| ▲ | Giving C a Superpower(hwisnu.bearblog.dev) |
| 138 points by mithcs 5 hours ago | 92 comments |
| |
|
| ▲ | woodruffw 2 hours ago | parent | next [-] |
| Intentionally or not, this post demonstrates one of the things that makes safer abstractions in C less desirable: the shared pointer implementation uses a POSIX mutex, which means it’s (1) not cross platform, and (2) pays the mutex overhead even in provably single-threaded contexts. In other words, it’s not a zero-cost abstraction. C++’s shared pointer has the same problem; Rust avoids it by having two types (Rc and Arc) that the developer can select from (and which the compiler will prevent you from using unsafely). |
| |
| ▲ | kouteiheika 2 hours ago | parent | next [-] | | > the shared pointer implementation uses a POSIX mutex [...] C++’s shared pointer has the same problem It doesn't. C++'s shared pointers use atomics, just like Rust's Arc does. There's no good reason (unless you have some very exotic requirements, into which I won't get into here) to implement shared pointers with mutexes. The implementation in the blog post here is just suboptimal. (But it's true that C++ doesn't have Rust's equivalent of Rc, which means that if you just need a reference counted pointer then using std::shared_ptr is not a zero cost abstraction.) | | |
| ▲ | woodruffw 2 hours ago | parent | next [-] | | To be clear, the “same problem” is that it’s not a zero-cost abstraction, not that it uses the same specific suboptimal approach as this blog post. | | |
| ▲ | kouteiheika 2 hours ago | parent [-] | | I think that's an orthogonal issue. It's not that C++'s shared pointer is not a zero cost abstraction (it's as much a zero cost abstraction as in Rust), but that it only provides one type of a shared pointer. But I suppose we're wasting time on useless nitpicking. So, fair enough. | | |
| ▲ | woodruffw 2 hours ago | parent [-] | | I think they’re one and the same: C++ doesn’t have program-level thread safety by construction, so primitives like shared pointers need to be defensive by default instead of letting the user pick the right properties for their use case. Edit: in other words C++ could provide an equivalent of Rc, but we’d see no end of people complaining when they shoot themselves in the foot with it. (This is what “zero cost abstraction” means: it doesn’t mean no cost, just that the abstraction’s cost is no greater than the semantically equivalent version written by the user. So both Arc and shared_ptr are zero-cost in a MT setting, but only Rust has a zero-cost abstraction in a single-threaded setting.) | | |
| ▲ | kouteiheika an hour ago | parent [-] | | I can't say I agree with this? If C++ had an Rc equivalent (or if you'd write one yourself) it would be just as zero cost as it is in Rust, both in a single-threaded setting and in a multithreaded-setting. "Zero cost abstraction" doesn't mean that it cannot be misused or that it doesn't have any cognitive overhead to use correctly, just that it matches whatever you'd write without the abstraction in place. Plenty of "zero cost" features in C++ still need to you pay attention to not accidentally blow you leg off. Simply put, just as a `unique_ptr` (`Box`) is an entirely different abstraction than `shared_ptr` (`Arc`), an `Rc` is also an entirely different abstraction than `Arc`, and C++ simply happens to completely lack `Rc` (at least in the standard; Boost of course has one). But if it had one you could use it with exactly the same cost as in Rust, you'd just have to manually make sure to not use it across threads (which indeed is easier said than done, which is why it's not in the standard), exactly the same as if you'd manually maintain the reference count without the nice(er) abstraction. Hence "zero cost abstraction". | | |
| ▲ | woodruffw an hour ago | parent [-] | | Sorry, I realized I’m mixing two things in a confusing way: you’re right that C++ could easily have a standard zero-cost Rc equivalent; I’m saying that it can’t have a safe one. I think this is relevant given the weight OP gives to both performance and safety. |
|
|
|
| |
