| ▲ | -fbounds-safety: Enforcing bounds safety for C(clang.llvm.org) |
| 92 points by thefilmore 3 days ago | 80 comments |
| |
|
| ▲ | tandr an hour ago | parent | next [-] |
| Niklaus Wirth died in 2024, and yet I hope he is having a major I-told-you-so moment about people blaming Pascal's bounds checking to be unneeded and making things slow. |
| |
| ▲ | nmz 16 minutes ago | parent [-] | | To this day, FPC uses less ram than any C compiler, A good thing in today's increasingly ramless world and they've managed this with way less developers working on it than its C compiler equivalent, I can't even imagine what it would look like if they had the same amount of people working on it. C optimization tricks are hacks, the fact godbolt exists is proof that C is not meant to be optimizable at all, it is brute force witchcraft. At a certain point though, something's gotta give, the compiler can do guesswork, but it should do no more, if you have to add more metadata then so be it it's certainly less tedious than putting pragmas and _____ everywhere, some C code just looks like the writings of an insane person. |
|
|
| ▲ | jcalvinowens 2 hours ago | parent | prev | next [-] |
| > As local variables are typically hidden from the ABI, this approach has a marginal impact on it. I'm skeptical this is workable... it's pretty common in systems code to take the address of a local variable and pass it somewhere. Many event libraries implement waiting for an event that way: push a pointer to a futex on the stack to a global list, and block on it. They address it explicitly later: > Although simply modifying types of a local variable doesn’t normally impact the ABI, taking the address of such a modified type could create a pointer type that has an ABI mismatch That breaks a lot of stuff. The explicit annotations seem like they could have real value for libraries, especially since they can be ifdef'd away. But the general stack variable thing is going to break too much real world code. |
| |
| ▲ | menaerus an hour ago | parent | next [-] | | I don't understand this example: you're taking an address of local-scope stack object, storing it into a global list, and then use this address elsewhere in the code, possibly at different time-point, to manipulate with the object? I am obviously missing something because this cannot work unless this object lives on the stack of main(). | | |
| ▲ | jcalvinowens 32 minutes ago | parent | next [-] | | The best example I know of off the top of my head is wait_event() in Linux. So long as the thread is guaranteed not to exit while blocked, you know its stack, and therefore the object allocated on it, must continue to exist. So, as long as there is no way to wake the thread except by kicking that object, the memory backing it is guaranteed to continue to exist until that object is kicked. You do have to somehow serialize the global data structure lookup (e.g. lock/dequeue/unlock/kick), if multiple threads can find and kick the object concurrently that's unsafe (the thread might exit between the first and subsequent kicks). Generally that's true, even in pthread userspace: while there are some obvious artificial counterexamples one can construct, real world code very rarely does things like that. | | |
| ▲ | menaerus 15 minutes ago | parent [-] | | Ok, I see, thanks for the example. Is this technique used to avoid the potential runtime performance cost because one would otherwise need to keep that object elsewhere/heap and not on a stack? Or is the problem definition something else? | | |
| ▲ | jcalvinowens 2 minutes ago | parent [-] | | It's just mechanically simpler that way. If the wakee thread dynamically allocated the object, it would have to free it: may as well let the compiler do that automatically for us. |
|
| |
| ▲ | jandrese 43 minutes ago | parent | prev [-] | | Yep, it's a straight up error in C to return the address of a local variable from a function outside of main. Valgrind will flag this as use of an uninitialized value. The problem is that as long as it's something where the calling function checks it immediately after the function exits and never looks again (something like an error code or choosing a code path based on the result) they often get away with it, especially in single threaded code. I'm running into this at this very moment as I'm trying to make my application run cleanly, but some of the libraries are chock full of this pattern. One big offender is the Unix port of Microsoft's ODBC library, at least the Postgre integration piece. I also blame the Unix standard library for almost having this pattern but not quite. Functions that return some kind of internal state that the programmer is told not to touch. Later they had to add a bunch of _r variants that were thread safe. The standard library functions don't actually have this flaw due to how they define their variables, but from the outside it looks like they do. It makes beginning programmers think that is how the functions should work and write their code in a similar manner. | | |
