神刀安全网

"Safe C++ Subset" Is Vapourware

Almost every time a discussion of Rust vs C++ comes up, someone comes up with a comment like:

the subset of C++14 that most people will want to use and the guidelines for its safe use are already well on their way to being defined … By following the guidelines, which can be verified statically at compile time, the same kind of safeties provided by Rust can be had from C++, and with less annotation effort.

This promise is vapourware

. In fact, it’s classic vapourware in the sense of "wildly optimistic claim about a future product made to counter a competitor".

(FWIW the claim quoted above is actually an overstatement of the goals of the C++ Core Guidelines, which say "our design is a simpler feature focused on eliminating leaks and dangling only"; Rust provides important additional safety properties such as data-race freedom. But even just the memory safety claim is vapourware.)

To satisfy this claim, we need to see a complete set of statically checkable rules and a plausible argument that a program adhering to these rules cannot exhibit memory safety bugs. Notably, languages that offer memory safety are not just claiming you can write safe programs in the language, nor that there is a static checker that finds most memory safety bugs; they are claiming that code written in that language (or the safe subset thereof) cannot exhibit memory safety bugs .

AFAIK the closest to this C++ gets is the Core Guidelines Lifetimes I and II document, last updated December 2015. It contains only an "informal overview and rationale"; it refers to "Section III, analysis rules (forthcoming this winter)", which apparently has not yet come forth. (I’m pretty sure they didn’t mean the New Zealand winter.) The informal overview shows a heavy dependence on alias analysis, which does not inspire confidence because alias analysis is always fragile. The overview leaves open critical questions about even trivial examples. Consider:

unique_ptr    p; void foo(const int& v) {   p = nullptr;   cout << v; } void bar() {   p = make_unique(7);   foo(*p); } 

Obviously this program is unsafe and must be forbidden, but what rule would reject it? The document says

  • In the function body, by default a Pointer parameter param is assumed to be valid for the duration of the function call and not depend on any other parameter, so at the start of the function lset(param) = param (its own lifetime) only.
  • At a call site, by default passing a Pointer to a function requires that the argument’s lset not include anything that could be invalidated by the function.

Clearly the body of foo is OK by those rules. For the call to foo from bar

, it depends on what is meant by "anything that could be invalidated by the function". Does that include anything reachable via global variables? Because if it does, then you can’t pass anything reachable from a global variable to any function by reference, which is crippling. But if it doesn’t, then what rejects this code?

This is not one rogue example that is easily addressed. This example cuts to the heart of the problem, which is that understanding aliasing in the face of functions with potentially unbounded side effects is notoriously difficult. I myself wrote a PhD thesis on the subject, one among hundreds, if not thousands. Designing your language and its libraries from the ground up to deal with these issues has been shown to work, in Rust at least, but I’m deeply skeptical it can be bolted onto C++.

Q&A

Aren’t clang and MSVC already shipping previews of this safe subset?They’re implementing static checking rules that no doubt will catch many bugs, which is great. They’re nowhere near demonstrating they can catch every memory safety bug.

Aren’t you always vulnerable to bugs in the compiler, foreign code, or mistakes in the safety proofs, so you can never reach 100% safety anyway?Yes, but it is important to reduce the amount of trusted code to the minimum. There are ways to use machine-checked proofs to verify that compilation and proof steps do not introduce safety bugs.

Won’t you look stupid when Section III is released?Occupational hazard, but that leads me to one more point: even if and when a statically checked, plausibly safe subset is produced, it will take significant experience working with that subset to determine whether it’s viable. A subset that rejects core C++ features such as references, or otherwise excludes the majority of existing C++ code, will not be very compelling (as acknowledged in the Lifetimes document: "Our goal is that the false positive rate should be kept at under 10% on average over a large body of code").

转载本站任何文章请注明:转载至神刀安全网,谢谢神刀安全网 » "Safe C++ Subset" Is Vapourware

分享到:更多 ()

评论 抢沙发

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址