Or Ada 2012 + SPARK 2014 wrapping the C API behind safer interfaces. One can catch most problems, including integer overflow, at compile time or with runtime checks it inserts. The other can prove their absence automatically in more static code. Rust can prevent temporal errors at compile time so it's on the table, too.