| ▲ | jcalvinowens 32 minutes ago | parent [-] | | > Yep, it's a straight up error in C to return the address of a local variable from a function Sure, that's true, but nobody is suggesting returning the address of a local variable anywhere in this thread. I'm describing putting a pointer to a local variable in a global data structure, which is safe so long as the function doing it is somehow guaranteed not to return until the pointer is removed from the global data structure. |
|
| |
| ▲ | rbanffy an hour ago | parent | prev [-] | | I would imagine variables that are passed to functions would be considered ABI-visible. If the compiler is smart enough, it can keep the pointer wide when it’s passed to a function that’s also being compiled and act accordingly on the other side, but that worries me because this new meaning of “pointer” is propagating to parts of the code that might not necessarily agree with it. |
|
|
| ▲ | ndiddy 4 hours ago | parent | prev | next [-] |
| Has any progress been made on this? I remember seeing this proposal 3 or 4 years ago but it looks like it still hasn't been implemented. It's a shame because it seems like a useful feature. It looks like Microsoft has something similar (https://learn.microsoft.com/en-us/cpp/code-quality/understan...) but it would be nice to have something that worked on other platforms. |
| |
| ▲ | mrpippy an hour ago | parent | next [-] | | Apple is shipping code built with this, and is supporting it for developers to use (see https://developer.apple.com/documentation/xcode/enabling-enh...) | |
| ▲ | Someone 4 hours ago | parent | prev | next [-] | | https://discourse.llvm.org/t/the-preview-of-fbounds-safety-i...: “-fbounds-safety is a language extension to enforce a strong bounds safety guarantee for C. Here is our original RFC. We are thrilled to announce that the preview implementation of -fbounds-safety is publicly available at this fork of llvm-project. Please note that we are still actively working on incrementally open-sourcing this feature in the llvm.org/llvm-project . To date, we have landed only a small subset of our implementation, and the feature is not yet available for use there. However, the preview does contain the working feature. Here is a quick instruction on how to adopt it.” “This fork” is https://github.com/swiftlang/llvm-project/tree/stable/202407..., Apple’s fork of LLVM. That branch is from a year ago. I don’t know whether there’s a newer publicly available version. There is a GSoC 2026 opportunity on upstreaming this into mainline LLVM (https://discourse.llvm.org/t/gsoc-2026-participating-in-upst...) | |
| ▲ | groos 2 hours ago | parent | prev [-] | | Microsoft's SAL annotations are meant to inform the static analyzer how the parameters are meant to be used so any violations of the contract can be diagnosed at compile time. The LLVM proposal is different in that it is checked at run time and will stop your program before it makes an out of bounds access. Static analyzers can obviously use the information in the type to help diagnose a subset of such problems at compile time. |
|
|
| ▲ | matheusmoreira an hour ago | parent | prev | next [-] |
| Amazing, this is a life saving feature for C developers. Apparently it's not complete yet? I will apply this to my code once the feature is included on LLVM and GCC. Would be nice if the annotations could also be applied to structure fields. struct bytes {
size_t count;
unsigned char * __counted_by(count) pointer;
};
void work_with(struct bytes);
|
| |
| ▲ | zokier 41 minutes ago | parent [-] | | counted_by for struct fields actually is actually the part that afaik works today: https://embeddedor.com/blog/2024/06/18/how-to-use-the-new-co... | | |
| ▲ | matheusmoreira 31 minutes ago | parent [-] | | That's amazing. Thanks for that reference. If it's good enough for the kernel, then it's good enough for me to start using in my own projects. It's really cool that the kernel is using this. The compiler must be generating simple bounds checking code with traps instead of crazy stuff involving magical C standard library functions. Perfect for freestanding nostdlib projects. |
|
|
|
| ▲ | taminka 4 hours ago | parent | prev | next [-] |
| this is amazing, counter to what most ppl think, majority of memory bugs are from out of bounds access, not stuff like forgetting to free a pointer or some such |
| |
