
Checked C: extension to C that adds static and dynamic checking - ingve
https://github.com/Microsoft/checkedc#checked-c
======
Animats
From the technical paper:

    
    
        Checked C adds new types to C:
        • ptr<T>, the checked pointer to singleton type,
        • array_ptr<T>, the checked pointer to array type,
        • T checked[N], the checked array type,
    

Many people have been down that road. GCC had "fat pointers" for subscript
checking years ago.[1] That never caught on. Walter Bright had a proposal.[2]
I had a proposal. Microsoft had "Managed C++". It's technically possible, but
retrofitting old code rarely happens.

[1]
[http://williambader.com/bounds/example.html](http://williambader.com/bounds/example.html)
[2]
[https://news.ycombinator.com/item?id=8509155](https://news.ycombinator.com/item?id=8509155)

~~~
pjmlp
It only works when companies take the "my way or the high way" approach.

Hence why Microsoft went C++ and .NET Native, keeping C compatibility just as
far as ANSI C++ requires it. And support C++ kernel code since Windows 8.

Why the NDK is such a pain to use on Android, with a very tiny API surface.

Why all Objective-C improvements are now only related to improve
interoperability with Swift.

So maybe if Microsoft decides to also force Checked C on Windows, it might
eventually work.

~~~
Animats
10-15 years ago, Microsoft had the clout to do that. They no longer do.

~~~
pjmlp
They still do, just in HN bubble people think they don't.

Azure is a money printing machine, the "Year of Desktop Linux" will never
happen, hybrid tablets/laptops with Windows are being bought instead of
Android ones, IoT devices for healthcare or ticketing machines run on Windows,
on the enterprise Linux mostly matters on the server room, they own PC/XBox
gaming.

So just like Apple and Google, they can do whatever they feel like it, because
non-technical consumers aren't going to suddenly start buying alternative
systems, just because devs don't like Apple, Google and Microsoft roadmaps
regarding which programming languages one is allowed to use on their systems.

------
peterevans
I highly recommend the Static Analyzer that clang already uses. I use this
frequently in the C project I am currently working on, and it's very good at
spotting memory leaks and other potential issues. I've had more than one
occasion where I've looked at an issue it's reported and said, nah, this is a
false positive...oh, no, wait.

------
fwsgonzo
It's apparently a Microsoft research project: [https://www.microsoft.com/en-
us/research/project/checked-c/?...](https://www.microsoft.com/en-
us/research/project/checked-c/?from=http%3A%2F%2Fresearch.microsoft.com%2Fen-
us%2Fprojects%2Fcheckedc%2Fdefault.aspx)

Very interesting to add additional compiler support to am existing language,
in a sense. Sanitizers and static analyzers have made C/C++ much more
bearable, and this adds to the pile!

------
kqr
If anyone is looking for a battle-tested (sometimes literally) production
ready, statically and dynamically checked C-like language, take a look at
[https://ada2012.org](https://ada2012.org)!

~~~
Hasknewbie
Ada is in practice almost completely maintained by one single (consulting)
company, Adacore, who, except for the GNAT compiler, release all of their OSS
contributions under GPLv3 "to limit your freedom [of use/reuse]" (it's
mentioned explicitly on their Website).

They do NOT want an autonomous Ada community to pop up, they just want to
attract programmers they can contract. Since they're basically the only
noteworthy contributors for Ada, they're impossible to bypass, hence using Ada
means submitting to Adacore's whims.

Ada is indeed a very well designed language, and with some recent language
revisions, so have you ever wondered why it did not get any traction at all?
Well, that's why.

Every 6 months or so on HN or Reddit, someone rediscovers Ada, gets psyched
and tells everyone ... and then discovers the licensing / controlled ecosystem
issues, and walks away. And we don't hear about it. For about 6 months.

~~~
pjmlp
Adacore is not the only compiler vendor in town.

[https://www.ghs.com/products/ada_optimizing_compilers.html](https://www.ghs.com/products/ada_optimizing_compilers.html)

[https://www.ptc.com/en/products/developer-
tools/objectada](https://www.ptc.com/en/products/developer-tools/objectada)

[https://www.ptc.com/en/products/developer-
tools/apexada](https://www.ptc.com/en/products/developer-tools/apexada)

Ada it is pretty live in European universities, a constant presence at FOSDEM
during the last decades, and high integrity computing conferences.

Also, if you want the industry to care about any C or C++ feature, you have to
buy your seat at the ANSI/ISO table.

~~~
Hasknewbie
You are correct, but I was speaking in terms of general-purpose programming,
with an OSS/free implementation available, and to my knowledge all the other
vendors only target the embedded and high-integrity spaces. And they cost
money.

Moreover Adacore is the only one to have a general-purpose OSS (albeit kind of
captive) ecosystem.