| ▲ | cogman10 2 hours ago | parent | prev [-] | | > very exotic requirements I'd be interested to know what you are thinking. The primary exotic thing I can imagine is an architecture lacking the ability to do atomic operations. But even in that case, C11 has atomic operations [1] built in. So worst case, the C library for the target architecture would likely boil down to mutex operations. [1] https://en.cppreference.com/w/c/atomic.html | | |
| ▲ | kouteiheika an hour ago | parent | next [-] | | Well, basically, yeah, if your platform lacks support for atomics, or if you'd need some extra functionality around the shared pointer like e.g. logging the shared pointer refcounts while enforcing consistent ordering of logs (which can be useful if you're unfortunate enough to have to debug a race condition where you need to pay attention to refcounts, assuming the extra mutex won't make your heisenbug disappear), or synchronizing something else along with the refcount (basically a "fat", custom shared pointer that does more than just shared-pointering). | |
| ▲ | goalieca 28 minutes ago | parent | prev [-] | | Which platforms might that be? Even MIPS has atomics (at least pointer sized last i checked). |
|
| |
| ▲ | spacedcowboy 2 hours ago | parent | prev | next [-] | | The number of times I might want to write something in C and have it less likely to crash absolutely dwarfs the number of times I care about that code being cross-platform. Sure, cross-platform is desirable, if there's no cost involved, and mandatory if you actually need it, but it's a "nice to have" most of the time, not a "needs this". As for mutex overheads, yep, that's annoying, but really, how annoying ? Modern CPUs are fast. Very very fast. Personally I'm far more likely to use an os_unfair_lock_t than a pthread_mutex_t (see the previous point) which minimizes the locking to a memory barrier, but even if locking were slow, I think I'd prefer safe. Rust is, I'm sure, great. It's not something I'm personally interested in getting involved with, but it's not necessary for C (or even this extra header) to do everything that Rust can do, for it to be an improvement on what is available. There's simply too much out there written in C to say "just use Rust, or Swift, or ..." - too many libraries, too many resources, too many tutorials, etc. You pays your money and takes your choice. | | |
| ▲ | woodruffw 2 hours ago | parent [-] | | That’s all reasonable, but here’s one of the primary motivations from the post: > We love its raw speed, its direct connection to the metal If this is a strong motivating factor (versus, say, refactoring risk), then C’s lack of safe zero-cost abstractions is a valid concern. |
| |
| ▲ | saurik an hour ago | parent | prev [-] | | I'd think a POSIX mutex--a standard API that I not only could implement anywhere, but which has already been implemented all over the place--is way more "cross platform" than use of atomics. | | |
| ▲ | woodruffw an hour ago | parent [-] | | To lift things up a level: I think a language’s abstractions have failed if we even need to have a conversation around what “cross platform” really means :-) |
|
|
|
| ▲ | cachius 3 hours ago | parent | prev | next [-] |
| A recent superpower was added by Fil aka the pizlonator who made C more Fil-C with FUGC, a garbage collector with minimal adjustments to existing code, turning it into a memory safe implementation of the C and C++ programming languages you already know and love. https://news.ycombinator.com/item?id=45133938 https://fil-c.org/ |
| |
| ▲ | mk89 12 minutes ago | parent | next [-] | | Thank you so much for sharing this. I missed the HN post. This is beautiful! | |
| ▲ | 762236 2 hours ago | parent | prev [-] | | Why would I want to run a garbage collector and deal with it's performance penalties? | | |
| ▲ | jerf 2 hours ago | parent | next [-] | | Because about 99% of the time the garbage collect is a negligible portion of your runtime at the benefit of a huge dollop of safety. People really need to stop acting like a garbage collector is some sort of cosmic horror that automatically takes you back to 1980s performance or something. The cases where they are unsuitable are a minority, and a rather small one at that. If you happen to live in that minority, great, but it'd be helpful if those of you in that minority would speak as if you are in the small minority and not propagate the crazy idea that garbage collection comes with massive "performance penalties" unconditionally. They come with conditions, and rather tight conditions nowadays. | | |
