@Migueldeicaza Annoys me when people say C is not memory safe. It's an implementation detail only. C allows range checking on arrays. It specifically makes casting between function pointers and any other kind of pointer undefined and possibly forbidden. It also doesn't mandate that pointers are memory addresses. A C pointer for data is simply a handle to an object with a size. A C function pointer is just a handle. Malloc/free can delay free until last deref.
@etchedpixels @Migueldeicaza As Wesley said, "You're only saying that because no one ever has!"
In all seriousness, has there been a C compiler that has taken this approach?
@mcdanlj @etchedpixels I think the issue is less “cannot be done”, but “would any existing code deemed to be C work”
@Migueldeicaza @mcdanlj Very little code would fail. There are a couple of uglies if you want to make it very compatible, particularly around casting of function pointers. It's a handle to an object but you still need to only invoke if it is cast to the correct type.
Most well written ANSI C will work fine though. Older code often hits the "but so long as the prototype is sort of right" function cast problem - but that breaks even with some modern calling sequences.
@pavel @etchedpixels @mcdanlj I try to avoid writing new C and C++ code as a duty to humanity (unless it is absolutely necessary), but I deeply appreciate any efforts to make C or C++ safer.
Happy to try a C compiler that attempts to do this, or extensions to C to improve this.
@pavel @Migueldeicaza @mcdanlj Lots of stuff is, although most of your examples are C++ which is more of a lost cause anyway.
The more important questions for old code though are
1. Is it lower risk to keep in a safe C or to rewrite?
2. What are the cost differences for the options?
So having a safe C compiler is potentially a very good thing for legacy code. That's not to say you shouldn't write future code in a memory safe language like Rust or COBOL 8)
@etchedpixels @pavel @mcdanlj My position on this matter summarized in meme form:
@mcdanlj @Migueldeicaza MSCC did a chunk of the early work proving it was quite tractable (see the ACM SIGSOFT paper). Later work includes "Implementation of the Memory-safe Full ANSI-C Compiler", ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI 2009), June 2009.
So yes it's been done and a lot of the underlying stuff like fat pointers are well understood in other languages too
It's also been done on the virtual machine side by Cambridge University folks.
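The fat-pointer idea raised in this thread (a data pointer as a handle to an object with a size, with every dereference checked against it), as an added C example that is not code from any poster or from the cited papers; the `fatptr` struct and the function names are illustrative assumptions, and the off-by-one loop is a constructed input:

```c
#include <stddef.h>

/* A fat pointer: the raw address plus the bounds of the object it refers
   to. A memory-safe C implementation would represent every data pointer
   this way and check each dereference against [base, base + size). */
typedef struct {
    unsigned char *base;   /* start of the underlying object */
    size_t size;           /* object size in bytes */
    size_t offset;         /* current position relative to base */
} fatptr;

/* Build a fat pointer covering an entire buffer. */
fatptr fat_from_buffer(void *buf, size_t size) {
    fatptr p = { (unsigned char *)buf, size, 0 };
    return p;
}

/* Pointer arithmetic keeps the bounds. Forming an out-of-range pointer
   is allowed (C permits one-past-the-end); dereferencing it is not. */
fatptr fat_add(fatptr p, size_t n) {
    p.offset += n;
    return p;
}

/* Checked byte store: 0 on success, -1 if the access would leave the
   object. A real memory-safe compiler would trap instead of returning. */
int fat_store(fatptr p, unsigned char v) {
    if (p.offset >= p.size) return -1;
    p.base[p.offset] = v;
    return 0;
}

/* Checked byte load, same contract as fat_store. */
int fat_load(fatptr p, unsigned char *out) {
    if (p.offset >= p.size) return -1;
    *out = p.base[p.offset];
    return 0;
}

/* Constructed demonstration: an off-by-one loop tries to write 9 bytes
   into an 8-byte buffer. With raw pointers the 9th write silently corrupts
   whatever follows the buffer; here it is rejected. Returns the number of
   rejected stores (expected: 1). */
int demo_off_by_one(void) {
    unsigned char buf[8];
    fatptr p = fat_from_buffer(buf, sizeof buf);
    int rejected = 0;
    for (size_t i = 0; i <= sizeof buf; i++)   /* "<=" is the bug */
        if (fat_store(fat_add(p, i), 0xAA) != 0) rejected++;
    return rejected;
}
```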
@mcdanlj @etchedpixels @Migueldeicaza the only bounds-checked C I know of that has done it at scale is CHERI but that’s with hardware support
@mcdanlj @etchedpixels @Migueldeicaza
There is at least Emscripten, which pretty strictly enforces correct function pointer types: https://emscripten.org/docs/porting/guidelines/function_pointer_issues.html
This addresses only one of the mentioned aspects, but it exists, and is used with real world code.