Taming the UB Monsters in C++

Original Article ↗ Hacker News Discussion ↗

Perceived impact of Herb’s UB work

  • Many see the proposal as incremental: largely cataloging dynamic mitigations (CFI, pointer integrity, bounds checks) that don’t change the C++ spec, add overhead, and sometimes need special hardware.
  • Commenters note that major projects (e.g., browsers) already use these techniques and still suffer serious UB issues, so this doesn’t “solve” the problem.
  • Constexpr-UB restrictions are viewed as mostly irrelevant to attackers, who exploit runtime behavior.
  • Others welcome consolidation of hardening options, especially for unrewritable legacy codebases; “better compilers that complain more” are seen as pragmatically valuable.

C++ standardization and committee dynamics

  • Strong criticism of WG21: too many feature proposals from people without implementation experience; implementers allegedly ignored even when all major compilers object.
  • Desire for genuine “proof of implementation” before standardizing features.
  • Several expect C++23/26 to be the last widely influential standards; later ones may resemble obscure Fortran/COBOL revisions.
  • Complaints about complexity, slower compile times, and very slow industry adoption (many projects just now moving to C++17).

Rust and “safe language” alternatives

  • Some committee-adjacent voices reportedly see C++ as mainly for existing projects; for new work, C++ is often deemed subpar versus Rust.
  • Many argue that if you’re going to rewrite into a non-standard dialect (e.g., Circle), you might as well choose Rust with a mature tooling ecosystem.
  • Rust is praised for FFI and enabling gradual migration; mitigations in C++ are seen as complementary but not a substitute for safe languages.
  • Others emphasize that massive C/C++ infrastructure (compilers, drivers, POSIX, financial systems) can’t realistically be wholesale rewritten, so improving C/C++ remains necessary.

UB, memory safety, and real-world exploits

  • Debate over which UB matters most: some stress out-of-bounds as top CWE categories; others note modern exploits heavily use temporal bugs (UAF, double free) and data-only attacks that bypass CFI.
  • Explanation that UB is a contract exploited by optimizers, leading to “time-travel” bugs where earlier code is transformed based on later UB.
  • Disagreement on integer-overflow UB: one side sees it as mostly logic bugs where any overflow is already wrong; the other insists it’s a good teaching example of how UB invalidates reasoning and proofs.

Mitigations vs rewrites

  • Hardening options (STL bounds checks, ASan, CFI, shadow stacks, fuzzing, static analysis) are widely recommended for legacy C++; they reduce many memory-safety CVEs and often turn RCE into DoS.
  • Security practitioners say these measures raise the bar but do not make exploitation “impossible,” especially for temporal bugs and non-control-flow attacks.
  • Some argue critical new systems should default to Rust or similar; others highlight broader security issues (patching, password reuse, social engineering) and worry that memory-safety focus is skewed by large vendors’ priorities.