Microsoft supports memory safety. Rust is 100% the direction for new projects. But there are existing C codebases that are unlikely to be entirely rewritten in a memory-safe language for various reasons. Such projects can significantly benefit from incremental improvements in memory safety.

I think the real failing is that new language features then must be prototyped by people who have a background in compilers. That's a very small subset of the overall C community.

I don't have any clue how to patch clang's front end. I'm not a language or compiler person. I just want to make stuff better. There needs to be a playground for people like me, and hopefully lib0xc can be that playground.

Thanks! I agree, a better build story for C projects is desperately needed.

It's designed to be incremental. For example, you can do a search for `sprintf` and replace it with `ssprintf`. The function signature is the same. Any instance of printing to a character array just works. Think of the APIs as "the stuff you usually do by hand, but safer".

If you get compiler errors, it means you were printing to a heap-allocated buffer (or a buffer whose bounds you did not know), and you should be propagating bounds and using `snprintf`.

Integer conversion is the same way. If you have something like

int v1; uint64_t v2;

<stuff happens>

v2 = (uint64_t)v1;

Then you can replace it with

v2 = __cast_signed_unsigned(uint64_t, v1);

and you'll get a runtime trap when v1 is a negative value, meaning you can both enable -Wint-conversion and have defined behavior for when the value in a certain integer type is not representable in another.

Author here, I posted this in Show HN but someone clearly beat me to it. So I'll repost my blurb from there.

Various patterns for safer C programming have been cargo-culting around the industry for decades. Because the language evolves intentionally slowly, these patterns rarely get folded into the language as first-class constructs and are passed down through the generations in a sort of oral tradition of programming.

lib0xc leverages GNUC extensions and C11 features to codify safer C practices and patterns into real APIs with real documentation and real testing. Reduce your casts to and from `void *` with the `context_t` tagged pointer type. Enable type-checked, deferred function invocation with `call_t`. Interrogate structure descriptors with `struct_field_t`. Stop ignoring `-Wint-conversion` and praying you won't regret it when you assign a signed integer to an unsigned integer and use `__cast_signed_unsigned`. These are just a few of lib0xc's standard-library-adjacent offerings.

lib0xc also provides a basic systems programming toolkit that includes logging, unit tests, a buffer object designed to deal with types, a unified Mach-O and ELF linker set, and more.

Everything in lib0xc works with clang's bounds-safety extensions if they are enabled. Both gcc and clang are supported. Porting to another environment is a relatively trivial effort.

It's not Rust, and it's not type safety, but it's not supposed to be. It's supposed to help you make your existing C codebase significantly safer than it was yesterday.

My employer holds the copyright and has permitted its release under the MIT license.

Thanks!

Two notes: GCC has its "access" attributes which can give you similar bounds safety as clang.

Please see also my experimental library. https://codeberg.org/uecker/noplate/ While I do not had enough time to polish it yet, I think it provides some very nice interfaces with improve type and bounds safety, and are also rather convenient.

Also I wonder what parts are redundant if you have FORTIFY_SOURCE ?

(And thank you for working in this topic. If you continue, please reach out to us)

This might be a dumb question, but using this + clang bounds-safety, whats the difference between this and something like Zig or Odin.

What do you think C would need in order to reach the user experience of those languages?

> This might be a dumb question, but using this + clang bounds-safety, whats the difference between this and something like Zig or Odin.

I really need to learn more about Zig, but from what I know, there are still worlds of possibilities that a modern, well-designed language offers over something like lib0xc. Zig's ability to evaluate any expression at compile-time is one such example.

But generally, lib0xc gives you bounds-safety everywhere it can. Languages like Zig and Rust give you type-safety to their own degrees, which I think is a superset.

> What do you think C would need in order to reach the user experience of those languages?

