Re: [std-proposals] Container bounds-check

From: Levo D <levoplusplus_at_[hidden]>
Date: Sun, 31 Aug 2025 20:01:26 +0000
On Sun, Aug 31, 2025 at 02:43:32AM -0700, Oliver Hunt wrote:
>
>
> > On Aug 31, 2025, at 2:31 AM, Levo D via Std-Proposals <std-proposals_at_[hidden]> wrote:
> >
> > I wrote quite a bit, so I figure I should stop and take feedback before I accidentally double this size.
> > I'd like to hear more about things I should consider (the end gives two examples).
> > Let me know if you'd like to work on this proposal with me. I'll be able to cover the content, but I doubt I can attend any meetings.
> > I personally have implemented the analysis below in my compiler, so I know it's pretty darn simple to implement (in my non-C++ compiler)
>
> It has finally been published, so I would recommend watching Geoff Garen’s talk at cppnow: https://www.youtube.com/watch?v=RLw13wLM5Ko

Ha, I saw that min problem coming. It's already in the proposal.
 
> I spent a decade working on webkit with Geoff, before migrating to trying to fix the security issues below the browser (at this point I’ve reached codegen).
>
> It covers many of these issues, and includes a discussion of use of the hardened runtime, which mitigates many/most of the issues in this post, and what they did to resolve the remainder.
>
> Beyond that, these solutions seem to assume static analyses already perform all kinds of value and range analysis being discussed as things that they would have to do - they already do.
>
> The reason for the hardened runtime is that it does not matter what static analysis does: it stops the invalid access at runtime.
>
> _If_ the compiler can prove a bounds check is unneeded it will be optimized, if it cannot prove it, the chances are the code is sufficiently difficult to follow that the developer also cannot trivially prove the bounds check is never needed.
>
> * Attributes For Containers:
>
> Static analysis does not guess - commercial analysers have explicitly included knowledge of every major API - C, C++, platform specific, common libraries, etc.

AFAIK they don't do it for user containers? These attributes will enable that.

> In C++26 there is the introduction of the concept of “hardened” preconditions that make it more clear which preconditions are considered security critical, and C++26 introduces contracts that can be used to provide source level awareness of valid use to a static analyzer even without prior awareness.
>
> —Oliver
>

Received on 2025-08-31 20:01:29
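As an added illustration of the two cases Oliver describes (a runtime bounds check the optimizer can prove unneeded versus one it cannot), not code from the thread or from any actual hardened runtime: the `hardened_vector` wrapper below is a hypothetical stand-in that throws instead of trapping so the precondition failure stays observable.

```cpp
#include <cstddef>
#include <stdexcept>
#include <utility>
#include <vector>

// Hypothetical hardened container (added example, not a real library):
// every element access is bounds-checked at runtime, whatever static
// analysis did or did not prove about the index.
template <typename T>
class hardened_vector {
public:
    explicit hardened_vector(std::vector<T> v) : data_(std::move(v)) {}
    std::size_t size() const { return data_.size(); }
    // Hardened precondition: i < size(). Violating it stops the access.
    const T& operator[](std::size_t i) const {
        if (i >= data_.size()) precondition_violation();
        return data_[i];
    }
private:
    [[noreturn]] static void precondition_violation() {
        // A shipping hardened runtime would trap here; throwing instead
        // keeps the failure observable in this demonstration.
        throw std::out_of_range("hardened_vector: index out of bounds");
    }
    std::vector<T> data_;
};

// Case 1: the loop bound is size(), so i < size() holds on every
// iteration; the optimizer can prove the check redundant and elide it.
long sum_all(const hardened_vector<int>& v) {
    long total = 0;
    for (std::size_t i = 0; i < v.size(); ++i) total += v[i];
    return total;
}

// Case 2: the index arrives from outside the function. Nothing in scope
// proves it in range, so the check stays and is what stops a bad access;
// here the violation is turned into a fallback value.
int lookup_or(const hardened_vector<int>& v, std::size_t untrusted, int fallback) {
    try {
        return v[untrusted];
    } catch (const std::out_of_range&) {
        return fallback;
    }
}

// Constructed sample data for the checks below.
hardened_vector<int> sample() {
    return hardened_vector<int>(std::vector<int>{1, 2, 3, 4});
}
```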