Xr0: C but Safe

C’s Safety Problems and Developer Skill

  • Some argue C’s main issue is undertrained developers and management expecting production code from people who “half know” the language.
  • Others counter that C’s design has many “footguns” (pointer arithmetic, temporal bugs, integer conversions) and requires extreme diligence even from experts.
  • Several note that C is taught and used less now; many devs only wrote poor C in college, so they lack idioms and coping patterns that mitigate risk.
  • Disagreement over whether C’s quirks are “obvious” once learned or fundamentally treacherous even for experienced programmers.

Safe C Subsets vs Rewrites in Other Languages

  • One camp: if you’re writing substantial new code, better to use a memory-safe language (Rust, Ada, etc.) than a safe C subset.
  • Others emphasize the cost and risk of large rewrites: regressions, stalled feature work, and the difficulty of matching existing behavior.
  • Annotating existing C is seen by some as incrementally safer and less risky; others report that, in practice (e.g., with Frama-C), annotation can be nearly as hard as rewrites.

What Xr0 Aims to Do

  • Xr0 adds annotations to C to verify absence of undefined behavior, starting with temporal memory safety and planning spatial checks later.
  • It positions itself as a “TypeScript for C”: a wrapper that enforces “safety semantics” at function interfaces, not a new language or runtime.
  • Annotations are intentionally C-like and verbose; the idea is that contracts become simpler as you move up abstraction layers (“denouement”).
  • Current implementation is very early: limited subset of C (no loops, many operators missing), assertion failures on modest examples, mainly useful for tiny fragments.

Comparisons, Prior Art, and Critiques

  • Commenters liken Xr0 to Frama-C, Dafny, ATS, CCured/Cyclone, C#/Ada design-by-contract, and various C/C++ annotation efforts.
  • Some criticize the project for not engaging deeply with this prior work or explaining why it will succeed where others stayed niche.
  • Concerns focus on: handling loops and recursion, scalability of annotations, undecidability of general safety properties, and practicality for real-world C.
  • Supporters see value in incremental safety for C programmers who dislike Rust’s ownership model or are constrained by existing C ecosystems and toolchains.