| ▲ | Night_Thastus 2 hours ago | parent | next [-] | | Personally, as someone in C and C++ for the last few years, memory access is almost never the root bug. It's almost always logic errors. Not accounting for all paths, not handling edge cases, not being able to handle certain combinations of user or file input, etc. Occasionally an out-of-bounds access pops up, but they're generally so blindingly obvious and easy to fix that it's never been the slow part of bug fixing. | | |
| ▲ | lelanthran 2 hours ago | parent | next [-] | | I've been programming for long; the ratio of memory errors to logic bugs in production is so low as to be non-existent. My last memory error in C code in production was in 2018. Prior to that it I had a memory error in C code in production in 2007 or 2008. In C++, I eventually gave up trying to ship the same level of quality and left the language altogether. | | |
| ▲ | vlovich123 an hour ago | parent [-] | | The wider industry data gathered indicates that for memory unsafe languages 80% of issues are due to memory vulnerabilities, including mature codebases like Linux kernel, curl, V8, Chrome, Mach kernel, qemu etc etc etc. This doesn’t mean that logic bugs are less common, it just means that memory safety issues are the easiest way to get access. As for why your experience may be different, my hunch is that either your code was super simple OR you didn’t test it thoroughly enough against malicious/unexpected inputs OR you never connected the code to untrusted I/O. Keep in mind the data for this comes from popular projects that have enough attention to warrant active exploit research by a wide population. This is different from a project you wrote that doesn’t have the same level of attention. | | |
| ▲ | lelanthran 43 minutes ago | parent [-] | | > The wider industry data gathered indicates that for memory unsafe languages 80% of issues are due to memory vulnerabilities, including mature codebases like Linux kernel, curl, V8, Chrome, Mach kernel, qemu etc etc etc. You are misremembering the various reports - the reports were not that 80%[1] of issues were due to memory errors, but more along the lines of 80% of exploits were due to memory errors. You could have 1000 bugs, with 10 of them being vulnerabilities, and 8 of those 10 being due to memory errors, and that would still be in line with the reports. > As for why your experience may be different, my hunch is that either your code was super simple OR you didn’t test it thoroughly enough against malicious/unexpected inputs OR you never connected the code to untrusted I/O. Payments processing, telecoms and munitions control software. Of those, your explanation only applies to Telecoms; payments processing (EMV) was basically a constant stream of daily attacks, while munitions are live, in the field, with real explosives. We would've noticed any bugs, not just memory error bugs with the munitions one. -------------------- [1] The number wasn't 80% IIRC, more like 70%? | | |
| ▲ | thomasmg 17 minutes ago | parent [-] | | Yes. The problem is that most memory errors (out of bounds + use after free etc.) result in a vulnerability. Only a minority of the logic errors do. For operating systems kernels, browsers etc, vulnerabilities have a much, much bigger impact than logic errors: vulnerabilities need to be fixed immediately, and released immediately. Most logic errors don't need to be fixed immediately (sure, it depends on the issue, and on the type of software.) I would probably say "for memory unsafe languages, 80% of the _impact_ is due to memory vulnerabilities" |
|
|
| |
| ▲ | taminka 2 hours ago | parent | prev [-] | | logic errors aren't memory errors, unless you have some complex piece of logic for deallocating resources, which, yeah, is always tricky and should just generally be avoided |
| |
| ▲ | woodruffw 2 hours ago | parent | prev | next [-] | | "Majority" could mean a few things; I wouldn't be surprised if the majority of discovered memory bugs are spatial, but I'd expect the majority of widely exploited memory bugs to be temporal (or pseudo-temporal, like type confusions). | |
| ▲ | Retr0id 4 hours ago | parent | prev | next [-] | | I think UAFs are more common in mature software | | |
| ▲ | q3k 4 hours ago | parent [-] | | Or type confusion bugs, or any other stuff that stems from complex logic having complex bugs. Boundary checking for array indexing is table stakes. | | |
