Shulou(Shulou.com)06/02 Report--

This article mainly explains the "C++ Core Check security coding standards are what", the content of the article is simple and clear, easy to learn and understand, now please follow the editor's ideas slowly in depth, together to study and learn "C++ Core Check security coding standards is what" it!

For performance, but also for safety

Rust and C++ are two popular system-level development languages. Over the years, the industry's focus on C++ is mainly on performance, and we have been hearing feedback from customers and security researchers that they hope C++ should have more security coding guidelines at the language level.

C++ is often considered to lag behind Rust in terms of secure programming.

Drawing on the characteristics of Rust in secure coding, we have added four new coding security guidelines in C++ Core Check of Visual Studio 2019 v16.7. Let's see.

The switch statement has no default tag

The pattern matching structure in Rust is similar to the switch language structure in C++. The main difference is that Rust requires developers to cover all pattern matching possibilities, either by writing an explicit processor for each pattern, or by adding a default processor (if all other patterns do not match).

For example, the following Rust code will not be compiled because it lacks a default processor.

This is a concise security feature because it prevents programming errors that are easy to occur but not so easy to catch.

If the enumerated type is used in the switch statement and not every enumerated value is judged, Visual Studio warns the developer and issues C4061 and C4062. However, for other types, such as integers, there is no warning.

In this version, we introduce a safe coding guideline: for non-enumerated types (such as char, int), Visual Studio will issue a warning if there is no default processing tag in the switch statement. You can select three different rules in the project's rule settings and analyze the code.

C++ Core Check Style Rules

C++ Core Check Rules

> Microsoft All Rules

Let's use C++ to rewrite the above example of Rust.

If we remove the default tag, Visual Studio will give the following warning:

Implicit jump (Unannotated fallthrough) in switch statement

Another limitation on pattern matching in Rust is that they do not support implicit jumps in case statements. In C++, the following code passes the compiler check perfectly.

The above C++ code makes a lot of sense, but an implicit jump in a case statement can easily become the Bug of the program. For example, if the developer forgets to add the break statement after the each (food) call, the code will still be compiled, but the result will be very different. If the scale of the project is very large, it will be difficult to track this kind of Bug.

Fortunately, annotations like [[fallthrough]] have been added to Clippers 17, the main purpose of which is to make implicit jumps in different case statements, so that in the above example, the developer can use this tag to indicate to the compiler that he really wants to perform this behavior.

In Visual Studio 2019 v16.7, the compiler gives a C26819 warning if an implicit jump occurs without using the [[fallthrough]] annotation in the code. This rule is enabled by default when Visual Studio performs code analysis.

To address the above warning, you can add a [[fallthrough]] tag to the case statement, as shown in the following figure:

Expensive copy operation

One of the main differences between Rust and C++ is that Rust defaults to move semantics instead of copy.

For example:

This means that when you do need to copy semantics, you need to use explicit copy statements, as shown in the following figure:

C++ is different, it defaults to copy semantics. Generally speaking, this is not a big problem, but sometimes it can lead to some Bug. A common example is when using the range-for statement. Let's take a look at this example:

In the above code, each primitive in vector is copied into p in each iteration loop. If the element is a large structure, the copy operation will be very expensive, and this situation is not easy to see.

To avoid unnecessary copying, we have added a coding guideline to C++ Core Check and recommend that developers remove such copying, as shown in the following figure:

The following is a way to determine whether a copy operation is necessary:

If the size of the type is more than twice the size of the platform-dependent pointer, and the type is not a smart pointer or one of gsl::span, gsl::string_span, or std::string_view, the copy is considered unnecessary. This means that for smaller data types, such as integers, the warning is not triggered. For larger types, such as the Person type in the example above, the copy operation is considered expensive (unnecessary) and the compiler issues a warning.

The last point about this rule is that if the variable in the body of the loop is mutated, the warning will not be triggered, as shown in the following figure:

If you are using a container other than the const type, you can avoid unnecessary copies by changing the object to a reference type.

However, this modification will lead to a new side effect. Therefore, this warning only recommends that the circular variable be marked as a const reference, and will not be triggered if the circular variable cannot be legally marked as const.

This coding guideline is enabled by default.

Copy of auto type variable

The last check rule concerns the copy operation of a variable of type auto.

Consider the following Rust code, where type resolution is performed for a variable that is assigned a reference.

Due to the requirements of Rust, in most cases, replication must be explicit, so in the above example, the password type automatically resolves to an immutable reference after it is assigned an immutable reference, and does not perform expensive copy operations.

On the other hand, consider the following C++ code:

In the above code, even if the return type of getPassword is a const reference to a string, the type of password is resolved to std::string. As a result, the contents of PasswordManager::password are copied to the local variable password.

The following is compared with a function that returns a pointer:

The behavior difference between assigning references and pointers to variables marked auto is not obvious, which can lead to unnecessary and accidental copies.

To prevent errors caused by this behavior, the inspector checks all initialization instances from references to variables marked auto. If the generated copy operation is considered expensive using the same heuristics as scope checking, the inspector warns you to mark the variable as a const reference type.

And as with scope checking, this warning is not issued as long as the variable cannot be legally marked as const.

Another situation in which no warning is issued is when a reference is derived from a temporary object. In this case, once the temporary file is destroyed, the use of a const auto reference will result in a "hanging" reference to the destroyed temporary variable.

This coding guideline is enabled by default.

Thank you for your reading, the above is the content of "what is the C++ Core Check security coding standard". After the study of this article, I believe you have a deeper understanding of what the C++ Core Check security coding standard is, and the specific use needs to be verified in practice. Here is, the editor will push for you more related knowledge points of the article, welcome to follow!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.