(hwisnu.bearblog.dev)

271 points mithcs | 1 comments | 17 Nov 25 10:40 UTC | HN request time: 0s | source

Show context

keyle ◴[17 Nov 25 12:50 UTC] No.45953126[source]▶

>>45952428 (OP) #

I don't understand this passion for turning C into what it's not...

Just don't use C for sending astronauts in space. Simple.

C wasn't designed to be safe, it was designed so you don't have to write in assembly.

Just a quick look through this and it just shows one thing: someone else's walled garden of hell.

replies(5): >>45953147 #>>45953182 #>>45953246 #>>45953302 #>>45954015 #

pkhuong ◴[17 Nov 25 12:54 UTC] No.45953147[source]▶

>>45953126 #

> Just don't use C for sending astronauts in space

But do use C to control nuclear reactors https://list.cea.fr/en/page/frama-c/

It's a lot easier to catch errors of omission in C than it is to catch unintended implicit behavior in C++.

replies(1): >>45953232 #

debugnik ◴[17 Nov 25 13:08 UTC] No.45953232[source]▶

>>45953147 #

I consider code written in Frama-C as a verifiable C dialect, like SPARK is to Ada, rather than C proper. I find it funny how standard C is an undefined-behaviour minefield with few redeeming qualities, but it gets some of the best formal verification tools around.

replies(2): >>45953861 #>>45956396 #

uecker ◴[17 Nov 25 18:28 UTC] No.45956396[source]▶

>>45953232 #

IMHO and maybe counterintuitively, I do not think the existence of UB makes it harder to do formal verification or have safe C implementations. The reason is that you can treat it as an error if the program encounters UB, so one can either derive local requirements or add run-time checks (such as Fil-C) and then obtains spatial and temporal isolation of memory object.

replies(1): >>45963066 #

1. ◴[18 Nov 25 09:27 UTC] No.45963066[source]▶

>>45956396 #

↑

Giving C a superpower: custom header file (safe_c.h)