| ▲ | michh 4 hours ago | parent [-] | | table stakes, but people still mess up on it constantly. The "yeah, but that's only a problem if you're an idiot" approach to this kind of thing hasn't served us very well so it's good to see something actually being done. Trains shouldn't collide if the driver is correctly observing the signals, that's table stakes too. But rather than exclusively focussing on improving track to reduce derailments we also install train protection systems that automatically intervene when the driver does miss a signal. Cause that happens a lot more than a derailment. Even though "pay attention, see red signal? stop!" is conceptually super easy. | | |
| ▲ | q3k 4 hours ago | parent [-] | | I'm not saying it's not important, it is. I just don't believe that '[the] majority of memory bugs are from out of bounds access'. That was maybe true 20 years ago, when an unbounded strcpy to an unprotected return pointer on the stack was super common and exploiting this kind of vulnerabilities what most vulndev was. This brings C one tiny step closer to the state of the art, which is commendable, but I don't believe codebases which start using this will reduce their published vulnerability count significantly. Making use of this requires effort and diligence, and I believe most codebases that can expend such effort already have a pretty good security track record. | | |
| ▲ | vlovich123 an hour ago | parent [-] | | The majority of security vulnerabilities in languages like C that aren’t memory safe are due to memory safety issues like UAF, buffer overflows etc etc. I don’t think I’ve seen finer grained research that tries to break it out by class of memory safety issue. The data is something like 80% of reported vulnerabilities in code written in these languages are due to memory safety issues. This doesn’t mean there aren’t other issues. It just means that it’s the cheapest exploit to search for when you are trying to break into a C/C++ service. And in terms of how easy it is to convert a memory safety issue into an exploit, it’s not meaningfully much harder. The harder pieces are when sandboxing comes into play so that for example exploiting V8 doesn’t give you arbitrary broader access if the compromised process is itself sandboxed. |
|
|
|
| |
| ▲ | random_mutex 4 hours ago | parent | prev [-] | | There is use after free | | |
| ▲ | eecc 4 hours ago | parent [-] | | Majority. Parent said majority | | |
| ▲ | IshKebab an hour ago | parent [-] | | Exactly. Use after free is common enough that you can't just assert that out-of-bounds is the majority without evidence. |
|
|
|
|
| ▲ | hoyhoy 3 hours ago | parent | prev | next [-] |
| Xcode (AppleClang) has had -fbounds-safety for a while now. What is the delay getting this into merged into LLVM? |
|
| ▲ | worldsavior 4 hours ago | parent | prev | next [-] |
| Very cool. I always wondered why there isn't something like this in GCC/LLVM, it would obviously solve uncountable of security issues. |
|
| ▲ | manbash 3 hours ago | parent | prev | next [-] |
| Exciting! It doesn't imply that we should now sprinkle the new annotations everywhere. We still should keep working with proper iterators and robust data structures, and those would need to add such annotations. |
|
| ▲ | musicale 2 days ago | parent | prev | next [-] |
| I want an OS distro where all C code is compiled this way. OpenBSD maybe? or a fork of CheriBSD? macOS clang has supported -fbounds-safety for a while, but I"m not sure how extensively it is used. |
| |
| ▲ | kgeist 4 hours ago | parent | next [-] | | Maybe this: https://fil-c.org/pizlix >Pizlix is LFS (Linux From Scratch) 12.2 with some added components, where userland is compiled with Fil-C. This means you get the most memory safe Linux-like OS currently available. The author, @pizlonator, is active on HN. | | | |
| ▲ | wyldfire 6 hours ago | parent | prev | next [-] | | You need to annotate your program with indications of what variable tracks the size of the allocation. So, sure, but first work on the packages in the distro. Note that corresponding checks for C++ library containers can be enabled without modifying the source. Google measured some very small overhead (< 0.5% IIRC) so they turned it on in production. But I'd expect an OS distro to be mostly C. [1] https://libcxx.llvm.org/Hardening.html | |
| ▲ | bombcar 6 hours ago | parent | prev | next [-] | | Get gentoo, add this to CFLAGS and start fixing everything that breaks. Become a hero. | |
| ▲ | pjmlp 5 hours ago | parent | prev | next [-] | | It is called Solaris, and has this enabled since 2015 on SPARC. https://docs.oracle.com/en/operating-systems/solaris/oracle-... | | |
| ▲ | salawat an hour ago | parent [-] | | Might as well not even talk about anything with the Oracular kiss of death. | | |
| ▲ | rbanffy an hour ago | parent | next [-] | | Isn’t Illumos and OpenIndiana doing the same? I still remember someone at Sun commented they treated warnings as errors. This is how software should be developed. | | |
