Memory safety in C++: WG21 initiatives (lifetime, contracts, safety profiles) and empirical analysis of open-source projects
DOI: https://doi.org/10.15330/itee.2025.2.05
Keywords: C++, memory safety, undefined behavior, lifetime safety, contracts, safety profiles, sanitizers, ASan, UBSan
Abstract
The study examines memory safety in C++ in the context of ISO WG21 initiatives and an empirical evaluation on real-world open-source code. We summarize the typical undefined-behavior (UB) and vulnerability classes related to object lifetimes, out-of-bounds accesses, and resource misuse. We review the WG21/SG23 directions Lifetime Safety, Contracts, and Safety Profiles as a staged approach to raising safety guarantees while preserving C++ performance and its ecosystem. We conduct a reproducible experiment on three libraries (fmt, spdlog, nlohmann/json) using g++ 13.3 with AddressSanitizer and UndefinedBehaviorSanitizer, and provide a build-and-test protocol, normalized metrics, tables, and charts. The data show a low incidence of runtime findings in mature libraries under their existing test coverage, which supports the relevance of both tooling and standardization efforts for reducing UB-related risk; sanitizers only report defects on paths the test suite actually executes, so a low count bounds what was exercised rather than what the code contains.
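The UB classes named in the abstract (object lifetime, out-of-bounds access, resource misuse, plus the signed-overflow class that UBSan reports) are illustrated below in an added example that is not code from the paper or from the libraries it measures. Each unsafe form is placed beside a well-defined form; the build line in the header comment is an assumed sanitizer protocol in the spirit of the abstract's g++ 13.3 setup, not the authors' exact script, and the function and file names are illustrative.

```cpp
// Added illustration (not from the paper): unsafe vs. safe forms of the UB
// classes discussed above. Under ASan/UBSan the unsafe forms are the ones
// that produce reports; the safe forms return well-defined values.
//
// Assumed build line (illustrative, not the paper's protocol):
//   g++-13 -std=c++20 -O1 -g -fno-omit-frame-pointer \
//       -fsanitize=address,undefined -fno-sanitize-recover=all ub_classes.cpp
#include <climits>
#include <cstddef>
#include <cstdio>
#include <memory>
#include <stdexcept>
#include <string>
#include <string_view>
#include <vector>

// 1. Object lifetime: a view that outlives the object it views.
// UNSAFE: tmp is destroyed at return, so the returned view dangles.
// ASan reports a read through it as stack-use-after-scope / use-after-free.
std::string_view dangling_view() {
    std::string tmp = "temporary owner of the bytes";
    return std::string_view(tmp);
}
// SAFE: hand back the owner; the caller decides how long it lives.
std::string owned_string() {
    return std::string("temporary owner of the bytes");
}

// 2. Out-of-bounds access.
// UNSAFE: operator[] does no bounds check; i >= size() is UB and ASan
// reports heap-buffer-overflow for a heap-backed vector.
int unchecked_read(const std::vector<int>& v, std::size_t i) {
    return v[i];
}
// SAFE: explicit precondition, the same check a Contracts precondition or a
// bounds-safety profile would enforce; fails loudly instead of reading past the end.
int checked_read(const std::vector<int>& v, std::size_t i) {
    if (i >= v.size()) throw std::out_of_range("index out of range");
    return v[i];
}

// 3. Resource misuse: releasing a raw owner twice.
// UNSAFE: second delete is UB; ASan reports attempting double-free.
void double_delete() {
    int* p = new int(42);
    delete p;
    delete p;
}
// SAFE: unique ownership releases the resource exactly once at scope exit.
int scoped_owner() {
    auto p = std::make_unique<int>(42);
    return *p;
}

// 4. Signed integer overflow (UBSan: -fsanitize=signed-integer-overflow).
// UNSAFE: a + b overflows for INT_MAX + 1; UBSan prints "signed integer overflow".
int unchecked_add(int a, int b) { return a + b; }
// SAFE: portable pre-check; returns false instead of computing the overflowing sum.
bool checked_add(int a, int b, int& out) {
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b)) return false;
    out = a + b;
    return true;
}

int main() {
    std::vector<int> v{1, 2, 3};
    int sum = 0;
    std::printf("checked_read(v, 1) = %d\n", checked_read(v, 1));
    std::printf("owned_string() = %s\n", owned_string().c_str());
    std::printf("scoped_owner() = %d\n", scoped_owner());
    std::printf("checked_add(INT_MAX, 1) ok? %d\n", checked_add(INT_MAX, 1, sum));
    // Uncomment one at a time under the sanitizer build to see the report:
    // std::printf("%d\n", unchecked_read(v, 3));                         // heap-buffer-overflow
    // std::string_view sv = dangling_view(); std::printf("%c\n", sv[0]); // use-after-scope
    // double_delete();                                                   // double-free
    // std::printf("%d\n", unchecked_add(INT_MAX, 1));                    // signed-integer-overflow
    return 0;
}
```

Without the sanitizer flags the unsafe calls may appear to work, which is the point the abstract makes about tooling: the defect is present in the source regardless, and only an instrumented run on a path that executes it turns it into a finding.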
References
Serebryany K., Bruening D., Potapenko A., Vyukov D. AddressSanitizer: A Fast Address Sanity Checker. Proceedings of the 2012 USENIX Annual Technical Conference (USENIX ATC ’12). 2012. URL: https://dl.acm.org/doi/10.5555/2342821.2342849
ISO/IEC JTC1/SC22/WG21. Working Draft, Standard for Programming Language C++. URL: https://open-std.org
Sutter H. Lifetime safety: Preventing common dangling. P1179R1. WG21, 2019. URL: https://www.open-std.org/jtc1/sc22/wg21/docs/papers/2019/p1179r1.pdf
Stroustrup B., Dos Reis G. Design Alternatives for Type-and-Resource Safe C++. P2687R0. WG21, 2022. URL: https://www.open-std.org/jtc1/sc22/wg21/docs/papers/2022/p2687r0.pdf
Doumler T. et al. Contracts for C++. P2900R13. WG21, 2025. URL: https://open-std.org/jtc1/sc22/wg21/docs/papers/2025/p2900r13.pdf
Sutter H. Core safety profiles for C++26. P3081R2. WG21, 2025. URL: https://www.open-std.org/jtc1/sc22/wg21/docs/papers/2025/p3081r2.pdf
Berne J., Lakos J. Prevent Undefined Behavior By Default. P3558R0. WG21, 2025. URL: https://www.open-std.org/jtc1/sc22/wg21/docs/papers/2025/p3558r0.pdf
Dos Reis G. Reference checking. P2878R1. WG21, 2023. URL: https://www.open-std.org/jtc1/sc22/wg21/docs/papers/2023/p2878r1.html
Sutter H. Making Safe C++ Happen. P3700R0. WG21, 2025. URL: https://www.open-std.org/jtc1/sc22/wg21/docs/papers/2025/p3700r0.html
Xu J., Lu K., Du Z. et al. A Study of Compiler-Introduced Security Bugs. 2023. URL: https://nebelwelt.net/files/23SEC4.pdf
Yang X., Chen Y., Eide E., Regehr J. Finding and understanding bugs in C compilers. ACM SIGPLAN Notices, vol. 46, no. 6, pp. 283–294, 2011. DOI: https://doi.org/10.1145/1993316.1993532
Verdi M. et al. An Empirical Study of C++ Vulnerabilities in Crowd-Sourced Code Examples. 2019. URL: https://arxiv.org/pdf/1910.01321
Xu H. et al. Memory-Safety Challenge Considered Solved? An In-Depth Study of Rust. 2020. URL: https://arxiv.org/pdf/2003.03296
Moghadam V. E. Memory Integrity Techniques for Memory-Unsafe Languages: A Survey. 2024. URL: https://iris.santannapisa.it/retrieve/9ebf4c27-86fb-401c-827b-6fad063f1d08/Memory_Integrity_Techniques_for_Memory-Unsafe_Languages_A_Survey.pdf
nlohmann. JSON for Modern C++. GitHub repository. URL: https://github.com/nlohmann/json
