
STL Hardening

Stephan T. Lavavej edited this page Dec 12, 2024 · 3 revisions

Plan

  • Review:
  • Design a consistent policy for what should be hardened
  • Design how this will be controlled, and its defaults
    • Opt-in means virtually no users will benefit, but has the least performance requirements
    • Implied-by-/sdl means some users will benefit automatically
    • Opt-out means all users will benefit automatically, but has the most stringent performance requirements
  • Design a termination mechanism:
    • Is CDL's termination mechanism ideal?
    • Should violations terminate the program differently?
    • Should it be customizable?
  • With a design, make the code changes (should be the easy part as 90% of the work is already present)
  • Optimizations to mitigate perf impact, once we have examples of where the perf impact will be
    • Loop in the compiler back-end
    • Additional library changes may also be necessary
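
As an added illustration of the control and termination questions above (sketch code written for this page, not the STL's implementation or anything from issue #5090): `HARDEN_LEVEL`, `HARDEN_VERIFY`, `hardened_vector` and the handler names are all constructed for the example, the four checks mirror the `vector` entries in the CDL audit below, and a custom handler that returns is deliberately not trusted.

```cpp
#include <cstddef>
#include <cstdlib>
#include <stdexcept>
#include <utility>
#include <vector>
// HARDEN_LEVEL stands in for a CDL-style switch: its default decides whether users
// are opted in (1) or opted out (0) without doing anything themselves.
#ifndef HARDEN_LEVEL
#define HARDEN_LEVEL 1
#endif
// Termination mechanism: a replaceable handler that is expected not to return.
using violation_handler = void (*)(const char* what);
[[noreturn]] inline void abort_on_violation(const char*) { std::abort(); }
inline violation_handler& current_handler() { static violation_handler h = abort_on_violation; return h; }
inline violation_handler set_violation_handler(violation_handler h) {
    return std::exchange(current_handler(), h); // returns the previous handler
}
// A violated precondition must never fall through into the operation it guards,
// so a custom handler that does return is followed by an unconditional abort.
#define HARDEN_VERIFY(cond, what) \
    do { if (HARDEN_LEVEL > 0 && !(cond)) { current_handler()(what); std::abort(); } } while (0)
// The four vector checks listed in the audit, layered over a plain std::vector.
template <class T>
class hardened_vector {
    std::vector<T> v_;
public:
    void push_back(const T& x) { v_.push_back(x); }
    T& operator[](std::size_t i) { HARDEN_VERIFY(i < v_.size(), "vector subscript out of range"); return v_[i]; }
    T& front() { HARDEN_VERIFY(!v_.empty(), "front() called on empty vector"); return v_.front(); }
    T& back() { HARDEN_VERIFY(!v_.empty(), "back() called on empty vector"); return v_.back(); }
    void pop_back() { HARDEN_VERIFY(!v_.empty(), "pop_back() called on empty vector"); v_.pop_back(); }
};
// Probe: install a throwing handler, exercise each check on an empty container and
// count the interceptions (4 when HARDEN_LEVEL > 0; at 0 this probe is itself UB).
[[noreturn]] inline void throw_on_violation(const char* what) { throw std::logic_error(what); }
inline int count_intercepted_violations() {
    violation_handler old = set_violation_handler(throw_on_violation);
    hardened_vector<int> v;
    int caught = 0;
    auto attempt = [&](auto&& op) { try { op(); } catch (const std::logic_error&) { ++caught; } };
    attempt([&] { (void)v[0]; });
    attempt([&] { (void)v.front(); });
    attempt([&] { (void)v.back(); });
    attempt([&] { v.pop_back(); });
    v.push_back(42);
    attempt([&] { (void)v[0]; }); // in range, so nothing is reported
    set_violation_handler(old);
    return caught;
}
```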

Audit of CDL checks (as of 2024-12-09)

  • vector
    • pop_back
    • operator[]
    • front
    • back
  • vector<bool>
    • operator[]
    • front
    • back
  • deque
    • operator[]
    • front
    • back
  • list
    • front
    • back
    • pop_front
    • pop_back
  • forward_list
    • front
  • basic_string
    • operator[]
    • front
    • back
    • resize_and_overwrite
  • basic_string_view
    • basic_string_view(const_pointer, size_type)
    • operator[]
    • front
    • back
    • remove_prefix
    • remove_suffix
  • array
    • operator[]
  • array<T, 0>
    • operator[]
    • front
    • back
  • ranges::view_interface
    • front
    • back
    • operator[]
  • condition_variable
    • wait_until(unique_lock&, const time_point&)
  • generator::iterator
    • operator*
    • operator++
  • generator
    • begin
  • valarray
    • operator*=
    • operator/=
    • operator%=
    • operator+=
    • operator-=
    • operator^=
    • operator|=
    • operator&=
    • operator<<=
    • operator>>=
    • operator[]
    • operator*
    • operator/
    • operator%
    • operator+
    • operator-
    • operator^
    • operator&
    • operator|
    • operator<<
    • operator>>
    • operator&&
    • operator||
    • operator==
    • operator!=
    • operator<
    • operator>
    • operator<=
    • operator>=
  • optional
    • operator*
    • operator->
  • expected<T, E>
    • operator->
    • operator*
    • error
  • expected<void, E>
    • operator*
    • error
  • span
    • span(It, size_type)
    • span(It, End)
    • span(R&&)
    • span(const span<OtherElementType, OtherExtent>&)
    • first
    • last
    • subspan
    • size_bytes
    • operator[]
    • front
    • back
  • iota_view
    • iota_view(W)
    • iota_view(type_identity_t<W>, type_identity_t<Bound>)
    • iota_view(Iter, Sent)
  • repeat_view::iterator
    • operator++
    • operator--
    • operator+=
    • operator-=
  • repeat_view
    • repeat_view(const T&, Bound)
    • repeat_view(T&&, Bound)
    • repeat_view(piecewise_construct_t, tuple<TArgs...>, tuple<BoundArgs...>)
  • filter_view
    • pred
    • begin
  • take_view
    • take_view(V, range_difference_t<V>)
  • take_while_view
    • pred
    • end
  • drop_view
    • drop_view(V, range_difference_t<V>)
  • drop_while_view
    • pred
    • begin
  • views::counted
    • operator()
  • chunk_view
    • chunk_view(V, range_difference_t<V>)
  • slide_view
    • slide_view(V, range_difference_t<V>)
  • chunk_by_view
    • pred
    • begin
  • stride_view
    • stride_view(V, range_difference_t<V>)
  • cartesian_product_view
    • size
  • extents
    • extents(VARIOUS ARGS)
    • static_extent
    • extent
  • layout_left::mapping
    • mapping(VARIOUS ARGS)
    • stride
    • operator()
  • layout_right::mapping
    • mapping(VARIOUS ARGS)
    • stride
    • operator()
  • layout_stride::mapping
    • mapping(VARIOUS ARGS)
    • stride
    • operator()
  • mdspan
    • static_extent
    • mdspan(const mdspan<OtherElementType, OtherExtents, OtherLayoutPolicy, OtherAccessor>&)
    • operator[]
    • size

Optimization issues

  • VSO-1556181 gsl::span CQ deficiency: predicate inference weakness #1
  • VSO-1556194 gsl::span CQ deficiency: useless multibyte copy
  • VSO-1556195 gsl::span CQ deficiency: predicate inference weakness #2

Reference

  • #5090 "Implement a hardened mode"