C++ Logo

std-proposals

Advanced search

[std-proposals] Memory Safety in C++ via Safe Subset and Static Analysis - Master’s Thesis Summary

From: Thomas Krogh Lohse <tlohse20_at_[hidden]>
Date: Sun, 1 Jun 2025 08:32:00 +0000
Dear all,

I’ve just submitted my master’s thesis in Software Engineering from Aalborg University (defending it on June 6), which focuses on memory safety in C++, and I’d like to briefly share the core idea of my project.

The project defines a conservative safe subset of C++, and applies two static dataflow analyses:
    * A lifetime analysis to detect use-after-free, use-after-move, and similar issues.
    * A borrow checker-style analysis to ensure mutually exclusive access to resources.

The safe subset is inspired by Rust and restricts some inherently unsafe constructs:
    * Pointer dereferencing
    * `new` / `delete`
    * `reinterpret_cast`, `const_cast`, and C-style casts
    * Union field access
    * Labels and `goto`

Instead, developers are encouraged (by the language) to use smart pointers for ownership and lvalue-references for borrowing, promoting RAII by default.

The analyses are implemented in a proof-of-concept Clang plugin. Users can annotate types and functions with attributes (e.g., to define smart pointer behavior or skip analysis — similar to Rust's unsafe). It’s still a prototype and has some scalability and precision limitations, but it successfully enforces the subset and detects key violations. The implementation uses Andersen’s pointer analysis.

Currently, the analysis does not handle polymorphism, exceptions, or lambdas, though I outline ideas for addressing these in future work.

If refined with a more precise pointer analysis, some over-approximation fixes, and extended support for more of C++, I believe this approach could provide safety guarantees similar to Rust — but within standard, modern C++, without requiring a new frontend or language changes.

I’d love to hear your thoughts:
    * Do you see value in defining a "safe-by-default" C++ subset with opt-in unsafe features?
    * Could something like this analysis model help enforce safety in future directions for the language?

I’ve tried to keep this short, but I’d be happy to elaborate on any part of the project if there's interest.

Best regards,
Thomas Lohse

Received on 2025-06-01 08:32:10