Not really having direct user experience, it's hard for me to say. But if I what I can give you is a list of features that would make large parts of lib0xc irrelevant:

1. Protocols/traits

2. Allocating from a caller's stack frame (think, returning the result of `alloca` to the caller)

3. printf format specifiers for stdint.h types and for octet strings

4. Ability to express function parameter lists as structures

5. New sprintf family that returns a value which is always less than or equal to the size passed (no negative values)

Basically, I think that the C standard should be working aggressively to cut down on the use cases for heap allocation and `void *`. And I think that the bounds safety annotations should become first-class language features.

> I really need to learn more about Zig, but from what I know, there are still worlds of possibilities that a modern, well-designed language offers over something like lib0xc.

Doesn't Apple have a nice `defer { }` block for cleanup? Did you include that in lib0xc? I didn't see in on your README.

I think defer has been included in the next round of working group proposals for C2y, but I don't think Apple's clang has it. Maybe it's there as a language extension and I just didn't see it.

What lib0xc has is some cleanup attributes that you can apply to variables to e.g. automatically free a heap allocation or close a file descriptor, at end of scope. Personally, I like variable annotations much more than defer for these uses, but they accomplish the same thing. I've also found that using those attributes inherently pushes your code to make ownership more explicit. I personally stopped being terrified of double-pointers and started using them for ownership transfers, which eliminates a large class of bugs.

> I've also found that using those attributes inherently pushes your code to make ownership more explicit. I personally stopped being terrified of double-pointers and started using them for ownership transfers, which eliminates a large class of bugs.

This is very interesting. Do you have a practical example?

In C++ you can implement such a thing using destructors, which are guaranteed to run in reverse order on scope exit even in the presence of exceptions. Alexei Alexandrescu's Scopeguard did this (in the 90s I think, long before C++11). But in standard C, there's no mechanism that this could be attached to (especially if you want to use "C exceptions", a.k.a. setjmp()/longjmp()).

Maybe the compilers they support all have non-standard extensions that allow something like this though?

Yes, because all compilers support a non-standard defer mechanism, its now being considered for inclusion into standard C. [0]

And that suggested defer standard, is already available from GCC 9 and clang 22.

[0] https://www.open-std.org/JTC1/SC22/WG14/www/docs/n3734.pdf

Wouldn't the last case (void *) hurt embedded C development, or retrogaming with direct memory access and pointers?

They said "cut down", not "eliminate."

Not really. You'd still be able to address memory as bytes. The problem with void * is that it strips all bounds information by its nature. Most of the time when you're passing a void * without an associated length (e.g. context pointers, objects that you pinky-swear are of a certain type), it indicates a failure in the language. That's the stuff I think needs to be eliminated.

Have a look on libre C SDK's for the GBA and read about how some data it's set. Ditto with another set of archs where some simple C89 it's being ported.

Because it is C not Zig/Odin. The mental/ecosystem cost to use a new language is way way under-estimated in most cases.

Glad to see you’re still doing great stuff, and also very glad to see your new employer supports such things, especially compared to our old employer! Part of why I retired around the same time you left was because I wanted to make and share things.

Every time I look at how easy for people to use this kind of thing but people tends not to, remind me if so-called "memory safety" is a real concern anyway.

Haven't really verified that it works with C++, but I tried my best to guard the stuff I knew would be problematic with #if __cplusplus. Happy to have a PR that makes C++ happier with it.

Thanks for the reply. Noted :)

Author here. It is not currently in production, but it is part of a project in Azure which will go to production at some point. I'm actually leaving Microsoft next week and fully intend to keep working on it if I can reach an agreement to do so with my new employer.

That's not apples to apples due to Microsoft's massive force reductions and Azure's massive growth.

The average user cares about their fans going full-blast when running some garbage electron app and their battery life being shit. You're just being dense.

Back when these machines were released they were hallowed as being the ultimate in mobile computing. What happened here what did not happen to other Intel-based machines from that era?

The only changes I'd want to Markdown:

- Reverse the link syntax braces, so the URL is in [], and the link text is in ()

- Allow table cell content to have line continuations