In the realm of programming languages, the debate over memory safety has intensified, prompting Bjarne Stroustrup, the creator of C++, to make a vigorous defense of his creation. Amid rising scrutiny from cybersecurity agencies and experts, Stroustrup is rallying the C++ community to bolster the language’s standing against newer, more memory-safe languages like Rust.
The Challenge Facing C++
Recent years have seen a significant shift in the landscape of programming languages, driven by high-profile security breaches attributed to memory safety errors. These vulnerabilities, which are particularly prevalent in languages that require manual memory management such as C and C++, have led to a push from industry and government experts towards languages that offer more robust memory safety features.
Stroustrup’s Response
Stroustrup, a professor of computer science at Columbia University, has responded to these challenges with a clarion call for action. In his “Note to the C++ Standards Committee” (WG21), he emphasized the urgent need for the community to adopt and promote his Profiles memory safety framework. This framework aims to modernize C++ without sacrificing its core principles, such as type safety and resource safety, which include memory safety.
“This is clearly not a traditional technical note proposing a new language or library feature. It is a call to urgent action partly in response to unprecedented, serious attacks on C++,” Stroustrup stated, highlighting the gravity of the situation.
The Profiles Proposal
Stroustrup’s proposal involves the implementation of “Profiles” — a strategic framework designed to enhance memory safety in C++ through a more managed use of language features. However, skepticism remains within the community, particularly concerning the practical implementation and effectiveness of such a framework in existing codebases.
Community and Industry Reactions
The reaction to Stroustrup’s call has been mixed. On one hand, there is a recognition of the need to evolve C++ to meet modern security demands; on the other, there is concern about the feasibility of such significant changes without disrupting the vast ecosystems of existing C++ applications.
Robin Rowe, a project lead for TrapC, a competing safety initiative, expressed doubts about the viability of Profiles:
“If you mark your code to enforce a Profile, some features of the C/C++ language will stop working,” Rowe explained, comparing it to turning off pointers or arrays, which could require extensive rewrites of existing code.
The Bigger Picture: Memory Safety in the Tech Industry
The push for memory safety is not limited to just the C++ community. Other languages and platforms are also evolving to address these concerns. Google, for instance, has shifted its focus towards a memory-safe future, advocating for secure-by-design practices across the industry.
Moreover, government agencies like the US Cybersecurity and Infrastructure Security Agency (CISA) have underscored the importance of memory safety. CISA’s guidance suggests that by January 2026, manufacturers should either have a roadmap to eliminate memory safety vulnerabilities in products using memory-unsafe languages or transition to memory-safe languages.
Future Directions
As the debate over memory safety continues, the future of C++ hangs in the balance. Stroustrup’s passionate defense highlights a pivotal moment for the language. Whether C++ can adapt effectively to the new security landscape or gradually cede ground to emerging languages like Rust remains to be seen.
The community’s response to Stroustrup’s rallying cry will be critical in shaping the next chapter of C++. As developers and organizations weigh the costs and benefits of migrating to newer, safer programming models, the decisions made today will resonate throughout the tech industry for years to come.