Document ISO/IEC/JTC 1/SC 22/WG 23 N0759

Minutes ofMeeting #51
7-8 November 2017

Meeting Location :

Albuquerque Marriott Hotel

2101 Louisiana Bvld NE

Alburquerque, New Mexico, USA

Salon D

Meeting Times: 0900-1700 MDT

Stephen Michell – WG 23 chair, Canada
Michael Wong – Acting chair WG21/SG12, Canada
Aaron Ballman – Gramma Tech
J. Daniel Garcia – University Carlos III, Spain
Peter Sommerlod – HSR, Rapperswil, Switzerland
Scott Schurr – Ripple Labs USA
Lisa Lippincott – Tanium, USA
Christof Meerwald – Programming Research
James Dennet – Google
Paul Preney – University of Windsor, Canada
Erhard Ploedereder – Stuttgart University
Joyce Tokar – Pyhrrus Software


51.1 Opening activities

51.1.1 Opening Comments

51.1.2 Introduction of Participants/Roll Call

51.1.3 Procedures for this Meeting

51.1.4 Approval of previous Minutes of meeting 50 (N0739)

51.1.5 Review of actions items and resolutions, Action Item and Decision Logs

51.1.6 Approval of Agenda [N 0743]

51.1.7 Future Meeting Schedule


Pre-mtg 61

TBD November 2019



22-23 August 2019

Seoul, Korea


TBD June 2019

With WG 9 or WG 21


TBD November 2019



TBD April 2019

With WG 21

Pre-mtg 58

TBD March 2019



21-22 January 2019

Atlanta (at CSA)


Pre-mtg 57


Likely with WG 21, Oct 2018






Toronto, Ontario, Canada with SC 22

Pre-mtg 57




With WG 21, Rapperswil, Switzerland?





26-27 April 2018

Brno Chez Republic with WG 14


14-15 March 2018

With WG 21, Jacksonville, FL, mostly WebEx

Pre-mtg 53




21-22 January 2018

Phoenix, AZ

51.2. Liaison Activities

51.2.1 PL22.3/WG5 (Fortran)

51.2.2 WG4 (COBOL)

51.2.3 WG9 (Ada) Erhard Ploedereder

New document from WG 9 ready to go. Top-14 list finished. We will review in January.

51.2.4 PL22.11/WG14 C Clive Pygott

Report from C meeting. Not great acceptance. Some resistance to the idea of the top-10 list. What is the real target audience? Specific critique on casting the “type” of malloc. There is a false security. Use a macro. This will be discussed in the Phoenix meeting in January. Reach out to Robert Seacord’s group to help. Clive to reach out. (AI).

51.2.5 PL22.16/WG21 (C++) Michael Wong

51.2.6 Ecma International, TC49/TG2 (C#) and TC 39 (EcmaScript) Stephen Michell

51.2.7 MISRA C Clive Pygott

51.2.8 MISRA (C++) Clive

51.2.9 SPARK

51.2.10 SC27/WG3, WG4 Security Stephen Michell

51.2.11 Other Liaison Activities or National body reports

51.3. Document Review

51.3.1 TR 24772-1 Vulnerabilities, language independent (N0742 or later)

51.3.2 TR 24772-2 Ada language specific part (if new version available)

The Ada document was not reviewed. In reviewing the Python document (N075?), clause 6.43, that catching the memory exception upon memory recursion is the remedy. Discuss in terms of Part 2.

51.3.3 TR 24772-6 Spark (if available)

51.3.4 TR 24772-3 C language specific part

51.3.5 TR 24772-4 Python language specific part

Stephen has had some contact with appropriate Python experts, and has made progress on the OO vulnerabilities. To be finished are the concurrency vulnerabilities. Steve will push these to a different set of Python experts for review.

51.3.6 TR 24772-8 Fortran

Dan Nagle has stepped away. Gary Klimowicz has replaced him. AI – Steve – bring him on board.

51.3.7 TR 24772-9 C++

Michael’s list of a “charter” for SG 12 working with WG 23

SC 22/WG 23 Programming Language Vulnerabilities and SC 22/WG 21/SG 12 Undefined Behavior and Vulnerabilities and Vulnerabilities Study Group agree that as a liaison and in developing a guidance document to avoiding programming language vulnerabilities in C++, that we will follow these principles:

  1. Provide strong references to existing work (CERT and C++ Core Guidelines)

  2. Process (evaluate) a) for safety and security

  3. Enhance “a.” by feeding back issues identified to other existing work.

  4. Add new sections to our TR and other guidelines where applicable (e.g. parallelism,

  5. Develop a cross-language taxonomy from C++ to C and possibly other languages.

  6. A way to link with other efforts such as MISRA, AUTOSAR, OpenCL/SYCL SC, CUDA

  7. Consider the guidance for previous language versions. Maybe we can have bullets for other versions, or document guidance for previous version in clause 7 (or even clause 8). We will consider these as we trip over them clause-by-clause. For example -- strings.

  8. New code or old code? TR 24772 is generally oriented to the creation of new code, and the coding guidelines for such code. It is expected that old code would only be affected when a major rewrite occurs.

  9. Target audience – team lead that produces the coding guidelines for the organization, but C++ programmers, not new C++ programmers coming from another language. Goal is not to teach C++.

For Wednesday, revisit enumerator issue and null ptr issue.

The group drafted writeups for

obtained initial write-up for 

51.3.8 Potential TR24772 Guidance on avoiding Programming Vulnerabilities – IS


51.3.9 Bibliography for each TR24772 Part

51.4 Strategy (Face to face meetings only)

51.5 Publicity (Face to face meetings only)

51.6 Other Business

51.6.1 Review of Assignment of responsibilities

51.7. Resolutions and Action Items

Next meetings:

Nov 20 2100-2300 UTC, Teleconference.

January 21-22 or 22-23 (David Keaton is chairing an OASIS meeting 22-23 in Phoenix and we may be able to co-locate.

WG 21/SG 12 will be working on N 0758 C++ vulnerabilities. We can create a WebEx link to assist in the Jacksonville meetings.

April 2018 – Brno, Czech Republic with WG 21

June 5-6, Rapperswil, Switzerland with WG 21.

51.8. Adjournment