block code-block\"><pre class=\"CodeMirror\" data-setting=\"{&quot;showPanel&quot;:false,&quot;languageLabel&quot;:&quot;language&quot;,&quot;fullScreenButton&quot;:true,&quot;copyButton&quot;:true,&quot;mode&quot;:&quot;clike&quot;,&quot;mime&quot;:&quot;text\/x-c++src&quot;,&quot;theme&quot;:&quot;material&quot;,&quot;lineNumbers&quot;:false,&quot;styleActiveLine&quot;:false,&quot;lineWrapping&quot;:false,&quot;readOnly&quot;:true,&quot;fileName&quot;:&quot;C++&quot;,&quot;language&quot;:&quot;C++&quot;,&quot;maxHeight&quot;:&quot;400px&quot;,&quot;modeName&quot;:&quot;cpp&quot;}\">clang++ -Wall -Wextra -Wuninitialized -o your_program your_program.cpp<\/pre><\/div>\n\n\n\n<h6 class=\"wp-block-heading\">Explanation<\/h6>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>-Wall<\/code>: Enables all the commonly used warning messages.<\/li>\n\n\n\n<li><code>-Wextra<\/code>: Enables some extra warning flags that are not enabled by <code>-Wall<\/code>.<\/li>\n\n\n\n<li><code>-Wuninitialized<\/code>: Warns about uninitialized 
variables.<\/li>\n\n\n\n<li><code>-Wmaybe-uninitialized<\/code>: Warns about variables that may be uninitialized.<\/li>\n<\/ul>\n\n\n\n<p><strong>Lifetime Safety:<\/strong><\/p>\n\n\n\n<p>To enforce lifetime safety in C++, you need to use specific compiler flags and potentially enable certain features or tools designed to help with lifetime analysis and safety checks. As of recent developments, the <code>-fsanitize=address<\/code> flag with the Clang or GCC compiler can help detect lifetime issues. Additionally, you might want to use Clang&#8217;s static analyzer or Microsoft&#8217;s tools in Visual Studio for more comprehensive checks.<\/p>\n\n\n\n<p>Here are some commands you can use for GCC and Clang:<\/p>\n\n\n\n<h6 class=\"wp-block-heading\">GCC<\/h6>\n\n\n\n<div class=\"wp-block-codemirror-blocks-code-block code-block\"><pre class=\"CodeMirror\" data-setting=\"{&quot;showPanel&quot;:false,&quot;languageLabel&quot;:&quot;language&quot;,&quot;fullScreenButton&quot;:true,&quot;copyButton&quot;:true,&quot;mode&quot;:&quot;clike&quot;,&quot;mime&quot;:&quot;text\/x-c++src&quot;,&quot;theme&quot;:&quot;material&quot;,&quot;lineNumbers&quot;:false,&quot;styleActiveLine&quot;:false,&quot;lineWrapping&quot;:false,&quot;readOnly&quot;:true,&quot;fileName&quot;:&quot;C++&quot;,&quot;language&quot;:&quot;C++&quot;,&quot;maxHeight&quot;:&quot;400px&quot;,&quot;modeName&quot;:&quot;cpp&quot;}\">g++ -fsanitize=address -fno-omit-frame-pointer -g -o your_program your_program.cpp<\/pre><\/div>\n\n\n\n<h6 class=\"wp-block-heading\">Clang<\/h6>\n\n\n\n<div class=\"wp-block-codemirror-blocks-code-block code-block\"><pre class=\"CodeMirror\" data-setting=\"{&quot;showPanel&quot;:false,&quot;languageLabel&quot;:&quot;language&quot;,&quot;fullScreenButton&quot;:true,&quot;copyButton&quot;:true,&quot;mode&quot;:&quot;clike&quot;,&quot;mime&quot;:&quot;text\/x-c++src&quot;,&quot;theme&quot;:&quot;material&quot;,&quot;lineNumbers&quot;:false,&quot;styleActiveLine&quot;:false,&quot;lineWrapping&quot;:false,&quot;readOnly&quot;:true,&quot;fileName&quot;:&quot;C++&quot;,&quot;language&quot;:&quot;C++&quot;,&quot;maxHeight&quot;:&quot;400px&quot;,&quot;modeName&quot;:&quot;cpp&quot;}\">clang++ -fsanitize=address -fno-omit-frame-pointer -g -o your_program your_program.cpp<\/pre><\/div>\n\n\n\n<p>These commands enable AddressSanitizer, which detects memory errors including use-after-free, use-after-return and use-after-scope, all of which are critical for enforcing lifetime safety.<\/p>\n\n\n\n<p><strong>Undefined Behavior:<\/strong><\/p>\n\n\n\n<p>To guard against undefined behavior in C++, you can use various compiler flags and tools. 
