THIS REQUIRES MORE WORK
Define unchecked (random) access in clause 3 or explain C++ approach. Likely needs a new subclause. Indexing into raw memory is a random access with no checking. In the STL, the [] operator does random access without checking. The function at
was added to provide range checking, including throwing an exceptiion if the check fails.
C++ is a strongly- and statically-typed language: all variables and expressions must have a type. C++ also permits implicit and explicit conversions between types.
C++ has a rich type system with many nuances. In addition to the C base types (int, long, float, double, char, and arrays with their C-style vulnerabilities), C++ provides the following:
Distinct types for char, signed char, unsigned char
bool with a true Boolean context
enum with fixed underlying type
Classes as the primary user-defined types
Arrays
References in addition to pointers
Parameterized types
Many vulnerabilities can be mitigated more easily by using library facilities rather than the base language types. (e.g. std::string rather than char*)
Use of the `explicit`{.cpp} keyword for constructors and conversion
operators
`operator bool()`{.cpp} discussion
many built-in implicit conversions, refer to TR 24772-3 clause 6.2
and other clauses (C)
conversion to bool and null pointer conversions
legacy code operator void\* - change to explicit operator bool
C-style casts break type safety.
static_cast
explicit casts highlight mismatches between the design and
implementation.
const and volatile
constexpr -- needs a writeup -- (in C++:11 , encouraged heavy stack
use and possible exhaustion).
Narrowly tailored number-like class types, such as time_point and duration, improve safety by providing only safe and appropriate operations. User-defined types tailored to a particular use case can provide additional safety.
C++ was initially defined as a syntactic superset of the C programming language: adding object oriented features such as classes, encapsulation, dynamic dispatch, namespaces and templates. It was a “syntactic superset” because whilst there is a core of C++ that is syntactically identical to C, it has always been the case that there are subtle semantic differences between the two, for example:
Historically, C permitted the use of a function before its declaration (though this is now deprecated in C) . This is illegal in C++
Where a struct is defined within another struct, in C the inner declaration is in effect made at file scope, so the definition is available for use later in the program. In C++, the inner declaration name is qualified by that of the parent, so without qualification, the inner struct cannot be used later in the program, as in the following example
struct S1 {
struct S2 {...} m1;
...
};struct S2 v1; /\* legal in C not C++ \*/
// legal in C++ not C S1::S2 v2
Subsequently, the two languages have diverged, both adding features not present in the other. Not withstanding that, there is still a significant syntactic and semantic overlap between C and C++, so the starting point for this report has been the equivalent for C. However, in many cases, the additional features of C++ provide mechanisms for avoiding the vulnerabilities inherited from C, and these are reflected in the following sections.
Include discussions of Object orientation, static, and const, scoped enumerations