Posted by wooster 12 hours ago

Lib0xc: A set of C standard library-adjacent APIs for safer systems programming (github.com)
131 points | 49 comments (page 2)
thayne 6 hours ago
Interesting that a project from Microsoft doesn't support MSVC or Windows.
queuebert 4 hours ago
I suspect in 20 years Windows will be a Linux distribution with a compatibility layer.
kristianp 4 hours ago
People say that kind of thing on HN every now and then. I have no idea why this idea is around, it's a complete fantasy in my opinion. I say this as someone who mostly uses Linux.
akoboldfrying 3 hours ago
How things change. Imagine Microsoft circa 2000 publishing an MIT-licensed source code library targeting "the competition"'s compilers, and including some light humour ("Embiggen C's Pit of Success") in the docs.
DeathArrow 2 hours ago
I thought Microsoft adopted Rust. Are they backpedaling?
EPWN3D 2 hours ago
Microsoft supports memory safety. Rust is 100% the direction for new projects. But there are existing C codebases that are unlikely to be entirely rewritten in a memory-safe language for various reasons. Such projects can significantly benefit from incremental improvements in memory safety.
andrefelipeafos 8 hours ago
Quick question for those who've tried it — does this play with existing C codebases incrementally, or is it more of a "new project only" situation? The README didn't make that obvious to me.
EPWN3D 8 hours ago
It's designed to be incremental. For example, you can do a search for `sprintf` and replace it with `ssprintf`. The function signature is the same. Any instance of printing to a character array just works. Think of the APIs as "the stuff you usually do by hand, but safer".

If you get compiler errors, it means you were printing to a heap-allocated buffer (or a buffer whose bounds you did not know), and you should be propagating bounds and using `snprintf`.

Integer conversion is the same way. If you have something like

    int v1;
    uint64_t v2;

    /* <stuff happens> */

    v2 = (uint64_t)v1;

Then you can replace it with

    v2 = __cast_signed_unsigned(uint64_t, v1);

and you'll get a runtime trap when v1 is a negative value, meaning you can both enable -Wint-conversion and have defined behavior for when the value in a certain integer type is not representable in another.
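The incremental pattern described in this comment, as an added example that is not part of the thread and not lib0xc's own code: a hypothetical checked signed-to-unsigned cast that traps on a negative value, and a hypothetical array-only formatter whose compile-time check rejects pointers (heap buffers), so those call sites are forced to `snprintf` with an explicit bound. All names are assumed; the macros rely on GCC/Clang statement expressions and builtins.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical non-trapping form: reports whether v fits instead of
 * silently wrapping a negative value around to 2^64 - |v|. */
static bool s2u_representable(long long v, unsigned long long *out)
{
    if (v < 0) return false;
    *out = (unsigned long long)v;
    return true;
}

/* Hypothetical trapping form, in the spirit of the cast discussed above:
 * an unrepresentable value stops the program rather than continuing. */
#define CHECKED_S2U(T, v)                                 \
    __extension__ ({                                      \
        unsigned long long _u;                            \
        if (!s2u_representable((long long)(v), &_u))      \
            __builtin_trap();                             \
        (T)_u;                                            \
    })

/* Bounded formatter: returns characters written, or -1 on truncation. */
static int sprintf_bounded(char *buf, size_t cap, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, cap, fmt, ap);
    va_end(ap);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* Only a real array is accepted: an array type is never compatible with
 * its own element-pointer type, so a char* argument fails to compile. */
#define SSPRINTF(arr, ...)                                                  \
    __extension__ ({                                                        \
        _Static_assert(!__builtin_types_compatible_p(__typeof__(arr),       \
                                                     __typeof__(&(arr)[0])),\
                       "SSPRINTF needs an array, not a pointer");           \
        sprintf_bounded((arr), sizeof(arr), __VA_ARGS__);                   \
    })

static uint64_t demo_cast_ok(void) { return CHECKED_S2U(uint64_t, 42); }

static bool demo_cast_negative_rejected(void)
{
    unsigned long long u;
    int v1 = -1;                       /* constructed: would trap above */
    return !s2u_representable(v1, &u);
}

/* Formats into a 16-byte stack array; oversized input is reported, not
 * written past the end as sprintf would do. */
static int demo_format(const char *msg)
{
    char line[16];
    return SSPRINTF(line, "msg=%s", msg);
}
```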

fudgeonastick 3 hours ago
This stuff is amongst my favourite type of engineering.

Practical. Useful. Not sexy. (I am only one of those.)

Bravo!

bananaboy 9 hours ago
This is very cool!