1 Aurora InnovationContinuous Regression Testing for Safer and Faster Refactoring Pejman Ghorbanzade Aurora Innovation3 Aurora Innovation Engineers spend 17 hours per week maintaining software. *Stripe

2019/2020 2020 2021 Now 2022 Gabor.Horvath@microsoft.comApproaches to safety C++ is getting safer The lifetime safety toolbox What comes next?Memory Safety • Microsoft: 70 percent of all security 23Approaches to safety Safe Unsafe Hybrid approach • Suggest safer constructs • Find bugsApproaches to safety Safe Unsafe Hybrid approach • Suggest safer constructs • Find bugs • Suggest use of RAII • Find Hybrid approach • Suggest safer constructs • Find bugs • Suggest use of RAII • Find bad locking patterns • Choose your own adventureApproaches to safety C++ is getting safer The lifetime safety

Absolute measures (“Is it safe?” “Is it secure?”) very hard to attain ▪ Relative measures (“Is it safer?” “Is it secure against attack X?”) easier to attain 30SAFETY ▪ It is a tradeoff… ▪ Performance via a correctly initialized array_view, then its bounds cannot be overrun.” ▪ Is this safe? ▪ Safer? Perhaps. Safe? No. ▪ We can’t check if either pointer or [pointer, pointer + size) is valid defined behavior is one that can be caught in the code by catching the exception.” ▪ Is this safe? ▪ Safer? Perhaps (if folks call at() instead of []). Safe? No. ▪ Still suffers from not knowing if span

4Same program, only safer 26Same program, only safer (No units library) int degrees_per_second_from_rpm(int rpm) { return rpm * 6; // Magic number! } 26.1Same program, only safer (No units library) return degrees_per_second_t{revolutions_per_minute_t{rpm}}.to(); } 26.2Same program, only safer (No units library) int degrees_per_second_from_rpm(int rpm) { return rpm * 6; // Magic number (int rpm) { return (revolutions / minute)(rpm).in(degrees / second); } 26.3Same program, only safer (No units library) int degrees_per_second_from_rpm(int rpm) { return rpm * 6; // Magic number

COULDN'T DO THIS BEFORE… Anywhere we can put a template, we can put a concept. Methods can be made safer with P0847, because they can constrain the derived type of the explicit object parameter. struct Code deduplication/correctness-by-compiler Completeness-by-compiler Class interface gets "simpler & safer on the outside" Constrained descendants Simpler member function pointersADT STYLE ADVANTAGES Code Code deduplication/correctness-by-compiler Completeness-by-compiler Class interface gets "simpler & safer on the outside" Constrained descendants Simpler member function pointers Easier patternsADT STYLE

violations of the static type system • No resource leaks • Convince developers to use that safe (or just safer) styles of use • Except where it is not appropriate • Direct use of system and hardware resources user-defined types • Operator overloading (initially for resource management) • References: simpler and safer argument passing Stroustrup - C++ safety -CppCon - October 2023 23 Problem: Too many pointers in guidelines • Serving a variety of needs Stroustrup - C++ safety -CppCon - October 2023 29 Do you use the safer features? Consistently? If not, why not?State of affairs • The parts of what I am describing have

improvement via directed evolution 10 simpler metric: 90% of today’s guidance not needed 50 safer metric: 98% fewer type/bounds/init/lifetime CVEs Friction-free interop Always generate 100% C++20/23 language type C++17: Safer variant library type But: Everything is unnamed → harder to use, and can’t distinguish repeated types .42 C: Special unsafe union language type C++17: Safer variant library type time for the whole language: as an intentional directed evolution to be 10 simpler to be 50 safer to evolve more freely again for another 30 years?

developers in a safer way; We can use safer tools to experiment, optimize and interact with our systems. • It may be the safest way to access system level features of our operating systems in a safer way. Alot

interactions? What are best practices for using C from C++? How can we use C++ to make HW access cleaner, safer, and more testable?Why is C so proli�c? It’s the kernel, silly! 30 years ago, all low level interaction y);Wrapping up Developers do a lot in C to make it ‘safer’ But C++ has advantages: Strong typing and a more thorough type system makes code safer Lifetime management is important and C++ takes many