Here\u2019s a compilation command using <code>g++<\/code> (part of the GNU Compiler Collection) that includes common flags to help detect and prevent undefined behavior:<\/p>\n\n\n\n<div class=\"wp-block-codemirror-blocks-code-block code-block\"><pre class=\"CodeMirror\" data-setting=\"{&quot;showPanel&quot;:false,&quot;languageLabel&quot;:&quot;language&quot;,&quot;fullScreenButton&quot;:true,&quot;copyButton&quot;:true,&quot;mode&quot;:&quot;clike&quot;,&quot;mime&quot;:&quot;text\/x-c++src&quot;,&quot;theme&quot;:&quot;material&quot;,&quot;lineNumbers&quot;:false,&quot;styleActiveLine&quot;:false,&quot;lineWrapping&quot;:false,&quot;readOnly&quot;:true,&quot;fileName&quot;:&quot;C++&quot;,&quot;language&quot;:&quot;C++&quot;,&quot;maxHeight&quot;:&quot;400px&quot;,&quot;modeName&quot;:&quot;cpp&quot;}\">g++ -Wall -Wextra -Werror -pedantic -fsanitize=address,undefined -fstack-protector-all -O2 -g your_file.cpp -o your_program<\/pre><\/div>\n\n\n\n<p>Here\u2019s a breakdown of the flags used:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>-Wall<\/code>: Enables all the commonly used warning messages.<\/li>\n\n\n\n<li><code>-Wextra<\/code>: Enables additional warning messages not included by <code>-Wall<\/code>.<\/li>\n\n\n\n<li><code>-Werror<\/code>: Treats all warnings as errors, forcing you to fix them.<\/li>\n\n\n\n<li><code>-pedantic<\/code>: Enforces strict ISO C++ compliance.<\/li>\n\n\n\n<li><code>-fsanitize=address,undefined<\/code>: Enables AddressSanitizer and UndefinedBehaviorSanitizer to detect memory errors and undefined behavior at runtime.<\/li>\n\n\n\n<li><code>-fstack-protector-all<\/code>: Adds stack protection to detect stack buffer overflows.<\/li>\n\n\n\n<li><code>-O2<\/code>: Enables optimization (level 2), which is a good balance between performance and debugging.<\/li>\n\n\n\n<li><code>-g<\/code>: Includes debugging information in the binary for use with a debugger (e.g., <code>gdb<\/code>).<\/li>\n<\/ul>\n\n\n\n<p><strong>C++ 
Sanitizer Issues:<\/strong><\/p>\n\n\n\n<p>As we can see, sanitizers can address some of the problems reported by Herb Sutter. However, they have several issues:<\/p>\n\n\n\n<p>1- <strong>Performance Overhead<\/strong>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Runtime Performance<\/strong>: Sanitizers introduce significant runtime overhead. AddressSanitizer, for example, can slow down the execution of a program by 2-3 times.<\/li>\n\n\n\n<li><strong>Memory Usage<\/strong>: Sanitizers, particularly AddressSanitizer, increase memory usage substantially. This can be problematic for memory-constrained environments.<\/li>\n<\/ul>\n\n\n\n<p>2- <strong>Compatibility Issues<\/strong>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Platform Support<\/strong>: Not all sanitizers are available on all platforms or compilers. This can limit their use in cross-platform projects.<\/li>\n\n\n\n<li><strong>Third-Party Libraries<\/strong>: Using sanitizers with third-party libraries that were not compiled with sanitization in mind can result in compatibility issues or spurious errors.<\/li>\n<\/ul>\n\n\n\n<p>3- <strong>Build and Execution Complexity<\/strong>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Complexity in Build Process<\/strong>: Integrating sanitizers into the build process can complicate the build configuration, especially when dealing with multiple build types (e.g., release vs. 