| ▲ | kbolino 22 minutes ago | parent [-] | | The feature is only on SPARC, not x86. Oracle killed in-house SPARC development in 2017, and they abandoned OpenSPARC after they acquired Sun, so it's effectively a dead architecture. The software won't work without the hardware to run it on. | | |
| ▲ | pjmlp 18 minutes ago | parent [-] | | Fujsitsu also does SPARC, and contrary to HP-UX, people still do buy Solaris. EDIT: https://www.oracle.com/servers/sparc/ https://www.fujitsu.com/global/products/computing/servers/un... Finally, it is up to Intel and AMD to come up with hardware memory tagging, so far they have messed up all attempts, with MPX being the last short lived one. | | |
| ▲ | kbolino 9 minutes ago | parent [-] | | It's good info, and I wouldn't rush a migration off of SPARC systems if I was already using them, but slow death is still death. It was already worrying that workstations were killed off by Sun before the Oracle acquisition; it seems quite clear that no one has been serious about spreading adoption of the architecture for more than two decades now. |
|
|
| |
| ▲ | pjmlp 22 minutes ago | parent | prev [-] | | Not everyone suffers from Oracle phobia. Some of us actually do read licenses before using products. Also the FAANG are hardly any better only because they spew cool marketing stuff like do no evil. |
|
| |
| ▲ | 1over137 6 hours ago | parent | prev | next [-] | | >I want an OS distro where all C code is compiled this way. You first have to modify "all C code". It's not just a set and forget compiler flag. | |
| ▲ | prussian 5 hours ago | parent | prev | next [-] | | Fedora and its kernels are built with GCC's _FORTIFY_SOURCE and I've seen modules crash for out of bounds reads. | | |
| ▲ | dezgeg 5 hours ago | parent [-] | | _FORTIFY_SOURCE is way smaller in scope (as in, closes less vulnerabilities) than -fbounds-safety. |
| |
| ▲ | groundzeros2015 4 hours ago | parent | prev | next [-] | | What are you hoping it will achieve? | | |
| ▲ | irishcoffee 4 hours ago | parent [-] | | The internet went down because cloudflare used a bad config... a config parsed by a rust app. One of these days the witch hunt against C will go away. | | |
| ▲ | hypeatei 4 hours ago | parent | next [-] | | The internet didn't go down and you're mischaracterizing it as a parsing issue when the list would've exceeded memory allocation limits. They didn't hardcode a fallback config for that case. What memory safety promise did Rust fail there exactly? | | | |
| ▲ | random_mutex 4 hours ago | parent | prev | next [-] | | A panic in Rust is easier to diagnose and fix than some error or grabage data that was caused by an out of bounds access in some random place in the call stack | |
| ▲ | wat10000 3 hours ago | parent | prev [-] | | A service going down is a million times better than being exploited by an attacker. If this is a witch hunt then C is an actual witch. |
|
| |
| ▲ | pezgrande 5 hours ago | parent | prev [-] | | does any distro uses clang? I thought all linux kernels were compiled using gcc. | | |
| ▲ | yjftsjthsd-h an hour ago | parent | next [-] | | https://www.kernel.org/doc/html/latest/kbuild/llvm.html > The Linux kernel has always traditionally been compiled with GNU toolchains such as GCC and binutils. Ongoing work has allowed for Clang and LLVM utilities to be used as viable substitutes. Distributions such as Android, ChromeOS, OpenMandriva, and Chimera Linux use Clang built kernels. Google’s and Meta’s datacenter fleets also run kernels built with Clang. | |
| ▲ | honktime 4 hours ago | parent | prev | next [-] | | Chimera does, it also has a FreeBSD userland AFAIU. https://chimera-linux.org/ | |
| ▲ | zmodem 5 hours ago | parent | prev [-] | | Not a Linux distro, but FreeBSD uses Clang. And Android uses Clang for its Linux kernel. -fbounds-safety is not yet available in upstream Clang though: > NOTE: This is a design document and the feature is not available for users yet. |
|
|
|
| ▲ | nananana9 5 hours ago | parent | prev | next [-] |
| template <typename T>
struct Slice {
T* data = nullptr;
size_t size = nullptr;
T& operator[](size_t index) {
if (index >= size) crash_the_program();
return data[index];
}
};
If you're considering this extension, just use C++ and 5 lines of standard, portable, no-weird-annotations code instead. |
| |
| ▲ | uecker 5 hours ago | parent | next [-] | | Or just do it in C. #define span(T) struct span_##T { size_t len; T *data; }
#define span_access(T, x, i) (*({ \
span(T) *_v = (x); \
auto _i = (i); \
if (((size_t)_i) >= _v->len) abort(); \
&_v->data[_i]; \
}))
https://godbolt.org/z/TvxseshGc | | |
| ▲ | nananana9 4 hours ago | parent | next [-] | | Still requires a gcc/clang specific extension (although this one I'd be very happy to see standardized) | | |
