Thanks!

Two notes: GCC has its "access" attributes which can give you similar bounds safety as clang.

Please see also my experimental library. https://codeberg.org/uecker/noplate/ While I do not had enough time to polish it yet, I think it provides some very nice interfaces with improve type and bounds safety, and are also rather convenient.

Also I wonder what parts are redundant if you have FORTIFY_SOURCE ?

(And thank you for working in this topic. If you continue, please reach out to us)

This might be a dumb question, but using this + clang bounds-safety, whats the difference between this and something like Zig or Odin.

What do you think C would need in order to reach the user experience of those languages?

Glad to see you’re still doing great stuff, and also very glad to see your new employer supports such things, especially compared to our old employer! Part of why I retired around the same time you left was because I wanted to make and share things.

Every time I look at how easy for people to use this kind of thing but people tends not to, remind me if so-called "memory safety" is a real concern anyway.

Haven't really verified that it works with C++, but I tried my best to guard the stuff I knew would be problematic with #if __cplusplus. Happy to have a PR that makes C++ happier with it.

At the very least, It's a treasure trove of more advanced c design patterns that are worth knowing.

As the readme describes it as basically established industry patterns passed down through word of mouth.

I find It's difficult to find deeper level C programming techniques like these normally.

I suspect in 20 years Windows will be a Linux distribution with a compatibility layer.

I think most people who are into c that I’ve met quite like header only libraries. Copy paste as a package manager does have its benefits.

The Elf interface is a standardised packaging system.

I do NOT want a package manager in my c code. I'm perfectly content with cloning a git repo from my cmake script.

And there is plenty to choose from if you don't like one or another build system.

Thanks! I agree, a better build story for C projects is desperately needed.

Because that's precisely what is needed: an easy way to ship dependency malware like npn, pip, cargo, etc.

Like it or not, having a little bit of friction prevents pulling in packages with thousands of transitive dependencies.

Author here. It is not currently in production, but it is part of a project in Azure which will go to production at some point. I'm actually leaving Microsoft next week and fully intend to keep working on it if I can reach an agreement to do so with my new employer.

> I'm not sure MSVC could compile the GNU extensions used.

The supported platforms only list Linux and Mac. Notably missing from that list is any of the BSDs (not counting what may or may not remain of BSD under the Mac hood).

Just use compiler option -std=c++20 and use std::span. Don't try reinventing it in C.

Microsoft supports memory safety. Rust is 100% the direction for new projects. But there are existing C codebases that are unlikely to be entirely rewritten in a memory-safe language for various reasons. Such projects can significantly benefit from incremental improvements in memory safety.

You forgot the part where you have to read an 800-page document that costs 250€ to access.

Hell, I aim to be all of those.

It's designed to be incremental. For example, you can do a search for `sprintf` and replace it with `ssprintf`. The function signature is the same. Any instance of printing to a character array just works. Think of the APIs as "the stuff you usually do by hand, but safer".

If you get compiler errors, it means you were printing to a heap-allocated buffer (or a buffer whose bounds you did not know), and you should be propagating bounds and using `snprintf`.

Integer conversion is the same way. If you have something like

int v1; uint64_t v2;

<stuff happens>

v2 = (uint64_t)v1;

Then you can replace it with

v2 = __cast_signed_unsigned(uint64_t, v1);

and you'll get a runtime trap when v1 is a negative value, meaning you can both enable -Wint-conversion and have defined behavior for when the value in a certain integer type is not representable in another.

This is a tragically misguided view. There are tons of code bases that aren't going to be rewritten in safe languages for various reasons, be it political or technical. You may or may not agree with those reasons, and you may or may not like that these code bases are important, but the fact remains that these projects exist. Giving them a toolset to adopt a broad set of bounds-safe behavior can only be a good thing.

If i cannot use GCC i cannot compile to half the embedded platforms i work with on a daily basis.

C remains widespread for unique reasons that not many other languages actually quite grasp.

Using C for a destop application should probably stop being done in light of many more languages more suited for the domain.

But there is no replacement for C in hard embedded systems. And there is no replacement for C in the massive domain of legacy c systems.

This is a misrepresentation based on a misunderstanding on how standardization works. The C standard committee has long recognized the need for better safety and carefully made it possible so that C could be implemented safely. But the process is that vendors implement something and then come together during standardization so that it is compatible, not that the standardization is the government that prescribes top-down what everybody has to do. Vendors did not bother to provide safer C implementations and safety features (such as bounds checking) did not get much attention from users in the past. So I am happy to see that there is now more interest in safety, because as soon as there solutions we can start putting them into the standard.

(We can do some stuff before this, but this is always a bit of a fight with the vendors, because they do not like it at all if we tell them what to do, especially clang folks)

Yup, and its not just the standards committees. Look at TR 24731 as an example, an absolute no-brainer for security adding (shock, horror!) bounds checking to long-standing trouble-prone APIs that's been around for 20 years, and the response from most compiler writers/library authors has been "lalalalala I'm not listening I'm not listening". Even then it only got as far as it did due to relentless pressure from Microsoft, anyone else and it'd have been rejected outright.

Having said that, some of it may be due to "it's from Microsoft, we can't ever use it". I'm actually surprised not to have seen any anti-MS diatribes in the discussion so far.

Despite all security denial attitude, WG21 is doing much better than WG14.

Still looking forward to the day C supports something like std::string, std::string_view, std::span, std:;array.

Which starting with C++26 finally have a standards compliant story about having bounds checks enabled by default.

That produces a bit of a chicken and egg probablem for a stdlib overhaul. Compilers and libc implementations don't have a strong reason to implement safer APIs, because if it is non-standard then projects that want to be portable won't use it , but it won't get standardized unless they do add safer APIs.

So the best hope is probably for a third party library that has safet APIs to get popular enough that it becomes a de facto standard.

Immediately what I thought of when I saw /microsoft.

Not all of the APIs were brain-dead. They just ignored all previous developments and in the proposal they didn't even remove the C++-related language.

A vast number of C++ programs import C and POSIX headers directly, so the language level distinction you wish to make isn’t all that relevant to the subject matter.