Thanks! I thought this felt familiar. 2023 is a long time to still be in this "Initial signs are promising" mode. There are no code commits since March 2025.

I've had projects which stalled for a few months or even a year, but generally if I said I'll get to it "soon" and two years later I haven't, that's not getting done. There are two boxes of books I planned to unbox "soon" after discovering that the bookshelves for my new flat were full & so I had nowhere to put them. That was when Obama was still President of the United States of America. Don't expect me to ever get around to unboxing those books, I clearly haven't even missed them.

NULL is a valid return for malloc. Wouldn’t that case already be handled?

as someone building an analyzer for zig, if you sent something like this through the system im building, it would get handled by Zig's optional type tagging; but lets say you did "free" (so your result is half freed, half not freed): it would get rejected because both branches produce inconsistent type refinements, you don't have to solve the halting problem, just analyze all possible branches and seek convergence.

In general, symbolic execution will consider all code paths. If it can't (or doesn't want to) prove that the condition is always true or false it will check that the code is correct in two cases: (1) true branch taken, (2) false branch taken.

I think all paths have to return the same allocation. You would have to solve this in another way.

There will always be valid programs that are nonetheless rejected by some verifier (Rice's theorem). That is, programs that have really nothing wrong but nonetheless are rejected as invalid

In those cases you generally try to rewrite it in another way

> we don't even use static analysis and validators for c or C++

There is some use, how much I don't know. I guess it should be established best practice by now. Also run test suites with valgrind.

Historically many of the C/C++ static analyzers were proprietary. I haven't checked lately but I think Coverity was (is?) free for open source projects.

Not sure what this post has to do with Rust, but people do use static analysis on C and C++. The problem is that C and C++ are so flexible that retrofitting static verification after the fact becomes quite difficult.

Rust restricts the shape of program you are able to write so that it's possible to statically guarantee memory safety.

> Does it require annotations or can it validate any c code?

If you had clicked through you would see that it requires annotations.

Today's experts are the novices of 40 years ago, and today's novices will be the experts in 40 years.

C and C++ don't require static analysis, and it's difficult to set up, and so most of us slide down the incentive gradient of using C / C++ without any helpers except CMake and gdb.

Rust requires it, so the noobies use it, so in 40 years the experts will accept it.

BTW, when D compiles C code, it will default initialize the C variables, too.

I think that the right thing to do is to error out though. When the behaviour of some code cannot be guaranteed, that code should just be ruled out imo. Manually initializing a variable generally doesn't clutter the code, arguably it's making it clearer.

Pretty much any existing C compiler will also solve that problem by telling you that it's uninitialized.

    int test()
    {
        int i;
        return i;
    }

    clang -c test.c

  > clang -Wall test.c
  test.c:4:16: warning: variable 'i' is uninitialized when used here [-Wuninitialized]
      4 |         return i;
        |                ^
  test.c:3:14: note: initialize the variable 'i' to silence this warning
      3 |         int i;
        |              ^
        |               = 0
  1 warning generated.

  warning C4700: uninitialized local variable 'i' used

You can do that in GCC now (-ftrivial-auto-var-init=zero). There are a few projects that decided to enable this by default.

> But "We currently model all buffers as infinitely-sized. We will be adding out-of-bounds checking soon." That's the hard problem.

It's not particularly difficult for the prover. You essentially just need to do a translation from C in to your ATP language of choice, with a bunch of constraints that check undefined behaviour never occurs. Tools such as Frama-C and CBMC have supported this for a long time.

The difficult part is for the user as they need to add assertions all over the place to essentially keep the prover on the right track and to break down the program in to manageable sections. You also want a bunch of tooling to make things easier for the user, which is a problem that can be as difficult as you want it to be since there's always going to be one more pattern you can detect and add a custom handler/error message for.

Oddly they didn't even reuse the annotation for this that GCC already has: https://stackoverflow.com/questions/18485447/gcc-attribute-m...

> Cute. They've introduced ownership to C.

Ownership semantics are described in every serious C interface. Linters for checking it have also existed for decades. I find the notion that Rust invented it to be incredible stupid. Rust just has different ownership semantics and makes it an enforced part of the language (arguable a good idea). And yes they of course also do bounds-checking.