
Comment by wyldfire

4 days ago

A really good accompaniment to this is Carruth's "C++, bounds checking, performance, and compilers" [1]:

> ... strong belief that bounds checks couldn’t realistically be made cheap enough to enable by default. However, so far they are looking very affordable. From the above post, 0.3% for bounds checks in all the standard library types!

There's more to the hardening story than just bounds checks. But it's a big part IMO.

[1] https://chandlerc.blog/posts/2024/11/story-time-bounds-check...

Even if bounds checks were only active in debug builds, that would already be of high value.

  • > Even if bounds checks were only active in debug builds

    In MSVC or Clang, when compiled against the Microsoft C++ STL, they already are. So,

      #include <print>
      #include <vector>
      auto x = std::vector{1, 2, 3, 4, 5};
      std::println("{}", x[5]);   // index 5 is one past the end of a 5-element vector
    

    throws a very specific exception at runtime under debug mode.

    In fact on Windows, even the C runtime has debug checks. That's why there are four options to choose from when linking against the modern UCRT:

      /MT (static linking, no debug)
      /MTd (static linking, with debug)
      /MD (dynamic linking, no debug)
      /MDd (dynamic linking, with debug)
    

    For what 'debug in the C runtime' entails, see this comment I made a while ago[1]. As I mentioned, Unix-likes have no equivalent; you get one libc, and if you want to statically link against it, you have to release your own source code because it's GPL. Not sure why people put up with it.

    [1]: https://news.ycombinator.com/item?id=40361096
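As an added example (not code from the thread or from any of the libraries it mentions), the snippet above's out-of-range subscript under three policies side by side: plain `operator[]`, a portable checked accessor built on `.at()`, and a small `HardenedView` wrapper that does what a debug or hardened standard library does to `operator[]`, namely a compare-and-branch before the load. The wrapper throws on violation only so the outcome can be observed from a test; a real hardened STL terminates instead. The macro names in the comments are the real ones for libstdc++, libc++ and the MSVC STL; everything else is illustrative.

```cpp
// Added example: the same out-of-range subscript under three policies.
#include <cstddef>
#include <optional>
#include <stdexcept>
#include <string>
#include <vector>

// Portable checked read: std::vector::at() is bounds-checked in every
// standard library, debug or release, and throws std::out_of_range.
std::optional<int> read_checked(const std::vector<int>& v, std::size_t i) {
    try {
        return v.at(i);
    } catch (const std::out_of_range&) {
        return std::nullopt;
    }
}

// Unchecked read: in a release build of libstdc++, libc++ or the MSVC STL,
// operator[] performs no check and an out-of-range index is undefined
// behaviour. The same call traps at runtime when the library is built with
// -D_GLIBCXX_ASSERTIONS (libstdc++), -D_LIBCPP_HARDENING_MODE=_LIBCPP_HARDENING_MODE_FAST
// (libc++), or /MDd and /MTd on MSVC (_ITERATOR_DEBUG_LEVEL=2).
int read_unchecked(const std::vector<int>& v, std::size_t i) {
    return v[i];
}

// What a hardened operator[] amounts to: one compare-and-branch before the
// load. The branch is almost always predicted, which is why the cost quoted
// in the thread is in the sub-percent range.
class HardenedView {
public:
    HardenedView(const int* data, std::size_t size) : data_(data), size_(size) {}

    int operator[](std::size_t i) const {
        if (i >= size_) {            // the bounds check
            on_violation(i);
        }
        return data_[i];
    }

    std::size_t size() const { return size_; }

private:
    [[noreturn]] static void on_violation(std::size_t i) {
        // A hardened library terminates here (libc++ calls
        // __libcpp_verbose_abort; the MSVC debug STL reports
        // "vector subscript out of range" and breaks). This wrapper throws
        // instead, purely so a test can observe the violation.
        throw std::out_of_range("HardenedView: index " + std::to_string(i) +
                                " out of range");
    }

    const int* data_;
    std::size_t size_;
};

// Count how many of the indices in `idx` the hardened view rejects.
// In a real hardened build the first rejected access would end the process.
std::size_t count_trapped(const std::vector<int>& v,
                          const std::vector<std::size_t>& idx) {
    HardenedView view(v.data(), v.size());
    std::size_t trapped = 0;
    for (std::size_t i : idx) {
        try {
            (void)view[i];
        } catch (const std::out_of_range&) {
            ++trapped;
        }
    }
    return trapped;
}

int main() {
    // Constructed input mirroring the snippet above: five elements, so
    // index 5 is one past the end.
    std::vector<int> x{1, 2, 3, 4, 5};
    auto r = read_checked(x, 5);      // empty optional, no UB
    return r.has_value() ? 1 : 0;
}
```

The practical point is that `.at()` gives you the check everywhere at the cost of an exception path, while the compile-time switches turn the cheaper trap-on-violation behaviour on for every `operator[]` in the library without touching call sites, which is the configuration the 0.3% figure in the parent comment is about.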

    • Not sure what you mean by "Not sure why people put up with it". Glibc is licensed under the LGPL, so you can distribute it in proprietary software, even with static linking, under some conditions. And there are also other alternatives.

    • glibc has -D_FORTIFY_SOURCE, which uses several GCC and clang builtins and features along with hardened alternative function implementations to enable additional compile-time and runtime checks.

  • That at least has been covered almost since C++ exists.

    First in compiler vendors' frameworks, pre-C++98, afterwards with build settings.

    It is quite telling from existing community culture, that some folks only read their compiler manuals when government knocks on the door.

    • >It is quite telling from existing community culture, that some folks only read their compiler manuals when government knocks on the door.

      What do you want to say?

      Is this bad? I think this is desired. Only in the C or C++ world do people act like understanding how compiler internals work (often poorly) is desired.
