Conversation

Miguel de Icaza

8
1
0

@Migueldeicaza Annoys me when people say C is not memory safe. It's an implementation detail only. C allows range checking on arrays. It specifically makes casting between function pointers and any other kind of pointer undefined and possibly forbidden. It also doesn't mandate that pointers are memory addresses. A C pointer for data is simply a handle to an object with a size. A C function pointer is just a handle. Malloc/free can delay free until last deref.

2
1
0

@Migueldeicaza My biggest gripe about many of the C++ extensions over the years is how unreadable (by humans) the code can become. I believe simple, concise, readable syntax is another dimension of coding safety.

1
0
0

@clolsonus yeah I am not a fan either, but the joy of this is that folks that have those codebases might be able to sanitize them- which we should do.

0
0
0

@Migueldeicaza the wise guy part of me wants to ask “isn’t that just C#”? 😜

1
0
0
@etchedpixels @Migueldeicaza Well, while the standard may allow memory-safe C, AFAIK no such implementation exists and I'm not sure people would call it a "C compiler" if it did. So "C is not memory safe" is a pretty reasonable thing to say.
0
0
1

@Migueldeicaza Ohhh, I love this.

C++23 already makes it a lot easier to write safe code; having something that can formally verify that, like Rust does, would be really nice. (I haven't seen a seg fault in my C++23 projects in a long time.)

1
0
0

@hp yeah, this is a great step. And Godot is surprisingly resilient, I am in awe.

0
0
0

@etchedpixels @Migueldeicaza As Wesley said, "You're only saying that because no one ever has!"

In all seriousness, has there been a C compiler that has taken this approach?

2
0
0

@mcdanlj @etchedpixels I think the issue is less “cannot be done”, but “would any existing code deemed to be C work”

1
0
1

@Migueldeicaza @mcdanlj Very little code would fail. There are a couple of uglies if you want to make it very compatible, particularly around casting of function pointers. It's a handle to an object but you still need to only invoke if it is cast to the correct type.

Most well written ANSI C will work fine though. Older code often hits the "but so long as the prototype is sort of right" function cast problem - but that breaks even with some modern calling sequences.

1
0
1
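An added illustration of the point made just above about function pointers being "a handle to an object but you still need to only invoke if it is cast to the correct type". This is example code written for this thread, not code from any of the compilers discussed: a function handle records the prototype it was created with, and a call through a handle whose recorded prototype does not match the call site is refused rather than executed with a mismatched calling sequence. All names (fn_handle, fn_sig, fn_make_int_int, fn_call_int_int, and so on) are this example's own.

```c
/* Added example, not from the thread or any real compiler: a function "handle"
 * that carries the prototype it was created with, so that invoking it through
 * the wrong type is detected at the call instead of silently mis-calling. */
#include <stddef.h>
#include <stdio.h>

typedef enum { SIG_NONE = 0, SIG_INT_INT, SIG_VOID_VOID } fn_sig;

typedef int  (*int_int_fn)(int);
typedef void (*void_void_fn)(void);

typedef struct {
    fn_sig sig;              /* prototype recorded when the handle was made */
    union {                  /* only the member selected by sig is ever used */
        int_int_fn   ii;
        void_void_fn vv;
    } f;
} fn_handle;

/* Constructors: the only way to obtain a handle, so the tag is always right. */
fn_handle fn_make_int_int(int_int_fn f) {
    fn_handle h; h.sig = SIG_INT_INT; h.f.ii = f; return h;
}
fn_handle fn_make_void_void(void_void_fn f) {
    fn_handle h; h.sig = SIG_VOID_VOID; h.f.vv = f; return h;
}

/* Checked invocation as int(int): returns 0 and stores the result on success,
 * -1 if the handle does not actually hold a function of that prototype. */
int fn_call_int_int(fn_handle h, int arg, int *out) {
    if (h.sig != SIG_INT_INT || h.f.ii == NULL) return -1;
    *out = h.f.ii(arg);
    return 0;
}

/* Checked invocation as void(void): 0 on success, -1 on prototype mismatch. */
int fn_call_void_void(fn_handle h) {
    if (h.sig != SIG_VOID_VOID || h.f.vv == NULL) return -1;
    h.f.vv();
    return 0;
}

/* Two sample functions with different prototypes (constructed for the demo). */
static int twice(int x) { return 2 * x; }
static int ping_count = 0;
static void ping(void) { ping_count++; }

int main(void) {
    int r = 0;
    fn_handle good = fn_make_int_int(twice);
    fn_handle other = fn_make_void_void(ping);

    printf("twice via matching handle: rc=%d r=%d\n", fn_call_int_int(good, 21, &r), r);
    /* The classic "prototype is sort of right" mistake: calling a void(void)
     * as if it were int(int). Here it is refused instead of executed. */
    printf("ping via int(int) call: rc=%d\n", fn_call_int_int(other, 1, &r));
    printf("ping via matching handle: rc=%d count=%d\n", fn_call_void_void(other), ping_count);
    return 0;
}
```

The tag is checked on every call, which is the runtime cost the thread alludes to; a compiler taking this approach would attach the tag when the address of a function is taken and check it at each indirect call.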

@mcdanlj @Migueldeicaza MSCC did a chunk of the early work proving it was quite tractable (see the ACM SIGSOFT paper). Later work includes "Implementation of the Memory-safe Full ANSI-C Compiler", ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI 2009), June 2009.

So yes it's been done and a lot of the underlying stuff like fat pointers are well understood in other languages too

It's also been done on the virtual machine side by Cambridge University folks.

0
2
1
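An added illustration, in plain C, of the "fat pointer" idea mentioned in the post above and of the earlier remark that a C data pointer can be treated as "a handle to an object with a size". This is example code written for this thread, not code from MSCC, the PLDI 2009 compiler, or any other project: a data pointer is carried together with the size of the object it refers to, and every access through it is range-checked. The type and function names (fat_ptr, fat_from, fat_get, fat_put, fat_copy_str, fat_slice) are this example's own.

```c
/* Added example, not from the thread or any real memory-safe C compiler:
 * a minimal "fat pointer", i.e. base address plus object size, with every
 * access checked against that size. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    unsigned char *base;   /* start of the object (NULL = invalid handle) */
    size_t len;            /* size of the object in bytes */
} fat_ptr;

/* Wrap an existing buffer; its size is stated once, here, and then travels
 * with the handle instead of being re-derived at each use site. */
fat_ptr fat_from(void *buf, size_t len) {
    fat_ptr p = { (unsigned char *)buf, len };
    return p;
}

/* Range-checked read of one byte: 0 on success, -1 if idx is out of range. */
int fat_get(fat_ptr p, size_t idx, unsigned char *out) {
    if (p.base == NULL || idx >= p.len) return -1;
    *out = p.base[idx];
    return 0;
}

/* Range-checked write of one byte: 0 on success, -1 if idx is out of range. */
int fat_put(fat_ptr p, size_t idx, unsigned char val) {
    if (p.base == NULL || idx >= p.len) return -1;
    p.base[idx] = val;
    return 0;
}

/* Copy a C string into the object, always NUL-terminating. Returns the number
 * of bytes copied (excluding the NUL), or -1 if it would not fit. */
long fat_copy_str(fat_ptr dst, const char *src) {
    size_t n = strlen(src);
    if (dst.base == NULL || n + 1 > dst.len) return -1;
    memcpy(dst.base, src, n + 1);
    return (long)n;
}

/* Derive a sub-object from an existing handle. The new handle can never reach
 * outside its parent; an invalid range yields a NULL handle. */
fat_ptr fat_slice(fat_ptr p, size_t off, size_t len) {
    fat_ptr bad = { NULL, 0 };
    if (p.base == NULL || off > p.len || len > p.len - off) return bad;
    fat_ptr s = { p.base + off, len };
    return s;
}

int main(void) {
    char buf[8];                       /* constructed sample buffer */
    fat_ptr p = fat_from(buf, sizeof buf);
    unsigned char c;

    printf("copy \"hello\": %ld\n", fat_copy_str(p, "hello"));            /* fits */
    printf("copy 16 chars: %ld\n", fat_copy_str(p, "this is too long")); /* refused */
    printf("get[4]: %d\n", fat_get(p, 4, &c));                           /* in range */
    printf("get[8]: %d\n", fat_get(p, 8, &c));                           /* off-by-one caught */

    fat_ptr s = fat_slice(p, 2, 4);    /* bytes 2..5 of buf */
    printf("slice len=%zu, get[4] on slice: %d\n", s.len, fat_get(s, 4, &c));
    return 0;
}
```

The same shape generalises to the malloc/free point made earlier in the thread: if the allocator hands out handles rather than raw addresses, it can also keep a liveness flag per object and have fat_get/fat_put refuse access after free, which is how the delayed-free behaviour described above would be enforced.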

@Migueldeicaza

Is there any chance, while we are still alive, that C++ might eventually do away with the need for forward declarations and separate header files?

Only C and C++ have this limitation AFAIK because every compiler since 1985 has enough memory to remember names and do a second pass.

1
0
0

@Phosphenes God that pisses me off so much.

0
0
0

@Migueldeicaza too little way too late. This should have been in preview 10 years ago vs in preview 10 years from now if we are lucky. Rust has too much momentum at this point. Better C++/Rust interop is a better use of engineering resources at this point.

2
0
0

@Migueldeicaza also I think the comment that "rust is foreign to c++ programmers" is funny. As a life long C++ programmer (for better or worse) Rust was super easy to learn and feels like fixed C++ to me, which is not surprising as it was invented by C++ programmers!

2
0
0

@mattklein123 @Migueldeicaza also, the only things that might be really "foreign" to C++ programmers are precisely the things that this proposal adds (borrow checking, interior mutability rules, etc.), so the learning curve is pretty much the same!

0
0
0

@mattklein123 I am in camp "Let's swift all the things", but realistically, there is a lot of C++ code out there that deserves to be made safer, because the cost and risk of rewriting is real.

1
0
0

@mattklein123 Both C++ and Rust share the trait of not being pleasant to write for, true :-)

1
0
0
@etchedpixels @Migueldeicaza @mcdanlj I'm afraid "well written ANSI C" code is quite rare. I'm pretty sure LibreOffice, Gimp and Firefox would ... "not be trivial to get running"? :-). Not sure if emacs and bash would be easy to run...
2
0
0

@pavel @etchedpixels @mcdanlj I try to avoid writing new C and C++ code as a duty to humanity (unless it is absolutely necessary), but I deeply appreciate any efforts to make C or C++ safer.

Happy to try a C compiler that attempts to do this, or extensions to C to improve this.

0
0
1

@pavel @Migueldeicaza @mcdanlj Lots of stuff is, although most of your examples are C++, which is more of a lost cause anyway.

The more important questions for old code though are
1. Is it lower risk to keep in a safe C or to rewrite
2. What are the cost differences for the options

So having a safe C compiler is potentially a very good thing for legacy code. That's not to say you shouldn't write future code in a memory safe language like Rust or COBOL 8)

1
0
1

@etchedpixels @pavel @mcdanlj My position on this matter summarized in meme form:

0
0
0

@Migueldeicaza I don't think you have given rust a real chance. I use Rust to write systems and to replace things I would have done with Python. It's an amazing accomplishment.

2
0
0

@Migueldeicaza I think I said 5+ years ago that Swift could/should have won this battle but also too late with real safety. Rust has too much momentum in the systems space.

1
0
0

@mattklein123 I am happy if folks use Rust, and I encourage people to use it, I just don’t enjoy it.

0
0
0

をむをンハンドガンダム

@mattklein123 @Migueldeicaza people rewrote stuff in c++ when c++ appeared

1
0
0

@mrt181 @mattklein123 yes, some people did some things when something happened.

0
0
0

@mattklein123 I have tried to move to Python for my quick hacks for a decade, but I still find myself writing Perl for that - that’s just how cozy my living room is :-)

0
0
0

@Migueldeicaza too little too late.

The industry cannot hire talent to deal with the complexity of C++. Even hardcore C++ shops are unable to train people internally.

Thermal death is on the horizon.

1
0
0

@Migueldeicaza One thing I always find weird is when ARC is referred to as garbage collection. I would never consider manual retain/release garbage collection yet this isn’t the first time I’ve seen someone primarily working in another language suggest ARC is

1
0
0

@pilky it is not uncommon, academia treats it as such. Lots of academia and practitioners consider it part of the domain space with lots of cross-over and blends.

1
0
0