Your ANSI/ISO remark is off-topic. You don't need a seat there to use the
extensive C++ ecosystem. With Adacore it's either GPLv3 all the way or you pay
up. Also, to underline their gatekeeper status even more: they could one day
decide to stop releasing their compiler to GNAT, without giving any reason,
and there's nothing anyone could do about it.

~~~
pjmlp
> You don't need a seat there to use the extensive C++ ecosystem.

Thanks to GCC and Sun, and later Apple.

GCC was a toy compiler until Sun decided to start charging for their UNIX
development SDK, which made many companies contribute to GCC's development.

Likewise if it wasn't for GPLv3, Apple would probably never bothered to create
clang.

> With Adacore it's either GPLv3 all the way or you pay up

Actually I do have issues with people earning money with the work from others
for free without contributing anything back.

GPLv3 is quite appealing for free software.

Want to earn money without contributing anything back? Use commercial licensed
software.

> Also, to underline their gatekeeper status even more: they could one day
> decide to stop releasing their compiler to GNAT, without giving any reason,
> and there's nothing anyone could do about it.

There is always the very latest GPLv3 version, that everyone willing to
contribute can carry on using.

~~~
bb88
> Actually I do have issues with people earning money with the work from
> others for free without contributing anything back.

With the BSD license, you can fork it all you want, but you have to maintain
that fork. For most people/companies the feature is not a competitive
advantage. So they donate the code back, and it means they don't have to spend
so much time maintaining a fork.

The way I see it is, I'm a working stiff that's used a lot of opensource in
the past. I don't mind releasing things as BSD clause to help another working
stiff, as long as it doesn't contain my company's "secret sauce."

------
epx
One thing that C should have is an automatic string type (more like a byte[]
than a String) that knows its own size. A huge amount of programming bugs
arise from the lack of strings, and I can't see the reason why they could not
be supported even in small systems. Delphi/Object Pascal had something like 3
or 5 function pointers that support the string type (create, free, resize,
things like that).

~~~
admax88q
The funny thing is that the memory allocator typically knows the size of the
string.

You call free(foo) not free(foo, 12) or free(foo, strlen(foo));

But there's no standard way to ask for this size. Why doesn't strcpy just
check with the allocator about how much memory is available and refuse to
write past that.

~~~
rootbear
Not every string is allocated from the heap. There is no way to know if a
string passed to a function, for example, came from the heap or not.

~~~
admax88q
That's true, although there's no reason the stack allocator couldn't record
this information somewhere as well.

And if the memory allocator doesn't know about the string then you could just
revert to the existing behaviour so you're no worse off.

~~~
chrisseaton
There's more ways to allocate memory than the heap and stack.

~~~
stochastic_monk
What are you referring to? sbrk? mmap? I typically use either the heap or the
stack myself.

~~~
timClicks
Static memory is at the bottom of the address space, below the heap. But that
would really only be relevant in the case of string literals unless I'm
mistaken.

~~~
unwind
You can have a static buffer:

    
    
        static char buf[128];
    

and use strcpy() at any point to copy into it, so I don't think statically
allocated strings must be literals.

~~~
stochastic_monk
There is a distinction between const and non-const static memory, though, in
that the former can be stored in Read-Only Memory. Still, static memory is
generally used for many fewer purposes than the stack or the heap, and if I
understand correctly, sbrk is still working with the heap, just more manually.

~~~
timClicks
That's right. Allocators use the sbrk and mmap to manage the heap. IIRC high
performance allocators tend to use mmap exclusively.

------
staticassertion
Is there a whitepaper associated with this? I found the project page and the
github page, but I want to see:

a) What's involved in getting the C code to be 'safe' \- how much annotation
overhead, etc

b) How this interacts with C Preprocessor

c) What the runtime overhead is (usually the killer)

~~~
munin
There is a specification:
[https://github.com/Microsoft/checkedc/releases/download/v0.7...](https://github.com/Microsoft/checkedc/releases/download/v0.7-final/checkedc-v0.7.pdf)

We have been trying to publish a paper on this, perhaps one day we will be
successful! Our runtime overhead is very good, and our interaction with the
preprocessor is minimal.

~~~
staticassertion
Wonderful, thank you for the link.

------
ericfrederich
I wish that when all these guys tried to create a better C/C++ they made it
compatible such that I could create shared libraries usable from other
languages.

C, not even C++, is still the only common denominator between languages. The
fact that I cannot create a shared library in Golang or Python that is
callable from the other is very disappointing.

~~~
andrewmcwatters
I wonder if that has more to do with C++ undefined name mangling than anything
else. C exports are beautifully simple to read. C++ exports on the other hand
are some sort of alternate reality mind-bending shitstorm due to the language
not defining a scheme for decorators.

Maybe I'm wrong and hopefully someone can correct me; I don't have deep export
knowledge outside of simply using C exports, but it seems this decision has
had long-standing repercussions for people wanting to use FFIs outside of C.

------
fulafel
Anyone know what stage the implementation
([https://github.com/Microsoft/checkedc-
clang](https://github.com/Microsoft/checkedc-clang)) is at, is it ready for
use?

~~~
lenary
It is not ready for production use.

Do try it out though!

------
trentnelson
How does this compare to SAL, out of interest? Somewhat competing aims, no?

------
ausjke
the github is just a spec, you have to use llvm/clang to use this extension.
it would be nice to make this an independent executable to do C checking,
apparently not the case here.

------
fuklief
How does it compare to CCured ?

