The developers of the LLVM project have proposed a number of changes aimed at strengthening the security of mission-critical C++ projects and providing a means to eliminate errors caused by buffer overruns. The work is focused on two areas: providing a development model that allows you to safely work with buffers, and working on hardening the security of the libc++ standard library of functions.
The proposed safe programming model for C++ is to use the classes provided by the standard library when working with buffers instead of manipulating bare pointers. For example, it is proposed to use the std::array, std::vector, and std::span classes, which will be added with a run-time check for out-of-bounds allocated memory.
To combat dangerous programming practices in clang, it is proposed to issue compiler warnings for all pointer arithmetic operations, similar to clang-tidy's linter warnings when using the "cppcoreguidelines-pro-bounds-pointer-arithmetic" flag, support for which will appear in the release LLVM 16. To enable such warnings, a separate flag will be added to clang, which is not active by default.
It is planned to implement an optional hardened protection mode in libc++, which, when enabled, will catch some situations that lead to undefined behavior at run time. For example, in the std::span and std::vector classes, an out-of-bounds access will be monitored, in which case the program will crash. The developers believe that adding such changes will keep libc++ compliant with C++ standards, since the choice of how to handle cases of undefined behavior lies with the developers of the library, which may, among other things, interpret undefined behavior as a crash that requires the program to exit.
Runtime checks in libc++ are planned to be divided into categories that can be included individually. Some of the suggested checks that do not result in more complex operations or ABI changes are already implemented in libc++'s safe mode.
In addition, it is planned to prepare a toolkit for correcting the code, allowing you to replace variables with bare pointers on containers and apply alternative handlers in situations where the container cannot directly replace the pointer (for example, the βif (array_pointer)β construct can be converted to βif (span.data ()"). Adjustments can be applied not only to local variables, but also to type parameters with pointers.
Source: opennet.ru