RFC: Adopt C++ Safe Buffers? #31272

issue maflcko openend this issue on November 11, 2024
  1. maflcko commented at 2:30 pm on November 11, 2024: member

    C++ is unsafe, meaning that any code written in it may cause undefined behavior at runtime. One possible source of undefined behavior is out-of-range memory access.

    While some limited compiler warnings exist to detect some obvious cases, tracking down out-of-range memory access is usually done at runtime with debugging tools such as Valgrind or Asan. However, such tools can normally not be used in production, because they are not hardening tools, see https://stackoverflow.com/a/70004411/2084795. Some C++ standard libraries provide options to enable a hardened build, which can also be used in production, see https://libcxx.llvm.org/Hardening.html.

    However, this requires using the standard library containers or primitives to represent buffers. For example, instead of using a raw C-array, std::array should be preferred. Also, instead of using a raw C-pointer, std::span should be preferred.

    The required patch is large-ish. However, I think it would be good to keep this hardening feature in mind and use std::array and std::span for new code. Possibly in the future, those can be enforced. std::array via https://clang.llvm.org/extra/clang-tidy/checks/modernize/avoid-c-arrays.html and std::span (really all buffer representations) via -Wunsafe-buffer-usage https://clang.llvm.org/docs/SafeBuffers.html.

  2. maflcko added the label Brainstorming on Nov 11, 2024
  3. laanwj commented at 11:02 am on November 14, 2024: member

    However, this requires using the standard library containers or primitives to represent buffers. For example, instead of using a raw C-array, std::array should be preferred. Also, instead of using a raw C-pointer, std::span should be preferred.

    i think we’ve already been going in this direction for quite a while.

  4. dergoegge commented at 7:52 pm on November 15, 2024: member

    My understanding is that only libc++ offers such a hardened build right now

    -D_GLIBCXX_ASSERTIONS appears to enable the same (or similar) for libstdc++, see here.

  5. vasild commented at 12:09 pm on November 21, 2024: contributor

    Concept ACK

    required patch is large-ish

    Which patch exactly? To switch everything to use std::array and make clang-tidy-avoid-c-arrays happy (and similar for std::span)? Approach ACK on that one ;)

  6. ldionne commented at 10:37 pm on December 4, 2024: none

    Libc++ maintainer here. I don’t know how much existing use of the C++ Standard Library you have in the code base today, however one thing you could do is enable hardening today and then your code will get safer the more standard library usage you introduce. Adoption-wise, that can be easier and it can also provide a nice incentive for folks to use the standard library instead of e.g. C arrays and raw pointers. In other words, you don’t need to already be using the standard library extensively to enable hardening.

    libc++: -D_LIBCPP_HARDENING_MODE=_LIBCPP_HARDENING_MODE_{FAST,EXTENSIVE,DEBUG} (for production, we recommend _LIBCPP_HARDENING_MODE_FAST libstdc++: -D_GLIBCXX_ASSERTIONS which should be more or less equivalent to libc++’s fast mode

    If you do enable hardening and have questions or run into issues (with libc++), feel free to @ldionne or @var-const and we can probably help out.

  7. vasild referenced this in commit 0398eb63a3 on Dec 5, 2024
  8. vasild commented at 6:22 am on December 5, 2024: contributor
    @ldionne, thanks for the suggestion! Followed up in #31424.
  9. vasild referenced this in commit 5523b84bdf on Dec 6, 2024
  10. vasild referenced this in commit 221c410eb6 on Dec 9, 2024
  11. vasild referenced this in commit 10fff39298 on Dec 9, 2024
  12. vasild referenced this in commit 0c9e6143e5 on Dec 10, 2024
  13. vasild referenced this in commit f594291f3f on Dec 18, 2024
  14. vasild referenced this in commit 5b9ce48d74 on Dec 19, 2024
  15. vasild referenced this in commit f4218b8a78 on Dec 20, 2024
  16. vasild referenced this in commit 1ef9f7ca4a on Jan 6, 2025
  17. fanquake referenced this in commit 98939ce7b7 on Jan 16, 2025
  18. vasild referenced this in commit 8cf75a4a18 on Jan 27, 2025
  19. vasild referenced this in commit a3a799c77c on Mar 14, 2025
  20. fanquake referenced this in commit aa87e0b446 on Mar 20, 2025


maflcko laanwj dergoegge vasild ldionne

Labels
Brainstorming

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2025-04-27 18:12 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me