| ▲ | uecker 2 hours ago | parent [-] | | Only statement expressions, but one can also implement this without them. |
| |
| ▲ | fuhsnn 3 hours ago | parent | prev [-] | | The fact that pointer types can't be used with this pattern without typedef still seems kinda primitive to me. | | |
| ▲ | uecker 2 hours ago | parent [-] | | You can use pointer types by using a typedef first, but I agree this not nice (I hope we will fix this in future C). But then, I think this is a minor inconvenience for having an otherwise working span type in C. |
|
| |
| ▲ | zmodem 5 hours ago | parent | prev | next [-] | | The extension is for hardening legacy C code without breaking ABI. | |
| ▲ | pjmlp 5 hours ago | parent | prev | next [-] | | Even better, starting with C++26, and considered to be done with DR for previous versions, hardned runtimes now have a portable way to be configured across compilers, instead of each having their own approach. However, you still need something like -fbounds-safety in C++, due to the copy-paste compatibility with C, and too many people writing Orthodox C++, C with Classes, Better C, kind of code, that we cannot get rid of. | | |
| ▲ | nananana9 5 hours ago | parent [-] | | I'm sure std::span is great, but I like mine better :) I find it a bit hard to justify using the STL when a single <unordered_map> include costs 250ms compile time per compile unit. The fact that I don't have to step through this in the debugger is also a bonus: template <size_t _Offset, size_t _Count = dynamic_extent>
[[nodiscard]] _LIBCPP_HIDE_FROM_ABI constexpr auto subspan() const noexcept
-> span<element_type, _Count != dynamic_extent ? _Count : _Extent - _Offset> {
static_assert(_Offset <= _Extent, "span<T, N>::subspan<Offset, Count>(): Offset out of range");
static_assert(_Count == dynamic_extent || _Count <= _Extent - _Offset,
"span<T, N>::subspan<Offset, Count>(): Offset + Count out of range");
using _ReturnType = span<element_type, _Count != dynamic_extent ? _Count : _Extent - _Offset>;
return _ReturnType{data() + _Offset, _Count == dynamic_extent ? size() - _Offset : _Count};
}
| | |
| ▲ | pjmlp 5 hours ago | parent [-] | | Only if not able to do import std, or pre-compiled headers, and not using modern IDEs with "just my code" filters. As someone that enjoys C++ since 1993, alongside other ecosystems, many pain points on using C++ complaints are self inflicted, by avoiding using modern tools. Heck, C++ had nice .NET and Java alike frameworks, with bounds checking even, before those two systems came to exist, and nowadays all those frameworks are mostly gone with exception of Qt and C++ Builder ones, due to bias. |
|
| |
| ▲ | osmsucks 2 hours ago | parent | prev | next [-] | | size_t size = nullptr;
wat | |
| ▲ | wat10000 5 hours ago | parent | prev | next [-] | | You should tell the LLVM folks, I guess they didn't know about this. | |
| ▲ | baq 5 hours ago | parent | prev [-] | | and if you write directly in assembly you don't even need a C++ compiler | | |
| ▲ | nananana9 5 hours ago | parent [-] | | That's an objectively correct statement, but I don't see how it makes sense as a response to my comment, as I'm advocating to use the more advanced feature-rich tool over the compiler-specific-hacks one. | | |
| ▲ | yjftsjthsd-h an hour ago | parent | next [-] | | If you're advocating switching languages, then there's no reason to stop at C++. It's more common to propose just converting the universe to Rust, but assembly also enjoys the possibility of being fairly easy to drop in on an existing C project. | |
| ▲ | zephen 4 hours ago | parent | prev [-] | | > I don't see how it makes sense as a response to my comment Your comment started out with "just." As if there are never any compelling reasons to want to make existing C code better. But instead of taking that as an opportunity to reflect on when various tools might be appropriate, > as I'm advocating to use the more advanced feature-rich tool over the compiler-specific-hacks one. You've simply doubled down. |
|
|
|
|
| ▲ | cranberryturkey 4 hours ago | parent | prev [-] |
| The real question is adoption friction. The annotation requirement means this won't just slot into existing codebases — someone has to go through and mark up every buffer relationship. Google turning on libcxx hardening in production with <0.5% overhead is compelling precisely because it required zero source changes. The incremental path matters more than the theoretical coverage. I'd love to see benchmarks on a real project — how many annotations per KLOC, and what % of OOB bugs it actually catches in practice vs. what ASAN already finds in CI. |
