Xr0: C but Safe
C’s Safety Problems and Developer Skill
- Some argue C’s main issue is undertrained developers and management expecting production code from people who “half know” the language.
- Others counter that C’s design has many “footguns” (pointer arithmetic, temporal bugs, integer conversions) and requires extreme diligence even from experts.
- Several note that C is taught and used less now; many devs only wrote poor C in college, so they lack idioms and coping patterns that mitigate risk.
- Disagreement over whether C’s quirks are “obvious” once learned or fundamentally treacherous even for experienced programmers.
Safe C Subsets vs Rewrites in Other Languages
- One camp: if you’re writing substantial new code, better to use a memory-safe language (Rust, Ada, etc.) than a safe C subset.
- Others emphasize the cost and risk of large rewrites: regressions, stalled feature work, and the difficulty of matching existing behavior.
- Annotating existing C is seen by some as incrementally safer and less risky; others report that, in practice (e.g., with Frama-C), annotation can be nearly as hard as rewrites.
What Xr0 Aims to Do
- Xr0 adds annotations to C to verify absence of undefined behavior, starting with temporal memory safety and planning spatial checks later.
- It positions itself as a “TypeScript for C”: a wrapper that enforces “safety semantics” at function interfaces, not a new language or runtime.
- Annotations are intentionally C-like and verbose; the idea is that contracts become simpler as you move up abstraction layers (“denouement”).
- Current implementation is very early: limited subset of C (no loops, many operators missing), assertion failures on modest examples, mainly useful for tiny fragments.
Comparisons, Prior Art, and Critiques
- Commenters liken Xr0 to Frama-C, Dafny, ATS, CCured/Cyclone, C#/Ada design-by-contract, and various C/C++ annotation efforts.
- Some criticize the project for not engaging deeply with this prior work or explaining why it will succeed where others stayed niche.
- Concerns focus on: handling loops and recursion, scalability of annotations, undecidability of general safety properties, and practicality for real-world C.
- Supporters see value in incremental safety for C programmers who dislike Rust’s ownership model or are constrained by existing C ecosystems and toolchains.