| ▲ | hypeatei an hour ago | parent | next [-] | | I think these threads attract people that write code for performance-critical use cases which explains the "cosmic horror" over pretty benign things. I agree though: most programs aren't going to be brought to their knees over some GC sweeps every so often. | |
| ▲ | Phil_Latio an hour ago | parent | prev | next [-] | | > Because about 99% of the time the garbage collect is a negligible portion of your runtime In a system programming language? | | |
| ▲ | pjmlp an hour ago | parent | next [-] | | Yes, plenty have been done already so since Lisp Machines, Smalltalk, Interlisp-D, Cedar, Oberon, Sing#, Modula-2+, Modula-3, D, Swift,.... It is a matter to have an open mindset. Eventually system languages with manual memory management will be done history in agentic driven OSes. | |
| ▲ | Snarwin an hour ago | parent | prev [-] | | There's plenty of application-level C and C++ code out there that isn't performance-critical, and would benefit from the safety a garbage collector provides. |
| |
| ▲ | 762236 an hour ago | parent | prev [-] | | For new projects, I just use Rust: there is zero reason to deal with a garbage collector today. If I'm in C, it's because I care about predictable performance, and why I'm not using Java for that particular project. | | |
| |
| ▲ | sesm an hour ago | parent | prev | next [-] | | IDK about Fil-C, but in Java garbage collector actually speeds up memory management compared to C++ if you measure the throughput. The cost of this is increased worst-case latency. A CLI tool (which most POSIX tools are) would pick throughput over latency any time. | | |
| ▲ | dataflow 24 minutes ago | parent | next [-] | | > in Java garbage collector actually speeds up memory management compared to C++ if you measure the throughput If I had a dollar for every time somebody repeated this without real-world benchmarks to back it up... | |
| ▲ | zozbot234 29 minutes ago | parent | prev [-] | | You also pay for the increased throughput with significant memory overhead, in addition to worst-case latency. |
| |
| ▲ | palata 2 hours ago | parent | prev [-] | | Easy: because in your specific use-case, it's worth trading some performance for the added safety. | | |
| ▲ | 762236 an hour ago | parent [-] | | If I'm in C, I'm using JNI to work around the garbage collector of Kava | | |
|
|
|
|
| ▲ | fuhsnn 2 hours ago | parent | prev | next [-] |
| > C23 gave us [[cleanup]] attributes C23 didn't introduce it, it's still a GCC extension that needs to be spelled as [[gnu::cleanup()]] https://godbolt.org/z/Gsz9hs7TE |
| |
| ▲ | cassepipe 2 hours ago | parent [-] | | It is surprisingly hard to find information about it, do you have any ? From what I can guess it's a new syntax but it's the feature itself is still an extension ? | | |
|
|
| ▲ | krapht 3 hours ago | parent | prev | next [-] |
| C++: "look at what others must do to mimic a fraction of my power" This is cute, but also I'm baffled as to why you would want to use macros to emulate c++. Nothing is stopping you from writing c-like c++ if that's what you like style wise. |
| |
| ▲ | Qwuke 3 hours ago | parent | next [-] | | It's interesting to me to see how easily you can reach a much safer C without adding _everything_ from C++ as a toy project. I really enjoyed the read! Though yes, you should probably just write C-like C++ at that point, and the result sum types used made me chuckle in that regard because they were added with C++17. This person REALLY wants modern CPP features.. | |
| ▲ | loup-vaillant 2 hours ago | parent | prev | next [-] | | > I'm baffled as to why you would want to use macros to emulate c++. I like the power of destructors (auto cleanup) and templates (generic containers). But I also want a language that I can parse. Like, at all. C is pretty easy to parse. Quite a few annoying corner cases, some context sensitive stuff, but still pretty workable. C++ on the other hand? It’s mostly pick a frontend or the highway. | |
| ▲ | dboon an hour ago | parent | prev | next [-] | | No name mangling by default, far simpler toolchain, no dependence on libstdc++, compiles faster, usable with TCC/chibicc (i.e. much more amenable to custom tooling, be it at the level of a lexer, parser, or full compiler). C’s simplicity can be frustrating, but it’s an extremely hackable language thanks to that simplicity. Once you opt in to C++, even nominally, you lose that. | |
| ▲ | Lerc 3 hours ago | parent | prev | next [-] | | Perhaps but a project using this stops you from writing any old C++ in your C. Writing C++ in a C style has no such protection. It's choosing which features are allowed in. | |
| ▲ | ikamm 2 hours ago | parent | prev | next [-] | | >Nothing is stopping you from writing c-like c++ if that's what you like style wise. You'll just have to get used to the C++ community screaming at you that it's the wrong way to write C++ and that you should just use Go or Zig instead | | |
| ▲ | elashri 37 minutes ago | parent [-] | | You’re not wrong, but please be prepared for some polite but persistent suggestions to std::move toward more idiomatic patterns :) |
| |
| ▲ | sesm an hour ago | parent | prev [-] | | Embedded CPU vendors not shipping C++ compilers is what usually stops people. |
|
|
| ▲ | edwcross 37 minutes ago | parent | prev | next [-] |
| The post mentions cgrep several times, but I don't see a link to the code. Is it available somewhere? Github has several repositories named cgrep, but the first results are written in other languages than C (Haskell, Python, Typescript, Java, etc). |
|
| ▲ | archargelod an hour ago | parent | prev | next [-] |
| You can get all of that and more with Nim[0]. Nim is a language that compiles to C. So it is similar in principle to the "safe_c.h". We get power and speed of C, but in a safe and convenient language. > It's finally, but for C Nim has `finally` and `defer` statement that runs code at the end of scope, even if you raise. > memory that automatically cleans itself up Nim has ARC[1]: "ARC is fully deterministic - the compiler automatically injects destructors when it deems that some variable is no longer needed. In this sense, it’s similar to C++ with its destructors (RAII)" > automated reference counting See above > a type-safe, auto-growing vector. Nim has sequences that are dynamically sized, type and bounds safe > zero-cost, non-owning views Nim has openarray, that is also "just a pointer and a length", unfortunately it's usage is limited to parameters.
But there is also an experimental view types feature[2] > explicit, type-safe result Nim has `Option[T]`[3] in standard library > self-documenting contracts (requires and ensures) Nim's assert returns message on raise: `assert(foo > 0, "Foo must be positive")` > safe, bounds-checked operations Nim has bounds-checking enabled by default (can be disabled) > The UNLIKELY() macro tells the compiler which branches are cold, adding zero overhead in hot paths. Nim has likely / unlikely template[4] ------------------------------------------------------------ [0] https://nim-lang.org [1] https://nim-lang.org/blog/2020/10/15/introduction-to-arc-orc... [2] https://nim-lang.org/docs/manual_experimental.html#view-type... [3] https://nim-lang.org/docs/options.htm [4] https://nim-lang.org/docs/system.html#likely.t%2Cbool |
|
| ▲ | rurban 3 hours ago | parent | prev | next [-] |
| Just don't mix that up with the real safec.h header from safeclib: https://github.com/rurban/safeclib/tree/master/include |
| |
| ▲ | debugnik 3 hours ago | parent [-] | | How can anyone be this interested in maintaining an annex k implementation when it's widely regarded as a design failure, specially the global constraint handler. There's a reason why most C toolchains don't support it. https://www.open-std.org/jtc1/sc22/wg14/www/docs/n1967.htm | | |
| ▲ | rurban an hour ago | parent | next [-] | | It's only regarded as design failure by the linux folks.
Maybe because it came from Microsoft, NIH syndrome. A global constraint handler is still by far better than dynamic env handlers, and most of the existing libc/POSIX design failures. You can disable this global constraint handler btw. | | |
| ▲ | 1718627440 an hour ago | parent [-] | | > Maybe because it came from Microsoft, NIH syndrome. No it is because you still need to get the size calculation correct, so it doesn't actually have any benefit over the strn... family other than being different. Also a memcpy that can fail at runtime, seems to be only complicating things. If anything it should fail at compile time. |
| |
| ▲ | quotemstr 2 hours ago | parent | prev [-] | | FWIW, it's heavily used inside Microsoft and is actually pretty nice when combined with all the static analysis tools that are mandatory parts of the dev cycle. |
|
|
|
| ▲ | dboon an hour ago | parent | prev | next [-] |
| Nice, but if the intention is portability my experience has unfortunately been that you pretty much have to stick to C99. MSVC’s C compiler is rough, but pretty much necessary for actual cross platform. I have my own such header which has many, many things like the OP’s. As much as I would find it constantly useful, I don’t have a cleanup utility because of this. But if you can stay out of MSVC world, awesome! You can do so much with a few preprocessor blocks in a header |
| |
| ▲ | Dwedit 37 minutes ago | parent | next [-] | | That's the nice thing about macros, you can also have the macro generate C++ code using destructors instead of using the cleanup attribute. As long as your other C code is also valid C++ code, it should work. | |
| ▲ | Maxatar 42 minutes ago | parent | prev [-] | | MSVC now supports C17. |
|
|
| ▲ | HexDecOctBin 3 hours ago | parent | prev | next [-] |
| Any hopes that MSVC will add C23 support before 2040? |
| |
|
| ▲ | hanstospace 2 hours ago | parent | prev | next [-] |
| I checked Fil-C out and it looks great. How is this different from Fil-C? Apart from the obvious LLVM stuff |
| |
| ▲ | woodruffw 2 hours ago | parent [-] | | Fil-C essentially lifts C onto a managed, garbage-collected runtime. This is a small header that adds some C++ features to C. (These features are still essentially unsafe: the unique pointer implementation still permits UAF, for example, because nothing prevents another thread from holding the pointer and failing to observe that it has been freed.) |
|
|
| ▲ | khaledh 2 hours ago | parent | prev | next [-] |
| The problem with macro-laden C is that your code becomes foreign and opaque to others. You're building a new mini-language layer on top of the base language that only your codebase uses. This has been my experience with many large C projects: I see tons of macros used all over the place and I have no idea what they do unless I hunt down and understand each one of them. |
| |
|
| ▲ | immibis an hour ago | parent | prev | next [-] |
| This feels AI-generated. |
|
| ▲ | miroljub 3 hours ago | parent | prev | next [-] |
| Nice toy. It works until it stops working. An experienced C developer would quickly find a bunch of corner cases where this just doesn't work. Given how simple examples in this blog post are, I ask myself, why don't we already have something like that as a part of the standard instead of a bunch of one-off personal, bug-ridden implementations? |
| |
| ▲ | brabel 3 hours ago | parent | next [-] | | It would be a lot more constructive if you reported a bunch of corner cases where this doesn't work rather than just dismissing this as a toy. | | |
| ▲ | miroljub 2 hours ago | parent [-] | | No, I don't dismiss anything. It's just, I'd rather play with my own toys instead of using someone else's toy. Especially since I don't think it would ever grow up to be something more than a toy. For serious work, I'd use some widely used, well-maintained, and battle-tested library instead of my or someone else's toy. |
| |
| ▲ | Borg3 3 hours ago | parent | prev [-] | | Yeah, kids like to waste time to make C more safe or bring C++ features.
If you need them, use C++ or different language. Those examples make code look ugly and you are right, the corner cases. If you need to cleanup stuff on early return paths, use goto.. Its nothing wrong with it, jump to end when you do all the cleanup and return.
