ACM Magazine Criticizes Latest Draft of New C Standard, 'C23'

The ACM's software engineering magazine Queue delves into the latest draft for "a new major revision of the C language standard, C23... due out this year," noting the highs, lows, and several useful new features.The most important, if not the most exciting, make it easier to write safe, correct, and secure code. For example, the new header standardizes checked integer arithmetic: int i =...; unsigned long ul =...; signed char sc =...; bool surprise = ckd_add(&i, ul, sc); The type-generic macro ckd_add() computes the sum of ul and sc "as if both operands were represented in a signed integer type with infinite range." If the mathematically correct sum fits into a signed int, it is stored in i and the macro returns false, indicating "no surprise"; otherwise, i ends up with the sum wrapped in a well-defined way and the macro returns true. Similar macros handle multiplication and subtraction. The ckd_* macros steer a refreshingly sane path around arithmetic pitfalls including C's "usual arithmetic conversions." C23 also adds new features to protect secrets from prying eyes and programmers from themselves. The new memset_explicit() function is for erasing sensitive in-memory data; unlike ordinary memset, it is intended to prevent optimizations from eliding the erasure. Good old calloc(size_t n, size_t s) still allocates a zero'd array of n objects of size s, but C23 requires that it return a null pointer if n*s would overflow. In addition to these new correctness and safety aids, C23 provides many new conveniences: Constants true, false, and nullptr are now language keywords; mercifully, they mean what you expect. The new typeof feature makes it easier to harmonize variable declarations. The preprocessor can now #embed arbitrary binary data in source files. Zero-initializing stack-allocated structures and variable-length arrays is a snap with the new standard "={}" syntax. C23 understands binary literals and permits apostrophe as a digit separator, so you can declare int j = 0b10'01'10, and the printf family supports a new conversion specifier for printing unsigned types as binary ("01010101"). The right solution to the classic job interview problem "Count the 1 bits in a given int" is now stdc_count_ones(). Sadly, good news isn't the only news about C23. The new standard's nonfeatures, misfeatures, and defeatures are sufficiently numerous and severe that programmers should not "upgrade" without carefully weighing risks against benefits... The article complains that C23 "transforms decades of perfectly legitimate programs into Molotov cocktails," citing the way C23 now declares realloc(ptr,0) to be undefined behavior. ("Compile old code as C23 only for good reason and only after verifying that it doesn't run afoul of any constriction in the new standard.") It also criticizes C23's new unreachable annotation, as well as its lack of improvement on pointers. "Comparing pointers to different objects (different arrays or dynamically allocated blocks of memory) is still undefined behavior, which is a polite way of saying that the standard permits the compiler to run mad and the machine to catch fire at run time." The article even cites the obligatory XKCD cartoon. "Let's not overthink it; if this code is still in use that far in the future, we'll have bigger problems."

Read more of this story at Slashdot.