Exclusive: C and C++ programmers may not need to learn Rust after all to participate in the push for memory safety.
Speaking to us remotely from the W2140 conference in Bangkok, Thailand – which started today – Robin Rowe, a former computer science professor, product designer, and graphics expert, plans to announce a memory-safe fork of the C programming language called TrapC. Its goal is to help developers create software that can’t crash.
TrapC code resembles C/C++ code, but, according to Rowe, it’s memory safe. That is to say, its pointers cannot produce segfaults, buffer overruns, or memory leaks. The programming language is designed to be link compatible with C, because it uses the same application binary interface (ABI). And supposedly it’s safer than Rust because it lacks an “unsafe” keyword while also being easier to learn.
The TrapC compiler is due to be released as free open source software in 2025, through Rowe’s startup, Trasec, which will support the forthcoming memory-safe C-adjacent language and at some point will have a website associated with its domain name.
“Back in February, the White House announced that we needed to do something about memory safety in C and C++ or change over to Rust,” Rowe told The Register.
“And at the time, I was a member of both the C and C++ committees and, as you can imagine, this caused quite a stir in that corner.”
There was a huge discussion within the C and C++ communities because neither language is memory safe and there’s skepticism that they can be made so. The Safe C++ proposal was one of the responses from the C++ community.
According to Rowe, Bjarne Stroustrup, creator of C++, said he had been working on Profiles [PDF] and wanted to continue doing so.
“And I love Bjarne, but I don’t think Profiles are the right answer,” said Rowe. “And in the C community, the answer was even less [clear]. There wasn’t really a plan of what to do.”
Doing something to improve memory safety has become a matter of national security, supported by the White House, the Five Eyes intelligence agencies, federal law enforcement, and the US Cybersecurity and Infrastructure Security Agency (CISA), among others. Memory safety bugs account for about 75 percent of the CVEs used in zero-day exploits, according to Google. And about 70 percent of severe vulnerabilities in large codebases are attributable to such bugs.
C and C++ are common sources of memory safety bugs because they leave memory management to the programmer and do not check pointer arithmetic, array indexing, or object lifetimes at run time. The benefit, generally speaking, is better performance and less overhead than languages like Python or Java that reclaim memory automatically through garbage collection. The downside is that a single missed check can produce memory-related bugs like buffer overflows and use-after-free, which attackers routinely turn into code execution.
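To make the two bug classes concrete, here is an added example in plain C (not code from the article or from TrapC): each bug sits beside a hardened form that keeps the same call shape. The function names (greet, copy_bounded, session_open, session_close_safe, session_id) and the 16-byte buffer size are chosen for illustration only.

```c
/* Added example (not from the article or TrapC): two classic C memory-safety
 * bugs, each beside a hardened form that keeps the same call shape.
 * All names and sizes here are illustrative. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 1. Buffer overrun: strcpy trusts the caller; a name of 16 bytes or more
 *    writes past buf and corrupts whatever the compiler placed next to it. */
void greet(const char *name) {
    char buf[16];
    strcpy(buf, name);          /* no length check: overrun on long input (UB) */
    printf("hello, %s\n", buf);
}

/* Hardened: copy at most cap-1 bytes, always NUL-terminate, and report
 * truncation so the caller can treat it as an error instead of silently
 * continuing. Returns 1 if the input fit, 0 if it was cut. */
int copy_bounded(char *dst, size_t cap, const char *src) {
    size_t n = strlen(src);
    if (cap == 0) return 0;
    if (n >= cap) {
        memcpy(dst, src, cap - 1);
        dst[cap - 1] = '\0';
        return 0;
    }
    memcpy(dst, src, n + 1);
    return 1;
}

int greet_bounded(const char *name) {
    char buf[16];
    int fit = copy_bounded(buf, sizeof buf, name);
    printf("hello, %s%s\n", buf, fit ? "" : " (truncated)");
    return fit;
}

/* 2. Use-after-free: free() leaves the caller's copy of the pointer dangling;
 *    a later access reads or writes memory the allocator may have reused. */
struct session { int id; char token[32]; };

struct session *session_open(int id) {
    struct session *s = calloc(1, sizeof *s);
    if (s) s->id = id;
    return s;
}

void session_close(struct session *s) {
    free(s);                    /* caller still holds s: dangling pointer */
}

/* Hardened: take the pointer by reference, free it and null it, so any later
 * use is a checkable NULL rather than a wild pointer. */
void session_close_safe(struct session **sp) {
    free(*sp);
    *sp = NULL;
}

/* Returns the session id, or -1 if the handle was already closed. */
int session_id(const struct session *s) {
    return s ? s->id : -1;
}
```

The hardened forms do not make the program "unable to crash"; they turn an overrun into a reported truncation and a dangling pointer into a null one, which is the same move Rowe describes for TrapC pointers later in this piece, done here by hand at every call site.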
“Then in March, I was in Tokyo at the C++ standards group meeting,” said Rowe. “And of course, [memory safety] was still being discussed there, although people had many other things that they were working on. And so I got to thinking about it and I was like, ‘Well, the reason it’s so hard to fix C++ is backward compatibility with C.'”
Rowe said that the biggest memory safety holes in C++ were inherited from C. “So there was discussion at the March meeting about how to improve exceptions so that C++ could have better error handling.” Exceptions are the C++ error-handling mechanism that unwinds the stack from the point where an error is thrown to the nearest matching handler.
Developers of games, embedded systems, and high-availability servers typically ban using exceptions because they’re non-deterministic and have other performance-related issues, explained Rowe.
“The places that need to be the most error-proof are the places that see those exceptions are banned,” he said. “And so I looked at some of the work that was going on there and said, ‘Well, instead of trying to fix that, what if we would just change how error handling works so that errors are tracked by default instead of by exception?'”
Presently, in C and C++, if you try to open a file and don’t code an error condition to handle what happens when the file doesn’t open, the program will probably crash, explained Rowe.
But it doesn’t have to be that way. “What if, say, you go to open a file in C and if you don’t say what happens when the file doesn’t open, then that creates some kind of error condition that gets implicitly called?” he said.
That, he said, got him thinking about memory management, which is what everyone’s concerned about.
“People said that we can’t do memory, we can’t check pointers in C++, because it’s too hard,” he said. “And they didn’t actually mean it was too hard, they just meant that it was too slow. They meant it was too hard to do it well.”
Rowe’s answer is to put more intelligence into the compiler: where it can prove a pointer cannot go out of bounds, it omits the run-time check, so the cost of checking falls only on the accesses it cannot prove safe.
“And then I thought, ‘Well, since the compiler now knows when pointers are OK, what if the compiler would null any pointer that goes out of bounds?'” he said.
“So in C and C++, if you have a pointer to a buffer and you plus-plus it, you increment it forward, at some point you go off the end and if you’re not careful to check that you’ve gone off the end, that’s going to be a segfault or something terrible.
“And I was like, ‘Well, since the compiler knows where the end is, what if when it goes off the end, the pointer just went to zero?’ And that’s much easier to deal with than a wild pointer because you can easily check if the pointer is zero.
“And so that’s the essence of what we’re working on with TrapC, to create this C-like language where everything looks pretty much the same except pointers work in a fundamentally different way that is mostly transparent. And error handling works in a way that is fundamentally different but mostly transparent.”
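The TrapC compiler is not yet released, so the following is an added example written for this page in plain C, not TrapC code: it emulates the behaviour Rowe describes, a pointer that carries its bounds and reads as NULL once it is stepped past the end, so callers test for zero instead of faulting. The type and function names (cptr, cptr_make, cptr_next, cptr_advance, cptr_get, cptr_sum) are invented here, and the layout is one of several ways such a "fat pointer" can be represented.

```c
/* Added example (not TrapC code): a plain-C emulation of a bounds-carrying
 * pointer that becomes NULL once it goes past the end of its buffer.
 * Names are invented for this illustration. */
#include <stddef.h>
#include <stdio.h>

struct cptr {
    int *base;     /* start of the buffer */
    size_t len;    /* element count */
    size_t idx;    /* current position; idx == len means "off the end" */
};

struct cptr cptr_make(int *base, size_t len) {
    struct cptr p = { base, len, 0 };
    return p;
}

/* Equivalent of p++: advance, but saturate at len instead of running on. */
void cptr_next(struct cptr *p) {
    if (p->idx < p->len) p->idx++;
}

/* Equivalent of p += n: a jump beyond the end also lands on "off the end". */
void cptr_advance(struct cptr *p, size_t n) {
    p->idx = (n > p->len - p->idx) ? p->len : p->idx + n;
}

/* Dereference: the real address while in bounds, NULL once past the end.
 * This is where "the pointer just goes to zero" lives. */
int *cptr_get(const struct cptr *p) {
    return p->idx < p->len ? p->base + p->idx : NULL;
}

/* The usual C idiom "walk until the pointer is null" now terminates at the
 * buffer end without reading past it. Stores the sum in *out and returns
 * how many elements were visited, so a caller can confirm it stopped at len. */
size_t cptr_sum(struct cptr p, long *out) {
    size_t visited = 0;
    long total = 0;
    for (int *e; (e = cptr_get(&p)) != NULL; cptr_next(&p)) {
        total += *e;
        visited++;
    }
    *out = total;
    return visited;
}

int main(void) {
    int buf[4] = { 1, 2, 3, 4 };
    long total;
    size_t n = cptr_sum(cptr_make(buf, 4), &total);
    printf("visited %zu elements, sum %ld\n", n, total);

    struct cptr p = cptr_make(buf, 4);
    cptr_advance(&p, 4);        /* one past the end, as in the off-by-one case */
    printf("off-the-end pointer is %s\n", cptr_get(&p) ? "live" : "NULL");
    return 0;
}
```

Two caveats a practitioner should keep in mind. First, the emulation pays for what Rowe says TrapC's compiler avoids: every dereference costs a compare, and the pointer is three words instead of one, which is the overhead that proving checks unnecessary is meant to eliminate. Second, a nulled pointer only helps if the code tests it; dereferencing NULL in plain C is still a crash, and the article says TrapC pairs this with its changed error handling, which this snippet does not model.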
Rowe’s experience with the C++ committee, which oversees proposals and approves changes, led him to believe that pushing memory safety changes through the existing bureaucratic process would take too long.
After proposing a GUI library for C++, he said he was advised to join the committee and write a paper. When he joined, “several people that were old hands of the committee wrote to me that I didn’t really know them but they were trying to take me under their wing and said, ‘Just understand that it takes ten years to approve anything in the committee.’ You know, they were really selling me on it.”
Rowe said that after being on the committee and interacting with a lot of smart people, “I was like, ‘Wow,