Has anyone found a static analysis tool which understands C11 Annex K (aka “safe C”) functions? I’ve found some tools like Clang static analysis will raise errors for potentially incorrect calls to stdlib C functions, but don’t understand the replacements, which means some errors previously caught by analysis can only be caught at runtime.
Annex K is optional and the only compiler I'm aware of implementing it is MSVC (and only Microsoft wanted that in the standard), so the support for it will be nonexistent in "normal" tooling. If you need it, check if MS has something.
> Annex K is optional and the only compiler I'm aware of implementing it is MSVC (and only Microsoft wanted that in the standard),
And to rub salt into the wound, the Annex K functions supplied with MSVC are non-conforming to the standard's Annex K functions, which were also pushed hard by Microsoft, which makes them kinda doubly pointless: you use them and make code that is neither portable to another compiler nor conforming to the standard :-/