Story-time: C++, bounds checking, performance, and compilers

submitted by
Style Pass
2024-11-17 02:00:03

Recently, several of my colleagues at Google shared the story of how we are retrofitting spatial safety onto our monolithic C++ codebase: https://security.googleblog.com/2024/11/retrofitting-spatial-safety-to-hundreds.html

I wanted to have a bit of story-time about some of the strange ways that all this came to be, at least as I remember things. There are some really interesting developments that led us here, and some important lessons to learn from that history.

Do note that this is just my retrospective memory. It’s entirely possible I’m misremembering some of it (let me know if so!). It’s also limited to my perspective, and others may have seen very different aspects of things (please share!).

I was a deep skeptic about this area for many years due to deep concerns about the performance impact of bounds checking. A number of historical reports by others of the costs coupled with some fairly casual experimentation on my own instilled a pretty strong belief that bounds checks couldn’t realistically be made cheap enough to enable by default. However, so far they are looking very affordable. From the above post, 0.3% for bounds checks in all the standard library types!
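To make that cost concrete, here is an added example (my own, not code from the post or from libc++) of what a hardened `operator[]` amounts to: one compare against the size and a branch to a failure handler. The `checked_span` type and the swappable `violation_handler` hook are constructed for this example; a real hardened standard library simply aborts. The in-bounds loop shows why the check is cheap in practice (the trip count is the size, so the optimizer can prove every index in range and hoist or delete the check), and the off-by-one loop shows the check catching the read one past the end that would otherwise go unnoticed.

```cpp
#include <cstddef>
#include <cstdlib>
#include <stdexcept>

// Handler invoked on an out-of-bounds access. The default aborts, which is
// the fail-fast behaviour a hardened standard library uses; the helper
// below swaps in a throwing handler so a violation can be observed without
// terminating the process. (Hypothetical hook, not a libc++ API.)
using violation_handler = void (*)(std::size_t index, std::size_t size);

inline void abort_on_violation(std::size_t, std::size_t) { std::abort(); }

inline violation_handler& current_handler() {
  static violation_handler handler = abort_on_violation;
  return handler;
}

// Minimal bounds-checked view over contiguous storage (constructed for this
// example). The entire cost of the check is one compare and a rarely taken
// branch inside operator[]; production code would mark that branch cold.
template <typename T>
class checked_span {
 public:
  checked_span(T* data, std::size_t size) : data_(data), size_(size) {}

  T& operator[](std::size_t i) const {
    if (i >= size_) current_handler()(i, size_);
    return data_[i];
  }
  std::size_t size() const { return size_; }

 private:
  T* data_;
  std::size_t size_;
};

// In-bounds loop: the trip count is s.size(), so an optimizer that inlines
// operator[] can prove i < size_ on every iteration and remove the check.
inline long sum_all(checked_span<const int> s) {
  long total = 0;
  for (std::size_t i = 0; i < s.size(); ++i) total += s[i];
  return total;
}

// Classic off-by-one (<= instead of <): the final access is out of range.
// Unchecked, this reads one element past the buffer; checked, the handler
// fires before the read happens.
inline long sum_off_by_one(checked_span<const int> s) {
  long total = 0;
  for (std::size_t i = 0; i <= s.size(); ++i) total += s[i];
  return total;
}

struct bounds_violation : std::runtime_error {
  using std::runtime_error::runtime_error;
};

// Runs f with a throwing handler installed and reports whether a bounds
// violation fired. The previous handler is restored afterwards.
template <typename F>
bool triggers_violation(F f) {
  violation_handler saved = current_handler();
  current_handler() = [](std::size_t, std::size_t) {
    throw bounds_violation("index out of range");
  };
  bool fired = false;
  try {
    f();
  } catch (const bounds_violation&) {
    fired = true;
  }
  current_handler() = saved;
  return fired;
}

int main() {
  const int data[] = {1, 2, 3, 4};  // constructed sample input
  checked_span<const int> s(data, 4);
  long ok = sum_all(s);                                           // 10
  bool caught = triggers_violation([&] { sum_off_by_one(s); });  // true
  return (ok == 10 && caught) ? 0 : 1;
}
```

Compile `sum_all` with optimization and look at the generated loop: the per-element compare disappears once the compiler sees that `i < s.size()` already bounds the index, which is the mechanism behind the small overall overhead reported above.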

Sadly, I wasn’t alone in this belief. A lot of us were very wrong. I think this broadly held collective “belief” in the cost of bounds checking discouraged lots of folks from doing two things that needed to happen:
