Show HN: Xr0 – Vanilla C Made Safe with Annotations

I&#x27;m glad that I wasn&#x27;t the only persion pondering the similar thing (referring to the theses), but I&#x27;m not sure if the current direction can produce a small enough solution. For example I expected the following to work even with the currently restricted xlib:<p><pre><code> #include &lt;stdlib.h&gt; foo(int **pp) [ if (@pp) { .alloc *pp; } else { .undefined; } ] { *pp = malloc(4); &#x2F;&#x2F; or: int *qq = malloc(4); *pp = qq; } </code></pre> It seems that `*pp` doesn&#x27;t even work in the abstraction. (I originally tried structs, but realized that Xr0 currently doesn&#x27;t support them.) This is crucial because you can&#x27;t just do pattern matching against abstractions and axioms, there should be some sort of tactics that massage abstractions so that appropriate axioms can be used if any. Even keeping track of non-variable places (here `*qq`) is not trivial, please consider how to handle the commented code.

Reminds me of <a href="https:&#x2F;&#x2F;github.com&#x2F;microsoft&#x2F;checkedc">https:&#x2F;&#x2F;github.com&#x2F;microsoft&#x2F;checkedc</a>

Seems like it has potential, try to run it for files in some open source projects like curl? Pick something gnarly with lots of string allocs.

How does it compare to existing static analysis tools for C? Any unique&#x2F;new features?<p>Does code using the annotations compile as is?

I find it implausible that this can catch all the ways that C programmers actually do mess up (as one for ~40Y).<p>I can make even languages such as Java leak memory even though it shouldn&#x27;t be possible, nominally, so just knowing that something is returning heap-allocated memory somehow doesn&#x27;t seem to help much.<p>But I have only skimmed the page, so hopefully I am wrong!