On Saturday March 13th 2010, the ISO C++ standards committee moved one step further towards the completion of the C++0x standard by approving the C++0x Final Committee Draft (FCD). As some committee members put it: the FCD approval is a big deal, jocularly referring to a recent comment of the US vice president. However, there's still a lot of work to be done and the shape of the FCD still raises some concerns.
Those of you who aren't familiar with the bureaucratic jargon of ISO would probably appreciate a brief explanation of the standardization procedure. The C++0x standardization project is a joint effort of several national standardization bodies such as NCITS (USA), BSI (UK) etc., aiming to produce an ISO International Standard. In the past, a different procedure was carried out. First, an American standard was produced (ANSI C for instance), and later, the ANSI standard served as the basis for an ISO International Standard (ISO C). However, the two-phased standardization process took a long time and doubled the amount of work. That is why a different approach has been used in recent years, namely producing an ISO International Standard right from the start. And yet, experience shows that even in the case of a joint international effort, the standardization process takes years.
CD, FCD, FDIS and IS
Author's Note: the ISO regulations regarding FDIS have just been changed. However, the new regulations will have little or no impact at all on the C++0x standardization.
A Race Against Time
The approval of an FCD implies that the current text of the Standard is in much better shape than it was six months ago. However, there are still several issues of concern. No one really knows how many more undetected bugs are lurking in the FCD. The FCD consists of nearly 1300 pages of text. It wouldn't be an exaggeration if I said that every word and punctuation mark makes a difference. Up until now, the standard draft has been constantly updated, as new features kept coming in, while other features were being revised, and sometimes entirely removed. Almost every C++ section in the standard refers to other sections in the standard. Changing one paragraph may trigger a landslide of updates in other sections of the FCD. My estimate is that the FCD still contains hundreds of bugs and defects of all sorts, most of which are minor editorial fixes. However, there are probably sections that will require substantial redrafting. Time is of the essence, since ISO set August 2012 as a non-negotiable deadline for the completion of the FDIS. The FDIS is the committee's next (and hopefully last) milestone. Once the FDIS has been approved, it will be passed on to ISO for ratification--a process that can take up to a year. In other words, if all goes well, the C++0x standard will be ready in 2012.
The FCD is truly a remarkable achievement, considering the trials and tribulations that the CD has undergone since October 2008. For the typical C++ programmer, the most important C++0x feature is multithreading. However, the new standard lacks some features that were originally slated for standardization such as automatic garbage collection, thread pools and even a networking API. Additionally, there are concerns about the quality and the necessity of certain features that are in the FCD.
- Rvalue references are my main concern. Their pervasiveness and complexity remind me of concepts.
- Attributes still seem like a solution to a non-existing problem.
- Lambda expressions are criticized for their lack of polymorphism support and their odd syntax.
- Another controversial feature entered the FCD just days before its approval: the keyword noexcept which designates a function that doesn't throw any exceptions.
The ISO clock is ticking fast, with only 16 months left to finalize the C++0x standard. The approval of the FCD last month is an important step towards this ambitious goal.