Temporary buffers? if they arent big, dont be afraid to use static char buf[64];
No need to waste time for malloc() and free. They are big? preallocate early and reallocate or work on chunk sizes. Simple and effective. | | |
| ▲ | 1718627440 an hour ago | parent | next [-] | | > use goto My thoughts as well. The only thing I would be willing to use is the macro definition for __attribute__, but that is trivial. I use C, because I want manual memory handling, if I wouldn't want that I would use another language. And now I don't make copies when I want to have read access to some things, that is simply not at a problem. You simply pass non-owning pointers around. | |
| ▲ | lukan 3 hours ago | parent | prev | next [-] | | Can you share such a corner case? | |
| ▲ | 1718627440 2 hours ago | parent | prev | next [-] | | > static char buf[64]; In a function? That makes the function not-threadsafe and the function itself stateful. There are places, where you want this, but I would refrain from doing that in the general case. | |
| ▲ | kstrauser 3 hours ago | parent | prev [-] | | God forbid we should make it easier to maintain the existing enormous C code base we’re saddled with, or give devs new optional ways to avoid specific footguns. | | |
| ▲ | mightyham 2 hours ago | parent [-] | | Goofy platform specific cleanup and smart pointer macros published in a brand new library would almost certainly not fly in almost any "existing enormous C code base". Also the industry has had a "new optional ways to avoid specific footguns" for decades, it's called using a memory safe language with a C ffi. | | |
| ▲ | kstrauser 2 hours ago | parent [-] | | I meant the collective bulk of legacy C code running the world that we can’t just rewrite in Rust in a finite and reasonable amount of time (however much I’d be all on board with that if we could). There are a million internal C apps that have to be tended and maintained, and I’m glad to see people giving those devs options. Yeah, I wish we (collectively) could just switch to something else. Until then, yay for easier upgrade alternatives! | | |
| ▲ | mightyham 2 hours ago | parent [-] | | I was also, in fact, referring to the bulk of legacy code bases that can't just be fully rewritten. Almost all good engineering is done incrementally, including the adoption of something like safe_c.h (I can hardly fathom the insanity of trying to migrate a million LOC+ of C to that library in a single go). I'm arguing that engineering effort would be better spent refactoring and rewriting the application in a fully safe language one small piece at a time. | | |
| ▲ | kstrauser 2 hours ago | parent [-] | | I’m not sure I agree with that, especially if there were easy wins that could make the world less fragile with a much smaller intermediate effort, eg with something like FilC. I wholeheartedly agree that a future of not-C is a much better long term goal than one of improved-C. |
|
|
|
|
|
|
|
| ▲ | keyle 3 hours ago | parent | prev [-] |
| I don't understand this passion for turning C into what it's not... Just don't use C for sending astronauts in space. Simple. C wasn't designed to be safe, it was designed so you don't have to write in assembly. Just a quick look through this and it just shows one thing: someone else's walled garden of hell. |
| |
| ▲ | pkhuong 3 hours ago | parent | next [-] | | > Just don't use C for sending astronauts in space But do use C to control nuclear reactors https://list.cea.fr/en/page/frama-c/ It's a lot easier to catch errors of omission in C than it is to catch unintended implicit behavior in C++. | | |
| ▲ | debugnik 2 hours ago | parent [-] | | I consider code written in Frama-C as a verifiable C dialect, like SPARK is to Ada, rather than C proper. I find it funny how standard C is an undefined-behaviour minefield with few redeeming qualities, but it gets some of the best formal verification tools around. | | |
| ▲ | 1718627440 an hour ago | parent [-] | | The popular C compilers include a static analyzer and a runtime sanitizer. What features do you consider proper C? The C standard has always been about standardization of existing compilers, not about prescribing features. |
|
| |
| ▲ | fransje26 2 hours ago | parent | prev | next [-] | | > Just don't use C for sending astronauts in space. Simple. Last time I checked, even SpaceX uses C to send astronauts to space... | |
| ▲ | capitol_ an hour ago | parent | prev | next [-] | | I agree, if people just had refrained from building things in c/c++ that operated on data from across a security boundary we wouldn't be in this mess. | |
| ▲ | pjmlp 2 hours ago | parent | prev | next [-] | | Some C devs will make all kinds of crazy efforts only not to use C++. | | | |
| ▲ | ReptileMan 3 hours ago | parent | prev [-] | | Actually C performs quite good in exactly that area. https://ntrs.nasa.gov/citations/19950022400 | | |
|