debug).<\/li>\n\n\n\n<li><strong>Special Execution Environment<\/strong>: Running tests under sanitizers often requires a special execution environment and additional setup, making the process more cumbersome.<\/li>\n<\/ul>\n\n\n\n<p>4- <strong>Limited Scope<\/strong>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Specific Types of Bugs<\/strong>: Sanitizers are designed to catch specific types of bugs (e.g., memory errors, undefined behavior), and may not catch logic errors, algorithmic inefficiencies, or other kinds of bugs.<\/li>\n<\/ul>\n\n\n\n<p>5- <strong>Debugging Complexity<\/strong>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Detailed Reports<\/strong>: While detailed reports from sanitizers are helpful, they can sometimes be overwhelming or difficult to interpret, especially for large and complex codebases.<\/li>\n\n\n\n<li><strong>Reproducibility<\/strong>: Some issues reported by sanitizers might be non-deterministic and difficult to reproduce, complicating the debugging process.<\/li>\n<\/ul>\n\n\n\n<p>It&#8217;s clear that we need another mechanism to enhance safety without compromising C++ performance. This goal has become a high-priority concern for the C++ committee, and we hope to have a definitive solution for this urgent problem soon.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Recently, Herb Sutter wrote an excellent article on C++ safety. He discussed numerous ideas, but I&#8217;ll provide a summary of his perspective on what can be done in the medium term to enhance C++ safety. 
In C++, by default enforce \u2026 (A) Solution for new\/updated code (can require code changes \u2014 no link\/binary changes) (B) &hellip; <a href=\"https:\/\/cppdepend.com\/blog\/could-herb-sutters-call-to-action-for-c-safety-be-acheived-soon\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Could Herb Sutter&#8217;s call to action for C++ safety be achieved soon?&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[402,561,550,572,559,485,573,554,571,551,552,188,569,476,548,562,557,560,549,553,556,92,565,18,555,180,567,558,564,570,568,563,566],"class_list":["post-1875","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-addresssanitizer","tag-c-best-practices","tag-c-bounds-safety","tag-c-build-process","tag-c-code-quality","tag-c-committee","tag-c-compilation","tag-c-compiler-flags","tag-c-debugging","tag-c-initialization-safety","tag-c-lifetime-safety","tag-c-performance","tag-c-resource-management","tag-c-safety","tag-c-safety-features","tag-c-safety-improvements","tag-c-sanitizers","tag-c-static-analysis","tag-c-type-safety","tag-c-undefined-behavior","tag-clang-c-flags","tag-code-maintainability","tag-compiler-warnings","tag-cppdepend","tag-gcc-c-flags","tag-herb-sutter","tag-iterator-safety","tag-memory-safety-in-c","tag-memory-usage-c","tag-multi-threading-in-c","tag-pointer-safety","tag-runtime-performance-c","tag-type-checking-in-c"],"_links":{"self":[{"href":"https:\/\/cppdepend.com\/blog\/wp-json\/wp\/v2\/posts\/1875","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cppdepend.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cppdepend.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cppdepend.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replie
s":[{"embeddable":true,"href":"https:\/\/cppdepend.com\/blog\/wp-json\/wp\/v2\/comments?post=1875"}],"version-history":[{"count":9,"href":"https:\/\/cppdepend.com\/blog\/wp-json\/wp\/v2\/posts\/1875\/revisions"}],"predecessor-version":[{"id":1887,"href":"https:\/\/cppdepend.com\/blog\/wp-json\/wp\/v2\/posts\/1875\/revisions\/1887"}],"wp:attachment":[{"href":"https:\/\/cppdepend.com\/blog\/wp-json\/wp\/v2\/media?parent=1875"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cppdepend.com\/blog\/wp-json\/wp\/v2\/categories?post=1875"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cppdepend.com\/blog\/wp-json\/wp\/v2\/tags?post=1875"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}